Modern Applications need Modern Security
OpenID Connect & OAuth 2.0
Tuesday, January 29, 2018 12 - 1 PM EST
Peter Carson
• President, Extranet User Manager
• SharePoint MVP
• Partner Seller, Microsoft Canada
• [email protected]
• http://blog.petercarson.ca
• www.extranetusermanager.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
http://eum.co
Brock Allen
• http://brockallen.com
• [email protected]
• Twitter @BrockLAllen
In the Beginning…
Web Applications
...then came Federation
SAML, WS-Federation, WS-Trust/Security
Web Applications
Then this happened…
• No SOAP
• No SAML
• No WS*
• No Windows
• No Enterprise
HTTP, JSON
Modern Applications
Diagram: Security Token Service; Browser, Web App, Native App, Server App, "Thing"; Web APIs
http://eum.co(#) Security Protocols (I)
* Security Token Service Browser WS-Fed, SAML 2.0, OpenID Connect* Web App Web API
* Native App
Web API Web API Server App "Thing"
Security Protocols (II)
Diagram: as in (I), with OAuth 2.0 securing every call from the Web App, Native App, Server App and "Thing" to the Web APIs
What's wrong with SAML (& WS-Federation)
Craig Burton (#CIS2012):
“SAML is the Windows XP of Identity.”
“No funding. No innovation. People still use it. But it has no future
SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.”
What’s wrong with OAuth 2.0

http://openid.net/connect/

Libraries & Implementations

IdentityServer

OpenID Connect in a Nutshell
Diagram: Browser, Web App, Native App, Web API
• Authenticate Users
• Request Access Tokens for APIs
Endpoints
• Authorize Endpoint
• Token Endpoint

Flows
• Implicit/Hybrid/Code Flow
  – interactive applications
  – user authentication
• Client Credentials Flow
  – server to server communication
  – headless devices / IoT
Implicit Flow – Web Applications
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email
Authentication

Consent

Response
POST /callback
Identity Token
Header
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}
Claims
{
  "iss": "https://idsrv3",
  "exp": 1340819380,
  "aud": "app1",
  "nonce": "d89ui3jk33",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": [ "password" ],
  "auth_time": 12340819300
}
Encoded (Header . Claims . Signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

Discovery
Accessing APIs
Diagram: calling APIs with client identity, or with user identity (two cases shown)

Calling an API using Client Identity
POST /token
  grant_type=client_credentials
  &scope=api1
  &client_id=client
  &client_secret=secret
The API call then carries the returned token:
Authorization: Bearer <access_token>
Web Applications
• OpenID Connect Hybrid Flow combines
  – user authentication (identity token)
  – access to APIs (access token)
• Additional Security Features
  – access tokens not exposed to the browser
  – (optional) long-lived API access
Hybrid Flow Request
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb
  &response_type=code id_token
  &response_mode=form_post
  &nonce=j1y…a23
  &scope=openid email api1 api2

Hybrid Flow Response
POST /cb
Retrieving the Access Token
• Exchange code for access token
  – using client id and secret
Request: code, authenticated with client_id:client_secret
Response:
{
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Client-side Applications
• OpenID Connect Code Flow
  – Better suited for public clients
  – Still obtain id token and access token
• Proof Key for Code Exchange (PKCE)
  – Acts as dynamic client secret
  – Protects against common attacks
Requesting tokens from JavaScript
GET /authorize
  ?client_id=app1
  &redirect_uri=https://app.com/cb.html
  &response_type=code
  &nonce=j1y…a23
  &scope=openid email api1 api2
  &code_challenge=x929..1921

Authorize Response
GET /callback.html?code=238…823j

Token Endpoint Exchange
• Ajax used to exchange code for tokens
  – using client id and code verifier
Request: client_id, code, code_verifier
Response:
{
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Native Applications
GET /authorize
  ?client_id=native.app
  &scope=openid email api1 api2 offline_access
  &redirect_uri=com.mycompany://native.app/cb
  &response_type=code
  &code_challenge=x929..1921

Response
GET com.mycompany://native.app/cb
  ?code=8128…1299

Token Endpoint Exchange
Request: client_id, code, code_verifier
Response:
{
  "id_token": "abc…123",
  "access_token": "xyz…123",
  "refresh_token": "dxy…103",
  "expires_in": 3600,
  "token_type": "bearer"
}
Resources
• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel
Upcoming Events
• Valo Teamwork and Extranet User Manager – Feb 21, 2019, 12-1 PM EST – eum.co/events
• Developing Custom Connectors for the Microsoft Power Platform – Feb 28, 2019, 12-1 PM EST – eum.co/events
• May 21-23, 2019, Las Vegas – www.sharepointna.com
Thank you!
Questions?