SlideShare a Scribd company logo

Devteach 2017 OAuth and Open id connect demystified

Download as pptx, pdf
T
Taswar Bhatti

DevTeach Montreal 2017 Talk on OAuth and OpenId Connect, how the technology works the communication channels used and the different kind of grants in OAuth and how OpenId Connect plays in the entire ecosystem

1 of 61
Downloaded 50 times
1
OAUTH2 & OPENID CONNECT DEMYSTIFIED Taswar Bhatti (Microsoft MVP) GEMALTO @taswarbhatti http://taswar.zeytinsoft.co m taswar@gmail.com
2
WHO AM I?? - 4 years Microsoft MVP - 17 years in software - Author of Instant Automapper (Packt) - Currently working at as System Architect at Enterprise Security Space (Gemalto) - You may not have heard of Gemalto but 1/3 of the world population uses Gemalto but they just dont know that
3
WHAT WE WILL COVER TODAY? OAuth 2.0 OAuth flows OpenID JWT (JavaScript Web Token) some says “jot” OpenID Connect Demo (Keycloak IDP)
4
WHAT IS OAUTH? An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
5
OAUTH HISTORY OAuth started circa 2007 2010 - RFC 5849 defines OAuth 1.0 2010 - OAuth 2.0 work begins in IETF Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github , Twitter, Flickr, Dropbox … Mid 2012 – Lead author and editor resigned & withdraws his name from all specs (DRAMA……) October 2012 – RFC 6749, RFC 6750
6
THE GOOD OAuth 2.0 is easier to implement than OAuth 1.0 Wide spread and continue growing Shorted lived token Encapsulated Token OAuth2 makes it HTTP/JSON friendly to request and transmit tokens Takes "multiple client" architectures into account Clients can have varying trust levels
7
OAUTH 2.0 - Transport Security : Using HTTPS and TLS - Ease : Usable (no digital certs to verify) - Flexible : Mobile, Web SPA apps, etc - Decoupled: Resource server and authorization server - Bearer Token : Easy for integration; Id Token also known as keys 9/24/2017 7
8
SO I CAN USE MY PASSWORD??? 9/24/2017 8
9
OAUTH IS LIKE A VALET KEY - Provides another domain delegated access to your application server resources 9/24/2017 9
10
OAUTH ROLES 9/24/2017 10 User Application API
11
OAUTH ROLES 9/24/2017 11 User Application API
12
OAUTH MISCONCEPTION Ohh this is easy!! When I login to Spotify with Twitter, it grabs by username and password from Twitter…. Wrong !!!!!!!!!!!!!! 9/24/2017 12 Developer
13
OAUTH IS NOT FOR 9/24/2017 13 - Traditional Access Control - Not for authentication - Not for Federation - OAuth should be used for delegation
14
BEARER TOKEN GET /somedata HTTP/1.1 Host: someserver.com Authorization: Bearer a3b4c55cf The access token can be JWT format - A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can 9/24/2017 14
15
OAUTH TERMINOLOGY - Client or Consumer Application : Is typically a web based or mobile application that wants to access User’s Protected Resources - Resource Server or the Resource Provider: Is a web site or web service API where the User keeps his/her protected data - Authorized Server : The server issuing access tokens to the client after successfully authenticating the resources and obtaining authorization - User or the Resource Owner : Is a member of the Resource Provider, wanting to share certain resources with a third party - Client Credentials : Are the consumer keys and consumer secret used to authenticated the Client - Tokens : are the access token generated by server after request from client
16
OAUTH TOKEN TYPES - Access Token : Used to directly access protected resources on behalf of a user or service - Refresh Token : When given to an authorization server, it will give you a new access token - Authorization Code Token : Use only in the authorization code grant type for access token or refresh token 9/24/2017 16
17
HIGH LEVEL FLOW OF OAUTH 2 - An app registers him/herself on an oauth service provider (lets say twitter) - S/he gets an app key/secret for each app that s/he registers - When users login they are redirected to the service provider to provide the credentials - If user approves then a token is issued to the app for a limited time - Finally the client uses the token to access the resource
18
OAUTH USAGE In OAuth [authorization] You are in BigPhotoPrintingCorp.net account and you need to access your images from AwesomeImage.com site BigPhotoPrintingCorp.net site will redirect you to AwesomeImage.com site You enter you credential to AwesomeImage.com site and authenticated your self. This is like in openId AwesomeImage.com site will ask if you want to give permission to access only photos of AwesomeImage.com site you select yes AwesomeImage.com site will redirect back to BigPhotoPrintingCorp.net site BigPhotoPrintingCorp.net can access AwesomeImage.com site
19
GRANTING THE WRONG PERMISSIONS 9/24/2017 19
20
4 TYPES OF OAUTH FLOW Authorization Code Grant : for apps running on a web server, long lived tokens Implicit Grant : For browser-based or mobile apps, during user is logged in, short lived tokens Resource Owner Credentials Grant : For logging in with a username and password, trusted application Client credentials Grant : for application access machine to machine
21
AUTHORIZATION CODE FOR APPS RUNNING ON A WEB SERVER This is the most common type of application you have when dealing with OAuth servers. Web apps are run on a server where the source code of the application is not available to the public. This case your site will REDIRECT you to particular authorization server. If webserver making multiple request it can use STATE parameter for map callback response with request One of the most complicated one in OAuth
22
YOU HAVE SEEN THIS BEFORE 9/24/2017 22
23
IMPLICIT FOR BROWSER-BASED OR MOBILE APPS Browser-based apps run entirely in the browser after getting source code from a web server. Since the entire source code is available to the public, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case One will make api calls with the token that is assign to it For mobile apps also cannot maintain the confidentiality of their client secret. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. With this concept token is exposed to local operating system. So there are no refresh tokens.
24
PASSWORD FOR LOGGING IN WITH A USERNAME AND PASSWORD OAuth 2 also provides a “password” grant type which can be used to exchange a username and password for an access token directly. This obviously requires the application to collect the user’s password. As a result users may hesitate to use this service unless this app comes from the auth service provider. Only used in highly trusted application, your social media Facebook app, rather than 3rd party apps (Batman Fancy Facebook app)
25
MEET THE ACTORS IN OUR OAUTH 9/24/2017 25 Resource Owner Or User Application Authorization Server Resource Server Or API
26
