
2019 | Transactional Authorization | Identiverse | Day 1, June 25


Last year, we took a look at what's wrong with OAuth 2. This year, we'll look at some of the directions that technology is moving in, including an in-depth view of transactional authorization built around many of the lessons learned from OAuth 2's deployment.


  1. @justin__richer https://bspk.io/ Transactional Authorization
  2. What’s Wrong with OAuth 2?
  9. Not OAuth
  14. Time for School!
  41. The Client
  42. The Authz Server
  43. The User
  45. A reminder: This is not OAuth
  46. The Front Channel
  47. The Front Channel • User is present • Browser is flexible
  48. The Front Channel • User is present • Browser is flexible • Information leakage • Tampering • Injection • URL size limitations • HTTP Referrer headers • HTTP server logs
  49. The Front Channel • User authentication • User interaction • Client identifier • Requested scope • Application state • etc. • Authorization code • Access tokens • Identity assertions • Application state • etc.
  51. Trying to protect the front channel • OIDC • JAR • JARM • PKCE • Token Binding
  52. Proposal: Avoid the Front Channel until we need it
  53. Transactions!
  54. OAuth has always been transactional
  56. Transactions: Registering Intent
  57. Start a Transaction { "client": ..., "interact": ..., "user": ..., "resources": [ ... ], "key": ... }
  58. “What I Am” "client":{ "name":"My Client DisplayName", "uri":"https://example.net/client" }
  59. “What I want” "resources":[{ "actions":["read","write","dolphin"], "locations":["https://server.example.net/", "https://resource.local/other"], "data":["metadata"] }]
  60. “What I know about the user” "user":{ "assertion":"eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoi...", "type":"oidc_id_token" }
  61. “How to recognize me” "key":{ "type":"jwsd", "jwks":{ "keys":[{ "kty":"RSA", "e":"AQAB", "kid":"xyz-1", "alg":"RS256", "n":"kOB5rR4Jv0GMeLaY6_It_..." }] } }
  62. The client has to prove possession of all referenced keys
  63. “How I can interact with the user” "interact":{ "type":"redirect", "callback":"https://client.example.net/return/123455", "state":"LKLTI25DK82FX4T4QFZC" }
  64. Process all aspects of the transaction request
  65. “I need to talk to the user”
  66. “Go fetch me the user” { "interaction_url":"https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  67. Each step points to the next
  68. The Front Channel https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ
  69. Look up the transaction based on the incoming interaction URL
  70. Problem Solved!
  71. User interacts like you’d expect • Authenticate • Authorize • Consent • Modify
  72. https://client.example.net/return/123455?state=LKLTI25DK82FX4T4QFZC&interact=4IFWWIKYBC2PQ6U56NL1
  73. Validate the state value
  74. Continue the Transaction { "handle":"80UPRY5NM33OMUKMKSKU", "interact_handle":"4IFWWIKYBC2PQ6U56NL1" }
  75. The client STILL has to prove possession of all referenced keys
  76. “Here’s an access token” { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"bearer" } }
  77. Handles: Referencing previous state
  78. “Use this, I’ll remember you” { "client_handle":{ "value":"VBUEOIQA82PBY2ZDJW7Q", "type":"bearer" }, "key_handle":{ "value":"7C7C4AZ9KHRS6X63AJAO", "type":"bearer" } }
  79. Starting a new transaction with handles { "client":"VBUEOIQA82PBY2ZDJW7Q", "key":"7C7C4AZ9KHRS6X63AJAO" }
  80. The client STILL has to prove possession of all referenced keys
  81. An access token and a transaction handle { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"bearer" }, "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  82. Refreshing a Token { "handle":"80UPRY5NM33OMUKMKSKU" }
  83. Remembering the user { "user_handle":{ "value":"XUT2MFM1XBIKJKSDU8QM", "type":"bearer" } }
  84. Scopes, redux "resources":[ "read","write","dolphin" ]
  85. Structured scopes "resources":[ "read","write","dolphin", { "actions":["read","write","dolphin"], "locations":["https://server.example.net/", "https://resource.local/other"], "data":["metadata"] } ]
  86. What about other devices?
  87. The difference is interaction
  88. “How I Can Interact With The User” "interact":{ "type":"device" }
  89. “Go fetch me the user” { "interaction_url":"https://server.example.com/interact/device", "user_code":"A1BC-3DFF", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  90. Tell the user https://server.example.com/interact/device A1BC-3DFF
  91. User interacts like you’d expect • Authenticate • Authorize • Consent • Modify • A1BC-3DFF
  92. Look up the transaction based on the user code
  93. Are we ready yet? { "handle":"80UPRY5NM33OMUKMKSKU" }
  94. Not yet { "wait":30, "handle":{ "value":"BI9QNW6V9W3XFJK4R02D", "type":"bearer" } }
  95. What about a combined URL?
  96. We can use the regular interaction URL { "interaction_url":"https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
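The redirect flow of slides 57-83 and the device flow of slides 88-96, as an added example that is not code from the talk or from the oauth.xyz project: a toy in-memory authorization server and client in Python exchanging the same JSON shapes the slides show (start, interaction URL or user code, state-checked return, continue with handle and interact value, wait, access token). Everything about the implementation is an assumption made for illustration: the class and function names, random URL-safe handles that are consumed when presented and replaced by a fresh one, the user-code format, and the 30-second wait value copied from slide 94. Key proof (slides 62, 75, 80) is out of scope here.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AS_BASE = "https://server.example.com"  # assumed AS origin, as used on the slides

def new_handle() -> str:
    """Opaque reference value; handles here are random and single-use (an assumption)."""
    return secrets.token_urlsafe(15)

@dataclass
class Transaction:
    request: dict                                     # the JSON the client started with
    handle: str = field(default_factory=new_handle)   # current transaction handle
    interact_handle: Optional[str] = None             # set once the user came back (redirect)
    approved: Optional[bool] = None                   # None until the user has been seen
    user_code: Optional[str] = None                   # device flow only

class AuthServer:
    def __init__(self):
        self.by_handle, self.by_interaction, self.by_user_code = {}, {}, {}

    def start(self, req: dict) -> dict:
        """Slides 57-66: record the client's intent, then say how to bring the user in."""
        tx = Transaction(req)
        self.by_handle[tx.handle] = tx
        resp = {"handle": {"value": tx.handle, "type": "bearer"}}
        if req["interact"]["type"] == "redirect":
            iid = new_handle()
            self.by_interaction[iid] = tx
            resp["interaction_url"] = f"{AS_BASE}/interact/{iid}"
        else:  # "device": fixed URL plus a short code the user types (slide 89)
            tx.user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
            self.by_user_code[tx.user_code] = tx
            resp.update(interaction_url=f"{AS_BASE}/interact/device", user_code=tx.user_code)
        return resp

    def front_channel(self, url: str, approve: bool, user_code: Optional[str] = None) -> Optional[str]:
        """The user's browser arrives: find the transaction from the URL (slide 69) or code (slide 92)."""
        if user_code is not None:
            tx = self.by_user_code.pop(user_code)
        else:
            tx = self.by_interaction.pop(urlparse(url).path.rsplit("/", 1)[-1])
        tx.approved = approve
        if tx.request["interact"]["type"] != "redirect":
            return None  # device flow: nothing to redirect to, the client polls instead
        tx.interact_handle = new_handle()
        q = urlencode({"state": tx.request["interact"]["state"], "interact": tx.interact_handle})
        return f"{tx.request['interact']['callback']}?{q}"  # slide 72

    def continue_tx(self, handle: str, interact_handle: Optional[str] = None) -> dict:
        """Slides 74-76 and 93-94: the presented handle is consumed and a fresh one issued."""
        tx = self.by_handle.pop(handle, None)
        if tx is None or tx.interact_handle != interact_handle:
            raise PermissionError("unknown handle, or interact value does not match")
        tx.handle, tx.interact_handle = new_handle(), None
        self.by_handle[tx.handle] = tx
        fresh = {"value": tx.handle, "type": "bearer"}
        if tx.approved is None:
            return {"wait": 30, "handle": fresh}  # "Not yet" (slide 94)
        if not tx.approved:
            raise PermissionError("user declined")
        return {"access_token": {"value": secrets.token_urlsafe(30), "type": "bearer"}, "handle": fresh}

class Client:
    def __init__(self, as_: AuthServer, interact_type: str):
        self.as_, self.state = as_, secrets.token_urlsafe(15)
        interact = {"type": interact_type}
        if interact_type == "redirect":  # slide 63
            interact.update(callback="https://client.example.net/return/123455", state=self.state)
        self.req = {"client": {"name": "My Client DisplayName", "uri": "https://example.net/client"},
                    "resources": ["read", {"actions": ["write"], "locations": ["https://server.example.net/"]}],
                    "interact": interact}

    def on_return(self, return_url: str, handle: str) -> dict:
        """Slide 73: a return whose state is not the one this client generated is discarded."""
        qs = parse_qs(urlparse(return_url).query)
        if qs.get("state") != [self.state]:
            raise ValueError("state mismatch")
        return self.as_.continue_tx(handle, qs["interact"][0])

def redirect_flow(approve: bool = True) -> dict:
    as_ = AuthServer()
    c = Client(as_, "redirect")
    first = as_.start(c.req)
    return c.on_return(as_.front_channel(first["interaction_url"], approve), first["handle"]["value"])

def device_flow() -> list:
    """Returns the AS responses the client saw while polling: first a wait, then a token."""
    as_ = AuthServer()
    c = Client(as_, "device")
    first = as_.start(c.req)
    seen = [as_.continue_tx(first["handle"]["value"])]        # user has not typed the code yet
    as_.front_channel(first["interaction_url"], True, user_code=first["user_code"])
    seen.append(as_.continue_tx(seen[-1]["handle"]["value"]))  # poll again with the rotated handle
    return seen

def handle_replay_rejected() -> bool:
    """A handle already presented to continue_tx must not work a second time."""
    as_ = AuthServer()
    c = Client(as_, "redirect")
    first = as_.start(c.req)
    c.on_return(as_.front_channel(first["interaction_url"], True), first["handle"]["value"])
    try:
        as_.continue_tx(first["handle"]["value"])
    except PermissionError:
        return True
    return False
```

Two checks carry the security weight: the client refuses a return whose `state` it did not generate (slide 73), and the AS refuses any handle it has already consumed, so a leaked first-response handle cannot be replayed after the client has continued the transaction. The device branch shows why slide 94 rotates the handle on every poll.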
  97. What about identity?
  98. Pass identity assertions like OIDC, VC { "id_token":"eyj0...", "verifiable_claims":"..." }
  99. What about binding tokens?
  100. Access token is bound to a key { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"jwsd", "key":{ "kid":"token-1234", ... } } }
  101. Key proof is presented alongside token: Authorization: JWSD OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0 / Detached-JWS: eyJiNjQiOmZhbHNlLCJhbGciOiJSU...
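The proof on slides 100-101, as an added example that is not from the talk or from oauth.xyz: a client building a detached JWS over the request body (RFC 7797 unencoded payload, `"b64":false`, the payload segment left empty) and a resource server checking it against the key the access token is bound to. To run without extra libraries it uses HMAC-SHA256 with a shared demo secret in place of the RS256 key the slides show; the header layout, the `TOKEN_BINDINGS` table, the key names and the sample request body are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed sample state. The token value is the one on slide 100; the binding table is the
# resource server's record of which key id each token was issued to, and CLIENT_KEYS stands in
# for the client's registered key (RSA on the slides, an HMAC secret in this example).
ACCESS_TOKEN = "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0"
TOKEN_BINDINGS = {ACCESS_TOKEN: "token-1234"}
CLIENT_KEYS = {"token-1234": b"constructed-demo-secret-not-a-real-key"}

def make_detached_jws(kid: str, key: bytes, body: bytes) -> str:
    """Client side: sign the raw body; the JWS carries the header and signature only."""
    header = {"alg": "HS256", "kid": kid, "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    signing_input = protected.encode() + b"." + body  # unencoded payload (RFC 7797)
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{protected}..{b64url(sig)}"  # empty middle segment = detached payload

def build_request_headers(body: bytes) -> dict:
    """Slide 101: token in Authorization with the JWSD scheme, proof in Detached-JWS."""
    return {"Authorization": f"JWSD {ACCESS_TOKEN}",
            "Detached-JWS": make_detached_jws("token-1234", CLIENT_KEYS["token-1234"], body)}

def verify_request(headers: dict, body: bytes) -> bool:
    """Resource server side: accept only if the proof verifies over *this* body with the key the
    token is bound to. A bare token, a proof over another body, or a proof from another key fails."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "JWSD" or token not in TOKEN_BINDINGS:
        return False
    try:
        protected, payload, sig = headers["Detached-JWS"].split(".")
    except (KeyError, ValueError):
        return False
    if payload != "":
        return False
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:
        return False
    if header.get("alg") != "HS256" or header.get("b64") is not False:
        return False
    if header.get("kid") != TOKEN_BINDINGS[token]:
        return False  # a valid proof, but not from the key this token was issued to
    key = CLIENT_KEYS.get(header["kid"])
    if key is None:
        return False
    expected = hmac.new(key, protected.encode() + b"." + body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))
```

The point the slides make is visible in `verify_request`: the token string by itself is never sufficient, and the `kid` in the proof must match the binding recorded when the token was issued, otherwise anyone holding a different key could pair it with a copied token.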
  102. Getting involved
  104. https://oauth.xyz/
  106. Questions?
