Slide 1: CoreOS Dex, OAuth 2.0, and OIDC Web Authentication Adventures (@coreoslinux, @brandonphilips)
Slide 2: Brandon Philips, CTO, CoreOS (github.com/philips)
Slide 3: Demo instructions: github.com/philips/hacks, 2015-dex-golangsf
Slide 4: Slides: speakerdeck.com/philips
Slide 5: Identity Plumbing of the Web
Slide 6: No content
Slide 7: Identity: Our Needs
Slide 8: No content
Slide 9: The smartest way to run your container infrastructure. tectonic.com (@tectonicstack)
Slide 10: Quay: Secure hosting for private Docker repositories. quay.io (@quayio)
Slide 11: Why Dex? Solve our own uses: quay.io, tectonic.com
Slide 12: Why Dex? Share an Open Source Solution
Slide 13: Why Dex? Leverage Well Understood Web Security
Slide 14: Identity: OpenID Connect (OIDC)
Slide 15: OIDC: Nothing to do with OpenID
Slide 16: OIDC: OAuth 2.0 with Types
Slide 17: OIDC: Adopted by Google, Facebook, Amazon
Slide 18: OIDC: Lots of Language Libraries
Slide 19: OIDC: http://openid.net/connect/
Slide 20: OAuth 2.0: Client (web app)
Slide 21: OAuth 2.0: Resource Owner
Slide 22: OAuth 2.0: Auth Server
Slide 23: OAuth 2.0: 1. User requests protected page
Slide 24: OAuth 2.0: 2. User redirected to auth page
Slide 25: OAuth 2.0: 3. User authenticates (cookie/pw)
Slide 26: OAuth 2.0: 4. User given authz grant
Slide 27: OAuth 2.0: 5. User presents grant to client
Slide 28: OAuth 2.0: 6. Client exchanges grant for access token
Slide 29: OAuth 2.0: 7. ??? Do stuff
Slide 30: OIDC: Relying Party
Slide 31: OIDC: End User
Slide 32: OIDC: Identity Provider
Slide 33: OIDC: 0. Relying party periodically syncs public key from IdP
Slide 34: OIDC: 1. User requests protected page
Slide 35: OIDC: 2. User redirected to auth page
Slide 36: OIDC: 3. User authenticates (cookie/pw)
Slide 37: OIDC: 4. User given authz grant
Slide 38: OIDC: 5. User presents grant to client
Slide 39: OIDC: 6. Relying party exchanges authz code for ID token
Slide 40: OIDC: 7. Client gets ID token and validates claims
Slide 41: JOSE: JavaScript Object Signing and Encryption
Slide 42: JWK: Cryptographic Key Object
Slide 43: JWS: JSON Web Signature
Slide 44: JWS: <>.<>.<>
Slide 45: JWS: <>.<>.<>
Slide 46: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.lnneNaoem98xYFES3mi2CJJjnMONuWAu-FTWB3XJN14
Slide 47: { "alg": "HS256", "typ": "JWT" }
Slide 48: { "hello": "world" }
Slide 49: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
Slide 50: JWT: JSON Web Token
Slide 51: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lIjoiSmFuZSBEb2UiL...mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2phbmVkb2UvbWUuanBnIn0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 52: { "alg": "HS256", "typ": "JWT" }
Slide 53: { "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://imgur.com/me.jpg" }
Slide 54: JWT Security: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
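The slide 49 formula and the claim validation of slide 40, carried through as an added Go example (this is not code from the talk or from Dex): it mints an HS256 JWS, decodes the slide 46 segments back into the JSON of slides 47 and 48, and verifies a token with the algorithm pinned before the signature is even looked at, which is the defence the slide 54 article calls for. The issuer URL, client id, nonce and secret are constructed values; audiences are compared as a single string, although OIDC also allows an array.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Compact JWS (slides 44-49): base64url(header).base64url(payload).base64url(signature).
var b64 = base64.RawURLEncoding

// decodeSegment turns one base64url segment back into its JSON text (slides 46-48).
func decodeSegment(seg string) (string, error) {
	raw, err := b64.DecodeString(seg)
	return string(raw), err
}

// signHS256 is the slide 49 formula: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
func signHS256(claims map[string]any, secret []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// expectations are fixed by the relying party before it looks at any token (slide 40): Audience is
// the RP's own client_id, Nonce is the value it bound to the login session when it redirected the user.
type expectations struct {
	Issuer, Audience, Nonce string
	Now                     time.Time
}

// verifyHS256 pins the algorithm before touching the signature, so a header carrying "alg":"none"
// or a swapped algorithm (the slide 54 article) is refused without the secret being consulted. A valid
// signature only proves who minted the token; the claim checks prove it was minted for this RP and login.
func verifyHS256(token string, secret []byte, want expectations) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three segments")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("jws: segment %d: %w", i, err)
		}
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return nil, fmt.Errorf("jws: header: %w", err)
	}
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("jws: refusing alg %q, this verifier is pinned to HS256", header.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), raw[2]) { // constant-time comparison
		return nil, errors.New("jws: bad signature")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, fmt.Errorf("jws: payload: %w", err)
	}
	switch { // aud is treated as a single string here; OIDC also allows an array
	case claims["iss"] != want.Issuer:
		return nil, errors.New("claims: wrong issuer")
	case claims["aud"] != want.Audience:
		return nil, errors.New("claims: token was not issued for this client")
	case claims["nonce"] != want.Nonce:
		return nil, errors.New("claims: nonce mismatch (replay or wrong login session)")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || want.Now.After(time.Unix(int64(exp), 0)) {
		return nil, errors.New("claims: token expired or has no exp")
	}
	return claims, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed; a real secret is random and shared only with the IdP
	now := time.Date(2015, 11, 1, 12, 0, 0, 0, time.UTC)
	want := expectations{Issuer: "https://dex.example.com", Audience: "example-rp", Nonce: "n-0S6_WzA2Mj", Now: now}
	token, _ := signHS256(map[string]any{"iss": want.Issuer, "aud": want.Audience, "nonce": want.Nonce, "sub": "248289761001", "exp": now.Add(time.Hour).Unix()}, secret)
	_, err := verifyHS256(token, secret, want)
	fmt.Println("verified:", err == nil)
}
```

The order of the checks is the point: segment count, then algorithm, then signature, then claims. A token whose header names any other algorithm never reaches the HMAC, and a token whose HMAC is wrong never has its claims read.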
Slide 55: No content
Slide 56: Connectors: Delegation of Authentication
Slide 57: Local Connector: Email and Password Auth
Slide 58: OIDC Connector: Dex as relying party
Slide 59: No content
Slide 60: Future Connectors
Slide 61: SSH Agent Connector: Login with your SSH public key
Slide 62: LDAP Connector: Login with your SSH public key
Slide 63: Dex Features: Automatic Key Rotation
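Step 0 on slide 33 (the relying party periodically syncing the IdP's public keys), the JWK of slide 42 and the automatic key rotation of slide 63, as an added Go example rather than Dex's own code: the RP parses a JWKS document into a kid-indexed key set and verifies RS256 tokens against it, so during a rotation in which the IdP publishes both the outgoing and the incoming key, tokens signed with either still verify, and once the old key leaves the published set its tokens are refused. The in-process IdP key and the kid values are constructed; a real IdP serves the JWKS document over HTTPS and the RP refetches it on a timer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the part of an RSA public JWK (slide 42) a relying party needs:
// kid for lookup, n and e as base64url-encoded big-endian integers.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// loadJWKS is the RP side of slide 33 step 0: it parses the IdP's published {"keys":[...]}
// document into a kid-indexed set that replaces the previous one wholesale. Rotation (slide 63)
// works because the IdP keeps publishing a retired key until tokens signed with it have expired;
// once the key leaves the set, tokens carrying its kid are refused.
func loadJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []jwk } // encoding/json matches "keys" case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := make(map[string]*rsa.PublicKey, len(set.Keys))
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("jwk %q: not a well-formed RSA key", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// verifyRS256 checks a compact JWS against the cached key named in its header
// and returns the raw payload; claim checks (slide 40) are a separate step.
func verifyRS256(keys map[string]*rsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jws: expected three segments")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err == nil {
		err = json.Unmarshal(rawHeader, &hdr)
	}
	if err != nil || hdr.Alg != "RS256" { // pin the algorithm before any key is looked up
		return nil, fmt.Errorf("jws: header rejected (alg %q): %v", hdr.Alg, err)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("jws: unknown kid %q", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a malformed signature segment fails the check below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("jws: bad signature")
	}
	return b64.DecodeString(parts[1])
}

// IdP side, kept in-process so the example runs offline: publishJWKS is what a
// real IdP serves at its JWKS URL, signRS256 is how it mints a token under a kid.
func publishJWKS(pubs map[string]*rsa.PublicKey) []byte {
	var keys []jwk
	for kid, pub := range pubs {
		keys = append(keys, jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()),
			E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())})
	}
	doc, _ := json.Marshal(map[string][]jwk{"keys": keys})
	return doc
}

func signRS256(kid string, priv *rsa.PrivateKey, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // does not fail for a valid key
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	prev, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key; the kid below is constructed too
	keys, _ := loadJWKS(publishJWKS(map[string]*rsa.PublicKey{"2015-11-a": &prev.PublicKey}))
	_, err := verifyRS256(keys, signRS256("2015-11-a", prev, []byte(`{"sub":"248289761001"}`)))
	fmt.Println("verified:", err == nil)
}
```

Replacing the key set wholesale on every sync, rather than merging into it, is what makes retirement work: a key the IdP has stopped publishing disappears from the RP on the next sync, and nothing signed with it is accepted afterwards. Refetching on an unknown kid (once, with a rate limit) is the usual way to pick up a rotation between two scheduled syncs.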
Slide 64: Dex Features: Scalable Architecture
Slide 65: Dex Features: User Management API
Slide 66: Roadmap
● Grouping for Users
Slide 67: Help Wanted
● More Connectors
● Alternative Storage Backends
● U2F and Google Authenticator
● > 1 Remote Identities per user
Slide 68: coreos.com/careers, work with us
Slide 69: @coreoslinux @tectonicstack @brandonphilips, thank you