
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect


John Bradley, Ping Identity. Overview of the different participant roles in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign-On for native applications.


CONSOLIDATING AUTHENTICATION AND API AUTHORIZATION USING OPENID CONNECT

John Bradley

Copyright © 2014 Ping Identity Corp. All rights reserved. 2 Confidential — do not distribute

Typical SAML Deployment model

[Diagram labels: SAML Web SSO; SAML SOAP WS-*]

• Two flows
  – One using Web SSO for Authentication.
  – One call to an STS to exchange the authentication token for a security token.
  – Typically no user consent.
  – Not mobile friendly.

OpenID Connect Deployment model

[Diagram labels: OpenID Connect; OAuth 2]

• Single flow
  – One request returns both the Identity Assertion and the security token for access.
  – Opportunity for user consent for API and login in a single interface.
  – Mobile/REST friendly.

Connect Roles

• Authorization Server (IdP)
  – Authorization endpoint
  – Token endpoint
• Client (SP)
• Resource Server (API)

Authentication & Authorization request

• The basic OAuth Authorization request contains a list of scopes (resources) that the client is requesting access to.

• Connect adds a single scope to the request called “openid” that causes the Identity assertion to be returned.

Authorization Response

• The Authorization server response is standard OAuth.

• The Authorization server returns a single-use artifact called a code.

• This prevents PII leakage via the browser, and avoids the large redirect URIs that cause problems in some browsers.

Request for tokens

• The client uses its credentials to make a direct, authenticated request to the Authorization Server with the code it received from the Authorization server via the user's browser.

• This is a simple HTTP POST request.

• This request is standard OAuth.

Token Response

• Standard OAuth response containing
  – Refresh Token
  – Access Token
  – JWT id_token (Connect extension to OAuth)

Identity Assertion

• JWT contains
  – Audience
  – Issuer
  – Subject
  – Issued At
  – Expiry
  – Other optional claims like Authentication context.
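As an added example (not from the slides), an id_token minted and then validated on the claims listed above: issuer, audience, subject, issued-at and expiry. It assumes HS256 with a constructed shared secret so it runs offline; production IdPs generally sign with an asymmetric key (RS256) that the client fetches from the IdP, but the claim checks are the same.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(secret: bytes, iss: str, aud: str, sub: str, now: int, ttl: int = 600) -> str:
    """IdP side: sign the identity assertion carrying issuer, audience, subject, issued-at and expiry.
    Assumption: HS256 with a shared secret (constructed) instead of the IdP's RS256 key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, secret: bytes, expected_iss: str, client_id: str, now: int, skew: int = 60):
    """Client (SP) side: return the subject if the assertion is valid for this client, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed compact JWT
    if header.get("alg") != "HS256":
        return None  # pin the algorithm: never accept 'none' or whatever the token claims
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not verify
    if claims.get("iss") != expected_iss:
        return None  # issued by some other IdP
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None  # meant for another client: a token for app A must not log a user in to app B
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired
    if not isinstance(iat, int) or iat > now + skew:
        return None  # issued in the future beyond the allowed clock skew
    return claims.get("sub")
```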

Refresh Token

• Used to make additional requests for access tokens.
  – Allows access tokens to be short lived.
  – Allows the Authorization server to revoke API access by not granting new access tokens.
  – Revoked refresh tokens cause the client to attempt reauthorization by the Resource owner (user).

Access Token

• The token is added to REST calls to a Resource server's API.
  – The token can be a signed JWT.
  – The token can be opaque and introspected via a callback to the Authorization server.
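As an added example (not from the slides, and not Ping Identity code), an in-memory model of the Authorization Server side of the flow the preceding slides describe: the single-use code exchanged in a client-authenticated token request, refresh tokens that keep access tokens short-lived and can be revoked, and opaque access tokens that a Resource Server checks through the introspection callback. Client ids, secrets, scopes and time values are constructed, and the JWT id_token is left out of the model.

```python
import hmac, secrets
ACCESS_TTL = 300  # seconds; assumption: access tokens are short-lived, the refresh token outlives them

class AuthorizationServer:
    """Stand-in AS: authorization endpoint, token endpoint and introspection callback (state in memory)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> client_secret (constructed credentials)
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, scope, sub):
        # Authorization response: a single-use opaque code bound to the client and the consented scope
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope, "sub": sub}
        return code

    def token(self, client_id, client_secret, now, code=None, refresh_token=None):
        """Token endpoint: client-authenticated POST exchanging a code, or a refresh token, for tokens."""
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None  # client authentication failed
        if code is not None:
            grant = self.codes.pop(code, None)  # pop: the code is consumed on first use
            if grant is None or grant["client_id"] != client_id:
                return None  # unknown, replayed, or another client's code
            rt = secrets.token_urlsafe(32)
            self.refresh[rt] = {**grant, "revoked": False}
            return {"access_token": self._mint_access(grant, now), "refresh_token": rt}
        grant = self.refresh.get(refresh_token)
        if grant is None or grant["revoked"] or grant["client_id"] != client_id:
            return None  # no new access token: the client must send the user back to authorize
        return {"access_token": self._mint_access(grant, now)}

    def _mint_access(self, grant, now):
        at = secrets.token_urlsafe(32)
        self.access[at] = {"sub": grant["sub"], "scope": grant["scope"], "exp": now + ACCESS_TTL}
        return at

    def revoke_refresh(self, rt):
        self.refresh[rt]["revoked"] = True  # AS-side revocation of the client's API access

    def introspect(self, at, now):
        # Introspection callback a resource server makes for an opaque access token
        info = self.access.get(at)
        if info is None or info["exp"] <= now:
            return {"active": False}
        return {"active": True, **info}

def resource_server_allows(as_, at, required_scope, now):
    # Resource server side of a REST call: the token must be active and carry the required scope
    info = as_.introspect(at, now)
    return info["active"] and required_scope in info["scope"].split()
```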

Delta between OAuth 2 and Connect to add basic Authentication

• One additional scope requested: “openid”.

• One additional parameter returned: id_token.

Native Applications

• Many social native applications use the id_token from a login at Google to authenticate to their own API.

Using the id_token as an assertion

[Diagram: Native App, Authorization server, App API Server, AS Resource Server; flows labelled Request, Access and ID Tokens, Access Token, ID Token]

NAPPS

[Diagram: Token Agent, Authorization server, App API Server, AS Resource Server, Native App; flows labelled Authentication Request, Refresh Token, Access Token, ID Token, Request, Token Request, Access & ID Tokens]


QUESTIONS?

John Bradley @ve7jtb
