TOKEN-BASED SECURITY
FOR WEB APPLICATIONS
USING OAUTH2 AND OPENID CONNECT
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
Tech Talk DC 2019
About Vladimir Bychkov
• SOFTWARE CRAFTSMAN AT EASTBANC TECHNOLOGIES
• LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/
• EMAIL: BYCHKOV@GMAIL.COM
• WEBSITE: EASTBANCTECH.COM
• WEBSITE: WWW.KUBLR.COM
EastBanc Technologies | Custom Software Development
Cutting Edge Software Development.
Based in Georgetown.
We are hiring!
www.eastbanctech.com
Agenda
• AUTHORIZATION FOR WEB APPLICATIONS
• OAUTH 2.0
• OPENID CONNECT
• DEMO AUTHORIZATION GRANTS (FLOWS)
• FEDERATED GATEWAY PATTERN
Form-based authentication
[Diagram: a login form (Username, Password, Login button) is posted to the Web server, which answers with a session cookie:
Set-Cookie: id=a3fWa; Secure; HttpOnly]
Web server:
• Look up user
• Hash+verify password
• Look up authZ info
• Create session
Modern Application Landscape
[Diagram: clients (Browser, Mobile, Server App), a Web App, several Web Services, and two identity providers (Enterprise IdP, Social IdP)]
Delegated Authorization
[Diagram: the User's Browser talks to a Web Client (Client Frontend + Client Backend) over https + cookie; the Client Backend talks to the Bank's Web Backend over https + cookie. A "Banking Client" screen asks the user to "Enter PenFed login" (Username, Password) in order to read Transactions.]
Problems with handing the user's password to the client:
• 3rd party has to store password
• No way to limit scope
• Cannot revoke access (other than changing password)
OAuth 2.0 - Overview
• OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR DELEGATED AUTHORIZATION
• PUBLISHED AS IETF RFC6749 IN OCTOBER 2012
• INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF
• LINGO:
  • RESOURCE OWNER => USER (HUMAN)
  • CLIENT => 3RD PARTY SOFTWARE (APP/SERVICE)
  • AUTHORIZATION SERVER => WEB SERVICE (VERIFIES IDENTITY AND ISSUES TOKENS)
  • RESOURCE SERVER => WEB SERVICE/API HOSTING PROTECTED RESOURCES
  • AUTHORIZATION GRANT (FLOW) => STANDARD PROCESS TO OBTAIN USER’S AUTHORIZATION
  • SCOPE => LEVEL OF ACCESS
  • CONSENT => USER’S PERMISSION TO GRANT ACCESS
  • ACCESS CODE (AUTHORIZATION CODE) => TEMP CODE TO OBTAIN ACCESS TOKEN
  • ACCESS TOKEN => TEMP AND SCOPED CREDENTIALS TO ACCESS USER’S RESOURCES
OAuth 2.0 – Endpoints (SSL required)
• AUTHORIZATION ENDPOINT
  • USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER.
• TOKEN ENDPOINT
  • USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR REFRESH TOKEN.
• REDIRECTION ENDPOINT (CLIENT)
OAuth 2.0 - Protocol Flow
[Diagram only]
OAuth 2.0 - Architecture
[Diagram: Resource owner (User), Client (Relying Party - RP), Resource server (Resources) and Authorization server (Security Token Service – STS). The Client presents a Grant (Credentials) to the Authorization server and receives a Token; the Client then presents the Token to the Resource server.]
OAuth 2.0 - Grants
Grant type | Client type / Use case
Client Credentials | For clients, such as web services, acting on their own behalf.
Authorization code w/ PKCE | Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser.
Resource Owner Password | For trusted native clients where the application and the authorization server belong to the same provider.
Implicit | Intended for browser-based (JavaScript) applications without a backend.
Refresh token | A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
Device code | For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
Token exchange | Lets applications and services obtain an access token in delegation and impersonation scenarios.
OpenID Connect
• ID TOKEN (JWT)
• DISCOVERY ENDPOINT
• USER-INFO ENDPOINT (JSON SCHEMA)
• USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
JWT – JSON Web Token
[Diagram only]
OpenID Connect Protocol Suite
[Diagram only]
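Added example, not from the slides: the checks a relying party has to run on an ID token (JWT) before trusting its claims, written in Python with only the standard library. The issuer http://localhost:5000, the client id mvc and the nbf timestamp 1531258758 are the demo values from these slides; the signing key is constructed. A real OpenID provider signs with an asymmetric key published at the JWKS URL found via the discovery endpoint; HS256 is used here only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Never reuse; a real provider uses RS256/ES256 keys
# published via discovery (HS256 here only so this runs offline).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_ISSUER = "http://localhost:5000"   # demo authorization server on the slides
DEMO_CLIENT_ID = "mvc"                  # demo client on the slides
DEMO_NBF = 1531258758                   # nbf value shown in the demo claims


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=DEMO_KEY):
    """Produce header.payload.signature with HS256 (demo signer only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token, issuer, client_id, key=DEMO_KEY, now=None):
    """Return the claims if every check passes, otherwise raise ValueError.

    Checks: structure, pinned algorithm, signature, iss, aud, exp, nbf."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token choose (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("not yet valid")
    return claims


def demo_token():
    """Constructed ID token for alice, valid for one hour from DEMO_NBF."""
    return sign_jwt({"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "alice",
                     "nbf": DEMO_NBF, "exp": DEMO_NBF + 3600})


def demo_validate(token, now=DEMO_NBF + 60):
    """Validate a token as the mvc client would, at a fixed clock for reproducibility."""
    return validate_id_token(token, DEMO_ISSUER, DEMO_CLIENT_ID, now=now)
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so a tampered payload or an `alg: none` header is rejected without the claims ever being used.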
DEMO – Client Credentials Flow
(diagram: https://docs.pivotal.io)
1. Client → token endpoint:
POST http://localhost:5000/connect/token
Authorization: Basic Y2xpZW50OnNlY3JldA==
grant_type=client_credentials&scope=api1
2. Token endpoint → client:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"access_token":"eyJhbGciO…
3. Client → resource server (API):
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
4. Resource server → client:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
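Added example, not from the slides or the demo project: both sides of the client credentials exchange above in Python. The client side builds exactly the request on the slide (the Basic header is base64 of "client:secret", which is the Y2xpZW50OnNlY3JldA== shown); the server side is a constructed stand-in for the token endpoint that authenticates the client in constant time, checks that the grant type is allowed for this client, and refuses any scope the client was not registered for. The client registry is constructed, and the access token it issues is an opaque random string rather than the JWT the demo server returns.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed client registry mirroring the demo's "client" / "secret" pair.
# A real server stores a salted hash of each secret rather than the secret.
CLIENTS = {
    "client": {
        "secret": "secret",
        "allowed_scopes": {"api1"},
        "grant_types": {"client_credentials"},
    },
}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication, as sent to the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, scope):
    """Client side: headers and form body for the client_credentials grant."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def handle_token_request(headers, body):
    """Server side: authenticate the client, then check grant type and scope.

    Returns (status, json_body) the way the token endpoint would."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client_id, _, presented = decoded.partition(":")
    client = CLIENTS.get(client_id)
    # Compare in constant time, and compare even for unknown ids so the
    # response time does not reveal which client ids exist.
    expected = client["secret"] if client else ""
    secret_ok = hmac.compare_digest(presented.encode(), expected.encode())
    if client is None or not secret_ok:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    requested = set(form.get("scope", "").split())
    # Issue only scopes the client was registered for; never widen silently.
    if not requested or not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),  # opaque demo token; the demo server issues a JWT
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(requested)),
    }


def demo(client_id="client", client_secret="secret", scope="api1"):
    """Run steps 1 and 2 of the slide end to end and return the HTTP status."""
    headers, body = build_token_request(client_id, client_secret, scope)
    status, _ = handle_token_request(headers, body)
    return status
```

The same helper reproduces the Resource Owner Credentials demo header: base64 of "ro.client:secret" is the cm8uY2xpZW50OnNlY3JldA== on that slide.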
DEMO – Resource Owner Credentials Flow
(diagram: https://docs.pivotal.io)
1. User enters Username and Password directly into the client.
2. Client → token endpoint:
POST http://localhost:5000/connect/token
Authorization: Basic cm8uY2xpZW50OnNlY3JldA==
grant_type=password&username=alice&password=password&scope=api1
3. Token endpoint → client:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"access_token":"eyJhbGciO…
4. Client → resource server (API):
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
5. Resource server → client:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
DEMO – Authorization Code Flow
(diagram: https://docs.pivotal.io)
1. Browser → web app (client):
GET /Home/Secure
2. Web app → browser (redirect to the authorization endpoint):
HTTP/1.1 302 Found
Location: http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http://localhost:5002/signin-oidc&response_type=code id_token&scope=openid profile api1 offline_access&response_mode=form_post …
3. Browser → authorization server:
GET /connect/authorize?client_id=mvc&…
302 /account/login… 302 /account/consent…
4. Authorization server → browser (auto-submitting form posts the code to the client's redirect URI):
HTTP/1.1 200 OK
…
<form method='post' action='http://localhost:5002/signin-oidc'>
<input type='hidden' name='code' value='deba7f4c87….' /> …
<script>(function(){document.forms[0].submit();})();</script>
5. Web app → token endpoint:
POST http://localhost:5000/connect/token
client_id=mvc&client_secret=secret&code=deba7f4c87…&grant_type=authorization_code
6. Token endpoint → web app:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
{"id_token":"…","access_token":"eyJhbGciO…"
7. Web app → resource server (API):
GET http://localhost:5001/identity
Authorization: Bearer eyJhbGciO…
8. Resource server → web app:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
…
[{"type":"nbf","value":"1531258758"}, …
DEMO – Implicit Flow
(diagram: https://docs.pivotal.io)
Authorization Code Interception Attack
[Diagram only]
RFC7636 - Proof Key for Code Exchange (PKCE)
[Diagram only]
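Added example, not from the slides or the demo project: the Authorization Code flow demoed above with the PKCE binding from RFC 7636 added, in Python with only the standard library. The client generates a random code_verifier, sends its S256 challenge on the authorize request (together with a state value it later checks on the callback), and presents the verifier when redeeming the code. The authorization server is a constructed stand-in: it stores the challenge with the code, makes the code single use, and refuses the exchange when the presented verifier does not hash to the stored challenge, which is what closes the code interception case. The endpoint, redirect URI and client id are the demo values from these slides; the function and class names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the slides' demo; the server class below is a constructed stand-in.
AUTHORIZE_ENDPOINT = "http://localhost:5000/connect/authorize"
REDIRECT_URI = "http://localhost:5002/signin-oidc"
CLIENT_ID = "mvc"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier():
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes
    # encode to exactly 43 characters.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state, verifier, scope="openid profile api1"):
    """Client side: the redirect of step 2 in the demo, with PKCE and state added."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


class DemoAuthorizationServer:
    """Constructed server side: binds the challenge to the code and checks the verifier."""

    def __init__(self):
        self._codes = {}

    def authorize(self, url):
        """Pretend the user logged in and consented; return (code, state)."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": q["client_id"],
                             "redirect_uri": q["redirect_uri"],
                             "challenge": q["code_challenge"]}
        return code, q["state"]

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Return a token dict, or None if the exchange must be refused."""
        record = self._codes.pop(code, None)   # a code is single use
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        # Whoever redeems the code must prove they created the challenge:
        # hash the presented verifier and compare with what was bound to the code.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), record["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo_flow(server=None, wrong_verifier=False):
    """Run the whole exchange; returns the token dict or None.

    With wrong_verifier=True the code is redeemed by a party that never held
    the verifier, the situation PKCE exists to refuse."""
    server = server or DemoAuthorizationServer()
    state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    code, returned_state = server.authorize(build_authorize_url(state, verifier))
    if not hmac.compare_digest(state, returned_state):
        return None                              # CSRF check on the callback
    presented = make_code_verifier() if wrong_verifier else verifier
    return server.token(code, CLIENT_ID, REDIRECT_URI, presented)
```

The verifier never leaves the client until the token request, which goes directly to the token endpoint; only its hash travels through the browser, so a copied code is worthless on its own. The RFC 7636 Appendix B test vector is asserted in the test to confirm the S256 derivation.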
Web Apps – Other security concerns
• HTTPS ALL THE WAY!
• CROSS-SITE REQUEST FORGERY (CSRF)
  • ASP.NET CORE 2+ INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS
  • BUILT-IN ACTION FILTERS:
    • VALIDATEANTIFORGERYTOKEN
    • AUTOVALIDATEANTIFORGERYTOKEN
    • IGNOREANTIFORGERYTOKEN
• CROSS-SITE SCRIPTING (XSS)
  • VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS)
  • HTML/URL ENCODING
Web Apps – Other security concerns (cont.)
• CROSS-ORIGIN REQUESTS (CORS)
  • ENABLE CORS AND SET EXPLICIT POLICIES
• SECRET/KEY MANAGEMENT AND DATA PROTECTION
• OPEN REDIRECTS
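Added example, not from the slides: the two redirect checks and the CORS policy from the last two bullets, in Python with the standard library. On the authorization server, redirect_uri is accepted only on an exact string match against the client's registration (the demo client mvc and its http://localhost:5002/signin-oidc are from these slides; the registry is constructed). In the web application, a post-login return URL is accepted only if it is a same-site path, which is the open-redirect check. The CORS helper reflects only an allow-listed origin rather than "*"; the allow-list and the helper names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed registrations; the redirect_uri is the demo client's from the slides.
REGISTERED_REDIRECT_URIS = {"mvc": {"http://localhost:5002/signin-oidc"}}
ALLOWED_ORIGINS = {"https://app.example.test"}   # constructed CORS allow-list


def is_registered_redirect_uri(client_id, redirect_uri):
    """Authorization server: exact string match only, no prefix or wildcard."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def is_local_return_url(url):
    """Application: accept a post-login ReturnUrl only if it stays on this site."""
    if not url or not url.startswith("/"):
        return False
    # "//host" is scheme-relative, and browsers treat "/\host" the same way.
    if url.startswith("//") or url.startswith("/\\"):
        return False
    if any(ch in url for ch in "\r\n\t\0"):
        return False            # header-injection / parser-confusion characters
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(url, fallback="/"):
    """Where to send the user after login: the requested path, or home if it is not local."""
    return url if is_local_return_url(url) else fallback


def cors_headers(request_origin):
    """Explicit CORS policy: reflect only an allow-listed origin, never '*'."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}
```

Exact matching on redirect_uri is the defence that keeps an issued code or token from being delivered to a URL the client never registered; the same-site check on ReturnUrl stops the login page itself from becoming an open redirect.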
Federation gateway (Before impl)
[Diagram: the Web Application (ASP.NET Core with Auth Middleware) and the STS each integrate separately with the external IdPs on the Internet (Google, Facebook, …, Azure AD)]
Federation gateway (After impl)
[Diagram: the Web Applications (ASP.NET Core with Auth Middleware) trust only the STS; the STS alone federates to the external IdPs on the Internet (Google, Facebook, …, Azure AD)]
THANK YOU
VLADIMIR BYCHKOV
SOFTWARE CRAFTSMAN
BYCHKOV@GMAIL.COM

More Related Content

What's hot

Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 

What's hot (20)

Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID Management
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 

Similar to 2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Scott Brady
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCloudIDSummit
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net coreIsmaeel Enjreny
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersGlobus
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays  - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays  - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...apidays
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...WSO2
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladoresLuis Ruiz Pavón
 

Similar to 2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect (20)

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net core
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for Developers
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays  - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays  - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
Api security
Api security Api security
Api security
 

Recently uploaded

KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 

Recently uploaded (20)

KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
5 Signs You Need a Fashion PLM Software.pdf

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect

  • 9. OAuth 2.0 – Endpoints (TLS required; RFC 6749 mandates TLS for the authorization and token endpoints)
    • Authorization endpoint: used to interact with the resource owner and obtain an authorization grant. The authorization server must first verify the identity of the resource owner.
    • Token endpoint: used by the client to obtain an access token by presenting its authorization grant or refresh token.
    • Redirection endpoint (client): the client's own endpoint, registered with the authorization server, to which the resource owner's user agent is sent back with the authorization response (for example the code).
  • 10. OAuth 2.0 – Protocol Flow (diagram)
  • 11. OAuth 2.0 – Architecture
    • Resource owner (user) authenticates to the Authorization server (Security Token Service, STS) and grants the Client (Relying Party, RP) access.
    • The client presents its grant (credentials) to the STS and receives a token; it then presents that token to the Resource server (resources).
  • 12. OAuth 2.0 – Grants (grant type: client type / use case)
    • Client Credentials: for clients, such as web services, acting on their own behalf.
    • Authorization code w/ PKCE: intended for traditional web applications with a backend as well as native (mobile or desktop) applications, to take advantage of single sign-on via the system browser.
    • Resource Owner Password: for trusted native clients where the application and the authorization server belong to the same provider.
    • Implicit: intended for browser-based (JavaScript) applications without a backend.
    • Refresh token: a special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
    • Device code: for devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
    • Token exchange: lets applications and services obtain an access token in delegation and impersonation scenarios.
    • Caveat: the IETF OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against the implicit and resource owner password grants; browser-based applications should also use the authorization code grant with PKCE.
  • 13. OpenID Connect
    • ID token (JWT): a signed assertion from the issuer about who authenticated, intended for the client
    • Discovery endpoint (/.well-known/openid-configuration)
    • User-info endpoint (JSON schema)
    • Uses OAuth 2 flows to obtain ID tokens
  • 14. JWT – JSON Web Token (diagram)
  • 16. DEMO – Client Credentials Flow (diagram source: https://docs.pivotal.io)
    1. Client → token endpoint:
       POST http://localhost:5000/connect/token
       Authorization: Basic Y2xpZW50OnNlY3JldA==   (base64 of client:secret)
       grant_type=client_credentials&scope=api1
    2. Token endpoint responds:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       {"access_token":"eyJhbGciO…
    3. Client → resource server:
       GET http://localhost:5001/identity
       Authorization: Bearer eyJhbGciO…
    4. Resource server responds with the claims in the token:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       [{"type":"nbf","value":"1531258758"}, …
    Note: the demo runs over plain http on localhost; outside a local demo the token endpoint must be served over TLS, since the client secret and the bearer token travel in the clear otherwise.
  • 17. DEMO – Resource Owner Credentials Flow
    1. The user enters username and password directly into the client application.
    2. Client → token endpoint:
       POST http://localhost:5000/connect/token
       Authorization: Basic cm8uY2xpZW50OnNlY3JldA==   (base64 of ro.client:secret)
       grant_type=password&username=alice&password=password&scope=api1
    3. Token endpoint responds:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       {"access_token":"eyJhbGciO…
    4. Client → resource server:
       GET http://localhost:5001/identity
       Authorization: Bearer eyJhbGciO…
    5. Resource server responds:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       [{"type":"nbf","value":"1531258758"}, …
  • 18. DEMO – Authorization Code Flow
    1. Browser → client web app: GET /Home/Secure
    2. Client web app redirects the browser to the authorization endpoint:
       HTTP/1.1 302 Found
       Location: http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http://localhost:5002/signin-oidc&response_type=code id_token&scope=openid profile api1 offline_access&response_mode=form_post…
    3. Browser → authorization server: GET /connect/authorize?client_id=mvc&… → 302 /account/login… → 302 /account/consent…
    4. After login and consent the authorization server returns an auto-submitting form (response_mode=form_post) that posts the code to the client's redirection endpoint:
       HTTP/1.1 200 OK
       …
       <form method='post' action='http://localhost:5002/signin-oidc'>
       <input type='hidden' name='code' value='deba7f4c87….' />
       …
       <script>(function(){document.forms[0].submit();})();</script>
    5. Client backend → token endpoint (back channel, authenticated with the client secret):
       POST http://localhost:5000/connect/token
       client_id=mvc&client_secret=secret&code=deba7f4c87…&grant_type=authorization_code
    6. Token endpoint responds:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       {"id_token":…, "access_token":"eyJhbGciO…
    7. Client → resource server:
       GET http://localhost:5001/identity
       Authorization: Bearer eyJhbGciO…
    8. Resource server responds:
       HTTP/1.1 200 OK
       Content-Type: application/json; charset=UTF-8
       …
       [{"type":"nbf","value":"1531258758"}, …
    Notes: response_type=code id_token is the OpenID Connect hybrid flow (an ID token is returned from the authorization endpoint alongside the code, and the access token, plus a refresh token because offline_access was requested, comes from the token endpoint). RFC 6749 also requires the token request in step 5 to repeat the redirect_uri whenever one was included in the authorization request.
  • 19. DEMO – Implicit Flow (diagram)
  • 21. RFC 7636 – Proof Key for Code Exchange (PKCE)
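The authorization code demo above and the PKCE slide describe the same exchange from two sides. As an added example, not the deck's demo code and not IdentityServer, here is a toy in-memory authorization server and client that run the authorization code grant with PKCE (RFC 7636, S256) end to end: the client generates a `code_verifier` and sends its SHA-256 `code_challenge` with the authorization request, the server binds the code to the client, the exact registered `redirect_uri` and the challenge, and the token endpoint releases a token only for a single-use, unexpired code whose verifier hashes to the stored challenge. The client id `mvc` and redirect URI are taken from the demo; the in-memory storage, public client (no secret) and helper names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Added example: authorization code grant with PKCE (S256), both sides.
# Assumptions: in-memory state, a public client (no client_secret), and the
# demo's client_id/redirect_uri; nothing here is the demo server's own code.


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """code_verifier (43..128 chars) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars of high entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    CODE_TTL = 60  # seconds; RFC 6749 recommends a maximum lifetime of 10 minutes

    def __init__(self, clients):
        self.clients = clients      # client_id -> {"redirect_uris": [...]}
        self.codes = {}             # code -> record of what it was issued for

    def authorize(self, params, user, now=None):
        """Authorization endpoint, after login and consent. Returns the redirect URL."""
        now = time.time() if now is None else now
        client = self.clients.get(params["client_id"])
        if client is None:
            raise ValueError("unknown client")
        # Exact string match against registered URIs: prefix or substring
        # matching would turn the authorization server into an open redirector.
        if params["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("invalid redirect_uri")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"],
                            "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"],
                            "code_challenge": params["code_challenge"],
                            "user": user, "expires": now + self.CODE_TTL}
        # state is echoed back untouched so the client can bind this response
        # to the request it actually started (CSRF protection on the client).
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form, now=None):
        """Token endpoint for grant_type=authorization_code."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        record = self.codes.pop(form.get("code"), None)     # single use: a replay fails
        if record is None or now >= record["expires"]:
            raise ValueError("invalid_grant: unknown, used or expired code")
        if record["client_id"] != form.get("client_id") or record["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code was issued to a different client/redirect_uri")
        verifier = form.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            raise ValueError("invalid_grant: bad code_verifier")
        expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, record["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def run_flow(tamper=None):
    """Drive client and server through one exchange; `tamper` may alter the token request."""
    server = AuthorizationServer({"mvc": {"redirect_uris": ["http://localhost:5002/signin-oidc"]}})
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    location = server.authorize({
        "client_id": "mvc", "redirect_uri": "http://localhost:5002/signin-oidc",
        "response_type": "code", "scope": "openid profile api1", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"}, user="alice")
    q = parse_qs(urlparse(location).query)
    if q["state"][0] != state:                             # client-side check
        raise ValueError("state mismatch")
    form = {"grant_type": "authorization_code", "code": q["code"][0], "client_id": "mvc",
            "redirect_uri": "http://localhost:5002/signin-oidc", "code_verifier": verifier}
    if tamper:
        tamper(form)
    return server, form, server.token(dict(form))


def stolen_code_is_useless() -> bool:
    """An attacker who intercepted only the code (not the verifier) cannot redeem it."""
    try:
        run_flow(lambda f: f.update(code_verifier=b64url(secrets.token_bytes(32))))
    except ValueError:
        return True
    return False


def replay_is_rejected() -> bool:
    server, form, _ = run_flow()
    try:
        server.token(form)                                 # same code, second time
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow()[2])
```

This is exactly the property PKCE adds over the plain code grant: the code that travels through the browser (or a custom URL scheme on mobile) is worthless without the verifier that never left the client, so a leaked or intercepted code cannot be exchanged by anyone else.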
  • 22. Web Apps – Other security concerns
    • HTTPS all the way!
    • Cross-site request forgery (CSRF)
      • ASP.NET Core 2+ injects antiforgery tokens automatically when using tag helpers
      • Built-in action filters: ValidateAntiForgeryToken, AutoValidateAntiforgeryToken, IgnoreAntiforgeryToken
    • Cross-site scripting (XSS)
      • Validate user input (forms, query string, HTTP headers)
      • HTML/URL encoding of output (Razor HTML-encodes by default; the risk is in raw output and in JavaScript/URL contexts)
  • 23. Web Apps – Other security concerns (cont.)
    • Cross-origin requests (CORS): enable CORS and set explicit policies (named origins rather than a wildcard)
    • Secret/key management and data protection
    • Open redirects: only redirect to local URLs or to an allow-list of targets (the same rule the authorization server applies to redirect_uri)
  • 24. Federation gateway (before): the ASP.NET Core web application's auth middleware talks to each external identity provider (Google, Facebook, …, Azure AD) directly, so every provider has to be configured, and kept configured, in every web application.
  • 25. Federation gateway (after): the web application's auth middleware trusts a single STS; the STS federates to Google, Facebook, …, Azure AD, so adding or changing a provider touches only the STS and the applications see one token format and one issuer.
  • 26. THANK YOU VLADIMIR BYCHKOV SOFTWARE CRAFTSMAN BYCHKOV@GMAIL.COM