Page 1

Token-based Authentication in Single-Page and Mobile Applications
Saturday, March 28th, 2015
Will Adams, Senior Software Engineer, Fiserv, Inc.


Page 2

Agenda
• Overview of token-based authentication.
• Types of tokens.
  • Anti-CSRF.
  • Access.
  • Refresh.
• Token formats.
• Standards and Guidelines.
• Demo.
• Resources.

Page 3

Overview
• Token-based authentication is the process of verifying a user’s identity, then creating and returning a unique set of claims (i.e. key-value pairs) that describe the user.
• Token-based authentication allows you to outsource authentication from your application and instead consume a token based on a trusted relationship between your app and an identity provider.

Page 4

Anti-CSRF “sync” Tokens
• Use if you’re relying on cookies for authentication, e.g. ASP.NET’s forms authentication ticket.
• Websites that use any persistent authentication mechanism such as Windows Authentication, Basic, etc. can also be subject to CSRF attacks and should use sync tokens.
• Sync tokens are randomly generated values included in any form/request and are based on the synchronizer token pattern. This pattern utilizes two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass a comparison check.

Page 5

Anti-CSRF Tokens – cont’d
• In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and available via the IIdentity interface.
• Denote the unique claim in your app if you’re using something other than NameIdentifier. Add a line similar to the following in the Application_Start method in Global.asax.cs:
  AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
• OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET.
• ASP.NET MVC example:
  <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />

Page 6

Access Tokens
• An access token is just an opaque string representing an authorization granted to a client application.
• Access tokens can be Bearer or Holder-of-Key tokens.
  • Bearer tokens can be used as-is without requiring proof of ownership.
    • Used by passive, browser-based clients.
    • Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks.
    • Refer to OAuth spec: https://tools.ietf.org/html/rfc6750.
  • Holder-of-Key tokens require supporting cryptographic material to prove token ownership.
    • Guarantees end-to-end message key security since the token is signed and encrypted and keys are shared out-of-band.
    • Refer to OAuth spec: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01.

Page 7

Access Tokens – cont’d
• Format explained:
  • access_token: string containing the token issued by the identity provider.
  • token_type: the type of token issued.
  • expires_in: the lifetime in seconds of the access token.
  • scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user.
  • state: optional parameter used for security checks. The value sent by the client is the same one returned in the response.
  • refresh_token: optional parameter used to request a new access token.
• Example:
  { "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

Page 8

Refresh Tokens
• An opaque string containing a unique identifier used to retrieve authorization information for a specific client.
• Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires.
• Refresh tokens are long-lived as compared to access tokens, whose lifetime is much shorter.
• Refresh tokens should be able to be revoked in case an access token is compromised.
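The access-token response on slide 7 and the refresh flow on slide 8 combined, as an added example that is not from the talk: a client-side token store for a single-page app that sends the access token as a Bearer header and uses the refresh token once the access token is about to expire. TokenStore, refreshFn (standing in for the call to the token endpoint, modelled synchronously) and the injectable clock are assumptions for illustration.

```javascript
// Added example (not from the talk): SPA-side handling of the token
// response shown on slide 7 plus the refresh step from slide 8.
const EXPIRY_SKEW_MS = 30 * 1000; // refresh a little early to absorb clock drift

class TokenStore {
  // refreshFn(refreshToken) -> new token response (assumed synchronous here);
  // now() -> epoch milliseconds, injectable for offline testing.
  constructor(refreshFn, now = () => Date.now()) {
    this.refreshFn = refreshFn;
    this.now = now;
    this.tokens = null;
  }

  // Accept a token response of the shape on slide 7; only Bearer is handled.
  setTokens(response) {
    if (typeof response.access_token !== 'string' || !response.access_token) {
      throw new Error('token response lacks access_token');
    }
    if (String(response.token_type).toLowerCase() !== 'bearer') {
      throw new Error(`unsupported token_type: ${response.token_type}`);
    }
    const lifetime = Number(response.expires_in);
    if (!Number.isFinite(lifetime) || lifetime < 0) {
      throw new Error('token response lacks a valid expires_in');
    }
    this.tokens = {
      accessToken: response.access_token,
      refreshToken: typeof response.refresh_token === 'string' ? response.refresh_token : null,
      expiresAt: this.now() + lifetime * 1000,
    };
  }

  // Expired, or inside the skew window, from the client's point of view.
  isExpired() {
    return !this.tokens || this.now() + EXPIRY_SKEW_MS >= this.tokens.expiresAt;
  }

  // Value for the Authorization header, refreshing first when needed. The
  // refresh token is sent only to the authorization server, never to APIs.
  authorizationHeader() {
    if (this.isExpired()) {
      if (!this.tokens || !this.tokens.refreshToken) {
        throw new Error('access token expired and no refresh token available');
      }
      this.setTokens(this.refreshFn(this.tokens.refreshToken));
    }
    return `Bearer ${this.tokens.accessToken}`;
  }

  // Forget tokens client-side (logout); revoking the refresh token is a server-side action.
  clear() { this.tokens = null; }
}
```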

Page 9

Refresh Tokens – cont’d
• Example:
  {"token":"VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY","userName":"FooBar","refreshToken":"03715a432ead4dbc91a371eb26c24931","useRefreshTokens":true}

Page 10

Token Formats
• SAML – Security Assertion Markup Language.
• JWT – JSON Web Token.
• SWT – Simple Web Token.

                            SAML                       SWT                  JWT
Format                      XML                        HTML Form Encoding   JSON
Designed for                SOAP                       REST                 REST
Default WIF implementation  Yes                        No                   No
Protocols                   WS-Trust & WS-Federation   OAuth 2.0            OAuth 2.0
Support for signing         Yes                        Yes                  Yes
Support for encrypting      Yes                        No                   Yes

Page 11

Standards and Guidelines
• OpenID Connect is the authentication spec built on top of OAuth 2.0. It covers the use and format of the JSON Web Token. Refer to: http://openid.net/specs/openid-connect-core-1_0.html.
• OWASP has good coverage of topics related to security and authentication:
  • https://www.owasp.org/index.php/Authentication_Cheat_Sheet.
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
• JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.

Page 12

Demo

Page 13

Resources
• Books:
  • Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c.
  • Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185.
• Blog Posts & Articles:
  • Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/.
  • WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.

Page 14

Resources – cont’d
• PluralSight Courses:
  • Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture.
  • Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud.
  • AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals.
• Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.