Introduction to using OpenID for securing applications
Bálint Hegyi, BE-CSS-SET, 30/04/2021

Outline of this talk
Motivation
What is OpenID Connect?
● Quick introduction to AuthN/AuthZ
● Basic principles
● Tokens
How to use OpenID Connect?
● Web-based authentication
● CLI-based authentication
Introduction to using OpenID 2

Motivation
The whole industry is moving to centralized SSO platforms
● Instead of implementing log-in in every service, a central service takes care of it
CERN IT would like to consolidate their authentication platform
● OpenID is at the centre of this consolidation
Explore the possibilities
● The sooner we establish the knowledge on how to handle OpenID based SSO logins, the better
● Learn something which can be transferred to internal solutions
● It is not too late to provide feedback
What is OpenID Connect?
Authentication and authorization basics

Authentication (AuthN)              Authorization (AuthZ)
Who are you?                        What can you do?
OpenID, Kerberos                    OAuth, Role-Based Access Control (RBAC)
            OpenID Connect (OIDC) covers both columns
What is OpenID Connect (OIDC)?
Successor of the original OpenID specification, built as an identity (authentication) layer on top of the OAuth 2.0 authorization framework
● This is where the authorization parts come from: the same login also yields tokens a service can use to decide what you may do
Nowadays widely used for AuthN/AuthZ, and lots of implementations exist
● Keycloak, Auth0, Okta, and many others [0]
Keycloak was selected as the next system used by CERN [1]
● Aim: one system to provide all authentication tasks for the WLCG
[0] https://openid.net/certification/
[1] https://malt.web.cern.ch/malt/project/blog/paper/CERN-Authentication-White-Paper
Principles of OpenID Connect
1) Have only one place where you trust entering your password
   E.g. the well-known CERN SSO login page
2) Provides services with tokens about you
   Contains all the information about you needed to authenticate and authorize you
3) Provides a way to manage all of this
   Using either a web interface [0], or APIs [1]
[0] https://application-portal.web.cern.ch/
[1] https://auth.docs.cern.ch/authzsvc/overview/
OIDC and JWT tokens
JSON Web Tokens (JWT) are the format in which the information is transferred [0]: three base64url-encoded parts (header, claims, signature), signed by the SSO
● A service must verify the signature against the issuer's published public keys [1] and check the issuer, audience and expiry claims before trusting anything inside the token
Tokens come in different shapes and sizes
● ID token: contains the claims about who you are (subject, name, e-mail, ...); this is the result of the authentication
● Access token: short living token, containing all service-oriented information about you (e.g. roles). You give this to services to access resources; it is a bearer token, so whoever holds it can use it
● Refresh token: long living token. Treat it as opaque; by presenting it to the SSO's token endpoint you can get a new access token without logging in again
[0] https://jwt.io/introduction
[1] https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs
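The checks a service has to run before it trusts a token, as an added example that is not part of the original slides or of CERN's code. It uses HS256 with a constructed shared secret so that it runs offline with the Python standard library; a real Keycloak verifier does the same steps but checks an RS256 signature against the key selected by the token's `kid` from the JWKS endpoint. The issuer URL, audience (client id), secret and claims are all made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo material, not real CERN credentials or tokens.
# A real verifier uses the issuer's RS256 public keys from the JWKS endpoint
# (.../protocol/openid-connect/certs); HS256 with a shared secret is used here
# only so that the example runs offline with the standard library.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.org/auth/realms/demo"   # assumed issuer URL
AUDIENCE = "my-service"                                 # assumed client id of our service


class TokenError(Exception):
    """Raised for any reason the token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Stand-in for the identity provider: header.payload.signature, base64url encoded."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only after the signature and the standard claims check out.
    Nothing in the payload is trusted before the signature has been verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side: the token must not choose it
    # (rejects "alg": "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued for this service")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def check(token: str, key: bytes = SECRET, issuer: str = ISSUER,
          audience: str = AUDIENCE, now: Optional[float] = None) -> str:
    """'ok' or the reason the token was rejected; handy for logging."""
    try:
        verify_token(token, key, issuer, audience, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": 1000, "exp": 1300,
              "resource_access": {AUDIENCE: {"roles": ["reader"]}}}
    token = mint_token(claims)
    print(check(token, now=1100))
    print(check(token, now=1400))
    header, _, sig = token.split(".")
    forged = f"{header}.{b64url_encode(json.dumps(dict(claims, sub='bob')).encode())}.{sig}"
    print(check(forged, now=1100))
    print(check(mint_token(claims, alg="none"), now=1100))
```

The order of the checks is the point: the algorithm is pinned by the verifier, the signature is checked with a constant-time compare, and only then are issuer, audience and validity window read from the claims. Roles in `resource_access` are read only after all of that has passed.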
Use cases
OIDC – Browser-based integration 1/2
Main use-case of OIDC
● Wide support for easy integration, e.g. Spring’s own openid-client library
● OIDC soon supported by Accsoft Common Web Framework
● Only tricky point: role mapping [1]
  ● CERN SSO role mapping needs some custom code
  ● Spring provides the framework for mapping roles easily
OIDC – Browser-based integration 2/2
Server applications are technically “clients” to the authentication system: the browser is redirected to the SSO, and the application receives the tokens.
OIDC – CLI-based integration 1/3
Challenge: how to authenticate without a browser
Remember: SSO systems really want you to log in through their secure page (principle 1: only one place gets your password)
So what can we do?
● We need to detach the login (done in a browser) from getting the tokens (done by the CLI)
● Authorization Code Flow to the rescue! [0]
[0] https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
OIDC – CLI-based integration 2/3
Flow: CLI Login → SSO Login (in a browser) → Get auth code → Continue CLI Login
Example CLI session:
…
Login link: https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth?...
Code: b03f57e6-8e47-4edb-9149-874784ff730a…
Authentication completed…
…
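The three steps of the Authorization Code Flow as a CLI would run them, for both the browser-based and the CLI-based slides above. This is an added example, not code from the original slides or from CERN's CLI; the realm, client id and redirect URI are placeholders that only follow the Keycloak URL pattern shown in the slides. The slides only show copying a code back; the `state` parameter and PKCE (RFC 7636) are added here because they are what makes the pasted code safe for a public client that holds no client secret.

```python
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: the URL shape is the Keycloak one from the slides, but the
# realm, client id and redirect URI are made up for this example.
REALM = "https://auth.example.org/auth/realms/demo"
AUTH_ENDPOINT = REALM + "/protocol/openid-connect/auth"
TOKEN_ENDPOINT = REALM + "/protocol/openid-connect/token"
CLIENT_ID = "my-cli"                        # a public client: no client secret on the laptop
REDIRECT_URI = "http://localhost:8080/cb"   # where the SSO sends the code; the user pastes it back


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: challenge = base64url(sha256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_login() -> dict:
    """Step 1, CLI side: build the link to print for the user. `state` ties the pasted-back
    code to this attempt; the PKCE verifier ties the code to this process, so a code that
    leaks from the browser or a terminal scrollback is useless to anyone else."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)   # 64 url-safe chars, within RFC 7636's 43..128
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"url": AUTH_ENDPOINT + "?" + urlencode(params), "state": state, "verifier": verifier}


def parse_callback(pasted: str, expected_state: str) -> str:
    """Step 2: the user logged in on the SSO page and pasted the redirect URL back.
    Accept the code only if the state matches the login we started."""
    query = parse_qs(urlparse(pasted).query)
    if "error" in query:
        raise ValueError("SSO reported: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback does not belong to our login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def token_request(code: str, verifier: str) -> dict:
    """Step 3: form body of the POST to the token endpoint. The SSO recomputes
    sha256(verifier) and compares it with the challenge it stored in step 1."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def exchange_code(code: str, verifier: str) -> dict:
    """Network step (not exercised offline): returns the token endpoint's JSON
    (access_token, refresh_token, id_token, expires_in, ...)."""
    body = urlencode(token_request(code, verifier)).encode("ascii")
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    login = new_login()
    print("Login link:", login["url"])
    pasted = input("Paste the URL you were redirected to: ")
    code = parse_callback(pasted, login["state"])
    tokens = exchange_code(code, login["verifier"])
    print("Authentication completed; access token expires in", tokens.get("expires_in"), "s")
```

The code the user pastes back is single-use and short-lived, but on its own it is enough for anyone who intercepts it to obtain the tokens. Binding it to the process with PKCE closes that gap, and the `state` check stops a different login's callback from being accepted. A browser application does exactly the same exchange; the only difference is that the redirect lands on the server instead of being pasted.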
OIDC – CLI-based integration 3/3
So I need to copy a link every time? No way…
We can request a so-called “offline token”
● Very long living refresh token (lives for weeks instead of a day)
● If this token is stored, we can request a new access token every time.
● It is a bearer credential like a password: keep the file readable only by its owner, and revoke it if it leaks
Can be done – with a library, a common solution can be provided
● User only needs to log in again if they are inactive for a long time.
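What such a shared library would do with the stored offline token, as an added example that is not code from the original slides or from any CERN library. It keeps the offline token in an owner-only file, hands out the cached access token while it is still valid, and refreshes it shortly before expiry. The token endpoint URL and client id are placeholders, and the refresh call is injected so that the cache logic runs without a network; `refresh_over_http` shows the real call.

```python
import base64
import json
import os
import time
from typing import Callable, Optional
from urllib.parse import urlencode

# Assumed placeholders; the refresh call is injected so that the cache can be
# exercised without talking to a real Keycloak.
TOKEN_ENDPOINT = "https://auth.example.org/auth/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "my-cli"


def refresh_request(offline_token: str) -> dict:
    """Form body of the refresh call; with an offline token the user does not log in again."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID, "refresh_token": offline_token}


def jwt_exp(token: str) -> int:
    """Read exp from the access token without verifying it. Fine for our own scheduling:
    the service that receives the token is the one that must verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def unsigned_jwt(claims: dict) -> str:
    """Constructed stand-in for a token minted by the SSO (no real signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


class TokenCache:
    """Keeps the offline token on disk (owner-only) and hands out a valid access token,
    refreshing only when the current one is about to expire."""

    def __init__(self, path: str, refresh: Callable[[str], dict], leeway: int = 30):
        self.path = path
        self.refresh = refresh           # callable: offline_token -> token endpoint JSON
        self.leeway = leeway             # refresh this many seconds before exp
        self.access_token: Optional[str] = None
        self.offline_token: Optional[str] = None
        self.refreshes = 0
        self._load()

    def _load(self) -> None:
        try:
            with open(self.path) as fh:
                data = json.load(fh)
        except FileNotFoundError:
            return
        self.access_token = data.get("access_token")
        self.offline_token = data.get("refresh_token")

    def store(self, tokens: dict) -> None:
        """Persist tokens. The SSO may hand back a new refresh token, so always keep the latest."""
        self.access_token = tokens["access_token"]
        self.offline_token = tokens["refresh_token"]
        # The offline token is a long-lived bearer credential: create the file with mode
        # 0600 from the start (no window in which it is world-readable) and replace atomically.
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"access_token": self.access_token, "refresh_token": self.offline_token}, fh)
        os.replace(tmp, self.path)

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.access_token is None or jwt_exp(self.access_token) - self.leeway <= now:
            if self.offline_token is None:
                raise RuntimeError("no offline token stored: interactive login required")
            self.refreshes += 1
            self.store(self.refresh(self.offline_token))
        return self.access_token


def refresh_over_http(offline_token: str) -> dict:
    """Real refresh call (needs network); plug it into TokenCache in production."""
    import urllib.request
    body = urlencode(refresh_request(offline_token)).encode("ascii")
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())
```

The offline token is obtained once, by requesting the `offline_access` scope during the interactive login; after that `TokenCache(path, refresh_over_http).get_access_token()` is all a CLI needs to call. If the refresh fails because the token was revoked or expired from inactivity, the cache raises and the CLI falls back to the interactive flow.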
Conclusion
● OpenID and OIDC are widely used standards
● Lots of external products support it out of the box
● Keycloak’s management interface is easy to handle
● Especially for browser applications, OIDC provides an easy to use solution
● There are challenges if you are not in the browser – but solutions to this can be shared
● CERN Keycloak runs on IT-SLA, and not TN-SLA
● If your application is critical, then RBAC can be a better solution
Verdict: OIDC proved to be a standard, flexible, yet relatively easy solution to handle our authentication/authorization needs.
Thank you for your time
Questions?
home.cern