OpenID Connect:
Building a secure login for your apps the right way!
Farasath Ahamed
IAM Team,
WSO2

Building an App

Building an application
● Building user signup
● Building a login/logout mechanism (authentication and authorization)
● Building reset password / recovery
● Managing users/profiles/sessions.
● The actual app functionality.

What do we usually do wrong?

What do we do wrong?
● Either consider security as an afterthought or end up over-engineering security.
● Baking authentication and authorization logic into the app.
● Thinking that people will use the app as we want.

Common mistakes and misconceptions...

Common mistakes and misconceptions
● Trying to implement personally developed security measures
○ Security loopholes
● Reinventing the wheel.
○ User stores
○ Social Login options
○ Libraries

Common mistakes and misconceptions
● Not thinking about the user experience
○ Especially user signup
○ MFA
○ Not thinking about single sign on
So what can we do better?

Warm Up

Authentication

Authorization

Single Sign On

Single Logout

Few more terms...
● Identity Provider
● Service Provider

OpenID Connect?

OpenID Connect
● Provides a standard API for login
○ Request <-> Response
○ A verifiable token containing user identity (ID Token)
○ An access token that can be used to obtain further user information
○ Access token also allows scoped authorization

OpenID Connect
● Defines a standard mechanism for single logout
● Provides a standard API for client registration
● Provides a standard API for information discovery
● Built with security in mind.
● Provides an authentication + authorization layer.

The Flow

The OpenID Connect Login
Application is registered at the OP (OpenID provider)
1. Send an OpenID Connect Request to the OP
2. User is authenticated at the OP
3. User is asked for consent at the OP
4. Application receives an intermediate ‘code’.
5. Application sends the code along with the application's authentication information.
6. The application receives an id_token + access token in the response. The app verifies the id_token and completes the login.

The OpenID Connect Login

Let’s see it in action

OpenID Connect Login : Request
https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https://developers.google.com/oauthplayground&prompt=consent&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=openid email profile https://www.googleapis.com/auth/xapi.zoo&access_type=offline

OpenID Connect Login : Authentication at OP

OpenID Connect Login : Consent at OP

OpenID Connect Login : Response
https://developers.google.com/oauthplayground/?code=4/6QBptdphHUBvd7X_lpOS5N2BlPvBy1QhrTfnNGlXKr-pu3k6znBQF_s6YGjbSGibtwlUi5Q90rfqVrUgxfbqIKA&scope=openid%20email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/xapi.zoo&authuser=0&session_state=7414bbf805e2f09026ee7065bc7358b46660897a..d46e&prompt=consent

OpenID Connect Login : Token Request
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-length: 277
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground

code=4%2F6QAsx1elz4EirZXkhCRW3jrM6-A5ABq_2IrbdHDhPrfm3b6Fwhrld1gLswcBSNxNE3z-E0sg4EJA79Pxm56gIwM&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=407408718192.apps.googleusercontent.com&client_secret=************&scope=&grant_type=authorization_code

OpenID Connect Login : Response
{
  "access_token": "ya29.GluoBu2HS6hrn7vVeTexqrW3m3i3sGLc6-kEaH_WK5aJmVtMyGMJY1kmlItrvj3S4WXd-arf199factfJVnq2Dr3GCNQsaVgCzPibWRGAZCTu18J67dAlwkuSY7a",
  "id_token": "eyJhbGciOiJSUzI1…….",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
  "refresh_token": "1/MOMjcw6wBrJBtHY5TzIw4wGg5SRt1fJhkOlp-hZo7LQ"
}

Code Flow

OpenID Connect Login : Code Flow

Implicit Flow

OpenID Connect Login : Implicit Flow

OpenID Connect Login : Code vs Implicit

Demo Time!

Why should we use OpenID Connect?

OpenID Connect : Why?
● Lets app and site developers authenticate users without taking on the responsibility of storing and managing passwords (Federation)
● End users have control over the data shared with the app.

OpenID Connect : Why?
● It’s a well-recognized industry standard / API
○ Wide range of OPs to choose from
○ Libraries
○ JSON over HTTP
○ Well tested in terms of security
○ Zero-code-change solutions available

OpenID Connect : Why?
● Enables BYOID (Bring Your Own Identity)
● Enables an easy path to provide Single Sign On
○ Most IdPs support OpenID Connect
○ Most SaaS apps support OpenID Connect

Security in OpenID Connect

OpenID Connect : Security Aspects
● Use of signed JWTs to pass user authentication information
○ App must verify the id_token sent in the response
● Request objects to prevent request tampering
○ Sending request params in a signed JWT.
● ‘state’ parameter to prevent CSRF
● ‘nonce’ parameter to prevent replay attacks
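The code-flow steps from the login slides and the state/nonce/id_token checks on this slide, as an added Python example that is not from the deck or from WSO2: a minimal relying party that builds the authorization request, checks ‘state’ on the callback, and verifies the id_token before completing the login. It assumes an OP that signs ID tokens with HS256 over a shared secret so it runs offline with the standard library; real OPs sign with RS256 and the app fetches the public key from the OP's JWKS endpoint.

```python
"""Constructed OpenID Connect relying-party helpers (not from the deck).

Builds the authorization request with 'state' and 'nonce', checks 'state'
on the callback, and verifies the id_token (alg, signature, iss, aud, exp,
nonce) before the login is completed. Assumption: the OP signs with HS256
using a shared secret so this runs offline; real OPs use RS256 and the app
fetches the public key from the OP's JWKS endpoint.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RelyingParty:
    """Client registration plus the state -> nonce pairs of logins in flight."""

    def __init__(self, issuer, authz_endpoint, client_id, redirect_uri, key):
        self.issuer = issuer
        self.authz_endpoint = authz_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.key = key            # HS256 shared secret (stand-in for the OP's RSA key)
        self.pending = {}         # state -> nonce; normally lives in the user session

    def begin_login(self, scope="openid email profile"):
        """Step 1: authorization request with a fresh state and nonce."""
        state = secrets.token_urlsafe(16)  # ties the callback to this session (anti-CSRF)
        nonce = secrets.token_urlsafe(16)  # must come back inside the id_token (anti-replay)
        self.pending[state] = nonce
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope,
                  "state": state, "nonce": nonce}
        return f"{self.authz_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Step 4: accept the code only if 'state' belongs to a login we started."""
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self.pending:
            raise ValueError("unknown or missing state: possible CSRF")
        nonce = self.pending.pop(state)  # single use, so a replayed callback fails
        if "error" in qs:
            raise ValueError(f"OP returned error: {qs['error'][0]}")
        code = qs.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return code, nonce

    def verify_id_token(self, id_token, expected_nonce, now=None):
        """Step 6: verify signature and claims; returns the claims or raises."""
        now = time.time() if now is None else now
        parts = id_token.split(".")
        if len(parts) != 3:
            raise ValueError("id_token is not a compact JWS")
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # the token must not choose 'none' or another alg
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token was issued to a different client")
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            raise ValueError("token missing exp or expired")
        if not hmac.compare_digest(str(claims.get("nonce")).encode(), expected_nonce.encode()):
            raise ValueError("nonce mismatch: replayed token")
        return claims


def mint_id_token(key, claims):
    """Stand-in for the OP: signs constructed claims with HS256 (for the test)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The code exchange itself (step 5, the POST to the token endpoint) is a plain HTTPS form post with the client secret and is left to an HTTP client; everything that decides whether the login may be trusted is in handle_callback and verify_id_token.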

OIDC Logout

OIDC Session Management

OpenID Connect Logout

Back Channel

OpenID Connect Backchannel Logout

Demo Time!

Solutions built on top of OpenID Connect

Mobile Connect

OpenID Connect in Open Banking
● Open Banking standards are built with data security and customer consent at their heart.
● Uses OpenID Connect as the authentication and authorization layer
● Uses OpenID Connect Hybrid Flows to enforce security

Tips for Application Devs

A few tips from one dev to another
● Try to use standard APIs/solutions for authentication and authorization.
● Open source != insecure
● Use standard libraries.
● Think about how easy it is to migrate from one vendor to another.
● Think about the user experience (enabling BYOID is now becoming a MUST)

Credits
● All the diagrams I have used in this slide deck were generously borrowed from various blogs, websites etc., so the due credit should go to the respective authors :)

More Related Content

What's hot

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2FIDO Alliance
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenIDMax Manders
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
IISP01345 IA Auditor Senior_Desai
IISP01345 IA Auditor Senior_DesaiIISP01345 IA Auditor Senior_Desai
IISP01345 IA Auditor Senior_DesaiBhavin Desai
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11Nov Matake
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewMikeLeszcz
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...Nur Fatihah Mat Ali
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateBjorn Hjelm
 
OAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightOAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightNov Matake
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP
 

What's hot (20)

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
IISP01345 IA Auditor Senior_Desai
IISP01345 IA Auditor Senior_DesaiIISP01345 IA Auditor Senior_Desai
IISP01345 IA Auditor Senior_Desai
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
MembershipReboot & Thinktecture: The Paradigms in Authentication &Authorizati...
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG Update
 
OAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightOAuth 2.0 Updates #technight
OAuth 2.0 Updates #technight
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
 

Similar to Build a Secure Login for Apps with OpenID Connect

Review on OpenID Authentication Framework
Review on OpenID Authentication FrameworkReview on OpenID Authentication Framework
Review on OpenID Authentication Frameworkijsrd.com
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Identity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsIdentity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsWSO2
 
Webinar Identity Hub's Role in Social Logins
Webinar   Identity Hub's Role in Social LoginsWebinar   Identity Hub's Role in Social Logins
Webinar Identity Hub's Role in Social LoginsNipun Thathsara
 
Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...WSO2
 
Universal login
Universal loginUniversal login
Universal loginZx MYS
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSJournal For Research
 
Implementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteImplementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteDavid Keener
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...WSO2
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceMarc Boorshtein
 
#2 connected apps_calicut_31_july
#2 connected apps_calicut_31_july#2 connected apps_calicut_31_july
#2 connected apps_calicut_31_julyJohnMathewPhilip
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity ServerSign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity ServerWSO2
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_appNuhil Mehdy
 

Similar to Build a Secure Login for Apps with OpenID Connect (20)

Review on OpenID Authentication Framework
Review on OpenID Authentication FrameworkReview on OpenID Authentication Framework
Review on OpenID Authentication Framework
 
Open ID
Open IDOpen ID
Open ID
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
Identity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsIdentity Hub’s Role in Social Logins
Identity Hub’s Role in Social Logins
 
Webinar Identity Hub's Role in Social Logins
Webinar   Identity Hub's Role in Social LoginsWebinar   Identity Hub's Role in Social Logins
Webinar Identity Hub's Role in Social Logins
 
Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...
 
Universal login
Universal loginUniversal login
Universal login
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
 
Implementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteImplementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking Site
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...Setting the Foundation for Digital Transformation Through API Management and ...
Setting the Foundation for Digital Transformation Through API Management and ...
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and Compliance
 
#2 connected apps_calicut_31_july
#2 connected apps_calicut_31_july#2 connected apps_calicut_31_july
#2 connected apps_calicut_31_july
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Open ID Explained
Open ID ExplainedOpen ID Explained
Open ID Explained
 
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity ServerSign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_app
 

Recently uploaded

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 

Recently uploaded (20)

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 

Build a Secure Login for Apps with OpenID Connect

  • 1. OpenID Connect: Building a secure login for your apps the right way! Farasath Ahamed, IAM Team, WSO2
  • 3. Building an application
    ● Building user signup
    ● Building a login/logout mechanism (authentication and authorization)
    ● Building reset password / recovery
    ● Managing users/profiles/sessions.
    ● The actual app functionality.
  • 4. What do we usually do wrong?
  • 5. What do we do wrong?
    ● Either consider security as an afterthought or end up over-engineering security.
    ● Baking authentication and authorization logic into the app.
    ● Thinking that people will use the app as we want.
  • 7. Common mistakes and misconceptions
    ● Trying to implement personally developed security measures
      ○ Security loopholes
    ● Reinventing the wheel.
      ○ User stores
      ○ Social login options
      ○ Libraries
  • 8. Common mistakes and misconceptions
    ● Not thinking about the user experience
      ○ Especially user signup
      ○ MFA
      ○ Not thinking about single sign-on
    So what can we do better?
  • 14. Few more terms...
    ● Identity Provider
    ● Service Provider
  • 16. OpenID Connect
    ● Provides a standard API for login
      ○ Request <-> Response
      ○ A verifiable token containing the user identity (ID Token)
      ○ An access token that can be used to obtain further user information
      ○ The access token also allows scoped authorization
  • 17. OpenID Connect
    ● Defines a standard mechanism for single logout
    ● Provides a standard API for client registration
    ● Provides a standard API for information discovery
    ● Built with security in mind.
    ● Provides an authentication + authorization layer.
  • 19. The OpenID Connect Login
    The application is registered at the OP (OpenID Provider).
    1. Send an OpenID Connect request to the OP
    2. User is authenticated at the OP
    3. User is asked for consent at the OP
    4. Application receives an intermediate ‘code’.
    5. Application sends the code with the application authentication information.
    6. The application receives an id_token + access token in the response. The app verifies the id_token and completes the login.
  • 20. The OpenID Connect Login
  • 21. Let’s see it in action
  • 22. OpenID Connect Login : Request
    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https://developers.google.com/oauthplayground&prompt=consent&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=openid email profile https://www.googleapis.com/auth/xapi.zoo&access_type=offline
  • 23. OpenID Connect Login : Authentication at OP
  • 24. OpenID Connect Login : Consent at OP
  • 25. OpenID Connect Login : Response
    https://developers.google.com/oauthplayground/?code=4/6QBptdphHUBvd7X_lpOS5N2BlPvBy1QhrTfnNGlXKr-pu3k6znBQF_s6YGjbSGibtwlUi5Q90rfqVrUgxfbqIKA&scope=openid%20email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/xapi.zoo&authuser=0&session_state=7414bbf805e2f09026ee7065bc7358b46660897a..d46e&prompt=consent
  • 26. OpenID Connect Login : Token Request
    POST /oauth2/v4/token HTTP/1.1
    Host: www.googleapis.com
    Content-length: 277
    content-type: application/x-www-form-urlencoded
    user-agent: google-oauth-playground

    code=4%2F6QAsx1elz4EirZXkhCRW3jrM6-A5ABq_2IrbdHDhPrfm3b6Fwhrld1gLswcBSNxNE3z-E0sg4EJA79Pxm56gIwM&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=407408718192.apps.googleusercontent.com&client_secret=************&scope=&grant_type=authorization_code
  • 27. OpenID Connect Login : Response
    {
      "access_token": "ya29.GluoBu2HS6hrn7vVeTexqrW3m3i3sGLc6-kEaH_WK5aJmVtMyGMJY1kmlItrvj3S4WXd-arf199factfJVnq2Dr3GCNQsaVgCzPibWRGAZCTu18J67dAlwkuSY7a",
      "id_token": "eyJhbGciOiJSUzI1…….",
      "expires_in": 3600,
      "token_type": "Bearer",
      "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
      "refresh_token": "1/MOMjcw6wBrJBtHY5TzIw4wGg5SRt1fJhkOlp-hZo7LQ"
    }
  • 29. OpenID Connect Login : Code Flow
  • 31. OpenID Connect Login : Implicit Flow
  • 32. OpenID Connect Login : Code vs Implicit
  • 34. Why should we use OpenID Connect?
  • 35. OpenID Connect : Why?
    ● Lets app and site developers authenticate users without taking on the responsibility of storing and managing passwords (federation)
    ● End users have control over the data shared with the app.
  • 36. OpenID Connect : Why?
    ● It’s a well-recognized industry standard / API
      ○ Wide range of OPs to choose from
      ○ Libraries
      ○ JSON over HTTP
      ○ Well tested in terms of security
      ○ Zero-code-change solutions available
  • 37. OpenID Connect : Why?
    ● Enables BYOID (Bring Your Own Identity)
    ● Enables an easy path to provide single sign-on
      ○ Most IdPs support OpenID Connect
      ○ Most SaaS apps support OpenID Connect
  • 38. Security in OpenID Connect
  • 39. OpenID Connect : Security Aspects
    ● Use of signed JWTs to pass user authentication information
      ○ The app must verify the id_token sent in the response
    ● Request objects to prevent request tampering
      ○ Sending request params in a signed JWT.
    ● ‘state’ parameter to prevent CSRF
    ● ‘nonce’ parameter to prevent replay attacks
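The code-flow login of slides 19 to 27, with the ‘state’ and ‘nonce’ checks and the id_token verification that slide 39 calls for, as an added example of the relying-party (app) side. This is not code from the slide deck or from WSO2; it uses only the Python standard library. The OP issuer and endpoint, client id and secret, redirect URI and user are constructed placeholders. The id_token is signed with HS256 using the client secret (one of the signing options OpenID Connect allows for confidential clients) so that the example runs offline; the Google response in slide 27 carries an RS256 token, which an app verifies against the provider's published JWKS instead. Note that the Playground request in slide 22 sends neither state nor nonce; the example adds both.

```python
# Relying-party side of the OpenID Connect code flow (added example, stdlib only).
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: a hypothetical OP and a client registered with it.
OP_ISSUER = "https://op.example"
OP_AUTH_ENDPOINT = OP_ISSUER + "/oauth2/authorize"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/callback"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_request(state, nonce, scope="openid email profile"):
    """Step 1 (slide 22): the request the app redirects the browser to.
    'state' and 'nonce' (slide 39) are fresh random values the app stores
    in the user's session before redirecting."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return OP_AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4 (slide 25): take the intermediate 'code' from the redirect back
    to the app, but only if 'state' equals the value stored for this login.
    A mismatch means this session did not start the callback (CSRF)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("OP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login")
    return query["code"][0]


def verify_id_token(id_token, expected_nonce, now=None):
    """Step 6 (slide 27): verify the id_token before completing the login:
    algorithm, signature, issuer, audience, expiry and nonce."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected alg; never accept "none"
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    good_sig = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(good_sig, b64url_decode(sig_b64)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("id_token issued by a different issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("id_token not issued for this client")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("id_token expired")
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise ValueError("nonce mismatch: id_token may be replayed")
    return claims


def mint_test_id_token(claims):
    """Constructed stand-in for the OP's token endpoint so the flow runs
    offline; in a real login the OP mints and signs the id_token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url(sig)


def demo_login():
    """Run steps 1 to 6 with constructed data and return the verified claims."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("redirect the browser to:", build_auth_request(state, nonce))  # step 1
    # Steps 2 and 3 (authentication and consent) happen at the OP.
    # Step 4: constructed callback from the OP to the app's redirect_uri.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    code = parse_callback(callback, state)
    # Step 5: the body the app would POST to the token endpoint (slide 26);
    # not sent here, the id_token of the response is minted locally instead.
    token_request = {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                     "client_secret": CLIENT_SECRET}
    issued = int(time.time())
    id_token = mint_test_id_token({"iss": OP_ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                                   "iat": issued, "exp": issued + 3600, "nonce": nonce,
                                   "email": "user@example.test"})
    return verify_id_token(id_token, nonce)
```

demo_login() walks the round trip and returns the verified claims; the login is only completed on the app side once verify_id_token returns. Two design points carry over to any real client library: the app pins the algorithm it expects rather than trusting the token's own header, and state and nonce are compared with hmac.compare_digest so the comparison does not leak timing information.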
  • 46. Solutions built on top of OpenID Connect
  • 48. OpenID Connect in Open Banking
    ● Open Banking standards are built with data security and customer consent at their heart.
    ● Uses OpenID Connect as the authentication and authorization layer
    ● Uses OpenID Connect Hybrid Flows to enforce security
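What the hybrid flow adds on the security side, as an added example that is not from the slide deck or from any Open Banking implementation: with response_type=code id_token the OP returns the code and the id_token together in the URL fragment, and the id_token carries a c_hash claim that binds it to that exact code, so the app can reject a code that was not issued together with the token. The check below assumes the app has already verified the id_token's signature (not repeated here) and decoded its claims; it uses only the standard library.

```python
# Binding the authorization code to the ID token in the OIDC hybrid flow
# (added example, standard library only).
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def parse_hybrid_response(redirect_url):
    """For response_type=code id_token the default response_mode is
    'fragment', so both values arrive in the URL fragment, not the query."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    return frag["code"][0], frag["id_token"][0]


def c_hash_for(code, alg="RS256"):
    """c_hash as OpenID Connect Core 3.3.2.11 defines it: hash the ASCII
    code with the hash function of the id_token's signing algorithm
    (RS256 -> SHA-256, ES384 -> SHA-384, PS512 -> SHA-512), keep the
    left-most half of the digest, base64url-encode it without padding."""
    bits = int(alg[2:])
    digest = hashlib.new("sha%d" % bits, code.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def code_matches_id_token(code, id_token_claims, alg="RS256"):
    """True only if the front-channel 'code' is the one the OP bound into the
    already signature-verified id_token. A code injected alongside someone
    else's id_token fails this check."""
    claimed = id_token_claims.get("c_hash")
    if not claimed:
        return False  # c_hash is REQUIRED when code and id_token are returned together
    return hmac.compare_digest(claimed, c_hash_for(code, alg))


if __name__ == "__main__":
    # Constructed redirect: the id_token value is a placeholder, the c_hash is
    # computed here to stand in for the one the OP would put in the token.
    code, _ = parse_hybrid_response("https://app.example/cb#code=constructed-code&id_token=x.y.z&state=s")
    print(code_matches_id_token(code, {"c_hash": c_hash_for("constructed-code")}))
```

The same construction with the access token in place of the code gives at_hash, which the app checks in exactly the same way when response_type also includes token.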
  • 50. Few tips from one dev to another
    ● Try to use standard APIs/solutions for authentication and authorization.
    ● Open source != insecure
    ● Use standard libraries.
    ● Think about how easy it is to migrate from one vendor to another.
    ● Think about the user experience (enabling BYOID is now becoming a MUST)
  • 51. Credits
    ● All the diagrams I have used in this slide deck were generously borrowed from various blogs, websites etc., so the due credit should go to the respective authors :)