Unifying Authentication & Delegated API Access (NDC Oslo 2014)

Slide 1

Slide 1 text

Unifying Authen-ca-on and delegated API Access OpenID Connect & OAuth2 Dominick Baier h@p://leastprivilege.com @leastprivilege think mobile!

Slide 2

Slide 2 text

2 @leastprivilege Dominick Baier •  Security consultant at thinktecture •  Focus on –  security in distributed applica9ons –  iden9ty management –  access control –  Windows/.NET security –  mobile app security •  MicrosoI MVP for Developer Security •  ASP.NET Web API Advisor •  [email protected] •  h@p://leastprivilege.com think mobile!

Slide 3

Slide 3 text

3 @leastprivilege Agenda •  Why •  How

Slide 4

Slide 4 text

4 @leastprivilege Authen9ca9on & Trusted Subsystem Design Trusted Subsystem

Slide 5

Slide 5 text

5 @leastprivilege Authen9ca9on & Trusted Subsystem Design Trusted Subsystem SAML2p & WS-‐Federa-on T

Slide 6

Slide 6 text

6 @leastprivilege Delegated Service/API Access Trust Boundary ? ?

Slide 7

Slide 7 text

7 @leastprivilege Delegated Service/API Access Trust Boundary T T T OAuth2 WS-‐Trust

Slide 8

Slide 8 text

8 @leastprivilege What's wrong with SAML (& WS-‐Federa9on) Craig Burton (#CIS2012): SAML is the Windows XP of Iden-ty. No funding. No innova-on. People s-ll use it. But it has no future SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.

Slide 9

Slide 9 text

9 @leastprivilege What's wrong with OAuth2

Slide 10

Slide 10 text

10 @leastprivilege •  Authen-ca-on protocol on top of OAuth2 –  defines iden9ty tokens –  defines standard token type –  defines standard cryptography –  defines valida9on procedures –  defines standard scopes –  combines authen9ca9on with short/long-‐lived delegated API access –  defines flows for na9ve, browser and server-‐based applica9ons "OpenID Connect 1.0 is a simple iden-ty layer on top of the OAuth 2.0 protocol."

Slide 11

Slide 11 text

11 @leastprivilege h\p://openid.net/connect/

Slide 12

Slide 12 text

12 @leastprivilege Flows •  Implicit Flow –  na9ve/browser/web applica9ons –  no explicit client authen9ca9on •  Authoriza-on Code Flow –  server-‐based applica9ons –  stronger authen9ca9on –  long lived API access •  Hybrid Flow –  "in-‐between"

Slide 13

Slide 13 text

13 @leastprivilege Excursion: Endpoints Authorize Endpoint Token Endpoint UserInfo Endpoint

Slide 14

Slide 14 text

14 @leastprivilege Implicit Flow – Web Applica9ons GET /authorize ?client_id=app1 &scope=openid email &redirect_uri=h@ps://app.com/cb &response_type=id_token &response_mode=form_post

Slide 15

Slide 15 text

15 @leastprivilege Excursion: Scopes Scope Claims profile name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at email email, email_verified address address phone phone_number, phone_number_verified offline_access requests refresh token

Slide 16

Slide 16 text

16 @leastprivilege Authen9ca9on

Slide 17

Slide 17 text

17 @leastprivilege Consent

Slide 18

Slide 18 text

18 @leastprivilege Response POST /callback

Slide 19

Slide 19 text

19 @leastprivilege Excursion: Iden9ty Token { "typ": "JWT", "alg": "HS256" } { "iss": "https://idsrv3", "exp": 1340819380, "aud": "app1", "sub": "182jmm199", "email": "[email protected]", "email_verified": true, "amr": "password", "auth_time": 12340819300 } Header Claims eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt Header Claims Signature

Slide 20

Slide 20 text

20 @leastprivilege Excursion: Discovery

Slide 21

Slide 21 text

21 @leastprivilege Katana Middleware for OpenID Connect app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" }); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { Client_Id = "implicitclient", Authority = Constants.BaseAddress, Redirect_Uri = "http://localhost:2671/", Response_Type = "id_token token", Scope = "openid email", SignInAsAuthenticationType = "Cookies" };

Slide 22

Slide 22 text

22 @leastprivilege Implicit Flow for Client-‐side Applica9ons GET /authorize ?client_id=app1 &scope=openid email &redirect_uri=oob://app1/cb &response_type=id_token

Slide 23

Slide 23 text

23 @leastprivilege Response GET /cb #id_token=x12f…zsz

Slide 24

Slide 24 text

24 @leastprivilege Combining Authen9ca9on with API Access GET /authorize ?client_id=app1 &scope=openid email api1 api2 &redirect_uri=oob://app1/cb &response_type=id_token token

Slide 25

Slide 25 text

25 @leastprivilege Response GET /cb #id_token=x12f…zsz &token=32x…133 &expires_in=3600 &token_type=bearer

Slide 26

Slide 26 text

26 @leastprivilege Accessing the API Authoriza-on: Bearer

Slide 27

Slide 27 text

27 @leastprivilege Authoriza9on Code Flow: Long lived API Access GET /authorize ?client_id=app1 &scope=openid email api1 api2 &redirect_uri=h@ps://app.com/callback &response_type=code

Slide 28

Slide 28 text

28 @leastprivilege Response GET /callback?code=xdf123

Slide 29

Slide 29 text

29 @leastprivilege Back-‐channel Communica9on code (client_id:client_secret) { access_token: "xyz…123", expires_in: 3600, token_type: bearer, refresh_token: "dxy…103" }

Slide 30

Slide 30 text

30 @leastprivilege Summary •  OpenID Connect is the future •  Replaces –  SAML2p & WS-‐Federa9on –  home-‐grown OAuth2 authen9ca9on extensions •  Combines authen-ca-on & API access •  h@p://openid.net/developers/libraries/ •  h@p://osis.idcommons.net/wiki/Category:OC5_Par-cipant •  h@ps://github.com/thinktecture/ Thinktecture.Iden-tyServer.v3

Slide 31

Slide 31 text

31 @leastprivilege Excursion: Session Management •  OpenID Connect speciﬁes a logout endpoint –  aka end_session_endpoint •  Cross-‐client cleanup is a much debated topic right now –  JS iframe/even9ng approach –  back-‐channel cleanup –  front-‐channel cleanup