Security Avalanche

Michele Leroux Bustamante
michelebusta@solliance.net
Session I delivered at Oredev, with some updates, more detail, reviewing all of the security standards including WS-Federation, SAML, WS-Trust, OAuth, OpenID Connect.

  1. Security Avalanche
     Michele Leroux Bustamante, michelebusta@solliance.net
  2. Hello World! 1992
  3. Hello World!
  4. Hello World! 1995-2007
  5. Rich Client, Web Services, Web App, Web Services
  6. [Figure: the WS-* stack. Layers, bottom to top: Transport Protocols, XML, Messaging, Metadata, Security, Reliable Messaging, Transactions, Management/QOS, Workflow, Industry-Specific Standards]
  7. Transport Protocols: HTTP, HTTPS, SMTP
  8. XML: XML Schema, XML Digital Signatures, XML Encryption
  9. Messaging: SOAP, WS-Addressing, MTOM, DIME, sWa, WSN, WSRF, WS-Enumeration, WS-Eventing, WS-Transfer
  10. Metadata: WSDL, WS-Policy, WS-PolicyAttachment, WS-MetadataExchange, WS-Discovery
  11. Reliable Messaging: WS-RX, WSRM, WS-RM Policy
  12. Transactions: WS-Coordination, WS-TX, WS-AtomicTransaction, WS-BusinessActivity, WS-CAF
  13. Workflow: BPEL, WS-Choreography
  14. Management/QOS: WSDM, WS-Manageability
  15. Industry-Specific Standards: Insurance, Law Enforcement, Financial Services, Government
  16. Security: OASIS Web Services Security, WS-SX, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Federation, SAML
  17. WS* HELL: WS-Federation, WS-ReliableMessaging, WS-PolicyAttachment, OASIS Web Services Security, WS-Coordination, WS-CAF, WSDL, MTOM, WS-Transfer, WS-Eventing, WS-BusinessActivity, WS-ResourceTransfer, WSRF, DIME, WS-Addressing, SOAP
  18. Hello World! 1992
  19. Rich Client, Web Services, Web App, Web Services
  20. [Figure: today's clients and APIs. Rich Client; Windows Phone 8, Windows Phone 7, iPhone, Windows 8/Surface, Android, Mobile Browsers, iPad; Web API (mobile), Web API (ajax), Web API (business), Web App]
  21. Simple Web Token (SWT), JSON Web Token (JWT), OpenID 1.0, OAuth 1.0a, OpenID 2.0, OAuth WRAP, OpenID Connect 1.0, OAuth 2.0
  22. SIMPLICITY WINS
  23. Security Standards: Goals
     • Single Sign-On (passive federation)
     • Partner federation (home realm redirection)
     • Active federation
     • Delegation (on behalf of)
     • Delegated authorization
  24. Session Agenda
     • Review the relevant standards of today
     • Practical applications
     • Trends
     • Implementation and architecture scenarios
  25. Passive Federation
     [Figure: Browser, Web Application, STS with its Login Page; numbered arrows 1-5]
  26. Active Federation
     [Figure: Rich Client, STS, Web Service; numbered arrows 1-3]
  27. WS-Federation
     • HTTPS
     • SAML bearer tokens
       – Signed by the issuer
       – Unencrypted and no proof key
       – Requires transport protection (anyone holding the token can present it)
     • Core messages
       – SignIn request and response
       – Sign out and clean up
     [Figure: SignIn Response > RequestedSecurityToken > SAML 2 Token: Signature, Subject Confirmation, Token Lifetime, Attributes (Claims = name, role)]
  28. WS-Federation (passive sign-in)
     [Figure: Browser, Passive RP, Passive STS; the Passive STS obtains the token from an Active STS with an RST/RSTR exchange]
     HTTP GET from the browser to the STS: wa=wsignin1.0, wctx=[context], wreq=[token type]
     HTTP POST from the browser back to the RP: wctx=[context], wresult=RSTR (RequestedSecurityToken > SAML 2 Token: Signature, Subject Confirmation, Token Lifetime, Attributes (Claims = name, role))
  29. Home Realm Discovery
     [Figure: Browser (requestor), Web Site (RP), IP-STS (IdP)]
     1. HTTP GET to the IP-STS: wa=wsignin1.0, wtrealm=[Uri], whr=[Uri], wreply=[Uri], wctx=[context]
     2. HTTP POST to the RP: wresult={SignIn Response}, wctx=[context]; the SignIn Response carries the RequestedSecurityToken (SAML 2 Token: Signature, Subject Confirmation, Token Lifetime, Attributes (Claims = name, role))
     The RP must only accept a wresult it can tie to a sign-in it started (wctx), and the STS should only post to a wreply under the registered wtrealm.
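The two passive messages above, as an added example in Python (not code from the deck or from any of the products it mentions). It shows the relying-party side: building the wsignin1.0 redirect with a random wctx, and then checking the POSTed wresult the way a bearer token demands, since nothing but the audience, the lifetime and the issuer signature binds it to this RP. RP_REALM, STS_SIGNIN, the "signin-wsfed" path and the sample RSTR are assumptions constructed for the example; XML signature verification is assumed to be done by an XML-DSig library before parse_signin_response runs.

```python
"""WS-Federation passive sign-in, relying-party side (added example, Python)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Namespaces inside wresult: a WS-Trust 1.3 RSTR wrapping a SAML 2.0 assertion.
NS = {
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical relying-party registration values (assumptions, not from the deck).
RP_REALM = "https://rp.example.org/"
STS_SIGNIN = "https://sts.example.org/wsfed"


def build_signin_url(return_path, whr=None):
    """Redirect target for the browser (wa=wsignin1.0). Returns (url, nonce);
    the nonce goes into the user's session and is checked when the token comes back."""
    nonce = secrets.token_urlsafe(16)
    params = {
        "wa": "wsignin1.0",
        "wtrealm": RP_REALM,
        "wreply": RP_REALM + "signin-wsfed",  # must live under wtrealm; the STS validates it
        "wctx": nonce + ":" + return_path,    # opaque to the STS, echoed back unchanged
    }
    if whr:                                   # home-realm hint (partner federation)
        params["whr"] = whr
    return STS_SIGNIN + "?" + urlencode(params), nonce


def parse_signin_response(post_body, expected_nonce, now):
    """Handle the HTTP POST (wa=wsignin1.0, wresult=RSTR, wctx=...) from the STS.
    Returns (claims, return_path) or raises ValueError. The assertion's XML
    signature is assumed to have been verified against the issuer's certificate
    by an XML-DSig library before this function is called."""
    form = parse_qs(post_body)
    if form.get("wa") != ["wsignin1.0"]:
        raise ValueError("unexpected wa")
    nonce, _, return_path = form.get("wctx", [""])[0].partition(":")
    if not secrets.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("wctx does not match a sign-in this session started")
    if not return_path.startswith("/") or return_path.startswith("//"):
        raise ValueError("wctx return path must be local (open-redirect guard)")

    root = ET.fromstring(form["wresult"][0])
    assertion = root.find(".//t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2 assertion in RSTR")

    # Bearer token: only audience and lifetime bind it to this RP, so check both.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no usable Conditions")
    not_before = cond.get("NotBefore")
    if not_before and now < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if RP_REALM not in audiences:
        raise ValueError("assertion was not issued for this realm")

    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims, return_path


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed wresult for the demonstration: not a real STS response, and unsigned.
SAMPLE_RSTR = f"""<t:RequestSecurityTokenResponseCollection xmlns:t="{NS['t']}">
 <t:RequestSecurityTokenResponse>
  <t:RequestedSecurityToken>
   <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2013-11-07T11:47:59Z">
    <saml:Issuer>https://sts.example.org/</saml:Issuer>
    <saml:Subject><saml:NameID>michele</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-11-07T11:47:59Z" NotOnOrAfter="2013-11-07T12:47:59Z">
     <saml:AudienceRestriction><saml:Audience>{RP_REALM}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
     <saml:Attribute Name="name"><saml:AttributeValue>Michele</saml:AttributeValue></saml:Attribute>
     <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>user</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </t:RequestedSecurityToken>
 </t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection>"""
```

The wctx nonce is what stops an attacker from posting a token they obtained for their own session into the victim's browser; the audience check stops a token issued for another RP in the same federation from being replayed here.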
  30. WS-Trust
     • HTTPS or message security (WS-Security)
     • SAML holder-of-key tokens
       – Signed by the issuer
       – Encrypted for the relying party
       – Include a proof key
     • Core messages (WS-Federation uses them too)
       – RST and RSTR
       – Token validation, renewal or cancellation
  31. WS-Trust / Issue()
     [Figure: Client, Active STS, RP; numbered arrows 1-3]
     1. RST from the Client to the STS: RequestType = Issue, TokenType = SAML 2, AppliesTo = /RelyingParty, Lifetime, Claims = name, role
     2. RSTR from the STS: RequestedSecurityToken (SAML 2 Token: Signature, Subject Confirmation, Token Lifetime, Attributes (Claims = name, role), Proof Key) and RequestedProofToken (Proof Key)
     3. Message from the Client to the RP: the SAML Token travels in the message headers and the message signature is made with the proof key, which is what lets the RP tell the legitimate holder from someone who merely captured the token
  32. Delegation / On Behalf Of
     [Figure: Client, Web Application, STS, Service; labels: Credentials, Bearer token, Holder-of-key token]
  33. SAML
     • Security Assertion Markup Language
       – OASIS standard
       – Several versions: 1.0, 1.1, 2.0
     • Describes an XML security token format and a message exchange protocol
       – Tokens are also used in federated security scenarios for web services
       – Message exchange is primarily browser-based
  34. SAML 2 SP-Initiated
     [Figure: Browser, Service Provider, Identity Provider (STS) with its Login Page; numbered arrows 1-5]
  35. Claims
     • Identity providers typically issue claims based on the user's identity (Authenticate)
  36. Claims
     • Applications may transform identity claims into application-specific claims (Transform)
  37. Where are we now?
  38. Motivation for OAuth
     • No password sharing (valet key)
     • Reduced risk of compromised credentials
     • Ability to revoke access without changing the password
  39. History
     • OAuth 1.0a
       – Complicated workflows
       – Required signatures
       – BUT, no SSL required
     • OAuth 2
       – Simplified workflows
       – Relies on SSL/TLS for transport protection
       – Signatures NOT required
  40. OAuth2 Participants
     • Resource Owner
     • Client
     • Authorization Server
     • Resource Server
  41. OAuth2 Abstract Flow
     • Client requests authorization from the Resource Owner to access resources
     • Resource Owner grants access through the Authorization Server
     • Client uses the access token to request resources from the Resource Server
     • Resource Server returns the resource if the access token is valid
  42. OAuth 2 Abstract Flow
     [Figure: Authorization Request from the Client to the Resource Owner; Authorization Response (return authorization code/grant); Access Token Request to the Authorization Server (send authorization code); Access Token Response (return access_token / refresh_token); Resource Request to the Resource Server (send access_token); Protected Resource]
  43. OAuth 2 Abstract Flow (with a separate Identity Provider)
     [Figure: Resource Owner presents Credentials to the Identity Provider and receives an Authentication Token; Authorization Request/Response between Client, Resource Owner and Authorization Server; Access Token Request/Response; Resource Request to the Resource Server; Protected Resource]
  44. Authorization Grant
     • Represents Resource Owner authorization
     • Types of grants
       – Authorization Code
       – Implicit
       – Resource Owner Password Credentials
       – Client Credentials
  45. Endpoints
     [Figure: the Client hosts the Redirection Endpoint; the Authorization Server hosts the Authorization Endpoint (GET/POST) and the Token Endpoint (POST)]
  46. OAuth2 Flows
     • Authorization Code Grant
       – Redirect based, web server redirect endpoint
     • Implicit Grant
       – Browser based (JavaScript), mobile
     • Resource Owner Password Credentials Grant
       – Resource owner username/password known to the client
     • Client Credentials Grant
       – Application based
     • Extension Grant
  47. Authorization Code
     • User agent redirection (i.e., the browser)
     • Resource Owner must authenticate to the Authorization Server
       – Credentials never shared with the Client
       – Authorization code sent to the Client
     • Client requests the access token using the authorization code
       – Access token never passed through the user agent
  48. Authorization Code Grant
     [Figure: Authorization Request/Response between the Client and the Resource Owner; Access Token Request/Response with the Authorization Server; Resource Request to the Resource Server; Protected Resource]
  49. Authorization Code Flow
     [Figure: Browser, Login Page, Client Application, Authorization Server, Resource Server; numbered arrows 1-7]
     Authorization request (browser redirected to the Authorization Server): response_type, client_id, redirect_uri*, scope*, state*
     Authorization response (browser redirected back to the client's redirect_uri): code, state*
     Access token request (client to the Authorization Server, with client credentials): grant_type, code, redirect_uri, client_id
     Access token response: access_token, token_type, expires_in*, scope*, refresh_token*
     (* = optional. state is optional in the specification but is what ties the callback to a request the client started; without it any visitor can be made to complete someone else's authorization.)
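The client side of the flow just described, as an added example in Python (not code from the deck or from any product it names). It issues a fresh state per request, refuses a callback whose state it cannot match, builds the token request with redirect_uri repeated, and parses the token response; it accepts both the JSON body of RFC 6749 and the form-encoded text/plain body the Facebook trace later in the deck returns. The endpoints, CLIENT_ID, REDIRECT_URI and the session dictionary are assumptions; the HTTP calls themselves are left to whatever client library is in use.

```python
"""OAuth 2 authorization code grant, client side (added example, Python)."""
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical registration values (assumptions, not from the deck).
AUTHORIZE_ENDPOINT = "https://as.example.com/authorize"
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def start_authorization(session, scope):
    """Build the authorization request URL. A fresh random state is stored in
    the user's session so the callback can be tied to this exact request."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """The browser arrives at redirect_uri with ?code=...&state=...
    Returns the form body to POST to TOKEN_ENDPOINT (with the client's
    Basic credentials in the Authorization header), or raises ValueError."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)      # one-time use
    state = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not for a request we started")
    if "error" in query:
        raise ValueError("authorization server returned error=" + query["error"][0])
    # redirect_uri is repeated so the server can check it equals the one the
    # code was issued for; a code stolen via another redirect URI fails here.
    return urlencode({
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    })


def parse_token_response(content_type, body, now=None):
    """Accept the RFC 6749 JSON response or a form-encoded text/plain body
    (the shape Facebook returns in the deck's trace)."""
    now = time.time() if now is None else now
    if content_type.startswith("application/json"):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "access_token" not in data:
        raise ValueError("no access_token in token response: " + json.dumps(data))
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "bearer").lower(),
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]) if "expires_in" in data else None,
    }


def needs_refresh(token, now, skew=60):
    """Refresh shortly before expiry; a token without expires_in can only be tried."""
    return token["expires_at"] is not None and now + skew >= token["expires_at"]


def refresh_request(token, scope=None):
    """Body of the refresh_token grant; scope may only narrow what was approved."""
    body = {"grant_type": "refresh_token", "refresh_token": token["refresh_token"]}
    if scope:
        body["scope"] = scope
    return urlencode(body)
```

The state check is the client's only defence against a forged callback; PKCE, which came later, protects the code itself but does not replace it.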
  50. Implicit
     • Optimized for JavaScript clients
     • Access token issued to the Client directly
       – No authorization code (intermediate credential)
       – Access token may be visible to the resource owner and the user agent, because it comes back in the redirect itself; that is why no refresh token is issued with this grant
  51. Implicit Grant
     [Figure: Authorization Request from the Client via the Resource Owner to the Authorization Server; Access Token Response back the same way; Resource Request to the Resource Server; Protected Resource]
  52. Implicit Flow
     [Figure: Browser, Login Page, Client Application, Authorization Server, Resource Server; numbered arrows 1-5]
     Authorization request: response_type, client_id, redirect_uri*, scope*, state*
     Access token response (delivered in the redirect to the browser): access_token, token_type, expires_in*, scope*, state*
  53. Resource Owner Password Credentials
     • Resource Owner credentials are supplied to request the access token
     • Client is tightly coupled to the Resource Owner
       – High degree of trust
       – Client collects credentials to get the access token
     • Can exchange credentials for an access token
       – Dispose of the password in memory once the token is obtained
  54. Resource Owner Password Credentials Grant
     [Figure: Resource Owner gives its password credentials to the Client; Access Token Request/Response with the Authorization Server; Resource Request to the Resource Server; Protected Resource]
  55. Resource Owner Password Credentials Grant
     [Figure: Login Page, Client Application, Authorization Server, Resource Server; numbered arrows 1-3]
     Access token request: grant_type, username, password, scope*
     Access token response: access_token, token_type, expires_in*, scope*, refresh_token*
  56. Client Credentials
     • Client is also the Resource Owner
     • Presents client credentials to request access
  57. Client Credentials Grant
     [Figure: Client (also Resource Owner): Access Token Request/Response with the Authorization Server; Resource Request to the Resource Server; Protected Resource]
  58. Client Credentials Grant
     [Figure: Client Application, Authorization Server, Resource Server; numbered arrows 1-2]
     Access token request (with client credentials): grant_type, client_id*, scope*
     Access token response: access_token, token_type, expires_in*, scope*, refresh_token*
  59. Extension Grant Flow
     • Client requests an access token by presenting a token and specifying its kind
       – E.g., the SAML 2.0 bearer assertion profile for OAuth 2
  60. Client Registration
     • Establishing trust with the Authorization Server
       – Provide a client type
       – Provide a URL (the redirect URI)
       – Provide other optional information
     • Required for public clients and for implicit grants
     Client Profile        Client Type
     Web Application       Confidential
     User-Agent Based      Public
     Native Application    Public
  61. Client Authentication
     • Clients may register a password (secret) with the Authorization Server
     • Pass it with Basic Authentication
     • If the server does not support that, pass it as form parameters
     • Either way the secret is only base64 or plain text on the wire, so the token endpoint must be HTTPS only, and the secret never belongs in a query string
  62. Client Authentication
     • Basic Authentication (recommended)
        POST /token HTTP/1.1
        Host: server.example.com
        Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
        Content-Type: application/x-www-form-urlencoded

        grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
     • Parameters in the body
        POST /token HTTP/1.1
        Host: server.example.com
        Content-Type: application/x-www-form-urlencoded

        grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
        &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
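Building and checking the Basic header on the slide, as an added example in Python (not code from the deck). Two details trip people up: RFC 6749 has the client_id and client_secret form-urlencoded before they are joined with a colon and base64-encoded, so a secret containing ':' survives, and the server must compare the presented secret in constant time. The registry dictionary is an assumption standing in for the server's client store; the id and secret are the RFC example values shown on the slide.

```python
"""OAuth 2 client authentication at the token endpoint (added example, Python)."""
import base64
import hmac
from urllib.parse import quote, unquote


def basic_client_auth(client_id, client_secret):
    """Client side. RFC 6749 section 2.3.1: percent-encode each value, join with ':',
    base64 the result. For the slide's values this yields the header shown there."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def parse_basic_client_auth(header):
    """Server side. Returns (client_id, client_secret) or None for anything malformed."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")   # first ':' separates the two
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def authenticate_client(header, registry):
    """Return the client_id if the header carries that client's registered secret.
    The comparison is constant-time; an unknown id is compared against an empty
    placeholder so the code path is the same as for a wrong secret."""
    parsed = parse_basic_client_auth(header)
    if parsed is None:
        return None
    client_id, secret = parsed
    expected = registry.get(client_id, "")
    matches = hmac.compare_digest(secret.encode(), expected.encode())
    return client_id if expected and matches else None
```

The same functions serve the form-parameter variant if the server pulls client_id and client_secret out of the body instead of the header; only the transport of the two strings differs.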
  63. Access Token
     • Represents authorization to resources
     • May be signed
     • Format described by accompanying specifications
       – E.g., SAML 2, JWT
  64. Access Token Response
        HTTP/1.1 200 OK
        Content-Type: application/json;charset=UTF-8
        Cache-Control: no-store
        Pragma: no-cache

        {
          "access_token":"2YotnFZFEjr1zCsicMWpAA",
          "token_type":"example",
          "expires_in":3600,
          "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
          "example_parameter":"example_value"
        }
  65. Refresh Token
     • Optional; the Authorization Server decides whether to issue one
     • Sent to the Authorization Server to retrieve another access token
       – With a different (narrower) scope
       – For additional time
     • If the access token has expired, the refresh token can be used to request another one
       – Without prompting the Resource Owner
       – Unless the scope would increase beyond what was approved
  66. Facebook Examples
     (A captured authorization code flow against the Facebook Graph API. Note that the redirect_uri is http://, so the code travels back in the clear; the __sid__ value in it plays the role of state, and the client_secret and access tokens are sent in query strings rather than in a body or an Authorization header, where they would stay out of proxy and server logs.)
  67. Authorization Request
        GET https://www.facebook.com/dialog/oauth?
          client_id=438893679548466&
          redirect_uri=http%3A%2F%2Fdemo.snapboard.com%2FSnapBoardDemo%2FAccount%2FExternalLoginCallback%3F__provider__%3Dfacebook%26__sid__%3D9fbc4fb2ac434930a78e50c895271a0f&
          scope=email%20user_about_me%20user_birthday%20user_friends%20publish_actions HTTP/1.1
  68. Response w/ Grant
        GET http://demo.snapboard.com/SnapBoardDemo/Account/ExternalLoginCallback?
          __provider__=facebook&
          __sid__=9fbc4fb2ac434930a78e50c895271a0f&
          code=AQCxVpduOEybUZVpB74wFCzZZVCPgBfpnBj7tvxSDVGag9u9zV9yX268Wf0eB1rb6nZYmoFRlweasCIKksFQkwzEzE0aWYuzstA_ciHbhJSTmMb0ZsrlZ9jjXLMHrdirigIOz13WC8nWgbXQzuwG1DmmJFEv2KtupZl8KMAIZBSVsu9aewPT5R2lNgSgfg_SW53Qt2qliVP32NEuq0BiuvdphDDSjwWCjSHtW4SMC73DdL9O7Bjt2vzlumDq9b5asuuxFvx_KQknhFRhAX15W8CYBOEWZ0vVYsFjI5tCSMEAYZ6EAm62HEbNZTj9aJw HTTP/1.1
  69. Request Access Token
        GET https://graph.facebook.com/oauth/access_token?
          client_id=438893679548466&
          redirect_uri=http%3A%2F%2Fdemo.snapboard.com%2FSnapBoardDemo%2FAccount%2FExternalLoginCallback%3F__provider__%3Dfacebook%26__sid__%3D9fbc4fb2ac434930a78e50c895271a0f&
          client_secret=8022ba46243c1becc5e4020f72f08bd7&
          code=AQCxVpduOEybUZVpB74wFCzZZVCPgBfpnBj7tvxSDVGag9u9zV9yX268Wf0eB1rb6nZYmoFRlweasCIKksFQkwzEzE0aWYuzstA_ciHbhJSTmMb0ZsrlZ9jjXLMHrdirigIOz13WC8nWgbXQzuwG1DmmJFEv2KtupZl8KMAIZBSVsu9aewPT5R2lNgSgfg_SW53Qt2qliVP32NEuq0BiuvdphDDSjwWCjSHtW4SMC73DdL9O7Bjt2vzlumDq9b5asuuxFvx_KQknhFRhAX15W8CYBOEWZ0vVYsFjI5tCSMEAYZ6EAm62HEbNZTj9aJw&
          scope=email HTTP/1.1
  70. Access Token Response (form-encoded text/plain, not the JSON body RFC 6749 describes)
        HTTP/1.1 200 OK
        Access-Control-Allow-Origin: *
        Cache-Control: private, no-cache, no-store, must-revalidate
        Content-Type: text/plain; charset=UTF-8
        Expires: Sat, 01 Jan 2000 00:00:00 GMT
        Pragma: no-cache
        X-FB-Rev: 997953
        X-FB-Debug: b8sYgk6apQZlsdJEXdTuEN+gisLdVvOQ15CK8o3cLSA=
        Date: Thu, 07 Nov 2013 11:47:59 GMT
        Connection: keep-alive
        Content-Length: 215

        access_token=CAAGPKZBXdGDIBAImEo6Pf6GthtiEdjQoAGWUBiNSwUeTuZAbztASscJKpNZCsuKUSBDQqwJ9ZAPUF7tugWkgbaUqh8vQkHwZCsARz7rEu0j8EfDA0tZA8CIW2ZAbSQh4fNDTNpUm0B4zZAxqycQsYjLhY8BarPp9izFZBUVeAsYQCfoVBqK4WwSxq
  71. Request Profile Info
        GET https://graph.facebook.com/me?access_token=CAAGPKZBXdGDIBAImEo6Pf6GthtiEdjQoAGWUBiNSwUeTuZAbztASscJKpNZCsuKUSBDQqwJ9ZAPUF7tugWkgbaUqh8vQkHwZCsARz7rEu0j8EfDA0tZA8CIW2ZAbSQh4fNDTNpUm0B4zZAxqycQsYjLhY8BarPp9izFZBUVeAsYQCfoVBqK4WwSxq HTTP/1.1
        Host: graph.facebook.com
  72. Profile Response
        HTTP/1.1 200 OK
        …
        Content-Length: 609

        {"id":"574847493","name":"Michele Leroux Bustamante","first_name":"Michele","middle_name":"Leroux","last_name":"Bustamante","link":"https://www.facebook.com/michelebusta","username":"michelebusta","birthday":"LA LA LA LA","bio":"I'm a geek. Wait, no I'm not. Wait, yes I am...","quotes":"Never complain, never explain. -Katherine Hepburn","gender":"female","email":"michelebusta\u0040gmail.com","timezone":1,"locale":"en_US","verified":true,"updated_time":"2013-11-07T11:44:01+0000"}
  73. Invalid Access Token
        GET https://graph.facebook.com/574847493/friends?access_token=CAAGPKZBXdGDIBAGtzITGJq3ykpbuSDF6xQlDxonZCGW15CKCgq4fmfKH5QK7pYq374C9uWcZAZBnJrqZAEpx4gp73U9bGNmJlb0dvby3LkvuVrzGZCxBvZCbWrXWyHuouAil15sm76Q5g4uQ5myiCFRaRaMEOHXLNPCTClK2IApKEkB7A51qe7F&limit=5000&fields=%5B%22id%22%2C%22name%22%2C%22link%22%5D HTTP/1.1

        HTTP/1.1 400 Bad Request
        …
        WWW-Authenticate: OAuth "Facebook Platform" "invalid_token" "Error validating access token: User 574847493 has not authorized application 438893679548466."
        …
        Content-Length: 172

        {"error":{"message":"Error validating access token: User 574847493 has not authorized application 438893679548466.","type":"OAuthException","code":190,"error_subcode":458}}
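What a client should do with the 400 on the last slide, as an added example in Python (not code from the deck, and not Facebook's SDK). The point is that an invalid_token answer means the grant behind the token is gone, so the right reaction is to drop the cached token and send the user back through the authorization request on slide 67; retrying or refreshing cannot help. The canned responses are constructed from slides 72 and 73, and the fake_http_get function stands in for a real HTTP client; the Graph URL layout is taken from the slides.

```python
"""Consuming the resource server's invalid_token answer (added example, Python)."""
import json
import re
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com"

# Constructed (status, headers, body) responses modelled on slides 72 and 73; not live data.
CANNED = {
    "good-token": (200, {}, '{"id":"574847493","name":"Michele Leroux Bustamante"}'),
    "revoked-token": (
        400,
        {"WWW-Authenticate": 'OAuth "Facebook Platform" "invalid_token" '
                             '"Error validating access token: User 574847493 has not '
                             'authorized application 438893679548466."'},
        '{"error":{"message":"Error validating access token: User 574847493 has not '
        'authorized application 438893679548466.","type":"OAuthException","code":190,'
        '"error_subcode":458}}',
    ),
}


def fake_http_get(url):
    """Stand-in for an HTTP client: picks a canned response by the access_token in the URL."""
    return CANNED[re.search(r"access_token=([^&]+)", url).group(1)]


def parse_www_authenticate(header):
    """Facebook's challenge is not in RFC 6750 key=value form; take the quoted strings."""
    parts = re.findall(r'"([^"]*)"', header) if header.startswith("OAuth ") else []
    if len(parts) < 3:
        return None
    return {"realm": parts[0], "error": parts[1], "description": parts[2]}


def graph_get(path, token_store, http=fake_http_get, **params):
    """Return (outcome, payload); outcome is 'ok', 'reauthorize' or 'error'.

    OAuthException code 190 / invalid_token: the user revoked the app, or the
    token is otherwise dead. Forget it and restart the authorization request;
    a refresh or a retry with the same token cannot succeed.
    """
    query = dict(params, access_token=token_store["access_token"])  # query-string style, as on the slides
    status, headers, body = http(GRAPH + path + "?" + urlencode(query))
    if status == 200:
        return "ok", json.loads(body)
    err = json.loads(body).get("error", {}) if body else {}
    challenge = parse_www_authenticate(headers.get("WWW-Authenticate", ""))
    token_dead = (err.get("type") == "OAuthException" and err.get("code") == 190) or \
                 (challenge is not None and challenge["error"] == "invalid_token")
    if token_dead:
        token_store.pop("access_token", None)
        return "reauthorize", err.get("message") or (challenge or {}).get("description")
    return "error", err
```

A bearer token is better carried in an Authorization: Bearer header (RFC 6750) than in the query string; the slides use the query string because that is what the Graph API accepted at the time, and the example mirrors them.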
  74. And now, for a creepy image of the original OpenID
  75. http://openidexplained.com/
  76. OpenID Connect vs. OAuth 2
  77. OpenID Connect Token Response (an ID token delivered alongside the access token)
        HTTP/1.1 200 OK
        Content-Type: application/json
        Cache-Control: no-store
        Pragma: no-cache

        {
          "access_token": "SlAV32hkKG",
          "token_type": "Bearer",
          "refresh_token": "8xLOxBtZp8",
          "expires_in": 3600,
          "id_token": "eyJhbGciOiJSUzI1NiJ9.ew0KICAgICJpc3MiOiAiaHR0cDovL3NlcnZlci5leGFtcGxlLmNvbSIsDQogICAgInVzZXJfaWQiOiAiMjQ4Mjg5NzYxMDAxIiwNCiAgICAiYXVkIjogInM2QmhkUmtxdDMiLA0KICAgICJub25jZSI6ICJuLTBTNl9XekEyTWoiLA0KICAgICJleHAiOiAxMzExMjgxOTcwLA0KICAgICJpYXQiOiAxMzExMjgwOTcwDQp9.lsQI_KNHpl58YY24G9tUHXr3Yp7OKYnEaVpRL0KI4szTD6GXpZcgxIpkOCcajyDiIv62R9rBWASV191Akk1BM36gUMm8H5s8xyxNdRfBViCaxTqHA7X_vV3U-tSWl6McR5qaSJaNQBpg1oGPjZdPG7zWCG-yEJC4-Fbx2FPOS7-h5V0k33O5Okd-OoDUKoFPMd6ur5cIwsNyBazcsHdFHqWlCby5nl_HZdW-PHq0gjzyJydB5eYIvOfOHYBRVML9fKwdOLM2xVxJsPwvy3BqlVKc593p2WwItIg52ILWrc6AtqkqHxKsAXLVyAoVInYkl_NDBkCqYe2KgNJFzfEC8g"
        }
        (The header segment decodes to {"alg":"RS256"}; the payload of this sample is from an earlier OpenID Connect draft and still names the subject "user_id", where the final specification, as on the next slide, uses "sub".)
  78. ID Token (the claims inside the JWT)
        {
          "iss": "https://server.example.com",
          "sub": "24400320",
          "aud": "s6BhdRkqt3",
          "nonce": "n-0S6_WzA2Mj",
          "exp": 1311281970,
          "iat": 1311280970,
          "auth_time": 1311280969,
          "acr": "urn:mace:incommon:iap:silver",
          "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
        }
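How a client turns the ID token above into an authenticated user, as an added example in Python (not code from the deck or from any library it mentions). It splits the JWT, then checks iss, aud (and azp when there are several audiences), exp, iat, the nonce from the login the client started, and at_hash against the access_token that arrived in the same response. Signature verification of the RS256 JWS against the provider's published key is assumed to be done by a JOSE library before the claims are trusted; the block does not verify it. The sample claims are the ones on slide 78; note that the at_hash there is the specification's placeholder (base64url of "1234567890123456"), not a real hash of "SlAV32hkKG", so the test computes its own.

```python
"""OpenID Connect ID token inspection and claim validation (added example, Python)."""
import base64
import hashlib
import json
import secrets


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def split_jwt(id_token):
    """Decode header and payload WITHOUT verifying. The signature must be checked
    with the issuer's key (RS256 on the slide) before any claim is acted on."""
    header, payload, signature = id_token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), b64url_decode(signature)


def at_hash(access_token, alg="RS256"):
    """OIDC Core 3.1.3.6: hash the access token with the JWS alg's hash function
    (SHA-256 for RS256), keep the left-most half, base64url-encode it."""
    bits = int(alg[2:])                       # RS256 -> 256, RS384 -> 384, ...
    digest = hashlib.new("sha%d" % bits, access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token_claims(claims, issuer, client_id, nonce, now,
                             access_token=None, alg="RS256", skew=60):
    """Return the subject identifier if every check passes, else raise ValueError.
    Assumes the JWS signature was already verified and `alg` is the one it used."""
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued to this client (aud)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("several audiences but azp is not this client")
    if claims.get("exp", 0) + skew <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - skew > now:
        raise ValueError("token issued in the future")
    if nonce is not None and not secrets.compare_digest(
            str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch: replay, or not the login this client started")
    if access_token is not None and "at_hash" in claims:
        if not secrets.compare_digest(claims["at_hash"].encode(), at_hash(access_token, alg).encode()):
            raise ValueError("at_hash does not match the access_token in the same response")
    return claims["sub"]


# Claims from slide 78, used as the sample payload.
SAMPLE_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
    "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
}
```

The nonce does for OpenID Connect what state does for OAuth: it ties the token to a login this client began, so a token captured from another session is rejected even though its signature is valid.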
  79. Where are we now?
  80. Suggested Implementations
     • Thinktecture
       – Authorization Server and Identity Provider
       – All but SAML 2
       – Open source
     • Auth0
       – Hosted model or appliance
       – Affordable, from small business to enterprise
       – All protocols
       – FREE version for dev
  81. References
     • Conference resources to be referenced here:
       – http://michelebusta.com
     • See my snapboards:
       – Currently at the alpha site: http://snapboardalpha.cloudapp.net/michelebusta
       – Will move these to snapboard.com/michelebusta when we go live on the main site (SOON, watch my blog for announcement)
     • Contact me:
       – michelebusta@solliance.net
       – @michelebusta
  82. Michele Leroux Bustamante
     Managing Partner, Solliance (solliance.net)
     CEO and Cofounder, Snapboard (snapboard.com)
     Microsoft Regional Director, Microsoft MVP
     Author, Speaker
     Pluralsight courses on the way!
     Blog: michelebusta.com
     michelebusta@solliance.net, @michelebusta
