
An introduction to OAuth and OpenID Connect



  1. An introduction to OAuth and OpenID Connect

  2. Background

  3. Introduction • Why OAuth? • History of OAuth • Overview of OAuth 2.0 • What is OpenID Connect • Issues with OAuth 2.0

  4. Why OAuth?

  5. Classic Scenario • Trusted subsystems • Classic security is intranet only • Active Directory/LDAP/Kerberos

  6. Enterprise to Enterprise • Trusted external parties • Soap, Xml, WS-*

  7. Mobile Computing • No enterprise security integration • Lightweight • Low power • HTTP/JSON/HTML5

  8. Game Changer

  9. In Reality...

  10. History of OAuth

  11. In the Beginning • Online services • 3rd party applications • Insecure

  12. Proprietary Protocols

  13. OAuth 1.0 • An open standard • Based on current best practice • Released Nov 2007 • Still had issues

  14. OAuth 1.0 Issues • Complex • Limited scope • Didn’t scale

  15. What is OAuth 2.0?

  16. Delegated Authorisation

  17. Server Application

  18. Client Application

  19. Native Application

  20. OAuth 2.0 Client Profiles • Server side web application • Client side (browser) application • Native application

  21. OAuth 2.0 Roles • Resource Owner • Client Application • Resource Server • Authorization Server

  22. Application Registration

  23. Access Token • Bearer Tokens • Not crypto signed • SSL/TLS required • Transmission: • Header (preferred) • Query string param • Form encoded param

  24. OAuth 2.0 Authorization Flows • Authorization Code • Implicit Grant • Resource Owner Password • Client Credentials • Device Profile • SAML Bearer Assertion Profile

  25. Authorization Code Flow • Server to Server • Best used: • OAuth client is a web server • Long-lived access • Access Accountability

  26. Authorization Code Flow
      GET accounts.google.com/o/oauth2/auth?
          client_id=mossbook&
          scope=googleapis.com/auth/tasks&
          redirect_uri=https://mossbook.com/cb&
          response_type=code&
          state=999

  27. Authentication Authorisation

  28. Retrieve Access Token
      GET mossbook.com/cb?code=762475&state=999

      POST /token
      Authorization: Basic (client_id:secret)

      grant_type=authorization_code&
      code=762475&
      redirect_uri=https://mossbook.com/cb

      {
        "access_token" : "abc",
        "expires_in" : "3600",
        "token_type" : "Bearer",
        "refresh_token" : "xyz"
      }

  29. Access Resources GET googleapis.com/tasks/1/lists/tasks/all

  30. Implicit Grant
      GET accounts.google.com/o/oauth2/auth?
          client_id=mossbook&
          scope=googleapis.com/auth/tasks&
          redirect_uri=https://mossbook.com/cb&
          response_type=token&
          state=999
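
The authorization code flow of slides 26 to 29 as a client-side walk-through, with the response_type parameter also covering the implicit grant of slide 30. This is an added example, not code from the presentation; the client id, secret, endpoints and redirect URI are constructed sample values modelled on the slides, and the token endpoint path is assumed.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values modelled on the slides; the token endpoint path is assumed.
AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "mossbook"
CLIENT_SECRET = "s3cret"          # constructed sample secret
REDIRECT_URI = "https://mossbook.com/cb"


def build_authorize_url(scope, response_type="code", state=None):
    """Step 1 (slides 26/30): redirect the user to the authorization server.
    response_type="code" is the authorization code flow; "token" is the
    implicit grant. The state value must be unguessable and kept per session."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "scope": scope, "redirect_uri": REDIRECT_URI,
              "response_type": response_type, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 2 (slide 28): the user lands on redirect_uri with code and state.
    A code whose state does not match the one issued for this session is
    rejected; that check is what the state parameter exists for."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the callback this session asked for")
    if "error" in query:
        raise ValueError("authorization server returned: " + query["error"][0])
    return query["code"][0]


def token_request(code):
    """Step 3 (slide 28): server-to-server exchange of the code for tokens.
    Returns the headers and form body the client POSTs to the token endpoint."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body


def bearer_header(token_response):
    """Step 4 (slides 23/29): present the access token in the Authorization
    header, the transmission method the slides mark as preferred."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(token_response.get("token_type")))
    return {"Authorization": "Bearer " + token_response["access_token"]}
```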

  31. Resource Owner Password • For trusted clients/devices • Credentials collected • User experience traditional form

  32. Client Credentials • Machine to Machine • Client owns the data • Not widely Implemented

  33. OpenID Connect

  34. Authentication

  35. Insecure Impersonation

  36. oauth.io

  37. OpenID • Built on top of OAuth 2.0 • Standardises: • UserInfo resource • An extra token type • Added protocol validation • Coming soon: • Session Management • Discovery • Dynamic registration

  38. OpenID Connect Flow
      GET accounts.google.com/authorise?
          client_id=mossbook&
          scope=openid&
          redirect_uri=https://mossbook.com/cb&
          response_type=code&
          state=999

      {
        "access_token" : "abc",
        "id_token" : "rst",
        "expires_in" : "3600",
        "token_type" : "Bearer",
        "refresh_token" : "xyz"
      }

  39. OAuth 2.0 Issues

  40. It's Hammer time! “When compared to OAuth 1.0 the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure” Eran Hammer

  41. A Committee Divided

  42. Overly Complex

  43. Design by Committee • Evolved into a framework • Not explicit enough • Multiple interpretations • Open Standard • Insecure

  44. Defence in Depth? • Bearer tokens not tied to request • Reliance on SSL • Developers WTF?? • Infrastructure level bypass • Pineapples

  45. Large Attack Surface

  46. Security Theatre

  47. Controversy • Another Eran Hammer “OAuth is dead” picture from RealTimeConf 2012

  48. Authorisation • OAuth 2.0 • Authentication • OpenID Connect • Thank you very much, you’ve been a great audience

  49. References

  50. References • http://oauth.net/ • http://hueniverse.com/ • http://www.leastprivilege.com
