Slide 1

OAUTH2, OIDC & JWT

Slide 2

ABOUT ME
▸ Independent Consultant/Architect/Developer/Trainer
▸ Doing stuff with & without Computers, Software, > 25 yrs
▸ "Mr. Keycloak" since 2015 (v1.x)
▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev)
▸ Member of various IAM Expert groups
▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA)
▸ Web: www.n-k.de / Social: @dasniko / YouTube: youtube.com/@dasniko

Slide 3

OAuth 2.0 OIDC JWT

Slide 4

Aaron Parecki, Okta, @aaronpk, 2020

Slide 5

AUTHORIZATION AUTHENTICATION

Slide 6

No content

Slide 7

Authorization Code Grant

Slide 8

TOKEN RESPONSE
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}

Slide 9

OAuth2 w/ Pseudo Authentication

Slide 10

OAuth 2.0: AUTHORIZATION, NOT AUTHENTICATION!
IETF, RFC 6749, 2012
The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.

Slide 11

OAuth 2.0 Grant Types

GRANT TYPE                            APPS
Authorization Code                    Web, Apps
Implicit                              JavaScript, etc.
Resource Owner Password Credentials   Apps
Client Credentials                    Web
Refresh                               Web, Apps

Slide 12

Implicit Grant

Slide 13

Resource Owner Password Credentials Grant

Slide 14

OAuth 2.0 Grant Types

GRANT TYPE                            APPS
Authorization Code +PKCE!             Web, Apps
Implicit                              JavaScript, etc.
Resource Owner Password Credentials   Apps
Client Credentials                    Web
Refresh                               Web, Apps

Slide 15

PROOF KEY FOR CODE EXCHANGE (PKCE)

Parties: User (Resource Owner), Client (Application), AuthZ Server (Identity Provider)

1. User → Client: Login
2. Client: generates the Code Verifier (ABC123) and derives the Code Challenge (e0bebd22…) as its SHA256 hash
3. Client → AuthZ Server: HTTP Redirect with Code Challenge & Code Challenge Method
4. User → AuthZ Server: Login
5. AuthZ Server → Client: HTTP Redirect with Authorization Code
6. Client → AuthZ Server: HTTP POST with Authorization Code and Code Verifier
7. AuthZ Server: Code Challenge Comparison
8. AuthZ Server → Client: HTTP Response with Access Token
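The PKCE exchange from the diagram, as an added example that is neither from the slides nor Keycloak code: the client derives the S256 challenge (RFC 7636), the in-memory toy authorization server stores it against the issued code and recomputes it from the verifier at the token endpoint. Class and function names are assumptions; the sample verifier in the comments is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding.
    # RFC 7636 vector: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """In-memory stand-in for the AuthZ server / IdP of the diagram (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Authorization request: the client sends challenge + method; after login a code is issued.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection against code interception")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Token request: recompute the challenge from the verifier and compare with the stored one.
        stored = self._pending.pop(code, None)  # codes are single-use: a replay finds nothing
        if stored is None or not hmac.compare_digest(code_challenge_s256(code_verifier), stored):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


def run_pkce_flow(server: ToyAuthorizationServer, verifier: str):
    # Client side: derive the challenge, obtain a code, redeem it together with the verifier.
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return server.token(code, verifier)
```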

Slide 16

No content

Slide 17

BACKEND FOR FRONTEND
https://auth0.com/blog/the-backend-for-frontend-pattern-bff/

Slide 18

OAuth 2.1
IETF, OAuth 2.1 Draft
‣ PKCE is required for all clients using the authz code flow
‣ Redirect URIs must be compared using exact string matching
‣ The Implicit grant is omitted from this specification
‣ The Resource Owner Password Credentials grant is omitted from this specification

Slide 19

TOKEN RESPONSE
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}

Slide 20

OPENID CONNECT
Authentication Layer on top of OAuth 2.0
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OpenID Foundation, 2014

Slide 21

SCOPES
In OAuth2, scopes define which data a 3rd-party service may access, and with which kind of access. The scope values themselves are not defined by the specification.

Slide 22

SCOPE: OPENID
Authorization Server becomes Identity Provider

Slide 23

SCOPES
In OIDC, scopes are defined: openid, profile, email, phone, address, offline_access
Scopes define which user-related data a client can obtain from the IdP

Slide 24

OIDC
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "???",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}
OpenID Connect adds the IDentity Token

Slide 25

JWT
JSON Web Token
IETF, RFC 7519 Standard, 2015

Slide 26

JWT
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImQyMDM2MGU4LTgyOTUtNDlhNy1iOGQzLTMxOWU3MWI2ODk4MiJ9.eyJqdGkiOiJhYzMwYWM3Ni00NTQ5LTRiMWMtOTQwYi1hMGNjNjU1NTNkM2YiLCJpc3MiOiJodHRwOi8va2V5Y2xvYWsuZGUiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H6T2YmhH-7nsp3zUu9XE7Cs-62J6D38KsXcIO6ZmxDikJ…
Base64 (URL-safe) encoded

Slide 27

JSON Web Token

Slide 28

JWT PAYLOAD
{
  "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
  "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
  "iss": "https://auth.keycloak.de",
  "aud": "yummy",
  "exp": 1686767014,
  "iat": 1686763414,
  "nbf": 1686763414
}
RESERVED CLAIMS: jti, sub, iss, aud, exp, iat, nbf
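An added example, not from the slides or from Keycloak, of splitting a JWT into its three base64url segments and checking the reserved claims listed above (signature first, then iss, aud, exp, nbf). It signs with HS256 and a constructed key so that it runs offline; Keycloak's RS256 tokens need the realm's public key instead. Function names, the key and the sample token are assumptions; the claim values are the ones on the slide.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    # Constructed issuer side; HS256 only so that the example runs offline (Keycloak uses RS256).
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """Return "ok" or the first reason for rejection (signature before claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header = json.loads(b64url_decode(parts[0]))
    # Pin the expected algorithm instead of trusting the token's own "alg" (rejects "none").
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(parts[2]), expected):
        return "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        return "wrong iss"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "wrong aud"
    if "exp" not in claims or now >= claims["exp"]:  # a token without exp is treated as expired
        return "expired"
    if now < claims.get("nbf", 0):
        return "not yet valid"
    return "ok"


# Constructed sample token carrying the claim values from the slide (the key is a made-up test secret)
KEY = b"constructed-test-secret-do-not-reuse"
CLAIMS = {"jti": "b7f7b763-240c-4560-827b-d7635e4b2213", "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
          "iss": "https://auth.keycloak.de", "aud": "yummy", "exp": 1686767014, "iat": 1686763414, "nbf": 1686763414}
TOKEN = encode_jwt({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
```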

Slide 29

OpenID Connect Standard Claims
http://openid.net/specs/openid-connect-core-1_0.html

Slide 30

TOKEN RESPONSE
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}

Slide 31

TOKEN RESPONSE
{
  "access_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_expires_in": 36000
}

Slide 32

OIDC
OpenID Connect adds the USERINFO endpoint
‣ dynamic data / up-to-date information
‣ privacy by design / additional data only on demand
‣ progressive disclosure
‣ separation of concerns

Slide 33

No content

Slide 34

No content

Slide 35

THANK YOU. ANY QUESTIONS?
More info / slides: https://linktr.ee/dasniko
NIKO KÖBLER | www.n-k.de | [email protected] | @dasniko
OAUTH2, OIDC & JWT

Slide 36

BACKUP

Slide 37

AuthZ: PAP / PDP / PEP / PIP

Components: PEP (Policy Enforcement Point), PDP (Policy Decision Point), PAP (Policy Administration Point: Manage Policies), PIP (Policy Information Point)

1. View Record #123 (request reaches the PEP)
2. Can user view record #123? (PEP asks the PDP)
3. Evaluate Policies (PDP, using the policies managed in the PAP)
4. Retrieve additional attributes (PDP from the PIP)
5. Permit, user can view record #123 (PDP answers the PEP)
6. View Record #123 (PEP lets the request through)