SlideShare une entreprise Scribd logo

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"

Andreas Falk
Andreas Falk

Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures. The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC). In this talk, you will get a concise introduction into OAuth 2.0 and OIDC. We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group. So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.

Technologie
1  sur  35
Télécharger pour lire hors ligne
1 Basics of OAuth 2.0 and OpenID Connect Andreas Falk / Novatec Consulting
Our #AppSec Offerings: ▪ OAuth 2.0 & OpenID Connect Trainings and Consulting ▪ Security for Developers Trainings https://www.novatec-gmbh.de/en/consulting/agile-security About Me 2 Andreas Falk Novatec Consulting (Germany) andreas.falk@novatec-gmbh.de @andifalk
RFC 6749: OAuth 2.0 Authorization Framework RFC 6750: OAuth 2.0 Bearer Token Usage 3 Introduction to OAuth 2.0
Do you like it implementing your own Authentication? 4 Password Policies MFA Secure Password Storage Different Clients Brute Force Prevention Reset Password Process
Using Multiple Services before OAuth 2.0 5 Client Resource Owner (i.e. the user) Resource Server 1.Resource owner authenticates to the client 2.Client requests the protected resource Credentials Credentials
“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf ” RFC 6749: OAuth 2.0 6
OAuth 2.0 Roles 7 Client Resource Owner Authorization Server Access Token Resource Server
Basic OAuth 2.0 Protocol Flow 8 Client Resource Owner Authorization Server Access Token Resource Server 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token 4.Client requests the protected resource
Protocol Flow (1): Resource owner authorizes client 9 Resource Owner Authorization Server 1.Resource owner authorizes the client
Protocol Flow (2): Client receives authorization grant 10 Client Resource Owner Authorization Server 1.Resource owner authorizes the client 2.Client receives authorization grant Authorization grant: ▪ Credential representing the resource owner's authorization ▪ Exchange for access token
Protocol Flow (3): Client exchanges grant for access token 11 Client Resource Owner Authorization Server Access Token 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token HTTP/1.1 200 OK Content-Type: application/json { "access_token": "2YotnFZFEjr1zC", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Q" }
Protocol Flow: Client requests the protected resource 12 Client Access Token Resource Server 4.Client requests the protected resource GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer 2YotnFZFEjr1zC
OAuth 2.0 Protocol Endpoints 13 Client Resource Owner Resource Server Authorization ServerToken Endpoint Authorization Endpoint Token Introspection Endpoint Resource Owner Client Authorization Retrieve Authorization Grant Exchange Authorization Grant into Access Token Validate Access Token
Authorization Grant Types 14
2007 OAuth 1.0 Protocol 2010 RFC 5849: The OAuth 1.0a Protocol 2012 RFC 6749: The OAuth 2.0 Authorization Framework 2013 RFC 6819: OAuth 2.0 Threat Model 2015 RFC 7519: JSON Web Token (JWT) 2015 RFC 7636: Proof Key for Code Exchange (PKCE) 2019-2020 OAuth 2.0 Security Best Current Practice OAuth History 15 2020,... OAuth 2.1 TxAuth
▪ Authorization Code grant is extended with PKCE ▪ Implicit grant is omitted from the spec ▪ RO Password Credentials grant is omitted from the spec ▪ Redirect URIs must be compared by exact string matching ▪ Refresh tokens must be sender-constrained or one-time use ▪ Bearer token must not be sent in the query string of URIs The OAuth 2.1 Authorization Framework 16 https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1/
“OAuth 2.1” Authorization Grant Types 17 Resource Owner Client Type Authorization Grant Refresh Token Web Client (Confidential) Authorization Code + PKCE Mobile Client (Public) Authorization Code + PKCE SPA Client (Public) Authorization Code + PKCE Resource Owner Client (Confidential) Client Credentials https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1
▪ RFC 7636: PKCE = Proof Key for Code Exchange (“pixy”) ▪ Mitigates authorization code interception attack ▪ Public clients cannot keep static secrets (“client_secret”) ▪ PKCE adds dynamic secret instead: − Cryptographically random key: The “Code Verifier” − Hashed code verifier (SHA-256): The “Code Challenge” Authorization Code + PKCE Grant Type 18 https://tools.ietf.org/html/rfc7636
OpenID Connect Foundation 19 OpenID Connect 1.0
OAuth 2.0 is NOT an Authentication Protocol! 20 OAuth 2.0 is not an authentication protocol
