Post on 12-Aug-2015
EXTREME OAUTH
Paul Meyer, pmeyer@pingidentity.com
WHAT WILL WE COVER
• OAuth 2.0 Overview – Actors and Actions
• Client Considerations
  • Web, Native App, User Agent Based clients
  • API-to-API
• Resource Server Considerations
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
BUT FIRST.. NOT SO EXTREME OAUTH
[Diagram: OAuth 2.0 actors: Resource Owner (RO) in the User Agent; Client (Application) on a Web Server; Authorization Server with AuthZ Endpoint and Token Endpoint; Resource Server (API).]
BUT FIRST.. NOT SO EXTREME OAUTH
• Client Considerations
  • GET a token
  • USE a token
  • REFRESH a token
  • REGISTER
  • REVOKE a token (RFC 7009)
BUT FIRST.. NOT SO EXTREME OAUTH
• Resource Server Considerations
  • REGISTER
  • RECEIVE a token
  • VALIDATE a token
CLIENT CONSIDERATIONS
GET A TOKEN
• OAuth Grant Types
  • Authorization Code
  • Implicit
  • Resource Owner Password Credentials
  • Client Credentials
  • Extension Grants (SAML, JWT)
SCENARIO – Web Application
• Easy… right? Just use AuthZ Code
  • Already in the user agent (interactivity)
  • Leverage browser authentication
• Security concerns
  • Open redirect
  • Man-in-the-middle attacks
SCENARIO – Web Application
[Diagram: Authorization Code flow for a web application: the User Agent (RO) is sent to the AuthZ Endpoint of the Authorization Server, authentication happens, a code is returned through the User Agent to the Application (Client) on the Web Server, which exchanges the code at the Token Endpoint for token(s) and calls the API (Resource Server).]
SCENARIO – Native App
• Implicit makes sense (but no refresh token)
• AuthZ Code has challenges
  • Distributing the client secret
  • Malicious apps with same URL scheme
• PKCE can help here
• Dynamic Registration provides interesting options
SCENARIO – Native App (Implicit Flow)
[Diagram: the Application (Client) on the Device uses the User Agent to reach the AuthZ Endpoint of the Authorization Server; authentication happens; the token is returned directly to the client, which uses it against the API (Resource Server) on the Web Server. The Token Endpoint is not involved.]
SCENARIO – Native App (AuthZ Code Flow)
[Diagram: the Application (Client) on the Device sends code_challenge with the authorization request to the AuthZ Endpoint; authentication happens in the User Agent; the code is returned to the client, which presents code_verifier + code at the Token Endpoint and receives token(s) for the API (Resource Server).]
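The PKCE exchange from the diagram above, worked through as an added example (not code from the deck or from Ping Identity): the native app derives an S256 code_challenge from a random code_verifier, and the toy authorization server binds the challenge to the code so that only the holder of the verifier can redeem it. ToyAuthorizationServer and native_app_flow are constructed stand-ins for the AuthZ and Token endpoints and the app.

```python
import base64, hashlib, hmac, secrets

# Constructed example of the S256 method from the PKCE draft cited in the deck
# (draft-ietf-oauth-spop, later RFC 7636), run end to end against a toy AS.

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes=32):
    # 32 random octets encode to 43 base64url characters, the minimum verifier length.
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier):
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthorizationServer:
    # Stands in for the AuthZ Endpoint and Token Endpoint of the diagram; not a real AS.
    def __init__(self):
        self._pending = {}  # code -> code_challenge recorded when the code was issued

    def authorize(self, code_challenge, code_challenge_method="S256"):
        # AuthZ Endpoint: bind the challenge to the code before handing the code back.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        # Token Endpoint: the code is single-use, and only the app that generated the
        # verifier can satisfy the stored challenge, so another app registered for the
        # same URL scheme that merely received the code cannot redeem it.
        challenge = self._pending.pop(code, None)
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}

def native_app_flow(authz, verifier=None):
    # The client's half of the diagram: create the verifier, send the challenge,
    # receive the code, then redeem code + verifier. Returns the token response or None.
    verifier = verifier or make_code_verifier()
    code = authz.authorize(make_code_challenge(verifier))
    return authz.token(code, verifier)
```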
SCENARIO – User Agent Based Client
• App resides in the User Agent (i.e. JavaScript App)
• Client can’t keep its secret… secret
• Client can’t keep much else secret either
SCENARIO – User Agent Based Client
[Diagram: the Application (Client) runs inside the User Agent (RO); after authentication happens, the AuthZ Endpoint of the Authorization Server returns the token directly to it, and it calls the API (Resource Server) on the Web Server.]
SCENARIO – Token Transformation
• API-to-API conversations
  • Swap a SAML assertion for an AT (or vice-versa)
  • Swap an AT for another AT
• Options
  • SAML 2.0 Profile for OAuth 2.0
  • JWT Profile for OAuth 2.0
  • WS-Trust (!)
SCENARIO – SAML > Access Token
[Diagram: Client, Web Service with a WS-Trust Service, Authorization Server (AuthZ Endpoint, Token Endpoint), REST API (Resource Server); flows labelled SAML, SAML, token(s): the SAML assertion is presented at the Token Endpoint and the resulting token(s) are used at the REST API.]
SCENARIO – Access Token > SAML
[Diagram: Client, Web Service with a WS-Trust STS, REST API (Resource Server); flows labelled token, USE the token, SAML: the client uses its token at the REST API, and the token is exchanged at the WS-Trust STS for a SAML assertion to call the Web Service.]
SCENARIO – Access Token > Access Token
[Diagram: Client, Authorization Server (AuthZ Endpoint, Token Endpoint), two REST APIs (Resource Servers); flows labelled token, USE the token, token, USE the token: the client uses its token at the first API, which obtains a second token to call the second API.]
SCENARIO – Token Mediation
[Diagram: Client, Authorization Server (AuthZ Endpoint, Token Endpoint), Access Gateway applying an Access Policy in front of the REST API (Resource Server); flows labelled token, USE the token, token: the client uses its token at the gateway, which forwards a token to the API.]
RESOURCE SERVER CONSIDERATIONS
RESOURCE SERVER CONSIDERATIONS
• Validation options
  • Token introspection
  • JWT validation
• Validation is more than just dsig validation
  • scopes, audience, issuer etc.
TOKEN VALIDATION - Introspection
HTTP/1.1 200 OK
{
  "scope": "edit",
  "token_type": "urn:pingidentity.com:oauth2:validated_token",
  "expires_in": 59933,
  "client_id": "im_client",
  "access_token": {
    "subject": "joe",
    "department": "SALES"
  }
}
TOKEN VALIDATION – JWT Validation
eyJhbGciOiJIUzI1NiIsImtpZCI6ImExIn0 . eyJzdWJqZWN0Ijoiam9lIiwiZGVwYXJ0bWVudCI6IlNBTEVTIiwiZXhwIjoxNDMzNDg0NDI5LCJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6ImltX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vYXMucGluZ2RldmVsb3BlcnMuY29tIiwiYXVkIjoiaHR0cHM6Ly9hcGkucGluZ2RldmVsb3BlcnMuY29tIn0 . vAim2TzzkWi_RRDtyf0RjAyY2H4MtWToSfsGPCfhc60
TOKEN VALIDATION – JWT Validation
{"alg":"HS256","kid":"a1"}
.
{
  "subject": "joe",
  "department": "SALES",
  "exp": 1433484429,
  "scope": ["edit"],
  "client_id": "im_client",
  "iss": "https://as.pingdevelopers.com",
  "aud": "https://api.pingdevelopers.com"
}
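Resource-server-side validation of the HS256 JWT above, as an added example covering both the "JWT validation" option and the "more than just dsig validation" point (not code from the deck or from Ping Identity, and stdlib only). The slide shows kid "a1" but not the key, so KEYS is a constructed key ring; mint_hs256 only exists to produce test input with the slide's claim set, and the checks on exp, iss, aud and scope are the ones the resource server relies on after the signature passes.

```python
import base64, hashlib, hmac, json, time

# Constructed key ring keyed by "kid": the slide shows kid "a1" but not the key itself.
KEYS = {"a1": b"constructed-shared-secret-for-kid-a1"}
EXPECTED_ISS = "https://as.pingdevelopers.com"
EXPECTED_AUD = "https://api.pingdevelopers.com"
SLIDE_CLAIMS = {"subject": "joe", "department": "SALES", "exp": 1433484429,  # from the slide
                "scope": ["edit"], "client_id": "im_client",
                "iss": EXPECTED_ISS, "aud": EXPECTED_AUD}

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims, kid):
    # Build a signed JWT the way the AS would; used here only to produce test input.
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'kid': kid})}.{seg(claims)}"
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def validate(token, required_scope, now=None):
    # Returns (claims, None) if the RS may act on the token, else (None, reason).
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm the RS was provisioned for
        return None, "unexpected alg"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None, "unknown kid"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    # A good dsig is necessary, not sufficient: also check the claims the RS relies on.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired or missing exp"
    if claims.get("iss") != EXPECTED_ISS:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if required_scope not in claims.get("scope", []):
        return None, "insufficient scope"
    return claims, None
```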
REFERENCES
• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
• RFC 7009 - OAuth 2.0 Token Revocation
• RFC 7519 - JSON Web Token (JWT)
• RFC 7521 - Assertion Framework for OAuth 2.0 Client Authn and Authz Grants
• RFC 7522 - SAML 2.0 Profile for OAuth 2.0 Client Authn and Authz Grants
• RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authn and Authz Grants
• draft-ietf-oauth-dyn-reg-30 - Dynamic Client Registration Protocol
• draft-ietf-oauth-dyn-reg-management-15 - Dynamic Client Registration Management Protocol
• draft-ietf-oauth-introspection-09 - OAuth 2.0 Token Introspection
• draft-ietf-oauth-spop-11 - Proof Key for Code Exchange (PKCE)
QUESTIONS?
Thank You!
Paul Meyer pmeyer@pingidentity.com