![Roles in OAuth2.0
Resource [R]
A HTTP Resource / Service / App
Resource Owner [RO]
Entity that is capable of granting access to a resource
Resource Server [RS]
Protected resource Host
Client Application [CA]
Application making request to RS on behalf of RO to gain access to R
Authorization Server [AS]
Generates tokens after authenticating the RO and obtaining authorization](https://image.slidesharecdn.com/oauth-150404073425-conversion-gate01/85/OAuth-2-0-and-OpenId-Connect-16-320.jpg)
![OpenID Connect
• Why OpenID Connect
– No responsibility of apps to maintain passwords
– Uses Claims to transfer profile information across diverse apps
• How does it work
– (Identity, Authentication) + OAuth 2.0 = OpenID Connect
• System-level support
– Android OS
– Windows Server 2012 – R2 [ADFS 3.0]
• OpenID makes use of OAuth 2 flows to establish identity](https://image.slidesharecdn.com/oauth-150404073425-conversion-gate01/85/OAuth-2-0-and-OpenId-Connect-28-320.jpg)
![OpenID Connect Glossary
• IDP [AaaS]
– Any service that provides identity and authentication
• RP
– App that out sources its authentication to an IDP
• OP
– The OpenID provider
• Claims
– Piece of information about an entity / identity](https://image.slidesharecdn.com/oauth-150404073425-conversion-gate01/85/OAuth-2-0-and-OpenId-Connect-31-320.jpg)
![OpenID & SAML
• SAML
– For web based apps
– Uses XML
• OpenID Connect
– JSON
– REST
– Any app [Native, Mobile, Web]](https://image.slidesharecdn.com/oauth-150404073425-conversion-gate01/85/OAuth-2-0-and-OpenId-Connect-36-320.jpg)
![Realtime Implementation
• Authorization Server in TechCello
– OpenID Connect 1.0
– OAuth 2.0
• Supported Modes
– Social Logins [MSFT, GOOG, FB, TWT]
– WAAD
– ADFS 3.0
– LDAP
– Proprietary Authentication exposed as an OP](https://image.slidesharecdn.com/oauth-150404073425-conversion-gate01/85/OAuth-2-0-and-OpenId-Connect-37-320.jpg)
OAuth 2.0 and OpenId Connect
- 2. Authentication & Authorization Authentication Establishment of a binding of confidence between and entity and an identity Authorization Process of establishing the rights for the authenticated user
- 3. Why AuthN & AuthZ • To avoid insecure resource access • To give finer control on the resource access • To track the various actions performed on resources by the doer’s • Increasing variations in resource consumers • Overcoming security breaches
- 4. Ways to Achieve • Authentication – Username / Password – Certificates – Access tokens / established identity etc… – Finger print / Retina Scan etc… • Authorization – Roles – Policies
- 5. Authorization Background • Policy Phases – Definition – Enforcement • Access Control Lists / Capability – Principle of least privilege • Tokens – Anonymous identity support
- 6. Need for OAuth Problem – Present day has Multitudes of • Applications • Identities – Hard to remember authentication information among above Solution – Delegated Authentication & Authorization
- 7. Use Case Multitude of devices for accessing 1 application
- 8. SSO Use Case
- 9. Problems Addressed in OAuth
- 10. The Problem 1. Credentials Sharing 2. Unrestricted Access 3. Servers are required to handle authentication & authorization 4. Difficulty in revoking 5. Huge chain of dependencies 6. Security breach
- 11. Solution 1. Abstracting the authorization layer from the client & server 2. No more password sharing 3. Access Tokens / Valet Keys with lifetimes 4. Takes place over HTTPS / SSL 5. Concealed / isolated identity
- 12. OAuth 2.0
- 13. What is OAuth • OAuth 2.0 is an Authorization Framework • Framework specifying – Authentication & Authorization delegation – Interactions in the delegation process
- 14. Specification • Google, Yammer & Bitbucket all speak through OAuth. • Developed in 2006 by Twitter & Ma.gnolia • Evolved from 1.0 to 2.0 • Main problem targeted by OAuth is Access Delegation
- 15. Use Case
- 16. Roles in OAuth2.0 Resource [R] A HTTP Resource / Service / App Resource Owner [RO] Entity that is capable of granting access to a resource Resource Server [RS] Protected resource Host Client Application [CA] Application making request to RS on behalf of RO to gain access to R Authorization Server [AS] Generates tokens after authenticating the RO and obtaining authorization
- 17. Flow
- 18. Authorization Grant Server-side Scenarios Target Applications 1. Any app that is web enabled / Desktop 2. Application that can access a browser
- 19. Flow
- 21. Implicit Grant • Scripted client access – Ex: Google Ad services API • For well known clients • No client validation happens • Access Token sent as a fragment in the response
- 24. Resource Owner Flow • Fully trusted applications • Not very secure • Maintained for backward compatibility • Use of existing data to generate the access tokens
- 26. Sample
- 27. OpenID Connect
- 28. OpenID Connect • Why OpenID Connect – No responsibility of apps to maintain passwords – Uses Claims to transfer profile information across diverse apps • How does it work – (Identity, Authentication) + OAuth 2.0 = OpenID Connect • System-level support – Android OS – Windows Server 2012 – R2 [ADFS 3.0] • OpenID makes use of OAuth 2 flows to establish identity
- 30. OpenID 2.0 & OpenID Connect • Compared to OpenID2.0, OpenID Connect uses – JWT Data Structures – Simplified signing of tokens – No XML – Highly interoperable
- 31. OpenID Connect Glossary • IDP [AaaS] – Any service that provides identity and authentication • RP – App that out sources its authentication to an IDP • OP – The OpenID provider • Claims – Piece of information about an entity / identity
- 32. Flow
- 34. Sample JWT • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEz ODY4OTkxMzEsImlzcyI6ImppcmE6MTU0ODk1OTUiLC Jxc2giOiI4MDYzZmY0Y2ExZTQxZGY3YmM5MGM4YW I2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdiNDY xNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKq U9dTB6gKwG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo • <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
- 36. OpenID & SAML • SAML – For web based apps – Uses XML • OpenID Connect – JSON – REST – Any app [Native, Mobile, Web]
- 37. Realtime Implementation • Authorization Server in TechCello – OpenID Connect 1.0 – OAuth 2.0 • Supported Modes – Social Logins [MSFT, GOOG, FB, TWT] – WAAD – ADFS 3.0 – LDAP – Proprietary Authentication exposed as an OP
- 38. Points to Ponder Upon • Automated OP Discovery • Automated Client Registration