VB
Uploaded byVladimir Bychkov
57 views

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect

The document provides an overview of token-based security for web applications using OAuth 2.0 and OpenID Connect, presented by Vladimir Bychkov. It explains the architecture, protocols, and flows involved in delegated authorization and includes details on various grant types and security concerns for web applications. A demo section illustrates the practical applications of these concepts, showcasing different authorization flows and endpoints.

Embed presentation

Download to read offline
TOKEN-BASED SECURITY FOR WEB APPLICATIONS USING OAUTH2 AND OPENID CONNECT Presented by Vladimir Bychkov Email: bychkov@gmail.com 1 Tech Talk DC 2019
About Vladimir Bychkov • SOFTWARE CRAFTSMAN AT EASTBANC TECHNOLOGIES • LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/ • EMAIL: BYCHKOV@GMAIL.COM WEBSITE: EASTBANCTECH.COM WEBSITE: WWW.KUBLR.COM
EastBanc Technologies | Custom Software Development Cutting Edge Software Development. Based in Georgetown. We are hiring! www.eastbanctech.com
Agenda • AUTHORIZATION FOR WEB APPLICATIONS • OAUTH 2.0 • OPENID CONNECT • DEMO AUTHORIZATION GRANTS (FLOWS) • FEDERATED GATEWAY PATTERN
Form-based authentication 5 Username Password Login Web server Set-Cookie: id=a3fWa; Secure; HttpOnly • Look up user • Hash+verify password • Look up authZ info • Create session
Modern Application Landscape 6 Browser Mobile Server App Web App Web Service Web Service Web Service Enterprise IdP Social IdP
Delegated Authorization 7 https + cookie Web Client Client Frontend Browser Client Backend User Web Backend Bank https + cookie Banking Client Browser Transactions Username Password Enter PenFed login • 3rd party has to store password • No way to limit scope • Cannot revoke access (other than changing password)
OAuth 2.0 - Overview • OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR DELEGATED AUTHORIZATION • PUBLISHED AS IETF RFC6749 IN OCTOBER 2012 • INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF • LINGO: • RESOURCE OWNER => USER (HUMAN) • CLIENT => 3RD PARTY SOFTWARE (APP/SERVICE) • AUTHORIZATION SERVER => WEB SERVICE (VERIFIES IDENTITY AND ISSUES TOKENS) • RESOURCE SERVER => WEB SERVICE/API HOSTING PROTECTED RESOURCES • AUTHORIZATION GRANT (FLOW) => STANDARD PROCESS TO OBTAIN USER’S AUTHORIZATION • SCOPE => LEVEL OF ACCESS • CONSENT => USER’S PERMISSION TO GRANT ACCESS • ACESS CODE => TEMP CODE TO OBTAIN ACCESS TOKEN • ACCESS TOKEN => TEMP AND SCOPED CREDENTIALS TO ACCESS USER’S RESOURCES
OAuth 2.0 – Endpoints (SSL required) • AUTHORIZATION ENDPOINT • USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER. • TOKEN ENDPOINT • USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR REFRESH TOKEN. • REDIRECTION ENDPOINT (CLIENT)
OAuth 2.0 - Protocol Flow 10
OAuth 2.0 - Architecture Resource owner (User) Client (Relying Party - RP) Resource server (Resources) Authorization server (Security Token Service – STS) Token Grant (Credentials) Token
OAuth 2.0 - Grants Grant type Client type / Use case Client Credentials For clients, such as web services, acting on their own behalf. Authorization code w/ PKCE Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser. Resource Owner Password For trusted native clients where the application and the authorization server belong to the same provider. Implicit Intended for browser-based (JavaScript) applications without a backend. Refresh token A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again. Device code For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc. Token exchange Lets applications and services obtain an access token in delegation and impersonation scenarios.
OpenID Connect • ID TOKEN (JWT) • DISCOVERY ENDPOINT • USER-INFO ENDPOINT (JSON SCHEMA) • USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
JWT – JSON Web Token 14
OpenID Connect Protocol Suite
DEMO – Client Credentials Flow https://docs.pivotal.io POST http://localhost:5000/connect/token Authorization: Basic Y2xpZW50OnNlY3JldA== grant_type=client_credentials&scope=api1 1 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {"access_token":"eyJhbGciO… 2 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 3 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 4
DEMO – Resource Owner Credentials Flow https://docs.pivotal.io POST http://localhost:5000/connect/token Authorization: Basic cm8uY2xpZW50OnNlY3JldA== grant_type=password&username=alice &password=password&scope=api1 2 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {"access_token":"eyJhbGciO… 3 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 4 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 5 1 Username Password
DEMO – Authorization Code Flow https://docs.pivotal.io GET /Home/Secure 1 HTTP/1.1 302 Found Location: http://localhost:5000/connect/authorize? client_id=mvc &redirect_uri=http//localhost:5002/signin-oidc &response_type=code id_token &scope=openid profile api1 offline_access &response_mode=form_post … 2 GET /connect/authorize?client_id=mvc&… 3 302 /account/login… 302 /account/consent… HTTP/1.1 200 OK … <form method='post' action='http://localhost:5002/signin-oidc’> <input type='hidden' name='code’ value=‘deba7f4c87….’ /> … <script>(function(){document.forms[0].submit();})();</script> 4 POST http://localhost:5000/connect/token client_id=mvc&client_secret=secret &code=deba7f4c87…&grant_type=authorization_code 5 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {“id_token”=…, "access_token":"eyJhbGciO…” 6 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 7 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 8
DEMO – Implicit Flow https://docs.pivotal.io
Authorization Code Interception Attack 20
RFC7636 - Proof Key for Code Exchange (PKCE) 21
Web Apps – Other security concerns • HTTPS ALL THE WAY! • CROSS-SITE REQUEST FORGERY (CSRF) • ASP.NET CORE 2+ INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS • BUILT-IN ACTION FILTERS: • VALIDATEANTIFORGERYTOKEN • AUTOVALIDATEANTIFORGERYTOKEN • IGNOREANTIFORGERYTOKEN • CROSS-SITE SCRIPTING (XSS) • VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS) • HTML/URL ENCODING
Web Apps – Other security concerns (cont.) • CROSS-ORIGIN REQUESTS (CORS) • ENABLE CORS AND SET EXPLICIT POLICIES • SECRET/KEY MANAGEMENT AND DATA PROTECTION • OPEN REDIRECTS
Auth Middleware Federation gateway (Before impl) ASP.NET Core Internet Google Facebook … Azure AD Google Facebook … Azure AD Web Application
STS Federation gateway (After impl) Internet Google Facebook … Azure AD Google Facebook … Azure AD Internet Auth MiddlewareASP.NET Core Web Application STS Auth MiddlewareASP.NET Core Web Application STS
THANK YOU VLADIMIR BYCHKOV SOFTWARE CRAFTSMAN BYCHKOV@GMAIL.COM