CLIENT CREDENTIALS FOR APPLICATION ACCESS There are scenarios that applications may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client credentials grant type for this purpose. This is machine to machine communication sort of concept
27
9/24/2017 27
28
TOKEN – CLIENT CREDENTIAL GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d 'grant_type=client_credentials’ -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret' 9/24/2017 28
29
TOKEN – CLIENT CREDENTIAL GRANT Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope":null } 9/24/2017 29
30
PASSWORD GRANT TYPE 9/24/2017 30
31
PASSWORD GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=password’ -d ‘username=batman’ -d ‘password=nananananananannaBatman’ 9/24/2017 31
32
SCOPES AKA PERMISSIONS - Roles, Authority where you want to give access control to who can do what with it - The name of permissions - User scopes - Client/Applications Scopes - Token contains intersection 9/24/2017 32
33
SCOPES 9/24/2017 33 CarKey.Ignite
34
SCOPES 9/24/2017 34 CarKey.OpenTrunk CarKey.Ignite
35
SCOPES IN TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 35
36
AUTHORIZATION CODE GRANT TYPE 9/24/2017 36
37
AUTHORIZATION GRANT $ https://fancy.mysite.com/oidc #Reaching out to application, are you logged in? 302 HTTP Redirect https://api.mysite.com/authorize?response_type=code&client_id=Te stClient&redirect_uri=https://fancy.mysite.com/oidc 9/24/2017 37
38
AUTHORIZATION CODE GRANT GET /oauth/authorize #Login to the app SUCCESS you get back a code HTTP 302 redirect back to redirect_uri https://fancy.mysite.com/oidc?code=SplxlOBeZQQYbYS6WxSbIA&stat e=xyz 9/24/2017 38
39
AUTHORIZATION CODE GETTING THE TOKEN $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=authorization_code’ -d ‘code=SplxlOBeZQQYbYS6WxSbIA’ 9/24/2017 39
40
ACCESS TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600,“ token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 40
41
RESOURCE SERVER CHECK TOKEN - If it is a Jwt token you can verify the key who signed it - Endpoint to check the token returning the scopes to verify if valid token 9/24/2017 41
42
IMPLICT GRANT TYPE - Used for clients that can easily be impersonated like phone or mobile application - 3rd party application - A simplified Authorization Code Grant with eliminating the code step - Access token is given directly to the app - No Refresh Token are given, Access token are short lived - Requires Resource Owner to invoke for new Access Token 9/24/2017 42
43
IMPLICIT GRANT FLOW
44
OPENID Sharing a single Identity with different consumers Decentralized OpenID is a form of Single Sign On (SSO) OpenID is a URL http://myname.myopenid.com
45
WHAT CAN YOU DO? One can claim and prove they own the openid Use it for authentication At a high level its like Microsoft Passport It’s a form of authentication, if you have a system you still will need to populate your fields (e.g firstname, email, etc) OpenId does not provide you with those information
46
OPENID USAGE In OpenId [authentication] You want to access your account on bigcorp.net bigcorp.net is asking your openId You entered your username for openId bigcorp.net will redirect you to the your openid providers site User give password to openId provider and authenticate him/her self openId provider will redirect user back to bigcorp.net site bigcorp.net will grant you to access your account
47
OPENID CONNECT We have talked about OAuth and OpenId and there is also OpenId Connect It’s the new SSO authentication for the internet OpenId Connect build on top of OAuth2 since sometimes you may just need authentication Remember OAuth2 is for authorization OpenID Connect provides Implict flows and Authorization code flow
48
OPENID CONNECT FLOW - SIMPLE 9/24/2017 48
49
OPENID CONNECT TOKEN { "sub" : "alice", “user_name” : “Taswar” "iss" : "https://openid.c2id.com", "aud" : "client-12345", “auth_time” : 123456789, "iat" : 1311280970, "exp" : 1311281970, “email” : Taswar@gmail.com, “phone_number”: 123-4567 } 9/24/2017 49
50
OPENID CONNECT - HYBRID 9/24/2017 50
51
JWT (JAVA WEB TOKEN) JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
52
JWT CONT JWT Token looks like this eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsI mlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQx ZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdi NDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKqU9dTB6gK wG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo Ok great…………. Once you understand the format, it's actually pretty simple: <base64-encoded header>.<base64-encoded claims>.<base64- encoded signature> [header].[payload].[signature]
53
JWT CONT In other words: You create a header object, with the JSON format. Then you encode it as a base64 You create a claims object, with the JSON format. Then you encode it in base64 You create a signature for the URI. Then you encode it in base64 You concatenate the three items, with the "." separator
54
BENEFITS JSON Web Tokens work across different programming languages: JWTs work in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript, and Haskell. So you can see that these can be used in many different scenarios. JWTs are self-contained: They will carry all the information necessary within itself. This means that a JWT will be able to transmit basic information about itself, a payload (usually user information), and a signature. JWTs can be passed around easily: Since JWTs are self-contained, they are perfectly used inside an HTTP header when authenticating an API. You can also pass it through the URL.
55
HEADER The header carries 2 parts (JWT and the hashing algorithm like below) { “typ”: “JWT”. “algo”, “HS256” } Then base64 encode it
56
PAYLOAD & CLAIMS The payload will carry the bulk of our JWT, also called the JWT Claims. This is where we will put the information that we want to transmit and other information about our token. There are multiple claims that we can provide. This includes registered claim names, public claim names, and private claim names. { "iss": “taswar.zeytinsoft.com", "exp": 1300819380, "name": “Taswar Bhatti", "admin": true }
57
SIGNATURE The third and final part of our JSON Web Token is going to be the signature. This signature is made up of a hash of the following components: the header the payload Secret The secret is the signature held by the server. This is the way that our server will be able to verify existing tokens and sign new ones. var encodedString = base64UrlEncode(header) +
58
ENDPOINTS OF OPENID CONNECT Authorization Endpoint (Regular OAuth) Identity Endpoint (username/pass, hardware token, biometrics) UserInfo Endpoint (name, birthday, picture, etc) Optionals (Session Endpoint, WebFinger etc)
59
OPENID CONNECT TOKENS The OpenID Connect server provides client applications with two key tokens: ID token - asserts the users identity in a signed and verifiable way. Access token - provides access to the user’s details at the UserInfo endpoint and other protected web APIs.
