CloudIDSummit, profile picture
Uploaded byCloudIDSummit
PDF, PPTX3,226 views

CIS14: Working with OAuth and OpenID Connect

The document provides an overview of OAuth 2.0 and OpenID Connect, detailing how OAuth 2.0 enables limited access to HTTP services through various authorization flows. It describes the differences between OAuth and OpenID Connect, highlighting the additional identity layer and the processes for provider discovery and client registration. Key components such as authorization requests, access tokens, and ID tokens are also elaborated, emphasizing the importance of authentication and information claims.

Embed presentation

Download as PDF, PPTX
OAuth 2.0 and OpenID Connect Basics From OAuth2 to OpenID Connect by Roland Hedberg
Let’s start with OAuth2
❖ The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, ! ❖ either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, ! ❖ or by allowing the third-party application to obtain access on its own behalf.
The players Authorization Server Resource ServerClient
Authorization Request Authorization Server Resource Server Client Authorization request
Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Authorization Response Authorization Server Resource Server Client Authorization response
Authorization Response - details Authorization Server Resource Server Client Authorization response GET! https://example.org/authz_cb?state=1521671980316802035&! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6 Parameters code! state access_token! token_type! expires_in! scope! state
Access Token Request Authorization Server Resource Server Client Access token request
Access Token Request - details POST! http://example.com/token! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6&! ! grant_type=authorization_code&! ! redirect_uri=https://example.org/authz_cb Authorization Server Resource Server Client Access token request Parameters! client_id! code! grant_type! redirect_uri
Access Token Response Authorization Server Resource Server Client Access token response
Access Token Response - details {! ! 'access_token': ’s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND', ! ! 'expires_in': 3600, ! ! 'refresh_token': ’s87BT60pp2U+bNX2HnkWpVCnDYPsy8EOpI’! ! 'state': ’STATE0’,! ! 'token_type': 'Bearer', ! } Authorization Server Resource Server Client Access token response Parameters! access_token! expires_in! refresh_token scope! token_type
Resource Access Authorization Server Resource Server Client Resource request/response
Resource Access - details Authorization Server Resource Server Client Resource request/response GET! https://example.com/resource! ! Header:! ! Authorization: ’Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND’!
The whole Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Flows ❖ Authorization Code Grant! ❖ Implicit Grant! ❖ Resource Owner Password Credentials Grant! ❖ Client Credentials Grant
Implicit grant Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Resource Owner Password Credentials Grant & Client Credentials Grant Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response
From OAuth2 to OpenID Connect
❖ OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. ! ❖ It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
The differences ❖ Only authorization grant and implicit grant flows! ❖ Dynamic provider discovery and client registration! ❖ ID Token! ❖ Additions/Clarifications/Constrictions! ❖ UserInfo endpoint
Flows ❖ Authorization code! ❖ Implicit! ❖ Hybrid (authorization code with a twist)! ❖ code id_token! ❖ code token! ❖ code id_token token
Dynamic provider discovery and client registration
Dynamic discovery and registration 1. Find the provider! 2. Discover provider info! 3. Register client
1.Find the provider ❖ Webfinger (RFC 7033)! ❖ User identifier -> URL! ❖ carol@example.org ->! ! GET /.well-known/webfinger?! resource=acct:carol@example.com&! rel=http://openid.net/specs/connect/1.0/issuer! HTTP/1.1! Host: example.com
