Authentication and Single Sign-On for Mobile, Web & Desktop Applications

Agenda
• Authentication scenarios for mobile applications*
• The Microsoft technology stack**
• Corporate vs customer-facing applications
* WS-Federation, OpenID Connect, OAuth2
** AD, ADFS, AAD, ADAL, Katana

Classic Intranet Scenario
Diagram labels: VPN

Bridging the Gap – On Premise
Diagram labels: ADFS, Web Application Proxy

Cloud
Diagram labels: sync, AAD

Typical Application Scenarios
Diagram: clients (Browser, Native app, Server app) on one side; a Web application and several Web APIs on the other.

Protocols
Diagram: Browser → Web application: WS-Fed, SAML 2.0, OpenID Connect; Native app, Server app and Web application → Web API: OAuth2.

1. Browser to Web Application
Diagram: Browser → Web application (WS-Fed, SAML 2.0, OpenID Connect)

Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
Parties: Browser; WebApp (Katana); ADFS / AAD (SAML, WS-Fed or OpenID Connect endpoint)
WebApp service principal: App ID URI, Reply URL
1. Navigate to site
2. Redirect to token service
3. Sign in
4. Send security token to Reply URL
5. Set session

Katana
Authentication middleware for ASP.NET: WS-Federation, OpenID Connect, JSON Web Tokens, Cookies

OpenID Connect – Request
GET /authorize
  ?client_id=app1
  &scope=openid profile
  &redirect_uri=
  &response_type=id_token
  &response_mode=form_post

OpenID Connect – Response
POST /callback

JSON Web Tokens (JWT)
Header:
{
  "typ": "JWT",
  "alg": "HS256"
}
Claims:
{
  "iss": "",
  "exp": 1340819380,
  "aud": "app1",
  "sub": "182jmm199",
  "email": "",
  "email_verified": true,
  "amr": "password",
  "auth_time": 12340819300
}
Encoded form: Header.Claims.Signature, for example
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

2. Native Client to Web API
Diagram: Native app → Web API (OAuth 2.0)

Native Client to Web API: OAuth 2.0 auth code grant, public client
Parties: NativeApp (ADAL); ADFS / AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana)
NativeApp service principal: Client ID, Redirect URI
WebAPI service principal: App ID URI
1. Request Authorization Code
2. Sign in (user sees web pop up …)
3. Return Authorization Code to Redirect URI

Authorization Code Request/Response
GET https://login/adfs/oauth2/authorize
  ?response_type=code
  &resource=https://myservice
  &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
  &redirect_uri=http://myclient/

<< Stuff happens here to sign the user in... >>

302 Found http://myclient/
  ?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…

Authentication Methods
• Web-based name/password
• 2FA
• Kerberos (ADFS)
• Client certificates (ADFS)

Native Client to Web API: OAuth 2.0 auth code grant, public client
Parties: NativeApp (ADAL; Client ID, Redirect URI); ADFS / AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana; App ID URI)
4. Redeem Authorization Code
5. Return Access Token, Refresh Token
6. Send Access Token on Authorization Header

Token Request/Response
POST https://login/adfs/oauth2/token
  grant_type=authorization_code
  &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
  &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
  &redirect_uri=http://myclient/
  &resource=https://myservice

200 OK
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
 "token_type":"Bearer",
 "expires_in":"3599",
 "refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",

Example AAD JWT Access Token (shortened)
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"
}.
{
  "aud": "http://myService",
  "iss": "-3682-48fd-9efa-2cb2fcea8557/",
  "iat": 1396468289,
  "nbf": 1396468289,
  "exp": 1396472189,
  "ver": "1.0",
  "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
  "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
  "upn": "",
  "sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",
  "family_name": "Baier",
  "given_name": "Dominick",
  "appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d",
}
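Added example, not code from the slides: the checks a relying party (the Katana JWT middleware in the web app, or the Web API receiving the AAD access token above) has to make before trusting any claim of a JWT like the ones on the "JSON Web Tokens (JWT)" and "Example AAD JWT Access Token" slides: three segments, the algorithm pinned by configuration rather than read from the header, the signature over header.claims, then iss, aud and the nbf/exp window. It uses HS256 with a constructed shared secret as the first JWT slide does; ADFS and AAD sign access tokens with RS256 (the x5t header names the signing certificate), so a real Web API verifies with the issuer's public key, but the claim checks are the same. The issuer value and the secret are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.claims.signature the way the token service does (HS256 as on the slide)."""
    header = {"typ": "JWT", "alg": "HS256"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{b64url_encode(sig)}"


def validate_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Relying-party checks, in order: shape, pinned alg, signature, iss, aud, nbf/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    # The alg is fixed by configuration; the untrusted header is only compared against it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different audience")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    return claims
```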

ADAL
Active Directory Authentication Library: open source client library for
• Desktop .NET
• Windows RT
• Windows Phone
• iOS/Android native
• iOS/Android Xamarin

Token Lifetime Management
• ADAL supports token caching (extensible)
• Token renewal via existing logon session
• Refresh tokens

Native Client to Web API: Refresh Tokens
Parties: NativeApp (ADAL; Client ID, Redirect URI); ADFS / AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana; App ID URI)
1. Call WebAPI (Access Token in AuthZ Header)
2. Access Token has expired
3. Request new Access Token with Refresh Token
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header
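Added example (not ADAL's code and not from the slides) of the public-client side of the two flows above: the authorization code request and redemption from the "Authorization Code Request/Response" and "Token Request/Response" slides, and the renewal with a refresh token once the cached access token has expired. The endpoints, parameter names and the string-valued expires_in are taken from the slides; the state parameter, the injected `post` transport and `fake_adfs_token_endpoint` (a constructed stand-in, not a real ADFS) are assumptions added here.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login/adfs/oauth2/authorize"  # endpoints as on the slides
TOKEN_ENDPOINT = "https://login/adfs/oauth2/token"


class NativeClient:
    def __init__(self, client_id, redirect_uri, resource, post):  # post(url, form) -> dict, injected transport
        self.client_id, self.redirect_uri, self.resource, self.post = client_id, redirect_uri, resource, post
        self.pending_state = None
        self.cache = None  # {"access_token", "refresh_token", "expires_at"}: the role ADAL's token cache plays

    def authorize_url(self):
        """Step 1: request an authorization code; `state` ties the reply back to this request."""
        self.pending_state = secrets.token_urlsafe(16)
        query = {"response_type": "code", "resource": self.resource, "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "state": self.pending_state}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(query)

    def handle_redirect(self, location, now):
        """Steps 3-4: the 302 to the redirect URI carries ?code=...; redeem it at the token endpoint."""
        query = parse_qs(urlparse(location).query)
        if self.pending_state is None or query.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch: reply is not bound to a request this client made")
        self.pending_state = None
        return self._redeem({"grant_type": "authorization_code", "code": query["code"][0],
                             "redirect_uri": self.redirect_uri}, now)

    def _redeem(self, form, now):
        form.update({"client_id": self.client_id, "resource": self.resource})
        reply = self.post(TOKEN_ENDPOINT, form)
        self.cache = {"access_token": reply["access_token"], "refresh_token": reply["refresh_token"],
                      "expires_at": now + int(reply["expires_in"])}  # expires_in is the string "3599" on the slide
        return self.cache["access_token"]

    def authorization_header(self, now):
        """Step 6 and the refresh-token slide: reuse the cached token, renew it once expired."""
        if self.cache is None:
            raise RuntimeError("not signed in")
        if now >= self.cache["expires_at"]:
            self._redeem({"grant_type": "refresh_token", "refresh_token": self.cache["refresh_token"]}, now)
        return {"Authorization": "Bearer " + self.cache["access_token"]}


def fake_adfs_token_endpoint(url, form):
    """Constructed stand-in for the ADFS token endpoint so the flow runs offline; not a real server."""
    if url == TOKEN_ENDPOINT and form["grant_type"] == "authorization_code" and form["code"] == "AwABAAAAvPM1":
        return {"access_token": "at-1", "token_type": "Bearer", "expires_in": "3599", "refresh_token": "rt-1"}
    if url == TOKEN_ENDPOINT and form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "token_type": "Bearer", "expires_in": "3599", "refresh_token": "rt-2"}
    raise ValueError("invalid_grant")
```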

What about SPAs?
• Brand new ADAL.js library (preview)
• Familiar programming interface, AngularJS support
• Support for OAuth2 “Implicit Flow”
• Simplified flow – no server back-end required
• Currently AAD only

3. Web Application to Web API
Diagram: Browser → Web application → Web API

Options
• Web app calls Web API using its own identity: trusted subsystem design; OAuth2 client credential flow or code flow
• Web app calls Web API using the user's identity: OpenID Connect and/or OAuth2 code flow

Web App to Web API: OAuth 2.0 client credentials
Parties: Browser; WebApp (Katana, ADAL); AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential); WebAPI SP (App ID URI)
1. Signed in, using the web app…
2. Request token (Client ID, Credential*, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header
* The application’s credential can be a password, or it can be an assertion (a JWT token) signed with a private key.

Web App to Web API: Delegation with OpenID Connect
Parties: Browser; WebApp (Katana, ADAL); AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential); WebAPI SP (App ID URI)
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in
4. Return ID Token and Auth Code to Redirect URI
6. Set session
Note: might require user consent

Web App to Web API: Delegation with OpenID Connect
Parties: Browser; WebApp (WIF / OWIN, Katana, ADAL); AAD (Authorize Endpoint, Token Endpoint); WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential); WebAPI SP (App ID URI)
7. Request access token
8. Return access token, refresh token
9. Call web API with Access Token in AuthZ Header

B2B vs B2C
• AD traditionally geared towards corporate identities
• ADFS & AAD are protocol / infrastructure extensions
• What about customer identities & applications?
• Where to store identities?
• What about social logins?

B2B & B2C Hybrid Architecture
Diagram labels: ADFS, Customer Accounts, AAD, Thinktecture IdentityServer

Feature Matrix (non-exhaustive)

Feature                  ADFS (2012R2)            Azure AD    IdentityServer v3
Type                     Domain joined            SaaS        Standalone
WS-Federation            yes                      yes         yes
WS-Trust                 yes                      no          no
OAuth2 Code Flow         yes                      yes         yes
Resource Owner Flow      no                       yes         yes
Implicit Flow            no                       yes         yes
Client Credentials Flow  no                       yes         yes
Social Logins            no                       no          yes
OpenID Connect           no                       yes         yes
Saml2p                   yes                      yes         no
Price Model              Part of Windows Server   Freemium    Free (OSS)

Thank you
@leastprivilege