Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 2 und OpenID Connect @DevSec 2017
Search
Simon Kölsch
October 26, 2017
Education
0
78
OAuth 2 und OpenID Connect @DevSec 2017
//heise devSec() 26, oct, 2017
Simon Kölsch
October 26, 2017
Tweet
Share
More Decks by Simon Kölsch
See All by Simon Kölsch
Vault @ Continuous Lifecycle 2016
simkoelsch
0
200
Security in Microservices Umgebungen @WJAX2016
simkoelsch
0
70
Secure Clojure Webapplications @ Froscon
simkoelsch
0
130
Docker Introduction Tech Talk
simkoelsch
0
140
Web Crypto API - Talk @EnterJS
simkoelsch
1
150
OAuth 2 und OpenID Connect @JAX2015
simkoelsch
2
480
Web Crypto API - Lightning Talk @Troopers
simkoelsch
1
120
Other Decks in Education
See All in Education
미국 교환학생 가서 무료 홈스테이 살면서 인턴 취업하기
maryang
0
110
SARA Annual Report 2024-25
sara2023
1
190
Pydantic(AI)とJSONの詳細解説
mickey_kubo
0
150
2025年度春学期 統計学 第8回 演習(1) 問題に対する答案の書き方(講義前配付用) (2025. 5. 29)
akiraasano
PRO
0
120
計算情報学研究室 (数理情報学第7研究室)紹介スライド (2025)
tomonatu8
0
620
CHARMS-HP-Banner
weltraumreisende
0
360
アントレプレナーシップ教育 ~ 自分で自分の幸せを決めるために ~
yoshizaki
0
140
Tutorial: Foundations of Blind Source Separation and Its Advances in Spatial Self-Supervised Learning
yoshipon
1
130
バックオフィス組織にも「チームトポロジー」の考えが使えるかもしれない!!
masakiokuda
0
110
2025/06/05_読み漁り学習
nag8
0
170
The Art of Note Taking
kanaya
1
140
AI for Learning
fonylew
0
160
Featured
See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
760
The Invisible Side of Design
smashingmag
301
51k
We Have a Design System, Now What?
morganepeng
53
7.7k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
370
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Raft: Consensus for Rubyists
vanstee
140
7k
Bash Introduction
62gerente
613
210k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
Six Lessons from altMBA
skipperchong
28
3.9k
Transcript
OAuth 2 und OpenID Connect //heise devSec() 2015 26.10.2017, Heidelberg
Simon Kölsch & Christoph Iserlohn
Agenda > OAuth 1, OAuth 2, OpenID Connect, O…? >
How does it work? > Use Cases > Should I use it
“Web 2.0” Platforms and many more…
“Web 2.0” Platforms and many more… = User content on
big platforms with APIs 2010 - ~ 550.000 “Facebook Apps” 2015 - ~ 30 Flickr Apps tagged “geo” …
Resource/Auth Server The access problem Client Resource Owner needs Access
checks Permission provides Access gives Permission
OAuth 0 > Client gets user password > Client impersonates
user and gets resource
OAuth 1 > Client registers at the service > Client
asks resource owner for permission via the service > Client gets a token > Client can access the resource with the token
OAuth 1 > Authorization Protocol > RFC 5849 (38 pages
spec) > One security issue (fixed 2009) > non-trivial request / response creation > Scope: “web applications”
Why OAuth 2? > Simplify client development process > Desktop
Applications / Single-Page-Apps > Mobile Phones > “Living room devices”
OAuth 2 Roles > Resource Owner > Client > Resource
Server > Authentication Server
OAuth 2 Tokens > Access Token “An access token is
a string representing an authorization issued to the client.” > Token Type (e.g. “Bearer”) > usually short-living > Refresh Token > Scope
Authorization Code Grant User Agent Client Auth Server redirect to
grant screen add ‘state’ (and callback + client id ) show grant screen grant the request redirect with state and authorisation_code to client callback URI submit auth code, identify with client credentials respond with token optional refresh token
OAuth 2 Grant Types > Authorization Code > Implicit >
User Credentials > (Client Credentials)
OAuth 2 Spec Overview Core Framework Bearer Token Security JSON
Web Token Assertions JWT Bearer Assertion SAML 2 Bearer Assertion WG Drafts (PoP, Token Exchange, …)
Short Comparison OAuth 1 OAuth 2 > Authorization protocol >
Spec finalized > Additional crypto to TLS > Delegation framework > Many extensions > TLS only (Core) > Incompatible implementations
Takeway > OAuth is a complex solution for delegating authorization
in an environment without any trust between the involved parties > It secures APIs and has nothing todo with authentication (AUTHN vs AUTHZ)
Example: Traditional System Client Auth
Example: Microservices Client Auth
Example: Microservices Client Auth T T T T T
OAuth 2 for Single-Sign-On? > Token = “Authorization to access
Resource” Resource could be = Login to Service > Missing: Who? Where? When? How? … ?
Identities Entity Identity 1 Identity 2 Identity 3 Service Service
OpenID Connect OAuth 2 JOSE OpenID Connect Identity Layer
Signature JWT Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } JWT Header JWT Payload
JWT Example Encoded eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5j b20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNv bSIsIm5iZiI6MTQyOTY5MzY3MSwiZXhwIjoxNDI5Njk3 MjcxLCJpYXQiOjE0Mjk2OTM2NzEsImp0aSI6ImlkMTIz NDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9y ZWdpc3RlciJ9.
A3DVPjcIeQPGOkMcABwAe_8lWHvPG9dFhNyskwVfsxIL t6SKtYGxYz0m7V- DjzjYLXqzSwycwlRJBuYr_vdLRA9aoGsGQpP5- SAiA5SdLMMk3MMZTIoSHgZrC8TeZx8bJBlPzkSu91dJI uzKI8PRPp3DH8Tum-XDsCmqu3_uIl2633Mb1Bg4HKEz- q2L2Y6k2Z1bqFxRn2GfV3ziQ8uqGOp3V_UlwvPccX8F3 m- qe3MrF5aPSFGoU9bZDcQcBQ2ypGTluBNYnPzuMx9EdET PJ0IxA1awgP74tFS27rt8KLUDnBvWVATNfYDFrqAcFCj zk49znd4JLvNObbDebka3_g Header Payload Signature
ID Token Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } Claim mandatory Claims scope E-Mail
OpenID Connect Modules Core Discovery Dynamic Client Registration Session Management
Form Post Response Mode
Enterprise Use Cases > Securing internal APIs > Single-Sign-On >
Active Directory > Mobile Clients > White Label Software
Should I use it? > OpenID Connect Extensions still
partly Working Drafts > OAuth Extensions: PoP, etc. > Implementation Complexity
Simon Kölsch | @simkoelsch
[email protected]
innoQ Deutschland GmbH Krischerstr. 100
40789 Monheim am Rhein Germany Phone: +49 2173 3366-0 innoQ Schweiz GmbH Gewerbestr. 11 CH-6330 Cham Switzerland Phone: +41 41 743 0116 www.innoq.com Ohlauer Straße 43 10999 Berlin Germany Ludwigstrasse 180 E 63067 Offenbach Germany Kreuzstrasse 16 D-81373 München Germany Thank you! Questions? Comments? Christoph Iserlohn
[email protected]