Upload
spring-by-pivotal
View
749
Download
1
Embed Size (px)
Citation preview
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Demystifying Cloud IdentityBy
Sree Tummidi and Filip Hanik@fhanik @sreetummidi
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 3
Sree Tummidi
Product Manager
A decade of experience in Enterprise Security
Started out as Software Engineer
PM for CloudFoundry UAA & Pivotal Single Sign-On
@sreetummidi
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 4
Filip HanikSoftware Engineer
devops as a career
Cloud Foundry UAA project
@fhanik @pivotal
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 6
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 7
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OAuth 2
8
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
• One standard builtto rule them all
OAuth 2
9
• One standard builtto rule them all
• Very elaborate flowsaka “grant types”
• Grants Access Tokens
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Access Token
10
JWT
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Bearer Token
11
GET /my/data HTTP/1.1 Host: uaa.domain.com Authorization: bearer a2df43cf
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
• Header• Body• Footer
12
eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIyYzNkYzZmNTNlNTI0NmQzYWZhNDIwZDgyMTg5YTk2YyIsInN1YiI6IjlhYzJkNzA0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJjaWQiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJhenAiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6IjlhYzJkNzA0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsIm9yaWdpbiI6InVhYSIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4NDY3NjIsInJldl9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OTg0Njg3NiwiZXhwIjoxNDY5ODkwMDc2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsIm9hdXRoX3No
b3djYXNlX2F1dGhvcml6YXRpb25fY29kZSJdfQ.1AXtzNGdWXL77i7TqeZOYfMbP4CT8pMnqBihmvg8woY
.eyJqdGkiOiIyYzNkYzZmNTNlNTI0NmQzYWZhNDIwZDgyMTg5YTk2YyIsInN1YiI6IjlhYzJkNzA0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJjaWQiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJhenAiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6IjlhYzJkNzA0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsIm9yaWdpbiI6InVhYSIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4NDY3NjIsInJldl9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OTg0Njg3NiwiZXhwIjoxNDY5ODkwMDc2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsIm9hdXRoX3No
b3djYXNlX2F1dGhvcml6YXRpb25fY29kZSJdfQ.
Access Token
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
JSON Web Token - Body
13
{ "scope": [ “openid" ], "cid": "oauth_showcase_authorization_code", "user_name": “marissa", "iss": "http://localhost:8080/uaa/oauth/token" }
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 14
Access Token
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Meet the actors
15
AuthorizationServer
Resource Server
ApplicationResource Owner
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Applications can act on their own
16
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Client Credentials Grant Flow
17
AuthorizationServer
Resource Server
Authenticate with Client Credentials
Send Token
Access protected resource (with token)
17
Application
Send resourceAccess Control
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Client Credentials Grant Flow
18
18
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
curl http://localhost:8080/uaa/oauth/token \ -d "client_id=oauth_showcase_client_credentials" \ -d "client_secret=secret" \ -d "grant_type=client_credentials"
POST /uaa/oauth/token HTTP/1.1 Host: localhost:8080 Content-Length: 94 Content-Type: application/x-www-form-urlencoded client_id=oauth_showcase_client_credentials&client_secret=secret& grant_type=client_credentials
Get a Token - Client Credentials Grant
19
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Token Response
20
{ "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72", "expires_in": 43199, "jti": "7ea43dfbdfc8424cb689c69aa48b8a72", "scope": "clients.read clients.write uaa.admin clients.admin scim.write scim.read”, "token_type": "bearer" }
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: application/json;charset=UTF-8 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Date: Sat, 30 Jul 2016 21:35:06 GMT
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Approvals
21
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
• Before an access token is granted• What can the application do • When do I give permission to the application
• Explicit• Implied
22
Approvals
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Implied Approval - Password Grant
23
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 24
Password Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Password Grant
25
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Password Grant Flow
26
26
Resource Owner
Provide Username & Password
Username/Password with Client Credentials
Send Token
AuthorizationServer
Resource ServerApplication
Access protected resource
Send resource
AccessControl
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Password Grant Flow
27
27
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
curl http://localhost:8080/uaa/oauth/token \ -d "client_id=oauth_showcase_password_grant" \ -d "client_secret=secret" \ -d "grant_type=password" \ -d "username=marissa" \ -d "password=koala" POST /uaa/oauth/token HTTP/1.1 Host: localhost:8080 Content-Length: 112 Content-Type: application/x-www-form-urlencoded client_id=oauth_showcase_password_grant&client_secret=secret& grant_type=password&username=marissa&password=koala
Get a Token - Password Grant
28
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Token Response
29
{ "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72", "expires_in": 43199, "jti": "7ea43dfbdfc8424cb689c69aa48b8a72", "scope": "openid", "token_type": "bearer" }
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: application/json;charset=UTF-8 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Date: Sat, 30 Jul 2016 21:35:06 GMT
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 30
Scopes
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
• The name of permissions
• Client / Application scopes
• User scopes
• Token contains intersection
31
Scopes
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 32
ring.wear
Scopes
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 33
Scopes
ring.wear
ring.destroy
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Token Response
34
{ "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72",
"expires_in": 43199,
"scope": "ring.wear", }
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Explicit Approval - Authorization Code Grant
35
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Authorization Code Grant
36
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Authorization Code Grant
37
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 38
Authorization Code Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 39
Authorization Code Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 40
Authorization Code Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 41
Authorization Code Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Resource Server
Authorization Code Flow
42
42
Access Application
Give me Permission / Approval
Authenticate & Grant Authorization
Send Authorization Code
Exchange code with client credentials for token
Resource Owner
ApplicationAuthorization
Server
Send Token
Access protected resource
Send resource
Access
Control
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Authorization Code Grant Flow
43
43
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
HTTP/1.1 302 FOUND Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code& redirect_uri=http://localhost:8888/login& response_type=code&state=TQdkCk
HTTP/1.1 302 FOUND Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code& redirect_uri=http://localhost:8888/login& response_type=code&state=TQdkCk
HTTP/1.1 302 FOUND Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code& redirect_uri=http://localhost:8888/login& response_type=code&state=TQdkCk
HTTP/1.1 302 FOUND Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code& redirect_uri=http://localhost:8888/login& response_type=code&state=TQdkCk
HTTP/1.1 302 FOUND Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code& redirect_uri=http://localhost:8888/login& response_type=code&state=TQdkCk
GET /oidc HTTP/1.1 Host: localhost:8888
Authorization Code - What happened?
