securing your apps with oauth2 and openid connect - roland guijt - codemotion roma 2015

21
ROME 27-28 March 2015 - Securing your web apps with OAuth2 and OpenId Connect - [email protected] - RMG Solutions - Roland Guijt

Upload: codemotion

Post on 15-Jul-2015

Category: Software

TRANSCRIPT

ROME 27-28 March 2015

Securing your web apps with OAuth2 and OpenId Connect

[email protected] - RMG Solutions

Roland Guijt

Agenda

- The problem
- Demos
- How it works

Typical Scenario

(diagram slide)

Modern Applications

(diagram: Web API, Web API)

Modern Applications

(diagram slide)

What is OAuth?

- HTTP(S) authorization for the new world
- Gets you tokens in exchange for a secret
- Use the tokens to let software gain access to resources (Web APIs) without revealing the secret

What is OpenId Connect?

- Extends OAuth
- Authentication: uses the OAuth way to know the user
- For when the identity of the user is needed

Context

(diagram)

- OAuth: authorization protocol, fetches tokens
- OpenId Connect: authentication

Cast

- Resource Owner
- Client
- Resource Server
- Authorization server

Cast

- Resource Owner - Homo Sapiens
- Client - MVC Website/Browser (js)
- Resource server - Web API
- Authorization server - IdentityServer3

Tokens

- Contain claims
- Signed
- Expire
- JWT format for OpenId – parsable by every platform
- Credentials for resource server
  - Store/send token instead of secret
- Issued by authorization server
- Trusted by resource server
- Single Sign On (SSO)

JWT Example

Header:

    {
      "typ": "JWT",
      "alg": "HS256"
    }

Payload (exp and auth_time are numeric dates, seconds since the epoch):

    {
      "sub": "3449455",
      "aud": "clientId",
      "iss": "http://issuerURL",
      "exp": 1311281970,
      "auth_time": 1311280969,
      "scope": ["read", "write"],
      "myClaim": "Something"
    }
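The slide shows the two JSON parts of a token but not what a resource server has to check before trusting them. The following is an added example, not code from the talk or from IdentityServer: it mints an HS256 JWT with the slide's payload using only the Python standard library and then validates the points the "Tokens" slide lists (signature, expiry, audience, issuer). The shared secret is a constructed value; the issuer URL and client id are the ones on the slide.

```python
"""Added example: mint and validate an HS256 JWT with the standard library.
The key below is constructed for the example; the issuer and audience
values are the ones shown on the slide."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"   # constructed; a real key comes from configuration
ISSUER = "http://issuerURL"      # as on the slide
CLIENT_ID = "clientId"           # as on the slide


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature for alg HS256 (what the authorization server does)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_jwt(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this resource server,
    otherwise raise ValueError. The signature is verified before any claim,
    including 'alg', is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm the resource server expects; the token must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


# The payload from the slide, used as sample input.
SLIDE_CLAIMS = {
    "sub": "3449455", "aud": CLIENT_ID, "iss": ISSUER,
    "exp": 1311281970, "auth_time": 1311280969,
    "scope": ["read", "write"], "myClaim": "Something",
}

if __name__ == "__main__":
    tok = mint_jwt(SLIDE_CLAIMS, SECRET)
    # Evaluate "now" just before the slide's exp so the sample token is still valid.
    print(validate_jwt(tok, SECRET, CLIENT_ID, ISSUER, now=1311281000)["sub"])
```

The order of the checks is the point: a resource server verifies the signature with the key it was configured with and against the algorithm it expects, and only then reads `iss`, `aud` and `exp`. Checking `aud` is what stops a token issued for one client being replayed against another API that trusts the same authorization server.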

OAuth Flows

- Supported scenarios
- Choose wisely
- Flows without user interaction are out of scope

OAuth Flow 1: Authorization Code

(sequence diagram: Authorization server, Code, Token, Web API)

- Client secret is sent

OAuth Flow 2: Implicit

(sequence diagram: Authorization server, Token, Web API)

- Authorization endpoint

    GET /authorize?response_type=token&client_id=BhdRkqt&state=xyz&redirect_uri=https://client.Example.com
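In the implicit flow the token comes back on the redirect URI, so the checks the authorization server makes on this request, and the `state` check the client makes on the way back, carry the security of the flow. The following is an added example, not code from the talk or from IdentityServer: it parses the request line shown on the slide and validates it against a client registration constructed for the example (the `client_id` and `redirect_uri` are the slide's; the registration table, `new_state` and `check_callback_state` are assumptions).

```python
"""Added example: authorization-server checks on the GET /authorize request
from the slide, plus the client-side 'state' round trip. The client
registration below is constructed for the example."""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registration. redirect_uri is compared by exact string match.
REGISTERED_CLIENTS = {
    "BhdRkqt": {
        "redirect_uris": ["https://client.Example.com"],
        "response_types": {"token", "code"},
    }
}

# The request line exactly as shown on the slide.
REQUEST_LINE = ("GET /authorize?response_type=token&client_id=BhdRkqt"
                "&state=xyz&redirect_uri=https://client.Example.com")


def parse_authorize_request(request_line: str) -> dict:
    """Split a request line into method and target and return the query
    parameters, rejecting anything sent twice."""
    method, target = request_line.split(" ", 1)
    if method != "GET":
        raise ValueError("authorization endpoint expects GET")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    dupes = [k for k, v in query.items() if len(v) > 1]
    if dupes:
        raise ValueError(f"duplicate parameter(s): {dupes}")
    return {k: v[0] for k, v in query.items()}


def validate_authorize_request(params: dict, clients: dict = REGISTERED_CLIENTS) -> dict:
    """Return the parameters if the authorization server may act on them,
    otherwise raise ValueError. On a redirect_uri mismatch the server must
    show an error page itself and not redirect anywhere."""
    client = clients.get(params.get("client_id", ""))
    if client is None:
        raise ValueError("unknown client")
    if params.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for client")
    if params.get("response_type") not in client["response_types"]:
        raise ValueError("response_type not allowed for client")
    if not params.get("state"):
        raise ValueError("state is required to bind the response to the request")
    return params


def new_state() -> str:
    """Client side: an unguessable value stored in the user's session
    before redirecting to the authorization endpoint."""
    return secrets.token_urlsafe(24)


def check_callback_state(session_state: str, returned_state: str) -> bool:
    """Client side: accept the callback only if its state matches the one
    this session issued (constant-time compare)."""
    return secrets.compare_digest(session_state, returned_state)


if __name__ == "__main__":
    params = validate_authorize_request(parse_authorize_request(REQUEST_LINE))
    print("accepted request for client", params["client_id"])
    s = new_state()
    print("callback with same state accepted:", check_callback_state(s, s))
```

The slide's `state=xyz` is a placeholder; in practice the client generates it per login as `new_state` does, and the exact-match rule on `redirect_uri` is what keeps the token from being delivered to a location the client never registered.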

OAuth Flow 3: Hybrid

- Combination of Authorization Code and Implicit
- Can issue code and/or tokens directly
- Code for long lived access (refresh tokens), token for quick access


OpenId Connect Extras

- ID token (scope openid)

- Additional user info (scopes profile, email, address, phone)

- Identity and UserInfo Endpoint

- Discovery

Refresh Tokens

- offline_access scope
- Not meant for the resource server
- Used by the client to get another access token when the current one expires
- Received together with the access token
- At token refresh a new one is issued
- Not supported in the implicit flow: there is no client authentication


Demo Time


More Info?

- Read the specs
  - http://openid.net/specs/openid-connect-core-1_0.html
  - https://tools.ietf.org/html/rfc6749
- IdentityServer
  - https://github.com/IdentityServer/IdentityServer3
  - https://github.com/IdentityServer/IdentityServer3.Samples

ROME 27-28 March 2015 - Roland Guijt

Leave your feedback on Joind.in!

https://joind.in/event/view/3347

Contact me:

[email protected]

@rolandguijt