Token-based Authentication
IN SINGLE-PAGE AND MOBILE APPLICATIONS
SATURDAY, MARCH 28TH, 2015
Will Adams
Senior Software Engineer
Fiserv, Inc.
Agenda
• Overview of token-based authentication.
• Types of tokens.
• Anti-CSRF.
• Access.
• Refresh.
• Token formats.
• Standards and Guidelines.
• Demo.
• Resources.
Overview
• Token-based authentication is the process of verifying a user’s identity and then creating and returning a unique set of claims (i.e. key-value pairs) that describe the user.
• Token-based authentication allows you to outsource authentication from your application and instead consume a token based on a trusted relationship between your app and an identity provider.
Anti-CSRF “sync” Tokens
• Use if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket.
• Websites that use any persistent authentication mechanism such as Windows Authentication, Basic, etc. can also be subject to CSRF attacks and should use sync tokens.
• Sync tokens are randomly generated values included in every form/request and are based on the synchronizer token pattern. This pattern uses two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass the comparison check.
Anti-CSRF Tokens – cont’d
• In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and available via the IIdentity interface.
• Specify the unique claim in your app if you’re using something other than NameIdentifier. Add a line similar to the following in the Application_Start method in Global.asax.cs:
  AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
• OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET.
• ASP.NET MVC example (the hidden form field carrying the form half of the token pair):
  <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
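Server-side sketch of the synchronizer token pattern from these two slides, added here as an example in Python (not the ASP.NET implementation): the cookie half is random per session, the form half is a MAC binding that cookie to the user's unique claim (the role AntiForgeryConfig.UniqueClaimTypeIdentifier plays), and a POST passes only when both halves are present and match in constant time. The key, the function names and the sample users are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample key. ASP.NET derives this from the machine key / data
# protection provider; here it is a fixed byte string so the example runs offline.
SERVER_KEY = b"example-antiforgery-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _form_mac(cookie_raw: bytes, unique_claim: str) -> bytes:
    # The form half is a MAC over the cookie half plus the user's unique claim,
    # so a form token is only valid for this session cookie and this user.
    msg = cookie_raw + b"|" + unique_claim.encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_tokens(unique_claim: str, existing_cookie: Optional[str] = None) -> Tuple[str, str]:
    """Return (cookie_token, form_token) for the authenticated user.

    The cookie token is random and reused for the session; a fresh form token
    is minted for every rendered form and bound to that cookie and to the
    unique claim (the value ASP.NET selects via UniqueClaimTypeIdentifier).
    """
    cookie_raw = _unb64(existing_cookie) if existing_cookie else secrets.token_bytes(16)
    form_token = _b64(cookie_raw) + "." + _b64(_form_mac(cookie_raw, unique_claim))
    return _b64(cookie_raw), form_token


def validate_tokens(cookie_token: Optional[str], form_token: Optional[str],
                    unique_claim: str) -> bool:
    """Accept the POST only if both halves are present, the form token was
    issued against this cookie token, and it was issued for this user."""
    if not cookie_token or not form_token or "." not in form_token:
        return False
    form_cookie_part, form_mac_part = form_token.split(".", 1)
    try:
        cookie_raw = _unb64(cookie_token)
        presented_mac = _unb64(form_mac_part)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Both comparisons are constant-time.
    same_cookie = hmac.compare_digest(form_cookie_part.encode(), cookie_token.encode())
    same_user = hmac.compare_digest(presented_mac, _form_mac(cookie_raw, unique_claim))
    return same_cookie and same_user
```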
Access Tokens
• An access token is just an opaque string representing an authorization granted to a client application.
• Access tokens can be Bearer or Holder-of-Key tokens.
• Bearer tokens can be used as-is without requiring proof of ownership.
  • Used by passive, browser-based clients.
  • Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks.
  • Refer to OAuth spec: https://tools.ietf.org/html/rfc6750.
• Holder-of-Key tokens require supporting cryptographic material to prove token ownership.
  • Guarantees end-to-end message and key security since the token is signed and encrypted and the keys are shared out-of-band.
  • Refer to OAuth spec: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01.
Access Tokens – cont’d
• Format explained:
  access_token: string containing the token issued by the identity provider.
  token_type: the type of token issued.
  expires_in: the lifetime in seconds of the access token.
  scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user.
  state: optional parameter used for security checks. The value sent by the client is the same one returned in the response.
  refresh_token: optional parameter used to request a new access token.
• Example:
  {
    "access_token":"mF_9.B5f-4.1JqM",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
  }
Refresh Tokens
• An opaque string containing a unique identifier used to retrieve authorization information for a specific client.
• Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires.
• Refresh tokens are long-lived compared to access tokens, whose lifetime is much shorter.
• Refresh tokens should be revocable in case an access token is compromised.
Refresh Tokens – cont’d
• Example:
  {
    "token":"VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY",
    "userName":"FooBar",
    "refreshToken":"03715a432ead4dbc91a371eb26c24931",
    "useRefreshTokens":true
  }
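An added Python example (not from the deck) that ties the response format on the Access Tokens slide to the refresh decision on the Refresh Tokens slides: it parses the deck's own token response, rejects anything that is not a usable Bearer token, turns expires_in into an absolute deadline with a safety margin, and tells a single-page or mobile client whether to call the API, present the refresh token, or re-authenticate. The checks beyond the slide (token_type must be Bearer, expires_in required) and the 60-second skew are assumptions of this client.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Token response from the Access Tokens slide (the deck's own example).
SAMPLE_RESPONSE = '''{
  "access_token":"mF_9.B5f-4.1JqM",
  "token_type":"Bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}'''

# Safety margin (seconds) so the client refreshes before the server-side expiry.
SKEW_SECONDS = 60


@dataclass
class TokenSet:
    access_token: str
    token_type: str
    expires_at: float  # absolute time in epoch seconds
    refresh_token: Optional[str]
    scope: Optional[str]

    def is_usable(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now + SKEW_SECONDS < self.expires_at

    def authorization_header(self, now: Optional[float] = None) -> str:
        # Bearer tokens are sent as-is (RFC 6750); they must travel over TLS.
        if not self.is_usable(now):
            raise ValueError("access token expired; present the refresh token instead")
        return f"Bearer {self.access_token}"


def parse_token_response(body: str, issued_at: float,
                         expected_state: Optional[str] = None) -> TokenSet:
    """Validate the identity provider's JSON response and pin down its expiry."""
    data = json.loads(body)
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise ValueError(f"token response missing {field}")
    # This client only knows how to present Bearer tokens.
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {data['token_type']!r}")
    expires_in = data.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in must be a positive integer")
    # If the client sent a state value it must come back unchanged.
    if expected_state is not None and data.get("state") != expected_state:
        raise ValueError("state mismatch")
    return TokenSet(
        access_token=data["access_token"],
        token_type=data["token_type"],
        expires_at=issued_at + expires_in,
        refresh_token=data.get("refresh_token"),
        scope=data.get("scope"),
    )


def next_action(tokens: TokenSet, now: float) -> str:
    """What a SPA or mobile client should do before calling the API."""
    if tokens.is_usable(now):
        return "use_access_token"
    if tokens.refresh_token:
        return "present_refresh_token"
    return "reauthenticate"
```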
Token Formats
• SAML – Security Assertion Markup Language.
• JWT – JSON Web Token.
• SWT – Simple Web Token.

                              SAML                       SWT                  JWT
  Format                      XML                        HTML Form Encoding   JSON
  Designed For                SOAP                       REST                 REST
  Default WIF Implementation  Yes                        No                   No
  Protocols                   WS-Trust & WS-Federation   OAuth 2.0            OAuth 2.0
  Support for Signing         Yes                        Yes                  Yes
  Support for Encrypting      Yes                        No                   Yes
Standards and Guidelines
• OpenID Connect is the authentication spec built on top of OAuth 2.0. It covers the use and format of the JSON Web Token. Refer to: http://openid.net/specs/openid-connect-core-1_0.html.
• OWASP has good coverage of topics related to security and authentication:
  • https://www.owasp.org/index.php/Authentication_Cheat_Sheet.
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
• JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
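As an added example (not from the deck), the signing support the Token Formats table credits to JWT, in Python with only the standard library: an HS256-signed compact JWT is created from a set of claims and then verified by checking the algorithm the verifier is configured for, the signature, and the iss/aud/exp claims. The key, issuer and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed sample key. With HS256 the issuer and the API share it out-of-band;
# with RS256 the API would hold the issuer's public key instead.
HS256_KEY = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Build a compact-serialization JWT (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> Dict[str, Any]:
    """Verify the signature and the iss/aud/exp claims; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Accept only the algorithm this verifier is configured for; the token's
    # own header must not select the verification method.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims
```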
Demo
Resources
• Books:
  • Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c.
  • Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185.
• Blog Posts & Articles:
  • Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/.
  • WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.
Resources – cont’d
• PluralSight Courses:
  • Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture.
  • Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud.
  • AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals.
• Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.

More Related Content

What's hot

Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 

What's hot (20)

Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
SSL
SSLSSL
SSL
 
Encryption
EncryptionEncryption
Encryption
 
Authentication
AuthenticationAuthentication
Authentication
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxBroken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptx
 
Kerberos
KerberosKerberos
Kerberos
 
Digital Certificate
Digital CertificateDigital Certificate
Digital Certificate
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
Web Security
Web SecurityWeb Security
Web Security
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 

Viewers also liked

PIC Philosophy and Credentials Deck
PIC Philosophy and Credentials DeckPIC Philosophy and Credentials Deck
PIC Philosophy and Credentials DeckAndrew Lau
 
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlog
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlogReveelium, solution innovante pour analyser les cyber menaces @ITrustBlog
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlogITrust - Cybersecurity as a Service
 
13. colocacion bata esteril
13. colocacion bata esteril13. colocacion bata esteril
13. colocacion bata esterilcaedhmh
 
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produit
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produitPriceMinister Rakuten Campus 2013 : Comment l’image vend votre produit
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produitPriceMinister
 
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...PriceMinister
 
Flashtennis semanario 5 diciembre 2016
Flashtennis semanario 5 diciembre 2016Flashtennis semanario 5 diciembre 2016
Flashtennis semanario 5 diciembre 2016Edgar Gonzalez Allegre
 
Extended Context/Extended Media - Class 01
Extended Context/Extended Media - Class 01Extended Context/Extended Media - Class 01
Extended Context/Extended Media - Class 01Bryan Chung
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Introduction to Google Cloud Platform
Introduction to Google Cloud PlatformIntroduction to Google Cloud Platform
Introduction to Google Cloud PlatformSujai Prakasam
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Codemotion
 
Ali Murtadlo Life Style_Short_TShirt
Ali Murtadlo Life Style_Short_TShirtAli Murtadlo Life Style_Short_TShirt
Ali Murtadlo Life Style_Short_TShirtAli Murtadlo
 
15. toma de muestras orina de rutina
15. toma de muestras  orina de rutina15. toma de muestras  orina de rutina
15. toma de muestras orina de rutinacaedhmh
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3Paul Glavich
 
MVA Presentation 2
MVA Presentation 2MVA Presentation 2
MVA Presentation 2Bryan Chung
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Andrew Petukhov
 

Viewers also liked (20)

PIC Philosophy and Credentials Deck
PIC Philosophy and Credentials DeckPIC Philosophy and Credentials Deck
PIC Philosophy and Credentials Deck
 
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlog
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlogReveelium, solution innovante pour analyser les cyber menaces @ITrustBlog
Reveelium, solution innovante pour analyser les cyber menaces @ITrustBlog
 
13. colocacion bata esteril
13. colocacion bata esteril13. colocacion bata esteril
13. colocacion bata esteril
 
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produit
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produitPriceMinister Rakuten Campus 2013 : Comment l’image vend votre produit
PriceMinister Rakuten Campus 2013 : Comment l’image vend votre produit
 
4P Business
4P Business4P Business
4P Business
 
PC63 Remedial Drawing
PC63 Remedial DrawingPC63 Remedial Drawing
PC63 Remedial Drawing
 
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...
Rakuten Campus 2014 (PriceMinister) : optimisez vos frais de port pour attire...
 
Marketing function
Marketing function Marketing function
Marketing function
 
Flashtennis semanario 5 diciembre 2016
Flashtennis semanario 5 diciembre 2016Flashtennis semanario 5 diciembre 2016
Flashtennis semanario 5 diciembre 2016
 
Extended Context/Extended Media - Class 01
Extended Context/Extended Media - Class 01Extended Context/Extended Media - Class 01
Extended Context/Extended Media - Class 01
 
Linea del tiempo
Linea del tiempoLinea del tiempo
Linea del tiempo
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternatives
 
Introduction to Google Cloud Platform
Introduction to Google Cloud PlatformIntroduction to Google Cloud Platform
Introduction to Google Cloud Platform
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
 
Ali Murtadlo Life Style_Short_TShirt
Ali Murtadlo Life Style_Short_TShirtAli Murtadlo Life Style_Short_TShirt
Ali Murtadlo Life Style_Short_TShirt
 
15. toma de muestras orina de rutina
15. toma de muestras  orina de rutina15. toma de muestras  orina de rutina
15. toma de muestras orina de rutina
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3
 
MVA Presentation 2
MVA Presentation 2MVA Presentation 2
MVA Presentation 2
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
 

Similar to Token-based uthentication

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2robin_bene
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudOrkhan Gasimov
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Mark Adcock
 
Hackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platformHackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platformIhor Uzhvenko
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 

Similar to Token-based uthentication (20)

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Presentation
PresentationPresentation
Presentation
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Secure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and RESTSecure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and REST
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
otp crid cards
otp crid cardsotp crid cards
otp crid cards
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3
 
Hackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platformHackazon realistic e-commerce Hack platform
Hackazon realistic e-commerce Hack platform
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 

Recently uploaded

Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 

Recently uploaded (20)

Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 

Token-based uthentication

  • 1. Token-based Authentication IN SINGLE-PAGE AND MOBILE APPLICATIONS SATURDAY, MARCH 28TH, 2015 WillAdams Senior Software Engineer Fiserv, Inc.
  • 2. Agenda • Overview of token-based authentication. • Types of tokens. • Anti-CSRF. • Access. • Refresh. • Token formats. • Standards and Guidelines. • Demo. • Resources
  • 3. Overview • Token-based authentication is the process of verifying a user’s identity then creating and returning a unique set of claims (i.e. key- value pairs) that describe the user. • Token-based authentication allows you to outsource authentication from your application and instead consume a token based on a trusted relationship between your app and an identity provider.
4. Anti-CSRF “sync” Tokens
• Use if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket.
• Websites that use any persistent authentication mechanism such as Windows Authentication, Basic, etc. can also be subject to CSRF attacks and should use sync tokens.
• Sync tokens are randomly generated values included in any form/request and are based on the synchronizer token pattern. This pattern uses two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass a comparison check.
5. Anti-CSRF Tokens – cont’d
• In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and available via the IIdentity interface.
• Denote the unique claim in your app if you’re using something other than NameIdentifier. Add a line similar to the following line in the Application_Start method in Global.asax.cs:
  AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
• OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET.
• ASP.NET MVC example:
  <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
6. Access Tokens
• An access token is just an opaque string representing an authorization granted to a client application.
• Access tokens can be Bearer or Holder-of-Key tokens.
• Bearer tokens can be used as-is without requiring proof of ownership.
  • Used by passive, browser-based clients.
  • Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks.
  • Refer to OAuth spec: https://tools.ietf.org/html/rfc6750.
• Holder-of-Key tokens require supporting cryptographic material to prove token ownership.
  • Guarantees end-to-end message key security since the token is signed and encrypted and keys are shared out-of-band.
  • Refer to OAuth spec: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01.
7. Access Tokens – cont’d
• Format explained:
  access_token: string containing the token issued by the identity provider.
  token_type: the type of token issued.
  expires_in: the lifetime in seconds of the access token.
  scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user.
  state: optional parameter used for security checks. The value sent by the client is the same one returned in the response.
  refresh_token: optional parameter used to request a new access token.
• Example:
  {
    "access_token": "mF_9.B5f-4.1JqM",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
  }
8. Refresh Tokens
• An opaque string containing a unique identifier used to retrieve authorization information for a specific client.
• Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires.
• Refresh tokens are long-lived compared to access tokens, whose lifetime is much shorter.
• Refresh tokens should be able to be revoked in case an access token is compromised.
9. Refresh Tokens – cont’d
• Example:
  {
    "token": "VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY",
    "userName": "FooBar",
    "refreshToken": "03715a432ead4dbc91a371eb26c24931",
    "useRefreshTokens": true
  }
10. Token Formats
• SAML – Security Assertion Markup Language.
• JWT – JSON Web Token.
• SWT – Simple Web Token.

                            SAML                       SWT                  JWT
Format                      XML                        HTML Form Encoding   JSON
Designed For                SOAP                       REST                 REST
Default WIF Implementation  Yes                        No                   No
Protocols                   WS-Trust & WS-Federation   OAuth 2.0            OAuth 2.0
Support for Signing         Yes                        Yes                  Yes
Support for Encrypting      Yes                        No                   Yes
11. Standards and Guidelines
• OpenID Connect is the authentication spec built on top of OAuth 2.0. It covers the use and format of the JSON Web Token. Refer to: http://openid.net/specs/openid-connect-core-1_0.html.
• OWASP has good coverage of topics related to security and authentication:
  • https://www.owasp.org/index.php/Authentication_Cheat_Sheet.
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
• JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
12. Demo
13. Resources
• Books:
  • Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c.
  • Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185.
• Blog Posts & Articles:
  • Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/.
  • WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.
14. Resources – cont’d
• PluralSight Courses:
  • Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture.
  • Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud.
  • AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals.
• Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.