Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
4. Do you like it implementing your own Authentication?
4
Password
Policies
MFA
Secure Password
Storage
Different
Clients
Brute Force
Prevention
Reset
Password
Process
5. Using Multiple Services before OAuth 2.0
5
Client
Resource Owner
(i.e. the user)
Resource Server
1.Resource owner
authenticates to the client
2.Client requests the protected resource
Credentials
Credentials
6. “The OAuth 2.0 authorization framework enables a
third-party application to obtain limited access to
an HTTP service, either on behalf of a resource
owner by orchestrating an approval interaction between the
resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf
”
RFC 6749: OAuth 2.0
6
15. 2007
OAuth 1.0
Protocol
2010
RFC 5849: The
OAuth 1.0a
Protocol
2012
RFC 6749:
The OAuth 2.0
Authorization
Framework
2013
RFC 6819:
OAuth 2.0
Threat
Model
2015
RFC 7519:
JSON Web
Token
(JWT)
2015
RFC 7636:
Proof Key for
Code Exchange
(PKCE)
2019-2020
OAuth 2.0
Security Best
Current
Practice
OAuth History
15
2020,...
OAuth 2.1
TxAuth
16. ▪ Authorization Code grant is extended with PKCE
▪ Implicit grant is omitted from the spec
▪ RO Password Credentials grant is omitted from the spec
▪ Redirect URIs must be compared by exact string matching
▪ Refresh tokens must be sender-constrained or one-time use
▪ Bearer token must not be sent in the query string of URIs
The OAuth 2.1 Authorization Framework
16
https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1/
17. “OAuth 2.1” Authorization Grant Types
17
Resource
Owner
Client Type Authorization Grant Refresh
Token
Web Client (Confidential) Authorization Code + PKCE
Mobile Client (Public) Authorization Code + PKCE
SPA Client (Public) Authorization Code + PKCE
Resource Owner Client
(Confidential)
Client Credentials
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics
https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1
18. ▪ RFC 7636: PKCE = Proof Key for Code Exchange (“pixy”)
▪ Mitigates authorization code interception attack
▪ Public clients cannot keep static secrets (“client_secret”)
▪ PKCE adds dynamic secret instead:
− Cryptographically random key: The “Code Verifier”
− Hashed code verifier (SHA-256): The “Code Challenge”
Authorization Code + PKCE Grant Type
18
https://tools.ietf.org/html/rfc7636
20. OAuth 2.0 is NOT an Authentication Protocol!
20
OAuth 2.0 is not an authentication protocol
21. OAuth 2.0 vs. OpenID Connect 1.0
21
Hotel
Valet
Parking
Identification
Permission /
Delegation
OpenID
Connect
1.0
OAuth
2.0
22. OpenID Connect 1.0 Standards Layer
22
JSON Web Algorithms (JWA)
JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK)
JSON Web Token (JWT)
Javascript Object Signing and Encryption (JOSE)
OAuth 2.0 Authorization Framework (RFC 6749)
OpenID Connect 1.0
23. ▪ Based on OAuth 2.0
▪ Additions:
− ID Token (JWT format is Mandatory)
− User Info Endpoint (Mandatory)
− Hybrid Grant Flow (Mandatory)
− OpenID Provider Configuration Information
(Discovery, Optional)
https://openid.net/specs/openid-connect-core-1_0.html
https://openid.net/specs/openid-connect-registration-1_0.html
https://openid.net/specs/openid-connect-discovery-1_0.html
OpenID Connect 1.0 (OIDC)
23
25. OpenID Connect 1.0: Access Token Types
25
JWT Token (Self-contained) Opaque Token (Reference)
Offline-Validation (Signature/Expiration) Validation call to introspection-endpoint
Contains all required information Additional call to get required information
Protocol agnostic Bound to Http
Cannot be revoked May be revoked
Mandatory for Id Tokens Must not be used for Id Tokens
May be used for Access Tokens May be used for Access Tokens
26. ▪ Use OpenID Connect for Authentication
▪ Authorization Grant Types
− With End User: Use Authorization Code + PKCE
− Without End User: Use Client Credentials
▪ Do NOT use Implicit or Resource Owner Password Grants
▪ ID Token must be JWT, Access Token may be JWT
▪ Always validate Tokens and keep Lifetime short
OAuth 2.0 and OpenID Connect: Summary
26
33. ▪ Justin Richer et.al: OAuth2 in Action (Manning, 2017, ISBN 978-1617293276)
▪ Michael Schwartz et.al: Securing the Perimeter (Apress, 2018, ISBN
978-1484226001)
▪ RFC 6749: The OAuth 2.0 Authorization Framework
▪ RFC 6750: OAuth 2.0 Bearer Token Usage
▪ RFC 6819: OAuth 2.0 Threat Model and Security Considerations
▪ RFC 7636: Proof Key for Code Exchange ("Pixy")
▪ OpenID Connect Core 1.0 Specification
▪ OpenID Connect Dynamic Client Registration 1.0
▪ OpenID Connect Discovery 1.0
▪ RFC 7519: JSON Web Token (JWT)
▪ JSON Web Token Best Current Practices
Books and Online References (1)
33
34. ▪ Why you should stop using the OAuth implicit grant
▪ OAuth 2.0 Security Best Current Practice
▪ OAuth 2.0 for Browser-Based Apps
▪ OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
▪ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
▪ OAuth 2.0 Token Exchange
Books and Online References (2)
34
35. ▪ Resource Indicators for OAuth 2.0
▪ Spring Security 5.2 Reference Documentation
▪ Microservices Security Patterns & Protocols with Spring Security (Devoxx Video)
▪ Microservices Security Patterns & Protocols (SpringOne Platform 2019 Video)
▪ How to secure your Spring apps with Keycloak by Thomas Darimont (Video)
Books and Online References (3)
35