OAuth 2.0 vs. OpenID Connect 1.0 21 Hotel Valet Parking Identification Permission / Delegation OpenID Connect 1.0 OAuth 2.0
OpenID Connect 1.0 Standards Layer 22 JSON Web Algorithms (JWA) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) JSON Web Token (JWT) Javascript Object Signing and Encryption (JOSE) OAuth 2.0 Authorization Framework (RFC 6749) OpenID Connect 1.0
▪ Based on OAuth 2.0 ▪ Additions: − ID Token (JWT format is Mandatory) − User Info Endpoint (Mandatory) − Hybrid Grant Flow (Mandatory) − OpenID Provider Configuration Information (Discovery, Optional) https://openid.net/specs/openid-connect-core-1_0.html https://openid.net/specs/openid-connect-registration-1_0.html https://openid.net/specs/openid-connect-discovery-1_0.html OpenID Connect 1.0 (OIDC) 23
{ "alg": "RS256", "typ": "JWT", "kid": "lp_FcMZ8D7U6EEUCiZyWAF21NcwjX_ddwJ5a3eCPMwQ" } JSON Web Token (JWT) - Decoded Form 24 { "exp": 1571745342, "iat": 1571745042, "iss": "http://localhost:8080/auth/realms/workshop", "aud": ["library-service","account"], "sub": "08d3bcaa-5ffd-4b8d-909e-bb567881384b" } HEADER PAYLOAD
OpenID Connect 1.0: Access Token Types 25 JWT Token (Self-contained) Opaque Token (Reference) Offline-Validation (Signature/Expiration) Validation call to introspection-endpoint Contains all required information Additional call to get required information Protocol agnostic Bound to Http Cannot be revoked May be revoked Mandatory for Id Tokens Must not be used for Id Tokens May be used for Access Tokens May be used for Access Tokens
▪ Use OpenID Connect for Authentication ▪ Authorization Grant Types − With End User: Use Authorization Code + PKCE − Without End User: Use Client Credentials ▪ Do NOT use Implicit or Resource Owner Password Grants ▪ ID Token must be JWT, Access Token may be JWT ▪ Always validate Tokens and keep Lifetime short OAuth 2.0 and OpenID Connect: Summary 26
Thank You very much! Questions? 27
Novatec Consulting GmbH Dieselstraße 18/1 D-70771 Leinfelden-Echterdingen T. +49 711 22040-700 info@novatec-gmbh.de www.novatec-gmbh.de 28 Managing Consultant Andreas Falk Mobil: +49 151 46146778 E-Mail: andreas.falk@novatec-gmbh.de
OpenID Connect Implementations 29
▪ RedHat/JBoss Keycloak (https://www.keycloak.org) ▪ Auth0 (https://auth0.com) ▪ Okta (https://www.okta.com) ▪ ForgeRock (https://www.forgerock.com/platform/identity-management) ▪ CloudFoundry UAA (https://github.com/cloudfoundry/uaa) ▪ PingFederate (https://www.pingidentity.com/en/platform/single-sign-on/sso-overview.html) ▪ Azure Active Directory (https://azure.microsoft.com/en-us/services/active-directory) ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Identity Providers 30
▪ oidc-client (Javascript) https://github.com/IdentityModel/oidc-client-js ▪ angular-oauth2-oidc (Typescript) https://github.com/manfredsteyer/angular-oauth2-oidc ▪ angular-auth-oidc-client (Typescript) https://github.com/damienbod/angular-auth-oidc-client ▪ IdentityModel.OidcClient (C#/.Net) https://github.com/IdentityModel/IdentityModel.OidcClient ▪ Nimbus OAuth 2.0 SDK (Java) https://connect2id.com/products/nimbus-oauth-openid-connect-sdk ▪ OIDC RP library (Python) https://github.com/openid/JWTConnect-Python-OidcRP ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Libraries 31
Books and Online References 32
▪ Justin Richer et.al: OAuth2 in Action (Manning, 2017, ISBN 978-1617293276) ▪ Michael Schwartz et.al: Securing the Perimeter (Apress, 2018, ISBN 978-1484226001) ▪ RFC 6749: The OAuth 2.0 Authorization Framework ▪ RFC 6750: OAuth 2.0 Bearer Token Usage ▪ RFC 6819: OAuth 2.0 Threat Model and Security Considerations ▪ RFC 7636: Proof Key for Code Exchange ("Pixy") ▪ OpenID Connect Core 1.0 Specification ▪ OpenID Connect Dynamic Client Registration 1.0 ▪ OpenID Connect Discovery 1.0 ▪ RFC 7519: JSON Web Token (JWT) ▪ JSON Web Token Best Current Practices Books and Online References (1) 33
▪ Why you should stop using the OAuth implicit grant ▪ OAuth 2.0 Security Best Current Practice ▪ OAuth 2.0 for Browser-Based Apps ▪ OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens ▪ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens ▪ OAuth 2.0 Token Exchange Books and Online References (2) 34
▪ Resource Indicators for OAuth 2.0 ▪ Spring Security 5.2 Reference Documentation ▪ Microservices Security Patterns & Protocols with Spring Security (Devoxx Video) ▪ Microservices Security Patterns & Protocols (SpringOne Platform 2019 Video) ▪ How to secure your Spring apps with Keycloak by Thomas Darimont (Video) Books and Online References (3) 35

