SlideShare una empresa de Scribd logo

Intro to OAuth2 and OpenID Connect

Descargar como PPTX, PDF
L
LiamWadman

An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect

Tecnología
1 de 15
Intro to OAuth2/OpenID Connect Liam Wadman Jan 20 2020
Straight to the point: OAuth • OAuth is an IETF standard for allowing an application to obtain access to an HTTP service on behalf of an end user(without a user sharing their password!), or on its own behalf. • OAuth is not just using signed JWTs for authentication, though a lot of OAuth implementations use signed JWTs. • OAuth does not Authenticate end-users (humans like us!) to applications • Everyone who is sane in the industry refers to “OAuth2” when saying OAuth. OAuth1 is officially deprecated • OpenID Connect (OIDC) is an authentication layer for end- users(Humans!) built on top of OAuth
OAuth 2.0 Terminology • Client: The application that is calling an API • Resource Server: the API that is being called • Access Token: The credential used by a client to interact with the resource server. • Authorization Server: The server that issues access tokens. Can also be called to validate access tokens • Resource Owner: the person or application that an access token represents. Can be called “end-user” if this is a human • Authorization Code: A one time use token an end-user receives from an authorization server and gives to an OAuth client • Grant: Mode of Operation. OAuth has 4 core “grants”, that define the use case and how all the different components interact
OAuth Core Concepts • Access Tokens are signed JWTs or long strings (opaque tokens) • JWTs can be validated without phoning home to the authorization server. This means that a bad setup might issue tokens that are difficult/impossible to revoke without disrupting users!(rotating signing keys!) • A resource server receiving an Opaque token would have to phone home to the issuing Authorization Server to see if it’s still valid • The content of access tokens is defined as a standard (RFC7662) • OAuth is “delegation” and is a stand-in for the old pattern of users sharing or syncing passwords between services. We’d call credential sharing “impersonation”, and that is risky for users. • End-Users must be authenticated to the OAuth Client and Authorization server to finish “OAuthing” • Authorization servers should always prompt for consent before granting an OAuth token for humans, and inform them of what permissions they’re granting the OAuth client • Authorization servers keep a registry of a redirect URI specific for each client • In all diagrams following we assume the user is already authenticated to the OAuth Client and Authorization server
Client Credentials Grant • Client Credentials grant: A system authenticates itself to the authorization server with its own credential, and receives back an access token scoped to its own identity. • Think an application that queries information from a remote API for its own usage. OAuth Client Authorization Server Resource Server OAuth Client’s Credentials Access Token Access Token, API call Results of API call
Authorization Code Grant • A remote system(running on a server) gains consent from a user to take an action on their behalf: • Think entitling an inbox management software to read your gmail and unsubscribe you from spam • Authorization code grant clients can be given a refresh token that they can use to renew a user’s access token without re-interacting with the user! (Best practice: refresh tokens must expire if not redeemed within a suitable time window) OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
Implicit Grant • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs • Implicit clients have no secret for which to authenticate themselves - we are forced to trust the user’s device’s registered URI scheme and/or DNS resolutions OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Access Token (5)Access Token, API call (6)Results of API call End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
Resource Owner Password Grant • A user gives their password to a client, and the client requests an Access token on their behalf. • Sharing passwords is fundamentally not secure, and Resource Owner Password Grant should be avoided at all costs. If you simply must use this, have the OAuth client discard the user’s password immediately after the Access/Refresh token is received. • Can also get a refresh token, like authorization code grant OAuth Client Authorization Server Resource Server (1)Resource Owner’s Password (2) Access Token, Optional refresh token (5)Access Token, API call (6)Results of API call
OpenID Connect • OpenID Connect is a simple identity and authentication layer built on top of OAuth2 implicit and authorization code grants • Works essentially the exact same as implicit and authorization code grant, but the client also gets an “id_token” with the user’s identity attributes (Name, email, address, date of birth, etc) • It allows an end-user who is authenticated with one application (The OpenID Provider) to authenticate to a second application using the first application’s identity • Think signing into a mobile or web app with your Google, Facebook or GitHub account. • Allows you to seamlessly integrate delegations and authentication together, simplifying the developer and user experience!
OpenID Connect Terminology • End-User: The Resource owner. By Definition, must be human • Relying Party: The OAuth Client to which an end-user is authenticating • OpenID Provider: The Authorization Server, in OpenID terms. Issues ID_Tokens • ID_Token: The token that an End-user gets from their OpenID Provider to authenticate themselves to a relying party • Flow: OpenID term for “Grant”
OpenID Connect Core Concepts • Trusting an OpenID Provider means you may allow your user’s account to be taken over by an attacker if their account at the OpenID Provider gets taken over! • Best practices would be to notify a user if there is a login from a new OpenID provider, and perform the same monitoring you would for normal logins on OpenID logins, or challenge them for a 2nd factor of authentication on a sensitive operation • You do not need to let a client take action on an End-User’s behalf or even issue them a valid access token at all in OpenID Connect. You can keep it to “authentication” and remove the delegation • OpenID providers should ask for consent before allowing a user to authenticate to a website, and inform a user of what data they are sharing • OpenID connect is for Humans only • In all diagrams following we assume the user is already authenticated to the OpenID provider
Authorization Code Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)ID_token, Optional Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
Implicit Flow • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services(office 365), single page web apps accessing APIs • Steps 5 and 6 only happen if an access token was granted OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) ID_Token, Optional Access Token (5)Access Token, API call* (6)Results of API call* End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
Hybrid Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) • User Authentication comes before delegation, speeds up the user experience. Has the URI scheme/DNS security implication of implicit grant for the user’s information OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code, ID_Token (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code, ID_token (3) Return Authorization Code, ID_Token (2) (3)
References OAuth RFC core RFC: https://tools.ietf.org/html/rfc6749 Access token introspection: https://tools.ietf.org/html/rfc7662 Signed JWT tokens RFC: https://tools.ietf.org/html/rfc7515 Open ID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html Intro to JWTs: https://jwt.io/introduction/ Draft OAuth Device grant (emerging standard): https://tools.ietf.org/html/draft-ietf- oauth-device-flow-15 JWT as client secret: https://tools.ietf.org/html/rfc7523 XML as client secret: https://tools.ietf.org/html/rfc7522

