
OpenID Connect & OAuth - Demystifying Cloud Identity


SpringOne Platform 2016
Speakers: Filip Hanik; Senior Staff Engineer, Pivotal. Sree Tummidi; Product Manager, Pivotal.

Innovation, proposals and standardization result in endless specifications. Often too many to ingest while focusing your development on the specific business domain at hand.

In this deep dive we will untangle the web of complexity introduced by two of the most popular authentication and authorization frameworks used in cloud-native applications today, the OpenID Connect and OAuth 2 standards.

You can expect to learn:

- How to get started using OAuth 2 and Spring
- What made these frameworks so popular
- The intricate details of each implementation
- Implications and challenges of using token-based security for applications and microservices
- How to easily extend Spring components for non-standard APIs

Join us and share in our experiences building the Cloud Foundry User Authentication and Account management project, the UAA, a production-grade OAuth 2 authorization and resource server, as well as an OpenID Connect implementation. The UAA relies on and extends several Spring Security frameworks to provide a robust identity implementation for the Cloud Foundry platform and its application ecosystem.


  1. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Demystifying Cloud Identity. By Sree Tummidi and Filip Hanik. @fhanik @sreetummidi
  2. Sree Tummidi, Product Manager. A decade of experience in enterprise security. Started out as a software engineer. PM for Cloud Foundry UAA & Pivotal Single Sign-On. @sreetummidi
  3. Filip Hanik, Software Engineer. DevOps as a career. Cloud Foundry UAA project. @fhanik @pivotal
  4. (image-only slide)
  5. (image-only slide)
  6. OAuth 2
  7. OAuth 2
     • One standard built to rule them all
     • Very elaborate flows, aka "grant types"
     • Grants access tokens
  8. Access Token: JWT
  9. Bearer Token
     GET /my/data HTTP/1.1
     Host: uaa.domain.com
     Authorization: bearer a2df43cf
  10. Access Token: JWT structure
     • Header
     • Body
     • Footer
     (the slide shows a complete base64url-encoded example token; the encoded blob is omitted here)
  11. JSON Web Token - Body
     {
       "scope": [ "openid" ],
       "cid": "oauth_showcase_authorization_code",
       "user_name": "marissa",
       "iss": "http://localhost:8080/uaa/oauth/token"
     }
  12. Access Token
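The offline validation the JWT slides imply, as an added Python example that is not from the slides or the UAA code base: split the compact token into header, body and footer (signature), look the key up by the header's kid, verify the HS256 signature before trusting any claim, then check iss and exp. The signing key and the token are constructed inline; only the claim names, the kid value and the issuer URL come from the slides.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key, looked up by the token's "kid" header the way a
# resource server would hold the authorization server's verification keys.
SIGNING_KEYS = {"legacy-token-key": b"constructed-example-secret-not-for-production"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, kid: str) -> str:
    """Build a compact HS256 JWT: header.body.footer (the footer is the signature)."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, expected_iss: str, now: int) -> dict:
    """Offline validation: signature first, then issuer and expiry. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.body.signature")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid %r" % header.get("kid"))
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


ISSUER = "http://localhost:8080/uaa/oauth/token"  # iss value from slide 11


def demo() -> bool:
    """Round-trip the slide 11 claims (iat/exp from slide 46), then reject an edited body."""
    claims = {"scope": ["openid"], "cid": "oauth_showcase_authorization_code",
              "user_name": "marissa", "iss": ISSUER, "iat": 1469998244, "exp": 1470041444}
    token = issue_jwt(claims, "legacy-token-key")
    if verify_jwt(token, ISSUER, now=1470000000)["user_name"] != "marissa":
        return False
    # Re-encode the body with a different scope but keep the original footer:
    # the signature no longer matches, so the resource server must refuse it.
    header_b64, _, sig_b64 = token.split(".")
    edited = _b64url_encode(json.dumps(dict(claims, scope=["uaa.admin"])).encode())
    try:
        verify_jwt(header_b64 + "." + edited + "." + sig_b64, ISSUER, now=1470000000)
    except ValueError:
        return True
    return False
```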
  13. Meet the actors (diagram): Authorization Server, Resource Server, Application, Resource Owner
  14. Applications can act on their own
  15. Client Credentials Grant Flow (diagram): the Application authenticates with its client credentials to the Authorization Server, which sends a token; the Application accesses the protected resource with the token; the Resource Server performs access control and sends the resource
  16. Client Credentials Grant Flow
  17. Get a Token - Client Credentials Grant
     curl http://localhost:8080/uaa/oauth/token -d "client_id=oauth_showcase_client_credentials" -d "client_secret=secret" -d "grant_type=client_credentials"
     POST /uaa/oauth/token HTTP/1.1
     Host: localhost:8080
     Content-Length: 94
     Content-Type: application/x-www-form-urlencoded

     client_id=oauth_showcase_client_credentials&client_secret=secret&grant_type=client_credentials
  18. Token Response
     HTTP/1.1 200 OK
     Cache-Control: no-store
     Content-Type: application/json;charset=UTF-8
     X-XSS-Protection: 1; mode=block
     X-Frame-Options: DENY
     Date: Sat, 30 Jul 2016 21:35:06 GMT

     {
       "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72",
       "expires_in": 43199,
       "jti": "7ea43dfbdfc8424cb689c69aa48b8a72",
       "scope": "clients.read clients.write uaa.admin clients.admin scim.write scim.read",
       "token_type": "bearer"
     }
  19. Approvals
  20. Approvals
     • Before an access token is granted
     • What can the application do?
     • When do I give permission to the application?
     • Explicit
     • Implied
  21. Implied Approval - Password Grant
  22. Password Grant
  23. Password Grant
  24. Password Grant Flow (diagram): the Resource Owner provides username & password to the Application; the Application sends the username/password together with its client credentials to the Authorization Server, which sends a token; the Application accesses the protected resource; the Resource Server performs access control and sends the resource
  25. Password Grant Flow
  26. Get a Token - Password Grant
     curl http://localhost:8080/uaa/oauth/token -d "client_id=oauth_showcase_password_grant" -d "client_secret=secret" -d "grant_type=password" -d "username=marissa" -d "password=koala"
     POST /uaa/oauth/token HTTP/1.1
     Host: localhost:8080
     Content-Length: 112
     Content-Type: application/x-www-form-urlencoded

     client_id=oauth_showcase_password_grant&client_secret=secret&grant_type=password&username=marissa&password=koala
  27. Token Response
     HTTP/1.1 200 OK
     Cache-Control: no-store
     Content-Type: application/json;charset=UTF-8
     X-XSS-Protection: 1; mode=block
     X-Frame-Options: DENY
     Date: Sat, 30 Jul 2016 21:35:06 GMT

     {
       "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72",
       "expires_in": 43199,
       "jti": "7ea43dfbdfc8424cb689c69aa48b8a72",
       "scope": "openid",
       "token_type": "bearer"
     }
  28. Scopes
  29. Scopes
     • The name of permissions
     • Client / Application scopes
     • User scopes
     • Token contains intersection
  30. Scopes: ring.wear
  31. Scopes: ring.wear, ring.destroy
  32. Token Response
     {
       "access_token": "7ea43dfbdfc8424cb689c69aa48b8a72",
       "expires_in": 43199,
       "scope": "ring.wear"
     }
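The scope intersection the Scopes slides describe, as an added Python example that is not from the slides or the UAA: the authorization server issues only the scopes that are requested, registered for the client and held by the user (so a request for ring.wear and ring.destroy yields the slide 32 response with ring.wear alone), and the resource server then checks the token's scope per endpoint. The scope names are the slides'; the client id, the user's scope assignment and the endpoints are assumptions.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed registrations in the spirit of the ring.wear / ring.destroy slides.
CLIENT_SCOPES: Dict[str, FrozenSet[str]] = {
    # scopes the application is registered to request on a user's behalf (assumed client)
    "oauth_showcase_ring": frozenset({"openid", "ring.wear", "ring.destroy"}),
}
USER_SCOPES: Dict[str, FrozenSet[str]] = {
    # permissions the user actually holds on the authorization server (assumed)
    "marissa": frozenset({"openid", "ring.wear"}),
}
# Resource server side: the scope each endpoint requires (assumed endpoints).
REQUIRED_SCOPE: Dict[Tuple[str, str], str] = {
    ("GET", "/ring"): "ring.wear",
    ("DELETE", "/ring"): "ring.destroy",
}


def grant_scopes(client_id: str, user_name: str, requested: List[str]) -> Set[str]:
    """Authorization server: token scope = requested ∩ client scopes ∩ user scopes.

    Scopes the user lacks are dropped rather than escalated (slide 32 shows
    "ring.wear" alone); an empty result is an invalid_scope error, not an
    empty-but-valid token.
    """
    allowed = CLIENT_SCOPES[client_id] & USER_SCOPES[user_name]
    # No explicit request means "everything the client is registered for".
    wanted = set(requested) if requested else set(CLIENT_SCOPES[client_id])
    granted = wanted & allowed
    if not granted:
        raise PermissionError("invalid_scope: %s holds none of %s via client %s"
                              % (user_name, sorted(wanted), client_id))
    return granted


def token_response(client_id: str, user_name: str, requested: List[str]) -> dict:
    """Shape of the slide 32 token response; the access_token value is a placeholder."""
    granted = grant_scopes(client_id, user_name, requested)
    return {"access_token": "<opaque-or-jwt-placeholder>", "expires_in": 43199,
            "scope": " ".join(sorted(granted)), "token_type": "bearer"}


def authorize_request(method: str, path: str, token_scope: str) -> bool:
    """Resource server access control: the token must carry the endpoint's scope."""
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        # Unknown endpoint: deny by default instead of falling through to "allowed".
        return False
    return needed in token_scope.split()
```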
  33. Explicit Approval - Authorization Code Grant
  34. Authorization Code Grant
  35. Authorization Code Grant
  36. Authorization Code Grant
  37. Authorization Code Grant
  38. Authorization Code Grant
  39. Authorization Code Grant
  40. Authorization Code Flow (diagram): the Resource Owner accesses the Application; the Application asks for permission / approval; the Resource Owner authenticates at the Authorization Server and grants authorization; the Authorization Server sends an authorization code; the Application exchanges the code, with its client credentials, for a token; the Authorization Server sends the token; the Application accesses the protected resource; the Resource Server performs access control and sends the resource
  41. Authorization Code Grant Flow
  42. Authorization Code - What happened?
     You're reaching out to the application:
     GET /oidc HTTP/1.1
     Host: localhost:8888
     Application checks if you are "logged in" and redirects you to the authorization server:
     HTTP/1.1 302 FOUND
     Location: http://localhost:8080/uaa/oauth/authorize?client_id=oauth_showcase_authorization_code&redirect_uri=http://localhost:8888/login&response_type=code&state=TQdkCk
  43. Authorization Code - What happened?
     GET /oauth/authorize HTTP/1.1
     Host: localhost:8080
     Log in and approve the application; the authorization server redirects you back with the code:
     HTTP/1.1 302 FOUND
     Location: http://localhost:8888/login?code=a2c4e6
  44. Get a Token - Authorization Code Grant
     curl http://localhost:8080/uaa/oauth/token -d "client_id=oauth_showcase_authorization_code" -d "client_secret=secret" -d "grant_type=authorization_code" -d "code=a2c4e6"
     POST /uaa/oauth/token HTTP/1.1
     Host: localhost:8080
     Content-Length: 102
     Content-Type: application/x-www-form-urlencoded

     client_id=oauth_showcase_authorization_code&client_secret=secret&grant_type=authorization_code&code=a2c4e6
  45. Resource Server - Authorize
     curl http://localhost:8080/uaa/check_token -u "oauth_showcase_authorization_code:secret" -d "token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tl…."
     POST /uaa/check_token HTTP/1.1
     Host: localhost:8080
     Content-Length: 1144
     Authorization: Basic b2F1dGhfc2hvd2Nhc2VfYXV0aG9yaXphdGlvbl9jb2RlOnNlY==
     Content-Type: application/x-www-form-urlencoded

     token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tl
  46. Authorization - Claims Returned
     {
       "scope": [ "openid" ],
       "cid": "oauth_showcase_authorization_code",
       "user_name": "marissa",
       "iss": "http://localhost:8080/uaa/oauth/token",
       "iat": 1469998244,
       "exp": 1470041444
     }
  47. Full Circle
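The application side of the two "What happened?" slides, as an added Python example that is not from the slides or the UAA: generate and remember a state value per browser session when issuing the 302 to /oauth/authorize, refuse the /login callback unless its state matches the one stored for that session (and consume it so it cannot be replayed), and only then build the code exchange request from slide 44. The per-session store, the callback carrying state back, and the redirect_uri parameter in the token request are assumptions; the URLs, client id and other parameters are the slides'.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the slides (localhost demo setup of the UAA and the sample application).
AUTHORIZE_URL = "http://localhost:8080/uaa/oauth/authorize"
TOKEN_URL = "http://localhost:8080/uaa/oauth/token"
CLIENT_ID = "oauth_showcase_authorization_code"
CLIENT_SECRET = "secret"
REDIRECT_URI = "http://localhost:8888/login"


class AuthCodeClient:
    """Application side of the flow; pending state values are kept per session (assumed store)."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def start_login(self, session_id: str) -> str:
        """Not logged in yet: return the Location header for the 302 on slide 42."""
        state = secrets.token_urlsafe(16)          # unguessable, one per login attempt
        self._pending[session_id] = state
        query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                           "response_type": "code", "state": state})
        return AUTHORIZE_URL + "?" + query

    def handle_callback(self, session_id: str, callback_url: str) -> Dict[str, str]:
        """The /login?code=...&state=... callback of slide 43 (state echoed back is assumed).

        Returns the form fields for the token request on slide 44, or raises.
        """
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        expected = self._pending.pop(session_id, None)   # consume it: a state is single-use
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            raise PermissionError("state mismatch: this callback was not started by this session")
        if "error" in params or "code" not in params:
            raise ValueError("authorization server denied: %s" % params.get("error", "no code"))
        # Slide 44 sends client_id/client_secret in the body; redirect_uri is added here
        # because RFC 6749 requires it when it was part of the authorization request.
        return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                "grant_type": "authorization_code", "code": params["code"],
                "redirect_uri": REDIRECT_URI}


def token_request_body(form: Dict[str, str]) -> str:
    """application/x-www-form-urlencoded body for POST TOKEN_URL, as in the raw request on slide 44."""
    return urlencode(form)
```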
  48. Implicit Grant
  49. Implicit Grant
  50. OpenID Connect
  51. OpenID Connect 1.0
  52. OpenID Connect Flow - Simple (diagram): the User loads the Application; the Application requests login; the Identity Provider authenticates the User; the Application requests an ID token; the Identity Provider sends an authorization code; the Application exchanges the code, with its client credentials, for an ID token; the Identity Provider sends the ID token
  53. OpenID Connect Flow - Hybrid (diagram): the User loads the Application; the Application requests login/authorize; the Identity Provider authenticates the User and grants authorization; the Application requests ID + access token; the Identity Provider sends an authorization code; the Application exchanges the code, with its client credentials, for ID + AT; the Identity Provider sends ID + AT; the Application exchanges the AT for the protected resource at the RS
  54. OpenID Connect - ID Token
     {
       "sub": "22a55160-01b7-4208-a9fe-b99cc5f1542e",
       "user_name": "marissa",
       "iss": "http://localhost:8080/uaa/oauth/token",
       "aud": [ "c980ec9f-23c5-472f-8e15-7552d5802250" ],
       "scope": [ "openid" ],
       "auth_time": 1470109898,
       "exp": 1470153098,
       "iat": 1470109898,
       "email": "xxx@gmail.com",
       "phone_number": "xxx xxx xxxx"
     }
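What the application should check before trusting the ID token above, as an added Python example that is not from the slides or the UAA: the signature is assumed already verified (as for any JWT), iss and aud are the slide's values, and the azp rule for multiple audiences, the max_age check against auth_time and the clock-skew allowance are assumptions taken from the OpenID Connect Core validation rules.

```python
from typing import List, Optional, Union

ISSUER = "http://localhost:8080/uaa/oauth/token"      # iss on slide 54
CLIENT_ID = "c980ec9f-23c5-472f-8e15-7552d5802250"     # the aud on slide 54


def validate_id_token_claims(claims: dict, client_id: str, now: int,
                             max_age: Optional[int] = None, skew: int = 60) -> str:
    """Relying-party checks on an ID token whose signature was already verified.

    Returns the 'sub' to establish the login with; raises on any failed check.
    """
    if claims.get("iss") != ISSUER:
        raise ValueError("iss %r is not the identity provider we sent the user to" % claims.get("iss"))
    aud: Union[str, List[str], None] = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])   # aud may be string or array
    if client_id not in audiences:
        raise ValueError("ID token was issued to %s, not to this application" % audiences)
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp does not name this application")
    exp = int(claims["exp"])
    iat = int(claims["iat"])
    if now >= exp + skew:
        raise ValueError("ID token expired")
    if iat > now + skew:
        raise ValueError("ID token issued in the future")
    # auth_time says when the user actually authenticated; a stale login is not
    # acceptable when the application asked for a fresh one via max_age.
    if max_age is not None and now - int(claims["auth_time"]) > max_age:
        raise ValueError("authentication too old for max_age=%d; re-authenticate" % max_age)
    if "sub" not in claims:
        raise ValueError("no sub claim")
    return claims["sub"]


# The ID token body from slide 54 (email/phone are the slide's masked values).
SLIDE_ID_TOKEN = {
    "sub": "22a55160-01b7-4208-a9fe-b99cc5f1542e",
    "user_name": "marissa",
    "iss": ISSUER,
    "aud": ["c980ec9f-23c5-472f-8e15-7552d5802250"],
    "scope": ["openid"],
    "auth_time": 1470109898,
    "exp": 1470153098,
    "iat": 1470109898,
    "email": "xxx@gmail.com",
    "phone_number": "xxx xxx xxxx",
}
```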
  55. Summary
     • Clients are applications
     • Authorization servers grant tokens
       • to applications
       • on behalf of users
  56. Summary
     • Users approve token grants
       • Implied consent - password
       • Explicit - authorization code/implicit
     • Tokens can be
       • JWT or opaque
       • Validated offline or with the authorization server
  57. Summary
     • access_token is used for
       • Accessing endpoints over HTTP
       • Carried in the Authorization header
     • id_token is used for
       • Authenticating and identifying a user
       • Accessing the user information endpoint
  58. Access Token Summary
     • Can be opaque or JWT (JSON Web Token)
     • JWT offers offline validation
     • Opaque tokens solve token explosion
     • Can be granted with or without sharing user credentials
     • Approvals can be implied or explicit
     • Expire or are revoked
       • Explicit revocation
       • Revocation due to changed password/secret
  59. DEMO
  60. Use case Setup (diagram): Enterprise User Store, Application, Todo API; arrows labelled Authenticate and Access
  61. Security Model (diagram: Access Application, List Todo Items, Add Todo Items)
     • All enterprise users can access the application
     • Only users in Group 1 can list items
     • Only users in Group 2 can add items
  62. Thank You
