Token, token... From SAML to OIDC

An overview of SAML, OAuth 2.0, OIDC, and JWT: what they are, and what to watch out for.

  1. Token: OAuth/OIDC/JWT/SAML. shiufun@us.ibm.com, STSM, Security, APIc/GW, Cloud Division. (IBM Confidential)
  2. SAML. Source: http://www.ibm.com/developerworks/library/ws-SAMLWAS/
  3. OIDC. Source: http://openid.net/connect
  4. Protocol: SAML vs OAuth 2.0 vs OpenID
     • SAML: federated identity; who are you?; permission: allow/denied; OASIS/WS-*; SAML Assertion, versions 1.0, 1.1, 2.0; XML based; signed/encrypted.
     • OAuth 2.0: delegated authorization; permission: allow/denied; IETF RFC 6749; access_token (RFC 6750), Bearer *; token format is vendor specified; introspection: IETF RFC 7662.
     • OpenID (OIDC): authentication; who are you?; OpenID.net; extends OAuth 2.0 with user information; id_token is a JSON Web Token (JWT), signed with JWS, encrypted with JWE, or signed and encrypted.
  5. [Token] SAML vs access_token (Bearer) vs id_token (JWT)
     • Identity assertion token: SAML or id_token (JWT). E.g. 'WickedPrinterApp' requires Alice to authenticate successfully before presenting its service.
     • Authorization token: SAML or access_token (bearer). E.g. 'WickedPrinterApp' can print Alice's photo if the access_token is valid.
     • SAML:
         <saml:Assertion xmlns:…>
           <saml:Issuer>…</saml:Issuer>
           <saml:Subject>...</saml:Subject>
           <saml:Condition>...</saml:Condition>
           .....
         </saml:Assertion>
     • access_token: HTTP header "Authorization: Bearer xyzjj…". Apply introspection (RFC 7662) against the token:
         {"active":true, "token_type":"bearer", "client_id":"spoon-application", "username":"shiufun", "sub":"shiufun", "exp":1504323675, …}
     • id_token: HTTP header "Authorization: Bearer xxx.yyy.zzzz", which unpacks into {"alg":"HS256"} . {"iss":"xx","sub":"yy"…} . zzzz
  6. [Token] SAML vs access_token (Bearer) vs id_token (JWT)
                        SAML                        access_token                  id_token
     Format             XML based (OASIS)           Opaque (RFC 6750) *           JSON Web Token (RFC 7519)
     Transport          HTTP(s), payload            HTTP(s), payload              HTTP(s), payload
     Validation         WS-Security specification   Introspection (RFC 7662)      JOSE (JWS/JWE)
     Typical use        Web service/WebApp          WebApp/Mobile                 WebApp/Mobile
     * Binary vs defined format.
     * SAML for OAuth: authenticate the resource owner or application.
     * JWT for OAuth: authenticate the resource owner or client.
  7. SAML
     • Specification is well established.
     • Confidentiality/Integrity: how to protect it during transit.
     • Replay?
     • Condition?
     • Authentication/Attribute/Authorization Statement.
     Reference: https://www.oasis-open.org/committees/download.php/8733/sstc-saml-sec-consider-2.0-draft-05-diff.pdf
  8. OAuth 2.0/OIDC
     • redirect_uri.
     • Client/application: how secure is its credential; how to securely store the permission; *well-behaved*; application authenticity.
     • Session management of the end user: how to authenticate the user.
     • Web application, API application: follow the best practice to prevent CSRF, XSS, Session.
     Reference: https://tools.ietf.org/html/rfc6819
  9. Transit/local storage
     • TLS/SSL.
     • How is the token kept securely once it is issued?
     • Token/Session management.
     • TTL == infinity: what could go wrong (?)
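As an added example (not from the deck), a minimal HS256 id_token issue/verify pair in Python standard library that applies the checks slides 5 and 9 point at: pinned alg, signature before any claim is trusted, iss, aud and a mandatory exp, so a token with no expiry (TTL == infinity) is rejected. The key, issuer URL and timestamps are constructed; the sub and client_id values mirror slide 5; a real relying party would use a maintained JOSE library and the provider's published keys instead.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; with HS256 an OIDC client would use the client_secret shared with the issuer.
KEY = b"constructed-demo-secret"
EXPECTED_ALG = "HS256"  # pinned: the verifier decides the algorithm, not the token header

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, key: bytes) -> str:
    # Compact JWS, the xxx.yyy.zzzz form from slide 5: b64url(header).b64url(payload).b64url(signature)
    header = b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    # Returns the claims on success; raises ValueError on any failed check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")  # also rejects alg=none
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # checked before any claim is trusted
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or no exp")  # no exp means TTL == infinity; refuse it
    return claims

def is_valid(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except (ValueError, TypeError, AttributeError):
        return False
```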
