CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

1 like1,087 views

The document discusses the advantages of using OpenID Connect over traditional SAML for authentication and API authorization, highlighting its single flow that allows both identity assertion and security tokens to be returned together. It outlines the processes for authorization requests, token responses, and key components such as access tokens and refresh tokens, emphasizing enhanced mobile and REST compatibility. Additionally, it contrasts OAuth 2 with OpenID Connect by noting the extra request for the 'openid' scope and the inclusion of an ID token.

Technology

CONSOLIDATING
AUTHENTICATION AND
API AUTHORIZATION USING
OPENID CONNECT
John Bradley
Copyright © 2014 Ping Identity Corp.All rights reserved. 2Confidential — do not distribute

SAML
SOAP WS-*
SAML
Web SSO
SAML
SOAP WS-*
Typical SAML Deployment model
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 3

Typical SAML Deployment model
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 4
• Two flows
– One using Web SSO for Authentication.
– One call to a STS to exchange authentication token for
security token.
– Typically no user consent.
– Not mobile friendly.

OpenID Connect
OpenID Connect Deployment model
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 5
OAuth 2

OpenID Connect Deployment model
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 6
• Single flow
– One request returns both Identity Assertion and security
token for access.
– Opportunity for user consent for API and login in a
single interface.
– Mobile/REST friendly.

Connect Rolls
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 7
• Authorization Server (IdP)
– Authorization endpoint
– Token endpoint
• Client (SP)
• Resource Server (API)

Authentication & Authorization request
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 8
• The basic OAuth Authorization request contains a list
of scopes (resources) that the client is requesting
access to.
• Connect adds a single scope to the request called
“openid” that causes the Identity assertion to be
returned.

Authorization Response
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 9
• The Authorization server response is standard OAuth
• The Authorization server returns a single use artifact
called a code.
• This prevents PII leakage via the browser, and
prevents large redirect URI that cause problems in
some browsers.

Request for tokens
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 10
• The client uses its credentials to make a direct
authenticated request to the Authorization Server
with the code received from the Authorization server
via the users browser.
• This is a simple http POST request.
• This request is standard OAuth.

Token Response
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 11
• Standard OAuth response containing
– Refresh Token
– Access Token
– JWT id_token (Connect extension to OAuth)

Identity Assertion
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 12
• JWT Contains
–  Audience
–  Issuer
–  Subject
–  Issued At
–  Expiry
–  Other optional claims like Authentication context.

Refresh Token
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 13
• Used to make additional requests for access tokens.
– Allows access tokens to be short lived.
– Allows Authorization server to revoke API access by not
granting new access tokens.
– Revoked refresh tokens cause the client to attempt
reauthorization by the Resource owner (user).

Access Token
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 14
• The token is added to REST calls to a Resource
server’s API.
– The token can be a signed JWT
– The token can be opaque and introspected via callback
to the Authorization server.

Delta between Oauth 2 and Connect
to add basic Authentication
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 15
• One additional scope requested “openID”
• One additional parameter returned id_token.

Native Applications
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 16
• Many social native applications use the id_token
from a login at google to authenticate to their own
API.

Using the id_token as an assertion
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 17
Native App
Authorization
server
App API Server
AS Resource
Server
Request
Access and ID Tokens
Access Token
ID Token

NAPPS
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 18
Token Agent
Authorization
server
App API Server
AS Resource
Server
Authentication Request
Refresh Token
Access Token
ID Token
Native App
Request
Token Request
Access & ID Tokens
Access & ID Tokens

QUESTIONS?
John Bradley @ve7jtb
Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 19

More Related Content

What's hot (20)

PDF

OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers

PPTX

Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit

PPTX

An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu

PDF

OpenID Connect ExplainedVladimir Dzhuvinov

PDF

CIS13: Introduction to OAuth 2.0CloudIDSummit

PPT

OAuth 2.0 and OpenId ConnectSaran Doraiswamy

PDF

CIS14: Working with OAuth and OpenID ConnectCloudIDSummit

PDF

OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff

PPTX

OpenID Connect 1.0 ExplainedEugene Siow

PDF

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake

PPTX

Single-Page-Application & REST securityIgor Bossenko

PPTX

Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.

