SlideShare a Scribd company logo
1 of 22
Technical Deep Dive -
OpenID-Connect and OAuth 2.0
in UCS IAM
Florian Best, Arvid Requate, Univention
Speakers
» Florian Best
» Univention Management Console (UMC) and Web-Services
» Univention Directory Manager (UDM) + UDM-REST API
» Security Assertion Markup Language (SAML)
» Code Security
» Arvid Requate
» Samba/AD
» OpenLDAP
» OAuth 2.0 / OpenID-Connect in Sovereign Cloud Stack
Let’s dive in – Why OAuth 2.0 / OpenID-Connect?
» UCS migrates from SimpleSAMLphp to Keycloak
» Opens the way to integrate OAuth 2.0 based protocols
» Keycloak is the Identity Provider (IdP) / OpenID-Connect Provider (OP) for both,
SAML and OAuth 2.0 / OpenID-Connect
» Allows seamless protocol mix
» Internal „federation“ of multiple OAuth & SAML providers
» User doesn’t notice, they get a Keycloak session cookie
» OAuth 2.0 protocol is more transparent and lightweight than SAML
» e.g. JSON + JWT vs. base64 encoded compressed XML
» Backchannel operations are possible (not involving browser)
» OAuth 2.0 can be implemented stateless, suitable for use with REST-APIs
OAuth 2.0 & OpenID-Connect: Which is which?
» Open Authorization 2.0 framework
» has a large and active protocol family
» User can permit authorization for the OAuth client to a resource server
» Via several different Grants / Flows based on HTTP + JSON
» By using an Access Token (nowadays with internal structure: JWT)
» Bound to Scopes, which contain the authorized permissions
» OpenID-Connect
» Extends OAuth 2.0
» Authentication protocol
» Introduces ID Token containing user profile information
» communicate the user identity to the client (e.g. UMC)
Who is who?
» OAuth 2.0 has:
» Resource Owner: user
» The User Agent: web browser
» Client: application / service provider
» Authorization Server (AS)
» Keycloak
» Resource Servers (RS)
» UDM-REST-API
» LDAP server
» IMAP server
» OpenID-Connect extends:
» Relying Party (RP)
» Univention Management Console (UMC)
» OpenID Provider (OP)
» Keycloak, Google, github
Who does what (in Authorization Code Flow)?
Who does what (in Authorization Code Flow)?
Who does what (in Authorization Code Flow)?
Who does what (in Authorization Code Flow)?
Who does what (in Authorization Code Flow)?
Who does what (in Authorization Code Flow)?
Where is UCS today?
» SAML is used for user SSO & Federation
» Session refresh a bit complicated, always involving browser
» hidden iframe, requires active connection from user agent and proper timing
» UMC can act as SAML service provider
» may pass SAML token instead of user password to UDM
» UDM uses user credentials to access LDAP directory server
» impersonates the user
» UCS LDAP directory server supports SAML 2.0 as SASL mechanism
» crudesaml plugin
» Simple Authentication and Security Layer (SASL)
» Pluggable Authentication Modules (PAM)
Where do we want to go?
» UMC can be an OAuth 2.0 client and OIDC Relying Party (RP)
» Gets authorization from user via Keycloak to access resources
» Learns user identity from ID Token (OpenID-Connect)
» Uses access token with UMC-PAM stack to check validity
» Passes access token to UDM-UMC module, sends access token to UCS
LDAP directory server
» UDM-REST API can be OAuth 2.0 resource server and gateway to LDAP
» HTTP Bearer authentication
Missing Piece Implemented: SASL & PAM plugin
» UCS LDAP directory server supports OAuth 2.0 as SASL mechanism
» crudeoauth plugin for SASL & PAM auth
» Enabeling clients and servers to exchange
and validate OAuth 2.0 access tokens
» Lightweight: No call to Token introspection endpoint,
no additional process (saslauthd) involved
Current state: LDAP
» We created the project crudeoauth
» SASL plugin providing OAUTHBEARER mechanism
» following RFC 7628 („A Set of SASL Mechanisms for Oauth“)
» PAM module
» First OAUTHBEARER implementation for the Cyrus-SASL2 framework
» SASL plugin allows clients and resource servers to support OAuth 2.0 Access Tokens easily
» PAM allows services to offload token validation, service doesn’t need to implement
» Could even be used for arbitrary services like SSH
» SASL + PAM module validates JWT signature, validity ranges, issuer and `aud` claim (audience) as
well as a configurable scope
t
Current state: UDM REST API
» UDM REST API: OAuth 2.0 Resource Server
» Usable with SSO / OAuth 2.0 Access Tokens
» Offers HTTP Bearer-Authentication
» Stateless communication
» Passes Access Token (JWT) to LDAP server
» via SASL bind OAUTHBEARER mechanism
» Potential for service-to-service authorization
Current state: Univention Management Console (and Portal)
» UMC becomes OpenID-Connect Relying Party
» Authorization Code Flow with Proof Key for Code Exchange (PKCE)
» Collects login name from ID-Token claim
» Validates ID-Token incl. Authorized Party claim (“azp“)
» Gives Access Token to UMC modules, e.g. UDM
» which can do LDAP bind via OAUTHBEARER SASL
» Uses Refresh Token to check if the OP session is still alive and retrieve new Access Token
» Global Logout via backchannel logout
» OP initiated (e.g. by another logged in App) or user initiated at UMC / Portal
» Optional: Act as Resource Server via HTTP Bearer Authentication
» For Service-to-service communication? The Portal in the future?
Ideas for the future
» Release crudeoauth as OpenSource project
» Could be useful outside of UCS
» Experiment for use with workload identities / service 2 service auth
» openDesk K8S PODs
» Portal curently uses session shared with UMC
» Should act as a separate service / RP in OAuth 2.0
» As client of UMC, sends Access Token to UMC, which is protected resource
» Clearer separation of services, allowing running on separate nodes / web origins
VIELEN DANK!
Florian Best, Arvid Requate
Univention
best@univention.de, requate@univention.de

