Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures. The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC). In this talk, you will get a concise introduction into OAuth 2.0 and OIDC. We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group. So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.

1. 1
Basics of OAuth 2.0 and OpenID Connect
Andreas Falk / Novatec Consulting

2. Our #AppSec Offerings:
▪ OAuth 2.0 & OpenID Connect Trainings and Consulting
▪ Security for Developers Trainings
https://www.novatec-gmbh.de/en/consulting/agile-security
About Me
2
Andreas Falk
Novatec Consulting
(Germany)
andreas.falk@novatec-gmbh.de
@andifalk

3. RFC 6749: OAuth 2.0 Authorization Framework
RFC 6750: OAuth 2.0 Bearer Token Usage
3
Introduction to OAuth 2.0

4. Do you like it implementing your own Authentication?
4
Password
Policies
MFA
Secure Password
Storage
Different
Clients
Brute Force
Prevention
Reset
Password
Process

5. Using Multiple Services before OAuth 2.0
5
Client
Resource Owner
(i.e. the user)
Resource Server
1.Resource owner
authenticates to the client
2.Client requests the protected resource
Credentials
Credentials

6. “The OAuth 2.0 authorization framework enables a
third-party application to obtain limited access to
an HTTP service, either on behalf of a resource
owner by orchestrating an approval interaction between the
resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf
”
RFC 6749: OAuth 2.0
6

7. OAuth 2.0 Roles
7
Client
Resource Owner Authorization Server
Access Token
Resource Server

8. Basic OAuth 2.0 Protocol Flow
8
Client
Resource Owner Authorization Server
Access Token
Resource Server
1.Resource owner authorizes the client
2.Client receives authorization grant
3.Client exchanges grant for access token
4.Client requests the protected resource

9. Protocol Flow (1): Resource owner authorizes client
9
Resource Owner Authorization Server
1.Resource owner authorizes the client

10. Protocol Flow (2): Client receives authorization grant
10
Client
Resource Owner Authorization Server
1.Resource owner authorizes the client
2.Client receives authorization grant
Authorization grant:
▪ Credential representing the resource
owner's authorization
▪ Exchange for access token

11. Protocol Flow (3): Client exchanges grant for access token
11
Client
Resource Owner Authorization Server
Access Token
1.Resource owner authorizes the client
2.Client receives authorization grant
3.Client exchanges grant for access token
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token": "2YotnFZFEjr1zC",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Q"
}

12. Protocol Flow: Client requests the protected resource
12
Client
Access Token
Resource Server
4.Client requests the protected resource
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer 2YotnFZFEjr1zC

13. OAuth 2.0 Protocol Endpoints
13
Client
Resource Owner
Resource Server
Authorization ServerToken
Endpoint
Authorization
Endpoint
Token Introspection
Endpoint
Resource Owner Client Authorization
Retrieve Authorization Grant
Exchange Authorization Grant
into Access Token
Validate Access Token

14. Authorization Grant Types
14

15. 2007
OAuth 1.0
Protocol
2010
RFC 5849: The
OAuth 1.0a
Protocol
2012
RFC 6749:
The OAuth 2.0
Authorization
Framework
2013
RFC 6819:
OAuth 2.0
Threat
Model
2015
RFC 7519:
JSON Web
Token
(JWT)
2015
RFC 7636:
Proof Key for
Code Exchange
(PKCE)
2019-2020
OAuth 2.0
Security Best
Current
Practice
OAuth History
15
2020,...
OAuth 2.1
TxAuth

16. ▪ Authorization Code grant is extended with PKCE
▪ Implicit grant is omitted from the spec
▪ RO Password Credentials grant is omitted from the spec
▪ Redirect URIs must be compared by exact string matching
▪ Refresh tokens must be sender-constrained or one-time use
▪ Bearer token must not be sent in the query string of URIs
The OAuth 2.1 Authorization Framework
16
https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1/

17. “OAuth 2.1” Authorization Grant Types
17
Resource
Owner
Client Type Authorization Grant Refresh
Token
Web Client (Confidential) Authorization Code + PKCE
Mobile Client (Public) Authorization Code + PKCE
SPA Client (Public) Authorization Code + PKCE
Resource Owner Client
(Confidential)
Client Credentials
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics
https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1

18. ▪ RFC 7636: PKCE = Proof Key for Code Exchange (“pixy”)
▪ Mitigates authorization code interception attack
▪ Public clients cannot keep static secrets (“client_secret”)
▪ PKCE adds dynamic secret instead:
− Cryptographically random key: The “Code Verifier”
− Hashed code verifier (SHA-256): The “Code Challenge”
Authorization Code + PKCE Grant Type
18
https://tools.ietf.org/html/rfc7636

19. OpenID Connect Foundation
19
OpenID Connect 1.0

20. OAuth 2.0 is NOT an Authentication Protocol!
20
OAuth 2.0 is not an authentication protocol

21. OAuth 2.0 vs. OpenID Connect 1.0
21
Hotel
Valet
Parking
Identification
Permission /
Delegation
OpenID
Connect
1.0
OAuth
2.0

22. OpenID Connect 1.0 Standards Layer
22
JSON Web Algorithms (JWA)
JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK)
JSON Web Token (JWT)
Javascript Object Signing and Encryption (JOSE)
OAuth 2.0 Authorization Framework (RFC 6749)
OpenID Connect 1.0

