Slide 1

CoreOS Dex, OAuth 2.0, and OIDC: Web Authentication Adventures. @coreoslinux @brandonphilips

Slide 2

Brandon Philips, CTO, CoreOS. github.com/philips

Slide 3

Demo Instructions: github.com/philips/hacks (2015-dex-golangsf)

Slide 4

Slides: speakerdeck.com/philips

Slide 5

Identity: Plumbing of the Web

Slide 6

No content

Slide 7

Identity: Our Needs

Slide 8

No content

Slide 9

The smartest way to run your container infrastructure. tectonic.com @tectonicstack

Slide 10

QUAY: Secure hosting for private Docker repositories. quay.io @quayio

Slide 11

Why Dex? Solve our own use cases: quay.io, tectonic.com

Slide 12

Why Dex? Share an open source solution

Slide 13

Why Dex? Leverage well-understood web security

Slide 14

Identity: OpenID Connect (OIDC)

Slide 15

OIDC: Nothing to do with OpenID

Slide 16

OIDC: OAuth 2.0 with types

Slide 17

OIDC: Adopted by Google, Facebook, Amazon

Slide 18

OIDC: Lots of language libraries

Slide 19

OIDC: http://openid.net/connect/

Slide 20

OAuth 2.0: Client (web app)

Slide 21

OAuth 2.0: Resource Owner

Slide 22

OAuth 2.0: Auth Server

Slide 23

OAuth 2.0: 1. User requests protected page

Slide 24

OAuth 2.0: 2. User redirected to auth page

Slide 25

OAuth 2.0: 3. User authenticates (cookie/pw)

Slide 26

OAuth 2.0: 4. User given authz grant

Slide 27

OAuth 2.0: 5. User presents grant to client

Slide 28

OAuth 2.0: 6. Client exchanges grant for access token

Slide 29

OAuth 2.0: 7. ??? Do stuff

Slide 30

OIDC: Relying Party

Slide 31

OIDC: End User

Slide 32

OIDC: Identity Provider

Slide 33

OIDC: 0. Relying party periodically syncs public key from IdP

Slide 34

OIDC: 1. User requests protected page

Slide 35

OIDC: 2. User redirected to auth page

Slide 36

OIDC: 3. User authenticates (cookie/pw)

Slide 37

OIDC: 4. User given authz grant

Slide 38

OIDC: 5. User presents grant to client

Slide 39

OIDC: 6. Relying party exchanges authz code for ID token

Slide 40

OIDC: 7. Client gets ID token and validates claims
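The relying-party side of steps 2, 5 and 7 above, written out as an added Go example. This is my own illustration, not code from the talk or from Dex: the issuer, endpoint, client ID and redirect URI are placeholder values, and the token payload is assumed to have already had its JWS signature verified against the IdP key synced in step 0. It shows the three checks a web app must make itself: bind the redirect and callback with a session `state`, bind the ID token to the session with a `nonce`, and check `iss`, `aud`, `exp` and `iat` before trusting any claim.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// RelyingParty holds what a web app needs to talk to one IdP (placeholder values, not Dex config).
type RelyingParty struct {
	Issuer      string // expected "iss" claim
	AuthURL     string // IdP authorization endpoint
	ClientID    string // must appear in the ID token's "aud"
	RedirectURI string // where the grant is presented back to the client
}

// AuthorizationRedirect builds the step-2 redirect. state ties the later callback to this
// browser session and nonce ties the ID token to it; both come from crypto/rand in a real app.
func (rp RelyingParty) AuthorizationRedirect(state, nonce string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", rp.ClientID)
	q.Set("redirect_uri", rp.RedirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)
	q.Set("nonce", nonce)
	return rp.AuthURL + "?" + q.Encode()
}

// CallbackCode handles step 5: the code is accepted only with the state this session issued.
func CallbackCode(callback, expectedState string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("callback: state mismatch")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback: missing code")
	}
	return q.Get("code"), nil
}

// IDTokenClaims are the claims checked in step 7.
type IDTokenClaims struct {
	Iss   string          `json:"iss"`
	Sub   string          `json:"sub"`
	Aud   json.RawMessage `json:"aud"` // a string or an array of strings
	Exp   int64           `json:"exp"`
	Iat   int64           `json:"iat"`
	Nonce string          `json:"nonce"`
}

// ValidateClaims runs after the JWS signature has been verified with the key synced in step 0.
// It rejects tokens from another issuer, for another client or session, or outside their validity window.
func ValidateClaims(payload []byte, rp RelyingParty, expectedNonce string, now time.Time) (*IDTokenClaims, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != rp.Issuer:
		return nil, fmt.Errorf("iss %q, want %q", c.Iss, rp.Issuer)
	case !audienceContains(c.Aud, rp.ClientID):
		return nil, errors.New("aud does not include our client_id")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Iat == 0 || time.Unix(c.Iat, 0).After(now.Add(time.Minute)):
		return nil, errors.New("iat is in the future")
	case c.Sub == "":
		return nil, errors.New("missing sub")
	case c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

// audienceContains accepts both JSON shapes OIDC allows for "aud".
func audienceContains(raw json.RawMessage, clientID string) bool {
	var many []string
	var one string
	if json.Unmarshal(raw, &one) == nil {
		many = []string{one}
	} else if json.Unmarshal(raw, &many) != nil {
		return false
	}
	for _, a := range many {
		if a == clientID {
			return true
		}
	}
	return false
}

func main() {
	rp := RelyingParty{Issuer: "https://idp.example.com", AuthURL: "https://idp.example.com/auth",
		ClientID: "demo-app", RedirectURI: "https://app.example.com/callback"}
	// Constructed state/nonce for the demo; a real app draws them from crypto/rand.
	fmt.Println("step 2 redirect:", rp.AuthorizationRedirect("state-123", "nonce-456"))
}
```

The ordering matters: `state` is checked before the code is ever exchanged, and the claims are checked only after the signature, so a token that is well signed by the right IdP but minted for a different client or a different login session is still refused.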

Slide 41

JOSE: JavaScript Object Signing and Encryption

Slide 42

JWK: JSON Web Key, a cryptographic key object

Slide 43

JWS: JSON Web Signature

Slide 44

JWS: <header>.<payload>.<signature>

Slide 45

JWS: <header>.<payload>.<signature>

Slide 46

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.lnneNaoem98xYFES3mi2CJJjnMONuWAu-FTWB3XJN14

Slide 47

{ "alg": "HS256", "typ": "JWT" }

Slide 48

{ "hello": "world" }

Slide 49

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Slide 50

JWT: JSON Web Token

Slide 51

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lIjoiSmFuZSBEb2UiL...mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2phbmVkb2UvbWUuanBnIn0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Slide 52

{ "alg": "HS256", "typ": "JWT" }

Slide 53

{ "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://imgur.com/me.jpg" }

Slide 54

JWT Security: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
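An added Go example (mine, not the speaker's or Dex's code) that carries slides 44 through 49 into working code and applies the lesson of the auth0 post on slide 54. It builds the compact serialization `header.payload.signature` from the slide's header `{"alg":"HS256","typ":"JWT"}` and payload `{"hello":"world"}` using exactly the HMACSHA256 formula on slide 49, so the first two segments match slide 46; the secret `demo-secret` is a constructed value (the slides do not disclose theirs), so the signature segment differs. The verifier pins the algorithm instead of trusting the token's `alg` header, which is what closes the `"alg": "none"` and key-confusion bugs that post describes, and it uses a constant-time comparison for the MAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE encodes every segment as base64url without padding.
var b64 = base64.RawURLEncoding

// SignHS256 produces header.payload.signature, computing the last segment as on slide 49:
// HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
func SignHS256(headerJSON, payloadJSON, secret []byte) string {
	signingInput := b64.EncodeToString(headerJSON) + "." + b64.EncodeToString(payloadJSON)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 checks a compact JWS and returns its payload bytes. The algorithm is pinned
// by the verifier: the token's "alg" header is compared against "HS256", never used to
// decide how to verify, so "alg": "none" and swapped-algorithm tokens are refused outright.
func VerifyHS256(token string, secret []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected header.payload.signature")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: header is not base64url: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &hdr); err != nil {
		return nil, fmt.Errorf("jws: header is not JSON: %w", err)
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("jws: refusing alg %q, verifier expects HS256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jws: signature is not base64url: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	// hmac.Equal compares in constant time, so the check leaks no timing information.
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("jws: signature mismatch")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jws: payload is not base64url: %w", err)
	}
	return payload, nil
}

func main() {
	// Constructed demo secret; the slides do not disclose theirs.
	secret := []byte("demo-secret")
	token := SignHS256([]byte(`{"alg":"HS256","typ":"JWT"}`), []byte(`{"hello":"world"}`), secret)
	fmt.Println("token:", token)
	if payload, err := VerifyHS256(token, secret); err == nil {
		fmt.Println("verified payload:", string(payload))
	}
	// An unsigned token claiming "alg": "none" is rejected before any MAC is computed.
	unsigned := b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." +
		b64.EncodeToString([]byte(`{"hello":"world"}`)) + "."
	_, err := VerifyHS256(unsigned, secret)
	fmt.Println("alg=none accepted?", err == nil)
}
```

A relying party verifying Dex ID tokens would do the same with RS256 and the IdP's public JWK instead of a shared secret; the structure of the check is the same, and the one thing that must not change is that the verifier, not the token, chooses the algorithm.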

Slide 55

No content

Slide 56

Connectors: Delegation of Authentication

Slide 57

Local Connector: Email and password auth

Slide 58

OIDC Connector: Dex as relying party

Slide 59

No content

Slide 60

Future Connectors

Slide 61

SSH Agent Connector: Login with your SSH public key

Slide 62

LDAP Connector: Login with your SSH public key

Slide 63

Dex Features: Automatic Key Rotation

Slide 64

Dex Features: Scalable Architecture

Slide 65

Dex Features: User Management API

Slide 66

Roadmap
● Grouping for Users

Slide 67

Help Wanted
● More Connectors
● Alternative Storage Backends
● U2F and Google Authenticator
● More than one remote identity per user

Slide 68

coreos.com/careers: work with us

Slide 69

@coreoslinux @tectonicstack @brandonphilips: thank you