Recomendados

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 

Recomendados

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 

Más contenido relacionado

La actualidad más candente

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 

La actualidad más candente (20)

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth
OAuthOAuth
OAuth
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 

Similar a Intro to OAuth2 and OpenID Connect

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management Platform
Ian Foster
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
Priyanka Aash
 

Similar a Intro to OAuth2 and OpenID Connect (20)

Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management Platform
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
OAuth
OAuthOAuth
OAuth
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth
OAuthOAuth
OAuth
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Intro to OAuth2 and OpenID Connect

  • 2. Straight to the point: OAuth • OAuth is an IETF standard for allowing an application to obtain access to an HTTP service on behalf of an end user(without a user sharing their password!), or on its own behalf. • OAuth is not just using signed JWTs for authentication, though a lot of OAuth implementations use signed JWTs. • OAuth does not Authenticate end-users (humans like us!) to applications • Everyone who is sane in the industry refers to “OAuth2” when saying OAuth. OAuth1 is officially deprecated • OpenID Connect (OIDC) is an authentication layer for end- users(Humans!) built on top of OAuth
  • 3. OAuth 2.0 Terminology • Client: The application that is calling an API • Resource Server: the API that is being called • Access Token: The credential used by a client to interact with the resource server. • Authorization Server: The server that issues access tokens. Can also be called to validate access tokens • Resource Owner: the person or application that an access token represents. Can be called “end-user” if this is a human • Authorization Code: A one time use token an end-user receives from an authorization server and gives to an OAuth client • Grant: Mode of Operation. OAuth has 4 core “grants”, that define the use case and how all the different components interact
  • 4. OAuth Core Concepts • Access Tokens are signed JWTs or long strings (opaque tokens) • JWTs can be validated without phoning home to the authorization server. This means that a bad setup might issue tokens that are difficult/impossible to revoke without disrupting users!(rotating signing keys!) • A resource server receiving an Opaque token would have to phone home to the issuing Authorization Server to see if it’s still valid • The content of access tokens is defined as a standard (RFC7662) • OAuth is “delegation” and is a stand-in for the old pattern of users sharing or syncing passwords between services. We’d call credential sharing “impersonation”, and that is risky for users. • End-Users must be authenticated to the OAuth Client and Authorization server to finish “OAuthing” • Authorization servers should always prompt for consent before granting an OAuth token for humans, and inform them of what permissions they’re granting the OAuth client • Authorization servers keep a registry of a redirect URI specific for each client • In all diagrams following we assume the user is already authenticated to the OAuth Client and Authorization server
  • 5. Client Credentials Grant • Client Credentials grant: A system authenticates itself to the authorization server with its own credential, and receives back an access token scoped to its own identity. • Think an application that queries information from a remote API for its own usage. OAuth Client Authorization Server Resource Server OAuth Client’s Credentials Access Token Access Token, API call Results of API call
  • 6. Authorization Code Grant • A remote system(running on a server) gains consent from a user to take an action on their behalf: • Think entitling an inbox management software to read your gmail and unsubscribe you from spam • Authorization code grant clients can be given a refresh token that they can use to renew a user’s access token without re-interacting with the user! (Best practice: refresh tokens must expire if not redeemed within a suitable time window) OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