60
DEMO
61
THANK YOU Questions? Contact: Taswar@gmail.com Blog: http://Taswar.zeytinsoft.com Twitter: @taswarbhatti And a special thanks to Lego Batman !
OAUTH2 & OPENID CONNECT DEMYSTIFIED Taswar Bhatti (Microsoft MVP) GEMALTO @taswarbhatti http://taswar.zeytinsoft.co m taswar@gmail.com
WHO AM I?? - 4 years Microsoft MVP - 17 years in software - Author of Instant Automapper (Packt) - Currently working at as System Architect at Enterprise Security Space (Gemalto) - You may not have heard of Gemalto but 1/3 of the world population uses Gemalto but they just dont know that
WHAT WE WILL COVER TODAY? OAuth 2.0 OAuth flows OpenID JWT (JavaScript Web Token) some says “jot” OpenID Connect Demo (Keycloak IDP)
WHAT IS OAUTH? An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
OAUTH HISTORY OAuth started circa 2007 2010 - RFC 5849 defines OAuth 1.0 2010 - OAuth 2.0 work begins in IETF Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github , Twitter, Flickr, Dropbox … Mid 2012 – Lead author and editor resigned & withdraws his name from all specs (DRAMA……) October 2012 – RFC 6749, RFC 6750
THE GOOD OAuth 2.0 is easier to implement than OAuth 1.0 Wide spread and continue growing Shorted lived token Encapsulated Token OAuth2 makes it HTTP/JSON friendly to request and transmit tokens Takes "multiple client" architectures into account Clients can have varying trust levels
OAUTH 2.0 - Transport Security : Using HTTPS and TLS - Ease : Usable (no digital certs to verify) - Flexible : Mobile, Web SPA apps, etc - Decoupled: Resource server and authorization server - Bearer Token : Easy for integration; Id Token also known as keys 9/24/2017 7
SO I CAN USE MY PASSWORD??? 9/24/2017 8
OAUTH IS LIKE A VALET KEY - Provides another domain delegated access to your application server resources 9/24/2017 9
OAUTH ROLES 9/24/2017 10 User Application API
OAUTH ROLES 9/24/2017 11 User Application API
OAUTH MISCONCEPTION Ohh this is easy!! When I login to Spotify with Twitter, it grabs by username and password from Twitter…. Wrong !!!!!!!!!!!!!! 9/24/2017 12 Developer
OAUTH IS NOT FOR 9/24/2017 13 - Traditional Access Control - Not for authentication - Not for Federation - OAuth should be used for delegation
BEARER TOKEN GET /somedata HTTP/1.1 Host: someserver.com Authorization: Bearer a3b4c55cf The access token can be JWT format - A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can 9/24/2017 14
OAUTH TERMINOLOGY - Client or Consumer Application : Is typically a web based or mobile application that wants to access User’s Protected Resources - Resource Server or the Resource Provider: Is a web site or web service API where the User keeps his/her protected data - Authorized Server : The server issuing access tokens to the client after successfully authenticating the resources and obtaining authorization - User or the Resource Owner : Is a member of the Resource Provider, wanting to share certain resources with a third party - Client Credentials : Are the consumer keys and consumer secret used to authenticated the Client - Tokens : are the access token generated by server after request from client
OAUTH TOKEN TYPES - Access Token : Used to directly access protected resources on behalf of a user or service - Refresh Token : When given to an authorization server, it will give you a new access token - Authorization Code Token : Use only in the authorization code grant type for access token or refresh token 9/24/2017 16
HIGH LEVEL FLOW OF OAUTH 2 - An app registers him/herself on an oauth service provider (lets say twitter) - S/he gets an app key/secret for each app that s/he registers - When users login they are redirected to the service provider to provide the credentials - If user approves then a token is issued to the app for a limited time - Finally the client uses the token to access the resource
OAUTH USAGE In OAuth [authorization] You are in BigPhotoPrintingCorp.net account and you need to access your images from AwesomeImage.com site BigPhotoPrintingCorp.net site will redirect you to AwesomeImage.com site You enter you credential to AwesomeImage.com site and authenticated your self. This is like in openId AwesomeImage.com site will ask if you want to give permission to access only photos of AwesomeImage.com site you select yes AwesomeImage.com site will redirect back to BigPhotoPrintingCorp.net site BigPhotoPrintingCorp.net can access AwesomeImage.com site
GRANTING THE WRONG PERMISSIONS 9/24/2017 19
4 TYPES OF OAUTH FLOW Authorization Code Grant : for apps running on a web server, long lived tokens Implicit Grant : For browser-based or mobile apps, during user is logged in, short lived tokens Resource Owner Credentials Grant : For logging in with a username and password, trusted application Client credentials Grant : for application access machine to machine
AUTHORIZATION CODE FOR APPS RUNNING ON A WEB SERVER This is the most common type of application you have when dealing with OAuth servers. Web apps are run on a server where the source code of the application is not available to the public. This case your site will REDIRECT you to particular authorization server. If webserver making multiple request it can use STATE parameter for map callback response with request One of the most complicated one in OAuth
YOU HAVE SEEN THIS BEFORE 9/24/2017 22
IMPLICIT FOR BROWSER-BASED OR MOBILE APPS Browser-based apps run entirely in the browser after getting source code from a web server. Since the entire source code is available to the public, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case One will make api calls with the token that is assign to it For mobile apps also cannot maintain the confidentiality of their client secret. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. With this concept token is exposed to local operating system. So there are no refresh tokens.
PASSWORD FOR LOGGING IN WITH A USERNAME AND PASSWORD OAuth 2 also provides a “password” grant type which can be used to exchange a username and password for an access token directly. This obviously requires the application to collect the user’s password. As a result users may hesitate to use this service unless this app comes from the auth service provider. Only used in highly trusted application, your social media Facebook app, rather than 3rd party apps (Batman Fancy Facebook app)
MEET THE ACTORS IN OUR OAUTH 9/24/2017 25 Resource Owner Or User Application Authorization Server Resource Server Or API
CLIENT CREDENTIALS FOR APPLICATION ACCESS There are scenarios that applications may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client credentials grant type for this purpose. This is machine to machine communication sort of concept
