1. Secure Authorization for your Printer – The OAuth Device Flow
Scott Brady
@scottbrady91 – Rock Solid Knowledge #devsum18
2. Introductions
• Identity & Access Control Lead @ Rock Solid Knowledge
• Commercial side of the IdentityServer OSS project
• AdminUI
• SAML2P & WS-Federation
• IdentityServer European Partner
• Development, consultancy, support, and training
• Helps fund the IdentityServer project
@scottbrady91 – Rock Solid Knowledge (identityserver.com)
3. The Problem
• SOLVED: Delegating an application access to protected resources on behalf of a user (OAuth 2.0)
• SOLVED: Verifying the identity of the resource owner who delegated that access (OpenID Connect 1.0)
• How to delegate access to:
• Browserless devices
• Input constrained devices
4. Browserless Devices
• Smart TVs
• Internet of Things
• Printers
• Fridges
• Sensors
8. Resource Owner Password Credentials?
• No browser necessary
• Impersonation
• No scoped access
• Exposes user credentials to device
• Breaks when we add phishing-resistant credentials
• No federation (unless using “benevolent phishing”)
9. Solution
The OAuth Device Flow
• Uses an external browser to bridge the gap
• (your smartphone)
• User authentication external to the device
• At the time of this talk in draft 9 (since published as RFC 8628):
• datatracker.ietf.org/doc/draft-ietf-oauth-device-flow
• Already in use by Google
• Similar implementations available, but now there’s a spec!
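The exchange the slide describes, with both sides in one runnable script. This is an added example, not the deck's proof-of-concept code and not IdentityServer's implementation: the authorization server mints a device_code (the secret the device polls with) and a short user_code (what the user types into the browser on their phone), then the device polls the token endpoint until the user approves, the request expires, or the server tells it to slow down. The grant type URN, endpoint behaviour and error codes follow the specification; the FakeClock, the client_id and scope values and the verification URI are illustrative assumptions.

```python
"""Simulated OAuth 2.0 device flow (draft-ietf-oauth-device-flow, now RFC 8628).

Added example: authorization server and browserless device run in-process,
driven by a fake clock, so a full exchange can be traced offline.
"""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # upper case, no vowels or look-alikes


class FakeClock:
    """Stands in for time.time()/time.sleep() so the run is deterministic."""
    def __init__(self):
        self.now = 0

    def sleep(self, seconds):
        self.now += seconds


class AuthorizationServer:
    def __init__(self, clock, expires_in=300, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.pending = {}        # device_code -> request state
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: mint both codes for one request."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock.now + self.expires_in,
            "last_poll": None, "approved": False,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",   # illustrative
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code):
        """Reached from the user's own browser, after login and consent there."""
        req = self.pending.get(self.by_user_code.get(user_code))
        if req is None or self.clock.now >= req["expires_at"]:
            return False
        req["approved"] = True
        return True

    def _forget(self, device_code, req):
        del self.pending[device_code]
        del self.by_user_code[req["user_code"]]

    def token(self, client_id, grant_type, device_code):
        """Token endpoint: the device polls here with its device_code."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now >= req["expires_at"]:
            self._forget(device_code, req)
            return {"error": "expired_token"}
        # Polling faster than the advertised interval is answered with slow_down.
        if req["last_poll"] is not None and self.clock.now - req["last_poll"] < self.interval:
            req["last_poll"] = self.clock.now
            return {"error": "slow_down"}
        req["last_poll"] = self.clock.now
        if not req["approved"]:
            return {"error": "authorization_pending"}
        self._forget(device_code, req)   # device_code is single use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": req["scope"]}


def run_device(server, clock, client_id, scope, user_hook, poll_interval=None, max_polls=50):
    """Device side. user_hook(user_code, now) models the user acting on their
    phone at some later moment; poll_interval overrides the server's interval
    to show what a misbehaving client sees."""
    auth = server.device_authorization(client_id, scope)
    interval = poll_interval or auth["interval"]
    polls = []   # one entry per token request: the error, or "ok"
    # On a real device this is where user_code and verification_uri go on screen.
    for _ in range(max_polls):
        clock.sleep(interval)
        user_hook(auth["user_code"], clock.now)
        resp = server.token(client_id, GRANT_TYPE, auth["device_code"])
        polls.append(resp.get("error", "ok"))
        if "access_token" in resp:
            return resp, polls
        if resp["error"] == "slow_down":
            interval += 5          # the back-off the spec requires
        elif resp["error"] != "authorization_pending":
            return resp, polls     # expired_token, access_denied, invalid_grant
    return {"error": "gave_up"}, polls


def demo(approve_at=12, poll_interval=None, expires_in=300):
    """One exchange; the user approves once the clock passes approve_at
    (None: the user never turns up, so the request expires)."""
    clock = FakeClock()
    server = AuthorizationServer(clock, expires_in=expires_in)

    def user(user_code, now):
        if approve_at is not None and now >= approve_at:
            server.approve(user_code)

    return run_device(server, clock, "printer-lobby-1", "print:jobs", user, poll_interval)


if __name__ == "__main__":
    for args in ({}, {"poll_interval": 2}, {"approve_at": None, "expires_in": 20}):
        resp, polls = demo(**args)
        print(args, "->", polls, "token issued" if "access_token" in resp else resp)
```

The three runs in the `__main__` block show the well-behaved client (two `authorization_pending` answers, then a token), a client polling every 2 seconds instead of 5 (one `slow_down`, after which it backs off by 5 seconds and succeeds), and a user who never enters the code (`expired_token` once `expires_in` elapses). Note that the device never sees the user's credentials at any point: all it ever holds is the device_code, and the user's authentication happens entirely in the browser on their phone.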
19. Proof of Concept Code
20. IdentityServer4 & Device Flow
• Open Source (part of the core repository)
• Hopefully available in v2.next
• Consent page may have to come later…
• Otherwise v3
22. Security Considerations
User Codes
• Shorter codes are better for the user
• Longer codes are better for security
• Numeric is better for the user
• Alphanumeric is better for security
• What’s the worst that could happen?
• Breach of privacy
• Something embarrassing…
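The user-code trade-off on this slide, in numbers, plus the server-side protection that makes a short code acceptable. A guessed user_code lets an attacker approve a stranger's pending device against the attacker's own account, so what matters is how many guesses the attacker gets during a code's lifetime, not only how large the code space is. This is an added example, not the deck's or IdentityServer's code; the two alphabets, the 8-character length, the failure cap and the per-source key (session or IP address) are illustrative assumptions.

```python
"""Sizing user codes and protecting the verification step against guessing.

Added example: entropy and hit-probability arithmetic for two alphabets,
a grouped code generator, and a verification endpoint that normalises
input, compares in constant time and caps failed attempts per source.
"""
import hmac
import math
import secrets

NUMERIC = "0123456789"                   # easiest on a TV remote or keypad
CONSONANTS = "BCDFGHJKLMNPQRSTVWXZ"      # upper case, no vowels or look-alikes


def entropy_bits(alphabet, length):
    return length * math.log2(len(alphabet))


def hit_probability(alphabet, length, outstanding, guesses):
    """Chance that `guesses` random submissions hit any one of `outstanding`
    currently valid codes (uniform codes, guessing with replacement)."""
    space = len(alphabet) ** length
    return 1 - (1 - outstanding / space) ** guesses


def generate_user_code(alphabet, length=8, group=4):
    """Random code, shown grouped for readability (e.g. WDJB-MJHT)."""
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))


def normalise(typed):
    """Accept what the user actually types: lower case, spaces, hyphens."""
    return "".join(ch for ch in typed.upper() if ch.isalnum())


class UserCodeVerifier:
    """The user-facing verification step: map a typed code to its pending
    request, with a failed-attempt cap per source (session or IP)."""

    def __init__(self, max_failures=5):
        self.pending = {}     # normalised user_code -> device_code
        self.failures = {}    # source -> failed attempts so far
        self.max_failures = max_failures

    def register(self, user_code, device_code):
        self.pending[normalise(user_code)] = device_code

    def lookup(self, source, typed):
        if self.failures.get(source, 0) >= self.max_failures:
            return "rate_limited"          # even a correct guess is refused now
        candidate = normalise(typed)
        match = None
        # Compare against every outstanding code so timing does not depend on
        # which code, if any, matched.
        for code, device_code in self.pending.items():
            if hmac.compare_digest(code, candidate):
                match = device_code
        if match is None:
            self.failures[source] = self.failures.get(source, 0) + 1
            return "invalid_user_code"
        return match


def sizing_table(outstanding=1000, guesses=100):
    """(entropy bits, hit probability) per alphabet and length, for a server
    with `outstanding` live codes facing `guesses` attempts per lifetime."""
    return {(name, n): (round(entropy_bits(a, n), 1),
                        hit_probability(a, n, outstanding, guesses))
            for name, a in (("numeric", NUMERIC), ("consonants", CONSONANTS))
            for n in (6, 8)}


if __name__ == "__main__":
    for key, (bits, p) in sizing_table().items():
        print(f"{key[0]:>10} x{key[1]}: {bits:5.1f} bits, P(hit) = {p:.2e}")
    print("example code:", generate_user_code(CONSONANTS))
```

With 1000 codes outstanding and an attacker allowed 100 guesses, six digits gives roughly a 1-in-10 chance of hitting someone's device, eight digits about 1-in-1000, and eight consonants a few in a million; the `outstanding` figure matters as much as the alphabet, because every live code is a target. A per-source cap alone is bypassable from many addresses, so the code lifetime (`expires_in`) and a global cap on failed verifications across all sources are the other two knobs; together they bound `guesses`, which is what lets a code short enough to type on a remote stay safe.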
24. Further Use Cases
• Public printers
• Bringing strong authentication to native devices
• Screenless devices
• Virtual assistants?
• Device Pairing
25. Don’t forget to evaluate this session in the DevSum app!
Thanks!
@scottbrady91
www.identityserver.com