More Related Content

PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
PDF
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
PPTX
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PDF
Full stack security
byDPC Consulting Ltd
 
KEY
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 
OAuth 2.0
byUwe Friedrichsen
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
Full stack security
byDPC Consulting Ltd
 
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 

What's hot

PDF
Authentication and Authorization Architecture in the MEAN Stack
byFITC
 
PDF
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
PDF
Json web token api authorization
byGiulio De Donato
 
PDF
Implementing OAuth
byleahculver
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
PDF
FIWARE ID Management
byMiguel García González
 
PDF
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
byWorteks
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Adding Identity Management and Access Control to your Application, Authorization
byFernando Lopez Aguilar
 
Authentication and Authorization Architecture in the MEAN Stack
byFITC
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
An Introduction to OAuth2
byAaron Parecki
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
2016 pycontw web api authentication
byMicron Technology
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
Json web token api authorization
byGiulio De Donato
 
Implementing OAuth
byleahculver
 
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
Single-Page-Application & REST security
byIgor Bossenko
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
FIWARE ID Management
byMiguel García González
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
byWorteks
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
Adding Identity Management and Access Control to your Application, Authorization
byFernando Lopez Aguilar
 

Similar to 2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect

PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PPTX
OAuth2 and OpenID with Spring Boot
byGeert Pante
 
PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PPTX
Identity, authentication and authorization
byMithun Shanbhag
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PDF
Secure your APIs using OAuth 2 and OpenID Connect
byNordic APIs
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
PPTX
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
byCodemotion
 