44
You’re reaching out to the applicationApplication checks if you are “logged in”
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
HTTP/1.1 302 FOUND Location: http://localhost:8888/login?code=a2c4e6
GET /oauth/authorize HTTP/1.1 Host: localhost:8080
Authorization Code - What happened?
45
Log in and approve the application
HTTP/1.1 302 FOUND Location: http://localhost:8888/login?code=a2c4e6HTTP/1.1 302 FOUND Location: http://localhost:8888/login?code=a2c4e6
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
curl http://localhost:8080/uaa/oauth/token \ -d “client_id=oauth_showcase_authorization_code” \ -d "client_secret=secret" \ -d "grant_type=authorization_code" \ -d "code=a2c4e6"
POST /uaa/oauth/token HTTP/1.1 Host: localhost:8080 Content-Length: 102 Content-Type: application/x-www-form-urlencoded client_id=oauth_showcase_authorization_code&client_secret=secret& grant_type=authorization_code&code=koala
Get a Token - Authorization Code Grant
46
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
curl http://localhost:8080/uaa/check_token \ -u "oauth_showcase_authorization_code:secret" \ -d "token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tl…."
POST /uaa/check_token HTTP/1.1 Host: localhost:8080 Content-Length: 1144 Authorization: Basic b2F1dGhfc2hvd2Nhc2VfYXV0aG9yaXphdGlvbl9jb2RlOnNlY== Content-Type: application/x-www-form-urlencoded token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tl
Resource Server - Authorize
47
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Authorization - Claims Returned
48
{ "scope": [ “openid" ], "cid": "oauth_showcase_authorization_code", "user_name": “marissa", "iss": “http://localhost:8080/uaa/oauth/token”, "iat": 1469998244, "exp": 1470041444 }
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Full Circle
49
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Implicit Grant
50
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 / 51
Implicit Grant
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OpenID Connect
53
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OpenID Connect 1.0
54
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OpenID Connect Flow - Simple
55
55
Load Application
Request Login
Authenticate
UserIdentity ProviderApplication
Send Authorization Code
Exchange code with client credentials for ID Token
Send ID Token
Request ID Token
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OpenID Connect Flow - Hybrid
56
56
Load Application
Request Login/Authorize
Authenticate & Grant Authorization
Request ID + Access Token
User Identity Provider RSApplication
Send Authorization Code
Exchange code with client credentials for ID + AT
Send ID + AT
Exchange AT for Protected Resource
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
OpenID Connect - ID Token
57
{ "sub" : "22a55160-01b7-4208-a9fe-b99cc5f1542e", "user_name" : "marissa", "iss" : "http://localhost:8080/uaa/oauth/token", "aud" : [ "c980ec9f-23c5-472f-8e15-7552d5802250" ], "scope" : [ "openid" ], "auth_time" : 1470109898, "exp" : 1470153098, "iat" : 1470109898, "email" : “[email protected]", “phone_number” : “xxx xxx xxxx” }
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Summary• Clients are applications
• Authorization servers grant tokens• to applications• on behalf of users
58
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Summary• Users approve token grants
• Implied consent - password• Explicit - authorization code/implicit
• Tokens can be • JWT or opaque• Validated offline or with the authorization server
59
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Summary• access_token is used for
• Accessing endpoints over HTTP• Carried in the Authorization header
• id_token is used for • Authenticate and identify a user• Access user information endpoint
60
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
• Can be opaque or JWT (JSON Web Token) • JWT offers offline validation• Opaque tokens solve token explosion
• Can be granted with or without sharing user credentials• Approvals can be implied or explicit• Expire or revoked
• Explicit revocation• Revocation due to changed password/secret
61
Access Token Summary
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
DEMO
62
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Use case Setup
63
Todo APIApplicationEnterprise User Store
Authenticate Access
Unless o therw ise ind ica ted , these s l ides are © 2013-2016 P ivo ta l So f tware , Inc . and l i censed under a Creat ive Commons At t r ibu t ion-NonCommerc ia l l i cense: h t tp : / / c rea t ivecommons.org / l i censes /by-nc /3 .0 /
Security Model
64
Access Application
List Todo Items
Add Todo Items
• All enterprise users can access the application
• Only Users in Group1 can list Items
• Only Users in Group 2 can add items