1. Full Stack Security
OAuth/OpenID Connect and JWT
connecting frontend and backend
DPC, Oct 2015
Peter.Varga
@thevrg
http://dpc.hu
DPC Consulting Ltd

2. Agenda
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A

3. OAuth 2.0

4. OAuth 2.0
● Open standard for authorization (RFC 6749)
● Provides a method for a third-party to access
resources on behalf of a resource owner
● OAuth 2.0 token are also used to imply
authentication
● OAuth 2.0 process consists of:
1. Obtaining an authorization grant
2. Obtaining an access token
3. Using the access token to make requests

5. Problems Addressed by OAuth 2.0
● In traditional model, a third-party given access to a
resource owner resources means:
– Third-party must store the resource owner credentials
– Third-party access is not limited in scope
– Third-party access is not limited in time
– The resource owner cannot revoke access to one third-
party only; the only way to revoke access being a change
in credentials
● OAuth2 presents an alternative solution addressing
each of these issues

6. OAuth 2.0 Roles
● Client
● Resource Owner
● Authorization Server
● Resource Server

7. OAuth 2.0 Terminology
● Authorization Grant:
– credentials representing the resource owner’s
authorization
– used by the client to obtain an access token
● Access Token:
– credentials used to access protected resources
– represents specific scopes and durations of access
● Refresh Token:
– credentials used to obtain a new access token when
current access token becomes invalid
● Scope:
– determines the specific resources that can be accessed
and the duration of the grant

8. OAuth 2.0 Clients
● Confidential: can protect their credentials
– web applications
● Public: risk to expose their credentials
– mobile phone apps
– desktop clients
– web-browsers
● Before OAuth2 process can take place, the client
must register to the authorization server

9. Obtaining Access Token
● There are different ways to obtain an access token:
– Authorization Code
– Implicit
– Resource Owner Password Credentials
– Client Credentials
– Extension Mechanism; e.g. SAML2 Token Insertion
● All communication must be performed through a
secure channel

10. Authorization Code Flow

11. Authorization Code Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?
response_type=code&client_id= CLIENT_ID&redirect_uri= CALLBACK_URL&scope=rea
d
● response_type= code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
3: User authorizes request
● User authenticates if not authenticated yet

12. Authorization Code Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code= AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests Access Token
POST https://oauthprovider.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded
client_id=CLIENT_ID&client_secret= CLIENT_SECRET&grant_type=authorization_c
ode&code=AUTHORIZATION_CODE &redirect_uri= CALLBACK_URL
7: Client receives Access Token
{"access_token":" ACCESS_TOKEN","token_type":"bearer","expires_in":3872,"
refresh_token":" REFRESH_TOKEN","scope":"read","uid":,"info":{"name":"Peter
Varga","email":"peter.varga@dpc.hu"}}

13. Implicit Flow

14. Implicit Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?
response_type=token&client_id= CLIENT_ID&redirect_uri= CALLBACK_URL&scope=re
ad
● response_type= token
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
3: User authorizes request
● User authenticates if not authenticated yet

15. Implicit Flow (4-6)
4: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback #token=ACCESS_TOKEN
● #token=ACCESS_TOKEN
5: Client loads javascript which will extract token from hash
● The web server does not get access token directly
6: Script extracts Access Token from URL’s hash
● Now the script can share it with the client

16. Access Token
● The access token is a “bearer token”; anyone
presenting it can obtain access:
– The access token is sent through TLS/SSL from the
authorization server to the client
– The access token usually has a short life span and is
renewed through refresh tokens
● A client can query the resource server endpoints to
access resources/information

17. Accessing Resources
● Once in possession of an access token, the client
presents the token to the resource server
● The resource server validates the token, its scope
and its expiry date
● The validation generally requires interaction or
coordination with the authorization server
GET /protected/resource HTTP/1.1
Host: resource.example.com
Authorization: Bearer ACCESS_TOKEN

18. Access Token Information
● The specification does not include the
communication between the resource server and
the authorization server
● There are proprietary mechanisms/implementations
– The authorization server has an endpoint which can be
used to get info about the presented access token
GET /openam/oauth2/tokeninfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN

19. Bearer Token Recommendations
● Safeguard bearer tokens
● Validate TLS certificate chains
● Always use TLS (https)
● Don’t store bearer tokens in cookies
● Issue short-lived bearer tokens
● Issue scoped bearer tokens
● Don’t pass bearer tokens in URLs

20. OpenID Connect

21. OAuth 2.0 is NOT an Authentication Protocol

22. OpenID Connect
● OpenID connect = Identity, Authentication + OAuth2
● OAuth 2.0 is an authorization protocol; when a
client receives an access token it does not know the
identity of the user
● OpenID Connect leverages the OAuth 2.0
handshake to provide Identity assertion through an
ID token
● With OAuth 2.0 the client requests an access token;
with OpenID Connect the client requests an access
token and an ID token

23. OpenID Connect Flow

24. OpenID Connect Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?
response_type=code&client_id= CLIENT_ID&redirect_uri= CALLBACK_URL&scope=ope
nid%20profile
● response_type= code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=openid%20profile
3: User authorizes request
● User authenticates if not authenticated yet

25. OpenID Connect Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code= AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests Access Token
POST https://www.googleapis.com/oauth2/v3/token
Content-Type: application/x-www-form-urlencoded
client_id=CLIENT_ID&client_secret= CLIENT_SECRET&grant_type=authorization_c
ode&code=AUTHORIZATION_CODE &redirect_uri= CALLBACK_URL
7: Client receives Access Token
{"access_token": "ya29.JgEXH5-koEv0wnizPyikm8qdpRG",
"token_type": "Bearer","expires_in": 3597," id_token":
"eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc0ZWIyNDY1MGE0NzViNDkz.
ZGQzZjFiMjU2MmM5MTZmOTA1MzIyOTAifQ.
eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3Vi"}

26. OpenID Connect ID Token
● Signed claim about user identity
● In Standard JSON Web Token (JWT) format
● Client must validate it:
– Signature
– Audience
– Expiry
– Nonce

27. JSON Web Token

28. JSON Web Token
● Compact, URL-safe means of representing
claims to be transferred between two parties
● IETF Standard
– https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-
32
– http://jwt.io/
● Simple Structure:
– Header
– Payload
– Signature

29. JSON Web Token (JWT) Structure

30. User Information Endpoint
● OpenID Connect specifies it
● Retrieves the user info about the current session
represented by the access token
GET /openam/oauth2/userinfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "janedoe@example.com"
}

31. Demo

32. Starting Implicit Flow with OpenID
Connect

33. Processing Tokens Passed by the
Authorization Server

34. Summary
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A

35. Q & A