More Related Content

Similar to Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best & Arvid Requate - Univention Summit 2024

CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0Krishna-Kumar
 
The FaaS and the Curious™
The FaaS and the Curious™The FaaS and the Curious™
The FaaS and the Curious™Bryan McAninch
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015Stuart
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Dejan Glozic
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMPaul Madsen
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSatSistemas
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim Cruse
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim CruseAWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim Cruse
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim CruseAmazon Web Services Korea
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?Tobias Koprowski
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 

Similar to Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best & Arvid Requate - Univention Summit 2024 (20)

CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
 
The FaaS and the Curious™
The FaaS and the Curious™The FaaS and the Curious™
The FaaS and the Curious™
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdM
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
Technical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWSTechnical considerations for Blockchain networks with AWS
Technical considerations for Blockchain networks with AWS
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
OAuth2.0
OAuth2.0OAuth2.0
OAuth2.0
 
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim Cruse
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim CruseAWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim Cruse
AWS Innovate: Building an Internet Connected Camera with AWS IoT- Tim Cruse
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 

More from Univention GmbH

Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...Univention GmbH
 
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024Univention GmbH
 
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024Univention GmbH
 
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022Univention GmbH
 
Modularisierung und Containerisierung von UCS
Modularisierung und Containerisierung von UCSModularisierung und Containerisierung von UCS
Modularisierung und Containerisierung von UCSUnivention GmbH
 
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022Univention GmbH
 
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...Univention GmbH
 
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...Univention GmbH
 
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...Univention GmbH
 
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022Univention GmbH
 
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...Univention GmbH
 
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...Univention GmbH
 
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022Univention GmbH
 
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...Univention GmbH
 
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...Univention GmbH
 
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022Univention GmbH
 
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...Univention GmbH
 
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...Univention GmbH
 
Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022Univention GmbH
 
Alles schon da? IT-Architektur für die digital souveräne Verwaltung
Alles schon da? IT-Architektur für die digital souveräne VerwaltungAlles schon da? IT-Architektur für die digital souveräne Verwaltung
Alles schon da? IT-Architektur für die digital souveräne VerwaltungUnivention GmbH
 

More from Univention GmbH (20)

Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
Status des Rollen- und Rechtemodells in UCS und UCS@school - Daniel Tröder - ...
 