  • 7. Implicit Grant • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs • Implicit clients have no secret for which to authenticate themselves - we are forced to trust the user’s device’s registered URI scheme and/or DNS resolutions OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Access Token (5)Access Token, API call (6)Results of API call End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
  • 8. Resource Owner Password Grant • A user gives their password to a client, and the client requests an Access token on their behalf. • Sharing passwords is fundamentally not secure, and Resource Owner Password Grant should be avoided at all costs. If you simply must use this, have the OAuth client discard the user’s password immediately after the Access/Refresh token is received. • Can also get a refresh token, like authorization code grant OAuth Client Authorization Server Resource Server (1)Resource Owner’s Password (2) Access Token, Optional refresh token (5)Access Token, API call (6)Results of API call
  • 9. OpenID Connect • OpenID Connect is a simple identity and authentication layer built on top of OAuth2 implicit and authorization code grants • Works essentially the exact same as implicit and authorization code grant, but the client also gets an “id_token” with the user’s identity attributes (Name, email, address, date of birth, etc) • It allows an end-user who is authenticated with one application (The OpenID Provider) to authenticate to a second application using the first application’s identity • Think signing into a mobile or web app with your Google, Facebook or GitHub account. • Allows you to seamlessly integrate delegations and authentication together, simplifying the developer and user experience!
  • 10. OpenID Connect Terminology • End-User: The Resource owner. By Definition, must be human • Relying Party: The OAuth Client to which an end-user is authenticating • OpenID Provider: The Authorization Server, in OpenID terms. Issues ID_Tokens • ID_Token: The token that an End-user gets from their OpenID Provider to authenticate themselves to a relying party • Flow: OpenID term for “Grant”
  • 11. OpenID Connect Core Concepts • Trusting an OpenID Provider means you may allow your user’s account to be taken over by an attacker if their account at the OpenID Provider gets taken over! • Best practices would be to notify a user if there is a login from a new OpenID provider, and perform the same monitoring you would for normal logins on OpenID logins, or challenge them for a 2nd factor of authentication on a sensitive operation • You do not need to let a client take action on an End-User’s behalf or even issue them a valid access token at all in OpenID Connect. You can keep it to “authentication” and remove the delegation • OpenID providers should ask for consent before allowing a user to authenticate to a website, and inform a user of what data they are sharing • OpenID connect is for Humans only • In all diagrams following we assume the user is already authenticated to the OpenID provider
  • 12. Authorization Code Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)ID_token, Optional Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
  • 13. Implicit Flow • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services(office 365), single page web apps accessing APIs • Steps 5 and 6 only happen if an access token was granted OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) ID_Token, Optional Access Token (5)Access Token, API call* (6)Results of API call* End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
  • 14. Hybrid Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) • User Authentication comes before delegation, speeds up the user experience. Has the URI scheme/DNS security implication of implicit grant for the user’s information OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code, ID_Token (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code, ID_token (3) Return Authorization Code, ID_Token (2) (3)
  • 15. References OAuth RFC core RFC: https://tools.ietf.org/html/rfc6749 Access token introspection: https://tools.ietf.org/html/rfc7662 Signed JWT tokens RFC: https://tools.ietf.org/html/rfc7515 Open ID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html Intro to JWTs: https://jwt.io/introduction/ Draft OAuth Device grant (emerging standard): https://tools.ietf.org/html/draft-ietf- oauth-device-flow-15 JWT as client secret: https://tools.ietf.org/html/rfc7523 XML as client secret: https://tools.ietf.org/html/rfc7522