AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
1 like386 views
The document provides an overview of OAuth 2.0 and OpenID Connect, detailing their roles, authorization flows, and key features such as access tokens and security best practices. It emphasizes that OAuth 2.0 is not an authentication protocol, contrasts it with OpenID Connect, and outlines various implementation options and best practices for secure deployment. Additionally, it includes references and resources for further understanding and implementation of these frameworks.
![{
"alg": "RS256",
"typ": "JWT",
"kid": "lp_FcMZ8D7U6EEUCiZyWAF21NcwjX_ddwJ5a3eCPMwQ"
}
JSON Web Token (JWT) - Decoded Form
24
{
"exp": 1571745342,
"iat": 1571745042,
"iss": "http://localhost:8080/auth/realms/workshop",
"aud": ["library-service","account"],
"sub": "08d3bcaa-5ffd-4b8d-909e-bb567881384b"
}
HEADER
PAYLOAD](https://image.slidesharecdn.com/allthetalks2020basicsofoauth2openidconnect-200415141428/85/AllTheTalks-Online-2020-Basics-of-OAuth-2-0-and-OpenID-Connect-24-320.jpg)
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
- 1. 1 Basics of OAuth 2.0 and OpenID Connect Andreas Falk / Novatec Consulting
- 2. Our #AppSec Offerings: ▪ OAuth 2.0 & OpenID Connect Trainings and Consulting ▪ Security for Developers Trainings https://www.novatec-gmbh.de/en/consulting/agile-security About Me 2 Andreas Falk Novatec Consulting (Germany) andreas.falk@novatec-gmbh.de @andifalk
- 3. RFC 6749: OAuth 2.0 Authorization Framework RFC 6750: OAuth 2.0 Bearer Token Usage 3 Introduction to OAuth 2.0
- 4. Do you like it implementing your own Authentication? 4 Password Policies MFA Secure Password Storage Different Clients Brute Force Prevention Reset Password Process
- 5. Using Multiple Services before OAuth 2.0 5 Client Resource Owner (i.e. the user) Resource Server 1.Resource owner authenticates to the client 2.Client requests the protected resource Credentials Credentials
- 6. “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf ” RFC 6749: OAuth 2.0 6
- 7. OAuth 2.0 Roles 7 Client Resource Owner Authorization Server Access Token Resource Server
- 8. Basic OAuth 2.0 Protocol Flow 8 Client Resource Owner Authorization Server Access Token Resource Server 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token 4.Client requests the protected resource
- 9. Protocol Flow (1): Resource owner authorizes client 9 Resource Owner Authorization Server 1.Resource owner authorizes the client
- 10. Protocol Flow (2): Client receives authorization grant 10 Client Resource Owner Authorization Server 1.Resource owner authorizes the client 2.Client receives authorization grant Authorization grant: ▪ Credential representing the resource owner's authorization ▪ Exchange for access token
- 11. Protocol Flow (3): Client exchanges grant for access token 11 Client Resource Owner Authorization Server Access Token 1.Resource owner authorizes the client 2.Client receives authorization grant 3.Client exchanges grant for access token HTTP/1.1 200 OK Content-Type: application/json { "access_token": "2YotnFZFEjr1zC", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Q" }
- 12. Protocol Flow: Client requests the protected resource 12 Client Access Token Resource Server 4.Client requests the protected resource GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer 2YotnFZFEjr1zC
- 13. OAuth 2.0 Protocol Endpoints 13 Client Resource Owner Resource Server Authorization ServerToken Endpoint Authorization Endpoint Token Introspection Endpoint Resource Owner Client Authorization Retrieve Authorization Grant Exchange Authorization Grant into Access Token Validate Access Token
- 15. 2007 OAuth 1.0 Protocol 2010 RFC 5849: The OAuth 1.0a Protocol 2012 RFC 6749: The OAuth 2.0 Authorization Framework 2013 RFC 6819: OAuth 2.0 Threat Model 2015 RFC 7519: JSON Web Token (JWT) 2015 RFC 7636: Proof Key for Code Exchange (PKCE) 2019-2020 OAuth 2.0 Security Best Current Practice OAuth History 15 2020,... OAuth 2.1 TxAuth
- 16. ▪ Authorization Code grant is extended with PKCE ▪ Implicit grant is omitted from the spec ▪ RO Password Credentials grant is omitted from the spec ▪ Redirect URIs must be compared by exact string matching ▪ Refresh tokens must be sender-constrained or one-time use ▪ Bearer token must not be sent in the query string of URIs The OAuth 2.1 Authorization Framework 16 https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1/
- 17. “OAuth 2.1” Authorization Grant Types 17 Resource Owner Client Type Authorization Grant Refresh Token Web Client (Confidential) Authorization Code + PKCE Mobile Client (Public) Authorization Code + PKCE SPA Client (Public) Authorization Code + PKCE Resource Owner Client (Confidential) Client Credentials https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics https://datatracker.ietf.org/doc/draft-parecki-oauth-v2-1