9/24/2017 27
TOKEN – CLIENT CREDENTIAL GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d 'grant_type=client_credentials’ -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret' 9/24/2017 28
TOKEN – CLIENT CREDENTIAL GRANT Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope":null } 9/24/2017 29
PASSWORD GRANT TYPE 9/24/2017 30
PASSWORD GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=password’ -d ‘username=batman’ -d ‘password=nananananananannaBatman’ 9/24/2017 31
SCOPES AKA PERMISSIONS - Roles, Authority where you want to give access control to who can do what with it - The name of permissions - User scopes - Client/Applications Scopes - Token contains intersection 9/24/2017 32
SCOPES 9/24/2017 33 CarKey.Ignite
SCOPES 9/24/2017 34 CarKey.OpenTrunk CarKey.Ignite
SCOPES IN TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 35
AUTHORIZATION CODE GRANT TYPE 9/24/2017 36
AUTHORIZATION GRANT $ https://fancy.mysite.com/oidc #Reaching out to application, are you logged in? 302 HTTP Redirect https://api.mysite.com/authorize?response_type=code&client_id=Te stClient&redirect_uri=https://fancy.mysite.com/oidc 9/24/2017 37
AUTHORIZATION CODE GRANT GET /oauth/authorize #Login to the app SUCCESS you get back a code HTTP 302 redirect back to redirect_uri https://fancy.mysite.com/oidc?code=SplxlOBeZQQYbYS6WxSbIA&stat e=xyz 9/24/2017 38
AUTHORIZATION CODE GETTING THE TOKEN $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=authorization_code’ -d ‘code=SplxlOBeZQQYbYS6WxSbIA’ 9/24/2017 39
ACCESS TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600,“ token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 40
RESOURCE SERVER CHECK TOKEN - If it is a Jwt token you can verify the key who signed it - Endpoint to check the token returning the scopes to verify if valid token 9/24/2017 41
IMPLICT GRANT TYPE - Used for clients that can easily be impersonated like phone or mobile application - 3rd party application - A simplified Authorization Code Grant with eliminating the code step - Access token is given directly to the app - No Refresh Token are given, Access token are short lived - Requires Resource Owner to invoke for new Access Token 9/24/2017 42
IMPLICIT GRANT FLOW
OPENID Sharing a single Identity with different consumers Decentralized OpenID is a form of Single Sign On (SSO) OpenID is a URL http://myname.myopenid.com
WHAT CAN YOU DO? One can claim and prove they own the openid Use it for authentication At a high level its like Microsoft Passport It’s a form of authentication, if you have a system you still will need to populate your fields (e.g firstname, email, etc) OpenId does not provide you with those information
OPENID USAGE In OpenId [authentication] You want to access your account on bigcorp.net bigcorp.net is asking your openId You entered your username for openId bigcorp.net will redirect you to the your openid providers site User give password to openId provider and authenticate him/her self openId provider will redirect user back to bigcorp.net site bigcorp.net will grant you to access your account
OPENID CONNECT We have talked about OAuth and OpenId and there is also OpenId Connect It’s the new SSO authentication for the internet OpenId Connect build on top of OAuth2 since sometimes you may just need authentication Remember OAuth2 is for authorization OpenID Connect provides Implict flows and Authorization code flow
OPENID CONNECT FLOW - SIMPLE 9/24/2017 48
OPENID CONNECT TOKEN { "sub" : "alice", “user_name” : “Taswar” "iss" : "https://openid.c2id.com", "aud" : "client-12345", “auth_time” : 123456789, "iat" : 1311280970, "exp" : 1311281970, “email” : Taswar@gmail.com, “phone_number”: 123-4567 } 9/24/2017 49
OPENID CONNECT - HYBRID 9/24/2017 50
JWT (JAVA WEB TOKEN) JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
JWT CONT JWT Token looks like this eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsI mlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQx ZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdi NDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKqU9dTB6gK wG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo Ok great…………. Once you understand the format, it's actually pretty simple: <base64-encoded header>.<base64-encoded claims>.<base64- encoded signature> [header].[payload].[signature]
JWT CONT In other words: You create a header object, with the JSON format. Then you encode it as a base64 You create a claims object, with the JSON format. Then you encode it in base64 You create a signature for the URI. Then you encode it in base64 You concatenate the three items, with the "." separator
BENEFITS JSON Web Tokens work across different programming languages: JWTs work in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript, and Haskell. So you can see that these can be used in many different scenarios. JWTs are self-contained: They will carry all the information necessary within itself. This means that a JWT will be able to transmit basic information about itself, a payload (usually user information), and a signature. JWTs can be passed around easily: Since JWTs are self-contained, they are perfectly used inside an HTTP header when authenticating an API. You can also pass it through the URL.
HEADER The header carries 2 parts (JWT and the hashing algorithm like below) { “typ”: “JWT”. “algo”, “HS256” } Then base64 encode it
PAYLOAD & CLAIMS The payload will carry the bulk of our JWT, also called the JWT Claims. This is where we will put the information that we want to transmit and other information about our token. There are multiple claims that we can provide. This includes registered claim names, public claim names, and private claim names. { "iss": “taswar.zeytinsoft.com", "exp": 1300819380, "name": “Taswar Bhatti", "admin": true }
SIGNATURE The third and final part of our JSON Web Token is going to be the signature. This signature is made up of a hash of the following components: the header the payload Secret The secret is the signature held by the server. This is the way that our server will be able to verify existing tokens and sign new ones. var encodedString = base64UrlEncode(header) +
ENDPOINTS OF OPENID CONNECT Authorization Endpoint (Regular OAuth) Identity Endpoint (username/pass, hardware token, biometrics) UserInfo Endpoint (name, birthday, picture, etc) Optionals (Session Endpoint, WebFinger etc)
OPENID CONNECT TOKENS The OpenID Connect server provides client applications with two key tokens: ID token - asserts the users identity in a signed and verifiable way. Access token - provides access to the user’s details at the UserInfo endpoint and other protected web APIs.
DEMO
THANK YOU Questions? Contact: Taswar@gmail.com Blog: http://Taswar.zeytinsoft.com Twitter: @taswarbhatti And a special thanks to Lego Batman !
Ad

