Slide 1

Modern Applications need modern Identity: OpenID Connect & OAuth 2.0
Dominick Baier
[email protected]
http://leastprivilege.com
@leastprivilege

Slide 2

@leastprivilege
Dominick Baier
• Independent Consultant
  – Specializing in Identity & Access Control
  – Working with software development teams (ISVs and in-house)
• Creator and maintainer of the IdentityServer OSS project
  – OpenID Connect & OAuth 2.0 implementation for ASP.NET
  – .NET Foundation Advisory Board
  – http://identityserver.io
[email protected]
http://leastprivilege.com
slides: https://speakerdeck.com/leastprivilege

Slide 3

In the Beginning…
(diagram: Web Applications)

Slide 4

…then came Federation
(diagram: Web Applications; SAML, WS-Federation; WS-Trust/Security)

Slide 5

Then this happened…
No SOAP, no SAML, no WS-*, no Windows, no Enterprise
HTTP, JSON

Slide 6

Modern Applications
(diagram: Browser, Native App, Server App, "Thing" → Web App, Web API, Web API, Web API; Security Token Service)

Slide 7

Security Protocols (I)
(diagram: Browser, Native App, Server App, "Thing" → Web App, Web API, Web API, Web API; Security Token Service; labels: WS-Fed, SAML 2.0, OpenID Connect*)

Slide 8

Security Protocols (II)
(diagram: Browser, Native App, Server App, "Thing" → Web App, Web API, Web API, Web API; Security Token Service; labels: WS-Fed, SAML 2.0, OpenID Connect*; OAuth 2.0 (six labels))

Slide 9

What's wrong with SAML (& WS-Federation)?

Craig Burton (#CIS2012):
“SAML is the Windows XP of Identity.”
“No funding. No innovation. People still use it. But it has no future.
SAML is dead != SAML is bad.
SAML is dead != SAML isn’t useful.
SAML is dead means SAML != the future.”

Slide 10

What’s wrong with OAuth 2.0?

Slide 11

http://openid.net/connect/

Slide 12

Libraries & Implementations

Slide 13

Slide 14

IdentityServer

Slide 15

OpenID Connect in a Nutshell
(diagram: Browser, Native App, Web App → Web API)
• Authenticate users
• Request access tokens for APIs

Slide 16

Endpoints
• Authorize Endpoint
• Token Endpoint
• UserInfo Endpoint

Slide 17

Flows
• Implicit Flow
  – browser-based applications
  – no explicit client authentication
• Hybrid Flow
  – native/mobile applications
  – client authentication
• Client Credentials Flow
  – server-to-server communication
  – headless devices / IoT

Slide 18

Authentication for Web Applications

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb
    &response_type=id_token
    &response_mode=form_post
    &nonce=j1y…a23
    &scope=openid email

Slide 19

Authentication

Slide 20

Consent

Slide 21

Response

POST /callback

Slide 22

Identity Token

Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}

Claims:
{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "nonce": "j1y…a23",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": [ "password" ],
  "auth_time": 12340819300
}

Encoded form (Header.Claims.Signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
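The request on slide 18 and the token on slide 22 only protect the relying party if the application actually checks what comes back: the signature against the key named by kid, a pinned alg, iss, aud, exp, and the nonce it sent. The following is an added example, not code from the slides or from IdentityServer. It assumes an HMAC (HS256) stand-in for the RS256 signature shown on the slide, because the Python standard library has no RSA; the claim checks are the same for either algorithm, and the key store, key id and sample claims are constructed.

```python
# Added example (not from the slides): building the slide 18 authentication
# request and validating the slide 22 identity token on the relying party.
# ASSUMPTION: HS256 (HMAC-SHA256) stands in for the RS256 signature; the
# "kid" selects a key from a constructed key store instead of a JWKS document.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_request(client_id: str, redirect_uri: str, scope: str):
    """Build the slide 18 request; returns (url, nonce). The nonce must be kept
    in the user's session so the returned id_token can be tied to this request."""
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "id_token",
        "response_mode": "form_post",
        "nonce": nonce,
        "scope": scope,
    }
    return "/authorize?" + urlencode(params), nonce


def issue_id_token(key: bytes, claims: dict, kid: str) -> str:
    """Token-service side (constructed): header.claims.signature with the HS256 stand-in."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, keys: dict, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Relying-party side: return the claims if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token must never decide how it is verified
    # (this rejects "alg": "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected_sig = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce binds this token to the authorize request this session sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_valid_id_token(*args, **kwargs) -> bool:
    """Convenience wrapper: True/False instead of raising."""
    try:
        validate_id_token(*args, **kwargs)
        return True
    except ValueError:
        return False
```

The order of checks matters: algorithm and signature first, so that no claim from an unverified token influences which key or which rules are used; the nonce check last ties an otherwise valid token to the browser session that started the request.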

Slide 23

Discovery

Slide 24

ASP.NET Middleware for OpenID Connect

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://identityserver.io",
        ClientId = "myapp",
        RedirectUri = "https://myapp.com",
        ResponseType = "id_token",
        Scope = "openid email",
        SignInAsAuthenticationType = "Cookies"
    });

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    });

Slide 25

Accessing APIs
(diagram: client identity; user identity; user identity)

Slide 26

Calling an API using Client Identity

POST /token
    grant_type=client_credentials
    &scope=api1
    &client_id=client
    &client_secret=secret

Authorization: Bearer <access_token>

Slide 27

Web Applications
• OpenID Connect Hybrid Flow combines
  – user authentication (identity token)
  – access to APIs (access token)
• Additional security features
  – access tokens not exposed to the browser
  – (optional) long-lived API access

Slide 28

Hybrid Flow Request

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb
    &response_type=code id_token
    &response_mode=form_post
    &nonce=j1y…a23
    &scope=openid email api1 api2

Slide 29

Hybrid Flow Response

POST /cb

Slide 30

Retrieving the Access Token
• Exchange code for access token
  – using client id and secret

code (client_id:client_secret) →
{
  access_token: "xyz…123",
  expires_in: 3600,
  token_type: "Bearer"
}

Slide 31

Access Token Lifetime Management
• Access tokens have finite lifetimes
  – requesting a new token requires a browser round trip to the authorization server
  – should be as short-lived as possible
• Refresh tokens allow renewal semantics
  – no user interaction required
  – typically combined with a revocation feature

Slide 32

Requesting a Refresh Token

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb
    &response_type=code id_token
    &response_mode=form_post
    &nonce=j1y…a23
    &scope=openid email api1 offline_access

Slide 33

Retrieving the Access Token (w/ Refresh Token)

code (client_id:client_secret) →
{
  access_token: "xyz…123",
  refresh_token: "jdj9…192j",
  expires_in: 3600,
  token_type: "Bearer"
}

Slide 34

Refreshing an Access Token

refresh_token (client_id:client_secret) →
{
  access_token: "xyz…567",
  refresh_token: "jdj9…203j",
  expires_in: 3600,
  token_type: "Bearer"
}
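Slides 30 to 34 show the token endpoint exchanges one at a time; what a server-side web application needs is the loop around them: cache the access token, renew it via the refresh token before expires_in runs out, and cope with the refresh token changing on every renewal (slides 33 and 34 return a different refresh_token each time) and with revocation. The following is an added example, not code from the slides or from IdentityServer. The token endpoint is a constructed in-memory stand-in for POST /token (no HTTP is performed), and the client id, secret, code and token values are constructed.

```python
# Added example (not from the slides): client-side access token lifetime
# management with refresh token rotation, as on slides 30-34.
# ASSUMPTION: FakeTokenEndpoint stands in for POST /token of the token service;
# it authenticates the client with client_id:client_secret and rotates the
# refresh token on every use, so a refresh token presented twice is rejected.


class FakeTokenEndpoint:
    """Constructed token endpoint: authorization_code and refresh_token grants."""

    def __init__(self, client_id, client_secret, lifetime=3600):
        self.client_id, self.client_secret, self.lifetime = client_id, client_secret, lifetime
        self.valid_codes = {"818-1299"}      # constructed one-time authorization code
        self.active_refresh = set()
        self.counter = 0

    def _mint(self):
        self.counter += 1
        refresh = "rt-%d" % self.counter
        self.active_refresh.add(refresh)
        return {"access_token": "at-%d" % self.counter, "refresh_token": refresh,
                "expires_in": self.lifetime, "token_type": "Bearer"}

    def post(self, client_auth, form):
        if client_auth != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            if form.get("code") not in self.valid_codes:
                return {"error": "invalid_grant"}
            self.valid_codes.discard(form["code"])       # a code is single use
            return self._mint()
        if form.get("grant_type") == "refresh_token":
            if form.get("refresh_token") not in self.active_refresh:
                return {"error": "invalid_grant"}
            self.active_refresh.discard(form["refresh_token"])   # rotation: consumed
            return self._mint()
        return {"error": "unsupported_grant_type"}

    def revoke(self, refresh_token):
        """Revocation (slide 35): the refresh token can no longer be used."""
        self.active_refresh.discard(refresh_token)


class TokenManager:
    """Web-app side: caches the access token and renews it before it expires."""

    def __init__(self, endpoint, client_id, client_secret, skew=60):
        self.endpoint = endpoint
        self.client_auth = (client_id, client_secret)
        self.skew = skew                 # renew this many seconds before expiry
        self.current_access_token = None
        self.refresh_token = None
        self.expires_at = 0

    def _store(self, response, now):
        if "error" in response:
            raise RuntimeError("token endpoint error: " + response["error"])
        self.current_access_token = response["access_token"]
        # Always keep the newest refresh token; the old one is no longer valid.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        self.expires_at = now + response["expires_in"]

    def redeem_code(self, code, now):
        """Slide 30/33: exchange the authorization code for tokens."""
        form = {"grant_type": "authorization_code", "code": code}
        self._store(self.endpoint.post(self.client_auth, form), now)

    def get_access_token(self, now):
        """Return a usable access token, refreshing it (slide 34) if about to expire."""
        if self.current_access_token is None:
            raise RuntimeError("no token: user has not signed in")
        if now >= self.expires_at - self.skew:
            if self.refresh_token is None:
                raise RuntimeError("access token expired and no refresh token held")
            form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
            self._store(self.endpoint.post(self.client_auth, form), now)
        return self.current_access_token
```

The manager takes the clock as a parameter so renewal can be tested deterministically; in a real application the endpoint is an HTTPS call and the refresh token should be stored with the same care as a credential, since anyone holding it can obtain fresh access tokens until it is revoked.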

Slide 35

Revocation

Slide 36

Native/Mobile Applications
• Applications with access to native OS services
  – e.g. secure data storage
• Use of an "in-app browser tab" to show the login UI
  – helps prevent key logging and spoofing attacks
  – cross-app single sign-on
  – support for password managers
• Requires inter-process communication
  – use of reverse domain name redirect URIs
  – RFC 7636 (PKCE - Proof Key for Code Exchange)

Slide 37

Hybrid Flow w/ PKCE

GET /authorize
    ?client_id=nativeapp
    &scope=openid email api1 api2 offline_access
    &redirect_uri=com.mycompany.nativeapp://cb
    &response_type=code id_token
    &code_challenge=x929..1921

code_verifier = random_number
code_challenge = hash(code_verifier)
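Slides 36 and 37 explain why PKCE is needed on a mobile platform: the code comes back over a reverse-domain redirect URI that another app could also register, so the authorization server must only hand out tokens to the app that started the request. The "hash" on the slide is, in RFC 7636 terms, BASE64URL(SHA256(ASCII(code_verifier))) with code_challenge_method=S256. The following is an added example, not code from the slides or from IdentityServer: it shows the client side (verifier and challenge generation, the request) and a constructed in-memory authorization server that stores the challenge with the code and checks the verifier at the token endpoint. It adds code_challenge_method=S256 to the request, which the slide omits; the client id, redirect URI and code values are constructed.

```python
# Added example (not from the slides): PKCE (RFC 7636) for the slide 37 request.
# ASSUMPTION: PkceAuthorizationServer is a constructed stand-in for the token
# service's /authorize and /token endpoints; no network calls are made.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy random string kept by the app; 32 bytes -> 43 chars (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_pkce_authorize_request(client_id, redirect_uri, scope, verifier):
    """The slide 37 request, with the S256 method stated explicitly."""
    params = {
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return "/authorize?" + urlencode(params)


def verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """Server-side check at /token: does the presented verifier match the challenge?"""
    if not 43 <= len(verifier) <= 128:          # RFC 7636 length limits
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":                     # allowed by the RFC, but offers less protection
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class PkceAuthorizationServer:
    """Constructed stand-in: remembers the challenge per code, enforces it at /token."""

    def __init__(self):
        self.pending = {}      # code -> (client_id, code_challenge, method)
        self.counter = 0

    def authorize(self, client_id, code_challenge, method="S256") -> str:
        """/authorize: after user login and consent, issue a code bound to the challenge."""
        self.counter += 1
        code = "code-%d" % self.counter
        self.pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id, code, code_verifier) -> dict:
        """/token: the code is single use and only redeemable with the matching verifier."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        if not verify_code_verifier(entry[1], entry[2], code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + code, "token_type": "Bearer", "expires_in": 3600}
```

An app that intercepts the redirect obtains only the code; without the verifier, which never left the legitimate app's memory, the token endpoint refuses the exchange. The test below checks the implementation against the worked vector in RFC 7636 Appendix B.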

Slide 38

Response

GET /cb
    #id_token=x12f…zsz
    &code=818…1299
(callback)

Slide 39

Retrieving Access Token

code & code_verifier (client_id:client_secret) →
{
  access_token: "xyz…123",
  refresh_token: "dxy…103",
  expires_in: 3600,
  token_type: "Bearer"
}

Slide 40

Libraries for Native Apps
• Native
  – https://github.com/openid/AppAuth-iOS
  – https://github.com/openid/AppAuth-Android
• Portable / Xamarin
  – https://github.com/IdentityModel/IdentityModel.OidcClient

Slide 41

JavaScript Applications
• OpenID Connect Implicit Flow designed for JS/browser-based applications
  – simplified flow
  – no secret required
  – limited features

Slide 42

Implicit Flow Request

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb.html
    &response_type=id_token token
    &nonce=j1y…a23
    &scope=openid email api1 api2

Slide 43

Response

GET /callback.html
    #id_token=x12f…zsz
    &token=32x…133
    &expires_in=3600
    &token_type=Bearer

Slide 44

JavaScript Client Library
• https://github.com/IdentityModel/oidc-token-manager

Slide 45

Resources
• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel

Slide 46

thank you!
http://leastprivilege.com
[email protected]