Slide 1

AUTHENTICATION IN WEB, API-BASED & DISTRIBUTED ENVIRONMENTS
Niko Köbler (@dasniko)

Slide 2

ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing software, > 20 yrs
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international tech conferences
▸ Author of „Serverless Computing in AWS Cloud“, serverlessbuch.de
▸ Twitter: @dasniko

SSO & AUTHENTICATION IN API-BASED ENVIRONMENTS

Slide 3

AUTHENTICATION / AUTHORIZATION

Authentication establishes who the caller is; authorization decides what that caller may do. The two are separate concerns, and the rest of the deck keeps them apart.

Slide 5

?

Slide 12

OAUTH2: AUTHORIZATION, NOT AUTHENTICATION!

"The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service." IETF, RFC 6749 (Abstract), 2012

An access token says what a client may do with an API, not who the user is. A client that has received an access token has not authenticated anybody.

Slide 13

OAUTH2 GRANT TYPES

Grant type                           Typical clients
Authorization Code                   Web apps and native/mobile apps (confidential clients; public clients with PKCE)
Implicit                             JavaScript / browser apps (legacy)
Resource Owner Password Credentials  Apps that collect the user's password themselves (legacy)
Client Credentials                   Server-side/backend services acting as themselves (machine-to-machine, no user involved)
Refresh Token                        Web, Apps (exchanges a refresh token for a new access token, RFC 6749 section 6)

Caveat: RFC 6749 defines all of these, but the OAuth 2.0 Security Best Current Practice (RFC 9700) says the Implicit and Resource Owner Password Credentials grants must not be used any more. New clients of every type should use Authorization Code, with PKCE.

Slide 14

OAUTH2 TERMS
▸ Resource Owner
▸ Client
▸ Authorization Server
▸ Resource Server
▸ Redirect URI
▸ Response Type
▸ Scope
▸ Consent
▸ Client ID
▸ Client Secret
▸ Authorization Code
▸ Access Token
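
The grant-type table (slide 13) and the term list above become concrete when both sides of the Authorization Code flow are written out. The following is an added example, not code from the slides or from the author: a constructed toy authorization server and client in one process, with no network. The client id `myApi-web`, its secret, the redirect URI `https://app.example/callback`, the server URL and the class names are assumptions for illustration. It also goes beyond the slides by including PKCE (RFC 7636) and an exact redirect_uri match, because the OAuth 2.0 Security BCP (RFC 9700) requires both; the slides do not cover them.

```python
"""Authorization code grant, both sides in one process (added example, not from the deck).

Constructed toy authorization server and client; the client id, secret, URLs and
class names are assumptions. PKCE and exact redirect_uri matching are included
because RFC 9700 requires them.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AS_URL = "https://sso.myapi.com"  # assumed authorization server (the issuer used on slide 22)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthServer:
    """Authorization server: authorize() issues a code, token() redeems it."""

    def __init__(self):
        # client_id -> (client_secret, set of exactly registered redirect URIs)
        self.clients = {"myApi-web": ("s3cret-web", {"https://app.example/callback"})}
        self.codes = {}  # code -> binding record, deleted on first use

    def authorize(self, params, resource_owner):
        """Called after the resource owner has logged in and given consent."""
        _, redirect_uris = self.clients[params["client_id"]]
        if params["redirect_uri"] not in redirect_uris:  # exact string match, no prefixes
            raise ValueError("invalid_request: redirect_uri not registered")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params.get("scope", ""), "challenge": params["code_challenge"],
                            "sub": resource_owner, "exp": time.time() + 60}
        # state is echoed back unchanged so the client can bind the response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Token endpoint for grant_type=authorization_code (confidential client)."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        secret, _ = self.clients[form["client_id"]]
        if not secrets.compare_digest(secret, form.get("client_secret", "")):
            raise ValueError("invalid_client")
        rec = self.codes.pop(form["code"], None)  # pop: a code can be redeemed exactly once
        if rec is None or rec["exp"] < time.time():
            raise ValueError("invalid_grant: unknown, used or expired code")
        if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code bound to another client or redirect_uri")
        expected = b64url(hashlib.sha256(form["code_verifier"].encode()).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):  # PKCE S256 check
            raise ValueError("invalid_grant: PKCE verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class Client:
    """Confidential web client: remembers state -> code_verifier until the callback arrives."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = {}

    def start_login(self, scope="openid profile"):
        verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return AS_URL + "/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": state, "code_challenge_method": "S256",
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())})

    def handle_callback(self, redirect_url):
        q = query(redirect_url)
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:  # unknown or already used state: CSRF or a replayed callback
            raise ValueError("state mismatch")
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "client_secret": self.client_secret, "code_verifier": verifier})


def run_flow():
    """Happy path, then a second code redeemed twice to show that a code is single use."""
    srv = AuthServer()
    cli = Client(srv, "myApi-web", "s3cret-web", "https://app.example/callback")
    back = srv.authorize(query(cli.start_login()), resource_owner="1234567890")  # browser round trip
    token_response = cli.handle_callback(back)

    q2 = query(srv.authorize(query(cli.start_login()), resource_owner="1234567890"))
    form = {"grant_type": "authorization_code", "code": q2["code"], "redirect_uri": cli.redirect_uri,
            "client_id": cli.client_id, "client_secret": cli.client_secret,
            "code_verifier": cli.pending[q2["state"]]}
    srv.token(form)  # first redemption succeeds
    try:
        srv.token(form)
        code_reused = True
    except ValueError:
        code_reused = False
    return token_response, code_reused


if __name__ == "__main__":
    print(run_flow())
```

Every check in `token()` exists because of a known attack: the secret check keeps a public client from impersonating a confidential one, the single-use pop stops code replay, the client/redirect_uri binding stops a code stolen via a leaky redirect from being redeemed elsewhere, and PKCE stops an interceptor who never had the verifier. On the client side, an unknown `state` means the callback was not started by this client.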

Slide 16

ACCESS TOKEN (token endpoint response)

{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}

The access token here is opaque to the client: a random identifier the resource server looks up or introspects. "Bearer" (RFC 6750) means whoever presents the token gets the access, so it travels only over TLS in the Authorization header, never in a URL or a log line, and the refresh token is a long-lived credential that deserves the same care as a password.

Slide 17

OPENID CONNECT: AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OpenID Foundation, 2014

Slide 18

OIDC

{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "???",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}

OPENID CONNECT ADDS THE ID TOKEN. The response parameter is named id_token (OpenID Connect Core 1.0, section 3.1.3.3). It carries the authentication result for the client; the access token still only grants API access.

Slide 19

JWT: JSON WEB TOKEN
RFC 7519 standard, 2015

Slide 20

JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Three base64url-encoded parts separated by dots: header.payload.signature. Encoding is not encryption: anyone holding the token can read the header and the payload; only the signature (here HMAC-SHA256, "alg": "HS256" in the header) lets a verifier detect that either was changed.

Slide 21

JSON WEB TOKEN

Slide 22

JWT PAYLOAD

{
  "sub": "1234567890",
  "iss": "https://sso.myapi.com",
  "aud": "myApi",
  "exp": 1479814753,
  "name": "John Doe",
  "admin": true
}

REGISTERED CLAIMS (RFC 7519 section 4.1): sub, iss, aud, exp. A resource server checks that exp is in the future, that iss is the issuer it trusts and that aud names itself. name and admin are application-specific claims; they may be trusted only after the signature and those three checks have passed.
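
Slides 20 and 22 show what a JWT looks like and which claims matter; the following added example (not code from the deck or its author) shows the verification a resource server has to do with nothing but the standard library. The HMAC key, the issuer `https://sso.myapi.com` and the audience `myApi` are assumptions taken from the slide payload; `SLIDE_TOKEN` is the token from slide 20, which is only decoded here, not signature-checked, because its signing key is not on the page. The example also goes beyond the slides by showing three tokens that must be rejected: an expired one, a payload edited after signing, and a header rewritten to `"alg": "none"`.

```python
"""Decode and verify an HS256 JWT with the standard library (added example, not from the deck).

Key, issuer and audience are assumptions. Order of checks: algorithm allow-list,
signature, exp, iss, aud; only then are application claims such as "admin" trusted.
"""
import base64
import hashlib
import hmac
import json
import time

# Token from slide 20 (jwt.io style example); decoded below, not signature-checked.
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
               "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")
KEY = b"demo-hmac-key-do-not-use"  # assumed shared secret between issuer and API


class InvalidToken(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT strips the '=' padding


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims, key):
    """Issuer side: header.payload signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def peek(token):
    """Header and payload WITHOUT verification; for logging and debugging only."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token, key, issuer, audience, now=None):
    """Resource-server side: returns the claims, or raises InvalidToken."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Allow-list the algorithm: never let the token's own header choose it, so
    # "none" is refused and an RS256 token cannot be checked with the HMAC key.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p))  # decoded only after the signature is good
    if claims.get("exp") is None or now >= claims["exp"]:
        raise InvalidToken("expired or missing exp")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise InvalidToken("token not meant for this audience")
    return claims


def demo():
    """One valid token and four that must be refused; 'now' is fixed before the slide's exp."""
    iss, aud, t = "https://sso.myapi.com", "myApi", 1479814000
    claims = {"sub": "1234567890", "iss": iss, "aud": aud, "exp": 1479814753,
              "name": "John Doe", "admin": False}
    good = sign_hs256(claims, KEY)
    h, p, s = good.split(".")
    tampered_p = b64url_encode(json.dumps(dict(claims, admin=True), separators=(",", ":")).encode())
    tampered = f"{h}.{tampered_p}.{s}"            # payload edited, original signature kept
    none_h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    alg_none = f"{none_h}.{tampered_p}."          # header rewritten, signature dropped
    out = {"slide_payload": peek(SLIDE_TOKEN)[1],
           "valid": verify_hs256(good, KEY, iss, aud, now=t)}
    for name, tok, when, a in [("expired", good, 1479814753, aud), ("wrong_aud", good, t, "otherApi"),
                               ("tampered", tampered, t, aud), ("alg_none", alg_none, t, aud)]:
        try:
            verify_hs256(tok, KEY, iss, a, now=when)
            out[name] = "ACCEPTED"
        except InvalidToken as e:
            out[name] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ordering is the point: `peek()` is what a browser debugger does and is fine for reading a token, but nothing it returns may drive an authorization decision. `verify_hs256()` fixes the algorithm before looking at anything else, compares the MAC in constant time, and checks exp, iss and aud before the caller ever sees `admin`. For a production system use a maintained JWT/JOSE library and, for ID tokens, the issuer's published RS256/ES256 keys; the checks stay the same.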

Slide 23

OPENID CONNECT STANDARD CLAIMS
http://openid.net/specs/openid-connect-core-1_0.html

Slide 24

ACCESS TOKEN (OIDC token endpoint response)

{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}

The id_token is the JWT from the previous slides; the access token can stay an opaque string. The client validates the ID token (signature, iss, aud equal to its own client ID, exp) and then knows who logged in.

Slide 29

THANK YOU. ANY QUESTIONS?
Slides: https://speakerdeck.com/dasniko
Niko Köbler | www.n-k.de | [email protected] | @dasniko