CIS14: Working with OAuth and OpenID Connect

Roland Hedberg, Umeå University
All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.

Published in: Technology
Transcript of "CIS14: Working with OAuth and OpenID Connect"

  1. OAuth 2.0 and OpenID Connect Basics
     From OAuth2 to OpenID Connect, by Roland Hedberg
  2. Let's start with OAuth2
  3. ❖ The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service,
     ❖ either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service,
     ❖ or by allowing the third-party application to obtain access on its own behalf.
  4. The players: Authorization Server, Resource Server, Client
  5. Authorization Request (Client -> Authorization Server: authorization request)
  6. Authorization Request - details
     Parameters: client_id, redirect_uri, response_type, scope, state
     GET http://example.com/authorization?state=1521671980316802035&
         redirect_uri=https://example.org/authz_cb&
         response_type=code&
         client_id=SFEBuhC7sp3a
  7. AUTHENTICATION HAPPENS & End-user consent/authorization (at the Authorization Server)
  8. Authorization Response (Authorization Server -> Client: authorization response)
  9. Authorization Response - details
     GET https://example.org/authz_cb?state=1521671980316802035&
         code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6
     Parameters for response_type=code: code, state
     Parameters for response_type=token: access_token, token_type, expires_in, scope, state
  10. Access Token Request (Client -> Authorization Server: access token request)
  11. Access Token Request - details
      Parameters: client_id, code, grant_type, redirect_uri
      POST http://example.com/token

      code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6&
      grant_type=authorization_code&
      redirect_uri=https://example.org/authz_cb
  12. Access Token Response (Authorization Server -> Client: access token response)
  13. Access Token Response - details
      Parameters: access_token, expires_in, refresh_token, scope, token_type
      {
        "access_token": "s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND",
        "expires_in": 3600,
        "refresh_token": "s87BT60pp2U+bNX2HnkWpVCnDYPsy8EOpI",
        "state": "STATE0",
        "token_type": "Bearer"
      }
  14. Resource Access (Client <-> Resource Server: resource request/response)
  15. Resource Access - details
      GET https://example.com/resource
      Header:
      Authorization: Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND
  16. The whole flow: authorization request -> authentication and end-user consent/authorization -> authorization response -> access token request -> access token response -> resource request/response
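The client side of slides 5 to 16, as an added example that is not part of the deck and not code from pyoidc: it builds the authorization request, checks the redirect back to redirect_uri before accepting the code, assembles the token request body and accepts the token response. All endpoint URLs, client_id, redirect_uri and token values are constructed, modelled on the slides. The point a client must not skip is the state comparison on the way back: it is what ties the authorization response to the browser session that started the request.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values, modelled on the slides (not real credentials).
AUTHORIZATION_ENDPOINT = "https://example.com/authorization"
TOKEN_ENDPOINT = "https://example.com/token"
CLIENT_ID = "SFEBuhC7sp3a"
REDIRECT_URI = "https://example.org/authz_cb"


def new_state() -> str:
    """Unguessable per-request value the client keeps in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_request(state: str, scope: str = "read") -> str:
    """Slide 6: the URL the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_authorization_response(callback_url: str, expected_state: str) -> str:
    """Slide 9: parse the redirect back to redirect_uri and return the code.

    The state check binds the response to the session that started the
    request; without it any code delivered to the callback would be accepted.
    """
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    if "error" in query:
        raise ValueError("authorization server returned error: %s" % query["error"][0])
    state = query.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(state[0], expected_state):
        raise ValueError("state mismatch: response not bound to this session")
    code = query.get("code", [])
    if len(code) != 1 or not code[0]:
        raise ValueError("authorization response carries no single code")
    return code[0]


def build_token_request(code: str) -> dict:
    """Slide 11: form body for the back-channel POST to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one sent on slide 6
        "client_id": CLIENT_ID,
    }


def parse_token_response(body: str) -> dict:
    """Slide 13: accept only a Bearer token carrying the fields the slide lists."""
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    if not isinstance(token.get("expires_in"), int) or token["expires_in"] <= 0:
        raise ValueError("expires_in missing or not a positive integer")
    if not token.get("access_token"):
        raise ValueError("access_token missing")
    return token


def bearer_header(token: dict) -> dict:
    """Slide 15: the header that presents the access token to the resource server."""
    return {"Authorization": "Bearer " + token["access_token"]}


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_request(state))
    # Constructed callback, as the browser would deliver it to redirect_uri.
    code = handle_authorization_response(
        REDIRECT_URI + "?state=" + state + "&code=s87BT60pp2U", state)
    print(build_token_request(code))
```

The token request is sent with the client's credentials over the back channel; which credential form (HTTP Basic or body parameters) applies depends on how the client was registered, so it is left out of the body above.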
  17. Flows
      ❖ Authorization Code Grant
      ❖ Implicit Grant
      ❖ Resource Owner Password Credentials Grant
      ❖ Client Credentials Grant
  18. Implicit grant: authorization request -> authentication and end-user consent/authorization -> authorization response (the token is returned here; there is no access token request/response step) -> resource request/response
  19. Resource Owner Password Credentials Grant & Client Credentials Grant: access token request -> access token response -> resource request/response (no authorization request and no end-user interaction)
  20. From OAuth2 to OpenID Connect
  21. ❖ OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.
      ❖ It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  22. The differences
      ❖ Only authorization code grant and implicit grant flows
      ❖ Dynamic provider discovery and client registration
      ❖ ID Token
      ❖ Additions/Clarifications/Constrictions
      ❖ UserInfo endpoint
  23. Flows
      ❖ Authorization code
      ❖ Implicit
      ❖ Hybrid (authorization code with a twist), response_type values:
        ❖ code id_token
        ❖ code token
        ❖ code id_token token
  24. Dynamic provider discovery and client registration
  25. Dynamic discovery and registration
      1. Find the provider
      2. Discover provider info
      3. Register client
  26. 1. Find the provider
      ❖ Webfinger (RFC 7033)
      ❖ User identifier -> URL
      ❖ carol@example.com ->

      GET /.well-known/webfinger?
          resource=acct:carol@example.com&
          rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1
      Host: example.com
  27. Webfinger response
      HTTP/1.1 200 OK
      Access-Control-Allow-Origin: *
      Content-Type: application/jrd+json

      {
        "subject" : "acct:carol@example.com",
        "links" :
        [ {
          "rel" : "http://openid.net/specs/connect/1.0/issuer",
          "href" : "https://openid.example.com"
        } ]
      }
  28. 2. Discover provider info - query
      GET /.well-known/openid-configuration HTTP/1.1
      Host: openid.example.com
  29. 2. Discover provider info - response
      ❖ issuer
      ❖ jwks_uri
      ❖ endpoints
      ❖ functions supported
      ❖ support for signing/encrypting algorithms
      ❖ policy/tos
  30. Required information
      ❖ issuer
      ❖ jwks_uri
      ❖ authorization_endpoint
      ❖ token_endpoint (*)
      ❖ response_types_supported
      ❖ subject_types_supported
      ❖ id_token_signing_alg_values_supported
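Steps 1 and 2 of the discovery procedure (slides 26 to 30), as an added example that is not part of the deck and not pyoidc code. It extracts the issuer from a Webfinger JRD, derives the openid-configuration URL, and refuses a metadata document whose fields are missing or whose `issuer` differs from the URL the document was fetched from. The JRD and metadata documents are constructed from the values on the slides; the actual HTTPS fetches are left to the caller so the block runs offline.

```python
import json
from urllib.parse import urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Provider metadata fields slide 30 lists as required.
REQUIRED_METADATA = (
    "issuer",
    "jwks_uri",
    "authorization_endpoint",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample responses, modelled on slides 27, 29 and 30.
WEBFINGER_RESPONSE = json.dumps({
    "subject": "acct:carol@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://openid.example.com"}],
})
PROVIDER_METADATA = json.dumps({
    "issuer": "https://openid.example.com",
    "jwks_uri": "https://openid.example.com/jwks.json",
    "authorization_endpoint": "https://openid.example.com/authorization",
    "token_endpoint": "https://openid.example.com/token",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def issuer_from_webfinger(jrd_text: str, resource: str) -> str:
    """Step 1: pick the issuer out of a Webfinger JRD (slide 27)."""
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource:
        raise ValueError("webfinger subject does not match the queried resource")
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == OIDC_ISSUER_REL]
    if len(hrefs) != 1 or not hrefs[0]:
        raise ValueError("expected exactly one OpenID issuer link")
    parts = urlsplit(hrefs[0])
    # An issuer is an https URL with no query or fragment; anything else is refused.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return hrefs[0]


def configuration_url(issuer: str) -> str:
    """Step 2: where the client fetches the provider metadata (slide 28)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_provider_metadata(metadata_text: str, expected_issuer: str,
                               needs_token_endpoint: bool = True) -> dict:
    """Check the metadata document before trusting any endpoint in it."""
    md = json.loads(metadata_text)
    missing = [f for f in REQUIRED_METADATA if f not in md]
    # token_endpoint is marked (*) on slide 30: required unless only the
    # implicit flow is used.
    if needs_token_endpoint and "token_endpoint" not in md:
        missing.append("token_endpoint")
    if missing:
        raise ValueError("provider metadata missing: " + ", ".join(missing))
    # The issuer inside the document must be the one whose well-known URL was
    # fetched; otherwise the document could point the client at another party.
    if md["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (md["issuer"], expected_issuer))
    for field in ("jwks_uri", "authorization_endpoint", "token_endpoint"):
        if field in md and not md[field].startswith("https://"):
            raise ValueError(field + " must be an https URL")
    if "RS256" not in md["id_token_signing_alg_values_supported"]:
        raise ValueError("provider must support RS256 for ID Token signing")
    return md


def discover(jrd_text: str, resource: str, metadata_text: str) -> dict:
    """Steps 1 and 2 chained; the metadata fetch itself is done by the caller."""
    issuer = issuer_from_webfinger(jrd_text, resource)
    return validate_provider_metadata(metadata_text, issuer)


if __name__ == "__main__":
    md = discover(WEBFINGER_RESPONSE, "acct:carol@example.com", PROVIDER_METADATA)
    print(configuration_url(md["issuer"]), md["authorization_endpoint"])
```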
  31. 3. Client registration
      ❖ uris
      ❖ application information
      ❖ support for signing/encrypting algorithms
      ❖ key material
      ❖ server behavior
      ❖ client behavior
  32. Required information
      ❖ redirect_uris
  33. Client registration response
      ❖ client_id
      ❖ possibly client_secret and, if so, client_secret_expires_at
      ❖ and the Authorization Server's view of things
  34. An Authorization Server
      ❖ MAY add fields the client didn't include.
      ❖ MAY reject or replace any of the Client's requested field values and substitute them with suitable values.
      ❖ MAY ignore values provided by the client, and MUST ignore any fields sent by the Client that it does not understand.
  35. A Client cannot
      ❖ modify a registration
      ❖ delete a registration
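How a client should treat the registration response on slides 33 and 34, as an added example that is not part of the deck and not pyoidc code. Because the server may add, replace or ignore fields, the client configures itself from what came back rather than from what it sent, and it refuses a response that registers a redirect_uri it never asked for. Request and response contents are constructed.

```python
import json
import time

# Constructed sample registration request and response (slides 31 to 34).
REGISTRATION_REQUEST = {
    "redirect_uris": ["https://example.org/authz_cb"],
    "client_name": "Example RP",
    "token_endpoint_auth_method": "client_secret_basic",
    "id_token_signed_response_alg": "RS256",
}
REGISTRATION_RESPONSE = json.dumps({
    "client_id": "SFEBuhC7sp3a",
    "client_secret": "constructed-secret-value",
    "client_secret_expires_at": 1893456000,
    "redirect_uris": ["https://example.org/authz_cb"],
    "client_name": "Example RP",
    "token_endpoint_auth_method": "client_secret_basic",
    "id_token_signed_response_alg": "RS256",
    "response_types": ["code"],  # a field the server added (slide 34)
})


def accept_registration(requested: dict, response_text: str, now: float = None) -> dict:
    """Adopt the Authorization Server's view of the registration.

    Returns the client_id, the metadata to run with, the fields the server
    changed and the fields it added, or raises if the response is unusable.
    """
    now = time.time() if now is None else now
    resp = json.loads(response_text)
    if not resp.get("client_id"):
        raise ValueError("registration response lacks client_id")
    if "client_secret" in resp:
        expires_at = resp.get("client_secret_expires_at")
        if expires_at is None:
            raise ValueError("client_secret issued without client_secret_expires_at")
        # 0 means the secret does not expire; anything else is a Unix time.
        if expires_at != 0 and expires_at <= now:
            raise ValueError("client_secret is already expired")
    # Every redirect_uri the server registered must be one this client asked
    # for; an extra one would deliver responses to a location it does not control.
    asked = set(requested.get("redirect_uris", []))
    got = set(resp.get("redirect_uris", []))
    if not got or not got <= asked:
        raise ValueError("server registered redirect_uris we did not request: %s"
                         % sorted(got - asked))
    changed = {k: (requested[k], resp[k]) for k in requested
               if k in resp and resp[k] != requested[k]}
    added = sorted(k for k in resp if k not in requested)
    return {"client_id": resp["client_id"], "metadata": resp,
            "changed": changed, "added": added}


if __name__ == "__main__":
    print(accept_registration(REGISTRATION_REQUEST, REGISTRATION_RESPONSE))
```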
  36. ID Token
  37. ID Token
      ❖ Have to make a detour into JWT/K/A/S/E land
  38. JWT
      ❖ JSON Web Token
      ❖ a compact URL-safe means of representing claims to be transferred between two parties
      ❖ Suggested pronunciation: 'jot'
  39. JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures.
      JWE represents encrypted content using JavaScript Object Notation (JSON) based data structures.
  40. JWK: a JavaScript Object Notation (JSON) data structure that represents a cryptographic key
      JWA: registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications
  41. ID Token
      ❖ a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.
      ❖ is represented as a JSON Web Token (JWT)
  42. ID Token claims - required
      ❖ iss - Issuer Identifier for the Issuer of the response
      ❖ sub - Subject Identifier
      ❖ aud - Intended audience
      ❖ exp - Expiration time
      ❖ iat - Issued at
      ❖ auth_time - Authentication time
      ❖ nonce
  43. ID Token claims - optional
      ❖ acr - Authentication Context Class Reference
      ❖ amr - Authentication Method References
      ❖ azp - Authorized party
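Validation of the claims on slides 42 and 43, as an added example that is not part of the deck and not pyoidc code. It uses the stdlib only, so the JWS is HS256 keyed with the client_secret (a signing option OpenID Connect Core permits for a client registered for it) rather than the RS256 the slides' provider would typically use; the validation order is the same either way: fix the expected algorithm from the client's own configuration, verify the signature, then check iss, aud/azp, exp, iat and the nonce the client sent. The secret and claim values are constructed; `mint_id_token` exists only to produce test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values, modelled on the slides (not real credentials).
CLIENT_SECRET = "constructed-client-secret"
ISSUER = "https://openid.example.com"
CLIENT_ID = "SFEBuhC7sp3a"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
    "exp": 1700003600, "iat": 1700000000, "auth_time": 1699999900,
    "nonce": "n-0S6_WzA2Mj",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Provider side, only to have something to validate: compact HS256 JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str = None, now: float = None, skew: int = 60) -> dict:
    """Return the claims only if signature and every required claim check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # The algorithm comes from the client's configuration, never from the token:
    # a token announcing "none" or any other alg is rejected before anything else.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (parts[0] + "." + parts[1]).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            raise ValueError("missing required claim " + name)
    if claims["iss"] != issuer:
        raise ValueError("iss mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and "azp" not in claims:
        raise ValueError("multiple audiences but no azp")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp is not this client")
    if now >= claims["exp"] + skew:
        raise ValueError("token expired")
    if claims["iat"] > now + skew:
        raise ValueError("token issued in the future")
    # The nonce ties the ID Token to the authentication request this client sent.
    if nonce is not None and not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch: token not bound to this session")
    return claims


if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    print(validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID,
                            nonce="n-0S6_WzA2Mj", now=1700000100))
```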
  44. Additions/Clarifications/Constrictions
  45. OAuth2 Authorization Request - details (recap of slide 6)
      Parameters: client_id, redirect_uri, response_type, scope, state
      GET http://example.com/authorization?state=1521671980316802035&
          redirect_uri=https://example.org/authz_cb&
          response_type=code&
          client_id=SFEBuhC7sp3a
  46. Authentication Request - OpenID Connect extensions
      ❖ response_mode - The mechanism to use for returning parameters
      ❖ nonce - Associates client session with ID Token
      ❖ Signed/encrypted Authentication Request
      ❖ End-user interactions
      ❖ Response details
  47. Signed/encrypted Authentication Request
      ❖ request - by value
      ❖ request_uri - by reference

      ❖ Single self-contained parameter
      ❖ Signed and/or encrypted (JWT)
  48. End-user interactions
      ❖ display - How to display pages to End-User
      ❖ prompt - If the End-User should be prompted for re-authentication/consent
      ❖ max_age - allowed max time since last authentication
      ❖ ui_locales - End-User's preferred languages and scripts
      ❖ id_token_hint - ID Token previously issued
      ❖ login_hint - login identifier the End-User might want to use
      ❖ acr_values - requested Authentication Context Class Reference values
  49. Response details
      ❖ claims
        ❖ userinfo
        ❖ id_token

      ❖ claims specification
        ❖ null
        ❖ essential
        ❖ value
        ❖ values
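An authentication request carrying the extensions on slides 46, 48 and 49, as an added example that is not part of the deck and not pyoidc code. It enforces the two things a client most easily gets wrong at this step: `openid` must be in the scope, and a `nonce` must be present whenever an ID Token comes back from the authorization endpoint. It also builds the `claims` parameter with the null/essential/value/values forms from slide 49. The endpoint, client_id, redirect_uri and acr value are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# OpenID Connect extension parameters from slides 46 to 49.
EXTENSION_PARAMS = {"response_mode", "display", "prompt", "max_age", "ui_locales",
                    "id_token_hint", "login_hint", "acr_values", "claims"}


def claim_spec(essential=None, value=None, values=None):
    """One entry of the claims parameter: None (just ask for it), or a dict
    with "essential", "value" and/or "values"."""
    spec = {}
    if essential is not None:
        spec["essential"] = bool(essential)
    if value is not None:
        spec["value"] = value
    if values is not None:
        spec["values"] = list(values)
    return spec or None


def claims_request(id_token=None, userinfo=None) -> dict:
    """The JSON object for the claims parameter: which claims go where."""
    req = {}
    if userinfo:
        req["userinfo"] = userinfo
    if id_token:
        req["id_token"] = id_token
    return req


def build_authentication_request(endpoint: str, client_id: str, redirect_uri: str,
                                 state: str, nonce: str = None,
                                 response_type: str = "code", scope: str = "openid",
                                 **extensions) -> str:
    if "openid" not in scope.split():
        raise ValueError("scope must contain openid for an authentication request")
    # Implicit and hybrid responses deliver the ID Token from the authorization
    # endpoint, so the nonce that binds it to this session is mandatory there.
    if "id_token" in response_type.split() and not nonce:
        raise ValueError("nonce is required when an ID Token is returned from the authorization endpoint")
    unknown = set(extensions) - EXTENSION_PARAMS
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if nonce:
        params["nonce"] = nonce
    for name, value in extensions.items():
        params[name] = (json.dumps(value, separators=(",", ":"))
                        if name == "claims" else str(value))
    return endpoint + "?" + urlencode(params)


def parse_authentication_request(url: str) -> dict:
    """Provider-side view of the same URL, with the claims parameter decoded."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "claims" in query:
        query["claims"] = json.loads(query["claims"])
    return query


if __name__ == "__main__":
    url = build_authentication_request(
        "https://openid.example.com/authorization", "SFEBuhC7sp3a",
        "https://example.org/authz_cb", state="st-1", nonce="n-1",
        response_type="code id_token", max_age=3600, prompt="login",
        claims=claims_request(
            id_token={"auth_time": claim_spec(essential=True),
                      "acr": claim_spec(values=["urn:example:loa:2"])},
            userinfo={"email": claim_spec(essential=True), "nickname": None}))
    print(url)
    print(parse_authentication_request(url)["claims"])
```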
  50. UserInfo endpoint
  51. User info - set of standard claims
      ❖ sub, name, given_name, family_name, middle_name, nickname, preferred_username
      ❖ profile, picture, website, email, email_verified, gender, birthdate
      ❖ zoneinfo, locale, phone_number, phone_number_verified, address, updated_at
  52. Claims types
      ❖ Normal
      ❖ Aggregated
      ❖ Distributed
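The three claim types of slide 52 in one UserInfo response, as an added example that is not part of the deck and not pyoidc code. Aggregated and distributed claims are announced through the `_claim_names` and `_claim_sources` members that OpenID Connect Core defines: an aggregated source carries a JWT, a distributed one an endpoint plus access token. The block classifies the claims and resolves them through two caller-supplied callables, `verify_jwt` and `fetch`; the stand-ins provided here only decode a constructed token and answer a fixed endpoint, so a real client must replace `demo_verify_jwt` with proper JWS verification against the claim provider's keys. All sample values are constructed.

```python
import base64
import json
from typing import Callable


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _constructed_jwt(payload: dict) -> str:
    # Header and payload only; the signature part is a placeholder because this
    # sample exists to show the structure, not to be trusted.
    return ".".join([b64url_encode(b'{"alg":"RS256"}'),
                     b64url_encode(json.dumps(payload).encode()),
                     "SIGNATURE-PLACEHOLDER"])


# Constructed UserInfo response with normal, aggregated and distributed claims.
USERINFO_RESPONSE = {
    "sub": "248289761001",
    "name": "Carol Example",
    "email": "carol@example.com",
    "_claim_names": {"address": "src1", "phone_number": "src1", "credit_score": "src2"},
    "_claim_sources": {
        "src1": {"JWT": _constructed_jwt({"address": {"street_address": "1 Main St",
                                                      "locality": "Anytown"},
                                          "phone_number": "+1 555 0100"})},
        "src2": {"endpoint": "https://bank.example.com/api", "access_token": "ksj3n283dke"},
    },
}


def split_claims(userinfo: dict):
    """Classify a UserInfo response into normal, aggregated and distributed claims."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    normal = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    aggregated, distributed = {}, {}
    for claim, src_name in names.items():
        src = sources.get(src_name)
        if src is None:
            raise ValueError("claim %s refers to unknown source %s" % (claim, src_name))
        if "JWT" in src:
            aggregated[claim] = src_name
        elif "endpoint" in src:
            distributed[claim] = src_name
        else:
            raise ValueError("source %s is neither aggregated nor distributed" % src_name)
    return normal, aggregated, distributed


def resolve_claims(userinfo: dict, verify_jwt: Callable[[str], dict],
                   fetch: Callable[[str, str], dict]) -> dict:
    """Full claim set; a source may only supply the claims the response named for it."""
    normal, aggregated, distributed = split_claims(userinfo)
    sources = userinfo.get("_claim_sources", {})
    resolved, cache = dict(normal), {}
    for claim, src_name in list(aggregated.items()) + list(distributed.items()):
        if src_name not in cache:
            src = sources[src_name]
            cache[src_name] = (verify_jwt(src["JWT"]) if "JWT" in src
                               else fetch(src["endpoint"], src.get("access_token")))
        if claim in cache[src_name]:
            resolved[claim] = cache[src_name][claim]
    return resolved


def demo_verify_jwt(token: str) -> dict:
    # Stand-in only: decodes the payload without checking the signature.
    return json.loads(b64url_decode(token.split(".")[1]))


def demo_fetch(endpoint: str, access_token: str) -> dict:
    # Stand-in for an HTTPS GET with "Authorization: Bearer <access_token>".
    if endpoint != "https://bank.example.com/api" or access_token != "ksj3n283dke":
        raise PermissionError("unexpected endpoint or token")
    return {"credit_score": 650, "unrequested": "not named in _claim_names"}


if __name__ == "__main__":
    print(resolve_claims(USERINFO_RESPONSE, demo_verify_jwt, demo_fetch))
```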
  53. Summary
      ❖ OAuth2 is about authorization
      ❖ OpenID Connect adds authentication and identity information
  54. Questions?