Recommandé

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
Bruno Henrique Rother
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
nasza-klasa
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
Hyperledger fabric
Hyperledger fabricHyperledger fabric
Hyperledger fabric
Celine George
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Scott Brady
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Vasiliy Suvorov
 

Recommandé

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
Bruno Henrique Rother
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
nasza-klasa
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
Hyperledger fabric
Hyperledger fabricHyperledger fabric
Hyperledger fabric
Celine George
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Scott Brady
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Vasiliy Suvorov
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
Michel Schudel
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
SecuRing
 
Applications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connectApplications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connect
Kavindu Dodanduwa
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Svetlin Nakov
 
introduction to jsrsasign
introduction to jsrsasignintroduction to jsrsasign
introduction to jsrsasign
Kenji Urushima
 
Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019
Michel Schudel
 
Blockchain Introduction
Blockchain IntroductionBlockchain Introduction
Blockchain Introduction
Nur Aini Rakhmawati Gunawan
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
Haniyama Wataru
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websites
shehab najjar
 
How to get rid of terraform plan diffs
How to get rid of terraform plan diffsHow to get rid of terraform plan diffs
How to get rid of terraform plan diffs
Yukiya Hayashi
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
Jennifer Estrada
 
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Scott Brady
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
Omer Meshar
 
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Scott Brady
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
Derrick Isaacson
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
Sagara Gunathunga
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 

Contenu connexe

Tendances

Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
Michel Schudel
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019
Michel Schudel
 
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Scott Brady
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 

Tendances (20)

Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
 
Applications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connectApplications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connect
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
introduction to jsrsasign
introduction to jsrsasignintroduction to jsrsasign
introduction to jsrsasign
 
Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019Cryptography 101 for Java Developers - JavaZone2019
Cryptography 101 for Java Developers - JavaZone2019
 
Blockchain Introduction
Blockchain IntroductionBlockchain Introduction
Blockchain Introduction
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websites
 
How to get rid of terraform plan diffs
How to get rid of terraform plan diffsHow to get rid of terraform plan diffs
How to get rid of terraform plan diffs
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
 
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 

Similaire à AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"

The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su
 

Similaire à AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect" (20)

iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuth
 
OpenID Connect primer
OpenID Connect primerOpenID Connect primer
OpenID Connect primer
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick HardtINTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 

Plus de Andreas Falk

Plus de Andreas Falk (6)

Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)
Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)
Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)
 
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...Manage distributed configuration and secrets with spring cloud and vault (Spr...
Manage distributed configuration and secrets with spring cloud and vault (Spr...
 
JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
JAX 2017 - Sicher in die Cloud mit Angular und Spring BootJAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
 
OWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring Boot
OWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring BootOWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring Boot
OWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring Boot
 
OWASP AppSecEu 2016 Rome - Building secure cloud native apps
OWASP AppSecEu 2016 Rome - Building secure cloud native appsOWASP AppSecEu 2016 Rome - Building secure cloud native apps
OWASP AppSecEu 2016 Rome - Building secure cloud native apps
 
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud DevelopmentCloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"

