Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 2 und OpenID Connect @DevSec 2017
Search
Simon Kölsch
October 26, 2017
Education
0
78
OAuth 2 und OpenID Connect @DevSec 2017
//heise devSec() 26, oct, 2017
Simon Kölsch
October 26, 2017
Tweet
Share
More Decks by Simon Kölsch
See All by Simon Kölsch
Vault @ Continuous Lifecycle 2016
simkoelsch
0
200
Security in Microservices Umgebungen @WJAX2016
simkoelsch
0
70
Secure Clojure Webapplications @ Froscon
simkoelsch
0
130
Docker Introduction Tech Talk
simkoelsch
0
140
Web Crypto API - Talk @EnterJS
simkoelsch
1
150
OAuth 2 und OpenID Connect @JAX2015
simkoelsch
2
480
Web Crypto API - Lightning Talk @Troopers
simkoelsch
1
120
Other Decks in Education
See All in Education
Data Physicalisation - Lecture 9 - Next Generation User Interfaces (4018166FNR)
signer
PRO
0
430
マネジメント「される側」 こそ覚悟を決めろ
nao_randd
10
5.3k
Constructing a Custom TeX Ecosystem for Educational Institutions—Beyond Academic Typesetting
doratex
1
9.1k
Tutorial: Foundations of Blind Source Separation and Its Advances in Spatial Self-Supervised Learning
yoshipon
1
110
Education-JAWS #3 ~教育現場に、AWSのチカラを~
masakiokuda
0
160
AIの時代こそ、考える知的学習術
yum3
2
160
RELC_2025_KYI
otamayuzak
0
110
OpenRobomaster 中国のロボットコンテスト 日本連携の可能性
takasumasakazu
0
450
(キラキラ)人事教育担当のつらみ~教育担当として知っておくポイント~
masakiokuda
0
100
生成AI
takenawa
0
4.8k
Are puppies a ranking factor?
jonoalderson
0
820
2025/06/05_読み漁り学習
nag8
0
140
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Writing Fast Ruby
sferik
628
61k
Fireside Chat
paigeccino
37
3.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Faster Mobile Websites
deanohume
307
31k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.6k
Stop Working from a Prison Cell
hatefulcrawdad
270
20k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
53k
Automating Front-end Workflow
addyosmani
1370
200k
Building Applications with DynamoDB
mza
95
6.5k
Transcript
OAuth 2 und OpenID Connect //heise devSec() 2015 26.10.2017, Heidelberg
Simon Kölsch & Christoph Iserlohn
Agenda > OAuth 1, OAuth 2, OpenID Connect, O…? >
How does it work? > Use Cases > Should I use it
“Web 2.0” Platforms and many more…
“Web 2.0” Platforms and many more… = User content on
big platforms with APIs 2010 - ~ 550.000 “Facebook Apps” 2015 - ~ 30 Flickr Apps tagged “geo” …
Resource/Auth Server The access problem Client Resource Owner needs Access
checks Permission provides Access gives Permission
OAuth 0 > Client gets user password > Client impersonates
user and gets resource
OAuth 1 > Client registers at the service > Client
asks resource owner for permission via the service > Client gets a token > Client can access the resource with the token
OAuth 1 > Authorization Protocol > RFC 5849 (38 pages
spec) > One security issue (fixed 2009) > non-trivial request / response creation > Scope: “web applications”
Why OAuth 2? > Simplify client development process > Desktop
Applications / Single-Page-Apps > Mobile Phones > “Living room devices”
OAuth 2 Roles > Resource Owner > Client > Resource
Server > Authentication Server
OAuth 2 Tokens > Access Token “An access token is
a string representing an authorization issued to the client.” > Token Type (e.g. “Bearer”) > usually short-living > Refresh Token > Scope
Authorization Code Grant User Agent Client Auth Server redirect to
grant screen add ‘state’ (and callback + client id ) show grant screen grant the request redirect with state and authorisation_code to client callback URI submit auth code, identify with client credentials respond with token optional refresh token
OAuth 2 Grant Types > Authorization Code > Implicit >
User Credentials > (Client Credentials)
OAuth 2 Spec Overview Core Framework Bearer Token Security JSON
Web Token Assertions JWT Bearer Assertion SAML 2 Bearer Assertion WG Drafts (PoP, Token Exchange, …)
Short Comparison OAuth 1 OAuth 2 > Authorization protocol >
Spec finalized > Additional crypto to TLS > Delegation framework > Many extensions > TLS only (Core) > Incompatible implementations
Takeway > OAuth is a complex solution for delegating authorization
in an environment without any trust between the involved parties > It secures APIs and has nothing todo with authentication (AUTHN vs AUTHZ)
Example: Traditional System Client Auth
Example: Microservices Client Auth
Example: Microservices Client Auth T T T T T
OAuth 2 for Single-Sign-On? > Token = “Authorization to access
Resource” Resource could be = Login to Service > Missing: Who? Where? When? How? … ?
Identities Entity Identity 1 Identity 2 Identity 3 Service Service
OpenID Connect OAuth 2 JOSE OpenID Connect Identity Layer
Signature JWT Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } JWT Header JWT Payload
JWT Example Encoded eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5j b20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNv bSIsIm5iZiI6MTQyOTY5MzY3MSwiZXhwIjoxNDI5Njk3 MjcxLCJpYXQiOjE0Mjk2OTM2NzEsImp0aSI6ImlkMTIz NDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9y ZWdpc3RlciJ9.
A3DVPjcIeQPGOkMcABwAe_8lWHvPG9dFhNyskwVfsxIL t6SKtYGxYz0m7V- DjzjYLXqzSwycwlRJBuYr_vdLRA9aoGsGQpP5- SAiA5SdLMMk3MMZTIoSHgZrC8TeZx8bJBlPzkSu91dJI uzKI8PRPp3DH8Tum-XDsCmqu3_uIl2633Mb1Bg4HKEz- q2L2Y6k2Z1bqFxRn2GfV3ziQ8uqGOp3V_UlwvPccX8F3 m- qe3MrF5aPSFGoU9bZDcQcBQ2ypGTluBNYnPzuMx9EdET PJ0IxA1awgP74tFS27rt8KLUDnBvWVATNfYDFrqAcFCj zk49znd4JLvNObbDebka3_g Header Payload Signature
ID Token Example { “typ”:”JWT”, “alg”:”HS256” }{ "iss": "http://server.example.com", "sub":
"248289761001", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970, "nonce": "n-0S6_WzA2Mj", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "gender": "female", "birthdate": "0000-10-31", "email": “
[email protected]
”, "email_verified": {"essential": true} } Claim mandatory Claims scope E-Mail
OpenID Connect Modules Core Discovery Dynamic Client Registration Session Management
Form Post Response Mode
Enterprise Use Cases > Securing internal APIs > Single-Sign-On >
Active Directory > Mobile Clients > White Label Software
Should I use it? > OpenID Connect Extensions still
partly Working Drafts > OAuth Extensions: PoP, etc. > Implementation Complexity
Simon Kölsch | @simkoelsch
[email protected]
innoQ Deutschland GmbH Krischerstr. 100
40789 Monheim am Rhein Germany Phone: +49 2173 3366-0 innoQ Schweiz GmbH Gewerbestr. 11 CH-6330 Cham Switzerland Phone: +41 41 743 0116 www.innoq.com Ohlauer Straße 43 10999 Berlin Germany Ludwigstrasse 180 E 63067 Offenbach Germany Kreuzstrasse 16 D-81373 München Germany Thank you! Questions? Comments? Christoph Iserlohn
[email protected]