Recommended

Introduction to the Microsoft Bot Framework v4
Introduction to the Microsoft Bot Framework v4Introduction to the Microsoft Bot Framework v4
Introduction to the Microsoft Bot Framework v4
Bob German
 
An introduction to Microsoft Bot Framework
An introduction to Microsoft Bot FrameworkAn introduction to Microsoft Bot Framework
An introduction to Microsoft Bot Framework
Taswar Bhatti
 
Programming the Microsoft Bot Framework
Programming the Microsoft Bot FrameworkProgramming the Microsoft Bot Framework
Programming the Microsoft Bot Framework
Stefano Tempesta
 
Building intelligent chat bot with microsoft bot framework
Building intelligent chat bot with microsoft bot frameworkBuilding intelligent chat bot with microsoft bot framework
Building intelligent chat bot with microsoft bot framework
Rukshan Dangalla
 
Introduction to Microsoft Bot Framework
Introduction to Microsoft Bot FrameworkIntroduction to Microsoft Bot Framework
Introduction to Microsoft Bot Framework
Sam Fernando
 
Microsoft bot framework
Microsoft bot frameworkMicrosoft bot framework
Microsoft bot framework
Software Infrastructure
 
Azure Bot Services - Malaysia
Azure Bot Services - MalaysiaAzure Bot Services - Malaysia
Azure Bot Services - Malaysia
Cheah Eng Soon
 
Build intelligent chatbot with bot framework
Build intelligent chatbot with bot frameworkBuild intelligent chatbot with bot framework
Build intelligent chatbot with bot framework
Puja Pramudya
 
Developing intelligent bots from the beginning
Developing intelligent bots from the beginningDeveloping intelligent bots from the beginning
Developing intelligent bots from the beginning
Suthahar J
 
DDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot FrameworkDDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot Framework
James Mann
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
Emad Alashi
 
Azure Bot Framework
Azure Bot FrameworkAzure Bot Framework
Azure Bot Framework
Phat Nguyen
 
Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)
Sorin Peste
 
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & AzureArtificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Marvin Heng
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
Umar Ali
 
Introduction to widgets
Introduction to widgetsIntroduction to widgets
Introduction to widgets
Thomas Robbins
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Asp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptAsp.net membership anduserroles_ppt
Asp.net membership anduserroles_ppt
Shivanand Arur
 
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
Luis Beltran
 
Fear and Loathing of 2fa
Fear and Loathing of 2faFear and Loathing of 2fa
Fear and Loathing of 2fa
Igor Bulatenko
 
Silverlight as a desktop application
Silverlight as a desktop applicationSilverlight as a desktop application
Silverlight as a desktop application
msarangam
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
Manoj Mittal
 
Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014
Srikar Ananthula
 
Mozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-onMozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-on
Vlad Filippov
 
Getting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkGetting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot Framework
Akshay Deshmukh
 
DIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development todayDIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development today
Bojan Veljanovski
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 

More Related Content

What's hot (18)

Developing intelligent bots from the beginning
Developing intelligent bots from the beginningDeveloping intelligent bots from the beginning
Developing intelligent bots from the beginning
Suthahar J
 
DDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot FrameworkDDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot Framework
James Mann
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
Emad Alashi
 
Azure Bot Framework
Azure Bot FrameworkAzure Bot Framework
Azure Bot Framework
Phat Nguyen
 
Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)
Sorin Peste
 
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & AzureArtificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Marvin Heng
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
Umar Ali
 
Introduction to widgets
Introduction to widgetsIntroduction to widgets
Introduction to widgets
Thomas Robbins
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Asp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptAsp.net membership anduserroles_ppt
Asp.net membership anduserroles_ppt
Shivanand Arur
 
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
Luis Beltran
 
Fear and Loathing of 2fa
Fear and Loathing of 2faFear and Loathing of 2fa
Fear and Loathing of 2fa
Igor Bulatenko
 
Silverlight as a desktop application
Silverlight as a desktop applicationSilverlight as a desktop application
Silverlight as a desktop application
msarangam
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
Manoj Mittal
 
Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014
Srikar Ananthula
 
Mozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-onMozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-on
Vlad Filippov
 
Getting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkGetting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot Framework
Akshay Deshmukh
 
DIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development todayDIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development today
Bojan Veljanovski
 
Developing intelligent bots from the beginning
Developing intelligent bots from the beginningDeveloping intelligent bots from the beginning
Developing intelligent bots from the beginning
Suthahar J
 
DDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot FrameworkDDD12 - Introduction to Microsoft Bot Framework
DDD12 - Introduction to Microsoft Bot Framework
James Mann
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
Emad Alashi
 
Azure Bot Framework
Azure Bot FrameworkAzure Bot Framework
Azure Bot Framework
Phat Nguyen
 
Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)Build an Intelligent Bot (Node.js)
Build an Intelligent Bot (Node.js)
Sorin Peste
 
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & AzureArtificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Artificial Intelligent: Intelligent Bot With Microsoft Bot Framework & Azure
Marvin Heng
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
Umar Ali
 
Introduction to widgets
Introduction to widgetsIntroduction to widgets
Introduction to widgets
Thomas Robbins
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
Shivanand Arur
 
Asp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptAsp.net membership anduserroles_ppt
Asp.net membership anduserroles_ppt
Shivanand Arur
 
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
virtual-2021-data.sql_.saturday.la-Building database interactions with users ...
Luis Beltran
 
Fear and Loathing of 2fa
Fear and Loathing of 2faFear and Loathing of 2fa
Fear and Loathing of 2fa
Igor Bulatenko
 
Silverlight as a desktop application
Silverlight as a desktop applicationSilverlight as a desktop application
Silverlight as a desktop application
msarangam
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
Manoj Mittal
 
Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014Mozilla Persona Talk at FOSDEM 2014
Mozilla Persona Talk at FOSDEM 2014
Srikar Ananthula
 
Mozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-onMozilla Persona: Simplified Sign-on
Mozilla Persona: Simplified Sign-on
Vlad Filippov
 
Getting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkGetting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot Framework
Akshay Deshmukh
 
DIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development todayDIGIT Noe 2016 - Overview of front end development today
DIGIT Noe 2016 - Overview of front end development today
Bojan Veljanovski
 

Similar to Devteach 2017 OAuth and Open id connect demystified (20)

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdfKeeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
danieloskarsson
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdfKeeping Pace with OAuth’s Evolving Security Practices.pdf
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
danieloskarsson
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
Ad

More from Taswar Bhatti (18)

Get productive with python Visual Studio 2019
Get productive with python Visual Studio 2019Get productive with python Visual Studio 2019
Get productive with python Visual Studio 2019
Taswar Bhatti
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
Taswar Bhatti
 
Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019
Taswar Bhatti
 
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to knowMicrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Taswar Bhatti
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti
 