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
Univention IAM and Portal for Kubernetes - Ingo Steuwer - Univention Summit 2024
 
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
Outlook on UCS 5.2 - Ingo Steuwer - Univention Summit 2024
 
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
Wohin entwickelt sich UCS? Ingo Steuwer - Univention Summit 2022
 
Modularisierung und Containerisierung von UCS
Modularisierung und Containerisierung von UCSModularisierung und Containerisierung von UCS
Modularisierung und Containerisierung von UCS
 
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
Barrierefreiheit in UCS - Univention GmbH - Univention Summit 2022
 
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
Digitale Souveränität für die zivile Seenotrettung von Sea-Watch - Sea-Watch ...
 
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
Schulische Lernplattformen in Deutschland - Institut für Informationsmanageme...
 
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
Technologie in der Schule: Ein Projektüberblick & Beratungsansatz der Bechtle...
 
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS@school Roadmap 2022 - Univention GmbH - Univention Summit 2022
 
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
BILDUNGSLOGIN: Mit zwei Klicks die ganze Bandbreite digitaler Bildungsmedien ...
 
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
Schule digital neu denken - Schulstiftung der Ev.-Luth. Landeskriche Sachsens...
 
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
UCS Roadmap 2022 - Univention GmbH - Univention Summit 2022
 
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
Shift happens! Let's create a better IT now! - UNivention GmbH - Univention S...
 
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
Einführung eines zentralen IDM auf Basis der hessischen Landesdatenbank LUSD ...
 
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
Sie serverlose Schule - Stadt Norderstedt - Univention Summit 2022
 
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
Digital Souveräne Collaboration mit Nextcloud - Nextcloud-Univention-Summit-2...
 
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
Enough about Gaia-X theory – Let’s shift towards real use cases! - Plusserver...
 
Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022Get your shift together now! - agorum Software - Univention Summit 2022
Get your shift together now! - agorum Software - Univention Summit 2022
 
Alles schon da? IT-Architektur für die digital souveräne Verwaltung
Alles schon da? IT-Architektur für die digital souveräne VerwaltungAlles schon da? IT-Architektur für die digital souveräne Verwaltung
Alles schon da? IT-Architektur für die digital souveräne Verwaltung
 

Recently uploaded

The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionWave PLM
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersEmilyJiang23
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfMehmet Akar
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareinfo611746
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAlluxio, Inc.
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)Max Lee
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Krakówbim.edu.pl
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024vaibhav130304
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityamy56318795
 

Recently uploaded (20)

5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024IT Software Development Resume, Vaibhav jha 2024
IT Software Development Resume, Vaibhav jha 2024
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
 
AI Hackathon.pptx
AI                        Hackathon.pptxAI                        Hackathon.pptx
AI Hackathon.pptx
 

Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM - Florian Best & Arvid Requate - Univention Summit 2024