  • 1. 1 Basics of OAuth 2.0 and OpenID Connect Andreas Falk / Novatec Consulting
  • 2. Our #AppSec Offerings: ▪ OAuth 2.0 & OpenID Connect Trainings and Consulting ▪ Security for Developers Trainings https://www.novatec-gmbh.de/en/consulting/agile-security About Me 2 Andreas Falk Novatec Consulting (Germany) andreas.falk@novatec-gmbh.de @andifalk
  • 3. RFC 6749: OAuth 2.0 Authorization Framework RFC 6750: OAuth 2.0 Bearer Token Usage 3 Introduction to OAuth 2.0
  • 4. Do you like it implementing your own Authentication? 4 Password Policies MFA Secure Password Storage Different Clients Brute Force Prevention Reset Password Process
  • 5. Using Multiple Services before OAuth 2.0 5 Client Resource Owner (i.e. the user) Resource Server 1.Resource owner authenticates to the client 2.Client requests the protected resource Credentials Credentials
  • 6. “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf ” RFC 6749: OAuth 2.0 6
  • 7. OAuth 2.0 Roles 7 Client Resource Owner Authorization Server Access Token Resource Server
  • 8. Basic OAuth 2.0 Protocol Flow 8 Client Resource Owner Authorization Server Access Token Resource Server 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token 4.Client requests the protected resource
  • 9. Protocol Flow (1): Resource owner authorizes client 9 Resource Owner Authorization Server 1.Resource owner authorizes the client
  • 10. Protocol Flow (2): Client receives authorization grant 10 Client Resource Owner Authorization Server 1.Resource owner authorizes the client 2.Client receives authorization grant Authorization grant: ▪ Credential representing the resource owner's authorization ▪ Exchange for access token
  • 11. Protocol Flow (3): Client exchanges grant for access token 11 Client Resource Owner Authorization Server Access Token 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token HTTP/1.1 200 OK Content-Type: application/json { "access_token": "2YotnFZFEjr1zC", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Q" }
  • 12. Protocol Flow: Client requests the protected resource 12 Client Access Token Resource Server 4.Client requests the protected resource GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer 2YotnFZFEjr1zC
  • 13. OAuth 2.0 Protocol Endpoints 13 Client Resource Owner Resource Server Authorization ServerToken Endpoint Authorization Endpoint Token Introspection Endpoint Resource Owner Client Authorization Retrieve Authorization Grant Exchange Authorization Grant into Access Token Validate Access Token
  • 15. 2007 OAuth 1.0 Protocol 2010 RFC 5849: The OAuth 1.0a Protocol 2012 RFC 6749: The OAuth 2.0 Authorization Framework 2013 RFC 6819: OAuth 2.0 Threat Model 2015 RFC 7519: JSON Web Token (JWT) 2015 RFC 7636: Proof Key for Code Exchange (PKCE) 2019-2020 OAuth 2.0 Security Best Current Practice OAuth History 15 2020,... OAuth 2.1 TxAuth
  • 16. ▪ Authorization Code grant is extended with PKCE ▪ Implicit grant is omitted from the spec ▪ RO Password Credentials grant is omitted from the spec ▪ Redirect URIs must be compared by exact string matching ▪ Refresh tokens must be sender-constrained or one-time use ▪ Bearer token must not be sent in the query string of URIs The OAuth 2.1 Authorization Framework 16 https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1/
  • 17. “OAuth 2.1” Authorization Grant Types 17 Resource Owner Client Type Authorization Grant Refresh Token Web Client (Confidential) Authorization Code + PKCE Mobile Client (Public) Authorization Code + PKCE SPA Client (Public) Authorization Code + PKCE Resource Owner Client (Confidential) Client Credentials https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1
  • 18. ▪ RFC 7636: PKCE = Proof Key for Code Exchange (“pixy”) ▪ Mitigates authorization code interception attack ▪ Public clients cannot keep static secrets (“client_secret”) ▪ PKCE adds dynamic secret instead: − Cryptographically random key: The “Code Verifier” − Hashed code verifier (SHA-256): The “Code Challenge” Authorization Code + PKCE Grant Type 18 https://tools.ietf.org/html/rfc7636
  • 20. OAuth 2.0 is NOT an Authentication Protocol! 20 OAuth 2.0 is not an authentication protocol
  • 21. OAuth 2.0 vs. OpenID Connect 1.0 21 Hotel Valet Parking Identification Permission / Delegation OpenID Connect 1.0 OAuth 2.0
