Authentifizierung und Single Sign-On für Mobile, Web & Desktop Anwendungen

Authentication scenarios for mobile Applications*

The Microsoft Technology Stack**

Corporate vs Customer facing Applications

*WS-Federation, OpenID Connect, OAuth2

**AD, ADFS, AAD, ADAL, Katana

Agenda

Classic Intranet Scenario

VPN

Bridging the Gap – On Premise

ADFS

Web

Application

Proxy

Cloud

sync

AAD

Typical Application Scenarios

ProtocolsWS-Fed, SAML

2.0, OpenID

Connect

OAuth2

OAuth2

OAuth2

OAuth2

OAuth2

OAuth2

1. Browser to Web Application

WS-Fed, SAML

2.0, OpenID

Connect

WebApp Service Principal

• App ID URI

• Reply Url

1. Navigate to site

2. Redirect to token service

3. Sign in

4. Send security token to Reply URL

5. Set session

Web Browser to

Web App:

WS-Federation,

SAML 2.0,

OpenID Connect

SAML, WS-Fed, or OpenID Connect Endpoint

Katana

Authentication Middleware for ASP.NET

WS-Federation

OpenID Connect

JSON Web Tokens

Cookies

Katana

OpenID Connect – Request

GET /authorize

?client_id=app1

&scope=openid profile

&redirect_uri=https://app.com/cb

&response_type=id_token

&response_mode=form_post

OpenID Connect – Response

<form>

<input type="hidden"

name="id_token"

value="xjsj…aas" />

</form>

POST /callback

JSON Web Tokens (JWT){

"typ": "JWT","alg": "HS256"

}

{"iss": "https://login.windows.net","exp": 1340819380,"aud": "app1",

"sub": "182jmm199","email": "alice@alice.com","email_verified": true,"amr": "password","auth_time": 12340819300

}

Header

Claims

eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

Header Claims Signature

2. Native Client to Web API

OAuth 2.0

1. Request Authorization Code

Native Client to

Web API:

OAuth 2.0

auth code grant,

public client

NativeApp SP

• Client ID

• Redirect URI

Authorize Endpoint Token Endpoint

ADAL

2. Sign in

3. Return Authorization Code to Redirect URI

User sees

web pop up… Katana

WebAPI SP

• App ID URI

GET https://login/adfs/oauth2/authorize

?response_type=code

&resource=https://myservice

&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d

&redirect_uri=http://myclient/

<< Stuff happens here to sign the user in... >>

302 Found http://myclient/

?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…

Authorization Code Request/Response

Web-based

Name/Password

2FA

Kerberos (ADFS)

Client Certificates (ADFS)

Authentication Methods

4. Redeem Authorization Code

Native Client to

Web API:

OAuth 2.0

auth code grant,

public client

Authorize Endpoint Token Endpoint

ADAL

5. Return Access Token, Refresh Token

6. Send Access Token on Authorization Header

Katana

NativeApp SP

• Client ID

• Redirect URI

WebAPI SP

• App ID URI

POST https://login/adfs/oauth2/token

grant_type=authorization_code

&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…

&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d

&redirect_uri=http://myclient/

&resource=https://myservice

200 OK

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",

"token_type":"Bearer",

"expires_in":"3599",

"refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",

Token Request/Response

{

"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A”

}.

{

"aud": "http://myService",

"iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",

"iat": 1396468289, "nbf": 1396468289, "exp": 1396472189, "ver": "1.0",

"tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",

"oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",

"upn": "dbaier@leastprivilege.com",

"sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",

"family_name": "Baier",

"given_name": "Dominick",

"appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d",

}

Example AAD JWT Access Token (shortened)

http://jwt.io/

Active Directory Authentication Library

Open Source Client Library for

Desktop .NET

Windows RT

Windows Phone

iOS/Android Native

iOS/Android Xamarin

ADAL

https://github.com/AzureAD

ADAL supports token caching (extensible)

Token renewal via existing logon session

Refresh tokens

Token Lifetime Management

Native Client to

Web API:

Refresh Tokens

Authorize Endpoint Token Endpoint

ADAL

2. Access Token has Expired

3. Request new Access Token with Refresh Token

4. Return Access Token, Refresh Token

5. Call web API with Access Token in AuthZ Header

1. Call WebAPI (Access Token in AuthZ Header)

Katana

NativeApp SP

• Client ID

• Redirect URI

WebAPI SP

• App ID URI

Brand new ADAL.js library (preview)

familiar programming interface, AngularJS support..

Support for OAuth2 “Implicit Flow”

simplified flow – no server back-end required

currently AAD only

What about SPAs?

http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/

3. Web Application to Web API

Web App calls Web API using own identity

Trusted Subsystem design

OAuth2 client credential flow or code flow

Web App calls Web API using user identity

OpenID Connect and/or OAuth2 code flow

Options

Web App to

Web API:

OAuth 2.0

client credentials

1. Signed in, using the web app…

2. Request token (Client ID, Credential, App ID URI)

3. Return access token

4. Call web API with Access Token in AuthZ Header

*The application’s

credential can be a

password, or it can be

an assertion (a JWT

token) signed with

private key.

NativeApp SP

• Client ID

• Credential

WebAPI SP

• App ID URI

Authorize Endpoint Token Endpoint

Katana

ADAL

Katana

Web App to

Web API:

Delegation with

OpenID Connect

1. Navigate to site

2. Redirect to sign in and request auth code (Client ID, Redirect URI)

3. Sign in

4. Return ID Token and

Auth Code to Redirect URI

6. Set session

Authorize Endpoint Token Endpoint

Might require

user consent

NativeApp SP

• Client ID

• Credential

WebAPI SP

• App ID URI

Katana

ADAL

Katana

Web App to

Web API:

Delegation with

OpenID Connect

WIF OWIN

7. Request access token

8. Return access token, refresh token

9. Call web API with Access Token in AuthZ Header

Authorize Endpoint Token Endpoint

ADALKatana

ADAL

Katana

NativeApp SP

• Client ID

• Credential

WebAPI SP

• App ID URI

AD traditionally geared towards corporate identities

ADFS & AAD are protocol / infrastructure

extensions

What about customer identities & applications?

Where to store identities?

What about social logins?

B2B vs B2C

B2B & B2C Hybrid Architecture

ADFS

Customer Accounts

AAD

Thinktecture

IdentityServer

https://github.com/thinktecture/Thinktecture.IdentityServer.v3

ADFS (2012R2) Azure AD IdentityServer v3

Type Domain joined SaaS Standalone

WS-Federation yes yes yes

WS-Trust yes no no

OAuth2

Code Flow yes yes yes

Resource

Owner Flow

no yes yes

Implicit Flow no yes yes

Client

Credentials

Flow

no yes yes

Social Logins no no yes

OpenID Connect no yes yes

Saml2p yes yes no

Price Model Part of Windows

Server

Freemium Free (OSS)

http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx

Feature Matrix (non exhaustive)

© 2014 Microsoft Corporation. All rights reserved. Because

Microsoft must respond to changing market conditions, it should

not be interpreted to be a commitment on the part of Microsoft,

and Microsoft cannot guarantee the accuracy of any information

provided after the date of this presentation. MICROSOFT MAKES

NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE

INFORMATION IN THIS PRESENTATION.

Vielen Dank