Slide 1: OAuth / OpenID Connect
Mohammad Modaresi

Slide 2: Delegated Authorization
• Problem: how do I let a website access my data (without giving it my password)?

Slide 3: Delegated Authorization With OAuth 2.0
Facebook: "I trust Gmail and I kind of trust Facebook. I want Facebook to have access to my contacts only."
Button: "Connect with Gmail"

Slide 4: Delegated Authorization With OAuth 2.0 (diagram)
Parties: Facebook ("Connect with Gmail"), Accounts.google.com (Email / Password prompt), Contacts.google.com, Facebook.com/callback ("Loading …").
Consent screen on Accounts.google.com: "Allow Facebook to access your public profile and contacts?"

Slide 5: OAuth 2.0 Terminology
• Resource Owner
• Client
• Authorization Server (AS)
• Resource Server
• Authorization Grant
• Redirect URI
• Access Token
• Refresh Token

Slide 6: OAuth 2.0 Authorization Code Flow (diagram)
Client: Facebook. Authorization Server: Accounts.google.com. Resource Server: Contacts.google.com.
1. "Connect with Gmail": go to the Authorization Server with Redirect URI: facebook.com/callback, Response type: Code
2. Resource owner enters Email / Password at Accounts.google.com
3. Consent screen: "Allow Facebook to access your public profile and contacts?"
4. Back to the redirect URI (Facebook.com/callback, "Loading …") with the authorization code
5. Talk to the resource server (Contacts.google.com) with the access token

Slide 7: More OAuth 2.0 Terminology
• Scope
• Consent

Slide 8: OAuth 2.0 Authorization Code Flow (diagram)
Same flow, now with a scope in the authorization request:
1. "Connect with Gmail": go to the Authorization Server with Redirect URI: facebook.com/callback, Response type: Code, Scope: profile contacts
2. Resource owner enters Email / Password at Accounts.google.com
3. Authorization Server requests consent from the resource owner: "Allow Facebook to access your public profile and contacts?"
4. Back to the redirect URI (Facebook.com/callback, "Loading …") with the authorization code
5. Talk to the resource server (Contacts.google.com) with the access token
Slide 9: Even More OAuth 2.0 Terminology
• Back channel (highly secure channel)
• Front channel (less secure channel)

Slide 10: OAuth 2.0 Authorization Code Flow (diagram)
Same flow with the channels marked:
1. "Connect with Gmail": go to the Authorization Server (front channel) with Redirect URI: facebook.com/callback, Response type: Code, Scope: profile contacts
2. Resource owner enters Email / Password at Accounts.google.com
3. Authorization Server requests consent from the resource owner: "Allow Facebook to access your public profile and contacts?"
4. Back to the redirect URI (Facebook.com/callback, "Loading …") with the authorization code (front channel)
5. Talk to the resource server (Contacts.google.com) with the access token (back channel)

Slide 11: Types of Client
• Confidential Client: an application that runs on a protected server and can securely store confidential secrets to authenticate itself to an authorization server, or use another secure authentication mechanism for that purpose.
  – Web application
• Public Client: an application that executes primarily on the user's client device (native application) or in the client browser and cannot securely store a secret or use other means to authenticate itself to an authorization server.
  – Native application
  – Most browser applications

Slide 12: Proof Key for Code Exchange (PKCE)
1) The client creates and records a secret named the code_verifier.
2) The client then computes the code_challenge based on the code_verifier.
3) The client sends the code_challenge and an optional code_challenge_method (a keyword for plain or SHA-256 hash) along with the regular authorization request parameters to the authorization server.
4) The authorization server responds as usual but records the code_challenge and the code_challenge_method (if present).
These are associated with the authorization code that was issued by the authorization server.
5) When the client receives the authorization code, it makes a token request as usual and includes the code_verifier secret that it previously generated.
6) The server recomputes the code_challenge and checks whether it matches the original. An error response is returned if they are not equal, and the transaction continues as normal if they are.

Slide 13: Starting the flow
https://accounts.google.com/o/oauth2/v2/auth?
  client_id=abc123&
  redirect_uri=https://facebook.com/callback&
  scope=profile&
  response_type=code&
  state=foobar&
  code_challenge=XXXXXXX&
  code_challenge_method=S256

Slide 14: Calling back
Error response:
https://facebook.com/callback?
  error=access_denied&
  error_description=the user did not consent.

Success response:
https://facebook.com/callback?
  code=oMsCeLvIaQm6bTrgtp7&
  state=foobar

Slide 15: Exchange code for an access token
POST www.googleapis.com/oauth/v4/token
Content-Type: application/x-www-form-urlencoded
  code=oMsCeLvIaQm6bTrgtp7&
  client_id=abc123&
  client_secret=secret123&         (confidential clients)
  grant_type=authorization_code&
  code_verifier=XXXXXXX            (public clients, instead of client_secret)

Slide 16: Authorization server returns an access token
{
  "access_token": "fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "token_type": "Bearer",
  "scope": "profile"
}

Slide 17: Use the access token
GET api.google.com/some/endpoint
Authorization: Bearer fFAGRNJru1FTz70BzhT3Zg

Diagram: the Client sends the token to the API. The API:
• Validates the token
• Uses the token scope for authorization

Slide 18: Refresh Token

Slide 19: OAuth 2.0 flows
• Authorization code (front channel + back channel)
  – Web applications
  – Native apps (with PKCE)
• Implicit (front channel only)
  – Browser-based app (SPA or JS app with API backend)
• Resource owner password credentials (back channel only)
• Client credentials (back channel only)

Slide 20: OAuth 2.0 Implicit Flow (diagram)
Client: sample app. Authorization Server: Accounts.google.com. Resource Server: Contacts.google.com.
1. "Connect with Gmail": go to the Authorization Server with Redirect URI: facebook.com/callback, Response type: Token, Scope: profile contacts
2. Resource owner enters Email / Password at Accounts.google.com
3. Authorization Server requests consent from the resource owner: "Allow the app to access your public profile and contacts?"
4. Back to the redirect URI (sample app, "Hello!") with the token
5. Talk to the resource server (Contacts.google.com) with the access token (front channel)
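The following is an added example, not code from the slides: it walks slides 12 to 17 end to end in Python. The client side generates the code_verifier, derives the S256 code_challenge, builds the authorization request of slide 13 and checks state on the callback of slide 14; a constructed toy authorization server records the challenge with the code and recomputes it at the token request of slide 15; a constructed toy resource server performs the "validate token, use token scope for authorization" steps of slide 17. The endpoint, redirect URI and client_id are the ones on the slides; the in-memory code and token stores, the `AuthorizationServer` class and `resource_server_check` are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # endpoint used on slide 13
REDIRECT_URI = "https://facebook.com/callback"                   # redirect URI used on slide 13
CLIENT_ID = "abc123"                                             # client_id used on slide 13


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """PKCE step 1: 32 random bytes give a 43-character verifier (allowed length 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """PKCE step 2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(scope: str, state: str, verifier: str) -> str:
    """PKCE step 3: the authorization request of slide 13, with state and the S256 challenge."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Slide 14: check state before trusting either the code or the error parameters."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return {"ok": False, "error": "state mismatch"}
    if "error" in q:
        return {"ok": False, "error": q["error"][0],
                "description": q.get("error_description", [""])[0]}
    return {"ok": True, "code": q["code"][0]}


class AuthorizationServer:
    """Constructed toy AS: step 4 stores the challenge with the code, step 6 verifies it."""

    def __init__(self) -> None:
        self._codes = {}   # code -> (code_challenge, code_challenge_method, scope)
        self.tokens = {}   # access_token -> {"scope", "exp"}; read by the toy resource server

    def issue_code(self, code_challenge: str, method: str, scope: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method, scope)
        return code

    def token(self, code: str, code_verifier: str, now: Optional[int] = None) -> Optional[dict]:
        """Token request of slide 15 for a public client: recompute the challenge and compare."""
        entry = self._codes.pop(code, None)   # an authorization code is single use
        if entry is None:
            return None
        challenge, method, scope = entry
        if method == "S256":
            recomputed = code_challenge_s256(code_verifier)
        elif method == "plain":
            recomputed = code_verifier
        else:
            return None
        if not hmac.compare_digest(recomputed.encode(), challenge.encode()):
            return None
        now = int(time.time()) if now is None else now
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"scope": scope, "exp": now + 3920}
        return {"access_token": access_token, "expires_in": 3920,
                "token_type": "Bearer", "scope": scope}   # same shape as slide 16


def resource_server_check(authorization: str, required_scope: str, tokens: dict,
                          now: Optional[int] = None) -> bool:
    """Slide 17: validate the bearer token, then authorize on the scope it carries."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    record = tokens.get(token)
    if record is None or record["exp"] <= now:
        return False
    return required_scope in record["scope"].split()
```

Two details worth noticing: the authorization code is popped from the store, so a replayed code fails even with the right verifier, and both the state and the challenge comparison use `hmac.compare_digest` rather than `==`.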
Slide 21: Identity use cases (Pre-2014)
• Simple login – OAuth 2.0 Authentication
• Single sign-on across sites – OAuth 2.0 Authentication
• Mobile app login – OAuth 2.0 Authentication
• Delegated authorization – OAuth 2.0 Authorization

Slide 22: Problems with OAuth 2.0 for authentication
• No standard way to get the user's information
• Every implementation is a little different
• No common set of scopes

Slide 23: OAuth 2.0 and OpenID Connect

Slide 24: What OpenID Connect adds
• ID token
• UserInfo endpoint for getting more user information
• Standard set of scopes
• Standardized implementation

Slide 25: OpenID Connect Authorization Code Flow (diagram)
Relying party: Facebook. OpenID Provider: Accounts.google.com.
1. "Log in with Gmail": go to the Authorization Server with Redirect URI: facebook.com/callback, Response type: Code, Scope: openid profile
2. Resource owner enters Email / Password at Accounts.google.com
3. Consent screen: "Allow Facebook to access your public profile and contacts?"
4. Back to the redirect URI (Facebook.com/callback, "Loading …") with the authorization code
5. Get user info from accounts.google.com/userinfo with the access token

Slide 26: Starting the flow
https://accounts.google.com/o/oauth2/v2/auth?
  client_id=abc123&
  redirect_uri=https://facebook.com/callback&
  scope=openid profile&
  response_type=code&
  state=foobar

Slide 27: Exchange code for an access token and ID token
POST www.googleapis.com/oauth/v4/token
Content-Type: application/x-www-form-urlencoded

  code=oMsCeLvIaQm6bTrgtp7&
  client_id=abc123&
  client_secret=secret123&
  grant_type=authorization_code

Slide 28: Authorization server returns access and ID token
{
  "access_token": "fFAGRNJru1FTz70BzhT3Zg",
  "id_token": "eyJraB03ds3F...",
  "expires_in": 3920,
  "token_type": "Bearer"
}

Slide 29: ID Token (JWT)
Header:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkRNa3Itd0JqRU1EYnhOY25xaVJISVhuYUxubWI3UUpfWF9rWmJyaEtBMGMifQ
.
Payload (claims):
eyJzdWIiOiIwMHU5bzFuaWtqdk9CZzVabzBoNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtMzQxNjA3Lm9rdGFwcmV2aWV3LmNvbS9vYXV0aDIvYXVzOW84d3ZraG9ja3c5VEwwaDciLCJhdWQiOiJsWFNlbkx4eFBpOGtRVmpKRTVzNCIsImlhdCI6MTUwOTA0OTg5OCwiZXhwIjoxNTA5MDUzNDk4LCJqdGkiOiJJRC5oa2RXSXNBSXZTbnBGYVFHTVRYUGNVSmhhMkgwS2c5Ykl3ZEVvVm1ZZHN3IiwiYW1yIjpbImtiYSIsIm1mYSIsInB3ZCJdLCJpZHAiOiIwMG85bzFuaWpraWpLeGNpbjBoNyIsIm5vbmNlIjoidWpwMmFzeHlqN2UiLCJhdXRoX3RpbWUiOjE1MDkwNDk3MTl9
.
Signature:
dv4Ek8B4BDee1PcQT_4zm7kxDEY1sRIGbLoNtlodZcSzHzXU5GkKyl6sAVmdXOIPUlAIrJAhNfQWQ_XZLBVPjETiZE8CgNg5uqNmeXMUnYnQmvN5oWlXUZ8Gcub-GAbJ8NQuyBmyec1j3gmGzX3wemke8NkuI6SX2L4Wj1PyvkknBtbjfiF9ud1ERKbobaFbnjDFOFTzvL6g34SpMmZWy6uc_Hs--n4IC-ex-_Ps3FcMwRggCW_7o2FpH6rJTOGPZYrOx44n3ZwAu2dGm6axtPIsqU8b6sw7DaHpogD_hxsXgMIOzOBMbYsQEiczoGn71ZFz_1O7FiW4dH6g

Slide 30: ID Token (JWT), decoded
(Header)
.
{
  "iss": "https://accounts.google.com",
  "sub": "you@gmail.com",
  "name": "Mohammad Modaresi",
  "aud": "s6BhdRkqt3",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969
}
.
(Signature)

Slide 31: Calling the userinfo endpoint
GET www.googleapis.com/oauth2/v4/userinfo
Authorization: Bearer fFAGRNJru1FTz70BzhT3Zg

200 OK
Content-Type: application/json
{
  "sub": "you@gmail.com",
  "name": "Mohammad Modaresi",
  "profile_picture": "http://plus.g.co/123"
}

Slide 32: Identity use cases (Today)
• Simple login – OpenID Connect Authentication
• Single sign-on across sites – OpenID Connect Authentication
• Mobile app login – OpenID Connect Authentication
• Delegated authorization – OAuth 2.0 Authorization

Slide 33: OAuth and OpenID Connect
Use OAuth 2.0 for (Authorization):
• Granting access to your API
• Getting access to user data in other systems
Use OpenID Connect for (Authentication):
• Logging the user in
• Making your accounts available in other systems

Slide 34: OAuth 1.0 vs OAuth 2.0

Slide 35: References
• OAuth 2 in Action (Justin Richer, Antonio Sanso)
• Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 (Yvonne Wilson, Abhishek Hingnikar)