Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 2 und OpenID Connect @DevSec 2017
Search
Simon Kölsch
October 26, 2017
Education
0
71
OAuth 2 und OpenID Connect @DevSec 2017
//heise devSec() 26, oct, 2017
Simon Kölsch
October 26, 2017
Tweet
Share
More Decks by Simon Kölsch
See All by Simon Kölsch
Vault @ Continuous Lifecycle 2016
simkoelsch
0
180
Security in Microservices Umgebungen @WJAX2016
simkoelsch
0
55
Secure Clojure Webapplications @ Froscon
simkoelsch
0
120
Docker Introduction Tech Talk
simkoelsch
0
110
Web Crypto API - Talk @EnterJS
simkoelsch
1
140
OAuth 2 und OpenID Connect @JAX2015
simkoelsch
2
470
Web Crypto API - Lightning Talk @Troopers
simkoelsch
1
120
Other Decks in Education
See All in Education
Human Perception and Colour Theory - Lecture 2 - Information Visualisation (4019538FNR)
signer
PRO
0
1.7k
論文の読み方 / How to survey
kaityo256
PRO
176
120k
Microsoft Office 365
matleenalaakso
0
1.5k
インターアクトクラブについて:国際ロータリー第2720地区インターアクト委員会 委員長・大分東ロータリークラブ 阿部 克哉 氏
2720japanoke
0
670
ISMSってどんなもの?
fbei_ot
0
180
Data Presentation - Lecture 5 - Information Visualisation (4019538FNR)
signer
PRO
0
1.8k
Monaca Educationを活用した課題解決型の探究学習の実践
asial_edu
0
200
Copilotとして理解する生成AI利用の基本
gmoriki
0
140
Digijulkaisut
matleenalaakso
1
8.5k
HCL Notes 14.0 「スタイルの変更」で「3 設定の確認」を深掘り
harunakano
0
2k
Animaatiot opetuksessa
matleenalaakso
0
3.1k
Padlet opetuksessa
matleenalaakso
3
11k
Featured
See All Featured
Faster Mobile Websites
deanohume
299
30k
Happy Clients
brianwarren
92
6.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k
Automating Front-end Workflow
addyosmani
1356
200k
Debugging Ruby Performance
tmm1
70
11k
Music & Morning Musume
bryan
41
5.6k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Transcript
OAuth 2 und OpenID Connect //heise devSec() 2015 26.10.2017, Heidelberg
Simon Kölsch & Christoph Iserlohn
Agenda > OAuth 1, OAuth 2, OpenID Connect, O…? >
How does it work? > Use Cases > Should I use it
“Web 2.0” Platforms and many more…
“Web 2.0” Platforms and many more… = User content on
big platforms with APIs 2010 - ~ 550.000 “Facebook Apps” 2015 - ~ 30 Flickr Apps tagged “geo” …
Resource/Auth Server The access problem Client Resource Owner needs Access
checks Permission provides Access gives Permission
OAuth 0 > Client gets user password > Client impersonates
user and gets resource
OAuth 1 > Client registers at the service > Client
asks resource owner for permission via the service > Client gets a token > Client can access the resource with the token
OAuth 1 > Authorization Protocol > RFC 5849 (38 pages
spec) > One security issue (fixed 2009) > non-trivial request / response creation > Scope: “web applications”
Why OAuth 2? > Simplify client development process > Desktop
Applications / Single-Page-Apps > Mobile Phones > “Living room devices”
OAuth 2 Roles > Resource Owner > Client > Resource
Server > Authentication Server
OAuth 2 Tokens > Access Token “An access token is
a string representing an authorization issued to the client.” > Token Type (e.g. “Bearer”) > usually short-living > Refresh Token > Scope
Authorization Code Grant User Agent Client Auth Server redirect to
grant screen add ‘state’ (and callback + client id ) show grant screen grant the request redirect with state and authorisation_code to client callback URI submit auth code, identify with client credentials respond with token optional refresh token
OAuth 2 Grant Types > Authorization Code > Implicit >
User Credentials > (Client Credentials)
OAuth 2 Spec Overview Core Framework Bearer Token Security JSON
Web Token Assertions JWT Bearer Assertion SAML 2 Bearer Assertion WG Drafts (PoP, Token Exchange, …)
Short Comparison OAuth 1 OAuth 2 > Authorization protocol >
Spec finalized > Additional crypto to TLS > Delegation framework > Many extensions > TLS only (Core) > Incompatible implementations
Takeway > OAuth is a complex solution for delegating authorization
in an environment without any trust between the involved parties > It secures APIs and has nothing todo with authentication (AUTHN vs AUTHZ)
Example: Traditional System Client Auth
Example: Microservices Client Auth
Example: Microservices Client Auth T T T T T
OAuth 2 for Single-Sign-On? > Token = “Authorization to access
Resource” Resource could be = Login to Service > Missing: Who? Where? When? How? … ?
Identities Entity Identity 1 Identity 2 Identity 3 Service Service
OpenID Connect OAuth 2 JOSE OpenID Connect Identity Layer
Signature JWT Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } JWT Header JWT Payload
JWT Example Encoded eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5j b20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNv bSIsIm5iZiI6MTQyOTY5MzY3MSwiZXhwIjoxNDI5Njk3 MjcxLCJpYXQiOjE0Mjk2OTM2NzEsImp0aSI6ImlkMTIz NDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9y ZWdpc3RlciJ9.
A3DVPjcIeQPGOkMcABwAe_8lWHvPG9dFhNyskwVfsxIL t6SKtYGxYz0m7V- DjzjYLXqzSwycwlRJBuYr_vdLRA9aoGsGQpP5- SAiA5SdLMMk3MMZTIoSHgZrC8TeZx8bJBlPzkSu91dJI uzKI8PRPp3DH8Tum-XDsCmqu3_uIl2633Mb1Bg4HKEz- q2L2Y6k2Z1bqFxRn2GfV3ziQ8uqGOp3V_UlwvPccX8F3 m- qe3MrF5aPSFGoU9bZDcQcBQ2ypGTluBNYnPzuMx9EdET PJ0IxA1awgP74tFS27rt8KLUDnBvWVATNfYDFrqAcFCj zk49znd4JLvNObbDebka3_g Header Payload Signature
ID Token Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } Claim mandatory Claims scope E-Mail
OpenID Connect Modules Core Discovery Dynamic Client Registration Session Management
Form Post Response Mode
Enterprise Use Cases > Securing internal APIs > Single-Sign-On >
Active Directory > Mobile Clients > White Label Software
Should I use it? > OpenID Connect Extensions still
partly Working Drafts > OAuth Extensions: PoP, etc. > Implementation Complexity
Simon Kölsch | @simkoelsch
[email protected]
innoQ Deutschland GmbH Krischerstr. 100
40789 Monheim am Rhein Germany Phone: +49 2173 3366-0 innoQ Schweiz GmbH Gewerbestr. 11 CH-6330 Cham Switzerland Phone: +41 41 743 0116 www.innoq.com Ohlauer Straße 43 10999 Berlin Germany Ludwigstrasse 180 E 63067 Offenbach Germany Kreuzstrasse 16 D-81373 München Germany Thank you! Questions? Comments? Christoph Iserlohn
[email protected]