  • 1. Technical Deep Dive - OpenID-Connect and OAuth 2.0 in UCS IAM Florian Best, Arvid Requate, Univention
  • 2.
  • 3.
  • 4. Speakers » Florian Best » Univention Management Console (UMC) and Web-Services » Univention Directory Manager (UDM) + UDM-REST API » Security Assertion Markup Language (SAML) » Code Security » Arvid Requate » Samba/AD » OpenLDAP » OAuth 2.0 / OpenID-Connect in Sovereign Cloud Stack
  • 5.
  • 6. Let’s dive in – Why OAuth 2.0 / OpenID-Connect? » UCS migrates from SimpleSAMLphp to Keycloak » Opens the way to integrate OAuth 2.0 based protocols » Keycloak is the Identity Provider (IdP) / OpenID-Connect Provider (OP) for both, SAML and OAuth 2.0 / OpenID-Connect » Allows seamless protocol mix » Internal „federation“ of multiple OAuth & SAML providers » User doesn’t notice, they get a Keycloak session cookie » OAuth 2.0 protocol is more transparent and lightweight than SAML » e.g. JSON + JWT vs. base64 encoded compressed XML » Backchannel operations are possible (not involving browser) » OAuth 2.0 can be implemented stateless, suitable for use with REST-APIs
  • 7. OAuth 2.0 & OpenID-Connect: Which is which? » Open Authorization 2.0 framework » has a large and active protocol family » User can permit authorization for the OAuth client to a resource server » Via several different Grants / Flows based on HTTP + JSON » By using an Access Token (nowadays with internal structure: JWT) » Bound to Scopes, which contain the authorized permissions » OpenID-Connect » Extends OAuth 2.0 » Authentication protocol » Introduces ID Token containing user profile information » communicate the user identity to the client (e.g. UMC)
  • 8. Who is who? » OAuth 2.0 has: » Resource Owner: user » The User Agent: web browser » Client: application / service provider » Authorization Server (AS) » Keycloak » Resource Servers (RS) » UDM-REST-API » LDAP server » IMAP server » OpenID-Connect extends: » Relying Party (RP) » Univention Management Console (UMC) » OpenID Provider (OP) » Keycloak, Google, github
  • 9. Who does what (in Authorization Code Flow)?
  • 10. Who does what (in Authorization Code Flow)?
  • 11. Who does what (in Authorization Code Flow)?
  • 12. Who does what (in Authorization Code Flow)?
  • 13. Who does what (in Authorization Code Flow)?
  • 14. Who does what (in Authorization Code Flow)?
  • 15. Where is UCS today? » SAML is used for user SSO & Federation » Session refresh a bit complicated, always involving browser » hidden iframe, requires active connection from user agent and proper timing » UMC can act as SAML service provider » may pass SAML token instead of user password to UDM » UDM uses user credentials to access LDAP directory server » impersonates the user » UCS LDAP directory server supports SAML 2.0 as SASL mechanism » crudesaml plugin » Simple Authentication and Security Layer (SASL) » Pluggable Authentication Modules (PAM)
  • 16. Where do we want to go? » UMC can be an OAuth 2.0 client and OIDC Relying Party (RP) » Gets authorization from user via Keycloak to access resources » Learns user identity from ID Token (OpenID-Connect) » Uses access token with UMC-PAM stack to check validity » Passes access token to UDM-UMC module, sends access token to UCS LDAP directory server » UDM-REST API can be OAuth 2.0 resource server and gateway to LDAP » HTTP Bearer authentication
  • 17. Missing Piece Implemented: SASL & PAM plugin » UCS LDAP directory server supports OAuth 2.0 as SASL mechanism » crudeoauth plugin for SASL & PAM auth » Enabeling clients and servers to exchange and validate OAuth 2.0 access tokens » Lightweight: No call to Token introspection endpoint, no additional process (saslauthd) involved
  • 18. Current state: LDAP » We created the project crudeoauth » SASL plugin providing OAUTHBEARER mechanism » following RFC 7628 („A Set of SASL Mechanisms for Oauth“) » PAM module » First OAUTHBEARER implementation for the Cyrus-SASL2 framework » SASL plugin allows clients and resource servers to support OAuth 2.0 Access Tokens easily » PAM allows services to offload token validation, service doesn’t need to implement » Could even be used for arbitrary services like SSH » SASL + PAM module validates JWT signature, validity ranges, issuer and `aud` claim (audience) as well as a configurable scope t
  • 19. Current state: UDM REST API » UDM REST API: OAuth 2.0 Resource Server » Usable with SSO / OAuth 2.0 Access Tokens » Offers HTTP Bearer-Authentication » Stateless communication » Passes Access Token (JWT) to LDAP server » via SASL bind OAUTHBEARER mechanism » Potential for service-to-service authorization
  • 20. Current state: Univention Management Console (and Portal) » UMC becomes OpenID-Connect Relying Party » Authorization Code Flow with Proof Key for Code Exchange (PKCE) » Collects login name from ID-Token claim » Validates ID-Token incl. Authorized Party claim (“azp“) » Gives Access Token to UMC modules, e.g. UDM » which can do LDAP bind via OAUTHBEARER SASL » Uses Refresh Token to check if the OP session is still alive and retrieve new Access Token » Global Logout via backchannel logout » OP initiated (e.g. by another logged in App) or user initiated at UMC / Portal » Optional: Act as Resource Server via HTTP Bearer Authentication » For Service-to-service communication? The Portal in the future?
  • 21. Ideas for the future » Release crudeoauth as OpenSource project » Could be useful outside of UCS » Experiment for use with workload identities / service 2 service auth » openDesk K8S PODs » Portal curently uses session shared with UMC » Should act as a separate service / RP in OAuth 2.0 » As client of UMC, sends Access Token to UMC, which is protected resource » Clearer separation of services, allowing running on separate nodes / web origins
  • 22. VIELEN DANK! Florian Best, Arvid Requate Univention best@univention.de, requate@univention.de