Slide 1

Slide 1 text

Unifying Authentication and Delegated API Access: OpenID Connect & OAuth2
Dominick Baier, http://leastprivilege.com, @leastprivilege
think mobile!

Slide 2

Slide 2 text

Dominick Baier
• Security consultant at thinktecture
• Focus on
  – security in distributed applications
  – identity management
  – access control
  – Windows/.NET security
  – mobile app security
• Microsoft MVP for Developer Security
• ASP.NET Web API Advisor
• [email protected]
• http://leastprivilege.com

Slide 3

Slide 3 text

Agenda
• Why
• How

Slide 4

Slide 4 text

Authentication & Trusted Subsystem Design
Diagram labels: Trusted Subsystem

Slide 5

Slide 5 text

Authentication & Trusted Subsystem Design
Diagram labels: Trusted Subsystem, SAML2p & WS-Federation, T

Slide 6

Slide 6 text

Delegated Service/API Access
Diagram labels: Trust Boundary, ?, ?

Slide 7

Slide 7 text

Delegated Service/API Access
Diagram labels: Trust Boundary, T, T, T, OAuth2, WS-Trust

Slide 8

Slide 8 text

What's wrong with SAML (& WS-Federation)
Craig Burton (#CIS2012):
"SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it has no future."
SAML is dead != SAML is bad.
SAML is dead != SAML isn't useful.
SAML is dead means SAML != the future.

Slide 9

Slide 9 text

What's wrong with OAuth2

Slide 10

Slide 10 text

"OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol."
• Authentication protocol on top of OAuth2
  – defines identity tokens
  – defines standard token type
  – defines standard cryptography
  – defines validation procedures
  – defines standard scopes
  – combines authentication with short/long-lived delegated API access
  – defines flows for native, browser and server-based applications

Slide 11

Slide 11 text

http://openid.net/connect/

Slide 12

Slide 12 text

Flows
• Implicit Flow
  – native/browser/web applications
  – no explicit client authentication
• Authorization Code Flow
  – server-based applications
  – stronger authentication
  – long lived API access
• Hybrid Flow
  – "in-between"

Slide 13

Slide 13 text

Excursion: Endpoints
• Authorize Endpoint
• Token Endpoint
• UserInfo Endpoint

Slide 14

Slide 14 text

Implicit Flow – Web Applications

GET /authorize
    ?client_id=app1
    &scope=openid email
    &redirect_uri=https://app.com/cb
    &response_type=id_token
    &response_mode=form_post

Slide 15

Slide 15 text

Excursion: Scopes

Scope           Claims
profile         name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at
email           email, email_verified
address         address
phone           phone_number, phone_number_verified
offline_access  requests refresh token

Slide 16

Slide 16 text

Authentication

Slide 17

Slide 17 text

Consent

Slide 18

Slide 18 text

Response

POST /callback

Slide 19

Slide 19 text

Excursion: Identity Token

Header:
{
  "typ": "JWT",
  "alg": "HS256"
}

Claims:
{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": "password",
  "auth_time": 12340819300
}

Encoded form: Header.Claims.Signature
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
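The validation procedure the deck lists for identity tokens (signature, issuer, audience, expiry), as an added Python example that is not part of the slides; the shared HS256 key, the token builder and the expected values are constructed for the demo, and the checks are the ones a relying party performs before trusting the claims.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret shared between the issuer and the client (not from the slides).
DEMO_KEY = b"demo-shared-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Builds header.claims.signature so the validator below has input to check.
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token, key, issuer, client_id, now=None, nonce=None):
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's own header choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    # nonce ties the token to the authorize request that asked for it (optional here).
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims
```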

Slide 20

Slide 20 text

Excursion: Discovery

Slide 21

Slide 21 text

Katana Middleware for OpenID Connect

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Client_Id = "implicitclient",
    Authority = Constants.BaseAddress,
    Redirect_Uri = "http://localhost:2671/",
    Response_Type = "id_token token",
    Scope = "openid email",
    SignInAsAuthenticationType = "Cookies"
});

Slide 22

Slide 22 text

Implicit Flow for Client-side Applications

GET /authorize
    ?client_id=app1
    &scope=openid email
    &redirect_uri=oob://app1/cb
    &response_type=id_token

Slide 23

Slide 23 text

Response

GET /cb
    #id_token=x12f…zsz

Slide 24

Slide 24 text

Combining Authentication with API Access

GET /authorize
    ?client_id=app1
    &scope=openid email api1 api2
    &redirect_uri=oob://app1/cb
    &response_type=id_token token

Slide 25

Slide 25 text

Response

GET /cb
    #id_token=x12f…zsz
    &token=32x…133
    &expires_in=3600
    &token_type=bearer

Slide 26

Slide 26 text

Accessing the API

Authorization: Bearer <token>

Slide 27

Slide 27 text

Authorization Code Flow: Long lived API Access

GET /authorize
    ?client_id=app1
    &scope=openid email api1 api2
    &redirect_uri=https://app.com/callback
    &response_type=code

Slide 28

Slide 28 text

Response

GET /callback?code=xdf123

Slide 29

Slide 29 text

Back-channel Communication

Client → Token Endpoint: code (authenticated with client_id:client_secret)
Token Endpoint → Client:
{
  access_token: "xyz…123",
  expires_in: 3600,
  token_type: bearer,
  refresh_token: "dxy…103"
}
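The back-channel code exchange from the slides above, as an added Python example that is not part of the deck: a minimal token endpoint that authenticates the client with client_id:client_secret, redeems the code once, and returns the access/refresh token document. The client registry, code store, TTL and the `offline_access` rule for issuing a refresh token are constructed assumptions for the demo.

```python
import base64, hmac, secrets

# Constructed demo registrations and code store (not from the slides).
CLIENTS = {"app1": {"secret": "s3cret", "redirect_uri": "https://app.com/callback"}}
CODES = {}          # code -> details recorded when the authorize endpoint issued it
CODE_TTL = 60       # seconds a code stays redeemable

def issue_code(client_id, redirect_uri, sub, scope, now):
    """What the authorize endpoint stores when it hands a code to the front channel."""
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "sub": sub, "scope": scope, "issued": now}
    return code

def basic_auth_header(client_id, secret):
    # How the client presents client_id:client_secret on the back channel.
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def parse_basic_auth(header):
    scheme, _, b64 = (header or "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(b64).decode().partition(":")
    except ValueError:
        return None
    return user, pw

def token_endpoint(authorization, form, now):
    """Return (status, json_body) for a POST to the token endpoint."""
    creds = parse_basic_auth(authorization)
    client = CLIENTS.get(creds[0]) if creds else None
    if client is None or not hmac.compare_digest(creds[1], client["secret"]):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    entry = CODES.pop(form.get("code"), None)   # single use: removed on first redemption
    if (entry is None or entry["client_id"] != creds[0]
            or entry["redirect_uri"] != form.get("redirect_uri")
            or now - entry["issued"] > CODE_TTL):
        return 400, {"error": "invalid_grant"}
    tokens = {"access_token": secrets.token_urlsafe(24),
              "expires_in": 3600, "token_type": "bearer"}
    if "offline_access" in entry["scope"].split():
        tokens["refresh_token"] = secrets.token_urlsafe(24)
    return 200, tokens
```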

Slide 30

Slide 30 text

Summary
• OpenID Connect is the future
• Replaces
  – SAML2p & WS-Federation
  – home-grown OAuth2 authentication extensions
• Combines authentication & API access
• http://openid.net/developers/libraries/
• http://osis.idcommons.net/wiki/Category:OC5_Participant
• https://github.com/thinktecture/Thinktecture.IdentityServer.v3

Slide 31

Slide 31 text

Excursion: Session Management
• OpenID Connect specifies a logout endpoint
  – aka end_session_endpoint
• Cross-client cleanup is a much debated topic right now
  – JS iframe/eventing approach
  – back-channel cleanup
  – front-channel cleanup

Slide 32

Slide 32 text

Excursion: Client Registration

Slide 33

Slide 33 text

thank you!