Token-based Authentication
IN SINGLE-PAGE AND MOBILE APPLICATIONS
SATURDAY, MARCH 28TH, 2015
Will Adams
Senior Software Engineer
Fiserv, Inc.
Agenda
• Overview of token-based authentication.
• Types of tokens.
  • Anti-CSRF.
  • Access.
  • Refresh.
• Token formats.
• Standards and Guidelines.
• Demo.
• Resources.
Overview
• Token-based authentication is the process of verifying a user’s identity, then creating and returning a unique set of claims (i.e. key-value pairs) that describe the user.
• Token-based authentication allows you to outsource authentication from your application and instead consume a token based on a trusted relationship between your app and an identity provider.
Anti-CSRF “sync” Tokens
• Use if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket.
• Websites that use any persistent authentication mechanism, such as Windows Authentication, Basic, etc., can also be subject to CSRF attacks and should use sync tokens.
• Sync tokens are randomly generated values included in any form/request and are based on the synchronizer token pattern. This pattern utilizes two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass a comparison check.
Anti-CSRF Tokens – cont’d
• In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and available via the IIdentity interface.
• Denote the unique claim in your app if you’re using something other than NameIdentifier. Add a line similar to the following in the Application_Start method in Global.asax.cs:
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
• OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET.
• ASP.NET MVC example:
<input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
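The two-token check the slides describe, written out as an added example (not the deck's or ASP.NET's own code): the cookie value is random, the hidden form value is derived from it and from the user's unique claim, and the server recomputes and compares in constant time. SERVER_KEY and the function names are assumptions for the example.

```python
"""Added example, not from the slides: a server-side implementation of the
two-token check the deck describes (one token in a cookie, one in the form),
with the form token bound to the user's unique claim the way
AntiForgeryConfig.UniqueClaimTypeIdentifier binds it in ASP.NET.
Function names are hypothetical."""
import hashlib
import hmac
import secrets
from typing import Tuple

# Hypothetical server-side key; read it from protected configuration in a
# real deployment so tokens survive restarts and are shared across nodes.
SERVER_KEY = secrets.token_bytes(32)


def _derive_form_token(cookie_token: str, unique_claim: str) -> str:
    """Form token = HMAC(key, cookie_token || claim), so it is only valid
    together with that cookie and for that authenticated user."""
    message = f"{cookie_token}\x00{unique_claim}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_tokens(unique_claim: str) -> Tuple[str, str]:
    """Called when rendering a form. Returns (cookie_token, form_token):
    the cookie value is random and the hidden form value is derived from it."""
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _derive_form_token(cookie_token, unique_claim)


def validate_tokens(cookie_token: str, form_token: str, unique_claim: str) -> bool:
    """Called on every HTTP POST. A cross-site request carries the victim's
    cookie automatically but cannot supply a matching form value, so the
    recomputed token will not match. Missing values fail closed and the
    comparison is constant-time."""
    if not cookie_token or not form_token or not unique_claim:
        return False
    expected = _derive_form_token(cookie_token, unique_claim)
    return hmac.compare_digest(expected, form_token)
```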
Access Tokens
• An access token is just an opaque string representing an authorization granted to a client application.
• Access tokens can be Bearer or Holder-of-Key tokens.
• Bearer tokens can be used as-is without requiring proof of ownership.
  • Used by passive, browser-based clients.
  • Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks.
  • Refer to OAuth spec: https://tools.ietf.org/html/rfc6750.
• Holder-of-Key tokens require supporting cryptographic material to prove token ownership.
  • Guarantees end-to-end message key security since the token is signed and encrypted and keys are shared out-of-band.
  • Refer to OAuth spec: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01.
Access Tokens – cont’d
• Format explained:
  access_token: string containing the token issued by the identity provider.
  token_type: the type of token issued.
  expires_in: the lifetime in seconds of the access token.
  scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user.
  state: optional parameter used for security checks. Value sent by the client is the same one returned in the response.
  refresh_token: optional parameter used to request a new access token.
• Example:
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
Refresh Tokens
• An opaque string containing a unique identifier used to retrieve authorization information for a specific client.
• Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires.
• Refresh tokens are long-lived as compared to access tokens, whose lifetime is much shorter.
• Refresh tokens should be able to be revoked in case an access token is compromised.
Refresh Tokens – cont’d
• Example:
{
"token":"VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY",
"userName":"FooBar",
"refreshToken":"03715a432ead4dbc91a371eb26c24931",
"useRefreshTokens":true
}
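The access-token and refresh-token slides together, as an added example that is not code from the deck: a client that parses the token response fields listed above, turns expires_in into an absolute deadline and refreshes when it passes, and an authorization-server store that exchanges and revokes refresh tokens. RefreshTokenStore, TokenClient and the sample response handling are assumptions for the example; the sample JSON is the one shown on the "Access Tokens" slide.

```python
"""Added example, not from the slides: client-side handling of the token
response, refresh on expiry, and the authorization-server side that issues,
exchanges and revokes refresh tokens. All names here are hypothetical."""
import json
import secrets
from typing import Callable, Dict, Optional

# Constructed sample: the token response shown on the "Access Tokens" slide.
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"mF_9.B5f-4.1JqM","token_type":"Bearer",'
    '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}'
)


class TokenResponseError(ValueError):
    """Raised when a token response is missing a field or malformed."""


def parse_token_response(body: str, now: float,
                         expected_state: Optional[str] = None) -> Dict:
    """Checks the fields listed on the slide and turns the relative
    expires_in into an absolute expiry the client can test later."""
    data = json.loads(body)
    for required in ("access_token", "token_type"):
        if not data.get(required):
            raise TokenResponseError(f"missing {required}")
    if data["token_type"].lower() != "bearer":
        raise TokenResponseError(f"unsupported token_type {data['token_type']}")
    expires_in = int(data.get("expires_in", 0))
    if expires_in <= 0:
        raise TokenResponseError("expires_in must be a positive lifetime")
    # state is echoed back unchanged; a mismatch means this response does
    # not belong to the request the client actually made.
    if expected_state is not None and data.get("state") != expected_state:
        raise TokenResponseError("state mismatch")
    return {
        "access_token": data["access_token"],
        "expires_at": now + expires_in,
        "scope": data.get("scope"),
        "refresh_token": data.get("refresh_token"),
    }


class RefreshTokenStore:
    """Authorization-server side. A refresh token is an opaque identifier
    that looks up the grant it belongs to; revoking it cuts the client off
    at the next refresh, even if a compromised access token is still live."""

    def __init__(self, access_lifetime: int = 3600):
        self._grants: Dict[str, Dict] = {}
        self.access_lifetime = access_lifetime

    def issue(self, client_id: str, subject: str) -> str:
        refresh_token = secrets.token_urlsafe(32)
        self._grants[refresh_token] = {
            "client_id": client_id, "subject": subject, "revoked": False}
        return refresh_token

    def revoke(self, refresh_token: str) -> None:
        grant = self._grants.get(refresh_token)
        if grant is not None:
            grant["revoked"] = True

    def exchange(self, refresh_token: str, client_id: str) -> Optional[str]:
        """Returns a new token response body, or None when the refresh token
        is unknown, revoked, or presented by a different client."""
        grant = self._grants.get(refresh_token)
        if grant is None or grant["revoked"] or grant["client_id"] != client_id:
            return None
        return json.dumps({
            "access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "expires_in": self.access_lifetime,
            "refresh_token": refresh_token,
        })


class TokenClient:
    """SPA/mobile side: hands out the current access token and refreshes
    it transparently once expires_at has passed."""

    def __init__(self, token_response: str, now: float,
                 refresh: Callable[[str], Optional[str]]):
        self._tokens = parse_token_response(token_response, now)
        self._refresh = refresh
        self.refresh_count = 0

    def access_token(self, now: float, leeway: int = 30) -> str:
        # Refresh a little before the deadline so an in-flight request is
        # not rejected by the resource server's clock.
        if now >= self._tokens["expires_at"] - leeway:
            refresh_token = self._tokens.get("refresh_token")
            body = self._refresh(refresh_token) if refresh_token else None
            if body is None:
                raise PermissionError("refresh failed; user must re-authenticate")
            self._tokens = parse_token_response(body, now)
            self.refresh_count += 1
        return self._tokens["access_token"]
```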
Token Formats
• SAML – Security Assertion Markup Language.
• JWT – JSON Web Token.
• SWT – Simple Web Token.

                            SAML                      SWT                 JWT
Format                      XML                       HTML Form Encoding  JSON
Designed For                SOAP                      REST                REST
Default WIF Implementation  Yes                       No                  No
Protocols                   WS-Trust & WS-Federation  OAuth 2.0           OAuth 2.0
Support for Signing         Yes                       Yes                 Yes
Support for Encrypting      Yes                       No                  Yes
Standards and Guidelines
• OpenID Connect is the authentication spec built on top of OAuth 2.0. It covers the use and format of the JSON Web Token. Refer to: http://openid.net/specs/openid-connect-core-1_0.html.
• OWASP has good coverage of topics related to security and authentication:
  • https://www.owasp.org/index.php/Authentication_Cheat_Sheet.
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.
• JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
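The JWT format from the table and the spec above, as an added example that is not part of the deck: minting and verifying a compact-serialization JWT signed with HMAC-SHA256, pinning the algorithm and checking exp, nbf, iss and aud. The table lists JWT encryption as well; this example covers signing only, and the key, issuer and audience values are constructed for it.

```python
"""Added example, not from the slides: minting and verifying a JWT in the
compact serialization (header.payload.signature, base64url without padding),
signed with HS256. Key, issuer and audience values are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: Dict, key: bytes) -> str:
    """Issuer side: serialize header and claims, sign the joined segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: int) -> Dict:
    """Resource-server side: returns the claims only if the signature and
    the standard time, issuer and audience claims all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to what this verifier expects: a token claiming
    # "none" or any other algorithm is rejected before any crypto runs.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims
```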
Demo
Resources
• Books:
  • Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c.
  • Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185.
• Blog Posts & Articles:
  • Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/.
  • WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.
Resources – cont’d
• PluralSight Courses:
  • Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture.
  • Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud.
  • AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals.
• Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.
