APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta
•
2 likes•43 views
Workshop: OAuth by Example Andy March, Platform Specialist, EMEA at Okta
Recommended
Recommended
More Related Content
Similar to APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta
Similar to APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta (20)
More from apidays
More from apidays (20)
Recently uploaded
Recently uploaded (20)
APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta
- 1. by example
- 2. 10+ years working in secure systems Hi! Platform Specialist at Okta Software Developer (.NET / Java / JS) @andymarch
- 8. Digital Identity Circa 2007 Simple Login – forms and cookies Single Sign-on – SAML Delegated Access – passwords
- 9. Yelp ~ 2007
- 10. Facebook ~ 2010
- 12. Specs are not tutorials
- 13. Delegated authorization with OAuth 2.0
- 14. Who’s who of OAuth 2.0 Resource Owner Client Authorization Server Resource Server Guest Hotel RoomReception DeskHotel
- 15. Register: redirect address ClientID, Client secret
- 16. ClientId(a unique identifier of an application)
- 17. ClientSecret (an authenticator for an application)
- 19. Authorization Code Grant (the most common and most secure grant for users)
- 20. Redirect: AuthorizationServer, ClientID, Scope Login ClientID, Scope
- 24. Consent(the user explicitly granting access)
- 26. Front Channel (server to server communication through a user’s browser)
- 27. AuthorizationCode client id, client secret Access Token AccessToken
- 28. Back Channel (direct server to server communication)
- 29. Client Credentials Grant (the machine to machine grant)
- 30. client id, client secret, scopes Access Token Access Token
- 31. What is an access token anyway Sent by a client in calls to a service. Demonstrates a user has consented access to resources. Two varieties: - Reference tokens - Self encoded tokens
- 35. JWT Header { "typ": "JWT", "alg": "HS256" }
- 36. { "ver": 1, "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y", "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "api://default", "iat": 1565947286, "exp": 1565953668, "cid": "0oa2hfshrmgrckemv0i7", "uid": "00u2w6fw3xqvgLv2P0i7", "scp": [ ”profile" ], "sub": "test@test.com" } JWT Payload
- 39. Local Token Validation Check the signature Check the audience Check the issuance timestamp Check the expiry timestamp
- 43. Remote Token Validation: Introspection http://examply.okta-emea.com/oauth2/default/v1/introspect Authorization Basic ${Base64(<client_id>:<client_secret>)} token=“bdfFGEW3g[…]sdChg7a4n8” token_type_hint=access_token { "active": true } Request Response
- 45. Simple Login – OAuth 2.0 Single Sign-on – OAuth 2.0 Mobile app login – OAuth 2.0 Delegated Access – OAuth 2.0 Digital Identity Circa 2012 Authentication Authentication Authentication Authorization
- 46. OpenID
- 47. OpenID Connect Default Scopes Openid Indicates an OpenId request Profile Access to the user’s profile Email Access to the user’s email address Address Access to the user’s physical address Phone Access to the user’s telephone number Offline_access Request refresh token for continued access
- 51. { "typ": "JWT", "alg": "RS256", "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y" } ID Token Header
- 52. { "sub": "00u2w6fw3xqvgLv2P0i7", "ver": 1, "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "0oa2hfshrmgrckemv0i7", "iat": 1565961634, "exp": 1565965234, "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw", "amr": [ "pwd" ], "idp": "00o2az2ierqKuOT0D0i7", "nonce": ”number_only_once", "auth_time": 1565961610, "at_hash": "6stguYO_Wp6CV45p1HSlCQ", } ID Token Payload
- 53. Access Token vs ID Token OAuth specification Audience is the resource server Describes the granted access by the user OpenId Specification Audience is the client Describes the authentication of the user
- 54. Simple Login – OpenID Connect Single Sign-on – OpenID Connect Mobile App Login – OpenID Connect Delegated Access – OAuth 2.0 Digital Identity Today
- 56. Resources
- 58. OAuth 2.0 Simplified Written by Aaron Parecki, Senior Security Architect @ Okta Member of the OAuth working group Maintainer of OAuth.net
- 59. OAuth.net
- 60. OIDCDebugger.com