PPTX
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
PPTX
Y U No OAuth?!?
byJason Robert
 
PDF
RFC6749 et alia 20130504
byMattias Jidhage
 
PDF
The OpenID Connect Protocol
byClément OUDOT
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PPTX
OAuth 2
byChrisWood262
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
OAuth2 and OpenID with Spring Boot
byGeert Pante
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
Identity, authentication and authorization
byMithun Shanbhag
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
OAuth Base Camp
byOliver Pfaff
 
Secure your APIs using OAuth 2 and OpenID Connect
byNordic APIs
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
byCodemotion
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
Y U No OAuth?!?
byJason Robert
 
RFC6749 et alia 20130504
byMattias Jidhage
 
The OpenID Connect Protocol
byClément OUDOT
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
Distributed Identities with OpenID
byBastian Hofmann
 
OAuth 2
byChrisWood262
 

Recently uploaded

PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PDF
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PPTX
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
Ultimate Guide to CMMS An In-Depth Analysis - Zapium
byhello208828
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Animated Safety Induction: A Smarter Way to Onboard for Workplace Safety
byTECH EHS Solution
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
Odoo ERP Implementation Setup: Step-by-Step Process
byShiv Technolabs Pvt. Ltd.
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect

  • 1.
    TOKEN-BASED SECURITY FOR WEBAPPLICATIONS USING OAUTH2 AND OPENID CONNECT Presented by Vladimir Bychkov Email: bychkov@gmail.com 1 Tech Talk DC 2019
  • 2.
    About Vladimir Bychkov •SOFTWARE CRAFTSMAN AT EASTBANC TECHNOLOGIES • LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/ • EMAIL: BYCHKOV@GMAIL.COM WEBSITE: EASTBANCTECH.COM WEBSITE: WWW.KUBLR.COM
  • 3.
    EastBanc Technologies |Custom Software Development Cutting Edge Software Development. Based in Georgetown. We are hiring! www.eastbanctech.com
  • 4.
    Agenda • AUTHORIZATION FORWEB APPLICATIONS • OAUTH 2.0 • OPENID CONNECT • DEMO AUTHORIZATION GRANTS (FLOWS) • FEDERATED GATEWAY PATTERN
  • 5.
    Form-based authentication 5 Username Password Login Web server Set-Cookie:id=a3fWa; Secure; HttpOnly • Look up user • Hash+verify password • Look up authZ info • Create session
  • 6.
    Modern Application Landscape 6 Browser Mobile ServerApp Web App Web Service Web Service Web Service Enterprise IdP Social IdP
  • 7.
    Delegated Authorization 7 https +cookie Web Client Client Frontend Browser Client Backend User Web Backend Bank https + cookie Banking Client Browser Transactions Username Password Enter PenFed login • 3rd party has to store password • No way to limit scope • Cannot revoke access (other than changing password)
  • 8.
    OAuth 2.0 -Overview • OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR DELEGATED AUTHORIZATION • PUBLISHED AS IETF RFC6749 IN OCTOBER 2012 • INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF • LINGO: • RESOURCE OWNER => USER (HUMAN) • CLIENT => 3RD PARTY SOFTWARE (APP/SERVICE) • AUTHORIZATION SERVER => WEB SERVICE (VERIFIES IDENTITY AND ISSUES TOKENS) • RESOURCE SERVER => WEB SERVICE/API HOSTING PROTECTED RESOURCES • AUTHORIZATION GRANT (FLOW) => STANDARD PROCESS TO OBTAIN USER’S AUTHORIZATION • SCOPE => LEVEL OF ACCESS • CONSENT => USER’S PERMISSION TO GRANT ACCESS • ACESS CODE => TEMP CODE TO OBTAIN ACCESS TOKEN • ACCESS TOKEN => TEMP AND SCOPED CREDENTIALS TO ACCESS USER’S RESOURCES
  • 9.
    OAuth 2.0 –Endpoints (SSL required) • AUTHORIZATION ENDPOINT • USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER. • TOKEN ENDPOINT • USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR REFRESH TOKEN. • REDIRECTION ENDPOINT (CLIENT)
  • 10.
    OAuth 2.0 -Protocol Flow 10
  • 11.
