Create a Sign On with Open ID Connect

Derek Binkley@DerekB_WI

★Lead Developer at National Conference of Bar Examiners★PHP and Java Developer★MySQL DBA★Father of Three★Home Pizza Chef★@DerekB_WI

Questions

• Yes! Please ask them.• During or at the end.

Why?

OpenID Connect is a new standardNot a lot of documentationBuilt upon Oauth 2.0 which is widespreadSign On across disconnected services

What is a sign on?

• Authentication (who are you?) • Authorization (what can you do?)

What is OpenID Connect?

A Simple Identity layer on top of OAuth 2.0Verify IdentityUser basic infoREST-likeMany client types

What is OAuth 2?

• A method of allowing authorized access to web resources without the need for usernames and passwords.

• More in Ben Ramsey's May 2016 PHP Architect article.

PHP Libraries

• Bshaffer’s oauth2-server-php library

Traditional MVC Application

Modern Distributed Architecture

Session State/Authentication

• Login maintained by connection between browser and Identity Provider

OpenID Steps1. Client prepares an Authentication Request containing the desired

request parameters. 2. Client sends the request to the Authorization Server. 3. Authorization Server Authenticates the End-User. 4. Authorization Server obtains End-User Consent/Authorization. 5. Authorization Server sends the End-User back to the Client with an

Authorization Code. 6. Client requests a response using the Authorization Code at the Token

Endpoint. 7. Client receives a response that contains an ID Token and Access Token

in the response body. 8. Client validates the ID token and retrieves the End-User's Subject

Identifier.

Setting up Your Auth Server

1. Client prepares an Authentication Request containing the desired request parameters.

• Client id• Client secret• Response Type• Scope• State

client_id/client_secret

• Specific to your application• Sets Up Return URL

Response_type

• Code• Id_token• Id_token token• Code id_token• Code token• Code id_token token

State

• Unique string saved by your app• Prevents a forged return call from Identity

Provider.

2. Client sends the request to the Authorization Server.

• Forward user to Auth Server URL• Have user post form to Auth Server

3. Authorization Server Authenticates the End-User.

• Implementation entirely up to you.• What? Isn’t this specification about

authentication?

Authentication Methods

• Something you know• Something you are• Something you have

4. Authorization Server obtains End-User Consent/Authorization.

• My app would like to access … Allow?• Optional if you are in control of all parts of the

chain.

5. Authorization Server sends the End-User back to the Client with an Authorization Code.

• Forward to client URL• Either receive error or code.• Trade code for token.

Auth Server Code

6. Client requests a response using the Authorization Code at the Token Endpoint.

• Your PHP app sends an http request back to the Identity Provider (OpenID server).

• Trades one time use code for token.

Client Code

7. Client receives a response that contains an ID Token and Access Token in the response body.

• Response back with ID token and access token• ID Token can be decrypted to ensure integrity

and details of session

Server Code

Client Code

8. Client validates the ID token and retrieves the End-User's Subject Identifier.

8. Client validates the ID token and retrieves the End-User's Subject Identifier.

Taking it further with session handling

• Sessions between App and Identity Provider don’t stay in sync.

• No way for App to check.

Modern Distributed Architecture

Logout Problem

• User logs out of Identity Provider then logins in as another user then returns to App.

• App still has access token for first login. • App won’t know immediately that token has

expired so could reveal one user’s data to another.

Embed an Iframe with Auth Server Connection

• Send message to iframe to get user’s login status.

• Handle response checking for ‘unchanged’

X-Frame-Options not enough

Content Security Policy in Apache Config

• Header set Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.example.com"

Thanks

• Feedback at Meetup or Joind.in• https://joind.in/event/2016-madison-php-meetings

Resources

• https://www.phparch.com/2016/05/may-2016-full-speed-ahead/• http://openid.net/specs/openid-connect-core-1_0.html• http://openid.net/specs/openid-connect-session-1_0.html• http://bshaffer.github.io/oauth2-server-php-docs/cookbook/• https://www.jwtinspector.io/