Modern Applications need Modern Security
OpenID Connect & OAuth 2.0
Tuesday, January 29, 2018
12 - 1 PM EST
http://eum.co
Peter Carson
• President, Extranet User Manager
• SharePoint MVP
• Partner Seller, Microsoft Canada
• http://blog.petercarson.ca
• www.extranetusermanager.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
Brock Allen
• http://brockallen.com
• Twitter @BrockLAllen
In the Beginning…
Web Applications
...then came Federation
Web Applications: SAML, WS-Federation
WS-Trust/Security
Then this happened…
No SOAP, No SAML, No WS*, No Windows, No Enterprise
HTTP, JSON
Modern Applications
(Diagram: a Browser, a Native App, a Server App and a "Thing" talk to a Web App and to several Web APIs; all of them rely on a Security Token Service.)
Security Protocols (I)
(Diagram: the Modern Applications picture, with the user sign-in links labelled WS-Fed, SAML 2.0, OpenID Connect*.)
Security Protocols (II)
(Diagram: the same picture, with the user sign-in links labelled WS-Fed, SAML 2.0, OpenID Connect* and every link to a Web API labelled OAuth 2.0.)
What's wrong with SAML (& WS-Federation)
Craig Burton (#CIS2012):
“SAML is the Windows XP of Identity.”
“No funding. No innovation. People still use it. But it has no future.”
“SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.”
What’s wrong with OAuth 2.0
http://openid.net/connect/
Libraries & Implementations
IdentityServer
OpenID Connect in a Nutshell
(Diagram: Browser, Native App and Web App use OpenID Connect to authenticate users and to request access tokens for Web APIs.)
Endpoints
• Authorize Endpoint
• Token Endpoint
Flows
• Implicit/Hybrid/Code Flow
– interactive applications
– user authentication
• Client Credentials Flow
– server to server communication
– headless devices / IoT
Implicit Flow – Web Applications
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email
Authentication
Consent
Response
POST /callback
<form>
  <input type="hidden" name="id_token" value="xjsj…aas" />
</form>
Identity Token
Header
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}
Claims
{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "nonce": "d89ui3jk33",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": [ "password" ],
  "auth_time": 1340819300
}
Serialized as Header.Claims.Signature (truncated):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
Note that the first segment of this sample string decodes to {"alg":"none"}; a relying party must reject such a token rather than skip the signature check.
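The implicit flow above in working code, as an added example that is not part of the original deck: the relying party generates the nonce, builds the GET /authorize request, receives the form_post response at /callback and validates the identity token (algorithm pinned, signature, iss, aud, exp, nonce). To run offline the demo signs with HS256 and a shared key, which is an assumption; a real provider signs with RS256 and the relying party fetches the key named by "kid" from the jwks_uri in the discovery document. The issuer, client id, redirect URI and claim values are taken from the slides; everything else is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Values from the slides.
ISSUER = "https://idsrv3"
CLIENT_ID = "app1"
REDIRECT_URI = "https://app.com/cb"

# Assumption for an offline demo: HS256 with a shared key instead of RS256 with
# the provider's published key. Everything else in the validation is the same.
DEMO_KEY = b"demo-shared-key-not-for-production"
EXPECTED_ALG = "HS256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_nonce() -> str:
    # Generated per login attempt and kept in the relying party's session.
    return b64url(secrets.token_bytes(16))


def build_authorize_request(nonce: str) -> str:
    """The GET /authorize request shown on the implicit flow slide."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "id_token",
        "response_mode": "form_post",
        "nonce": nonce,
        "scope": "openid email",
    }
    return "/authorize?" + urlencode(params)


def sign_id_token(claims: dict, kid: str = "demo-kid") -> str:
    """Provider side of the demo: serialise header.claims.signature."""
    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"typ": "JWT", "alg": EXPECTED_ALG, "kid": kid}
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Relying party checks: alg pinned, signature, iss, aud, exp, nonce."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: a token announcing "none" or any other alg is rejected
    # before its signature is even looked at.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(DEMO_KEY, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the login attempt that requested it, so a
    # token replayed from another session fails here.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(form_body: str, expected_nonce: str, now=None) -> dict:
    """POST /callback: the form_post response carries id_token as a form field."""
    fields = parse_qs(form_body)
    token = fields.get("id_token", [None])[0]
    if token is None:
        raise ValueError("no id_token in response")
    return validate_id_token(token, expected_nonce, now)
```

The order of the checks matters: the algorithm is compared against the one the relying party expects before any signature work, the signature is verified before the claims are parsed, and the nonce comparison uses a constant-time compare like the signature does.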
Discovery
Accessing APIs
(Diagram: an API is called either with a token carrying only the client identity or with a token carrying the user identity.)
Calling an API using Client Identity
POST /token
  grant_type=client_credentials
  &scope=api1
  &client_id=client
  &client_secret=secret
→ <token>
Authorization: Bearer <token>
Web Applications
• OpenID Connect Hybrid Flow combines
– user authentication (identity token)
– access to APIs (access token)
• Additional Security Features
– access tokens not exposed to the browser
– (optional) long-lived API access
Hybrid Flow Request
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=code id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email api1 api2
Hybrid Flow Response
POST /cb
<form>
  <input type="hidden" name="id_token" value="xjsj…aas" />
  <input type="hidden" name="code" value="i8j1…jj19" />
</form>
Retrieving the Access Token
• Exchange code for access token
– using client id and secret
POST /token (authenticated as client_id:client_secret)
  code=i8j1…jj19
→ {
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Client-side Applications
• OpenID Connect Code Flow
– Better suited for public clients
– Still obtain id token and access token
• Proof Key for Code Exchange (PKCE)
– Acts as dynamic client secret
– Protects against authorization code interception
Requesting tokens from JavaScript
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb.html
  &response_type=code
  &nonce=j1y…a23
  &scope=openid email api1 api2
  &code_challenge=x929..1921
Authorize Response
GET /callback.html?code=238…823j
Token Endpoint Exchange
• Ajax used to exchange code for tokens
– using client id and code verifier
POST /token
  client_id, code, code verifier
→ {
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Native Applications
GET /authorize
  ?client_id=native.app
  &scope=openid email api1 api2 offline_access
  &redirect_uri=com.mycompany://native.app/cb
  &response_type=code
  &code_challenge=x929..1921
Response
GET com.mycompany://native.app/cb?code=8128…1299
Token Endpoint Exchange
POST /token
  client_id, code, code verifier
→ {
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "refresh_token": "dxy…103",
  "expires_in": 3600,
  "token_type": "Bearer"
}
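The code exchanges of the last three sections (the hybrid flow's code-for-token exchange with client id and secret, and the PKCE exchanges of the JavaScript and native app slides) in one runnable model, as an added example that is not code from the deck or from IdentityServer. The client side generates the code_verifier and S256 code_challenge per RFC 7636, builds the authorize request and parses the custom-scheme callback; the provider side is an in-memory stand-in (an assumption) that issues single-use codes, demands a client secret from confidential clients and a matching verifier from public clients, and returns a refresh_token only when offline_access was requested. The slides omit code_challenge_method; the example sends S256 explicitly, which is the method to use. Client ids, redirect URIs and scopes are from the slides; the secret "secret" is the placeholder the client-credentials slide uses.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of [A-Za-z0-9-_]
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_request(client_id, redirect_uri, scope, challenge, nonce):
    """GET /authorize as on the JavaScript and native app slides."""
    return "/authorize?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": scope, "nonce": nonce, "code_challenge": challenge,
        "code_challenge_method": "S256",  # assumption: not shown on the slides
    })


def parse_callback(uri, expected_redirect_uri):
    """Pull the code out of e.g. com.mycompany://native.app/cb?code=... ."""
    parts = urlsplit(uri)
    if parts._replace(query="", fragment="").geturl() != expected_redirect_uri:
        raise ValueError("response arrived at an unexpected redirect_uri")
    code = parse_qs(parts.query).get("code", [None])[0]
    if not code:
        raise ValueError("no code in authorize response")
    return code


class DemoTokenEndpoint:
    """In-memory stand-in for the provider (assumption; not a real server)."""

    def __init__(self):
        # Confidential clients hold a secret; public clients (JS, native) do not.
        self.clients = {
            "app1": {"secret": "secret", "redirect_uri": "https://app.com/cb"},
            "native.app": {"secret": None, "redirect_uri": "com.mycompany://native.app/cb"},
        }
        self.codes = {}

    def issue_code(self, client_id, redirect_uri, scope, code_challenge=None, method=None):
        client = self.clients[client_id]
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("redirect_uri not registered for client")
        if client["secret"] is None and (code_challenge is None or method != "S256"):
            raise ValueError("public clients must use PKCE with S256")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "challenge": code_challenge}
        return code

    def exchange(self, client_id, code, redirect_uri, client_secret=None, code_verifier=None):
        record = self.codes.pop(code, None)  # single use: a replayed code fails
        if record is None:
            raise PermissionError("invalid or already used code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        client = self.clients[client_id]
        if client["secret"] is not None:
            # Hybrid/code flow on a server: the slides send client_id:client_secret.
            if not hmac.compare_digest((client_secret or "").encode(), client["secret"].encode()):
                raise PermissionError("bad client secret")
        else:
            # Public client: the verifier is the dynamic secret bound to this code.
            if not code_verifier:
                raise PermissionError("code_verifier required")
            computed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
            if not hmac.compare_digest(computed.encode(), record["challenge"].encode()):
                raise PermissionError("code_verifier does not match code_challenge")
        # A real endpoint also returns the id_token for scope "openid".
        response = {"access_token": b64url(secrets.token_bytes(32)),
                    "expires_in": 3600, "token_type": "Bearer"}
        if "offline_access" in record["scope"].split():
            response["refresh_token"] = b64url(secrets.token_bytes(32))
        return response


def native_app_login(provider):
    """The native app slides end to end, both sides in one process."""
    verifier, challenge = make_pkce_pair()
    redirect_uri = "com.mycompany://native.app/cb"
    scope = "openid email api1 api2 offline_access"
    request = build_authorize_request("native.app", redirect_uri, scope, challenge, "j1y-a23")
    q = parse_qs(request.split("?", 1)[1])  # provider parses the request, user logs in
    code = provider.issue_code(q["client_id"][0], q["redirect_uri"][0], q["scope"][0],
                               q["code_challenge"][0], q["code_challenge_method"][0])
    callback = redirect_uri + "?" + urlencode({"code": code})
    return provider.exchange("native.app", parse_callback(callback, redirect_uri),
                             redirect_uri, code_verifier=verifier)
```

The provider consumes the code on the first exchange attempt whether or not that attempt succeeds, so an attacker who intercepts the code on the custom-scheme redirect but does not hold the verifier gets one failed attempt and the legitimate client's later attempt fails as well, which is a detectable event rather than a silent token theft.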
Resources
• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel
Upcoming Events
• Valo Teamwork and Extranet User Manager: Feb 21, 2019, 12-1 PM EST (eum.co/events)
• May 21-23, 2019, Las Vegas (www.sharepointna.com)
• Developing Custom Connectors for the Microsoft Power Platform: Feb 28, 2019, 12-1 PM EST (eum.co/events)
Thank you!
Questions?
http://eum.co