The document discusses OAuth2 and OpenId Connect protocols for securing web applications. It provides an overview of how OAuth2 is used to get tokens in exchange for secrets to allow software access to resources without revealing the secret. OpenId Connect extends OAuth2 to provide authentication by using OAuth tokens to identify users. The document outlines common scenarios and actors in the protocols, describes different token types and flows, and demonstrates how to implement OAuth2 and OpenId Connect.
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Securing Web Apps with OAuth2 and OpenId Connect
ROME 27-28 march 2015
Securing your web apps with
OAuth2 and OpenId Connect
roland@rmgsolutions.nl – RMG Solutions
Roland Guijt
Agenda
- The problem
- How it works
- Demos
Modern Applications
(diagram: more than one client for the same app, and each app possibly talking to several Web APIs)
Modern Applications (continued)
What is OAuth?
- HTTP(S) authorization for the new world
- Gets you tokens in exchange for a secret
- Use the tokens to let software gain access to resources (Web APIs) without revealing the secret
What is OpenId Connect?
- Extends OAuth
- Authentication: Uses the OAuth way to know the user
- If the identity of the user is needed
Context
- OAuth: authorization protocol, fetches tokens
- OpenId Connect: authentication, built on top of OAuth
Cast
- Resource Owner
- Client
- Resource Server
- Authorization Server
Cast
Resource Owner - Homo Sapiens
Client - MVC Website/Browser (js)
Resource server - Web API
Authorization server - Identity Server 3
Tokens
- Contain claims
- Signed
- Expire
- JWT format for OpenId – parsable by every platform
- Credentials for resource server
- Store/send token instead of secret
- Issued by authorization server
- Trusted by resource server
- Single Sign On (SSO)
JWT Example
Header:
{
  "typ": "JWT",
  "alg": "HS256"
}
Payload:
{
  "sub": "3449455",
  "aud": "clientId",
  "iss": "http://issuerURL",
  "exp": 1311281970,
  "auth_time": 1311280969,
  "scope": ["read", "write"],
  "myClaim": "Something"
}
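What the resource server has to do with a token like the one above before trusting any claim in it, as an added example that is not part of the deck or of IdentityServer: pin the expected algorithm, verify the HS256 signature over a shared secret, then check iss, aud and exp. The secret, the make_jwt helper and the claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Constructed stand-in for the authorization server: mints an HS256 JWT over a shared secret.
    alg="none" produces an unsigned token, used only to show that the verifier rejects it."""
    header = {"typ": "JWT", "alg": alg}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = b"" if alg == "none" else hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Resource-server side: check the algorithm we expect, the HMAC signature, then iss, aud, exp.
    Raises ValueError on any failure (a malformed token fails the 3-part split with ValueError too)."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the header is attacker-controlled until the signature has been verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")                      # aud may be a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):         # exp is a NumericDate: seconds since the epoch
        raise ValueError("token expired")
    return claims


def is_valid(token: str, secret: bytes, issuer: str, audience: str, now: int) -> bool:
    """Boolean wrapper around validate_jwt for callers that only need accept/reject."""
    try:
        validate_jwt(token, secret, issuer, audience, now)
        return True
    except ValueError:
        return False
```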
OAuth Flows
- Supported scenarios
- Choose wisely
- Flows without user interaction out of scope
OAuth Flow 1: Authorization Code
(diagram: the client redirects the browser to the authorization server; after authentication a code is returned through the browser to the client; the client exchanges the code for a token at the authorization server and presents the token to the Web API)
- Client secret is sent
OAuth Flow 2: Implicit
(diagram: the authorization server issues the token directly to the client, which presents it to the Web API)
- Authorization endpoint:
GET /authorize?response_type=token&client_id=BhdRkqt&state=xyz&redirect_uri=https://client.Example.com
OAuth Flow 3: Hybrid
- Combination of Authorization Code and Implicit
- Can issue code and/or tokens directly
- Code for long lived access (refresh tokens), token for quick access
OpenId Connect Extras
- ID token (scope openid)
- Additional user info (scopes profile, email, address, phone)
- Identity and UserInfo Endpoint
- Discovery
Refresh Tokens
- offline_access scope
- Not meant for resource server
- Used by client to get another token
- When access token expires
- Received together with access token
- At token refresh a new one is issued
- Not supported in the implicit flow: no client authentication
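The client side of flows 1 to 3 and of the refresh token grant above, as an added example that is not code from the deck or from IdentityServer: building the authorization request with a random state, reading the callback (code in the query string, implicit/hybrid tokens in the fragment) with a state check, and building the back-channel token request where the client secret goes. The endpoint URL, client id, secret and token values are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idsrv.example.com/connect/authorize"  # assumed; real value comes from discovery


def new_state() -> str:
    """Per-request random value the client stores (e.g. in the session) and checks on the callback."""
    return secrets.token_urlsafe(16)


def build_authorize_url(response_type: str, client_id: str, redirect_uri: str, scope: str, state: str, nonce: str = None) -> str:
    """Front-channel request. response_type: "code" (flow 1), "token" (flow 2), "code id_token" (flow 3)."""
    params = {"response_type": response_type, "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if nonce is not None:   # OpenId Connect binds an id_token to the request with a nonce
        params["nonce"] = nonce
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> dict:
    """Reads the authorization response. A code comes back in the query string; implicit and hybrid
    tokens come back in the URL fragment, which the browser never sends to the server."""
    u = urlparse(redirect_url)
    data = {k: v[0] for k, v in parse_qs(u.query).items()}
    data.update({k: v[0] for k, v in parse_qs(u.fragment).items()})
    if "error" in data:
        raise ValueError("authorization server returned error: " + data["error"])
    # Constant-time state compare: a callback with a missing or foreign state is not ours (CSRF on the redirect URI).
    if not hmac.compare_digest(data.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return data


def callback_state_ok(redirect_url: str, expected_state: str) -> bool:
    try:
        parse_callback(redirect_url, expected_state)
        return True
    except ValueError:
        return False


def token_request(client_id: str, client_secret: str, code: str = None, refresh_token: str = None, redirect_uri: str = None) -> dict:
    """Back-channel POST body for the token endpoint. Only here is the client secret sent, which is
    why refresh tokens are unavailable to implicit (browser) clients that cannot keep a secret."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        body.update(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)
    elif refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need a code or a refresh token")
    return body
```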
More Info?
- Read the specs
  - http://openid.net/specs/openid-connect-core-1_0.html
  - https://tools.ietf.org/html/rfc6749
- IdentityServer
  - https://github.com/IdentityServer/IdentityServer3
  - https://github.com/IdentityServer/IdentityServer3.Samples
ROME 27-28 march 2015 - Roland Guijt
Leave your feedback on Joind.in!
https://joind.in/event/view/3347
Contact me:
roland.guijt@gmail.com
@rolandguijt
Editor's Notes
There is more than one client for the same app
And maybe that app is using multiple APIs
OAuth
OAuth is an authorization protocol using tokens. The tokens contain "claims", information about the user.
OAuth supplies the room key you get in a hotel. You can get in your room, in the fitness room, swimming pool etc. But not in other guest rooms.
OpenId Connect supplies the ID itself. It more or less proves that you are who you say you are.
Let’s say I want to watch Breaking Bad for the whole weekend
Then my client could be my TV
The application could be Netflix
And the auth server is of course my wife
Based on the input, my wife says no
So I vary on the theme a little.
It’s still me wanting to watch the whole weekend
But now I'm on my iPad
Watching a television network
But the wife still says no
Actually she could say yes if I only asked her to watch for an hour.
Saying yes or no is authentication
Restricting access for an hour is authorization
So translated to our world:
The user is a human
The client could be a website or windows app
The application could be Web API
And as an auth server we use Thinktecture Identity server 3, but any other will do as well such as Azure AD
For a single page application the client is the browser; this is the scenario we're focusing on.
Authorization code is for web server/windows client apps
The advantage is that the token itself is not known by the client
The token is called an access token. It can be accompanied by a refresh token.
The user-agent (browser) does an initial request to the client.
The client redirects the user-agent to the auth server and gets back a code after authentication.
The code is sent to the client, which gets the token from the auth server.
In this way the token never passes through the user agent.
This flow supports refresh tokens
You can see that the password is never known to the client or resource.
OAuth doesn't specify default scopes; OpenId Connect does.
When redirect uri http://localhost is used, the code is returned as a query string in the (embedded) browser.
Implicit flow is optimized for JavaScript apps, also Cordova.
It's called implicit because the token is sent directly from the auth server without a code in between.
No refresh token support because the client doesn’t authenticate with the auth server.
Client authentication: next to the client_id, a secret specific to the client (not the user!) must be sent to the auth server.
Like the puk code on mobile phones
Demos:
- Show Auth server
- Show Web API
- Show WPF Implicit Client
- Show MVC OWIN Client (Hybrid)
- Show Javascript implicit client - simple