Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013
2013 Open Stack Identity Summit - France
Access Management for Cloud and Mobile
[Diagram: Stateful Session vs Stateless Session. Labels: Single Sign On; Web Application; Fat Client Application; web gateway; SP; IDP; Authentication, Authorization, Attributes; Session Store (memory or persisted) with option to enable session failover/replication; Federation; Create, Leverage & Upgrade Session; Leverage Session; Session Lifecycle Management.]
The Good, The Bad and The Ugly
“You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”
On-Premise vs Cloud/Social/Mobile
On-premise: SOAP, XML
Cloud/Social/Mobile: REST, JSON; OAuth2, OpenID Connect, REST
REST Endpoints
[Diagram: OpenAM Core exposes HTTP(S)/JSON endpoints to Mobile, Social, Cloud, Enterprise and Things clients. Labels: AuthN, AuthZ, Session Validation, Identity Management, OAuth2, Realm Mgmt, OpenID Connect, Logging.]
[Diagram: Web App, Native App, Native App, Web App and Login App talk to OpenAM over REST, OAuth2 and OpenID Connect. OpenAM functions: Authentication, Authorization, Attribute Delivery, Federation, SSO, Token Persistence, Session Mgmt, OAuth2 Provider. Deployment contexts: Cloud, Enterprise.]
Mobile IAM for the Modern Web
Demo: 2 native apps on iPhone
OAuth2 Demo
• Obtains an OAuth2 refresh token and access token using the Authorization Code Grant and then stores them locally in the iPhone keyring
• Accesses user profile info with the access token
• Refreshes the access token when it expires using the refresh token
SSO Demo
• Retrieves the access token from the iPhone keyring
• Accesses user profile info with the access token
OAuth2
• Authorization protocol
• Grants access to third parties
• Parties do not share sensitive user information, i.e. no credentials are shared
• Used to grant limited access, for a limited time, to specific resources
• Developed by an IETF working group
Who is using OAuth2
OAuth2 Tokens
Access Token
• Used to access a protected resource
• Obtained through one of the grant flows
• Lifetime short (minutes, hours)
Refresh Token
• Used to obtain a new access token
• Obtained through one of the grant flows
• Lifetime long (days, weeks, months)
Possible flow
[Diagram: Client, Provider and Protected Resource, steps 1 to 7: retrieve refresh token, retrieve access token, leverage the access token against the protected resource.]
Resource Owner Password Flow
[Diagram: Client, Provider and Protected Resource, steps 1 to 4: the application provides userid/password credentials, retrieves an access token, and leverages the access token against the protected resource.]
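The two iPhone demo apps and the two flow diagrams above, replayed as an added example that is not ForgeRock's or OpenAM's code: a toy in-memory OAuth2 provider whose token endpoint handles the authorization code, resource owner password and refresh token grants, and a native-app client that keeps its tokens in a keyring (a dict standing in for the iPhone keyring) and refreshes when the access token expires. The token lifetimes, the client id, the sample user and the fake clock are assumptions made for the example.

```python
"""Toy OAuth2 provider and native-app client (added example, not OpenAM code).

Mirrors the slides' token lifecycle: short-lived access token, long-lived
refresh token, transparent refresh on expiry, and a keyring shared by two
apps for SSO. Lifetimes, client id and the sample user are assumed values.
"""
import secrets
import time

ACCESS_TTL = 60            # seconds; slide says "minutes, hours" (assumed short here)
REFRESH_TTL = 30 * 86400   # seconds; slide says "days, weeks, months"


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class ToyProvider:
    """In-memory authorization server plus a 'userinfo' protected resource."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}      # one-time authorization code -> (client_id, user)
        self.access = {}     # access token -> (user, scope, expiry)
        self.refresh = {}    # refresh token -> (client_id, user, scope, expiry)
        self.users = {"alice": "correct horse"}   # constructed sample credential

    def authorize(self, client_id, user):
        """Authorization endpoint after the owner consents: returns a one-time code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def _issue(self, client_id, user, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (user, scope, now + ACCESS_TTL)
        self.refresh[refresh] = (client_id, user, scope, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def token(self, grant_type, client_id, **p):
        """Token endpoint for the three grants the slides use."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)           # code is single use
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], p.get("scope", "profile"))
        if grant_type == "password":                              # resource owner password flow
            stored = self.users.get(p.get("username"))
            if stored is None or stored != p.get("password"):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, p["username"], p.get("scope", "profile"))
        if grant_type == "refresh_token":
            entry = self.refresh.pop(p.get("refresh_token"), None)  # rotated on every use
            if entry is None or entry[0] != client_id or entry[3] < self.clock():
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], entry[2])
        raise ValueError("unsupported_grant_type")

    def userinfo(self, access_token):
        """Protected resource: whoever presents a live access token gets the profile."""
        entry = self.access.get(access_token)
        if entry is None or entry[2] < self.clock():
            raise PermissionError("invalid_token")
        return {"sub": entry[0], "scope": entry[1]}


class ToyClient:
    """Native app: keeps tokens in a keyring (a dict here) and refreshes on expiry."""
    def __init__(self, provider, client_id, keyring):
        self.provider, self.client_id, self.keyring = provider, client_id, keyring

    def login_with_code(self, code):
        self.keyring.update(self.provider.token("authorization_code", self.client_id, code=code))

    def login_with_password(self, username, password):
        self.keyring.update(self.provider.token("password", self.client_id,
                                                username=username, password=password))

    def get_profile(self):
        try:
            return self.provider.userinfo(self.keyring["access_token"])
        except PermissionError:
            # access token expired: trade the refresh token for a new pair, then retry
            self.keyring.update(self.provider.token(
                "refresh_token", self.client_id, refresh_token=self.keyring["refresh_token"]))
            return self.provider.userinfo(self.keyring["access_token"])


def rejected(call):
    """True if the provider refuses the call (checks one-time codes and expiry)."""
    try:
        call()
        return False
    except PermissionError:
        return True


def demo():
    """Replays the two-app demo: login, expiry plus refresh, then SSO via the shared keyring."""
    clock, keyring = FakeClock(), {}                 # keyring stands in for the iPhone keyring
    idp = ToyProvider(clock)
    app1 = ToyClient(idp, "ios-demo-app", keyring)   # client id is an assumed value
    code = idp.authorize("ios-demo-app", "alice")
    app1.login_with_code(code)
    first_access = keyring["access_token"]
    profile = app1.get_profile()
    clock.advance(ACCESS_TTL + 1)                    # access token is now expired
    app1.get_profile()                               # transparently refreshed
    app2 = ToyClient(idp, "ios-demo-app", keyring)   # second app reads the same keyring
    return {"profile": profile,
            "code_reusable": not rejected(lambda: idp.token("authorization_code", "ios-demo-app", code=code)),
            "refreshed": keyring["access_token"] != first_access,
            "old_token_rejected": rejected(lambda: idp.userinfo(first_access)),
            "sso_user": app2.get_profile()["sub"]}
```

Running `demo()` returns a dict showing that the authorization code cannot be replayed, that the expired access token is refused while the refreshed one is accepted, and that the second app is signed in purely by reading the shared keyring. Note that `userinfo` accepts any live bearer token with no notion of who presents it, which is exactly the point the later slides make about OAuth2 tokens granting access to anybody who holds them; the refresh token is rotated on every use so a copied refresh token stops working as soon as the legitimate app refreshes.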
Supported grants
Use Case: Web Applications
§ Authorization Code Flow Grant
§ Implicit Flow Grant
Use Case: Mobile Applications
§ Resource Owner Password
Use Case: Application to Application
§ Client Credentials Flow
§ SAMLv2 Token Insertion
Use Case: Implicit Flow Grant
Cheat sheet: http://www.cheatography.com/kayalshri/cheat-sheets/oauth-end-points/
What is it not
• OpenID Connect is not OpenID
• OpenID is an old social protocol, without a mandatory contract between client and provider
• OpenID is insecure
What is OAuth2 again?
• OAuth2 is an AUTHORIZATION protocol
• An access/refresh token represents access to a resource for anybody who holds that token
• There is no system in place to restrict resource usage to a user identity
OpenID Connect
• OpenID Connect uses TWO access/refresh tokens
• One to authorize the resource (see OAuth2 above)
• One to authorize the user identity accessing that resource
• OpenID Connect maintains the relationship between the resource and the user
• The user can only access the resource with its access token provided the user access token is entitled to it
[Diagram: Protected Resource OAuth2 Access Token; User Identity OAuth2 Access Token.]
Coming from a different angle
OpenAM Authentication
• MSISDN
• HOTP (text messages via cell phone)
• OATH (3rd-party token generators)
Banking-grade authentication
Thomas Bostrøm Jørgensen - CEO, Encap