Full stack security

Full Stack Security
OAuth/OpenID Connect and JWT
connecting frontend and backend
DPC, Oct 2015
Peter.Varga
@thevrg
http://dpc.hu
DPC Consulting Ltd
Agenda
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A
OAuth 2.0
OAuth 2.0
● Open standard for authorization (RFC 6749)
● Provides a method for a third-party to access
resources on behalf of a resource owner
● OAuth 2.0 tokens are also used to imply
authentication
● OAuth 2.0 process consists of:
1. Obtaining an authorization grant
2. Obtaining an access token
3. Using the access token to make requests
Problems Addressed by OAuth 2.0
● In the traditional model, giving a third party access to a
resource owner's resources means:
– The third party must store the resource owner's credentials
– Third-party access is not limited in scope
– Third-party access is not limited in time
– The resource owner cannot revoke access to one third
party only; the only way to revoke access is to change
the credentials
● OAuth2 presents an alternative solution addressing
each of these issues
OAuth 2.0 Roles
● Client
● Resource Owner
● Authorization Server
● Resource Server
OAuth 2.0 Terminology
● Authorization Grant:
– credentials representing the resource owner’s
authorization
– used by the client to obtain an access token
● Access Token:
– credentials used to access protected resources
– represents specific scopes and durations of access
● Refresh Token:
– credentials used to obtain a new access token when the
current access token becomes invalid
● Scope:
– determines the specific resources that can be accessed
and the duration of the grant
OAuth 2.0 Clients
● Confidential: can protect their credentials
– web applications
● Public: cannot keep their credentials confidential
– mobile phone apps
– desktop clients
– web browsers
● Before the OAuth2 process can take place, the client
must register with the authorization server
Obtaining Access Token
● There are different ways to obtain an access token:
– Authorization Code
– Implicit
– Resource Owner Password Credentials
– Client Credentials
– Extension Mechanism; e.g. SAML2 Token Insertion
● All communication must be performed through a
secure channel
Authorization Code Flow
Authorization Code Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
● response_type=code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
3: User authorizes request
● User authenticates if not authenticated yet
Authorization Code Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code=AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests Access Token
POST https://oauthprovider.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
7: Client receives Access Token
{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":3872,
"refresh_token":"REFRESH_TOKEN","scope":"read","uid":,
"info":{"name":"Peter Varga","email":"peter.varga@dpc.hu"}}
Implicit Flow
Implicit Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
● response_type=token
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
3: User authorizes request
● User authenticates if not authenticated yet
Implicit Flow (4-6)
4: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback#token=ACCESS_TOKEN
● #token=ACCESS_TOKEN
5: Client loads JavaScript which extracts the token from the hash
● The web server does not receive the access token directly
6: Script extracts the Access Token from the URL’s hash
● Now the script can share it with the client
Access Token
● The access token is a “bearer token”; anyone
presenting it can obtain access:
– The access token is sent through TLS/SSL from the
authorization server to the client
– The access token usually has a short life span and is
renewed through refresh tokens
● A client can query the resource server endpoints to
access resources/information
Accessing Resources
● Once in possession of an access token, the client
presents the token to the resource server
● The resource server validates the token, its scope
and its expiry date
● The validation generally requires interaction or
coordination with the authorization server
GET /protected/resource HTTP/1.1
Host: resource.example.com
Authorization: Bearer ACCESS_TOKEN
Access Token Information
● The specification does not define the
communication between the resource server and
the authorization server
● There are proprietary mechanisms/implementations
– The authorization server has an endpoint which can be
used to get info about the presented access token
GET /openam/oauth2/tokeninfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
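The resource-server side of the two requests above, as an added Node.js example that is not part of the slides: it parses the `Authorization: Bearer` header, asks the authorization server about the token (the slides' tokeninfo call is replaced by an in-memory lookup table with constructed sample tokens, since the response format of that endpoint is vendor-specific), and then checks expiry and scope before letting the request through. The status codes and `WWW-Authenticate` challenges follow RFC 6750; the token values and the tokeninfo field names are assumptions.

```javascript
// Added example (not from the slides): bearer-token checks on a resource server.
// Node.js, no dependencies.

// RFC 6750 section 2.1: the credential after "Bearer" is a token68 string.
const TOKEN68 = /^[A-Za-z0-9\-._~+/]+=*$/;

// Returns the bearer token, or null when the header is absent or malformed.
// The scheme name is matched case-insensitively, as RFC 7235 requires.
function parseBearerHeader(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader.trim());
  if (!m || !TOKEN68.test(m[1])) return null;
  return m[1];
}

// Stand-in for GET /openam/oauth2/tokeninfo: constructed sample data mapping a
// token to what the authorization server would report about it.
const TOKENINFO = {
  ACCESS_TOKEN: { scope: ['read'], expires_in: 3872, client_id: 'CLIENT_ID' },
  STALE_TOKEN:  { scope: ['read', 'write'], expires_in: 0, client_id: 'CLIENT_ID' },
};
function lookupTokenInfo(token) {
  return TOKENINFO[token] || null; // null: the authorization server does not know this token
}

// Decide whether a request may reach the protected resource. Returns the status
// and headers the resource server would answer with: 401 plus a challenge for a
// missing or invalid token, 403 when the token lacks the required scope.
// The token itself is never written to logs or error messages.
function authorizeRequest(headers, requiredScope, lookup = lookupTokenInfo) {
  const token = parseBearerHeader(headers['authorization']);
  if (!token) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer realm="resource.example.com"' } };
  }
  const info = lookup(token);
  if (!info || info.expires_in <= 0) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer error="invalid_token"' } };
  }
  if (!info.scope.includes(requiredScope)) {
    return {
      status: 403,
      headers: { 'WWW-Authenticate': `Bearer error="insufficient_scope", scope="${requiredScope}"` },
    };
  }
  return { status: 200, headers: {}, clientId: info.client_id, scope: info.scope };
}
```

In a real deployment `lookupTokenInfo` is where the proprietary round trip to the authorization server (or a local cache of its answers) happens; everything after it is the part the resource server must get right regardless of which authorization server it talks to.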
Bearer Token Recommendations
● Safeguard bearer tokens
● Validate TLS certificate chains
● Always use TLS (https)
● Don’t store bearer tokens in cookies
● Issue short-lived bearer tokens
● Issue scoped bearer tokens
● Don’t pass bearer tokens in URLs
OpenID Connect
OAuth 2.0 is NOT an Authentication Protocol
OpenID Connect
● OpenID Connect = Identity + Authentication + OAuth2
● OAuth 2.0 is an authorization protocol; when a
client receives an access token it does not know the
identity of the user
● OpenID Connect leverages the OAuth 2.0
handshake to provide Identity assertion through an
ID token
● With OAuth 2.0 the client requests an access token;
with OpenID Connect the client requests an access
token and an ID token
OpenID Connect Flow
OpenID Connect Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=openid%20profile
● response_type=code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=openid%20profile
3: User authorizes request
● User authenticates if not authenticated yet
OpenID Connect Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code=AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests Access Token
POST https://www.googleapis.com/oauth2/v3/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
7: Client receives Access Token
{"access_token": "ya29.JgEXH5-koEv0wnizPyikm8qdpRG",
"token_type": "Bearer", "expires_in": 3597,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc0ZWIyNDY1MGE0NzViNDkz.
ZGQzZjFiMjU2MmM5MTZmOTA1MzIyOTAifQ.
eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3Vi"}
OpenID Connect ID Token
● Signed claim about user identity
● In standard JSON Web Token (JWT) format
● Client must validate it:
– Signature
– Audience
– Expiry
– Nonce
JSON Web Token
JSON Web Token
● Compact, URL-safe means of representing
claims to be transferred between two parties
● IETF Standard
– https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
– http://jwt.io/
● Simple Structure:
– Header
– Payload
– Signature
JSON Web Token (JWT) Structure
User Information Endpoint
● Specified by OpenID Connect
● Returns information about the user of the current session
represented by the access token
GET /openam/oauth2/userinfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "janedoe@example.com"
}
Demo
Starting Implicit Flow with OpenID Connect
Processing Tokens Passed by the Authorization Server
Summary
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A
Q & A
1 of 35

Recommended

OpenID Connect 1.0 Explained by
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
1.1K views7 slides
Mit 2014 introduction to open id connect and o-auth 2 by
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
15.2K views202 slides
OpenID Connect - An Emperor or Just New Cloths? by
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
11.3K views32 slides
OpenID Connect: An Overview by
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
13.2K views17 slides
OAuth 2.0 and OpenId Connect by
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
3K views39 slides
CIS14: Working with OAuth and OpenID Connect by
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
3.2K views54 slides

More Related Content

What's hot

Authentication and Authorization Architecture in the MEAN Stack by
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
5.2K views20 slides
CIS14: OAuth and OpenID Connect in Action by
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
615 views31 slides
OpenID Connect: The new standard for connecting to your Customers, Partners, ... by
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
12.1K views41 slides
OpenID Connect and Single Sign-On for Beginners by
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
22.7K views30 slides
Protecting web APIs with OAuth 2.0 by
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
1.2K views22 slides
Stateless authentication with OAuth 2 and JWT - JavaZone 2015 by
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
28.3K views81 slides

What's hot(20)

Authentication and Authorization Architecture in the MEAN Stack by FITC
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
FITC5.2K views
CIS14: OAuth and OpenID Connect in Action by CloudIDSummit
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit615 views
OpenID Connect: The new standard for connecting to your Customers, Partners, ... by Salesforce Developers
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers12.1K views
Stateless authentication with OAuth 2 and JWT - JavaZone 2015 by Alvaro Sanchez-Mariscal
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
The Client is not always right! How to secure OAuth authentication from your... by Mike Schwartz
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz2K views
Stateless Auth using OAuth2 & JWT by Gaurav Roy
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy11.5K views
OpenID Connect vs. OpenID 1 & 2 by Mike Schwartz
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
Mike Schwartz10.4K views
OAuth 2.0 Updates #technight by Nov Matake
OAuth 2.0 Updates #technightOAuth 2.0 Updates #technight
OAuth 2.0 Updates #technight
Nov Matake3.9K views
Securing your APIs with OAuth, OpenID, and OpenID Connect by Manish Pandit
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit4K views
An Authentication and Authorization Architecture for a Microservices World by VMware Tanzu
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu12.6K views
Single Sign On with OAuth and OpenID by Gasperi Jerome
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
Gasperi Jerome5.2K views
FIDO2 Specifications Overview by FIDO Alliance
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance1.4K views
Stateless token-based authentication for pure front-end applications by Alvaro Sanchez-Mariscal
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
LASCON 2017: SAML v. OpenID v. Oauth by Mike Schwartz
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz1.8K views

Viewers also liked

Idcon11 implicit demo by
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demoRyo Ito
4.1K views62 slides
Java 9 and Project Jigsaw by
Java 9 and Project JigsawJava 9 and Project Jigsaw
Java 9 and Project JigsawDPC Consulting Ltd
1.7K views27 slides
Jsonp coding dojo by
Jsonp coding dojoJsonp coding dojo
Jsonp coding dojoDPC Consulting Ltd
355 views23 slides
Docker+java by
Docker+javaDocker+java
Docker+javaDPC Consulting Ltd
1.2K views30 slides
Két Java fejlesztő első Scala projektje by
Két Java fejlesztő első Scala projektjeKét Java fejlesztő első Scala projektje
Két Java fejlesztő első Scala projektjeDPC Consulting Ltd
1.1K views24 slides
Federation Lab and OpenID Connect by
Federation Lab and OpenID ConnectFederation Lab and OpenID Connect
Federation Lab and OpenID ConnectAndreas Åkre Solberg
2K views17 slides

Viewers also liked(16)

Idcon11 implicit demo by Ryo Ito
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demo
Ryo Ito4.1K views
Két Java fejlesztő első Scala projektje by DPC Consulting Ltd
Két Java fejlesztő első Scala projektjeKét Java fejlesztő első Scala projektje
Két Java fejlesztő első Scala projektje
DPC Consulting Ltd1.1K views
OpenID ConnectとAndroidアプリのログインサイクル by Masaru Kurahayashi
OpenID ConnectとAndroidアプリのログインサイクルOpenID ConnectとAndroidアプリのログインサイクル
OpenID ConnectとAndroidアプリのログインサイクル
Masaru Kurahayashi14.9K views
OpenID Foundation Foundation Financial API (FAPI) WG by Nat Sakimura
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura13.9K views
ID連携概要 - OpenID TechNight vol.13 by Nov Matake
ID連携概要 - OpenID TechNight vol.13ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13
Nov Matake37.1K views
Securing RESTful APIs using OAuth 2 and OpenID Connect by Jonathan LeBlanc
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc49.2K views
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜 by Masaru Kurahayashi
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
OpenID Connect 入門 〜コンシューマーにおけるID連携のトレンド〜
Masaru Kurahayashi146.9K views
今更聞けないOAuth2.0 by Takahiro Sato
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
Takahiro Sato68.9K views
これからのネイティブアプリにおけるOpenID Connectの活用 by Masaru Kurahayashi
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
Masaru Kurahayashi25.8K views
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu... by Amazon Web Services
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Amazon Web Services34.4K views

Similar to Full stack security

Oauth2 and OWSM OAuth2 support by
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
4K views45 slides
Oauth 2.0 security by
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
942 views20 slides
OAuth and Open-id by
OAuth and Open-idOAuth and Open-id
OAuth and Open-idParisa Moosavinezhad
179 views25 slides
Accessing APIs using OAuth on the federated (WordPress) web by
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
251 views31 slides
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo... by
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
2.2K views27 slides
An introduction to OAuth 2 by
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
733 views31 slides

Similar to Full stack security(20)

Oauth2 and OWSM OAuth2 support by Gaurav Sharma
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma4K views
Accessing APIs using OAuth on the federated (WordPress) web by Felix Arntz
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz251 views
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo... by Good Dog Labs, Inc.
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.2.2K views
(1) OAuth 2.0 Overview by anikristo
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo560 views
Stateless Auth using OAUTH2 & JWT by Mobiliya
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya1K views
OAuth [noddyCha] by noddycha
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
noddycha980 views
Introduction to OAuth by Wei-Tsung Su
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su1.3K views
The OpenID Connect Protocol by Clément OUDOT
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT1.8K views
OAuth 2.0 and OpenID Connect by Jacob Combs
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs247 views
OAuth - Alex Bilbie by Eduserv
OAuth - Alex BilbieOAuth - Alex Bilbie
OAuth - Alex Bilbie
Eduserv585 views
Amazon Cognito OAuth 2.0 Grants by Sibtay Abbas
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 Grants
Sibtay Abbas13 views
Spring security oauth2 by axykim00
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00343 views
Kaunas jug presentation by Adamsus
Kaunas jug presentationKaunas jug presentation
Kaunas jug presentation
Adamsus203 views
Microservice security with spring security 5.1,Oauth 2.0 and open id connect by Nilanjan Roy
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy75 views

More from DPC Consulting Ltd

Scaling on AWS by
Scaling on AWSScaling on AWS
Scaling on AWSDPC Consulting Ltd
229 views27 slides
Microservices and modularity with java by
Microservices and modularity with javaMicroservices and modularity with java
Microservices and modularity with javaDPC Consulting Ltd
1.2K views48 slides
Garbage First Garbage Collector Algorithm by
Garbage First Garbage Collector AlgorithmGarbage First Garbage Collector Algorithm
Garbage First Garbage Collector AlgorithmDPC Consulting Ltd
589 views62 slides
Power tools in Java by
Power tools in JavaPower tools in Java
Power tools in JavaDPC Consulting Ltd
1K views51 slides
Server in your Client by
Server in your ClientServer in your Client
Server in your ClientDPC Consulting Ltd
852 views19 slides
OSGi as Enterprise Integration Platform by
OSGi as Enterprise Integration PlatformOSGi as Enterprise Integration Platform
OSGi as Enterprise Integration PlatformDPC Consulting Ltd
938 views16 slides

More from DPC Consulting Ltd(6)

Recently uploaded

NTGapps NTG LowCode Platform by
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform Mustafa Kuğu
437 views30 slides
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueShapeBlue
207 views54 slides
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023 by
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023BookNet Canada
44 views19 slides
Future of Indian ConsumerTech by
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTechKapil Khandelwal (KK)
36 views68 slides
Transcript: Redefining the book supply chain: A glimpse into the future - Tec... by
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...BookNet Canada
41 views16 slides
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...ShapeBlue
183 views18 slides

Recently uploaded(20)

NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu437 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue207 views
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023 by BookNet Canada
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
BookNet Canada44 views
Transcript: Redefining the book supply chain: A glimpse into the future - Tec... by BookNet Canada
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
Transcript: Redefining the book supply chain: A glimpse into the future - Tec...
BookNet Canada41 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue183 views
Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
The Power of Generative AI in Accelerating No Code Adoption.pdf by Saeed Al Dhaheri
The Power of Generative AI in Accelerating No Code Adoption.pdfThe Power of Generative AI in Accelerating No Code Adoption.pdf
The Power of Generative AI in Accelerating No Code Adoption.pdf
Saeed Al Dhaheri39 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash162 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue224 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue152 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue129 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue208 views
"Package management in monorepos", Zoltan Kochan by Fwdays
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan Kochan
Fwdays34 views
Business Analyst Series 2023 - Week 4 Session 7 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10146 views
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue by ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlueWhat’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
ShapeBlue265 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue141 views

Full stack security

  • 1. Full Stack Security OAuth/OpenID Connect and JWT connecting frontend and backend DPC, Oct 2015 Peter.Varga @thevrg http://dpc.hu DPC Consulting Ltd
  • 2. Agenda ● OAuth 2.0 ● OpenID Connect ● JSON Web Token (JWT) ● Demo ● Q&A
  • 4. OAuth 2.0 ● Open standard for authorization (RFC 6749) ● Provides a method for a third-party to access resources on behalf of a resource owner ● OAuth 2.0 token are also used to imply authentication ● OAuth 2.0 process consists of: 1. Obtaining an authorization grant 2. Obtaining an access token 3. Using the access token to make requests
  • 5. Problems Addressed by OAuth 2.0 ● In traditional model, a third-party given access to a resource owner resources means: – Third-party must store the resource owner credentials – Third-party access is not limited in scope – Third-party access is not limited in time – The resource owner cannot revoke access to one third- party only; the only way to revoke access being a change in credentials ● OAuth2 presents an alternative solution addressing each of these issues
  • 6. OAuth 2.0 Roles ● Client ● Resource Owner ● Authorization Server ● Resource Server
  • 7. OAuth 2.0 Terminology ● Authorization Grant: – credentials representing the resource owner’s authorization – used by the client to obtain an access token ● Access Token: – credentials used to access protected resources – represents specific scopes and durations of access ● Refresh Token: – credentials used to obtain a new access token when current access token becomes invalid ● Scope: – determines the specific resources that can be accessed and the duration of the grant
  • 8. OAuth 2.0 Clients ● Confidential: can protect their credentials – web applications ● Public: risk to expose their credentials – mobile phone apps – desktop clients – web-browsers ● Before OAuth2 process can take place, the client must register to the authorization server
  • 9. Obtaining Access Token ● There are different ways to obtain an access token: – Authorization Code – Implicit – Resource Owner Password Credentials – Client Credentials – Extension Mechanism; e.g. SAML2 Token Insertion ● All communication must be performed through a secure channel
  • 11. Authorization Code Flow (1-3) 1-2: Authorization Request https://oauthprovider.example.com/oauth/authorize? response_type=code&client_id= CLIENT_ID&redirect_uri= CALLBACK_URL&scope=rea d ● response_type= code ● client_id=CLIENT_ID ● redirect_uri=CALLBACK_URL ● scope=read 3: User authorizes request ● User authenticates if not authenticated yet
  • 12. Authorization Code Flow (4-7) 4-5: Browser is redirected to Client’s CALLBACK_URL https://sample.oauthclient.com/callback?code= AUTHORIZATION_CODE ● code=AUTHORIZATION_CODE 6: Client requests Access Token POST https://oauthprovider.example.com/oauth/token Content-Type: application/x-www-form-urlencoded client_id=CLIENT_ID&client_secret= CLIENT_SECRET&grant_type=authorization_c ode&code=AUTHORIZATION_CODE &redirect_uri= CALLBACK_URL 7: Client receives Access Token {"access_token":" ACCESS_TOKEN","token_type":"bearer","expires_in":3872," refresh_token":" REFRESH_TOKEN","scope":"read","uid":,"info":{"name":"Peter Varga","email":"peter.varga@dpc.hu"}}
  • 14. Implicit Flow (1-3) 1-2: Authorization Request https://oauthprovider.example.com/oauth/authorize? response_type=token&client_id= CLIENT_ID&redirect_uri= CALLBACK_URL&scope=re ad ● response_type= token ● client_id=CLIENT_ID ● redirect_uri=CALLBACK_URL ● scope=read 3: User authorizes request ● User authenticates if not authenticated yet
15. Implicit Flow (4-6)
4: Browser is redirected to the Client’s CALLBACK_URL
https://sample.oauthclient.com/callback#token=ACCESS_TOKEN
● #token=ACCESS_TOKEN
5: Client loads JavaScript which will extract the token from the hash
● The web server does not get the access token directly
6: Script extracts the Access Token from the URL’s hash
● Now the script can share it with the client
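Steps 4 to 6 of the Implicit Flow as the browser-side script would carry them out. This is an added example, not the demo code from the talk. The slide abbreviates the fragment as #token=ACCESS_TOKEN; RFC 6749 section 4.2.2 names the parameter access_token (alongside token_type, expires_in, scope and state), and the example uses those names. The hash string is constructed inline and stands in for the browser's location.hash; the stored `state` value is assumed to have been saved (for example in sessionStorage) before the redirect.

```javascript
// Added example (not from the slides): handling the fragment of the implicit-flow callback.

// Turn "#a=1&b=2" (or "a=1&b=2") into a plain object. URLSearchParams does the
// percent-decoding, so scope=openid%20profile comes back as "openid profile".
function parseFragment(hash) {
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  const out = {};
  for (const [key, value] of params) out[key] = value;
  return out;
}

// Accept the token only if the fragment is a bearer token response for the request this
// page started (matching `state`). Anything else is treated as a failed login.
function extractAccessToken(hash, expectedState) {
  const p = parseFragment(hash);
  if (p.error) throw new Error('authorization failed: ' + p.error);
  if (p.state !== expectedState) throw new Error('state mismatch');
  if (!p.access_token) throw new Error('no access_token in fragment');
  if ((p.token_type || '').toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  return {
    accessToken: p.access_token,
    expiresIn: Number(p.expires_in) || undefined, // seconds until the token expires
    scope: p.scope,
  };
}

// Once the token has been read, the fragment should not stay in the address bar or
// browser history. In a page this would be applied with
// history.replaceState(null, '', cleanedUrl(location.href)).
function cleanedUrl(href) {
  const i = href.indexOf('#');
  return i < 0 ? href : href.slice(0, i);
}
```

Because the fragment is never sent to the server (step 5), every check here runs in the browser: the script, not the web server, is the party that decides whether to trust what came back.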
16. Access Token
● The access token is a “bearer token”; anyone presenting it can obtain access:
– The access token is sent over TLS/SSL from the authorization server to the client
– The access token usually has a short lifespan and is renewed through refresh tokens
● A client can query the resource server endpoints to access resources/information
17. Accessing Resources
● Once in possession of an access token, the client presents the token to the resource server
● The resource server validates the token, its scope and its expiry date
● The validation generally requires interaction or coordination with the authorization server
GET /protected/resource HTTP/1.1
Host: resource.example.com
Authorization: Bearer ACCESS_TOKEN
18. Access Token Information
● The specification does not cover the communication between the resource server and the authorization server
● There are proprietary mechanisms/implementations
– The authorization server has an endpoint which can be used to get information about the presented access token
GET /openam/oauth2/tokeninfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
19. Bearer Token Recommendations
● Safeguard bearer tokens
● Validate TLS certificate chains
● Always use TLS (https)
● Don’t store bearer tokens in cookies
● Issue short-lived bearer tokens
● Issue scoped bearer tokens
● Don’t pass bearer tokens in URLs
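How a resource server handles the request of slide 17 (token, scope and expiry are all checked) while following the recommendations of slide 19 (a token arriving in the URL is refused rather than honoured). This is an added example, not code from the talk. The token-info call of slide 18 is stood in for by `demoLookup`, an in-memory table with constructed token data; the request object is a plain `{ url, headers }` pair of the kind Node's http module provides.

```javascript
// Added example (not from the slides): bearer-token checks on the resource server.

// Pull the token out of "Authorization: Bearer <token>". The token syntax is the
// b64token of RFC 6750 section 2.1; anything else (Basic, an empty value) yields null.
function extractBearerToken(headers) {
  const auth = headers['authorization'] || headers['Authorization'];
  if (!auth) return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/.exec(auth);
  return m ? m[1] : null;
}

// Decide whether `req` may reach a resource that needs `requiredScope`.
// `tokenInfoLookup(token)` returns { sub, scope, expires_at } or null, playing the role
// of the authorization server's token-info endpoint. `now` is seconds since the epoch.
function authorizeRequest(req, requiredScope, tokenInfoLookup, now) {
  // Tokens in the query string end up in access logs, proxies and browser history,
  // so a request that carries one there is rejected outright instead of being honoured.
  const url = new URL(req.url, 'http://localhost');
  if (url.searchParams.has('access_token')) {
    return { status: 400, reason: 'access token in URL is not accepted' };
  }
  const token = extractBearerToken(req.headers);
  if (!token) {
    return { status: 401, reason: 'missing bearer token', challenge: 'Bearer realm="api"' };
  }
  const info = tokenInfoLookup(token);
  if (!info) return { status: 401, reason: 'invalid token' };
  if (info.expires_at <= now) return { status: 401, reason: 'token expired' };
  if (!info.scope.split(' ').includes(requiredScope)) {
    return { status: 403, reason: 'insufficient scope', challenge: 'Bearer scope="' + requiredScope + '"' };
  }
  return { status: 200, subject: info.sub };
}

// Constructed token store standing in for the authorization server's tokeninfo endpoint.
// ACCESS_TOKEN is the placeholder from the slides; the expiry mirrors "expires_in":3872
// measured from a constructed issue time.
const CONSTRUCTED_ISSUED_AT = 1445000000;
const CONSTRUCTED_TOKENS = {
  ACCESS_TOKEN: { sub: '248289761001', scope: 'read', expires_at: CONSTRUCTED_ISSUED_AT + 3872 },
};
function demoLookup(token) {
  return CONSTRUCTED_TOKENS[token] || null;
}
```

The status codes follow RFC 6750: 401 with a `WWW-Authenticate: Bearer` challenge when the token is missing, invalid or expired, and 403 when the token is fine but its scope does not cover the resource.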
21. OAuth 2.0 is NOT an Authentication Protocol
22. OpenID Connect
● OpenID Connect = Identity, Authentication + OAuth2
● OAuth 2.0 is an authorization protocol; when a client receives an access token it does not know the identity of the user
● OpenID Connect leverages the OAuth 2.0 handshake to provide an identity assertion through an ID token
● With OAuth 2.0 the client requests an access token; with OpenID Connect the client requests an access token and an ID token
24. OpenID Connect Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=openid%20profile
● response_type=code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=openid%20profile
3: User authorizes the request
● User authenticates first if not authenticated yet
25. OpenID Connect Flow (4-7)
4-5: Browser is redirected to the Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code=AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests an Access Token
POST https://www.googleapis.com/oauth2/v3/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
7: Client receives an Access Token and an ID Token
{"access_token": "ya29.JgEXH5-koEv0wnizPyikm8qdpRG", "token_type": "Bearer", "expires_in": 3597, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc0ZWIyNDY1MGE0NzViNDkz.ZGQzZjFiMjU2MmM5MTZmOTA1MzIyOTAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3Vi"}
26. OpenID Connect ID Token
● Signed claim about user identity
● In standard JSON Web Token (JWT) format
● Client must validate it:
– Signature
– Audience
– Expiry
– Nonce
28. JSON Web Token
● Compact, URL-safe means of representing claims to be transferred between two parties
● IETF Standard
– https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
– http://jwt.io/
● Simple Structure:
– Header
– Payload
– Signature
29. JSON Web Token (JWT) Structure
30. User Information Endpoint
● OpenID Connect specifies it
● Retrieves the user info about the current session represented by the access token
GET /openam/oauth2/userinfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "email": "janedoe@example.com"
}
31. Demo
32. Starting Implicit Flow with OpenID Connect
33. Processing Tokens Passed by the Authorization Server
34. Summary
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A
35. Q & A