You've used OpenID Connect. You know a thing or two about OAuth. But have you ever wondered how to achieve Single Sign-On between Angular and ASP.NET Core MVC apps, and automated Single Sign-Out? How, and why, to work with reference tokens? How to create a custom grant, and for which use cases that might be a good idea?
In this in-depth session we'll cover all of these topics, making extensive use of IdentityServer4 in the process. Note that some previous knowledge of securing ASP.NET Core applications with OpenID Connect is a must.
14. SELF-CONTAINED VS REFERENCE TOKENS
KEVINDOCKX
MARVIN
A self-contained token (JWT) is a protected data structure with claims and an expiration
• Once the API knows about the public key to verify the signature, no additional communication with the IDP is required
• A self-contained token potentially grants access for as long as that token hasn’t expired
• There is no mechanism to revoke self-contained tokens
15. SELF-CONTAINED VS REFERENCE TOKENS
A reference token is an identifier for the actual token
• It references a grant result (token) stored at IDP level
• Remove the grant result to revoke access ad hoc
• It requires communication with the IDP on each request
• The communication requirement is often tackled by caching the grant result
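To make the two slides concrete, here is an added example (not from the deck, and not IdentityServer4 code) that models both token kinds in plain Python: a toy HS256 JWT that the API verifies locally, and a reference-token IDP whose API caches introspection results. The HMAC key, subject names, audiences and cache TTL are all constructed for the demo; a real IDP would sign with an asymmetric key and the API would hold only the public half. The run shows the revocation asymmetry: the JWT stays valid until it expires, while the reference token dies as soon as the grant result is removed, except that a cached grant result keeps working until the cache entry ages out.

```python
"""Added example: self-contained (JWT) vs reference tokens, with the
revocation and caching behaviour visible. Everything here is constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed HMAC key for a toy HS256 JWT. Real deployments use asymmetric
# keys (RS256/ES256); the API then only needs the IDP's public key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """IDP side: build an HS256 JWT. Once issued, the IDP cannot recall it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """API side: check signature and expiry locally; the IDP is never contacted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return None if claims.get("exp", 0) <= now else claims


class ReferenceTokenIdp:
    """IDP side: a reference token is an opaque id for a grant result it stores."""

    def __init__(self):
        self._grants = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(32)
        self._grants[handle] = claims
        return handle

    def introspect(self, handle: str, now: float) -> Optional[dict]:
        claims = self._grants.get(handle)
        if claims is None or claims.get("exp", 0) <= now:
            return None
        return claims

    def revoke(self, handle: str) -> None:
        self._grants.pop(handle, None)  # removing the grant result revokes access


class ReferenceTokenApi:
    """API side: asks the IDP on each request unless a cached answer is still fresh."""

    def __init__(self, idp: ReferenceTokenIdp, cache_ttl: float):
        self._idp, self._cache_ttl, self._cache = idp, cache_ttl, {}

    def authorize(self, handle: str, now: float) -> Optional[dict]:
        cached = self._cache.get(handle)
        if cached and cached[0] > now:
            return cached[1]  # served from cache: no round trip to the IDP
        claims = self._idp.introspect(handle, now)
        if claims is None:
            self._cache.pop(handle, None)
        else:
            self._cache[handle] = (now + self._cache_ttl, claims)
        return claims


def demo() -> dict:
    """Issue, use, revoke and expire both token kinds; report what each API decided."""
    t0 = time.time()
    claims = {"sub": "alice", "aud": "orders-api", "exp": t0 + 3600}  # constructed
    jwt = issue_jwt(claims)
    idp = ReferenceTokenIdp()
    api = ReferenceTokenApi(idp, cache_ttl=300)
    handle = idp.issue(claims)
    accepted_before = (verify_jwt(jwt, t0) is not None, api.authorize(handle, t0) is not None)
    idp.revoke(handle)  # the JWT has no equivalent operation
    return {
        "accepted_before": accepted_before,
        "jwt_after_revocation": verify_jwt(jwt, t0 + 60) is not None,
        "ref_after_revocation_cached": api.authorize(handle, t0 + 60) is not None,
        "ref_after_cache_expiry": api.authorize(handle, t0 + 301) is not None,
        "jwt_after_expiry": verify_jwt(jwt, t0 + 3601) is not None,
    }
```

The cache TTL is the knob that trades IDP round trips against revocation latency: with `cache_ttl=300`, a revoked reference token can still be honoured for up to five minutes by an API that cached the grant result, which is the same window a short-lived JWT would give you. Pick the TTL (or JWT lifetime) with that window in mind.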
25. API TO API ACCESS ON BEHALF OF THE USER
We need a custom flow
• OAuth2 was built with extensibility in mind
Token Exchange (proposed standard)
• https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19
• Describes how to safely exchange tokens for other tokens, including how to request tokens for employing impersonation and delegation
• We can use impersonation semantics for this – we’re simply “impersonating” ourselves
26. API TO API ACCESS ON BEHALF OF THE USER
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&subject_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaXNzIjoiaHR0cHM6Ly9vcmlnaW5hbC1pc3N1ZXIuZXhhbXBsZS5uZXQiLCJleHAiOjE0NDE5MTA2MDAsIm5iZiI6MTQ0MTkwOTAwMCwic3ViIjoiYmRjQGV4YW1wbGUubmV0Iiwic2NvcGUiOiJvcmRlcnMgcHJvZmlsZSBoaXN0b3J5In0.PRBg-jXn4cJuj1gmYXFiGkZzRuzbXZ_sDxdE98ddW44ufsbWLKd3JJ1VZhF64pbTtfjy4VXFVBDaQpKjn5JzAw
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
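The slides above explain the flow; the following added example (not from the deck and not IdentityServer4's grant implementation) shows both sides of it in Python: the calling API builds the token-exchange form body the slide shows, and a toy in-memory authorization server handles it with impersonation semantics, keeping the original user as `sub` while narrowing `aud` to the downstream API. The client ids, audiences, scopes and the opaque token handles are constructed; the `audience` parameter, the grant-type and token-type URNs and the `invalid_target` error come from the Token Exchange specification the slide links.

```python
"""Added example: an OAuth 2.0 Token Exchange request (impersonation semantics)
built by API A and handled by a toy authorization server. All values constructed."""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_body(subject_token: str, audience: str) -> str:
    """API A side: the form body POSTed to the token endpoint. urlencode yields the
    percent-encoded grant_type / subject_token_type values seen on the slide."""
    return urlencode({
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TOKEN_TYPE_ACCESS_TOKEN,
        "audience": audience,
    })


class ToyAuthorizationServer:
    """Stores grant results behind opaque handles (reference-token style)."""

    def __init__(self):
        self._grants = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(24)
        self._grants[handle] = dict(claims)
        return handle

    def lookup(self, handle: str) -> Optional[dict]:
        return self._grants.get(handle)

    def token_exchange(self, body: str, caller_client_id: str) -> dict:
        """Token endpoint: validate the subject token, then mint a token for the
        requested audience that keeps the original user as subject (impersonation)."""
        form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
        if form.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
            return {"error": "unsupported_grant_type"}
        if form.get("subject_token_type") != TOKEN_TYPE_ACCESS_TOKEN:
            return {"error": "invalid_request"}
        subject = self.lookup(form.get("subject_token", ""))
        if subject is None:
            return {"error": "invalid_grant"}
        # Only a client the subject token was actually issued for may exchange it.
        if caller_client_id not in subject["aud"]:
            return {"error": "invalid_grant"}
        audience = form.get("audience")
        if not audience:
            return {"error": "invalid_target"}
        new_claims = {
            "sub": subject["sub"],        # same user: we are "impersonating" ourselves
            "aud": [audience],            # narrowed to the downstream API only
            "scope": subject.get("scope", ""),
            "client_id": caller_client_id,
        }
        return {
            "access_token": self.issue(new_claims),
            "issued_token_type": TOKEN_TYPE_ACCESS_TOKEN,
            "token_type": "Bearer",
            "expires_in": 300,
        }


def demo() -> dict:
    """API A holds a user token for itself and exchanges it for one aimed at API B."""
    asrv = ToyAuthorizationServer()
    user_token = asrv.issue({"sub": "bdc@example.net", "aud": ["api-a"],
                             "scope": "orders profile"})  # constructed subject token
    body = build_exchange_body(user_token, audience="api-b")
    resp = asrv.token_exchange(body, caller_client_id="api-a")
    downstream = asrv.lookup(resp.get("access_token", ""))
    wrong_client = asrv.token_exchange(body, caller_client_id="api-c")
    return {"body": body, "response": resp, "downstream_claims": downstream,
            "wrong_client": wrong_client}
```

The `aud` check in `token_exchange` is the part worth keeping when you build this as an IdentityServer4 custom grant: without it, any client that obtains a user's token for API A could mint tokens for API B, which defeats the point of narrowing audiences in the first place.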