OAuth / OpenID Connect
MOHAMMAD MODARESI
1
Delegated Authorization
• Problem: How to let a website access my data? (without giving the password)
2
Delegated Authorization With OAuth 2.0
[Diagram: a Facebook page with a "Connect with Gmail" button]
"I trust Gmail and I kind of trust Facebook. I want Facebook to have access to my contacts only."
3
Delegated Authorization With OAuth 2.0
[Diagram: the user's browser moves between facebook.com, accounts.google.com and contacts.google.com]
1) Facebook: "Connect with Gmail"
2) accounts.google.com: the user enters email and password
3) accounts.google.com: "Allow Facebook to access your public profile and contacts?" No / Yes
4) facebook.com/callback: "Loading …"
5) Facebook then reads the contacts from contacts.google.com
4
OAuth 2.0 Terminology
• Resource Owner
• Client
• Authorization Server (AS)
• Resource Server
• Authorization Grant
• Redirect URI
• Access Token
• Refresh Token
5
OAuth 2.0 Authorization Code Flow
[Diagram: Client = Facebook; Authorization Server = accounts.google.com; Resource owner; Resource server = contacts.google.com]
1) Resource owner clicks "Connect with Gmail" on the client (Facebook)
2) Client sends the resource owner to the authorization server with Redirect URI: facebook.com/callback, Response type: code
3) Resource owner signs in at accounts.google.com (email, password)
4) Authorization server asks: "Allow Facebook to access your public profile and contacts?" No / Yes
5) Authorization server sends the browser back to the redirect URI (facebook.com/callback, "Loading …") with the authorization code
6) Client talks to the resource server (contacts.google.com) with the access token
6
More OAuth 2.0 Terminology
• Scope
• Consent
7
OAuth 2.0 Authorization Code Flow
[Diagram: Client = Facebook; Authorization Server = accounts.google.com; Resource owner; Resource server = contacts.google.com]
1) Resource owner clicks "Connect with Gmail" on the client (Facebook)
2) Client sends the resource owner to the authorization server with Redirect URI: facebook.com/callback, Response type: code, Scope: profile contacts
3) Resource owner signs in at accounts.google.com (email, password)
4) Authorization server requests consent from the resource owner: "Allow Facebook to access your public profile and contacts?" No / Yes
5) Authorization server sends the browser back to the redirect URI (facebook.com/callback, "Loading …") with the authorization code
6) Client talks to the resource server (contacts.google.com) with the access token
8
Even More OAuth 2.0 Terminology
• Back channel (highly secure channel)
• Front channel (less secure channel)
9
OAuth 2.0 Authorization Code Flow
[Diagram: Client = Facebook; Authorization Server = accounts.google.com; Resource owner; Resource server = contacts.google.com]
1) Resource owner clicks "Connect with Gmail" on the client (Facebook)
2) Client sends the resource owner to the authorization server (front channel) with Redirect URI: facebook.com/callback, Response type: code, Scope: profile contacts
3) Resource owner signs in at accounts.google.com (email, password)
4) Authorization server requests consent from the resource owner: "Allow Facebook to access your public profile and contacts?" No / Yes
5) Authorization server sends the browser back to the redirect URI (facebook.com/callback, "Loading …") with the authorization code (front channel)
6) Client talks to the resource server (contacts.google.com) with the access token (back channel)
10
Types of Client
• Confidential Client – An application that runs on a protected server and can securely store confidential secrets to authenticate itself to an authorization server or use another secure authentication mechanism for that purpose.
  • Web application
• Public Client – An application that executes primarily on the user's client device (native application) or in the client browser and cannot securely store a secret or use other means to authenticate itself to an authorization server.
  • Native application
  • Most browser applications
11
Proof Key for Code Exchange (PKCE)
1) The client creates and records a secret named the code_verifier
2) The client then computes the code_challenge from the code_verifier
3) The client sends the code_challenge and an optional code_challenge_method (a keyword for plain or SHA-256 hash) along with the regular authorization request parameters to the authorization server
4) The authorization server responds as usual but records the code_challenge and the code_challenge_method (if present). These are associated with the authorization code that was issued by the authorization server
5) When the client receives the authorization code, it makes a token request as usual and includes the code_verifier secret that it previously generated
6) The server recomputes the code_challenge and checks whether it matches the original. An error response is returned if they aren't equal, and the transaction continues as normal if they are
12
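The six PKCE steps above, carried through in code. This is an added example, not the deck's own code: the client functions follow RFC 7636 (S256 = base64url(SHA-256(verifier)) without padding), and AuthorizationServer is a hypothetical in-memory server that binds the challenge to the issued code and recomputes it at the token request.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Step 1: 32 random bytes -> 43 unreserved characters (allowed length is 43-128)."""
    return b64url(secrets.token_bytes(32))


def compute_code_challenge(verifier: str, method: str = "S256") -> str:
    """Step 2: plain returns the verifier itself; S256 is BASE64URL(SHA256(ASCII(verifier)))."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method")


class AuthorizationServer:
    """Hypothetical server side: steps 4 and 6 of the slide."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "plain") -> str:
        # Step 4: issue a code and remember the challenge that was sent with the request
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Codes are single use: pop so a replayed code fails even with the right verifier
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        # Step 6: recompute the challenge from the presented verifier and compare
        recomputed = compute_code_challenge(code_verifier, method)
        if not hmac.compare_digest(recomputed.encode("ascii"), challenge.encode("ascii")):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
```

An intercepted authorization code is useless without the verifier, which never leaves the client until the back-channel token request; the known-answer values in the check below are the RFC 7636 Appendix B test vector.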
Starting the flow
https://accounts.google.com/o/oauth2/v2/auth?
client_id=abc123&
redirect_uri=https://facebook.com/callback&
scope=profile&
response_type=code&
state=foobar&
code_challenge=XXXXXXX&
code_challenge_method=S256
13
Calling back
Consent denied:
https://facebook.com/callback?
error=access_denied&
error_description=the user did not consent.
Consent granted:
https://facebook.com/callback?
code=oMsCeLvIaQm6bTrgtp7&
state=foobar
14
Exchange code for an access token
POST www.googleapis.com/oauth/v4/token
Content-Type: application/x-www-form-urlencoded

code=oMsCeLvIaQm6bTrgtp7&
client_id=abc123&
client_secret=secret123&        (confidential clients)
grant_type=authorization_code&
code_verifier=XXXXXXX           (public clients)
15
Authorization server returns an access token
{
  "access_token": "fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "token_type": "Bearer",
  "scope": "profile"
}
16
Use the access token
GET api.google.com/some/endpoint
Authorization: Bearer fFAGRNJru1FTz70BzhT3Zg
[Diagram: the client presents the token to the API]
The API:
• Validates the token
• Uses the token scope for authorization
17
Refresh Token
18
OAuth 2.0 flows
• Authorization code (front channel + back channel)
  • Web applications
  • Native apps (with PKCE)
• Implicit (front channel only)
  • Browser-based app (SPA or JS app with API backend)
• Resource owner password credentials (back channel only)
• Client credentials (back channel only)
19
OAuth 2.0 Implicit Flow
[Diagram: Client = sample app; Authorization Server = accounts.google.com; Resource owner; Resource server = contacts.google.com]
1) Resource owner clicks "Connect with Gmail" on the client (sample app)
2) Client sends the resource owner to the authorization server with Redirect URI: facebook.com/callback, Response type: token, Scope: profile contacts
3) Resource owner signs in at accounts.google.com (email, password)
4) Authorization server requests consent from the resource owner: "Allow the app to access your public profile and contacts?" No / Yes
5) Authorization server sends the browser back to the redirect URI ("Hello!") with the token (front channel)
6) Client talks to the resource server (contacts.google.com) with the access token (front channel)
20
Identity use cases (Pre-2014)
• Simple login – OAuth 2.0 (Authentication)
• Single sign-on across sites – OAuth 2.0 (Authentication)
• Mobile app login – OAuth 2.0 (Authentication)
• Delegated authorization – OAuth 2.0 (Authorization)
21
Problems with OAuth 2.0 for authentication
• No standard way to get the user's information
• Every implementation is a little different
• No common set of scopes
22
OAuth 2.0 and OpenID Connect
23
What OpenID Connect adds
• ID token
• UserInfo endpoint for getting more user information
• Standard set of scopes
• Standardized implementation
24
OpenID Connect Authorization Code Flow
[Diagram: OpenID Provider = accounts.google.com; Relying party = Facebook; Resource owner; UserInfo endpoint = accounts.google.com/userinfo]
1) Resource owner clicks "Log in with Gmail" on the relying party (Facebook)
2) Relying party sends the resource owner to the authorization server with Redirect URI: facebook.com/callback, Response type: code, Scope: openid profile
3) Resource owner signs in at accounts.google.com (email, password)
4) OpenID Provider asks: "Allow Facebook to access your public profile and contacts?" No / Yes
5) OpenID Provider sends the browser back to the redirect URI (facebook.com/callback, "Loading …") with the authorization code
6) Relying party gets user info from accounts.google.com/userinfo with the access token
25
Starting the flow
https://accounts.google.com/o/oauth2/v2/auth?
client_id=abc123&
redirect_uri=https://facebook.com/callback&
scope=openid profile&
response_type=code&
state=foobar
26
Exchange code for an access token and ID token
POST www.googleapis.com/oauth/v4/token
Content-Type: application/x-www-form-urlencoded

code=oMsCeLvIaQm6bTrgtp7&
client_id=abc123&
client_secret=secret123&
grant_type=authorization_code
27
Authorization server returns access and ID token
{
  "access_token": "fFAGRNJru1FTz70BzhT3Zg",
  "id_token": "eyJraB03ds3F...",
  "expires_in": 3920,
  "token_type": "Bearer"
}
28
ID Token (JWT)
eyJhbGciOiJSUzI1NiIsImtpZCI6IkRNa3Itd0JqRU1EYnhOY25xaVJISVhuYUxub
WI3UUpfWF9rWmJyaEtBMGMifQ
Header
.
eyJzdWIiOiIwMHU5bzFuaWtqdk9CZzVabzBoNyIsInZlciI6MSwiaXNzIjoiaHR0c
HM6Ly9kZXYtMzQxNjA3Lm9rdGFwcmV2aWV3LmNvbS9vYXV0aDIvYXVzOW84d3ZraG
9ja3c5VEwwaDciLCJhdWQiOiJsWFNlbkx4eFBpOGtRVmpKRTVzNCIsImlhdCI6MTU
wOTA0OTg5OCwiZXhwIjoxNTA5MDUzNDk4LCJqdGkiOiJJRC5oa2RXSXNBSXZTbnBG
YVFHTVRYUGNVSmhhMkgwS2c5Ykl3ZEVvVm1ZZHN3IiwiYW1yIjpbImtiYSIsIm1mY
SIsInB3ZCJdLCJpZHAiOiIwMG85bzFuaWpraWpLeGNpbjBoNyIsIm5vbmNlIjoidW
pwMmFzeHlqN2UiLCJhdXRoX3RpbWUiOjE1MDkwNDk3MTl9
Payload
(claims)
.
dv4Ek8B4BDee1PcQT_4zm7kxDEY1sRIGbLoNtlodZcSzHzXU5GkKyl6sAVmdXOIPUlAIrJAhNfQWQ_XZLBVPjETiZE8CgNg5uqNmeXMUnYnQmvN5oWlXUZ8Gcub-GAbJ8NQuyBmyec1j3gmGzX3wemke8NkuI6SX2L4Wj1PyvkknBtbjfiF9ud1ERKbobaFbnjDFOFTzvL6g34SpMmZWy6uc_Hs--n4IC-ex-_Ps3FcMwRggCW_7o2FpH6rJTOGPZYrOx44n3ZwAu2dGm6axtPIsqU8b6sw7DaHpogD_hxsXgMIOzOBMbYsQEiczoGn71ZFz_1O7FiW4dH6g
Signature
29
ID Token (JWT)
(Header)
.
{
  "iss": "https://accounts.google.com",
  "sub": "you@gmail.com",
  "name": "Mohammad Modaresi",
  "aud": "s6BhdRkqt3",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969
}
.
(Signature)
30
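What the relying party must check before trusting the claims above: the signature, then iss, aud and exp. This is an added example, not code from the deck. It uses HS256 with a constructed shared key so that it runs with the standard library only (Google signs ID tokens with RS256, where the same checks apply with the provider's public key); make_id_token is a constructed helper that plays the OpenID Provider.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"  # stand-in for RS256 so this runs with the standard library only


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, key: bytes, alg: str = EXPECTED_ALG) -> str:
    """Constructed token builder for the demonstration (the OpenID Provider's job)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, now=None):
    """Relying-party checks; returns (claims, None) on success or (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose it (this rejects "none")
    if header.get("alg") != EXPECTED_ALG:
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))  # only read claims after the signature holds
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")  # "aud" is a string or, for multi-audience tokens, a list
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    return claims, None
```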
Calling the userinfo endpoint
GET www.googleapis.com/oauth2/v4/userinfo
Authorization: Bearer fFAGRNJru1FTz70BzhT3Zg

200 OK
Content-Type: application/json
{
  "sub": "you@gmail.com",
  "name": "Mohammad Modaresi",
  "profile_picture": "http://plus.g.co/123"
}
31
Identity use cases (Today)
• Simple login – OpenID Connect (Authentication)
• Single sign-on across sites – OpenID Connect (Authentication)
• Mobile app login – OpenID Connect (Authentication)
• Delegated authorization – OAuth 2.0 (Authorization)
32
OAuth and OpenID Connect
USE OAUTH 2.0 FOR (Authorization):
• Granting access to your API
• Getting access to user data in other systems
USE OPENID CONNECT FOR (Authentication):
• Logging the user in
• Making your accounts available in other systems
33
OAuth 1.0 VS OAuth 2.0
34
References
• OAuth 2 in Action (Justin Richer, Antonio Sanso)
• Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 (Yvonne Wilson, Abhishek Hingnikar)
35