8 cloud design patterns you ought to know - Update Conference 2018
8 cloud design patterns you ought to know - Update Conference 20188 cloud design patterns you ought to know - Update Conference 2018
8 cloud design patterns you ought to know - Update Conference 2018
Taswar Bhatti
 
Intro elasticsearch taswarbhatti
Intro elasticsearch taswarbhattiIntro elasticsearch taswarbhatti
Intro elasticsearch taswarbhatti
Taswar Bhatti
 
Cloud Design Patterns - Hong Kong Codeaholics
Cloud Design Patterns - Hong Kong CodeaholicsCloud Design Patterns - Hong Kong Codeaholics
Cloud Design Patterns - Hong Kong Codeaholics
Taswar Bhatti
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
Taswar Bhatti
 
Cloud patterns at Carleton University
Cloud patterns at Carleton UniversityCloud patterns at Carleton University
Cloud patterns at Carleton University
Taswar Bhatti
 
Cloud Design Patterns
Cloud Design PatternsCloud Design Patterns
Cloud Design Patterns
Taswar Bhatti
 
Devteach 2017 Store 2 million of audit a day into elasticsearch
Devteach 2017 Store 2 million of audit a day into elasticsearchDevteach 2017 Store 2 million of audit a day into elasticsearch
Devteach 2017 Store 2 million of audit a day into elasticsearch
Taswar Bhatti
 
Dev days 1 Introduction to Xamarin Taswar Bhatti
Dev days 1 Introduction to Xamarin Taswar BhattiDev days 1 Introduction to Xamarin Taswar Bhatti
Dev days 1 Introduction to Xamarin Taswar Bhatti
Taswar Bhatti
 
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
Xamarin forms introduction by Taswar Bhatti and Ahmed AssadXamarin forms introduction by Taswar Bhatti and Ahmed Assad
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
Taswar Bhatti
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
Taswar Bhatti
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
Taswar Bhatti
 
Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup
Taswar Bhatti
 
Get productive with python Visual Studio 2019
Get productive with python Visual Studio 2019Get productive with python Visual Studio 2019
Get productive with python Visual Studio 2019
Taswar Bhatti
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
Taswar Bhatti
 
Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019
Taswar Bhatti
 
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to knowMicrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
Taswar Bhatti
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti
 
8 cloud design patterns you ought to know - Update Conference 2018
8 cloud design patterns you ought to know - Update Conference 20188 cloud design patterns you ought to know - Update Conference 2018
8 cloud design patterns you ought to know - Update Conference 2018
Taswar Bhatti
 
Intro elasticsearch taswarbhatti
Intro elasticsearch taswarbhattiIntro elasticsearch taswarbhatti
Intro elasticsearch taswarbhatti
Taswar Bhatti
 
Cloud Design Patterns - Hong Kong Codeaholics
Cloud Design Patterns - Hong Kong CodeaholicsCloud Design Patterns - Hong Kong Codeaholics
Cloud Design Patterns - Hong Kong Codeaholics
Taswar Bhatti
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
Taswar Bhatti
 
Cloud patterns at Carleton University
Cloud patterns at Carleton UniversityCloud patterns at Carleton University
Cloud patterns at Carleton University
Taswar Bhatti
 
Cloud Design Patterns
Cloud Design PatternsCloud Design Patterns
Cloud Design Patterns
Taswar Bhatti
 
Devteach 2017 Store 2 million of audit a day into elasticsearch
Devteach 2017 Store 2 million of audit a day into elasticsearchDevteach 2017 Store 2 million of audit a day into elasticsearch
Devteach 2017 Store 2 million of audit a day into elasticsearch
Taswar Bhatti
 
Dev days 1 Introduction to Xamarin Taswar Bhatti
Dev days 1 Introduction to Xamarin Taswar BhattiDev days 1 Introduction to Xamarin Taswar Bhatti
Dev days 1 Introduction to Xamarin Taswar Bhatti
Taswar Bhatti
 
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
Xamarin forms introduction by Taswar Bhatti and Ahmed AssadXamarin forms introduction by Taswar Bhatti and Ahmed Assad
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
Taswar Bhatti
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
Taswar Bhatti
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
Taswar Bhatti
 
Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup
Taswar Bhatti
 
Ad

Recently uploaded (20)

How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
Providing Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better DataProviding Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better Data
Safe Software
 
IBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - IntroductionIBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - Introduction
Gaurav Sharma
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
AI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA TechnologiesAI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA Technologies
SandeepKS52
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
FME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable InsightsFME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable Insights
Safe Software
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdfHow to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
victordsane
 
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
BradBedford3
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps CyclesFrom Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
Marjukka Niinioja
 
Scalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple DevicesScalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple Devices
Scalefusion
 
Simplify Training with an Online Induction Portal for Contractors
Simplify Training with an Online Induction Portal for ContractorsSimplify Training with an Online Induction Portal for Contractors
Simplify Training with an Online Induction Portal for Contractors
SHEQ Network Limited
 
Content Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ ProductivityContent Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ Productivity
Alex Vladimirovich
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
Providing Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better DataProviding Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better Data
Safe Software
 
IBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - IntroductionIBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - Introduction
Gaurav Sharma
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
AI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA TechnologiesAI and Deep Learning with NVIDIA Technologies
AI and Deep Learning with NVIDIA Technologies
SandeepKS52
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
FME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable InsightsFME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable Insights
Safe Software
 
The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...The rise of e-commerce has redefined how retailers operate—and reconciliation...
The rise of e-commerce has redefined how retailers operate—and reconciliation...
Prachi Desai
 
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI SearchAgentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Agentic Techniques in Retrieval-Augmented Generation with Azure AI Search
Maxim Salnikov
 
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdfHow to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
victordsane
 
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
BradBedford3
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps CyclesFrom Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
From Chaos to Clarity - Designing (AI-Ready) APIs with APIOps Cycles
Marjukka Niinioja
 
Scalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple DevicesScalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple Devices
Scalefusion
 
Simplify Training with an Online Induction Portal for Contractors
Simplify Training with an Online Induction Portal for ContractorsSimplify Training with an Online Induction Portal for Contractors
Simplify Training with an Online Induction Portal for Contractors
SHEQ Network Limited
 
Content Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ ProductivityContent Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ Productivity
Alex Vladimirovich
 