PDF

Enterprise Single Sign On WSO2

PDF

Authentication and Authorization Architecture in the MEAN StackFITC

PPTX

OAuth2 & OpenID ConnectMarcin Wolnik

PDF

Spring security oauth2axykim00

PPTX

OpenID Connect: An OverviewPat Patterson

PPTX

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

KEY

OpenID vs OAuth - Identity on the WebRichard Metzler

PPTX

JWT SSO Inbound AuthenticatorMifrazMurthaja

OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers

Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit

An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu

OpenID Connect ExplainedVladimir Dzhuvinov

CIS13: Introduction to OAuth 2.0CloudIDSummit

OAuth 2.0 and OpenId ConnectSaran Doraiswamy

CIS14: Working with OAuth and OpenID ConnectCloudIDSummit

OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff

OpenID Connect 1.0 ExplainedEugene Siow

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake

Single-Page-Application & REST securityIgor Bossenko

Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.

Enterprise Single Sign On WSO2

Authentication and Authorization Architecture in the MEAN StackFITC

OAuth2 & OpenID ConnectMarcin Wolnik

Spring security oauth2axykim00

OpenID Connect: An OverviewPat Patterson

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

OpenID vs OAuth - Identity on the WebRichard Metzler

JWT SSO Inbound AuthenticatorMifrazMurthaja

Similar to CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect (20)

PDF

The “I” in API is for Identity (Nordic APIS April 2014)Nordic APIs

PDF

Who’s Knocking? Identity for APIs, Web and MobileNordic APIs

PPTX

Securing ap is oauth and fine grained access controlAaronLieberman5

PDF

CIS 2015 Extreme OAuth - Paul MeyerCloudIDSummit

PDF

Identity for IoT: An Authentication Framework for the IoTAllSeen Alliance

PPTX

Intro to OAuth2 and OpenID ConnectLiamWadman

PDF

CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit

PPTX

Securing APIs with oAuth2Michae Blakeney

PPTX

Creating a Sign On with Open id connectDerek Binkley

PDF

Spring4 security oauth2axykim00

PPTX

Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...MysoreMuleSoftMeetup

PPTX

Managing Identities in the World of APIsApigee | Google Cloud

PDF

Spring4 security oauth2Sang Shin

PDF

CIS13: Federation Protocol Cross-SectionCloudIDSummit

PDF

Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes

PPTX

OAuth2 and OpenID with Spring BootGeert Pante

PDF

Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz

PDF

Stateless Auth using OAuth2 & JWTGaurav Roy

PDF

Openstack identity protocols unconferenceDavid Waite

PDF

Demystifying AuthN/AuthZ Using OIDC & OAuth2NGINX, Inc.

The “I” in API is for Identity (Nordic APIS April 2014)Nordic APIs

Who’s Knocking? Identity for APIs, Web and MobileNordic APIs

Securing ap is oauth and fine grained access controlAaronLieberman5

CIS 2015 Extreme OAuth - Paul MeyerCloudIDSummit

Identity for IoT: An Authentication Framework for the IoTAllSeen Alliance

Intro to OAuth2 and OpenID ConnectLiamWadman

CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit

Securing APIs with oAuth2Michae Blakeney

Creating a Sign On with Open id connectDerek Binkley

Spring4 security oauth2axykim00

Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...MysoreMuleSoftMeetup

Managing Identities in the World of APIsApigee | Google Cloud

Spring4 security oauth2Sang Shin

CIS13: Federation Protocol Cross-SectionCloudIDSummit

Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes

OAuth2 and OpenID with Spring BootGeert Pante

Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz

Stateless Auth using OAuth2 & JWTGaurav Roy

Openstack identity protocols unconferenceDavid Waite

Demystifying AuthN/AuthZ Using OIDC & OAuth2NGINX, Inc.

More from CloudIDSummit (20)

PPTX

CIS 2016 Content HighlightsCloudIDSummit

PPTX

Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit

PDF

CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit

PDF

Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit

PDF

CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit

PDF

CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit

PDF

CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit

PDF

CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit

PDF

CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit

PDF

CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit

PDF

CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit

PDF

CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit

PDF

CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit

PDF

CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit

PDF

CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit

PDF

The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit

PDF

CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit

PDF

CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit

PDF

CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit

PDF

CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit