CIS 2015 Extreme OAuth - Paul Meyer
EXTREME OAUTH
Paul Meyer
pmeyer@pingidentity.com
WHAT WILL WE COVER
•  OAuth 2.0 Overview – Actors and Actions
•  Client Considerations
   •  Web, Native App, User Agent Based clients
   •  API-to-API
•  Resource Server Considerations
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
BUT FIRST.. NOT SO EXTREME OAUTH
[Diagram: the actors in a basic OAuth 2.0 flow: Web Server Client (Application), Resource Server (API), User Agent, Resource Owner (RO), and the Authorization Server with its AuthZ Endpoint and Token Endpoint.]
BUT FIRST.. NOT SO EXTREME OAUTH
•  Client Considerations
   •  GET a token
   •  USE a token
   •  REFRESH a token
   •  REGISTER
   •  REVOKE a token (RFC 7009)
BUT FIRST.. NOT SO EXTREME OAUTH
•  Resource Server Considerations
   •  REGISTER
   •  RECEIVE a token
   •  VALIDATE a token
CLIENT CONSIDERATIONS
GET A TOKEN
•  OAuth Grant Types
   •  Authorization Code
   •  Implicit
   •  Resource Owner Password Credentials
   •  Client Credentials
   •  Extension Grants (SAML, JWT)
SCENARIO – Web Application
•  Easy… right? Just use AuthZ Code
   •  Already in the user agent (interactivity)
   •  Leverage browser authentication
•  Security concerns
   •  Open redirect
   •  Man-in-the-middle attacks
SCENARIO – Web Application
[Diagram: Authorization Code flow for a web application. Actors: User Agent, Web Server Application (Client), Authorization Server (AuthZ Endpoint, Token Endpoint), API (Resource Server), RO. The User Agent is sent to the AuthZ Endpoint, where Authentication Happens…; a code is returned through the User Agent to the Application (Client), which exchanges the code at the Token Endpoint for token(s) and then calls the API.]
SCENARIO – Native App
•  Implicit makes sense (but no refresh token)
•  AuthZ Code has challenges
   •  Distributing the client secret
   •  Malicious apps with same URL scheme
   •  PKCE can help here
•  Dynamic Registration provides interesting options
SCENARIO – Native App (Implicit Flow)
[Diagram: Application (Client) running on the Device, the Device's User Agent, Authorization Server (AuthZ Endpoint, Token Endpoint), Web Server API (Resource Server), RO. Authentication Happens… at the AuthZ Endpoint and a token is returned directly to the Application (Client) via the User Agent; the Token Endpoint is not used.]
SCENARIO – Native App (AuthZ Code Flow)
[Diagram: Application (Client) running on the Device, the Device's User Agent, Authorization Server (AuthZ Endpoint, Token Endpoint), Web Server API (Resource Server), RO. The Application sends a code_challenge with the request to the AuthZ Endpoint; Authentication Happens…; a code is returned via the User Agent; the Application sends code_verifier + code to the Token Endpoint and receives token(s).]
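The Web Application and Native App scenarios above, as one runnable exchange. This is an added example, not code from the deck or from Ping Identity: both sides of the protocol are simulated in a single process (the authorization server's AuthZ and Token endpoints, a confidential web-app client that authenticates with a client secret, and a public native-app client that uses PKCE with the S256 method). The client ids, secrets, redirect URIs and the in-memory code store are constructed assumptions. It shows the two mitigations the slides point at: exact-match redirect_uri registration against the open-redirect concern, and PKCE verification at the token endpoint so that a code delivered to a malicious app registered on the same URL scheme cannot be exchanged without the original code_verifier.

```python
"""Toy authorization server plus web-app and native-app clients.
Added example; client registrations, secrets and URIs are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed registrations: the web app is a confidential client with a
# secret; the native app is a public client and is required to use PKCE.
CLIENTS = {
    "web_app": {"secret": "constructed-web-secret", "public": False,
                "redirect_uris": {"https://app.example.test/cb"}},
    "native_app": {"secret": None, "public": True,
                   "redirect_uris": {"com.example.app:/cb"}},
}


def s256_challenge(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Random code_verifier: 32 random bytes -> 43 unreserved characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> issuance record; every code is single use

    def authorize(self, client_id, redirect_uri, code_challenge=None, method=None):
        """AuthZ endpoint, called once 'Authentication Happens…' is done.
        redirect_uri must exactly equal a registered value: no prefix or
        pattern matching, which is what turns the AS into an open redirector."""
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("unknown client")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        if client["public"] and (method != "S256" or not code_challenge):
            raise ValueError("public client must use PKCE S256")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "expires": time.time() + 60}
        return code

    def token(self, client_id, code, redirect_uri, client_secret=None, code_verifier=None):
        """Token endpoint: the code is consumed on first use and is bound to the
        client, the redirect_uri and (for PKCE) the verifier it was issued for."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client/redirect_uri")
        client = CLIENTS[client_id]
        if client["public"]:
            if code_verifier is None or not hmac.compare_digest(
                    s256_challenge(code_verifier), rec["challenge"]):
                raise ValueError("PKCE verification failed")
        elif client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise ValueError("client authentication failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600}


def web_app_flow(as_: AuthorizationServer) -> dict:
    """Web Application slide: confidential client, secret sent to the Token Endpoint."""
    code = as_.authorize("web_app", "https://app.example.test/cb")
    return as_.token("web_app", code, "https://app.example.test/cb",
                     client_secret="constructed-web-secret")


def native_app_flow(as_: AuthorizationServer) -> dict:
    """Native App (AuthZ Code Flow) slide: code_challenge out, code_verifier + code back."""
    verifier = new_verifier()
    code = as_.authorize("native_app", "com.example.app:/cb",
                         code_challenge=s256_challenge(verifier), method="S256")
    return as_.token("native_app", code, "com.example.app:/cb", code_verifier=verifier)


def wrong_verifier_is_rejected(as_: AuthorizationServer) -> bool:
    """An app that only saw the code (same URL scheme) does not hold the
    verifier, so its exchange attempt must fail at the Token Endpoint."""
    verifier = new_verifier()
    code = as_.authorize("native_app", "com.example.app:/cb",
                         code_challenge=s256_challenge(verifier), method="S256")
    try:
        as_.token("native_app", code, "com.example.app:/cb", code_verifier=new_verifier())
    except ValueError:
        return True
    return False
```

The `s256_challenge` function reproduces the RFC 7636 appendix B test vector, which is a quick way to check a PKCE implementation before wiring it to a real authorization server.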
SCENARIO – User Agent Based Client
•  App resides in the User Agent (e.g. a JavaScript app)
•  Client can’t keep its secret… secret
•  Client can’t keep much else secret either
SCENARIO – User Agent Based Client
[Diagram: Application (Client) running inside the User Agent, Authorization Server (AuthZ Endpoint, Token Endpoint), Web Server API (Resource Server), RO. Authentication Happens… at the AuthZ Endpoint and a token is returned to the Application (Client) in the User Agent.]
SCENARIO – Token Transformation
•  API-to-API conversations
   •  Swap a SAML assertion for an AT (or vice-versa)
   •  Swap an AT for another AT
•  Options
   •  SAML 2.0 Profile for OAuth 2.0
   •  JWT Profile for OAuth 2.0
   •  WS-Trust (!)
SCENARIO – SAML > Access Token
[Diagram: Client, Authorization Server (AuthZ Endpoint, Token Endpoint), WS-Trust Service / Web Service, REST API (Resource Server). The Client holds a SAML assertion from the WS-Trust Service, presents the SAML assertion to the Token Endpoint and receives token(s) for the REST API.]
SCENARIO – Access Token > SAML
[Diagram: Client, REST API (Resource Server), WS-Trust STS, WS-Trust Service / Web Service. The Client USEs the token against the REST API; the API exchanges the token at the WS-Trust STS for a SAML assertion and presents the SAML assertion to the WS-Trust Service.]
SCENARIO – Access Token > Access Token
[Diagram: Client, Authorization Server (AuthZ Endpoint, Token Endpoint), two REST APIs (Resource Servers). The Client USEs the token against the first API; that API exchanges the token at the Token Endpoint for a second token and USEs it against the second API.]
SCENARIO – Token Mediation
[Diagram: Client, Access Gateway, Authorization Server (AuthZ Endpoint, Token Endpoint), REST API (Resource Server). The Client USEs the token against the Access Gateway; the gateway evaluates an Access Policy with the Authorization Server and forwards a token to the API.]
RESOURCE SERVER CONSIDERATIONS
RESOURCE SERVER CONSIDERATIONS
•  Validation options
   •  Token introspection
   •  JWT validation
•  Validation is more than just digital signature (dsig) validation
   •  scopes, audience, issuer, etc.
TOKEN VALIDATION - Introspection
HTTP/1.1 200 OK
{
  "scope":"edit",
  "token_type":"urn:pingidentity.com:oauth2:validated_token",
  "expires_in":59933,
  "client_id":"im_client",
  "access_token":{
    "subject":"joe",
    "department":"SALES"
  }
}
TOKEN VALIDATION – JWT Validation
eyJhbGciOiJIUzI1NiIsImtpZCI6ImExIn0
.
eyJzdWJqZWN0Ijoiam9lIiwiZGVwYXJ0bWVudCI6IlNBTEVTIiwiZXhwIjoxNDMzNDg0NDI5LCJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6ImltX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vYXMucGluZ2RldmVsb3BlcnMuY29tIiwiYXVkIjoiaHR0cHM6Ly9hcGkucGluZ2RldmVsb3BlcnMuY29tIn0
.
vAim2TzzkWi_RRDtyf0RjAyY2H4MtWToSfsGPCfhc60
TOKEN VALIDATION – JWT Validation
{"alg":"HS256","kid":"a1"}
.
{"subject":"joe",
 "department":"SALES",
 "exp":1433484429,
 "scope":["edit"],
 "client_id":"im_client",
 "iss":"https://as.pingdevelopers.com",
 "aud":"https://api.pingdevelopers.com"}
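The resource-server side of the three validation slides (introspection response, JWT validation, and "more than just dsig validation"), as an added example that is not code from the deck or from Ping Identity. It uses only the Python standard library. The deck's own token from slide 24 is parsed unverified to show it carries the claims on slide 25, but its signature cannot be checked here because the authorization server's key is not on the page; so the demo mints a token with the same claims under a constructed HS256 key and validates that one, with the clock set to shortly before the token's exp. The key, the sample clock, and the helper names are assumptions.

```python
"""Resource-server checks: HS256 signature, then exp, issuer, audience and
scope; plus the same lifetime/scope checks on an introspection response.
Added example; the signing key and demo clock are constructed."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes, kid: str = "a1") -> str:
    """Demo-only issuer so there is a token whose signing key we hold."""
    def segment(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{segment({'alg': 'HS256', 'kid': kid})}.{segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def peek(token: str) -> tuple:
    """Unverified header and claims: acceptable for choosing a key by kid or
    for logging, never as the basis of an access decision."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def validate_jwt(token, keys, expected_iss, expected_aud, required_scope, now=None):
    """Return the claims if every check passes, else raise ValueError.
    Signature first, then the claim checks the slide lists."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the expected algorithm; do not honour 'alg' from the token
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this resource server")
    scope = claims.get("scope", [])
    if required_scope not in (scope.split() if isinstance(scope, str) else scope):
        raise ValueError("insufficient scope")
    return claims


def check_introspection(response: dict, required_scope: str) -> bool:
    """An introspection-style response like the one on slide 23 still needs
    the RS to check lifetime and scope rather than treat 200 OK as a yes."""
    if response.get("expires_in", 0) <= 0:
        return False
    return required_scope in response.get("scope", "").split()


# The deck's token from slide 24, joined back into compact form.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsImtpZCI6ImExIn0."
              "eyJzdWJqZWN0Ijoiam9lIiwiZGVwYXJ0bWVudCI6IlNBTEVTIiwiZXhwIjoxNDMz"
              "NDg0NDI5LCJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6ImltX2NsaWVudC"
              "IsImlzcyI6Imh0dHBzOi8vYXMucGluZ2RldmVsb3BlcnMuY29tIiwiYXVkIjoiaHR0"
              "cHM6Ly9hcGkucGluZ2RldmVsb3BlcnMuY29tIn0."
              "vAim2TzzkWi_RRDtyf0RjAyY2H4MtWToSfsGPCfhc60")
KEYS = {"a1": b"constructed-shared-secret-not-the-real-one"}  # constructed
ISS, AUD = "https://as.pingdevelopers.com", "https://api.pingdevelopers.com"
# Slide 23's introspection response, copied from the deck.
INTROSPECTION = {"scope": "edit", "expires_in": 59933, "client_id": "im_client",
                 "access_token": {"subject": "joe", "department": "SALES"}}


def fails(token, keys, aud=AUD, now=None) -> bool:
    try:
        validate_jwt(token, keys, ISS, aud, "edit", now=now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    claims = peek(PAGE_TOKEN)[1]           # the JSON shown on slide 25
    ours = mint_hs256(claims, KEYS["a1"])  # same claims, constructed key
    before_exp = claims["exp"] - 600       # pretend the clock is 10 minutes before exp
    return {
        "page_token_parses": claims["subject"] == "joe" and claims["aud"] == AUD,
        "page_token_rejected_without_its_key": fails(PAGE_TOKEN, KEYS, now=before_exp),
        "ours_ok": validate_jwt(ours, KEYS, ISS, AUD, "edit", now=before_exp) == claims,
        "ours_expired_today": fails(ours, KEYS),
        "ours_wrong_aud": fails(ours, KEYS, aud="https://other.example.test", now=before_exp),
        "introspection_edit": check_introspection(INTROSPECTION, "edit"),
        "introspection_admin": check_introspection(INTROSPECTION, "admin"),
    }
```

The order inside `validate_jwt` is deliberate: the algorithm is pinned by the resource server rather than read from the token, the key is selected by kid from a fixed set, and only after the signature holds are the claims parsed and compared with the issuer, audience and scope the resource server expects.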
REFERENCES
•  RFC 6749 - The OAuth 2.0 Authorization Framework
•  RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
•  RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
•  RFC 7009 - OAuth 2.0 Token Revocation
•  RFC 7519 - JSON Web Token (JWT)
•  RFC 7521 - Assertion Framework for OAuth 2.0 Client Authn and Authz Grants
•  RFC 7522 - SAML 2.0 Profile for OAuth 2.0 Client Authn and Authz Grants
•  RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authn and Authz Grants
•  draft-ietf-oauth-dyn-reg-30 - Dynamic Client Registration Protocol
•  draft-ietf-oauth-dyn-reg-management-15 - Dynamic Client Registration Management Protocol
•  draft-ietf-oauth-introspection-09 - OAuth 2.0 Token Introspection
•  draft-ietf-oauth-spop-11 - Proof Key for Code Exchange (PKCE)
QUESTIONS?
Thank You!
Paul Meyer
pmeyer@pingidentity.com
