1 / 25

OAuth 2.0 and more other stuff

OAuth 2.0 and more other stuff. Geoffrey Simpson. Recap. In the beginning, One Input, One Output Time sharing operating systems Multi User Operating Systems Then the Internet happened Web APIs began in 2000 REST API introduced in 2000 SAML -> Single Sign On Solution (still used today)

ethelyn
Download Presentation

OAuth 2.0 and more other stuff

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OAuth 2.0 and more other stuff Geoffrey Simpson

  2. Recap • In the beginning, One Input, One Output • Time sharing operating systems • Multi User Operating Systems • Then the Internet happened • Web APIs began in 2000 • REST API introduced in 2000 • SAML -> Single Sign On Solution (still used today) • OpenID -> Single Sign On for everyone • OAuth Created -> Delegated Authorization

  3. Oauth 2.0 terminology • Resource owner • Client • Authorization Server • Resource Server • Authorization grant • Redirect URI • Access token

  4. OAuth Best Practices • https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11 • Clients MUST prevent CSRF and ensure that each authorization response is only accepted once. One-time use CSRF tokens carried in the "state" parameter, which are securely bound to the user agent, SHOULD be used for that purpose.

  5. OAuth v2.0 In more detail • OAuth v2.0 is a RESTful API • Let’s look at each step in the Authentication Code process • Time to do it yourself! • https://oauth.com/playground

  6. Discussion time • If you are developing an application, what authentication and authorization would you use? • Web App? • Mobile App? • Social Media? • If not Facebook, what?

  7. Live Demo! Create Facebook application Create C# Asp.Net MVC Application Set up Facebook credentials in Application Get Authorization via Facebook OAuth

  8. Next up, Identity!!!!

  9. No Authentication in OAuth v2.0 • But we really want it! (Said Facebook, and others) • Pseudo-Authentication with OAuth 2.0: • A client accesses a /me endpoint with an access token • If a client has access to the resource, then a user profile is returned

  10. Introducing OpenID Connect • OpenID Connect (OIDC) is an authentication protocol, based on the OAuth 2.0 family of specifications. It uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. • Facebook Connect, and SAML 2.0 were combined to create OpenID Connect. OpenID Connect (OIDC) extends OAuth 2.0 with a new signed id_token for the client and a UserInfo endpoint to fetch user attributes. Unlike SAML, OIDC provides a standard set of scopes and claims for identities. Examples include: profile, email, address, and phone. • While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication. Its purpose is to give you one login for multiple sites. Each time you need to log in to a website using OIDC, you are redirected to your OpenID site where you login, and then taken back to the website. • For example, if you chose to sign in using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize the app to access your information, Google will send back information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token.

  11. More Introduction • OIDC was created to be internet scalable by making things completely dynamic. There’s no longer downloading metadata and federation like SAML requires. There’s built-in registration, discovery, and metadata for dynamic federations. You can type in your email address, then it dynamically discovers your OIDC provider, dynamically downloads the metadata, dynamically know what certs it’s going to use, and allows BYOI (Bring Your Own Identity). It supports high assurance levels and key SAML use cases for enterprises. • OIDC was made famous by Google and Microsoft, both big early adopters

  12. OIDC Initial Request

  13. OIDC Authorization Grant Request

  14. OIDC Authorization Grant Response

  15. OpenID Connect Flow

  16. OpenID Connect and JSON Web Token (JWT) • When a user successfully logs in using their credentials, an ID Token is returned. • According to the OpenID specs, an ID Token is always a JWT (pronounced “jot”) • Once logged in, an application may request to access routes, services, or resources on behalf of that user. To do this, it uses an Access Token, which *may* be in the form of a JWT. • Each subsequent request includes the JWT. • Single Sign On widely uses JWT nowadays because of JWT’s small overhead and cross-platform support.

  17. ID Token • The ID Token is a JSON Web Token (JWT) that contains identity data. It is consumed by the application and used to get user information like the user's name, email, and so forth, typically used for UI display. ID Tokens conforms to an industry standard (IETF RFC 7519) and contain three parts: a header, a body and a signature. • Why JWT? • Self contained. • Light weight (especially compared to the XML used in SAML)

  18. JWT Sample • https://jwt.io/

  19. OAuth is not the only solution • Inside (and outside) of corporate networks, different solutions are used • Kerberos (Authentication and Authorization) • Lightweight Directory Access Protocol (LDAP) • Active Directory (AD)

  20. Kerberos • Computer Network Authentication Protocol • Developed at MIT • Published version 4 in the late 1980s • Version 5: RFT 1510 • Version 5 was made obsolete by RFS 4120 in 2005 • US banned its export because it used Data Encryption Standard (DES) (with 56-bit keys). Non-US Kerberos 4 implementation developed at Royal Institute of Sweden made it available outside of the US before the US changed it cryptography export regulations (around 2000) • Windows 2000 and later use Kerberos as its default authentication method • In 2005, IETF updated specs: • Encryptions and Checksum specification (RFC 3961) • AES Encryption for Kerberos 5 (RFS 3962) • New Kerberos v5 specification • New edition of the Generic Security Services Application Program Interface (GSS-API)

  21. Unix and Kerberos • Many Unix implementations include software for Kerberos authentication • FreeBSD • Mac OS X • Red Hat Enterprise Linux • Oracle Solaris • IBM AIX • HP HP-UX • OpenVMS

  22. LDAP • Lightweight Directory Access Protocol • Created at the University of Michigan • Works like a Phonebook • Subset of X.500 (Standard for directory services in a network) • Organized as a simple “tree” hierarchy • Can you authenticate with LDAP? • Many different implementations • OpenLDAP • Microsoft Active Directory (Microsoft platform….duh) • Contacts (LDAP Aware address book built into MacOS) • OpenDJ (Cross-platform)

  23. Active Directory • Directory Service by Microsoft • A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network. • Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

  24. More Discussion • What do you think is the future of OpenID Connect, Facebook Connect, etc? • Is there still room for an independent ID Provider? • Will we eventually have just one ID provider, and use it for personal and professional access?

More Related