Full Stack Security
OAuth/OpenID Connect and JWT
connecting frontend and backend
DPC, Oct 2015
Peter.Varga
@thevrg
http://dpc.hu
DPC Consulting Ltd
Agenda
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A
OAuth 2.0
● Open standard for authorization (RFC 6749)
● Provides a method for a third-party to access
resources on behalf of a resource owner
● OAuth 2.0 access tokens are often (mis)used to imply
authentication, which OAuth 2.0 by itself does not provide
● OAuth 2.0 process consists of:
1. Obtaining an authorization grant
2. Obtaining an access token
3. Using the access token to make requests
Problems Addressed by OAuth 2.0
● In the traditional model, giving a third party access to a
resource owner’s resources means:
– the third party must store the resource owner’s credentials
– the third party’s access is not limited in scope
– the third party’s access is not limited in time
– the resource owner cannot revoke access for one third party
only; the only way to revoke access is to change the
credentials, which cuts off every third party at once
● OAuth 2.0 presents an alternative solution addressing
each of these issues
OAuth 2.0 Roles
● Client
● Resource Owner
● Authorization Server
● Resource Server
OAuth 2.0 Terminology
● Authorization Grant:
– credentials representing the resource owner’s
authorization
– used by the client to obtain an access token
● Access Token:
– credentials used to access protected resources
– represents specific scopes and durations of access
● Refresh Token:
– credentials used to obtain a new access token when
current access token becomes invalid
● Scope:
– determines which resources and operations the access
token may be used for; the token’s lifetime is a separate
property set by the authorization server (expires_in)
OAuth 2.0 Clients
● Confidential: can keep their credentials (client secret) secret
– server-side web applications
● Public: cannot keep a client secret, because the code runs
on the user’s device
– mobile phone apps
– desktop clients
– browser-based (JavaScript) applications
● Before the OAuth 2.0 process can take place, the client
must be registered with the authorization server
(client_id, client type, redirect URIs)
Obtaining Access Token
● There are different ways to obtain an access token:
– Authorization Code
– Implicit
– Resource Owner Password Credentials
– Client Credentials
– Extension grants, e.g. a SAML 2.0 assertion used as an
authorization grant (RFC 7522)
● All communication must be performed over TLS
Authorization Code Flow
Authorization Code Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
● response_type=code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
● a state parameter (not shown on the slide) should be added:
a random value the client checks on the callback, so an
attacker cannot inject their own code (login CSRF)
3: User authorizes request
● User authenticates if not authenticated yet
Authorization Code Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code=AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
● the code is short-lived and single-use; the authorization
server should only redirect to a registered redirect_uri
6: Client requests Access Token
POST https://oauthprovider.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
● server-to-server call; the client secret never reaches the
browser (RFC 6749 prefers HTTP Basic client authentication
over putting client_secret in the body)
7: Client receives Access Token
{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":3872,
"refresh_token":"REFRESH_TOKEN","scope":"read","uid":,
"info":{"name":"Peter Varga","email":"peter.varga@dpc.hu"}}
● only access_token, token_type, expires_in, refresh_token and
scope are defined by RFC 6749; uid and info are provider
extensions (the uid value is missing on the slide)
Implicit Flow
Implicit Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
● response_type=token
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=read
● state is mandatory in practice here too: the token arrives in
the browser, so state is the only link back to the session
that started the request
3: User authorizes request
● User authenticates if not authenticated yet
Implicit Flow (4-6)
4: Browser is redirected to Client’s CALLBACK_URL, with the
token in the URL fragment
https://sample.oauthclient.com/callback#access_token=ACCESS_TOKEN&token_type=bearer
● #access_token=ACCESS_TOKEN (the parameter is named
access_token in RFC 6749 section 4.2.2; expires_in, scope and
state are returned in the same fragment)
5: The callback page loads JavaScript which extracts the token
from the fragment
● The browser never sends the fragment, so the web server does
not see the access token
6: Script extracts the Access Token from the URL’s fragment
● The script can now call the resource server with it
● No refresh token is issued in this flow, and the token is
exposed to every script on the page and to the browser
history; remove it from the URL (history.replaceState) once
it has been read
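The fragment handling in steps 4-6, as an added example that is not from the deck or its demo: the script the callback page would run. It takes the page URL as a string so it also runs under Node; in a browser the function is called with window.location.href, and expectedState is whatever the page stored (for instance in sessionStorage) before redirecting to the authorization server. The callback URLs and state values used in the checks are constructed; parameter names follow RFC 6749 section 4.2.2, and id_token is the extra the OpenID Connect demo would add.

```javascript
// Added example, not from the slides: what the callback page does with the fragment.

// Parse and check the fragment; returns the token only when every check passes.
function parseFragmentResponse(href, expectedState) {
  const url = new URL(href);
  // The fragment is the only acceptable place for the token: a token in the query
  // string was already sent to the server and is sitting in its access log.
  if (url.searchParams.has('access_token')) throw new Error('token in query string, refusing');
  if (!url.hash) throw new Error('no fragment in callback URL');
  const p = new URLSearchParams(url.hash.slice(1));
  if (p.get('error')) throw new Error('authorization failed: ' + p.get('error'));
  // state ties this response to the request this page started (CSRF / token injection)
  if (!expectedState || p.get('state') !== expectedState) throw new Error('state mismatch');
  const accessToken = p.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  if ((p.get('token_type') || '').toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  const expiresIn = Number(p.get('expires_in'));
  return {
    accessToken,
    idToken: p.get('id_token'),            // null in plain OAuth 2.0; present in the OIDC demo
    scope: p.get('scope'),
    // no refresh token exists in this flow: when this passes, start a new authorization request
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : null,
  };
}

// After reading the token, drop the fragment so it is not kept in browser history or
// copied into a bookmark. In the browser:
//   history.replaceState(null, '', scrubFragment(window.location.href));
function scrubFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}
```

The query-string check is the point most often missed: a provider or proxy that "helpfully" moves the token into `?access_token=` has already leaked it server-side, and the page should treat that as a failed login rather than use the token.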
Access Token
● The access token is a “bearer token”; anyone
presenting it can obtain access:
– The access token is sent over TLS from the authorization
server to the client
– The access token usually has a short life span and is
renewed through refresh tokens
● A client can query the resource server endpoints to
access resources/information
Accessing Resources
● Once in possession of an access token, the client
presents the token to the resource server
● The resource server validates the token, its scope
and its expiry date
● The validation generally requires interaction or
coordination with the authorization server
GET /protected/resource HTTP/1.1
Host: resource.example.com
Authorization: Bearer ACCESS_TOKEN
Access Token Information
● RFC 6749 does not specify the communication between the
resource server and the authorization server
● There are proprietary mechanisms/implementations; the
OpenAM tokeninfo endpoint below is one. OAuth 2.0 Token
Introspection (RFC 7662) has since standardized this
– The authorization server has an endpoint which can be
used to get info (active, scope, expiry, subject) about the
presented access token
GET /openam/oauth2/tokeninfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
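How a resource server applies the checks described under Accessing Resources and Access Token Information, as an added example that is not from the deck. The introspect() function and its token table are a constructed stand-in for the tokeninfo/introspection endpoint (returning the RFC 7662 fields active, scope, sub and exp); a real resource server would call the authorization server over TLS with its own credentials instead. Header parsing and the WWW-Authenticate error responses follow RFC 6750; the token values and the fixed clock are made up for the example.

```javascript
// Added example, not from the slides: the resource server side of
// "GET /protected/resource" with "Authorization: Bearer ACCESS_TOKEN".

const NOW = 1700000000; // fixed clock in seconds so the example is deterministic

// Constructed stand-in for what the authorization server knows about issued tokens.
const tokenStore = {
  'good-token':    { active: true,  scope: 'read write', sub: '248289761001', exp: NOW + 3600 },
  'expired-token': { active: true,  scope: 'read',       sub: '248289761001', exp: NOW - 1 },
  'revoked-token': { active: false },
};

// Stand-in for the introspection call: unknown or revoked tokens are simply inactive,
// so the resource server never learns anything about tokens it should not honour.
function introspect(token) {
  return tokenStore[token] || { active: false };
}

// RFC 6750 section 2.1: the token travels in the Authorization header with the
// "Bearer" scheme (case-insensitive) as a b64token. The query-string and body forms
// the RFC also allows are not accepted here; they put tokens into logs and Referers.
function extractBearerToken(headers) {
  const value = headers['authorization'] || headers['Authorization'];
  if (!value) return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(value.trim());
  return m ? m[1] : null;
}

// Returns the HTTP response the resource server would send for `req`
// ({ url, headers }) when the resource needs `requiredScope`.
function authorizeRequest(req, requiredScope, now = NOW) {
  const realm = 'resource.example.com';
  const challenge = (extra) => ({ 'WWW-Authenticate': `Bearer realm="${realm}"${extra}` });
  if (/[?&]access_token=/.test(req.url)) {
    return { status: 400, headers: challenge(', error="invalid_request"'),
      body: 'send the token in the Authorization header' };
  }
  const token = extractBearerToken(req.headers);
  if (!token) {
    // No token at all: challenge without an error code (RFC 6750 section 3.1)
    return { status: 401, headers: challenge('') };
  }
  const info = introspect(token);
  if (!info.active || typeof info.exp !== 'number' || info.exp <= now) {
    return { status: 401, headers: challenge(', error="invalid_token"') };
  }
  const granted = (info.scope || '').split(' ');
  if (!granted.includes(requiredScope)) {
    return { status: 403, headers: challenge(`, error="insufficient_scope", scope="${requiredScope}"`) };
  }
  return { status: 200, body: { resource: 'protected data', sub: info.sub } };
}
```

The response codes matter for clients: 401 with invalid_token tells a well-behaved client to discard the token and use its refresh token (or re-authorize), while 403 with insufficient_scope tells it the token is fine but the user never consented to this scope, so a refresh will not help.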
Bearer Token Recommendations
(from RFC 6750, section 5.3)
● Safeguard bearer tokens: anyone holding one can use it
● Validate TLS certificate chains (never disable verification in
the client)
● Always use TLS (https)
● Don’t store bearer tokens in cookies that can be sent in the
clear
● Issue short-lived bearer tokens
● Issue scoped bearer tokens
● Don’t pass bearer tokens in URLs: query strings end up in
server logs, browser history and Referer headers
OpenID Connect
OAuth 2.0 is NOT an Authentication Protocol
OpenID Connect
● OpenID Connect = identity and authentication layered on top
of OAuth 2.0
● OAuth 2.0 is an authorization protocol; an access token says
what the client may access, not who the user is, and
possession of one proves nothing about who is at the browser
● OpenID Connect leverages the OAuth 2.0 handshake to
provide an identity assertion through an ID token
● With OAuth 2.0 the client requests an access token; with
OpenID Connect the client requests an access token and an
ID token (the scope must include openid)
OpenID Connect Flow
OpenID Connect Flow (1-3)
1-2: Authorization Request
https://oauthprovider.example.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=openid%20profile
● response_type=code
● client_id=CLIENT_ID
● redirect_uri=CALLBACK_URL
● scope=openid%20profile (openid turns the request into an
OpenID Connect one)
● a nonce parameter should be added as well: it is echoed in the
ID token and ties the token to this request
3: User authorizes request
● User authenticates if not authenticated yet
OpenID Connect Flow (4-7)
4-5: Browser is redirected to Client’s CALLBACK_URL
https://sample.oauthclient.com/callback?code=AUTHORIZATION_CODE
● code=AUTHORIZATION_CODE
6: Client requests Access Token and ID Token
POST https://www.googleapis.com/oauth2/v3/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
7: Client receives Access Token and ID Token
{"access_token": "ya29.JgEXH5-koEv0wnizPyikm8qdpRG",
"token_type": "Bearer", "expires_in": 3597,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc0ZWIyNDY1MGE0NzViNDkzZGQzZjFiMjU2MmM5MTZmOTA1MzIyOTAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3Vi"}
● the id_token is shown truncated on the slide: its first part
decodes to {"alg":"RS256","kid":"74eb24650a475b493dd3f1b2562c916f90532290"}
and its second part starts with {"iss":"accounts.google.com","sub
OpenID Connect ID Token
● Signed claim about user identity
● In Standard JSON Web Token (JWT) format
● Client must validate it before trusting any claim:
– Signature (with the provider’s published key; pin the
expected alg rather than trusting the header)
– Issuer (iss)
– Audience (aud must contain the client_id)
– Expiry (exp)
– Nonce (must match the one sent in the authorization request)
JSON Web Token
● Compact, URL-safe means of representing claims to be
transferred between two parties
● IETF standard: RFC 7519 (May 2015), formerly
draft-ietf-oauth-json-web-token
– https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
– http://jwt.io/
● Simple structure: three base64url-encoded parts separated
by dots, header.payload.signature
– Header (alg, typ, kid)
– Payload (the claims: iss, sub, aud, exp, iat, nonce, ...)
– Signature (over header.payload; a JWT whose signature has
not been verified is just JSON anyone could have written)
JSON Web Token (JWT) Structure
User Information Endpoint
● OpenID Connect specifies it
● Returns claims about the end user on whose behalf the
access token was issued; the token must carry the openid scope
● Key user accounts on sub, the provider’s stable identifier,
not on email: an address can be reassigned, and the provider
only vouches for it when email_verified is true
GET /openam/oauth2/userinfo HTTP/1.1
Host: login.example.com
Authorization: Bearer ACCESS_TOKEN
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "janedoe@example.com"
}
Demo
Starting Implicit Flow with OpenID Connect
Processing Tokens Passed by the Authorization Server
Summary
● OAuth 2.0
● OpenID Connect
● JSON Web Token (JWT)
● Demo
● Q&A
Q & A
