How to control access to web APIs and other protected resources with OAuth 2.0, and how to identify users with OpenID Connect. The lecture is intended for web architects and programmers, as well as for all developers who want to learn more about the new web protocols for authorisation and authentication.
7. On token with insufficient privileges
HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope"
8. To learn more about bearer token usage
See RFC 6750
[ http://tools.ietf.org/html/rfc6750 ]
9. How does your web API decode the access tokens?
[Diagram: Your Web API]
10. Typical authorisation attributes associated with an access token
● Scope: e.g. read, write, admin...
● Expiration time
● User ID
● Client ID
● Issuer
11. The 2 possible token encodings
● Self-contained:
– Require RSA signature verification, < 1 ms
– Scale extremely well
● Identifier-based:
– Require web API lookup, ~100+ ms
– Don't scale well, avoid
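An added example, not from the slides, of how a web API can validate a self-contained access token and answer with the 401/403 responses described above. It signs with HS256 (HMAC) so it runs on the Python standard library alone; the RSA-signed (RS256) tokens the slides assume differ only in the signature step, and the issuer, audience, expiry and scope checks are the same. SECRET, ISSUER, AUDIENCE and the claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the slides).
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://as.example.com"
AUDIENCE = "https://api.example.com"
INVALID = (401, 'Bearer error="invalid_token"')

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    # Demo HS256 token; the slides assume RSA-signed (RS256) tokens.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_access(token, required_scope, now=None):
    """Return (status, WWW-Authenticate header) for a bearer token: 401 invalid_token,
    403 insufficient_scope, or (200, None) when the request may proceed."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return INVALID
    # Pin the algorithm; never let the token's own "alg" choose the key type.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return INVALID
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return INVALID
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or AUDIENCE not in aud:
        return INVALID
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return INVALID
    # Scope is a space-delimited string (RFC 6749); check the one this endpoint needs.
    if required_scope not in str(claims.get("scope", "")).split():
        return 403, 'Bearer error="insufficient_scope"'
    return 200, None
```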
14. To learn more about JWT
See draft-ietf-oauth-json-web-token-29
[ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]
15. The ultimate Java library for JWT
http://connect2id.com/products/nimbus-jose-jwt
Thousands of deployments, tens of reviewers and contributors
Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk,
CertiVox, Harvard Medical Schools, unnamed banks, etc.
17. Your authorisation server
[Diagram: OAuth 2.0 server (authenticates users and clients, issues tokens); clients: mobile app, web app, native app; Web APIs service requests, need only understand access tokens]
18. The OAuth 2.0 grants
● Authorisation code – require browser for end-user interaction
● Implicit – for browser (JS) based apps
● Password – for native apps
● Client credentials – for clients acting on their own behalf
● Assertions:
– SAML 2.0 Bearer
– JWT Bearer
19. To learn more about OAuth 2.0
See RFC 6749
[ http://tools.ietf.org/html/rfc6749 ]
20. OpenID Connect
● Identity layer on top of the OAuth 2.0 framework
● The server issues an ID token in addition to the access token:
– The ID token is a signed JWT with claims:
● Subject – the end-user ID
● Issuer – the authority
● Issue and expiration date
● Audience – the intended recipients
● Authentication strength and methods