- 18. ▪ RFC 7636: PKCE = Proof Key for Code Exchange (“pixy”) ▪ Mitigates authorization code interception attack ▪ Public clients cannot keep static secrets (“client_secret”) ▪ PKCE adds dynamic secret instead: − Cryptographically random key: The “Code Verifier” − Hashed code verifier (SHA-256): The “Code Challenge” Authorization Code + PKCE Grant Type 18 https://tools.ietf.org/html/rfc7636
- 19. OpenID Connect Foundation 19 OpenID Connect 1.0
- 20. OAuth 2.0 is NOT an Authentication Protocol! 20 OAuth 2.0 is not an authentication protocol
- 21. OAuth 2.0 vs. OpenID Connect 1.0 21 Hotel Valet Parking Identification Permission / Delegation OpenID Connect 1.0 OAuth 2.0
- 22. OpenID Connect 1.0 Standards Layer 22 JSON Web Algorithms (JWA) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) JSON Web Token (JWT) Javascript Object Signing and Encryption (JOSE) OAuth 2.0 Authorization Framework (RFC 6749) OpenID Connect 1.0
- 23. ▪ Based on OAuth 2.0 ▪ Additions: − ID Token (JWT format is Mandatory) − User Info Endpoint (Mandatory) − Hybrid Grant Flow (Mandatory) − OpenID Provider Configuration Information (Discovery, Optional) https://openid.net/specs/openid-connect-core-1_0.html https://openid.net/specs/openid-connect-registration-1_0.html https://openid.net/specs/openid-connect-discovery-1_0.html OpenID Connect 1.0 (OIDC) 23
- 24. { "alg": "RS256", "typ": "JWT", "kid": "lp_FcMZ8D7U6EEUCiZyWAF21NcwjX_ddwJ5a3eCPMwQ" } JSON Web Token (JWT) - Decoded Form 24 { "exp": 1571745342, "iat": 1571745042, "iss": "http://localhost:8080/auth/realms/workshop", "aud": ["library-service","account"], "sub": "08d3bcaa-5ffd-4b8d-909e-bb567881384b" } HEADER PAYLOAD
- 25. OpenID Connect 1.0: Access Token Types 25 JWT Token (Self-contained) Opaque Token (Reference) Offline-Validation (Signature/Expiration) Validation call to introspection-endpoint Contains all required information Additional call to get required information Protocol agnostic Bound to Http Cannot be revoked May be revoked Mandatory for Id Tokens Must not be used for Id Tokens May be used for Access Tokens May be used for Access Tokens
- 26. ▪ Use OpenID Connect for Authentication ▪ Authorization Grant Types − With End User: Use Authorization Code + PKCE − Without End User: Use Client Credentials ▪ Do NOT use Implicit or Resource Owner Password Grants ▪ ID Token must be JWT, Access Token may be JWT ▪ Always validate Tokens and keep Lifetime short OAuth 2.0 and OpenID Connect: Summary 26
- 27. Thank You very much! Questions? 27
- 28. Novatec Consulting GmbH Dieselstraße 18/1 D-70771 Leinfelden-Echterdingen T. +49 711 22040-700 info@novatec-gmbh.de www.novatec-gmbh.de 28 Managing Consultant Andreas Falk Mobil: +49 151 46146778 E-Mail: andreas.falk@novatec-gmbh.de
- 30. ▪ RedHat/JBoss Keycloak (https://www.keycloak.org) ▪ Auth0 (https://auth0.com) ▪ Okta (https://www.okta.com) ▪ ForgeRock (https://www.forgerock.com/platform/identity-management) ▪ CloudFoundry UAA (https://github.com/cloudfoundry/uaa) ▪ PingFederate (https://www.pingidentity.com/en/platform/single-sign-on/sso-overview.html) ▪ Azure Active Directory (https://azure.microsoft.com/en-us/services/active-directory) ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Identity Providers 30
- 31. ▪ oidc-client (Javascript) https://github.com/IdentityModel/oidc-client-js ▪ angular-oauth2-oidc (Typescript) https://github.com/manfredsteyer/angular-oauth2-oidc ▪ angular-auth-oidc-client (Typescript) https://github.com/damienbod/angular-auth-oidc-client ▪ IdentityModel.OidcClient (C#/.Net) https://github.com/IdentityModel/IdentityModel.OidcClient ▪ Nimbus OAuth 2.0 SDK (Java) https://connect2id.com/products/nimbus-oauth-openid-connect-sdk ▪ OIDC RP library (Python) https://github.com/openid/JWTConnect-Python-OidcRP ▪ ... See: https://openid.net/developers/certified/#OPServices OpenID Connect Libraries 31
- 32. Books and Online References 32
- 33. ▪ Justin Richer et.al: OAuth2 in Action (Manning, 2017, ISBN 978-1617293276) ▪ Michael Schwartz et.al: Securing the Perimeter (Apress, 2018, ISBN 978-1484226001) ▪ RFC 6749: The OAuth 2.0 Authorization Framework ▪ RFC 6750: OAuth 2.0 Bearer Token Usage ▪ RFC 6819: OAuth 2.0 Threat Model and Security Considerations ▪ RFC 7636: Proof Key for Code Exchange ("Pixy") ▪ OpenID Connect Core 1.0 Specification ▪ OpenID Connect Dynamic Client Registration 1.0 ▪ OpenID Connect Discovery 1.0 ▪ RFC 7519: JSON Web Token (JWT) ▪ JSON Web Token Best Current Practices Books and Online References (1) 33
- 34. ▪ Why you should stop using the OAuth implicit grant ▪ OAuth 2.0 Security Best Current Practice ▪ OAuth 2.0 for Browser-Based Apps ▪ OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens ▪ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens ▪ OAuth 2.0 Token Exchange Books and Online References (2) 34
- 35. ▪ Resource Indicators for OAuth 2.0 ▪ Spring Security 5.2 Reference Documentation ▪ Microservices Security Patterns & Protocols with Spring Security (Devoxx Video) ▪ Microservices Security Patterns & Protocols (SpringOne Platform 2019 Video) ▪ How to secure your Spring apps with Keycloak by Thomas Darimont (Video) Books and Online References (3) 35