Webfinger response HTTP/1.1 200 OK! Access-Control-Allow-Origin: *! Content-Type: application/jrd+json! ! {! "subject" : "acct:carol@example.com",! "links" :! [ {! "rel" : "http://openid.net/specs/connect/1.0/issuer",! "href" : "https://openid.example.com"! } ]! }
2.Discover provider info - query GET /.well-known/openid-configuration HTTP/1.1! Host: openid.example.com
2. Discover provider info - response ❖ issuer! ❖ jwks_uri! ❖ endpoints! ❖ functions supported! ❖ support for signing/encrypting algorithms! ❖ policy/tos
Required information ❖ issuer! ❖ jwks_uri! ❖ authorization_endpoint! ❖ token_endpoint (*)! ❖ response_types_supported! ❖ subject_types_supported! ❖ id_token_signing_alg_supported
3. Client registration ❖ uris! ❖ application information! ❖ support for signing/encrypting algorithms! ❖ key material! ❖ server behavior! ❖ client behavior
required information ❖ redirect_uris
Client registration response ❖ client_id! ❖ possibly client_secret and if so client_secret_experies_at! ❖ and the Authorization servers view of things
An Authorization Server ❖ MAY add fields the client didn’t include.! ❖ MAY reject or replace any of the Client's requested field values and substitute them with suitable values.! ❖ MAY ignore values provided by the client, and MUST ignore any fields sent by the Client that it does not understand.
A Client can not ❖ modify a registration! ❖ delete a registration
ID Token
ID Token ❖ Have to make a detour into JWT/K/A/S/E land
JWT ❖ Jason Web Token! ❖ a compact URL-safe means of representing claims to be transferred between two parties! ❖ Suggested pronunciation: ’jot’
JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures. JWE represents encrypted content using JavaScript Object Notation (JSON) based data structures.
JWK a JavaScript Object Notation (JSON) data structure that represents a cryptographic key JWA registers cryptographic algorithms and identifiers to be used with the JSON Web Signature(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications
ID Token ❖a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. ! ❖is represented as a JSON Web Token (JWT)
ID Token claims -required ❖ iss - Issuer Identifier for the Issuer of the response! ❖ sub - Subject Identifier! ❖ aud - Intended audience! ❖ exp - Expiration time! ❖ iat - Issued at! ❖ auth_time - Authentication time! ❖ nonce
ID Token claims - optional ❖ acr - Authentication Context Class Reference! ❖ amr - Authentication Method References! ❖ azp - Authorized party
Additions/ Clarifications/ Constrictions
OAuth2 Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
Authentication Request - OpenID Connect extensions ❖ response_mode - The mechanism to use for returning parameters! ❖ nonce - Associates client session with ID Token! ❖ Signed/encrypted Authentication Request! ❖ End-user interactions! ❖ Response details
Signed/encrypted Authentication Request ❖ request - by value! ❖ request_uri - by reference! ! ❖ Single self-contained parameter! ❖ Signed and/or encrypted (JWT)
End-user interactions ❖ display - How to display pages to End-User! ❖ prompt - If the End-User should be prompted for re-authentication/ consent! ❖ max_age - allowed max time since last authentication! ❖ ui_locales - End-User’s preferred languages and scripts! ❖ id_token_hint - ID Token previously issued ! ❖ login_hint - login identifier the End-User might want to use! ❖ acr_values - requested Authentication Context Class Reference values
Response details ❖ claims! ❖ user_info! ❖ id_token! ! ❖ claims specification! ❖ null! ❖ essential! ❖ value! ❖ values
UserInfo endpoint
User info ❖ sub! ❖ name! ❖ given_name! ❖ family_name! ❖ middle_name! ❖ nickname! ❖ preferred_username Set of standard claims ❖ profile! ❖ picture! ❖ website! ❖ email! ❖ email_verified! ❖ gender! ❖ birthdate ❖ zoneinfo! ❖ locale! ❖ phone_number! ❖ phone_number_verfied! ❖ address! ❖ updated_at!
claims types ❖ Normal! ❖ Aggregated! ❖ Distributed
Summary ❖ OAuth2 is about authorization! ❖ OpenID Connect adds authentication and identity information
Questions ?