    OAuth 2.0 -Architecture Resource owner (User) Client (Relying Party - RP) Resource server (Resources) Authorization server (Security Token Service – STS) Token Grant (Credentials) Token
  • 12.
    OAuth 2.0 -Grants Grant type Client type / Use case Client Credentials For clients, such as web services, acting on their own behalf. Authorization code w/ PKCE Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser. Resource Owner Password For trusted native clients where the application and the authorization server belong to the same provider. Implicit Intended for browser-based (JavaScript) applications without a backend. Refresh token A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again. Device code For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc. Token exchange Lets applications and services obtain an access token in delegation and impersonation scenarios.
  • 13.
    OpenID Connect • IDTOKEN (JWT) • DISCOVERY ENDPOINT • USER-INFO ENDPOINT (JSON SCHEMA) • USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
  • 14.
    JWT – JSONWeb Token 14
  • 15.
  • 16.
    DEMO – ClientCredentials Flow https://docs.pivotal.io POST http://localhost:5000/connect/token Authorization: Basic Y2xpZW50OnNlY3JldA== grant_type=client_credentials&scope=api1 1 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {"access_token":"eyJhbGciO… 2 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 3 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 4
  • 17.
    DEMO – ResourceOwner Credentials Flow https://docs.pivotal.io POST http://localhost:5000/connect/token Authorization: Basic cm8uY2xpZW50OnNlY3JldA== grant_type=password&username=alice &password=password&scope=api1 2 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {"access_token":"eyJhbGciO… 3 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 4 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 5 1 Username Password
  • 18.
    DEMO – AuthorizationCode Flow https://docs.pivotal.io GET /Home/Secure 1 HTTP/1.1 302 Found Location: http://localhost:5000/connect/authorize? client_id=mvc &redirect_uri=http//localhost:5002/signin-oidc &response_type=code id_token &scope=openid profile api1 offline_access &response_mode=form_post … 2 GET /connect/authorize?client_id=mvc&… 3 302 /account/login… 302 /account/consent… HTTP/1.1 200 OK … <form method='post' action='http://localhost:5002/signin-oidc’> <input type='hidden' name='code’ value=‘deba7f4c87….’ /> … <script>(function(){document.forms[0].submit();})();</script> 4 POST http://localhost:5000/connect/token client_id=mvc&client_secret=secret &code=deba7f4c87…&grant_type=authorization_code 5 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … {“id_token”=…, "access_token":"eyJhbGciO…” 6 GET http://localhost:5001/identity Authorization: Bearer eyJhbGciO… 7 HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 … [{"type":"nbf","value":"1531258758"}, … 8
  • 19.
    DEMO – ImplicitFlow https://docs.pivotal.io
  • 20.
  • 21.
    RFC7636 - ProofKey for Code Exchange (PKCE) 21
  • 22.
    Web Apps –Other security concerns • HTTPS ALL THE WAY! • CROSS-SITE REQUEST FORGERY (CSRF) • ASP.NET CORE 2+ INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS • BUILT-IN ACTION FILTERS: • VALIDATEANTIFORGERYTOKEN • AUTOVALIDATEANTIFORGERYTOKEN • IGNOREANTIFORGERYTOKEN • CROSS-SITE SCRIPTING (XSS) • VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS) • HTML/URL ENCODING
  • 23.
    Web Apps –Other security concerns (cont.) • CROSS-ORIGIN REQUESTS (CORS) • ENABLE CORS AND SET EXPLICIT POLICIES • SECRET/KEY MANAGEMENT AND DATA PROTECTION • OPEN REDIRECTS
  • 24.
    Auth Middleware Federation gateway(Before impl) ASP.NET Core Internet Google Facebook … Azure AD Google Facebook … Azure AD Web Application
  • 25.
    STS Federation gateway (Afterimpl) Internet Google Facebook … Azure AD Google Facebook … Azure AD Internet Auth MiddlewareASP.NET Core Web Application STS Auth MiddlewareASP.NET Core Web Application STS
  • 26.
    THANK YOU VLADIMIR BYCHKOV SOFTWARECRAFTSMAN BYCHKOV@GMAIL.COM