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The SequelMarketo & Dynamics can be Most Excellent to Each Other – The Sequel
Marketo & Dynamics can be Most Excellent to Each Other – The Sequel
BradBedford3
 

Devteach 2017 OAuth and Open id connect demystified

  • 1. OAUTH2 & OPENID CONNECT DEMYSTIFIED Taswar Bhatti (Microsoft MVP) GEMALTO @taswarbhatti http://taswar.zeytinsoft.co m [email protected]
  • 2. WHO AM I?? - 4 years Microsoft MVP - 17 years in software - Author of Instant Automapper (Packt) - Currently working at as System Architect at Enterprise Security Space (Gemalto) - You may not have heard of Gemalto but 1/3 of the world population uses Gemalto but they just dont know that
  • 3. WHAT WE WILL COVER TODAY? OAuth 2.0 OAuth flows OpenID JWT (JavaScript Web Token) some says “jot” OpenID Connect Demo (Keycloak IDP)
  • 4. WHAT IS OAUTH? An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
  • 5. OAUTH HISTORY OAuth started circa 2007 2010 - RFC 5849 defines OAuth 1.0 2010 - OAuth 2.0 work begins in IETF Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github , Twitter, Flickr, Dropbox … Mid 2012 – Lead author and editor resigned & withdraws his name from all specs (DRAMA……) October 2012 – RFC 6749, RFC 6750
  • 6. THE GOOD OAuth 2.0 is easier to implement than OAuth 1.0 Wide spread and continue growing Shorted lived token Encapsulated Token OAuth2 makes it HTTP/JSON friendly to request and transmit tokens Takes "multiple client" architectures into account Clients can have varying trust levels
  • 7. OAUTH 2.0 - Transport Security : Using HTTPS and TLS - Ease : Usable (no digital certs to verify) - Flexible : Mobile, Web SPA apps, etc - Decoupled: Resource server and authorization server - Bearer Token : Easy for integration; Id Token also known as keys 9/24/2017 7
  • 8. SO I CAN USE MY PASSWORD??? 9/24/2017 8
  • 9. OAUTH IS LIKE A VALET KEY - Provides another domain delegated access to your application server resources 9/24/2017 9
  • 10. OAUTH ROLES 9/24/2017 10 User Application API
  • 12. OAUTH MISCONCEPTION Ohh this is easy!! When I login to Spotify with Twitter, it grabs by username and password from Twitter…. Wrong !!!!!!!!!!!!!! 9/24/2017 12 Developer
  • 13. OAUTH IS NOT FOR 9/24/2017 13 - Traditional Access Control - Not for authentication - Not for Federation - OAuth should be used for delegation
  • 14. BEARER TOKEN GET /somedata HTTP/1.1 Host: someserver.com Authorization: Bearer a3b4c55cf The access token can be JWT format - A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can 9/24/2017 14
  • 15. OAUTH TERMINOLOGY - Client or Consumer Application : Is typically a web based or mobile application that wants to access User’s Protected Resources - Resource Server or the Resource Provider: Is a web site or web service API where the User keeps his/her protected data - Authorized Server : The server issuing access tokens to the client after successfully authenticating the resources and obtaining authorization - User or the Resource Owner : Is a member of the Resource Provider, wanting to share certain resources with a third party - Client Credentials : Are the consumer keys and consumer secret used to authenticated the Client - Tokens : are the access token generated by server after request from client
  • 16. OAUTH TOKEN TYPES - Access Token : Used to directly access protected resources on behalf of a user or service - Refresh Token : When given to an authorization server, it will give you a new access token - Authorization Code Token : Use only in the authorization code grant type for access token or refresh token 9/24/2017 16
  • 17. HIGH LEVEL FLOW OF OAUTH 2 - An app registers him/herself on an oauth service provider (lets say twitter) - S/he gets an app key/secret for each app that s/he registers - When users login they are redirected to the service provider to provide the credentials - If user approves then a token is issued to the app for a limited time - Finally the client uses the token to access the resource
  • 18. OAUTH USAGE In OAuth [authorization] You are in BigPhotoPrintingCorp.net account and you need to access your images from AwesomeImage.com site BigPhotoPrintingCorp.net site will redirect you to AwesomeImage.com site You enter you credential to AwesomeImage.com site and authenticated your self. This is like in openId AwesomeImage.com site will ask if you want to give permission to access only photos of AwesomeImage.com site you select yes AwesomeImage.com site will redirect back to BigPhotoPrintingCorp.net site BigPhotoPrintingCorp.net can access AwesomeImage.com site
  • 20. 4 TYPES OF OAUTH FLOW Authorization Code Grant : for apps running on a web server, long lived tokens Implicit Grant : For browser-based or mobile apps, during user is logged in, short lived tokens Resource Owner Credentials Grant : For logging in with a username and password, trusted application Client credentials Grant : for application access machine to machine
  • 21. AUTHORIZATION CODE FOR APPS RUNNING ON A WEB SERVER This is the most common type of application you have when dealing with OAuth servers. Web apps are run on a server where the source code of the application is not available to the public. This case your site will REDIRECT you to particular authorization server. If webserver making multiple request it can use STATE parameter for map callback response with request One of the most complicated one in OAuth
  • 22. YOU HAVE SEEN THIS BEFORE 9/24/2017 22
  • 23. IMPLICIT FOR BROWSER-BASED OR MOBILE APPS Browser-based apps run entirely in the browser after getting source code from a web server. Since the entire source code is available to the public, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case One will make api calls with the token that is assign to it For mobile apps also cannot maintain the confidentiality of their client secret. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. With this concept token is exposed to local operating system. So there are no refresh tokens.
  • 24. PASSWORD FOR LOGGING IN WITH A USERNAME AND PASSWORD OAuth 2 also provides a “password” grant type which can be used to exchange a username and password for an access token directly. This obviously requires the application to collect the user’s password. As a result users may hesitate to use this service unless this app comes from the auth service provider. Only used in highly trusted application, your social media Facebook app, rather than 3rd party apps (Batman Fancy Facebook app)
  • 25. MEET THE ACTORS IN OUR OAUTH 9/24/2017 25 Resource Owner Or User Application Authorization Server Resource Server Or API
  • 26. CLIENT CREDENTIALS FOR APPLICATION ACCESS There are scenarios that applications may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client credentials grant type for this purpose. This is machine to machine communication sort of concept
