Copyright ©2012 Ping Identity Corporation. All rights reserved.
SAML, OAuth 2, and OpenID Connect Overview
David Waite
Ping Identity Corporation
CLAIMS-BASED AND FEDERATED IDENTITY
Claims-based Identity
• Primarily a Microsoft-Pushed Concept
–Unfortunate, less attention outside MS shops
• Trusted-party message w/ user attributes
–Alternative to directory lookup off account name
• Authentication is an external concern
–vs each mechanism implemented in each app
Claims-based Identity
• Could support multiple trusted issuers
• Different levels of trust
–Can this issuer assert for this user?
–Can this issuer assert the user has this role?
• A local trusted party may serve as intermediary/multiplexer
–The Security Token Service (STS) Role
Claims-based Identity
• Policy decisions based on issuer, claims
–vs group-based policy, local directory lookup
–claims may map directly to policy decisions
• Local trusted issuer can centralize, push policy decisions in tokens
Federated Identity
• Making local decisions from remote trusted entities is distributed identity
• Since there is no global entity to trust, we call this “Federated Identity”
• In the consumer space, this is
–Social Logins
–Windows Live ID
–OpenID systems
Web SSO vs API SSO
• Web Browser SSO
–cross domain interactions
–requires no browser extensions
–query params or JavaScript form-post transport
–form login, cookies for authentication
• API SSO
–client logic to acquire tokens via authentication
–cache/use tokens for API access
SECURITY ASSERTION MARKUP LANGUAGE (SAML)
SAML
• Security Assertion Markup Language
–A.K.A. a format for Securely Asserting Identity Information
• Includes Web Single Sign-On (Web SSO)
• Pieces leveraged by WS-Federation, WS-Security, OAuth 2.0
Web SSO Problem
• How to talk about a user (entity)
• Between multiple security domains
• Where that entity has different identity representations in each domain
• Such that the entity can request resources
• And not have to re-authenticate
SAML Details
• SAML is an XML format
–With XML schema
–Integrity, confidentiality protection via xmlsec
–Almost always signed, encrypted with X.509
–Often self-issued X.509 certs
• trust is established out-of-band
• Only a subset of features supported by majority of implementations
SAML Roles
• Identity Provider
–Authenticates the user directly
–Asserts identity to other services
• Service Provider
–Requests, consumes identity to authenticate the user
SAML Anatomy
• SAML Assertion
–describes the entity
• SAML Protocol
–request/response messages
• SAML Binding
–how messages are sent
• SAML Profile
–bindings and profiles used for a use case
SAML Anatomy
• Interesting Bits
–SAML Assertion
• token used by other specs
–SAML Web Browser SSO Profile
• describes how to send browsers cross domains to authenticate users
Subset of SAML in wide use
• Web Browser SSO
• Assertions
–subject - unique identifier in system
• email, DN, employee ID
–attributes
• personalization items like first/last name
• groups, other information for policy decisions
SAML Limitations
• XML digital signatures are difficult
–to implement
–to reason about
• Majority of implementations only handle Web SSO
• Most API usage is WS-Security (SOAP)
–OAuth 2.0 profile is in draft
OAUTH 2.0
OAuth 2.0
• Provides Authorization for API access
–3rd party makes API calls on user’s behalf
–Without asking for/caching user password
–User can revoke client access individually
–Changing password doesn’t break access
Existing Problem to Solve*
OAuth 2.0 Fundamentals
• Four parties defined
–The User
–The Client application
–A Protected Resource requiring authorization
–An Authorization Service
OAuth 2.0 Fundamentals
• Access tokens
–message to resource from AS about client
• what they are allowed to do
• who they represent
–usually opaque to the client
–validation of token is not part of core spec
• local crypto check, or remote call
–Requires secure transport (TLS)
OAuth 2.0 Fundamentals
• Scopes
–Clients request scope of usage for token
• API-specific strings or URIs
–AS logic determines what scopes you get
• internal policy
• user consent
–Good for pre-computing broad policy decisions
OAuth 2.0 Fundamentals
• Access token validation is often cached
• Access tokens expire
• Refresh token
–given to client alongside access token
–can be used to request new access token
–usually what is revoked by user
–only shared between client and AS
OAuth 2.0 Benefits
• Splits token acquisition from token usage
• Acquisition:
POST /authsvc
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQK
grant_type=password&username=jdoe&password=A3ddj3
• Usage:
Authorization: Bearer YWNjZXNzdGtuCg==
Grant Types
• A few interesting grant_types:
–username / password user auth
–browser-based authentication and consent
• returning temporary code to exchange for token
• returning token directly to be consumed by code
–client authentication w/o user
–SAML (separate draft spec)
–JWT (to discuss later)
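Added example, not from the deck or from any Ping Identity product: a toy Python token endpoint modelling the acquisition side of the slides above (client registration and HTTP Basic client authentication, the password grant from the acquisition request, a refresh token the user can revoke per client, access tokens that expire) plus the resource-side check of a Bearer header. The client id, secret, user, password and the /authsvc path are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed registration data (hypothetical client and user, not from the deck).
CLIENTS = {"webapp": "client-secret-xyz"}  # registered client_id -> client_secret
USER_SALT = b"constructed-salt"
USERS = {"jdoe": hashlib.pbkdf2_hmac("sha256", b"A3ddj3", USER_SALT, 10_000)}

ACCESS_TTL = 300     # seconds an access token stays valid
ACCESS_TOKENS = {}   # token -> {"sub", "client_id", "scope", "exp"}
REFRESH_TOKENS = {}  # token -> {"sub", "client_id", "scope", "revoked"}


def basic_header(client_id, secret):
    """Build the 'Authorization: Basic ...' value a client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _check_client(headers):
    """Client authentication via HTTP Basic; unregistered clients get nothing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(secret, expected):
        return None
    return client_id


def _issue(sub, client_id, scope, now, with_refresh):
    """Mint an access token (and optionally a refresh token) for this client/user pair."""
    access = secrets.token_urlsafe(24)
    ACCESS_TOKENS[access] = {"sub": sub, "client_id": client_id,
                             "scope": scope, "exp": now + ACCESS_TTL}
    resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}
    if with_refresh:
        refresh = secrets.token_urlsafe(24)
        REFRESH_TOKENS[refresh] = {"sub": sub, "client_id": client_id,
                                   "scope": scope, "revoked": False}
        resp["refresh_token"] = refresh
    return resp


def token_endpoint(headers, body, now=None):
    """POST /authsvc (hypothetical path): returns a token response dict or an error dict."""
    now = time.time() if now is None else now
    client_id = _check_client(headers)
    if client_id is None:
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        digest = hashlib.pbkdf2_hmac("sha256", form.get("password", "").encode(),
                                     USER_SALT, 10_000)
        stored = USERS.get(form.get("username"))
        if stored is None or not hmac.compare_digest(digest, stored):
            return {"error": "invalid_grant"}
        return _issue(form["username"], client_id, form.get("scope", ""), now, True)
    if grant == "refresh_token":
        rt = REFRESH_TOKENS.get(form.get("refresh_token", ""))
        # The refresh token is bound to the client it was issued to; revocation
        # flips the flag here, which is what the user actually switches off.
        if rt is None or rt["revoked"] or rt["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return _issue(rt["sub"], client_id, rt["scope"], now, False)
    return {"error": "unsupported_grant_type"}


def revoke_client_access(sub, client_id):
    """User-side revocation of one client; outstanding access tokens simply age out."""
    for rt in REFRESH_TOKENS.values():
        if rt["sub"] == sub and rt["client_id"] == client_id:
            rt["revoked"] = True


def change_password(sub, new_password):
    """Password rotation never touches issued tokens, so client access keeps working."""
    USERS[sub] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), USER_SALT, 10_000)


def introspect(authorization_header, now=None):
    """Resource side: validate 'Authorization: Bearer ...' by asking the AS's token store."""
    now = time.time() if now is None else now
    if not authorization_header.startswith("Bearer "):
        return None
    tok = ACCESS_TOKENS.get(authorization_header[7:])
    if tok is None or tok["exp"] <= now:
        return None
    return tok
```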
OAuth 2.0 Concerns
• OAuth 2 is not a protocol, but a framework
• No profiles for interoperability
–No Mandatory to Implement grant types
–AS extends return value
• Token
–Token might not be opaque to client
–Resource → AS Token Validation
• Client → Resource token usage is solid
OAuth 2.0 Concerns
• OAuth 1 had message signing
–for integrity protection
• Protect integrity/confidentiality with TLS
OAuth 2.0 Concerns
• But, OAuth 1 signing was
–Request only
–Only for URLEncoded request (no XML, JSON)
–No existing support, had to be implemented
–Home-grown impls broke on API changes
–X.509-based signing often unimplemented
–Confidentiality still required TLS
• OAuth 2 has work toward MAC signing
OAuth 2.0 Concerns
• OAuth requires client registration
–limits API usage to registered clients
• except some username/password deployments
• Does not protect from malicious or phishing clients
–but would support user authentication mechanisms which would support this
JSON WEB TOKEN (JWT)
JSON Web Token
• Abbreviated JWT, pronounced “Jot”
• Standard token format
–containing JSON data
–supporting integrity, confidentiality
• Overly broad/bad definition
–“SAML Assertions in JSON instead of XML”
JWT Overview
• Fills in some missing pieces
–What is a good OAuth access token format?
–What “standard” attributes should I care about?
• subject
• “issued at” time
• “not before”, “expiry” to provide validity window
• “issuer”, “audience”
• unique token identifier
JWT Features
• “Issuer” allows you to support multiple Authorization Servers
• Allow resources to consume token directly
–without talking to AS
• OAuth 2 grant proposed to exchange remote JWT for local access token
–federation
JWT Format
• Format is simple
–URL-safe Base64-encoded data chunks, separated by dots
• crypto object defining integrity/confidentiality checks
• data object with some reserved keys
–possibly encrypted
• optionally, signature block
JWT Proposed usage
• Eventual token form for APIs to support
–network optimization
• Alternative to SAML for API access from other domains
OPENID CONNECT
OAuth 2.0 Caveat
• Not an Authentication Protocol on its own
–Do not treat OAuth access tokens as
• proof authentication was performed recently
• proof the party giving you this token is the user
• that this token is meant for your client
–Generally, do not treat the token as a message to a client about the user
OpenID Connect
• Completely New Protocol
• Extends AS with OpenID Provider Role
• Adds Identity Token (id_token) for SSO
–JSON Web Token
–Message to client about user
• Adds UserInfo endpoint
• Adds hybrid flows
–client is split between local and hosted pieces
OpenID Connect
• Adds Dynamic Registration of clients
• Adds Discovery of OpenID Provider metadata on domain
–via /.well-known/
Openstack identity protocols unconference
