SlideShare a Scribd company logo

Secure OAuth Device Flow for Printers

Download as PPTX, PDF
S
Scott Brady

Slides from DevSum 2018. Read more at https://www.identityserver.com/articles/an-introduction-to-the-oauth-device-flow/

Technology
1 of 25
Secure Authorization for your Printer – The OAuth Device Flow Scott Brady @scottbrady91 – Rock Solid Knowledge #devsum18
Introductions • Identity & Access Control Lead @ Rock Solid Knowledge • Commercial side of the IdentityServer OSS project • AdminUI • SAML2P & WS-Federation • IdentityServer European Partner • Development, consultancy, support, and training • Helps fund the IdentityServer project @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Problem • SOLVED: Delegating an application access to protected resources on behalf of user (OAuth 2.0) • SOLVED: Verifying the identity of the resource owner who delegated access (OpenID Connect 1.0) • How to delegate access to: • Browserless devices • Input constrained devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Browserless Devices • Smart TVs • Internet of Things • Printers • Fridges • Sensors @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Input Constrained Devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
User Client Protected Resource Authorization Server Authorization Request Authorization Grant Authorization Grant Access Token Request Protected Resource Trust Authentication @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Resource Owner Password Credentials? @scottbrady91 – Rock Solid Knowledge (identityserver.com) POST /token grant_type=password &client_id=oauth_client &username=scott &password=Password123! { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600 }
Resource Owner Password Credentials? • No browser necessary • Impersonation • No scoped access • Exposes user credentials to device • Breaks when we add phishing resistant credentials • No federation (unless using “benevolent phishing”) @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Solution The OAuth Device Flow • Uses an external browser to bridge the gap • (your smartphone) • User authentication external to the device • Currently in draft 9: • datatracker.ietf.org/doc/draft-ietf-oauth-device-flow • Already in use by Google • Similar implementations available, but now there’s a spec! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Demo! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Device User Secondary Device Authorization Server
The Protocol Device Authorization (Request) POST /device_authorization HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Device Authorization (Response) { "device_code": "GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8", "verification_uri": "https://www.example.com/device", "user_code": "WDJB-MJHT", "verification_uri_complete": "https://www.example.com/device?user_code=WDJB-MJHT", "expires_in": 1800, "interval": 5 } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol User Interaction +-----------------------------------------------+ | | | Using a browser on another device, visit: | | https://example.com/device | | | | And enter the code: | | WDJB-MJHT | | | +-----------------------------------------------+ @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol User Interaction @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Token Request POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:device_code &device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8 &client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Token Request { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Extras • OpenID Connect • Refresh tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Proof of Concept Code @scottbrady91 – Rock Solid Knowledge (identityserver.com)
IdentityServer4 & Device Flow • Open Source (part of the core repository) • Hopefully available in v2.next • Consent page may have to come later… • Otherwise v3 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
@scottbrady91 – Rock Solid Knowledge (identityserver.com) IdentityServer4 & Device Flow
Security Considerations User Codes • Shorter codes are better for the user • Longer codes are better for security • Numeric is better for the user • Alphanumeric is better for security • What’s the worst that could happen? • Breach of privacy • Something embarrassing… @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Security Considerations User Interaction • Phishing for credentials • Phishing for tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Further Use Cases • Public printers • Bringing strong authentication to native devices • Screenless devices • Virtual assistants? • Device Pairing @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Don’t forget to evaluate this session in the DevSum app! @scottbrady91 – Rock Solid Knowledge #devsum18 Thanks! @scottbrady91 www.identityserver.com

Recommended

Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Scott Brady
 
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Scott Brady
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David BorsosMicroservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David BorsosOpenCredo
 
muCon 2016: Authentication in Microservice Systems By David Borsos
muCon 2016: Authentication in Microservice Systems By David BorsosmuCon 2016: Authentication in Microservice Systems By David Borsos
muCon 2016: Authentication in Microservice Systems By David BorsosOpenCredo
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsLeanIX GmbH
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattMicroservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattOpenCredo
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 

Recommended

Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...Scott Brady
 
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...Scott Brady
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David BorsosMicroservices Manchester: Authentication in Microservice Systems by David Borsos
Microservices Manchester: Authentication in Microservice Systems by David BorsosOpenCredo
 
muCon 2016: Authentication in Microservice Systems By David Borsos
muCon 2016: Authentication in Microservice Systems By David BorsosmuCon 2016: Authentication in Microservice Systems By David Borsos
muCon 2016: Authentication in Microservice Systems By David BorsosOpenCredo
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsLeanIX GmbH
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattMicroservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki WattOpenCredo
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...SecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & PrivacyChris Adriaensen
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainAltoros
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Code signing and trust
Code signing and trustCode signing and trust
Code signing and trustJapneet Singh
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
Security and privacy with blockchain
Security and privacy with blockchainSecurity and privacy with blockchain
Security and privacy with blockchainCeline George
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumNagib Aouini
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenIDMax Manders
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...MikeLeszcz
 
Authentication in microservice systems
Authentication in microservice systemsAuthentication in microservice systems
Authentication in microservice systemsDavid Borsos
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeHorea Porutiu
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsNagib Aouini
 
Bitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open SourceBitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open SourceAll Things Open
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationLaurentiu Meirosu
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 

More Related Content

What's hot

Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...SecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & PrivacyChris Adriaensen
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainAltoros
 
Code signing and trust
Code signing and trustCode signing and trust
Code signing and trustJapneet Singh
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
Security and privacy with blockchain
Security and privacy with blockchainSecurity and privacy with blockchain
Security and privacy with blockchainCeline George
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumNagib Aouini
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenIDMax Manders
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...MikeLeszcz
 
Authentication in microservice systems
Authentication in microservice systemsAuthentication in microservice systems
Authentication in microservice systemsDavid Borsos
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeHorea Porutiu
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsNagib Aouini
 
Bitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open SourceBitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open SourceAll Things Open
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationLaurentiu Meirosu
 

What's hot (20)

Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & Privacy
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
 
Code signing and trust
Code signing and trustCode signing and trust
Code signing and trust
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API Umbrella
 
Security and privacy with blockchain
Security and privacy with blockchainSecurity and privacy with blockchain
Security and privacy with blockchain
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public Ethereum
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
 
Authentication in microservice systems
Authentication in microservice systemsAuthentication in microservice systems
Authentication in microservice systems
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOs
 
Bitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open SourceBitcoin, the Blockchain, and Open Source
Bitcoin, the Blockchain, and Open Source
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
 

Similar to Secure OAuth Device Flow for Printers

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick HardtINTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardtapidays
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET CoreVladimir Bychkov
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersGlobus
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...HostedbyConfluent
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladoresLuis Ruiz Pavón
 
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT PlatformWSO2
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 

Similar to Secure OAuth Device Flow for Printers (20)

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick HardtINTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for Developers
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform
[WSO2Con EU 2017] Building Smart, Connected Products with WSO2 IoT Platform
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Secure OAuth Device Flow for Printers

  • 1. Secure Authorization for your Printer – The OAuth Device Flow Scott Brady @scottbrady91 – Rock Solid Knowledge #devsum18
  • 2. Introductions • Identity & Access Control Lead @ Rock Solid Knowledge • Commercial side of the IdentityServer OSS project • AdminUI • SAML2P & WS-Federation • IdentityServer European Partner • Development, consultancy, support, and training • Helps fund the IdentityServer project @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 3. The Problem • SOLVED: Delegating an application access to protected resources on behalf of user (OAuth 2.0) • SOLVED: Verifying the identity of the resource owner who delegated access (OpenID Connect 1.0) • How to delegate access to: • Browserless devices • Input constrained devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 4. Browserless Devices • Smart TVs • Internet of Things • Printers • Fridges • Sensors @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 5. Input Constrained Devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 7. Resource Owner Password Credentials? @scottbrady91 – Rock Solid Knowledge (identityserver.com) POST /token grant_type=password &client_id=oauth_client &username=scott &password=Password123! { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600 }
  • 8. Resource Owner Password Credentials? • No browser necessary • Impersonation • No scoped access • Exposes user credentials to device • Breaks when we add phishing resistant credentials • No federation (unless using “benevolent phishing”) @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 9. Solution The OAuth Device Flow • Uses an external browser to bridge the gap • (your smartphone) • User authentication external to the device • Currently in draft 9: • datatracker.ietf.org/doc/draft-ietf-oauth-device-flow • Already in use by Google • Similar implementations available, but now there’s a spec! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 10. Demo! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 12. The Protocol Device Authorization (Request) POST /device_authorization HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 13. The Protocol Device Authorization (Response) { "device_code": "GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8", "verification_uri": "https://www.example.com/device", "user_code": "WDJB-MJHT", "verification_uri_complete": "https://www.example.com/device?user_code=WDJB-MJHT", "expires_in": 1800, "interval": 5 } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 14. The Protocol User Interaction +-----------------------------------------------+ | | | Using a browser on another device, visit: | | https://example.com/device | | | | And enter the code: | | WDJB-MJHT | | | +-----------------------------------------------+ @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 15. The Protocol User Interaction @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 16. The Protocol Token Request POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:device_code &device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8 &client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 18. Extras • OpenID Connect • Refresh tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 19. Proof of Concept Code @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 20. IdentityServer4 & Device Flow • Open Source (part of the core repository) • Hopefully available in v2.next • Consent page may have to come later… • Otherwise v3 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 21. @scottbrady91 – Rock Solid Knowledge (identityserver.com) IdentityServer4 & Device Flow
  • 22. Security Considerations User Codes • Shorter codes are better for the user • Longer codes are better for security • Numeric is better for the user • Alphanumeric is better for security • What’s the worst that could happen? • Breach of privacy • Something embarrassing… @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 23. Security Considerations User Interaction • Phishing for credentials • Phishing for tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 24. Further Use Cases • Public printers • Bringing strong authentication to native devices • Screenless devices • Virtual assistants? • Device Pairing @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 25. Don’t forget to evaluate this session in the DevSum app! @scottbrady91 – Rock Solid Knowledge #devsum18 Thanks! @scottbrady91 www.identityserver.com