  • 22. OpenID Connect 1.0 Standards Layer 22 JSON Web Algorithms (JWA) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) JSON Web Token (JWT) Javascript Object Signing and Encryption (JOSE) OAuth 2.0 Authorization Framework (RFC 6749) OpenID Connect 1.0
  • 23. ▪ Based on OAuth 2.0 ▪ Additions: − ID Token (JWT format is Mandatory) − User Info Endpoint (Mandatory) − Hybrid Grant Flow (Mandatory) − OpenID Provider Configuration Information (Discovery, Optional) https://openid.net/specs/openid-connect-core-1_0.html https://openid.net/specs/openid-connect-registration-1_0.html https://openid.net/specs/openid-connect-discovery-1_0.html OpenID Connect 1.0 (OIDC) 23
  • 24. { "alg": "RS256", "typ": "JWT", "kid": "lp_FcMZ8D7U6EEUCiZyWAF21NcwjX_ddwJ5a3eCPMwQ" } JSON Web Token (JWT) - Decoded Form 24 { "exp": 1571745342, "iat": 1571745042, "iss": "http://localhost:8080/auth/realms/workshop", "aud": ["library-service","account"], "sub": "08d3bcaa-5ffd-4b8d-909e-bb567881384b" } HEADER PAYLOAD
  • 25. OpenID Connect 1.0: Access Token Types 25 JWT Token (Self-contained) Opaque Token (Reference) Offline-Validation (Signature/Expiration) Validation call to introspection-endpoint Contains all required information Additional call to get required information Protocol agnostic Bound to Http Cannot be revoked May be revoked Mandatory for Id Tokens Must not be used for Id Tokens May be used for Access Tokens May be used for Access Tokens
  • 26. ▪ Use OpenID Connect for Authentication ▪ Authorization Grant Types − With End User: Use Authorization Code + PKCE − Without End User: Use Client Credentials ▪ Do NOT use Implicit or Resource Owner Password Grants ▪ ID Token must be JWT, Access Token may be JWT ▪ Always validate Tokens and keep Lifetime short OAuth 2.0 and OpenID Connect: Summary 26
  • 27. Thank You very much! Questions? 27
  • 28. Novatec Consulting GmbH Dieselstraße 18/1 D-70771 Leinfelden-Echterdingen T. +49 711 22040-700 info@novatec-gmbh.de www.novatec-gmbh.de 28 Managing Consultant Andreas Falk Mobil: +49 151 46146778 E-Mail: andreas.falk@novatec-gmbh.de
  • 30. ▪ RedHat/JBoss Keycloak (https://www.keycloak.org) ▪ Auth0 (https://auth0.com) ▪ Okta (https://www.okta.com) ▪ ForgeRock (https://www.forgerock.com/platform/identity-management) ▪ CloudFoundry UAA (https://github.com/cloudfoundry/uaa) ▪ PingFederate (https://www.pingidentity.com/en/platform/single-sign-on/sso-overview.html) ▪ Azure Active Directory (https://azure.microsoft.com/en-us/services/active-directory) ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Identity Providers 30
  • 31. ▪ oidc-client (Javascript) https://github.com/IdentityModel/oidc-client-js ▪ angular-oauth2-oidc (Typescript) https://github.com/manfredsteyer/angular-oauth2-oidc ▪ angular-auth-oidc-client (Typescript) https://github.com/damienbod/angular-auth-oidc-client ▪ IdentityModel.OidcClient (C#/.Net) https://github.com/IdentityModel/IdentityModel.OidcClient ▪ Nimbus OAuth 2.0 SDK (Java) https://connect2id.com/products/nimbus-oauth-openid-connect-sdk ▪ OIDC RP library (Python) https://github.com/openid/JWTConnect-Python-OidcRP ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Libraries 31
  • 32. Books and Online References 32
  • 33. ▪ Justin Richer et.al: OAuth2 in Action (Manning, 2017, ISBN 978-1617293276) ▪ Michael Schwartz et.al: Securing the Perimeter (Apress, 2018, ISBN 978-1484226001) ▪ RFC 6749: The OAuth 2.0 Authorization Framework ▪ RFC 6750: OAuth 2.0 Bearer Token Usage ▪ RFC 6819: OAuth 2.0 Threat Model and Security Considerations ▪ RFC 7636: Proof Key for Code Exchange ("Pixy") ▪ OpenID Connect Core 1.0 Specification ▪ OpenID Connect Dynamic Client Registration 1.0 ▪ OpenID Connect Discovery 1.0 ▪ RFC 7519: JSON Web Token (JWT) ▪ JSON Web Token Best Current Practices Books and Online References (1) 33
  • 34. ▪ Why you should stop using the OAuth implicit grant ▪ OAuth 2.0 Security Best Current Practice ▪ OAuth 2.0 for Browser-Based Apps ▪ OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens ▪ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens ▪ OAuth 2.0 Token Exchange Books and Online References (2) 34
  • 35. ▪ Resource Indicators for OAuth 2.0 ▪ Spring Security 5.2 Reference Documentation ▪ Microservices Security Patterns & Protocols with Spring Security (Devoxx Video) ▪ Microservices Security Patterns & Protocols (SpringOne Platform 2019 Video) ▪ How to secure your Spring apps with Keycloak by Thomas Darimont (Video) Books and Online References (3) 35