  • 28. TOKEN – CLIENT CREDENTIAL GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d 'grant_type=client_credentials’ -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret' 9/24/2017 28
  • 29. TOKEN – CLIENT CREDENTIAL GRANT Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope":null } 9/24/2017 29
  • 31. PASSWORD GRANT $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=password’ -d ‘username=batman’ -d ‘password=nananananananannaBatman’ 9/24/2017 31
  • 32. SCOPES AKA PERMISSIONS - Roles, Authority where you want to give access control to who can do what with it - The name of permissions - User scopes - Client/Applications Scopes - Token contains intersection 9/24/2017 32
  • 35. SCOPES IN TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 35
  • 37. AUTHORIZATION GRANT $ https://fancy.mysite.com/oidc #Reaching out to application, are you logged in? 302 HTTP Redirect https://api.mysite.com/authorize?response_type=code&client_id=Te stClient&redirect_uri=https://fancy.mysite.com/oidc 9/24/2017 37
  • 38. AUTHORIZATION CODE GRANT GET /oauth/authorize #Login to the app SUCCESS you get back a code HTTP 302 redirect back to redirect_uri https://fancy.mysite.com/oidc?code=SplxlOBeZQQYbYS6WxSbIA&stat e=xyz 9/24/2017 38
  • 39. AUTHORIZATION CODE GETTING THE TOKEN $ curl –XPOST https://api.mysite.com/oauth/token -d ‘client_id=TestClient’ -d ‘client_secret=TestSecret’ -d 'grant_type=authorization_code’ -d ‘code=SplxlOBeZQQYbYS6WxSbIA’ 9/24/2017 39
  • 40. ACCESS TOKEN Response from Authorization Server { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600,“ token_type":"bearer", "scope": “CarKey.Ignite” } 9/24/2017 40
  • 41. RESOURCE SERVER CHECK TOKEN - If it is a Jwt token you can verify the key who signed it - Endpoint to check the token returning the scopes to verify if valid token 9/24/2017 41
  • 42. IMPLICT GRANT TYPE - Used for clients that can easily be impersonated like phone or mobile application - 3rd party application - A simplified Authorization Code Grant with eliminating the code step - Access token is given directly to the app - No Refresh Token are given, Access token are short lived - Requires Resource Owner to invoke for new Access Token 9/24/2017 42
  • 44. OPENID Sharing a single Identity with different consumers Decentralized OpenID is a form of Single Sign On (SSO) OpenID is a URL http://myname.myopenid.com
  • 45. WHAT CAN YOU DO? One can claim and prove they own the openid Use it for authentication At a high level its like Microsoft Passport It’s a form of authentication, if you have a system you still will need to populate your fields (e.g firstname, email, etc) OpenId does not provide you with those information
  • 46. OPENID USAGE In OpenId [authentication] You want to access your account on bigcorp.net bigcorp.net is asking your openId You entered your username for openId bigcorp.net will redirect you to the your openid providers site User give password to openId provider and authenticate him/her self openId provider will redirect user back to bigcorp.net site bigcorp.net will grant you to access your account
  • 47. OPENID CONNECT We have talked about OAuth and OpenId and there is also OpenId Connect It’s the new SSO authentication for the internet OpenId Connect build on top of OAuth2 since sometimes you may just need authentication Remember OAuth2 is for authorization OpenID Connect provides Implict flows and Authorization code flow
  • 48. OPENID CONNECT FLOW - SIMPLE 9/24/2017 48
  • 49. OPENID CONNECT TOKEN { "sub" : "alice", “user_name” : “Taswar” "iss" : "https://openid.c2id.com", "aud" : "client-12345", “auth_time” : 123456789, "iat" : 1311280970, "exp" : 1311281970, “email” : [email protected], “phone_number”: 123-4567 } 9/24/2017 49
  • 50. OPENID CONNECT - HYBRID 9/24/2017 50
  • 51. JWT (JAVA WEB TOKEN) JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
  • 52. JWT CONT JWT Token looks like this eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsI mlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQx ZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdi NDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKqU9dTB6gK wG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo Ok great…………. Once you understand the format, it's actually pretty simple: .. [header].[payload].[signature]
  • 53. JWT CONT In other words: You create a header object, with the JSON format. Then you encode it as a base64 You create a claims object, with the JSON format. Then you encode it in base64 You create a signature for the URI. Then you encode it in base64 You concatenate the three items, with the "." separator
  • 54. BENEFITS JSON Web Tokens work across different programming languages: JWTs work in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript, and Haskell. So you can see that these can be used in many different scenarios. JWTs are self-contained: They will carry all the information necessary within itself. This means that a JWT will be able to transmit basic information about itself, a payload (usually user information), and a signature. JWTs can be passed around easily: Since JWTs are self-contained, they are perfectly used inside an HTTP header when authenticating an API. You can also pass it through the URL.
  • 55. HEADER The header carries 2 parts (JWT and the hashing algorithm like below) { “typ”: “JWT”. “algo”, “HS256” } Then base64 encode it
  • 56. PAYLOAD & CLAIMS The payload will carry the bulk of our JWT, also called the JWT Claims. This is where we will put the information that we want to transmit and other information about our token. There are multiple claims that we can provide. This includes registered claim names, public claim names, and private claim names. { "iss": “taswar.zeytinsoft.com", "exp": 1300819380, "name": “Taswar Bhatti", "admin": true }
  • 57. SIGNATURE The third and final part of our JSON Web Token is going to be the signature. This signature is made up of a hash of the following components: the header the payload Secret The secret is the signature held by the server. This is the way that our server will be able to verify existing tokens and sign new ones. var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'secret');
  • 58. ENDPOINTS OF OPENID CONNECT Authorization Endpoint (Regular OAuth) Identity Endpoint (username/pass, hardware token, biometrics) UserInfo Endpoint (name, birthday, picture, etc) Optionals (Session Endpoint, WebFinger etc)
  • 59. OPENID CONNECT TOKENS The OpenID Connect server provides client applications with two key tokens: ID token - asserts the users identity in a signed and verifiable way. Access token - provides access to the user’s details at the UserInfo endpoint and other protected web APIs.
  • 60. DEMO
  • 61. THANK YOU Questions? Contact: [email protected] Blog: http://Taswar.zeytinsoft.com Twitter: @taswarbhatti And a special thanks to Lego Batman !

Editor's Notes

  • #5: This is a newer version rather than using SAML
  • #13: Passwords are never passed around