o-auth 2.0, openid connect 1.0, single sign-on subhojeet...
TRANSCRIPT
Web-based Authentication and Authorization SchemesO-Auth 2.0, OpenId Connect 1.0, Single Sign-On
Subhojeet Mukherjee
Colorado State University
April 19, 2016
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 1 / 40
Contents
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 2 / 40
MotivationSo you thought username-password based authentication was enough?
Which one do you think is better?
Figure: Twit Resource Access
Since weird guy has valid Twittercredentials is Twitter allowed to give awayMY photos?If yes is Twitter allowed decide which onesto give away?Does having only valid username-passwordsolve these problems?
Figure: Twit Resource Access 2
Weird guy has valid username-password.Twitter does not own MY resources.Twitter must be certain that I allowedhim to get whatever he requires.I am responsible for deciding whichpictures he can read and which he cant.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 3 / 40
MotivationSo you thought username-password based authentication was enough?
Moral of the Story
We need much more than simple user-name password based authentication.
O-Auth 2.0, OpenId Connect 1.0 and Single Sign On are some web-based authentication andauthorization protocols which can be issues mentioned in the previous slide.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 4 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 5 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 6 / 40
O-Auth 2.0Why use it?
Figure: Typical O-Auth Operation
What happens in an O-Auth 2.0?
Random guy wants your photos on Twitter.He wants your permission to access 5different photos.You decide to give access to read 3 photos.
What advantages does O-Auth 2.0 give?
Users can control if third-party is allowed toaccess their resources.Users can decide which resources should beshared.Granted permissions can be revoked at anytime.Users do not need to share your credentialswith an untrusted third party application togive them access to their resources.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 7 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 8 / 40
O-Auth 2.0Abstract Protocol Flow
Client
Resource Owner
Authorization Server
Resource Server
(A) Authorization Request
(B) Authorization Grant
(C) Authorization Grant
(D) Access Token
(E) Access Token
(F) Protected Resources
Figure: O-Auth 2.0 Abstract Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 9 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 10 / 40
O-AuthActors
Typically four actors are involved in an O-Auth protocol flow.
Resource Owner Owner of the resource. Entity capable of granting access to resources owned bythem.
Example
ME as a Twitter user.
Resource Server Server where the resources are stored. Allows access to protected resourcesdepending on access scope.
Example
Twitter server at San Francisco.
Client Any third party who wants to access protected resources.
Example
Data analyst, mobile/web application etc.
Authorization Server The server responsible for delegating access privileges to the “Client” basedon the “Resource Owner”’s decisions.
Example
Apache Oltu.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 11 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 12 / 40
O-Auth 2.0Client Registration
Figure: Client Registration Process
Step in protocol: Before protocol is initiated. Typically a one-time task.Medium: Web registration form, third party validation etc.Requirements:
1 Client type:
Confidential Ability to keep credentials secret.Public Inability to keep credentials secret.
2 Redirection URI: Client end-point where resource-owner should be redirected duringauthorization grant.
3 Additional Information: Application name, website, logo, description etc.
Response:
Client Identifier: Unique string representing the registration information provided by the client. Isnot a secret.
Client Secret: A secret shared between client and authorization server.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 13 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 14 / 40
O-Auth 2.0Abstract Protocol Flow
Client
Resource Owner
Authorization Server
Resource Server
(A) Authorization Request
(B) Authorization Grant
(C) Authorization Grant
(D) Access Token
(E) Access Token
(F) Protected Resources
Figure: O-Auth 2.0 Abstract Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 15 / 40
O-Auth 2.0Authorization Grants
Covers: (A-B-C-D) in Abstract Protocol Flow.
Authorization Grant types:
1 Authorization Code
2 Implicit Grants
3 Resource Owner Password Credentials
4 Client Credentials
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 16 / 40
O-Auth 2.0: Authorization Grants: Authorization CodeAbstract Flow
A:
Client ------- [Authorization Grant Type: Authorization Code] ------> Resource Owner
B:
Client <------- [Authorization Grant] <------ Resource Owner
C:
Client ------- [Authorization Grant] ------> Authorization Server
D:
Client <------- [Access token] ------ Authorization Server
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 17 / 40
O-Auth 2.0: Authorization Grants: Authorization Code IProtocol Flow
Resource Owner
User Agent
Client
AuthorizationServer
(A) Client Identifier & Redirection URI
(B) User Authenticates
(C) Authorization Code
(D) Authorization Code & Redirection URI
(E) Access Token (w/ Optional Refresh Token)
(A) (C)
(B)
Figure: O-Auth 2.0 Authorization Code Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 18 / 40
O-Auth 2.0: Authorization Grants: Authorization Code IIProtocol Flow
(A) Client redirects users user-agent (web-browser) to authorization server.
The redirect contains the client id and redirection URI obtained during registration.
Examplehttps://cloud.digitalocean.com/v1/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
(B) Resource owner authenticates to authorization server and grants required access.
(C) Authorization server redirects resource owner user-agent to client redirection URIwith authorization code.
Examplehttps://dropletbook.com/callback?code=AUTHORIZATION_CODE
(D) Client forwards authentication code to authorization server.
At this point client authenticates with the authorization server.
