Modern Applications need Modern Security

OpenID Connect & OAuth 2.0

Tuesday, January 29, 2019

12 - 1 PM EST

http://eum.co

Peter Carson

• President, Extranet User Manager
• SharePoint MVP
• Partner Seller, Microsoft Canada
• peter.carson@extranetusermanager.com
• http://blog.petercarson.ca
• www.extranetusermanager.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group

Brock Allen

• http://brockallen.com
• brockallen@gmail.com
• Twitter @BrockLAllen

In the Beginning…

Web Applications

...then came Federation

Web Applications

SAML, WS-Federation
WS-Trust / WS-Security

Then this happened…

HTTP
JSON

No SOAP
No SAML
No WS*
No Windows
No Enterprise

Modern Applications

Diagram: Browser, Native App, Server App and "Thing" as clients; a Web App and several Web APIs as the things they call; a Security Token Service that all of them rely on for tokens.

Security Protocols (I)

Diagram: the same topology as above. The browser-based user sign-in legs (Browser to Web App) are labelled WS-Fed, SAML 2.0, OpenID Connect*.

Security Protocols (II)

Diagram: the same topology again. The user sign-in legs keep WS-Fed, SAML 2.0, OpenID Connect*; every leg that calls a Web API (Browser, Native App, Server App, "Thing" and Web App to Web API, and Web API to Web API) is labelled OAuth 2.0.

What's wrong with SAML (& WS-Federation)

Craig Burton (#CIS2012):

“SAML is the Windows XP of Identity.”

“No funding. No innovation. People still use it. But it has no future.
SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.”

What’s wrong with OAuth 2.0

OAuth 2.0 is a delegated-authorization protocol: it tells an API what a client may do, but on its own it says nothing about who the user is, so an access token is not proof of authentication. OpenID Connect layers user authentication (the identity token) on top of OAuth 2.0:

http://openid.net/connect/

Libraries & Implementations

IdentityServer

OpenID Connect in a Nutshell

Diagram: Browser, Native App and Web App on the client side, Web API on the resource side. OpenID Connect covers two jobs for these clients:

• Authenticate Users
• Request Access Tokens for APIs

Endpoints

• Authorize Endpoint
• Token Endpoint

Flows

• Implicit/Hybrid/Code Flow
  – interactive applications
  – user authentication
• Client Credentials Flow
  – server to server communication
  – headless devices / IoT

Implicit Flow – Web Applications

GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email

Authentication (the user signs in at the STS)

Consent (the user approves the requested scopes)

Response

POST /callback

<form>
  <input type="hidden" name="id_token" value="xjsj…aas" />
</form>

Identity Token

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}

Claims

{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "nonce": "d89ui3jk33",
  "sub": "182jmm199",
  "email": "alice@alice.com",
  "email_verified": true,
  "amr": [ "password" ],
  "auth_time": 1340819300
}

Compact serialization: Header.Claims.Signature, each segment base64url-encoded, e.g.

eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
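How a client should check the identity token it receives in the form post above, as an added example (not code from the deck, nor IdentityServer's). It uses the claim set from the slide. Assumptions not on the slide: the token is HMAC-signed (HS256) with a shared demo key so the example runs on the standard library alone; a real RS256 token is verified with the provider's published signing key instead, and the claim checks are identical. One caveat worth making explicit: the compact sample string on the slide begins with `eyJhbGciOiJub25lIn0`, which decodes to `{"alg":"none"}`. A validator must pin the algorithm it expects rather than honour whatever the header says, which is what `validate_id_token` does.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo material (not from the slides): a shared HMAC key stands in for
# the STS's RSA signing key so this runs with the standard library only.
KEY = b"demo-shared-secret-do-not-use"
ISSUER = "https://idsrv3"
CLIENT_ID = "app1"
NONCE = "d89ui3jk33"


def b64url_decode(data: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding the format strips."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Mint a compact JWT (the STS's job; HS256 here for demo purposes only)."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def make_demo_token(now: int, **overrides) -> str:
    """Identity token carrying the slide's claims, timestamps relative to `now`."""
    claims = {"iss": ISSUER, "exp": now + 300, "aud": CLIENT_ID, "nonce": NONCE,
              "sub": "182jmm199", "email": "alice@alice.com", "email_verified": True,
              "amr": ["password"], "auth_time": now - 30}
    claims.update(overrides)
    return sign_hs256({"typ": "JWT", "alg": "HS256", "kid": "demo"}, claims, KEY)


def forge_alg_none(token: str) -> str:
    """What an attacker tries: keep the claims, set alg=none, drop the signature."""
    _, claims_segment, _ = token.split(".")
    return b64url_encode(b'{"alg":"none"}') + "." + claims_segment + "."


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: int) -> dict:
    """Return the claims if the token is acceptable for this client, else raise ValueError.

    Order matters: pin the algorithm and verify the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # The token does not get to pick the verifier: "none" or any other alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token was not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    # The nonce ties this token to the /authorize request the client sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token replayed or issued for another login")
    return claims


def rejection_reason(token, key, issuer, client_id, expected_nonce, now) -> str:
    """Empty string if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, key, issuer, client_id, expected_nonce, now)
        return ""
    except ValueError as exc:
        return str(exc)
```

The nonce check is the part web frameworks most often leave to the application: the client generates the nonce when it builds the `/authorize` request, stores it in the session, and compares it here; without it a captured `id_token` from another login can be posted to the callback.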

Discovery

The discovery document (/.well-known/openid-configuration under the issuer) publishes the issuer name, the authorize and token endpoint URLs and the signing keys (JWKS) a client needs to validate identity tokens, so none of it has to be hard-coded.

Accessing APIs

• with client identity
• with user identity

Calling an API using Client Identity

POST /token
  grant_type=client_credentials
  scope=api1
  client_id=client
  client_secret=secret

→ <token>

Authorization: Bearer <token>
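The client credentials exchange above with both sides in one place, as an added example (not from the deck, nor IdentityServer's code): a stand-in token endpoint that authenticates `client` with `secret`, limits it to the scopes it was registered for and issues a reference token, and an API that checks the `Authorization: Bearer` header. The client registration, the in-memory token store and the second registered scope `api2` are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registration (not from the slides): the STS keeps only a hash of the
# client secret and the set of scopes "client" is allowed to request.
CLIENTS = {
    "client": {
        "secret_sha256": hashlib.sha256(b"secret").hexdigest(),
        "allowed_scopes": {"api1", "api2"},
    }
}

# Reference-token store the API consults: token -> (client_id, scopes, expires_at).
ISSUED = {}


def build_token_request(client_id: str, client_secret: str, scope: str) -> str:
    """Form body the client POSTs to /token for the client credentials grant."""
    return urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_id": client_id, "client_secret": client_secret})


def token_endpoint(body: str, now: int):
    """STS side of POST /token. Returns (http_status, json_body)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    # Constant-time comparison of the stored and presented secret hashes.
    if client is None or not hmac.compare_digest(presented, client["secret_sha256"]):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    # Every requested scope must be one the client was registered for; no silent narrowing.
    if not requested or not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (form["client_id"], requested, now + 3600)
    return 200, {"access_token": token, "expires_in": 3600, "token_type": "Bearer"}


def api_call(authorization_header: str, required_scope: str, now: int) -> int:
    """Resource-server check of `Authorization: Bearer <token>`; returns an HTTP status."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    entry = ISSUED.get(token)
    if entry is None or now >= entry[2]:
        return 401  # unknown or expired token: the client must get a new one
    if required_scope not in entry[1]:
        return 403  # valid token, but not for this API
    return 200
```

The two status codes at the API are deliberate: a missing, unknown or expired token is a 401 (authenticate again), while a good token that lacks the scope the API needs is a 403, so the client does not loop back to the token endpoint for a scope it will never be granted.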

Web Applications

• OpenID Connect Hybrid Flow combines
  – user authentication (identity token)
  – access to APIs (access token)
• Additional Security Features
  – access tokens not exposed to the browser (the code is exchanged server-side)
  – (optional) long-lived API access (refresh tokens)

Hybrid Flow Request

GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=code id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email api1 api2

Hybrid Flow Response

POST /cb

<form>
  <input type="hidden" name="id_token" value="xjsj…aas" />
  <input type="hidden" name="code" value="i8j1…jj19" />
</form>

Retrieving the Access Token

• Exchange code for access token
  – using client id and secret

POST /token
  code=i8j1…jj19
  (client authenticated with client_id:client_secret)

{
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Client-side Applications

• OpenID Connect Code Flow
  – Better suited for public clients (no client secret to protect)
  – Still obtain id token and access token
• Proof Key for Code Exchange (PKCE)
  – Acts as a dynamic, per-request client secret
  – Protects against authorization code interception

Requesting tokens from JavaScript

GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb.html
  &response_type=code
  &nonce=j1y…a23
  &scope=openid email api1 api2
  &code_challenge=x929..1921

Authorize Response

GET /callback.html?code=238…823j

Token Endpoint Exchange

• Ajax used to exchange code for tokens
  – using client id and code verifier

POST /token
  client_id, code, code_verifier

{
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Native Applications

GET /authorize
  ?client_id=native.app
  &scope=openid email api1 api2 offline_access
  &redirect_uri=com.mycompany://native.app/cb
  &response_type=code
  &code_challenge=x929..1921

Response

GET com.mycompany://native.app/cb
  ?code=8128…1299

Token Endpoint Exchange

POST /token
  client_id, code, code_verifier

{
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "refresh_token": "dxy…103",
  "expires_in": 3600,
  "token_type": "Bearer"
}
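The code flow with PKCE from the JavaScript slides and the native-app slides, both sides in one place, as an added example (not from the deck, nor IdentityServer's code). Client ids, redirect URIs and scopes are those on the slides. The `state` parameter, `code_challenge_method=S256`, the in-memory code store and the registered-redirect table are assumptions added for the demo, and the identity token comes back as unsigned claims because signing is out of scope here.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://idsrv3/authorize"

# Constructed registrations (not from the slides): exact redirect URIs per client.
REGISTERED_REDIRECTS = {
    "native.app": {"com.mycompany://native.app/cb"},
    "app1": {"https://app.com/cb.html"},
}
CODES = {}  # STS store: code -> the authorize request it was issued for, plus the user


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- client side ----------------------------------------------------------
def new_pkce_pair():
    """The verifier never leaves the client; only its SHA-256 travels in the URL."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, challenge, state, nonce):
    """GET /authorize as on the slides, plus code_challenge_method=S256 and state."""
    return AUTHORIZE + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": scope, "code_challenge": challenge, "code_challenge_method": "S256",
        "state": state, "nonce": nonce})


# ---- authorization server side ---------------------------------------------
def authorize_endpoint(url: str, user_sub: str) -> str:
    """After login and consent: bind a one-time code to this request, redirect back."""
    p = query_params(url)
    if p.get("response_type") != "code" or p.get("code_challenge_method") != "S256":
        raise ValueError("only response_type=code with S256 is accepted")
    # Exact match against the registration: no prefix or wildcard matching.
    if p.get("redirect_uri") not in REGISTERED_REDIRECTS.get(p.get("client_id"), set()):
        raise ValueError("redirect_uri not registered for client")
    code = secrets.token_urlsafe(24)
    CODES[code] = dict(p, sub=user_sub)
    return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p.get("state", "")})


def token_endpoint(form: dict):
    """POST /token with client_id, code, code_verifier. Returns (status, json_body)."""
    issued = CODES.pop(form.get("code", ""), None)  # one-time use, even on failure
    if issued is None or issued.get("client_id") != form.get("client_id"):
        return 400, {"error": "invalid_grant"}
    presented = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
    if not hmac.compare_digest(presented, issued["code_challenge"]):
        return 400, {"error": "invalid_grant"}  # verifier does not match the challenge
    tokens = {"id_token_claims": {"sub": issued["sub"], "nonce": issued.get("nonce")},
              "access_token": secrets.token_urlsafe(32), "expires_in": 3600,
              "token_type": "Bearer"}  # a real STS signs the id_token claims
    if "offline_access" in issued.get("scope", "").split():
        tokens["refresh_token"] = secrets.token_urlsafe(32)
    return 200, tokens


# ---- the whole exchange, as the native app on the slides would run it -------
def run_native_login(user_sub: str = "182jmm199"):
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url("native.app", "com.mycompany://native.app/cb",
                              "openid email api1 api2 offline_access", challenge, state, nonce)
    callback = authorize_endpoint(url, user_sub)  # system browser round-trip, elided
    cb = query_params(callback)
    if cb.get("state") != state:
        raise ValueError("state mismatch: callback does not belong to this login")
    return token_endpoint({"client_id": "native.app", "code": cb["code"],
                           "code_verifier": verifier})
```

Two details the slides' requests leave implicit: they omit `code_challenge_method`, which RFC 7636 says the server must then treat as `plain` (the verifier itself goes in the URL), so send `S256` explicitly; and the code is bound to the verifier, not to the client, which is why a code lifted from the custom-scheme redirect or from `callback.html` is useless to whoever intercepted it.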

Resources

• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel

Upcoming Events

Valo Teamwork and Extranet User Manager
Feb 21, 2019, 12-1 PM EST
eum.co/events

May 21-23, 2019, Las Vegas
www.sharepointna.com

Developing Custom Connectors for the Microsoft Power Platform
Feb 28, 2019, 12-1 PM EST
eum.co/events

Thank you!

Questions?

http://eum.co
