Slide 1

Slide 1 text

Authentication and Access Control using OpenID Connect, JWT and IdentityServer3 Pedro Félix - @pmhsfelix Community Morning #3

Slide 2

Slide 2 text

Outline • Authentication and access control on modern Web Apps and APIs • OAuth 2.0, OpenID Connect and JWT • IdentityServer3

Slide 3

Slide 3 text

whoami • Teacher at the Lisbon Polytechnic Institute (ISEL) • Software developer and consultant • Telco and media industries • Focus on Web APIs, Identity and Access Management • Designing Evolvable Web APIs with ASP.NET, O’Reilly, 2014 See http://webapibook.net/

Slide 4

Slide 4 text

Once upon a time... (diagram: a Web App and U+P. In these diagrams U+P stands for username and password, C for a session cookie and T for a token.)

Slide 5

Slide 5 text

Once upon a time... (diagram: Web App; U+P, then C)

Slide 6

Slide 6 text

Multiple sites (diagram: two Web Apps, each with its own U+P and C)

Slide 7

Slide 7 text

Identity Providers, Relying Parties, Federation Protocols: SAML, SAMLP, WS-Fed (diagram: two Web Apps as relying parties and one Identity Provider; U+P goes to the Identity Provider, T to the relying parties, C at each Web App)

Slide 8

Slide 8 text

Backend Services (diagram: two Web Apps calling backend Services; U+P, C)

Slide 9

Slide 9 text

Trusted Subsystem (diagram: two Web Apps calling Services; labels U+P, C and U)

Slide 10

Slide 10 text

Tokens (diagram: two Web Apps calling a Web API with T; U+P, C)

Slide 11

Slide 11 text

(diagram, continued: two Web Apps, Web API; U+P, C, T)

Slide 12

Slide 12 text

Token Providers (aka STS, aka AS) (diagram: an Authz Server issues T to the Web Apps, which present T to the Web API; U+P, C)

Slide 13

Slide 13 text

(diagram: two Web Apps, two Web APIs, a Native App and the Authz Server; U+P, C, T)

Slide 14

Slide 14 text

(diagram: two Web Apps, two Web APIs, a Native App, a SPA and the Authz Server; U+P, C, T)

Slide 15

Slide 15 text

(diagram: two Web Apps, an Identity Provider, two Web APIs, a Native App, a SPA and the Authz Server; U+P, C, T)

Slide 17

Slide 17 text

Challenges • How to achieve single sign-in between multiple apps? • How to use social and partner identities? • How to access social and partner APIs? • How to secure my APIs from internal and external clients?

Slide 18

Slide 18 text

Technologies • Federation • SAMLP and WS-Fed protocols • OpenID protocol • SAML format (XML-based)

Slide 19

Slide 19 text

Technologies • Federation • SAMLP and WS-Fed protocols • OpenID protocol • SAML format (XML-based) • Token Based Access • WS-Security, WS-Trust • OAuth 1.0 • OAuth 2.0

Slide 21

Slide 21 text

OAuth 2.0 • Defines how to associate an access token with an HTTP request

Slide 22

Slide 22 text

OAuth 2.0 • Defines how to associate an access token with an HTTP request • Defines protocols for a client application to obtain access tokens...

Slide 23

Slide 23 text

OAuth 2.0 • Defines how to associate an access token with an HTTP request (bearer token usage, RFC 6750) • Defines protocols for a client application to obtain access tokens... • ... on its own behalf (server – server; the client credentials grant) • Client application identity • ... on a user's behalf (user – server; e.g. the authorization code grant) • Client application identity • User identity • Delegated authorization scope

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

http://openid.net/connect/

Slide 28

Slide 28 text

Authorization request (diagram: the Web App redirects the browser to the Authz Server): client_id, scope, response_type, ... plus the OpenID Connect additions prompt, login_hint, response_mode, ...

Slide 29

Slide 29 text

Authentication & Consent (diagram: the user authenticates and consents at the Authz Server)

Slide 30

Slide 30 text

Authorization response (diagram: the Authz Server redirects the browser back to the Web App): code, access_token, ... and id_token

Slide 31

Slide 31 text

Authorization response: code, access_token, ... and id_token, an interoperable and protected claims container

Slide 32

Slide 32 text

(diagram: with the code flow, the Web App redeems the code at the Authz Server for an access_token and an id_token)

Slide 33

Slide 33 text

(diagram, continued: the Web App then calls the Web API, presenting the access_token)

Slide 34

Slide 34 text

UserInfo Endpoint, Offline access (diagram: the Web App presents the access_token to the Authz Server's UserInfo Endpoint; offline access, the offline_access scope, lets it keep calling APIs through a refresh token when the user is no longer present)
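
The request and response shown on the preceding slides, as an added example (not code from the talk or from IdentityServer3): a relying party builds the authorization request with the parameters listed on slide 28 and then validates the redirect back. The endpoint URL, client_id and redirect_uri are assumptions, and the callback used at the bottom is constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example: the real ones come from the authorization
# server's discovery document and from the client registration.
AUTHORIZE_ENDPOINT = "https://id.example.com/connect/authorize"
CLIENT_ID = "app1"
REDIRECT_URI = "https://app1.example.com/signin-oidc"


class PendingAuthorizations:
    """One instance per browser session. Remembers state -> nonce for requests
    that are in flight; each state is honoured exactly once, so a replayed or
    attacker-forged callback is dropped instead of logging the victim in."""

    def __init__(self):
        self._pending = {}

    def build_request(self, scope="openid profile", response_type="code", **extra):
        """Return (authorize_url, state, nonce) for the slide's request parameters."""
        state = secrets.token_urlsafe(32)   # ties the callback to this session (login CSRF)
        nonce = secrets.token_urlsafe(32)   # must come back inside the id_token (replay)
        self._pending[state] = nonce
        params = {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": response_type,  # "code", "id_token", "id_token token", ...
            "scope": scope,                  # "openid" is what turns OAuth 2.0 into OIDC
            "state": state,
            "nonce": nonce,
        }
        params.update(extra)                 # prompt, login_hint, response_mode, ...
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce

    def handle_callback(self, params):
        """`params` is the redirect's query string (response_mode=query, the code
        flow default) or the POSTed form (response_mode=form_post), as a flat dict.
        Returns (code, nonce) on success and raises ValueError otherwise."""
        state = params.get("state")
        nonce = self._pending.pop(state, None) if state else None   # single use
        if nonce is None:
            raise ValueError("unknown or already used state; response dropped")
        if "error" in params:
            raise ValueError(f"authorization server returned {params['error']}")
        code = params.get("code")
        if not code:
            raise ValueError("no authorization code in the response")
        return code, nonce


def parse_redirect(url):
    """Flatten a redirect URL's query string into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    session = PendingAuthorizations()
    url, state, _ = session.build_request(prompt="login", login_hint="pedro")
    print(url)
    # Constructed callback, as the Authz Server would redirect the browser to it.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print(session.handle_callback(parse_redirect(callback)))
```

The state check runs before anything else in the callback, including the error branch, because an attacker can deliver an error response too; the nonce returned by handle_callback is what the id_token's nonce claim is later compared against.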

Slide 35

Slide 35 text

Access tokens vs ID tokens
Access tokens • Opaque to the client app • Format not defined by OAuth 2.0 (RFC 6749); it is a contract between the authorization server and the API • Define • User (resource owner) • Client application • Usage scope
ID tokens • Claims are meant to be read by the client app • Specified by OpenID Connect (a JWT) • Define • Identity claims about the authenticated user

Slide 36

Slide 36 text

OpenID Connect • ID Token • Standard protected claim container • Standard scopes and claims • Scopes: openid, profile, email, address, phone • Claims: sub, name, email, email_verified, phone_number, address, ... • UserInfo endpoint • Obtain the user’s claims • Extra authorization request parameters and response mode • Discovery and metadata • Session management and logout

Slide 37

Slide 37 text

JWT - JSON Web Token – RFC 7519 • Protected claims container • Based on the JSON format • "Intended for space constrained environments such as HTTP Authorization headers and URI query parameters." • Relies on • JWS – JSON Web Signature (RFC 7515, integrity) • JWE – JSON Web Encryption (RFC 7516, confidentiality) • Represented as • Sequence of Base64url encoded parts • Separated by '.'

Slide 38

Slide 38 text

JWT Example
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzZWxmIiwiYXVkIjoiaHR0cDovL3d3dy5leGFtcGxlLmNvbSIsIm5iZiI6MTM3MDczNjkzOSwiZXhwIjoxMzcwNzM3MDU5LCJ1bmlxdWVfbmFtZSI6IlBlZHJvIiwicm9sZSI6IkF1dGhvciJ9.oKsW1AtfnkaebyAEA0GEudxsTrzQw94SBUULvEe2nGM
Header (first part, decoded): {"typ":"JWT","alg":"HS256"}
Claims (second part, decoded): { "iss":"self", "aud":"http://www.example.com", "nbf":1370736939, "exp":1370737059, "unique_name":"Pedro", "role":"Author" }
Signature (third part, HMAC-SHA256 over header.payload, shown in hex): a0ab16d40b5f9e469e6f2004034184b9dc6c4ebcd0c3de1205450bbc47b69c63

Slide 39

Slide 39 text

JWT as an ID Token (diagram: the Token Provider issues it to the Web App) { "iss": "...", "sub": "...", "name": "...", "email": "...", "aud": "..." }

Slide 40

Slide 40 text

JWT – other uses And because a protected container format always comes in handy... • ... Access Tokens • ... Cookies A JWS-signed JWT is integrity-protected but not confidential: whoever holds it can read the claims, so anything secret goes in a JWE or stays out of the token.
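
An added example, not from the slides or from IdentityServer3, serving the JWT-related points above: how a bearer token travels in the Authorization header (slide 21), what the slide 38 token actually contains, and the different checks an ID token and an access token need (slides 35 and 40). The shared HMAC key, the issuer, the client_id `app1` and the API name `api1` are constructed for the example; the slide's own signing key is not on the page, so that token is decoded but not verified.

```python
import base64
import hashlib
import hmac
import json
import time

# The slide's token, re-joined (the deck line-wraps it). Its HMAC key is not on
# the page, so below it is only decoded, never verified.
SLIDE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJzZWxmIiwiYXVkIjoiaHR0cDovL3d3dy5leGFtcGxlLmNvbSIsIm5iZiI6MTM3MDczNjkzOSwi"
    "ZXhwIjoxMzcwNzM3MDU5LCJ1bmlxdWVfbmFtZSI6IlBlZHJvIiwicm9sZSI6IkF1dGhvciJ9."
    "oKsW1AtfnkaebyAEA0GEudxsTrzQw94SBUULvEe2nGM"
)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # JWT parts carry no padding

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Split the compact serialization into (header, claims, signature bytes)
    without checking anything: fine for looking at a token, never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT with an HMAC-SHA256 JWS, the alg the slide's token uses."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, *, issuer: str, audience: str, now=None) -> dict:
    """Signature first, then the validity window, then the iss/aud binding.
    'alg' is pinned: a header claiming alg=none (or an asymmetric alg) is refused
    before any key is touched, which closes the classic JWT confusion bugs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or no exp")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # RFC 7519: aud is a string or an array
    if audience not in aud:
        raise ValueError("token was not issued for us")
    return claims

def validate_id_token(token, key, *, issuer, client_id, nonce, now=None) -> dict:
    """ID token policy (OpenID Connect): aud is our own client_id, sub must be
    present and nonce must equal the one sent in the authorization request."""
    claims = verify_hs256(token, key, issuer=issuer, audience=client_id, now=now)
    if "sub" not in claims:
        raise ValueError("id_token without sub")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch (replayed id_token?)")
    return claims

def bearer_token_from_header(authorization: str) -> str:
    """RFC 6750: 'Authorization: Bearer <token>'; the scheme name is case-insensitive."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a bearer credential")
    return token.strip()

def validate_access_token(authorization, key, *, issuer, api_name, now=None) -> set:
    """Access token policy (resource server side): aud is the API, not a client_id.
    Returns the granted scopes so the API can authorize the individual call."""
    token = bearer_token_from_header(authorization)
    claims = verify_hs256(token, key, issuer=issuer, audience=api_name, now=now)
    return set(claims.get("scope", "").split())

if __name__ == "__main__":
    header, claims, sig = decode_unverified(SLIDE_TOKEN)
    print(header, claims, sig.hex(), sep="\n")
```

Run as a script it prints the slide's header, claims and the signature bytes in hex, which match the values printed on the slide. The two policy functions share one verifier and differ only in what they demand of the claims, which is the practical content of the "access tokens vs ID tokens" comparison: same container, different audience and different binding to the request that produced it.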

Slide 41

Slide 41 text

IdentityServer3

Slide 42

Slide 42 text

IdentityServer3 • Open source project created by Dominick Baier and Brock Allen • Apache 2.0 • .NET Foundation • https://github.com/IdentityServer/IdentityServer3

Slide 43

Slide 43 text

IdentityServer3 • Open source project created by Dominick Baier and Brock Allen • Apache 2.0 • .NET Foundation • https://github.com/IdentityServer/IdentityServer3 • Extensible OpenID Connect and OAuth2 authorization server • “framework and a hostable component” • “allows implementing single sign-on and access control for modern web applications and APIs” • “using protocols like OpenID Connect and OAuth2”

Slide 44

Slide 44 text

IdentityServer3 • Open source project created by Dominick Baier and Brock Allen • Apache 2.0 • .NET Foundation • https://github.com/IdentityServer/IdentityServer3 • Extensible OpenID Connect and OAuth2 authorization server • “framework and a hostable component” • “allows implementing single sign-on and access control for modern web applications and APIs” • “using protocols like OpenID Connect and OAuth2” • Based on Katana and ASP.NET Web API

Slide 45

Slide 45 text

Token Issuance (diagram: a Relying Party / Client Application obtains ID tokens via OIDC and access tokens via OAuth 2.0)

Slide 46

Slide 46 text

Token Issuance (diagram: a Relying Party / Client Application obtains ID tokens via OIDC and access tokens via OAuth 2.0) • Multiple endpoints • Authorization Endpoint • Token Endpoint • UserInfo Endpoint • Token Introspection • Refresh Tokens and Token Reissuance • Self-contained (JWT) vs. reference access tokens • Discovery and Metadata • Session Management

Slide 47

Slide 47 text

Login (diagram: Relying Party / Client Application, Token Issuance, Login)

Slide 48

Slide 48 text

Local Authentication (diagram: Relying Party / Client Application, Token Issuance, Login, Local Authentication)

Slide 49

Slide 49 text

External Authentication (diagram: Relying Party / Client Application, Token Issuance, Login, Local Authentication, External Authentication against Partner and Social IdPs)

Slide 50

Slide 50 text

Account linking (diagram: Relying Party / Client Application, Token Issuance, Login, Local Authentication, External Authentication against Partner and Social IdPs, Account linking)

Slide 51

Slide 51 text

Consent (diagram: Relying Party / Client Application, Token Issuance, Login, Local Authentication, External Authentication against Partner and Social IdPs, Account linking, Consent)

Slide 52

Slide 52 text

Demo • id.example.com • Authorization Server and Identity Provider • Based on IdentityServer3, hosted on System.Web using Katana • app1.example.com • Relying party Web app and API • Based on ASP.NET MVC 5 and Web API • app2.example.com • JS-based client application • Consumes app1 API • Based on http://brockallen.com/2015/06/19/demos-ndc-oslo-2015/

Slide 53

Slide 53 text

Configurable Services • IUserService • IAuthorizationCodeStore, IClientStore, IConsentStore, ... • ITokenService, ITokenSigningService • IViewService • ICache • ICustom[Grant|Request|Token]Validator

Slide 54

Slide 54 text

Final remarks • New authentication and access control challenges • OpenID Connect unifies authentication delegation, single sign-in and access delegation • JWT as a protected claims container • IdentityServer3 is a highly configurable framework for creating • Identity Providers • Authorization Servers

Slide 55

Slide 55 text

Resources • http://openid.net/connect/ • https://identityserver.github.io/Documentation/ • https://speakerdeck.com/leastprivilege • https://speakerdeck.com/pmhsfelix • https://gitter.im

Slide 56

Slide 56 text

Thanks