More Related Content

PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
PDF
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
PPT
Understanding OpenID
byPrabath Siriwardena
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
Understanding OpenID
byPrabath Siriwardena
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
Full stack security
byDPC Consulting Ltd
 
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 

What's hot

PPTX
OpenID Connect 1.0 Explained
byEugene Siow
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
KEY
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 
PPTX
OpenID Connect: An Overview
byPat Patterson
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Spring security oauth2
byaxykim00
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
bySalesforce Developers
 
PDF
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
PPTX
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PDF
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PDF
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PPTX
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
PDF
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
byHermann Burgmeier
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
OpenID Connect 1.0 Explained
byEugene Siow
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 
OpenID Connect: An Overview
byPat Patterson
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Spring security oauth2
byaxykim00
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
bySalesforce Developers
 
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
Single-Page-Application & REST security
byIgor Bossenko
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
byHermann Burgmeier
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 

Viewers also liked

PDF
Dataporten intro (workshop with Difi)
byAndreas Åkre Solberg
 
PDF
[LDAPCon 2015] The OpenID Connect Protocol
byClément OUDOT
 
PPTX
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
byBrian Campbell
 
PDF
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
PDF
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
PDF
OpenID Connect - Nat Sakimura at OpenID TechNight #7
byOpenID Foundation Japan
 
PDF
OAuth 2.0 & OpenID Connect #MA7
byNov Matake
 
PDF
Introduction to FIDO Authentication
byFIDO Alliance
 
PDF
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
byFIDO Alliance
 
PDF
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
byNov Matake
 
PPTX
Fido U2F Protocol by Ather Ali
byOWASP Delhi
 
PDF
Introduction to SAML 2.0
byMika Koivisto
 
Dataporten intro (workshop with Difi)
byAndreas Åkre Solberg
 
[LDAPCon 2015] The OpenID Connect Protocol
byClément OUDOT
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
byBrian Campbell
 
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
byOpenID Foundation Japan
 
OAuth 2.0 & OpenID Connect #MA7
byNov Matake
 
Introduction to FIDO Authentication
byFIDO Alliance
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
byFIDO Alliance
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
byNov Matake
 
Fido U2F Protocol by Ather Ali
byOWASP Delhi
 
Introduction to SAML 2.0
byMika Koivisto
 

Similar to CIS14: Working with OAuth and OpenID Connect

PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
PDF
Introducing OpenID 1.0 Protocol: Security and Performance
byAmin Saqi
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
byGood Dog Labs, Inc.
 
PDF
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
PPTX
Wso2 is integration with .net core
byIsmaeel Enjreny
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PDF
The OpenID Connect Protocol
byClément OUDOT
 
PPTX
Creating a Sign On with Open id connect
byDerek Binkley
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PPTX
OAuth 2
byChrisWood262
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Distributed Identities with OpenID
byBastian Hofmann
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
Distributed Identities with OpenID
byBastian Hofmann
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
Introducing OpenID 1.0 Protocol: Security and Performance
byAmin Saqi
 
Demystifying OAuth 2.0
byKarl McGuinness
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
byGood Dog Labs, Inc.
 
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
Wso2 is integration with .net core
byIsmaeel Enjreny
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
The OpenID Connect Protocol
byClément OUDOT
 
Creating a Sign On with Open id connect
byDerek Binkley
 
When and Why Would I use Oauth2?
byDave Syer
 
OAuth 2
byChrisWood262
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
OAuth2 + API Security
byAmila Paranawithana
 

More from CloudIDSummit

PPTX
CIS 2016 Content Highlights
byCloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
PDF
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
byCloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 
CIS 2016 Content Highlights
byCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
byCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 

