Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 2 und OpenID Connect @DevSec 2017
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Simon Kölsch
October 26, 2017
Education
83
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
OAuth 2 und OpenID Connect @DevSec 2017
//heise devSec() 26, oct, 2017
Simon Kölsch
October 26, 2017
More Decks by Simon Kölsch
See All by Simon Kölsch
Vault @ Continuous Lifecycle 2016
simkoelsch
0
210
Security in Microservices Umgebungen @WJAX2016
simkoelsch
0
77
Secure Clojure Webapplications @ Froscon
simkoelsch
0
140
Docker Introduction Tech Talk
simkoelsch
0
140
Web Crypto API - Talk @EnterJS
simkoelsch
1
170
OAuth 2 und OpenID Connect @JAX2015
simkoelsch
2
490
Web Crypto API - Lightning Talk @Troopers
simkoelsch
1
130
Other Decks in Education
See All in Education
JAWS-UG初心者支部#81 GWにEduJAWSと何か作ろうもくもく会!
otsuki
0
140
Data Management and Analytics Specialisation
signer
PRO
0
1.8k
生成AI時代のエンジニア育成について考えてみた
akasan
0
160
2026年度春学期 統計学 第2回 統計資料の収集と読み方 (2026. 4. 16)
akiraasano
PRO
0
190
0526
cbtlibrary
0
170
アラムコSTEAMチャレンジ 実践報告書
codeforeveryone
0
160
Course Review - Lecture 13 - Information Visualisation (4019538FNR)
signer
PRO
1
2.6k
AI時代に、 なぜ英語を勉強するのか
empelt
0
120
Implicit and Cross-Device Interaction - Lecture 10 - Next Generation User Interfaces (4018166FNR)
signer
PRO
2
2.3k
AI-Based Speaking Assessment of a Short-Term Study Abroad Program
uranoken
0
340
Catecismo 26 #1 - Aula inaugural
cm_manaus
0
180
The Lotus and the Frog
vyadav
0
130
Featured
See All Featured
So, you think you're a good person
axbom
PRO
2
2.1k
GraphQLとの向き合い方2022年版
quramy
50
15k
Faster Mobile Websites
deanohume
310
32k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
550
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
Why Our Code Smells
bkeepers
PRO
340
58k
From π to Pie charts
rasagy
0
220
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
Everyday Curiosity
cassininazir
0
240
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
400
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
1
3.6k
Transcript
OAuth 2 und OpenID Connect //heise devSec() 2015 26.10.2017, Heidelberg
Simon Kölsch & Christoph Iserlohn
Agenda > OAuth 1, OAuth 2, OpenID Connect, O…? >
How does it work? > Use Cases > Should I use it
“Web 2.0” Platforms and many more…
“Web 2.0” Platforms and many more… = User content on
big platforms with APIs 2010 - ~ 550.000 “Facebook Apps” 2015 - ~ 30 Flickr Apps tagged “geo” …
Resource/Auth Server The access problem Client Resource Owner needs Access
checks Permission provides Access gives Permission
OAuth 0 > Client gets user password > Client impersonates
user and gets resource
OAuth 1 > Client registers at the service > Client
asks resource owner for permission via the service > Client gets a token > Client can access the resource with the token
OAuth 1 > Authorization Protocol > RFC 5849 (38 pages
spec) > One security issue (fixed 2009) > non-trivial request / response creation > Scope: “web applications”
Why OAuth 2? > Simplify client development process > Desktop
Applications / Single-Page-Apps > Mobile Phones > “Living room devices”
OAuth 2 Roles > Resource Owner > Client > Resource
Server > Authentication Server
OAuth 2 Tokens > Access Token “An access token is
a string representing an authorization issued to the client.” > Token Type (e.g. “Bearer”) > usually short-living > Refresh Token > Scope
Authorization Code Grant User Agent Client Auth Server redirect to
grant screen add ‘state’ (and callback + client id ) show grant screen grant the request redirect with state and authorisation_code to client callback URI submit auth code, identify with client credentials respond with token optional refresh token
OAuth 2 Grant Types > Authorization Code > Implicit >
User Credentials > (Client Credentials)
OAuth 2 Spec Overview Core Framework Bearer Token Security JSON
Web Token Assertions JWT Bearer Assertion SAML 2 Bearer Assertion WG Drafts (PoP, Token Exchange, …)
Short Comparison OAuth 1 OAuth 2 > Authorization protocol >
Spec finalized > Additional crypto to TLS > Delegation framework > Many extensions > TLS only (Core) > Incompatible implementations
Takeway > OAuth is a complex solution for delegating authorization
in an environment without any trust between the involved parties > It secures APIs and has nothing todo with authentication (AUTHN vs AUTHZ)
Example: Traditional System Client Auth
Example: Microservices Client Auth
Example: Microservices Client Auth T T T T T
OAuth 2 for Single-Sign-On? > Token = “Authorization to access
Resource” Resource could be = Login to Service > Missing: Who? Where? When? How? … ?
Identities Entity Identity 1 Identity 2 Identity 3 Service Service
OpenID Connect OAuth 2 JOSE OpenID Connect Identity Layer
Signature JWT Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } JWT Header JWT Payload
JWT Example Encoded eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5j b20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNv bSIsIm5iZiI6MTQyOTY5MzY3MSwiZXhwIjoxNDI5Njk3 MjcxLCJpYXQiOjE0Mjk2OTM2NzEsImp0aSI6ImlkMTIz NDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9y ZWdpc3RlciJ9.
A3DVPjcIeQPGOkMcABwAe_8lWHvPG9dFhNyskwVfsxIL t6SKtYGxYz0m7V- DjzjYLXqzSwycwlRJBuYr_vdLRA9aoGsGQpP5- SAiA5SdLMMk3MMZTIoSHgZrC8TeZx8bJBlPzkSu91dJI uzKI8PRPp3DH8Tum-XDsCmqu3_uIl2633Mb1Bg4HKEz- q2L2Y6k2Z1bqFxRn2GfV3ziQ8uqGOp3V_UlwvPccX8F3 m- qe3MrF5aPSFGoU9bZDcQcBQ2ypGTluBNYnPzuMx9EdET PJ0IxA1awgP74tFS27rt8KLUDnBvWVATNfYDFrqAcFCj zk49znd4JLvNObbDebka3_g Header Payload Signature
ID Token Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } Claim mandatory Claims scope E-Mail
OpenID Connect Modules Core Discovery Dynamic Client Registration Session Management
Form Post Response Mode
Enterprise Use Cases > Securing internal APIs > Single-Sign-On >
Active Directory > Mobile Clients > White Label Software
Should I use it? > OpenID Connect Extensions still
partly Working Drafts > OAuth Extensions: PoP, etc. > Implementation Complexity
Simon Kölsch | @simkoelsch
[email protected]
innoQ Deutschland GmbH Krischerstr. 100
40789 Monheim am Rhein Germany Phone: +49 2173 3366-0 innoQ Schweiz GmbH Gewerbestr. 11 CH-6330 Cham Switzerland Phone: +41 41 743 0116 www.innoq.com Ohlauer Straße 43 10999 Berlin Germany Ludwigstrasse 180 E 63067 Offenbach Germany Kreuzstrasse 16 D-81373 München Germany Thank you! Questions? Comments? Christoph Iserlohn
[email protected]