Introduction to using OpenID for securing applications

Bálint Hegyi, BE-CSS-SET, 30/04/2021

Outline of this talk

Motivation

What is OpenID Connect?

● Quick introduction to AuthN/AuthZ

● Basic principles

● Tokens

How to use OpenID Connect?

● Web-based authentication

● CLI-based authentication

Motivation

The whole industry is moving to centralized SSO platforms

● Instead of implementing log-in in every service, a central service takes care of it

CERN IT would like to consolidate their authentication platform

● OpenID is at the center of this consolidation

Explore the possibilities

● The sooner we establish the knowledge of how to handle OpenID-based SSO logins, the better

● Learn something that can be transferred to internal solutions

● We are not too late to provide feedback

What is OpenID Connect?

Authentication and basics

Authentication (AuthN)      Authorization (AuthZ)
Who are you?                What can you do?
OpenID                      OAuth
                            Role-Based Access Control (RBAC)

OpenID Connect (OIDC): covers both sides

What is OpenID Connect (OIDC)?

Expansion of the OpenID specification

● Mainly with authorization parts

Nowadays widely used for AuthN/AuthZ; lots of implementations exist

● Keycloak, Auth0, Okta, and many others [0]

Keycloak was selected as the next system used by CERN [1]

● Aim: one system to provide all authentication tasks for the WLCG

[0] - https://openid.net/certification/
[1] - https://malt.web.cern.ch/malt/project/blog/paper/CERN-Authentication-White-Paper

Principles of OpenID Connect

1) Have only one place where you trust entering your password, e.g. the well-known CERN SSO login page

2) Provides services with tokens about you, containing all the information needed to authenticate and authorize you

3) Provides a way to manage all of this, using either a web interface [0] or APIs [1]

[0] - https://application-portal.web.cern.ch/
[1] - https://auth.docs.cern.ch/authzsvc/overview/

OIDC and JWT tokens

JSON Web Tokens (JWT) are the format used to transfer this information [0]

Tokens come in different shapes and sizes

● Access token: short-lived token containing all service-oriented information about you. You hand this to services to access resources.

● Refresh token: long-lived token containing information about who you are. With it you can obtain a new access token.

[0] - https://jwt.io/introduction
[1] - https://auth.cern.ch/auth/realms/cern/protocol/-connect/certs
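The slide names the two token types but not what a receiving service has to check before it trusts one. The following is an added example, not code from the talk, from CERN or from Keycloak: it mints a constructed short-lived access token and a longer-lived refresh token, then verifies the access token the way a resource server would (pinned algorithm, signature, issuer, audience, expiry) and reads the roles used for authorization. It assumes an HS256 shared secret so that it runs offline; a Keycloak realm signs with an asymmetric key published at its certs endpoint, so in practice that public key (and RS256) takes the place of DEMO_SECRET. The issuer, audience, subject and role values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo. A real Keycloak realm signs with an asymmetric key
# published at .../protocol/openid-connect/certs; that public key takes the place of
# this shared secret, and "alg" is pinned to RS256 instead of HS256.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
ISSUER = "https://sso.example.invalid/auth/realms/demo"
SERVICE_AUDIENCE = "my-service"
NOW = 1_700_000_000


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Produce a signed HS256 JWT (header.payload.signature) as sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, audience: str, issuer: str = ISSUER,
                 secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check what a resource server must check before trusting a bearer token.

    Returns the claims; raises ValueError on any failure so no caller can read an
    unverified payload by accident.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def sample_tokens(now: int = NOW) -> dict:
    """Constructed pair: the access token lives minutes, the refresh token a day."""
    access = mint_token({"iss": ISSUER, "aud": [SERVICE_AUDIENCE], "sub": "jdoe",
                         "typ": "Bearer", "iat": now, "exp": now + 300,
                         "roles": ["operator"]})
    refresh = mint_token({"iss": ISSUER, "aud": ISSUER, "sub": "jdoe",
                          "typ": "Refresh", "iat": now, "exp": now + 86400})
    return {"access": access, "refresh": refresh}


def service_roles(token: str, now=None) -> list:
    """What a service does per request: verify first, then read the roles it authorizes on."""
    return verify_token(token, SERVICE_AUDIENCE, now=now).get("roles", [])


if __name__ == "__main__":
    toks = sample_tokens()
    print("roles:", service_roles(toks["access"], now=NOW))
    for label, token, when in [("refresh token used as bearer", toks["refresh"], NOW),
                               ("expired access token", toks["access"], NOW + 600)]:
        try:
            service_roles(token, now=when)
        except ValueError as err:
            print(label, "rejected:", err)
```

The order of checks matters: the signature is verified before any claim is read, and the refresh token is rejected at the audience check even though its signature is valid, which is what keeps a long-lived token from being replayed against a service.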

Use cases

OIDC – Browser-based integration 1/2

Main use case of OIDC

● Wide support for easy integration, e.g. Spring’s own openid-client library

● OIDC soon supported by Accsoft Common Web Framework

● Only tricky point: role mapping [1]

● CERN SSO role mapping needs some custom code

● Spring provides the framework for mapping roles easily

OIDC – Browser-based integration 2/2

Server applications are technically “clients” to the authentication system.

OIDC – CLI-based integration 1/3

Challenge: how to authenticate without a browser

Remember: SSO systems really want you to log in through their secure page

So what can we do?

● We need to detach the login from getting the tokens

● Authorization Code Flow to the rescue! [0]

[0] - https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type

OIDC – CLI-based integration 2/3

Flow: CLI Login → SSO Login → Get auth code → Cont. CLI Login

Login link: https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth?...
Code: b03f57e6-8e47-4edb-9149-874784ff730a…

Authentication completed…
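The three steps on the slide (print a login link, let the user complete the SSO login in a browser, paste the code back and exchange it for tokens) are carried out below as an added example; it is not the talk's or CERN's CLI code. It goes slightly beyond the slide in two ways a CLI should not skip: a state value so a pasted redirect URL can be matched to the attempt that produced it, and PKCE (RFC 7636) so the code can only be redeemed by the process that printed the link. The realm URL, client id and localhost redirect URI are constructed assumptions; the CERN endpoints sit under the openid-connect path shown on the slide.

```python
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed realm and client. The CERN realm's endpoints live under
# https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/ (see the slide);
# the client id and the localhost redirect are assumptions for this demo.
REALM = "https://sso.example.invalid/auth/realms/demo/protocol/openid-connect"
AUTHORIZE_URL = REALM + "/auth"
TOKEN_URL = REALM + "/token"
CLIENT_ID = "demo-cli"
REDIRECT_URI = "http://localhost:8089/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login(random_bytes=secrets.token_bytes) -> dict:
    """Step 1 (CLI Login): build the link the CLI prints for the user to open.

    `state` ties the pasted result to this attempt; the PKCE verifier/challenge pair
    (RFC 7636) ties the later token exchange to this process, so a code seen on a
    screen or in a log cannot be redeemed by anybody else.
    """
    verifier = _b64url(random_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = _b64url(random_bytes(16))
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {"login_link": AUTHORIZE_URL + "?" + urlencode(params),
            "state": state, "code_verifier": verifier}


def login_params(login_link: str) -> dict:
    """Query parameters of a login link, one value each (used to inspect step 1)."""
    return {k: v[0] for k, v in parse_qs(urlparse(login_link).query).items()}


def extract_code(pasted: str, expected_state: str) -> str:
    """Step 2 (Get auth code): accept what the user pastes back.

    Either the bare code shown on the slide or the whole redirect URL is accepted;
    a URL carrying a different state or an error response is refused.
    """
    pasted = pasted.strip()
    if "?" not in pasted and "=" not in pasted:
        return pasted
    query = parse_qs(urlparse(pasted).query)
    if "error" in query:
        raise ValueError("login failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this code belongs to another login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in pasted URL")
    return query["code"][0]


def token_request(code: str, code_verifier: str) -> dict:
    """Step 3 (Cont. CLI Login): form fields POSTed to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


def pkce_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server performs in step 3, shown for clarity."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()) == code_challenge


def exchange_code(code: str, code_verifier: str, post=None) -> dict:
    """Step 3 over the network. `post(url, body) -> bytes` is injectable for testing."""
    body = urlencode(token_request(code, code_verifier)).encode("ascii")
    if post is None:
        def post(url, data):
            req = urllib.request.Request(url, data=data, method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    return json.loads(post(TOKEN_URL, body))


if __name__ == "__main__":
    login = start_login()
    print("Login link:", login["login_link"])
    code = extract_code(input("Code: "), login["state"])
    tokens = exchange_code(code, login["code_verifier"])
    print("Authentication completed, token type:", tokens.get("token_type"))
```

The code verifier never leaves the process until the token exchange, and the login link carries only its hash, so the printed link and the pasted code are both safe to show on a shared screen.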

OIDC – CLI-based integration 3/3

So I need to copy a link every time? No way…

We can request a so-called “offline token”

● A very long-lived refresh token (lives for weeks instead of a day)

● If this token is stored, we can request a new access token at any time.

Can be done – with a library, a common solution can be provided

● The user only needs to log in again if they have been inactive for a long time.
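What the "common solution" on this slide has to do on the client side is shown below as an added example; it is not the library the talk refers to, nor CERN or Keycloak code. It stores the offline token on disk readable by the owner only, hands out the cached access token while it is still valid, and otherwise trades the stored offline token for a new access token with the refresh_token grant, keeping any rotated refresh token the server returns. The client id, the token values and the refresh responses are constructed; the refresh call is injectable so the demo runs without an SSO server (a real implementation POSTs the same form to the realm's token endpoint).

```python
import base64
import json
import os
import stat
import tempfile
import time

# Constructed values. Asking for the "offline_access" scope at login is how a client
# requests an offline token from Keycloak instead of an ordinary refresh token.
LOGIN_SCOPE = "openid offline_access"
CLIENT_ID = "demo-cli"
NOW = 1_700_000_000


def _claims(jwt: str) -> dict:
    """Read the claims of our own token without verifying it: the CLI only needs
    `exp`; signature checks belong to the service that receives the token."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def unsigned_demo_jwt(claims: dict) -> str:
    """Constructed unsigned token so the demo runs without an SSO server."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def access_token_expired(access_token: str, now=None, leeway: int = 30) -> bool:
    """Treat a token as expired `leeway` seconds early, so a request that is in
    flight when the token expires does not fail with 401."""
    now = time.time() if now is None else now
    return now + leeway >= _claims(access_token).get("exp", 0)


def refresh_request(refresh_token: str) -> dict:
    """Form fields POSTed to the realm's token endpoint to trade the stored
    offline token for a fresh access token."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}


def save_store(path: str, tokens: dict) -> None:
    """The offline token is a weeks-long credential: write it owner-readable only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)


def load_store(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def get_access_token(path: str, refresh_fn, now=None) -> str:
    """Return a usable access token, refreshing via the stored offline token only
    when the cached one is (about to be) expired.

    refresh_fn(form: dict) -> token response dict; injectable so the demo is offline.
    """
    tokens = load_store(path)
    if not access_token_expired(tokens["access_token"], now):
        return tokens["access_token"]
    resp = refresh_fn(refresh_request(tokens["refresh_token"]))
    tokens["access_token"] = resp["access_token"]
    # The server may hand back a rotated refresh token; always keep the newest one.
    tokens["refresh_token"] = resp.get("refresh_token", tokens["refresh_token"])
    save_store(path, tokens)
    return tokens["access_token"]


def run_demo(now: int = NOW) -> dict:
    """Constructed end-to-end run: an expired cached access token plus a stored
    offline token yields exactly one refresh call, after which the cache is hit."""
    calls = []

    def fake_refresh(form):
        calls.append(form)
        return {"access_token": unsigned_demo_jwt({"sub": "jdoe", "exp": now + 300}),
                "refresh_token": "offline-token-rotated"}

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tokens.json")
        save_store(path, {"access_token": unsigned_demo_jwt({"sub": "jdoe", "exp": now - 10}),
                          "refresh_token": "offline-token-original"})
        mode = stat.S_IMODE(os.stat(path).st_mode)
        first = get_access_token(path, fake_refresh, now)
        second = get_access_token(path, fake_refresh, now)
        return {"refresh_calls": len(calls),
                "grant": calls[0]["grant_type"],
                "sent_refresh_token": calls[0]["refresh_token"],
                "stored_refresh_token": load_store(path)["refresh_token"],
                "cache_hit": first == second,
                "owner_only": mode == 0o600 or os.name != "posix"}


if __name__ == "__main__":
    print(run_demo())
```

The file mode matters more than it looks: with an ordinary refresh token a leaked store is worth a day, with an offline token it is worth weeks of access as that user, so the store deserves the same handling as an SSH private key.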

Conclusion


● OpenID and OIDC are widely used standards

● Lots of external products support them out of the box

● Keycloak’s management interface is easy to handle

● Especially for browser applications, OIDC provides an easy-to-use solution

● There are challenges if you are not in the browser – but solutions to this can be shared

● CERN Keycloak runs on IT-SLA, and not TN-SLA

● If your application is critical, then RBAC can be a better solution

Verdict: OIDC proved to be a standard, flexible, yet relatively easy solution to handle our authentication/authorization needs.

Thank you for your time

Questions?

home.cern