23. ▪ Based on OAuth 2.0
▪ Additions:
− ID Token (JWT format is Mandatory)
− User Info Endpoint (Mandatory)
− Hybrid Grant Flow (Mandatory)
− OpenID Provider Configuration Information
(Discovery, Optional)
https://openid.net/specs/openid-connect-core-1_0.html
https://openid.net/specs/openid-connect-registration-1_0.html
https://openid.net/specs/openid-connect-discovery-1_0.html
OpenID Connect 1.0 (OIDC)
23

24. {
"alg": "RS256",
"typ": "JWT",
"kid": "lp_FcMZ8D7U6EEUCiZyWAF21NcwjX_ddwJ5a3eCPMwQ"
}
JSON Web Token (JWT) - Decoded Form
24
{
"exp": 1571745342,
"iat": 1571745042,
"iss": "http://localhost:8080/auth/realms/workshop",
"aud": ["library-service","account"],
"sub": "08d3bcaa-5ffd-4b8d-909e-bb567881384b"
}
HEADER
PAYLOAD

25. OpenID Connect 1.0: Access Token Types
25
JWT Token (Self-contained) Opaque Token (Reference)
Offline-Validation (Signature/Expiration) Validation call to introspection-endpoint
Contains all required information Additional call to get required information
Protocol agnostic Bound to Http
Cannot be revoked May be revoked
Mandatory for Id Tokens Must not be used for Id Tokens
May be used for Access Tokens May be used for Access Tokens

26. ▪ Use OpenID Connect for Authentication
▪ Authorization Grant Types
− With End User: Use Authorization Code + PKCE
− Without End User: Use Client Credentials
▪ Do NOT use Implicit or Resource Owner Password Grants
▪ ID Token must be JWT, Access Token may be JWT
▪ Always validate Tokens and keep Lifetime short
OAuth 2.0 and OpenID Connect: Summary
26

27. Thank You very much!
Questions?
27

28. Novatec Consulting GmbH
Dieselstraße 18/1
D-70771 Leinfelden-Echterdingen
T. +49 711 22040-700
info@novatec-gmbh.de
www.novatec-gmbh.de
28
Managing Consultant
Andreas Falk
Mobil: +49 151 46146778
E-Mail: andreas.falk@novatec-gmbh.de

29. OpenID Connect Implementations
29

30. ▪ RedHat/JBoss Keycloak (https://www.keycloak.org)
▪ Auth0 (https://auth0.com)
▪ Okta (https://www.okta.com)
▪ ForgeRock (https://www.forgerock.com/platform/identity-management)
▪ CloudFoundry UAA (https://github.com/cloudfoundry/uaa)
▪ PingFederate
(https://www.pingidentity.com/en/platform/single-sign-on/sso-overview.html)
▪ Azure Active Directory
(https://azure.microsoft.com/en-us/services/active-directory)
▪ ...
See: https://openid.net/developers/certified/#OPServices
OpenID Connect Identity Providers
30

31. ▪ oidc-client (Javascript) https://github.com/IdentityModel/oidc-client-js
▪ angular-oauth2-oidc (Typescript)
https://github.com/manfredsteyer/angular-oauth2-oidc
▪ angular-auth-oidc-client (Typescript)
https://github.com/damienbod/angular-auth-oidc-client
▪ IdentityModel.OidcClient (C#/.Net)
https://github.com/IdentityModel/IdentityModel.OidcClient
▪ Nimbus OAuth 2.0 SDK (Java)
https://connect2id.com/products/nimbus-oauth-openid-connect-sdk
▪ OIDC RP library (Python) https://github.com/openid/JWTConnect-Python-OidcRP
▪ ...
See: https://openid.net/developers/certified/#OPServices
OpenID Connect Libraries
31

32. Books and Online References
32

33. ▪ Justin Richer et.al: OAuth2 in Action (Manning, 2017, ISBN 978-1617293276)
▪ Michael Schwartz et.al: Securing the Perimeter (Apress, 2018, ISBN
978-1484226001)
▪ RFC 6749: The OAuth 2.0 Authorization Framework
▪ RFC 6750: OAuth 2.0 Bearer Token Usage
▪ RFC 6819: OAuth 2.0 Threat Model and Security Considerations
▪ RFC 7636: Proof Key for Code Exchange ("Pixy")
▪ OpenID Connect Core 1.0 Specification
▪ OpenID Connect Dynamic Client Registration 1.0
▪ OpenID Connect Discovery 1.0
▪ RFC 7519: JSON Web Token (JWT)
▪ JSON Web Token Best Current Practices
Books and Online References (1)
33

34. ▪ Why you should stop using the OAuth implicit grant
▪ OAuth 2.0 Security Best Current Practice
▪ OAuth 2.0 for Browser-Based Apps
▪ OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
▪ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
▪ OAuth 2.0 Token Exchange
Books and Online References (2)
34

35. ▪ Resource Indicators for OAuth 2.0
▪ Spring Security 5.2 Reference Documentation
▪ Microservices Security Patterns & Protocols with Spring Security (Devoxx Video)
▪ Microservices Security Patterns & Protocols (SpringOne Platform 2019 Video)
▪ How to secure your Spring apps with Keycloak by Thomas Darimont (Video)
Books and Online References (3)
35