Recently uploaded

PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 

CIS14: Working with OAuth and OpenID Connect

  • 1.
    OAuth 2.0 andOpenID Connect Basics From OAuth2 to OpenID Connect by Roland Hedberg
  • 2.
  • 3.
    ❖ The OAuth2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, ! ❖ either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, ! ❖ or by allowing the third-party application to obtain access on its own behalf.
  • 4.
  • 5.
    Authorization Request Authorization Server ResourceServer Client Authorization request
  • 6.
    Authorization Request -details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
  • 7.
    Authorization Server Resource Server Client AUTHENTICATIONHAPPENS & End-user consent/authorization
  • 8.
    Authorization Response Authorization Server ResourceServer Client Authorization response
  • 9.
    Authorization Response -details Authorization Server Resource Server Client Authorization response GET! https://example.org/authz_cb?state=1521671980316802035&! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6 Parameters code! state access_token! token_type! expires_in! scope! state
  • 10.
    Access Token Request AuthorizationServer Resource Server Client Access token request
  • 11.
    Access Token Request- details POST! http://example.com/token! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6&! ! grant_type=authorization_code&! ! redirect_uri=https://example.org/authz_cb Authorization Server Resource Server Client Access token request Parameters! client_id! code! grant_type! redirect_uri
  • 12.
    Access Token Response AuthorizationServer Resource Server Client Access token response
  • 13.
    Access Token Response- details {! ! 'access_token': ’s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND', ! ! 'expires_in': 3600, ! ! 'refresh_token': ’s87BT60pp2U+bNX2HnkWpVCnDYPsy8EOpI’! ! 'state': ’STATE0’,! ! 'token_type': 'Bearer', ! } Authorization Server Resource Server Client Access token response Parameters! access_token! expires_in! refresh_token scope! token_type
  • 14.
    Resource Access Authorization Server ResourceServer Client Resource request/response
  • 15.
    Resource Access -details Authorization Server Resource Server Client Resource request/response GET! https://example.com/resource! ! Header:! ! Authorization: ’Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND’!
  • 16.
    The whole Authorization Server ResourceServer Client Authorization request Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
  • 17.
    Flows ❖ Authorization CodeGrant! ❖ Implicit Grant! ❖ Resource Owner Password Credentials Grant! ❖ Client Credentials Grant
  • 18.
    Implicit grant Authorization Server ResourceServer Client Authorization request Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
  • 19.
    Resource Owner PasswordCredentials Grant & Client Credentials Grant Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response
  • 20.
    From OAuth2 toOpenID Connect
  • 21.
    ❖ OpenID Connect1.0 is a simple identity layer on top of the OAuth 2.0 protocol. ! ❖ It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  • 22.
    The differences ❖ Onlyauthorization grant and implicit grant flows! ❖ Dynamic provider discovery and client registration! ❖ ID Token! ❖ Additions/Clarifications/Constrictions! ❖ UserInfo endpoint
  • 23.
    Flows ❖ Authorization code! ❖Implicit! ❖ Hybrid (authorization code with a twist)! ❖ code id_token! ❖ code token! ❖ code id_token token
  • 24.
    Dynamic provider discovery andclient registration
  • 25.
    Dynamic discovery andregistration 1. Find the provider! 2. Discover provider info! 3. Register client
  • 26.
    1.Find the provider ❖Webfinger (RFC 7033)! ❖ User identifier -> URL! ❖ carol@example.org ->! ! GET /.well-known/webfinger?! resource=acct:carol@example.com&! rel=http://openid.net/specs/connect/1.0/issuer! HTTP/1.1! Host: example.com
  • 27.
    Webfinger response HTTP/1.1 200OK! Access-Control-Allow-Origin: *! Content-Type: application/jrd+json! ! {! "subject" : "acct:carol@example.com",! "links" :! [ {! "rel" : "http://openid.net/specs/connect/1.0/issuer",! "href" : "https://openid.example.com"! } ]! }
