
Modern Applications need Modern Security: OpenID Connect & OAuth 2.0
Tuesday, January 29, 2018, 12 - 1 PM EST

Peter Carson
• President, Extranet User Manager
• SharePoint MVP
• Partner Seller, Microsoft Canada
• [email protected]
• http://blog.petercarson.ca
• www.extranetusermanager.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
http://eum.co

Brock Allen
• http://brockallen.com
• [email protected]
• Twitter @BrockLAllen

In the Beginning…
Web Applications

...then came Federation
SAML, WS-Federation, WS-Trust/Security
Web Applications

Then this happened…
No SOAP, No SAML, No WS*, No Windows, No Enterprise
HTTP, JSON

Modern Applications
Diagram: a Security Token Service at the centre; Browser, Web App, Native App, Server App and "Thing" as clients; Web APIs as the resources they call.

Security Protocols (I)
Diagram: the Browser ↔ Security Token Service leg carries WS-Fed, SAML 2.0, OpenID Connect*; the Web App and Native App entries are marked * as well.

Security Protocols (II)
Same diagram, plus OAuth 2.0 on every leg to a Web API: Web App, Native App, Server App and "Thing" each call their Web APIs with OAuth 2.0.

What's wrong with SAML (& WS-Federation)
Craig Burton (#CIS2012): "SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it has no future. SAML is dead != SAML is bad. SAML is dead != SAML isn't useful. SAML is dead means SAML != the future."

What's wrong with OAuth 2.0

http://openid.net/connect/

Libraries & Implementations

IdentityServer

OpenID Connect in a Nutshell
• Browser / Web App: Authenticate Users
• Native App / Web API: Request Access Tokens for APIs

Endpoints
• Authorize Endpoint
• Token Endpoint

Flows
• Implicit/Hybrid/Code Flow
  – interactive applications
  – user authentication
• Client Credentials Flow
  – server to server communication
  – headless devices / IoT

Implicit Flow – Web Applications
    GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb
        &response_type=id_token
        &response_mode=form_post
        &nonce=j1y…a23
        &scope=openid email

Authentication

Consent

Response
    POST /callback
    <form>
      <input type="hidden" name="id_token" value="xjsj…aas" />
    </form>

Identity Token
Header
    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "mj399j…"
    }
Claims
    {
      "iss": "https://idsrv3",
      "exp": 1340819380,
      "aud": "app1",
      "nonce": "d89ui3jk33",
      "sub": "182jmm199",
      "email": "[email protected]",
      "email_verified": true,
      "amr": [ "password" ],
      "auth_time": 12340819300
    }
Encoded token (Header.Claims.Signature):
    eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

Discovery

Accessing APIs
Diagram labels: client identity / user identity / user identity

Calling an API using Client Identity
    POST /token
    grant_type=client_credentials
    scope=api1
    client_id=client
    client_secret=secret
Response: <token>
API call:
    Authorization: Bearer <token>

Web Applications
• OpenID Connect Hybrid Flow combines
  – user authentication (identity token)
  – access to APIs (access token)
• Additional Security Features
  – access tokens not exposed to the browser
  – (optional) long-lived API access

Hybrid Flow Request
    GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb
        &response_type=code id_token
        &response_mode=form_post
        &nonce=j1y…a23
        &scope=openid email api1 api2

Hybrid Flow Response
    POST /cb
    <form>
      <input type="hidden" name="id_token" value="xjsj…aas" />
      <input type="hidden" name="code" value="i8j1…jj19" />
    </form>

Retrieving the Access Token
• Exchange code for access token
  – using client id and secret
    code (client_id:client_secret)
    {
      access_token: "xyz…123",
      expires_in: 3600,
      token_type: "Bearer"
    }

Client-side Applications
• OpenID Connect Code Flow
  – Better suited for public clients
  – Still obtain id token and access token
• Proof key for code exchange (PKCE)
  – Acts as dynamic client secret
  – Protects against common attacks

Requesting tokens from JavaScript
    GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb.html
        &response_type=code
        &nonce=j1y…a23
        &scope=openid email api1 api2
        &code_challenge=x929..1921

Authorize Response
    GET /callback.html?code=238…823j

Token Endpoint Exchange
• Ajax used to exchange code for tokens
  – using client id and code verifier
    client_id, code, code verifier
    {
      id_token: "abc…123",
      access_token: "xyz…123",
      expires_in: 3600,
      token_type: "Bearer"
    }

Native Applications
    GET /authorize
        ?client_id=native.app
        &scope=openid email api1 api2 offline_access
        &redirect_uri=com.mycompany://native.app/cb
        &response_type=code
        &code_challenge=x929..1921

Response
    GET com.mycompany://native.app/cb
        ?code=8128…1299

Token Endpoint Exchange
    client_id, code, code verifier
    {
      id_token: "abc…123",
      access_token: "xyz…123",
      refresh_token: "dxy…103",
      expires_in: 3600,
      token_type: bearer
    }

Resources
• http://openid.net/connect/
• http://openid.net/developers/libraries/
• http://oauth.net/articles/authentication/
• https://github.com/identityserver
• https://github.com/identitymodel

Upcoming Events
• Valo Teamwork and Extranet User Manager – Feb 21, 2019, 12-1 PM EST – eum.co/events
• Developing Custom Connectors for the Microsoft Power Platform – Feb 28, 2019, 12-1PM EST – eum.co/events
• May 21-23, 2019, Las Vegas – www.sharepointna.com

Thank you! Questions?
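The checks a relying party must run on the "Identity Token" slide's claims (iss, aud, exp, nonce against the nonce sent in the authorize request) plus rejection of alg=none, worked through in Python as an added example that is not from the deck or from IdentityServer. The verify_signature callback (signature checking against the keys published through discovery is assumed to be done by a JOSE library), the make_token helper and its placeholder signature are assumptions.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # the alg on the slide's header; "none" is never accepted

def b64url_decode(part: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def validate_id_token(token, issuer, client_id, nonce, now, verify_signature):
    """Return the claims if the id_token is acceptable for this relying party.
    verify_signature(signing_input, signature, header) -> bool is assumed to be
    supplied by the caller (a JOSE library using the keys from discovery)."""
    h, p, s = token.split(".")  # anything but three segments raises ValueError
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:  # blocks alg=none and alg swaps
        raise ValueError(f"unacceptable alg: {header.get('alg')!r}")
    if not verify_signature(f"{h}.{p}".encode("ascii"), b64url_decode(s), header):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client_id")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # ties the token to the request we sent
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def id_token_problem(*args):
    """None if validate_id_token accepts the token, else its rejection reason."""
    try:
        validate_id_token(*args)
        return None
    except ValueError as err:
        return str(err)

def make_token(header: dict, claims: dict, signature: bytes = b"sig") -> str:
    # Constructed sample token with a placeholder signature, for the demonstration
    segs = [json.dumps(header).encode(), json.dumps(claims).encode(), signature]
    return ".".join(b64url_encode(seg) for seg in segs)
```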
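The Code Flow with PKCE from the "Client-side Applications", "Requesting tokens from JavaScript" and "Native Applications" slides, worked through in Python as an added example that is not part of the deck or of IdentityServer: the client keeps a random code_verifier and sends only its S256 code_challenge, and the token endpoint refuses to redeem a code unless the presented verifier hashes to the challenge the code was issued against. The authorize_endpoint URL, the TokenEndpoint class and the placeholder token values are assumptions; the slides show code_challenge only, and the code_challenge_method=S256 parameter added here is the one RFC 7636 defines.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256"
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def authorize_url(client_id, redirect_uri, scope, nonce, code_verifier,
                  authorize_endpoint="https://idsrv3/authorize"):
    """Front-channel request as on the JavaScript/native slides; the verifier
    itself stays on the client, only its S256 challenge is sent."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "nonce": nonce, "scope": scope,
             "code_challenge": code_challenge_s256(code_verifier),
             "code_challenge_method": "S256"}
    return authorize_endpoint + "?" + urlencode(query)

class TokenEndpoint:
    """Authorization-server side (assumed, minimal): each code is bound to the
    client and challenge it was issued for, and is redeemable exactly once."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def issue_code(self, client_id, code_challenge):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def redeem(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # consumed even if the check fails
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), entry[1]):
            return None  # a captured code without the verifier cannot be redeemed
        # constructed placeholder token response in the slides' shape
        return {"access_token": "xyz…123", "token_type": "Bearer", "expires_in": 3600}
```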