Knock knock - who's there?


Adam Renberg & Jonas Oscarsson, Valtech
We talk about login and OAuth 2 at a technical level. Do you GET it?

GET /oauth/authorize
?response_type=code
&client_id=se.ettforum
&redirect_uri=...
&scope=profile HTTP/1.1
Host: example.com

Published in: Technology


  1-2. Delegated authentication: Knock knock - who's there?
  3. 3. OAuth 2
  4. 4. Adam Renberg Jonas Oscarsson
  5. 5. Sony Mobile account.sonymobile.com
  6. 6. • Eran Hammer • OAuth 1.0 2007 • OAuth 1.0a 2009 • OAuth 2.0 2012
  7-8. The roles:
     • Resource Owner: user@example.com
     • Client: ettforum.se
     • Authorization Server / Resource Server: example.com
  9. Sequence diagram (Browser / Resource Owner, Client ettforum.se, Authorization Server example.com): GET /write-post → 302 → GET /oauth/authorize
  10-14. The authorization request, built up over five slides:

     GET /oauth/authorize
         ?response_type=code
         &client_id=se.ettforum
         &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
         &scope=profile HTTP/1.1
     Host: example.com
  15-20. What the authorization server stores for the code it issues:

     CODE          HXbKPYnMx7
     USER_ID       user@example.com
     CLIENT_ID     se.ettforum
     SCOPE         profile
     REDIRECT_URI  http://www.ettforum.se/login/callback
  21. Sequence diagram (Browser / Resource Owner, Client ettforum.se, Authorization Server example.com): GET /sign-in → 302 → GET /oauth/authorize → login at example.com → 302 → GET /login/callback
  22. The code comes back to the client on the redirect URI:

     GET /login/callback?code=HXbKPYnMx7 HTTP/1.1
     Host: www.ettforum.se

  23. Sequence diagram (Browser / Resource Owner, Client ettforum.se, Authorization Server example.com): 302 → GET /oauth/authorize → login → 302 → GET /login/callback → POST /oauth/token → GET /write-post
  24-27. The token request, sent server-to-server together with the client secret:

     POST /oauth/token HTTP/1.1
     Host: example.com

     grant_type=authorization_code
     &code=HXbKPYnMx7
     &client_id=se.ettforum
     &client_secret=jybjCBnHCm
     &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
  28-32. The authorization server checks the token request against the record it stored for the code (code, client_id and redirect_uri must all match):

     grant_type=authorization_code                                   CODE          HXbKPYnMx7
     &code=HXbKPYnMx7                                                USER_ID       user@example.com
     &client_id=se.ettforum                                          CLIENT_ID     se.ettforum
     &client_secret=jybjCBnHCm                                       SCOPE         profile
     &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback   REDIRECT_URI  http://www.ettforum.se/login/callback
  33-36. The token response:

     HTTP/1.1 200 OK
     Content-Type: application/json

     {
       "access_token": "ZEcRiGOSP4",
       "token_type": "Bearer",
       "expires_in": 3600,
       "refresh_token": "N2LUsdxD5h"
     }
  37. Sequence diagram (Browser / Resource Owner, Client ettforum.se, Server example.com): 302 → GET /oauth/authorize → login → 302 → GET /login/callback → POST /oauth/token → GET /user → GET /write-post
  38-39. Using the access token as a bearer token against the resource server:

     GET /user HTTP/1.1
     Host: example.com
     Authorization: Bearer ZEcRiGOSP4

  40. The resource server's answer:

     HTTP/1.1 200 OK
     Content-Type: application/json

     {
       "email": "user@example.com",
       "name": "Example User",
       "profile_image": "http://example.com/img/12134.jpg"
     }
  41. Full sequence diagram (Browser / Resource Owner, Client ettforum.se, Server example.com): GET /write-post → 302 → GET /oauth/authorize → login → 302 → GET /login/callback → POST /oauth/token → GET /user → 302 → GET /write-post → 200
  42. 42. Mission Accomplished
  43-46. The full sequence from slide 41 repeated; slide 46 shows the same sequence without the login step.
  47. How do we do it?
  48. Valtech's setup: a number of applications (Heroku apps, an Azure app, ...) authenticate with OAuth 2 against a Valtech IDP, which in turn talks LDAP to Valtech's AD.
  49. What a client has to do:
     • Redirect to /oauth/authorize
     • Receive a code
     • Exchange the code for an access_token
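  The three steps above, together with the checks on slides 28-32 and the bearer call on slides 38-40, as an added example that is not part of the talk and not Valtech's code. It is a self-contained Python simulation: the client ettforum.se and the server example.com are in-process objects instead of HTTP endpoints, and the client id, secret, URLs and user record are the slides' sample values. The state parameter, the code lifetime, the single-use code, the exact-match check of redirect_uri and the error codes are not on the slides; they follow RFC 6749 and RFC 6750 and are added here because leaving any of them out is how deployments of this flow usually go wrong.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 600     # seconds; RFC 6749 recommends a code lifetime of at most 10 minutes
TOKEN_TTL = 3600   # matches expires_in on slide 33
CLIENTS = {"se.ettforum": {"secret": "jybjCBnHCm",   # constructed data, slides' sample values
                           "redirect_uris": {"http://www.ettforum.se/login/callback"}}}
USERS = {"user@example.com": {"email": "user@example.com", "name": "Example User",
                              "profile_image": "http://example.com/img/12134.jpg"}}


def query_of(url):  # query string of a URL as a flat dict (first value per key)
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """example.com: /oauth/authorize, /oauth/token and the protected /user resource."""

    def __init__(self):
        self.codes = {}    # code -> the record on slide 15, plus an expiry
        self.tokens = {}   # access_token -> {user_id, scope, expires_at}

    def authorize(self, query, user_id):
        """GET /oauth/authorize after the user has logged in; returns the 302 Location."""
        client = CLIENTS.get(query.get("client_id"))
        if client is None or query.get("response_type") != "code":
            raise ValueError("invalid_request")
        if query.get("redirect_uri") not in client["redirect_uris"]:
            # Exact match against the registered value: redirecting anywhere else leaks the code.
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user_id": user_id, "client_id": query["client_id"],
                            "scope": query.get("scope", ""), "redirect_uri": query["redirect_uri"],
                            "expires_at": time.time() + CODE_TTL}
        params = {"code": code}
        if "state" in query:   # echoed back unchanged so the client can tie the reply to its request
            params["state"] = query["state"]
        return query["redirect_uri"] + "?" + urlencode(params)

    def token(self, form):
        """POST /oauth/token: check the request against the stored code record (slides 28-32)."""
        client = CLIENTS.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        record = self.codes.pop(form.get("code"), None)   # pop: a code is single-use
        if (record is None or record["expires_at"] < time.time() or record["client_id"] != form["client_id"]
                or record["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"user_id": record["user_id"], "scope": record["scope"],
                                     "expires_at": time.time() + TOKEN_TTL}
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL, "refresh_token": secrets.token_urlsafe(24)}

    def user(self, headers):
        """GET /user with Authorization: Bearer <token> (slides 38-40)."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        grant = self.tokens.get(token) if scheme == "Bearer" else None
        if grant is None or grant["expires_at"] < time.time():
            return 401, {"error": "invalid_token"}
        if "profile" not in grant["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, USERS[grant["user_id"]]


class Client:
    # ettforum.se: redirect to /oauth/authorize, receive the code, exchange it for a token.
    AUTHORIZE = "http://example.com/oauth/authorize"
    REDIRECT_URI = "http://www.ettforum.se/login/callback"

    def __init__(self, server):
        self.server = server     # stands in for HTTPS calls to example.com
        self.pending = set()     # outstanding state values (per session in a real app)

    def sign_in(self):
        """GET /sign-in: the 302 Location of slide 10, plus a state parameter."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return self.AUTHORIZE + "?" + urlencode({"response_type": "code", "client_id": "se.ettforum",
                                                 "redirect_uri": self.REDIRECT_URI, "scope": "profile",
                                                 "state": state})

    def callback(self, url):
        """GET /login/callback?code=...&state=... (slide 22); returns the token endpoint's reply."""
        q = query_of(url)
        if q.get("state") not in self.pending:
            return 400, {"error": "state mismatch"}   # CSRF, or a code injected from another session
        self.pending.discard(q["state"])
        return self.server.token({"grant_type": "authorization_code", "code": q.get("code"),
                                  "client_id": "se.ettforum", "client_secret": "jybjCBnHCm",
                                  "redirect_uri": self.REDIRECT_URI})


def run_flow():
    """The happy path of slide 41; returns the /user document the client ends up with."""
    server = AuthorizationServer()
    client = Client(server)
    location = server.authorize(query_of(client.sign_in()), "user@example.com")  # user logs in at example.com
    status, body = client.callback(location)                                     # browser lands on /login/callback
    assert status == 200, body
    return server.user({"Authorization": "Bearer " + body["access_token"]})[1]
```

  `run_flow()` returns the slide 40 document. Replaying the same callback URL a second time is refused with `invalid_grant`, because `token()` pops the code on first use; a callback carrying a state value the client never issued is refused before the token endpoint is even contacted; and `authorize()` refuses a redirect_uri that is not registered for the client, which is the check that keeps the code from being sent to an attacker's host.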
  50. Client code from one of the Valtech apps, built on DotNetOpenAuth (ValtechIdpClient is a DotNetOpenAuth client configured for the Valtech IDP; its definition is not on the slides):

     [AllowAnonymous]
     public class LoginController : Controller
     {
         private readonly ValtechIdpClient client;

         public LoginController()
         {
             client = new ValtechIdpClient()
             {
                 ClientIdentifier = Config.GetOAuthClientId(),
                 // The client secret is only ever sent with the token request (slide 24), never to the browser.
                 ClientCredentialApplicator = DotNetOpenAuth.OAuth2.ClientCredentialApplicator.NetworkCredential(
                     Config.GetOAuthClientSecret())
             };
         }

         // Step 1: redirect to /oauth/authorize.
         public ActionResult Index()
         {
             if (Request.IsAuthenticated)
                 return RedirectToAction("Index", "Consultants");
             // RequestUserAuthorization writes the 302 to the response itself, so there is nothing to return.
             client.RequestUserAuthorization(new string[] { "none" }, new Uri(Config.GetOAuthClientRedirectUri()));
             return null;
         }

         // Steps 2 and 3: receive the code on the redirect URI and exchange it for an access_token.
         public ActionResult Callback()
         {
             DotNetOpenAuth.OAuth2.IAuthorizationState auth = client.ProcessUserAuthorization();
             // The access token itself becomes the forms-auth identity, so the auth cookie is as sensitive as the token.
             FormsAuthentication.SetAuthCookie(auth.AccessToken, false);
             return RedirectToAction("Index", "Consultants");
         }
     }
  51-52. References:
     • RFC 6749 (OAuth 2.0)
     • RFC 6750 (Bearer Tokens)
     • RFC 6819 (Threat Model)
     Contact: adam.renberg@valtech.se, jonas.oscarsson@valtech.se