Examplehttps://cloud.digitalocean.com/v1/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 19 / 40
O-Auth 2.0: Authorization Grants: Authorization Code IIIProtocol Flow
(E) Authorization server performs required client validation and returns access token.
Example{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":2592000,"refresh_token":"REFRESH_TOKEN","scope":"read","uid":100101,"info":{"name":"Mark E. Mark","email":"[email protected]"}}
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 20 / 40
——————————————————————————————————
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 21 / 40
O-Auth 2.0: Authorization Grants: Implicit GrantAbstract Flow
A:
Client ------- [Authorization Grant Type: Implicit Grant] ------> Resource Owner
D:
Client <------- [Access token] ------ Resource Owner
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 21 / 40
O-Auth 2.0: Authorization Grants: Implicit Grant IProtocol Flow
Figure: O-Auth 2.0 Implicit Grant Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 22 / 40
O-Auth 2.0: Authorization Grants: Implicit Grant IIProtocol Flow
(A) Client redirects users user-agent (web-browser) to authorization server.
The redirect contains the client id and redirection URI obtained during registration.
Examplehttps://cloud.digitalocean.com/v1/oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
(B) Resource owner authenticates to authorization server and grants required access.
(C) Authorization server redirects resource owner user-agent to client redirection URIwith access token in the URI.
Access token is visible to the resource owner.
Examplehttps://dropletbook.com/callback#token=ACCESS_TOKEN
(D) Resource owner’s user agent redirects to client supplied redirection URI.
This redirect does not include the access token.
(E) Web Hosted Client Resource provides a script that could extract the providedaccess token.
(F) Resource owner’s user agent runs the script.
(G) Resource owner’s user agent thus passes the access token to the client.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 23 / 40
O-Auth 2.0: Authorization Grants: Resource Owner PasswordCredentialsAbstract Flow
B:
Client <------- [Resource Owner Password Credentials] ------ Resource Owner
C:
Client ------- [Resource Owner Password Credentials] ------> Authorization Server
D:
Client <------- [Access token] ------ Authorization Server
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 24 / 40
O-Auth 2.0: Authorization Grants: Resource Owner PasswordCredentials IProtocol Flow
Figure: O-Auth 2.0 Resource Owner Password Credentials Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 25 / 40
O-Auth 2.0: Authorization Grants: Resource Owner PasswordCredentials IIProtocol Flow
(A) Resource owner initiates the flow by providing highly trusted client with his usernameand password.
(B) Client forwards credentials to authorization server.
Examplehttps://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID
(C) Authorization Server provides access token.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 26 / 40
O-Auth 2.0: Authorization Grants: Client CredentialsAbstract Flow
C:
Client ------- [Resource Owner Credentials] ------> Authorization Server
D:
Client <------- [Access token] ------ Authorization Server
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 27 / 40
O-Auth 2.0: Authorization Grants: Client Credentials IProtocol Flow
Figure: O-Auth 2.0 Client Credentialss Protocol Flow
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 28 / 40
O-Auth 2.0: Authorization Grants: Client Credentials IIProtocol Flow
(A) Resource owner/Client by authorizing to the authorization server.
Examplehttps://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
(B) Authorization Server provides access token.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 29 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 30 / 40
O-Auth 2.0: Authorization Server ResponseSuccessful Validation
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
Contains the following information:
access token: As provided by authorization server.
token type: “Bearer”, “Mac” etc.
expires in Lifetime in seconds of the access token
refresh token A refresh token which can be used to obtain a new access token.
scope Space delimited string used to express access control specifications.Requested initially by the client.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 31 / 40
O-Auth 2.0: Authorization Server ResponseUnsuccessful Validation
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"error":"invalid_request"
}
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 32 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 33 / 40
O-Auth 2.0Accessing Protected Resources
Client sends query to resource server with access token.
Examplecurl -X POST -H "Authorization: Bearer ACCESS_TOKEN""https://api.digitalocean.com/v2/$OBJECT"
Resource server interprets the authorization server’s response (access token).
Resource server validates the token.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 34 / 40
O-Auth 2.0References
Materials referenced from:
1 https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
2 http://tutorials.jenkov.com/oauth2/authorization-code-request-response.html
3 https://tools.ietf.org/html/rfc6749
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 35 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 36 / 40
OpenID Connect IOverview
0-Auth provides a mechanism of authorization.
What is the guarantee that the Client you are talking to is an authentic one?
OpenId provides that guarantee by authenticating the user.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 37 / 40
Figure: OpenId Connect Example
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 38 / 40
OpenID ConnectReferences
Materials referenced from:
1 https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com
2 http://openid.net/connect/
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 38 / 40
Outline
1 Motivation
2 O-Auth 2.0MotivationAbstract Protocol FlowActorsClient RegistrationAuthorization Grants
Authorization CodeImplicit GrantResource Owner Password CredentialsClient Credentials
Authorization Server ResponseAccessing Protected Resources
3 OpenID Connect 1.0
4 Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 39 / 40
Single Sign On I
Use one username password for access to multiple applications.
Each application vendor must trust primary login domain.
Eg. You login to gmail. You can access Youtube, Hangout and other Google aps usingthe same login session.
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 40 / 40
Figure: Single Sign On
Subhojeet Mukherjee (Colorado State University)Web-based Authentication and Authorization SchemesApril 19, 2016 40 / 40