  • 28.
    2.Discover provider info- query GET /.well-known/openid-configuration HTTP/1.1! Host: openid.example.com
  • 29.
    2. Discover providerinfo - response ❖ issuer! ❖ jwks_uri! ❖ endpoints! ❖ functions supported! ❖ support for signing/encrypting algorithms! ❖ policy/tos
  • 30.
    Required information ❖ issuer! ❖jwks_uri! ❖ authorization_endpoint! ❖ token_endpoint (*)! ❖ response_types_supported! ❖ subject_types_supported! ❖ id_token_signing_alg_supported
  • 31.
    3. Client registration ❖uris! ❖ application information! ❖ support for signing/encrypting algorithms! ❖ key material! ❖ server behavior! ❖ client behavior
  • 32.
  • 33.
    Client registration response ❖client_id! ❖ possibly client_secret and if so client_secret_experies_at! ❖ and the Authorization servers view of things
  • 34.
    An Authorization Server ❖MAY add fields the client didn’t include.! ❖ MAY reject or replace any of the Client's requested field values and substitute them with suitable values.! ❖ MAY ignore values provided by the client, and MUST ignore any fields sent by the Client that it does not understand.
  • 35.
    A Client cannot ❖ modify a registration! ❖ delete a registration
  • 36.
  • 37.
    ID Token ❖ Haveto make a detour into JWT/K/A/S/E land
  • 38.
    JWT ❖ Jason WebToken! ❖ a compact URL-safe means of representing claims to be transferred between two parties! ❖ Suggested pronunciation: ’jot’
  • 39.
    JWS represents content securedwith digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures. JWE represents encrypted content using JavaScript Object Notation (JSON) based data structures.
  • 40.
    JWK a JavaScript ObjectNotation (JSON) data structure that represents a cryptographic key JWA registers cryptographic algorithms and identifiers to be used with the JSON Web Signature(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications
  • 41.
    ID Token ❖a securitytoken that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. ! ❖is represented as a JSON Web Token (JWT)
  • 42.
    ID Token claims-required ❖ iss - Issuer Identifier for the Issuer of the response! ❖ sub - Subject Identifier! ❖ aud - Intended audience! ❖ exp - Expiration time! ❖ iat - Issued at! ❖ auth_time - Authentication time! ❖ nonce
  • 43.
    ID Token claims- optional ❖ acr - Authentication Context Class Reference! ❖ amr - Authentication Method References! ❖ azp - Authorized party
  • 44.
  • 45.
    OAuth2 Authorization Request- details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
  • 46.
    Authentication Request -OpenID Connect extensions ❖ response_mode - The mechanism to use for returning parameters! ❖ nonce - Associates client session with ID Token! ❖ Signed/encrypted Authentication Request! ❖ End-user interactions! ❖ Response details
  • 47.
    Signed/encrypted Authentication Request ❖request - by value! ❖ request_uri - by reference! ! ❖ Single self-contained parameter! ❖ Signed and/or encrypted (JWT)
  • 48.
    End-user interactions ❖ display- How to display pages to End-User! ❖ prompt - If the End-User should be prompted for re-authentication/ consent! ❖ max_age - allowed max time since last authentication! ❖ ui_locales - End-User’s preferred languages and scripts! ❖ id_token_hint - ID Token previously issued ! ❖ login_hint - login identifier the End-User might want to use! ❖ acr_values - requested Authentication Context Class Reference values
  • 49.
    Response details ❖ claims! ❖user_info! ❖ id_token! ! ❖ claims specification! ❖ null! ❖ essential! ❖ value! ❖ values
  • 50.
  • 51.
    User info ❖ sub! ❖name! ❖ given_name! ❖ family_name! ❖ middle_name! ❖ nickname! ❖ preferred_username Set of standard claims ❖ profile! ❖ picture! ❖ website! ❖ email! ❖ email_verified! ❖ gender! ❖ birthdate ❖ zoneinfo! ❖ locale! ❖ phone_number! ❖ phone_number_verfied! ❖ address! ❖ updated_at!
  • 52.
    claims types ❖ Normal! ❖Aggregated! ❖ Distributed
  • 53.
    Summary ❖ OAuth2 isabout authorization! ❖ OpenID Connect adds authentication and identity information
  • 54.