Modern Applications need Modern Security

OpenID Connect & OAuth 2.0

Tuesday, January 29, 2018 12 - 1 PM EST

Peter Carson

• President, Extranet User Manager
• SharePoint MVP
• Partner Seller, Canada
• [email protected]
• http://blog.petercarson.ca
• www.extranetusermanager.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group

http://eum.co

Brock Allen

• http://brockallen.com
• [email protected]
• Twitter @BrockLAllen

In the Beginning…

Web Applications

...then came Federation

Diagram: Web Applications, with SAML, WS-Federation and WS-Trust/Security between them.

Then this happened…

• No SOAP
• No SAML
• No WS*
• No Windows
• No Enterprise

• HTTP
• JSON

Modern Applications

Diagram: a Security Token Service serving a Browser, a Web App, a Native App, a Server App and a "Thing", each of which talks to one or more Web APIs.

Security Protocols (I)

Diagram: the same components as the previous slide; the Browser to Web App link is labelled WS-Fed, SAML 2.0, OpenID Connect. The Native App, Server App, "Thing" and Web API links are not yet labelled.

Security Protocols (II)

Diagram: Security Token Service, Browser, Web App, Native App, Server App, "Thing" and Web APIs. The Browser to Web App link is labelled WS-Fed, SAML 2.0, OpenID Connect; every link to a Web API (from the Web App, the Native App, the Server App, the "Thing" and between Web APIs) is labelled OAuth 2.0.

What's wrong with SAML (& WS-Federation)

Craig Burton (#CIS2012):

“SAML is the Windows XP of Identity.”

“No funding. No innovation. People still use it. But it has no future.

SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.”

What’s wrong with OAuth 2.0

http://openid.net/connect/

Libraries & Implementations

IdentityServer

OpenID Connect in a Nutshell

Diagram: Browser, Web App, Native App and Web API. OpenID Connect is used to authenticate users and to request access tokens for the Web API.

Endpoints

• Authorize Endpoint
• Token Endpoint

Flows

• Implicit/Hybrid/Code Flow
  – interactive applications
  – user
• Client Credentials Flow
  – server to server communication
  – headless devices / IoT

Implicit Flow – Web Applications

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb
    &response_type=id_token
    &response_mode=form_post
    &nonce=j1y…a23
    &scope=openid email

Authentication

Consent

Response

POST /callback

Identity Token

Header
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}

Claims
{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "nonce": "d89ui3jk33",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": [ "password" ],
  "auth_time": 12340819300
}

Encoded form (header.claims.signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
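As an added example (not from the deck and not IdentityServer code), the checks a relying party performs on the identity token it receives at the form_post callback: parse the compact JWT, refuse alg "none" (the encoded sample above is such a token), verify the signature, then match iss, aud and nonce and check exp. HS256 with a constructed shared key stands in for RS256 so the example runs offline; with a real provider the public key comes from the JWKS advertised in the discovery document, selected by the header's kid, and the claim checks are the same. The issuer, audience, nonce and claim values are taken from the slide; the key, kid and helper names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real relying party verifies RS256 with the provider's
# public key from the JWKS referenced by the discovery document.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_KID = "demo-kid"

# Claims copied from the Identity Token slide (sample values, not a real user).
SAMPLE_CLAIMS = {
    "iss": "https://idsrv3",
    "exp": 1340819380,
    "aud": "app1",
    "nonce": "d89ui3jk33",
    "sub": "182jmm199",
    "email": "[email protected]",
    "email_verified": True,
    "amr": ["password"],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Build a compact JWT (header.claims.signature); only used to create test tokens."""
    header = {"typ": "JWT", "alg": alg, "kid": DEMO_KID}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."          # unsigned token, like the RFC 7519 sample
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, expected_iss, expected_aud, expected_nonce,
                      key=DEMO_KEY, now=None):
    """Return the claims if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose it, and never accept "none".
    if header.get("alg") != "HS256":
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    # nonce ties the token to the authorize request this client actually sent
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def rejection_reason(*args, **kwargs):
    """None when the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so a forged payload never influences the decision, and the nonce check is what stops a token minted for some other request from being replayed into this session.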

Discovery

Accessing APIs

Diagram: API calls made with either a client identity or a user identity.

Calling an API using Client Identity

POST /token
    grant_type=client_credentials
    &scope=api1
    &client_id=client
    &client_secret=secret

The returned access token is then sent to the API in the request header:

Authorization: Bearer

Web Applications

• OpenID Connect Hybrid Flow combines
  – user authentication (identity token)
  – access to APIs (access token)
• Additional Security Features
  – access tokens not exposed to the browser
  – (optional) long-lived API access

Hybrid Flow Request

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb
    &response_type=code id_token
    &response_mode=form_post
    &nonce=j1y…a23
    &scope=openid email api1 api2

Hybrid Flow Response

POST /cb

Retrieving the Access Token

• Exchange code for access token
  – using client id and secret

POST /token with the code, authenticated as client_id:client_secret

Response:
{ "access_token": "xyz…123", "expires_in": 3600, "token_type": "Bearer" }
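An added example (not the deck's or IdentityServer's code) of the client side of both token-endpoint exchanges shown so far: the client-credentials request from the Calling an API using Client Identity slide and the confidential-client code exchange above. It builds the HTTP Basic Authorization header for client_id:client_secret the way RFC 6749 section 2.3.1 requires (form-urlencode each value, then base64), the form bodies, and a small holder that turns the JSON response into the Bearer header and tracks expires_in. The token endpoint URL, the sample values and the function names are assumptions; nothing is sent over the network.

```python
import base64
import time
from urllib.parse import quote, urlencode

# Hypothetical token endpoint; the deck's slides only show the /token path.
TOKEN_ENDPOINT = "https://idsrv3/connect/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication: form-urlencode id and secret first,
    then base64 'id:secret' (RFC 6749 section 2.3.1)."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def _token_request(client_id: str, client_secret: str, form: dict) -> dict:
    # The secret travels in the Authorization header, not in the form body,
    # so it never ends up in a URL or a body-logging proxy by accident.
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> dict:
    """Token request for the client-identity case (server app, headless device)."""
    return _token_request(client_id, client_secret,
                          {"grant_type": "client_credentials", "scope": scope})


def code_exchange_request(client_id: str, client_secret: str, code: str,
                          redirect_uri: str) -> dict:
    """Hybrid flow back-channel exchange: the code posted to /cb is swapped for
    tokens; redirect_uri must repeat the value used on the authorize request."""
    return _token_request(client_id, client_secret,
                          {"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri})


class BearerToken:
    """Holds a token endpoint response and knows when it needs renewing."""

    def __init__(self, token_response: dict, issued_at: float = None):
        # Providers differ in casing ("Bearer" vs "bearer"); compare case-insensitively.
        if token_response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access_token = token_response["access_token"]
        issued_at = time.time() if issued_at is None else issued_at
        self.expires_at = issued_at + int(token_response.get("expires_in", 0))

    def is_expired(self, now: float = None, skew: int = 30) -> bool:
        # Treat the token as expired a little early to absorb clock skew.
        now = time.time() if now is None else now
        return now + skew >= self.expires_at

    def authorization_header(self) -> str:
        return f"Bearer {self.access_token}"
```

expires_in is a relative lifetime, so the client has to record when it received the response; renewing a few seconds early avoids a burst of 401s from an API whose clock runs slightly ahead.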

Client-side Applications

• OpenID Connect Code Flow
  – Better suited for public clients
  – Still obtain id token and access token
• Proof Key for Code Exchange (PKCE)
  – Acts as dynamic client secret
  – Protects against common attacks

Requesting tokens from JavaScript

GET /authorize
    ?client_id=app1
    &redirect_uri=https://app.com/cb.html
    &response_type=code
    &nonce=j1y…a23
    &scope=openid email api1 api2
    &code_challenge=x929..1921

Authorize Response

GET /callback?code=238…823j

Token Endpoint Exchange

• Ajax used to exchange code for tokens
  – using client id and code verifier

POST /token with client_id, code, code_verifier

Response:
{ "id_token": "abc…123", "access_token": "xyz…123", "expires_in": 3600, "token_type": "Bearer" }

Native Applications

GET /authorize
    ?client_id=native.app
    &scope=openid email api1 api2 offline_access
    &redirect_uri=com.mycompany://native.app/cb
    &response_type=code
    &code_challenge=x929..1921

Response

GET com.mycompany://native.app/cb
    ?code=8128…1299

Token Endpoint Exchange

POST /token with client_id, code, code_verifier

Response:
{ "id_token": "abc…123", "access_token": "xyz…123", "refresh_token": "dxy…103", "expires_in": 3600, "token_type": "bearer" }
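An added example, not code from the deck or from IdentityServer, covering the PKCE parts of both the JavaScript and the native app flows above: generating code_verifier and code_challenge with the S256 method, building the /authorize request, the public client's token request in which code_verifier takes the place of a client secret, and the authorization server's check at the token endpoint. It adds code_challenge_method=S256 and a state parameter, which the slides omit; the authority URL, function names and sample values are assumptions. The fixed verifier/challenge pair used in the test is the published RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical authority; the slides show only the /authorize and /token paths.
AUTHORITY = "https://idsrv3"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes become 43 unreserved characters, the RFC 7636 minimum length.
    # The verifier stays on the client until the token request.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))); only the hash is sent on /authorize
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        nonce: str, state: str, challenge: str) -> str:
    """Front-channel request from the JavaScript / native app slides, plus
    code_challenge_method and state which the slides leave out."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "nonce": nonce,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request_body(client_id: str, code: str, redirect_uri: str,
                             verifier: str) -> str:
    """Public client: no client_secret; the verifier proves this is the same
    client instance that started the flow."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })


def server_accepts_verifier(stored_challenge: str, stored_method: str,
                            presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge from the presented
    verifier and compare it with the one stored against the code."""
    if stored_method != "S256":          # refuse downgrade to the "plain" method
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

Because only the hash crosses the front channel, a code observed in a redirect (a browser history entry, a rival app registered for the same custom URL scheme) cannot be redeemed without the verifier, which is what lets the code flow do without a stored client secret on public clients.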

Resources

• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel

Upcoming Events

• Valo Teamwork and Extranet User Manager – Feb 21, 2019, 12-1 PM EST – eum.co/events
• Developing Custom Connectors for the Microsoft Power Platform – Feb 28, 2019, 12-1 PM EST – eum.co/events
• May 21-23, 2019, Las Vegas – www.sharepointna.com

Thank you!

Questions?