philippederyck
play

@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who - PowerPoint PPT Presentation

Jul 04, 2023 •773 likes •1.23k views

A UTHENTICATION WITH O PEN ID C ONNECT IN A NGULAR D R . P HILIPPE D E R YCK https://Pragmatic Web Security.com D R . P HILIPPE D E R YCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) -

  1. A UTHENTICATION WITH O PEN ID C ONNECT IN A NGULAR D R . P HILIPPE D E R YCK https://Pragmatic Web Security.com

  2. D R . P HILIPPE D E R YCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) - Course curator of the SecAppDev course (https://secappdev.org) Pragmatic Web Security High-quality security training for developers and managers Custom courses covering web security, API security, Angular security, … Consulting services on security, OAuth 2.0, OpenID Connect, … @P HILIPPE D E R YCK @PhilippeDeRyck 2 HTTPS ://P RAGMATIC W EB S ECURITY . COM

  3. @PhilippeDeRyck 3

  4. @PhilippeDeRyck 4

  5. @PhilippeDeRyck 5

  6. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github 1 Open Github for authentication @PhilippeDeRyck 6

  7. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github 1 Open Github for authentication @PhilippeDeRyck 7

  8. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github 1 Open Github for authentication @PhilippeDeRyck 8

  9. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github 1 Open Github for authentication @PhilippeDeRyck 9

  10. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github Redirect back to Netlify 5 with information about Philippe 1 Open Github for authentication 6 Follows redirect to Netlify 7 Github says it's Philippe. Hi Philippe! @PhilippeDeRyck 10

  11. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github Redirect back to Netlify 5 with information about Philippe 1 Open Github for authentication 6 Follows redirect to Netlify 7 Github says it's Philippe. Hi Philippe! @PhilippeDeRyck 11

  12. 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github Redirect back to Netlify 5 with information about Philippe 1 Open Github for authentication 6 Follows redirect to Netlify 7 Github says it's Philippe. Hi Philippe! @PhilippeDeRyck 12

  13. Not part of the OIDC spec 3 Who that? 4 It's me, Philippe! 2 Follows the redirect to Github Redirect back to Netlify 5 with information about Philippe OpenID Connect 1 Open Github for authentication 6 Follows redirect to Netlify 7 Github says it's Philippe. Hi Philippe! @PhilippeDeRyck 13

  14. @PhilippeDeRyck 14

  15. @PhilippeDeRyck 15

  16. @PhilippeDeRyck 16

  17. @PhilippeDeRyck 17

  18. 3 Who that? On-premise or cloud-based 4 It's me, Philippe! 2 Follows the redirect to the identity provider Redirect back 5 with information about Philippe 1 Authenticate with my provider 6 Follows redirect 7 My provider says it's Philippe. Hi Philippe! @PhilippeDeRyck 18

  19. D ELEGATE AUTHENTICATION WITH O PEN ID C ONNECT Building a secure custom authentication mechanism is hard Identity providers are specialized in managing & authenticating users Offloading authentication makes sense, even in a non-SSO scenario @PhilippeDeRyck 19

  20. Obtain an authorization code User authentication Session Exchange code for identity token @PhilippeDeRyck 20

  21. Obtain an authorization code Obtain an authorization code Session Exchange code Exchange code for identity token for identity token @PhilippeDeRyck 21

  22. Obtain an authorization code Obtain an authorization code Call API with an OAuth 2.0 Session access token Exchange code Exchange code for identity token for identity token and access token @PhilippeDeRyck 22

  23. Obtain an authorization code Obtain an authorization code Call API with an OAuth 2.0 Session access token Exchange code for identity token Exchange code for identity token and access token Call API with and access token an OAuth 2.0 access token @PhilippeDeRyck 23

  24. @PhilippeDeRyck 24

  25. R EDIRECT FROM N ETLIFY TO G ITHUB 1 2 GitHub's OIDC endpoint https://github.com/openid-connect/auth Indicates the OIDC hybrid flow ?response_type=id_token code &client_id=NetlifyClient Requests access to user's identity information &scope=openid email profile &redirect_uri=https://netlify.com/codeCallback &state=s0wzojm2w8c23xzprkk6 &nonce=Bh91lG2QLb1jAiaha372 Redirect to Github 2 for authentication 1 Sign in with Github @PhilippeDeRyck 25

  26. 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Redirect to Github 2 for authentication 1 Sign in with Github @PhilippeDeRyck 26

  27. R EDIRECT FROM G ITHUB TO N ETLIFY 7 8 Approved redirect URI https://netlify.com/codeCallback Authorization code 5 ?code=q3AKQ...0X4UeQ Request client authorization JWT containing authentication information &id_token= eyJhbGciO...du6TY9w 3 Authenticate yourself &state=s0wzojm2w8c23xzprkk6 4 Login credentials 6 Authorize client Redirect to Github 2 for authentication Redirect with authorization code 7 and identity token 1 Sign in with Github 8 Authorization code and identity token @PhilippeDeRyck 27

  28. T HE IDENTITY TOKEN CONTAINS INFORMATION ABOUT THE USER ' S AUTHENTICATION 8 { Profile information about the user "name": "Philippe De Ryck", 5 Request client authorization "email": "philippe@pragmaticwebsecurity.com", 3 Authenticate yourself "email_verified": true, The identifier of the issuer of the token "iss": "https://github.com", "aud": "NetlifyClient", The intended audience for this token 4 Login credentials "iat": "1550400912", 6 Authorize client "exp": "1550422512", The unique ID of the user within the issuer "sub": "github|bBFd87uO9PDaVpOjZRB7", } Redirect to Github 2 for authentication Redirect with authorization code 7 and identity token 1 Sign in with Github 8 Authorization code and identity token @PhilippeDeRyck 28

  29. 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Authorization code 9 10 access token / refresh token Redirect to Github with client credentials 2 for authentication Redirect with authorization code 7 and identity token 1 Sign in with Github 11 Github repo 8 API Authorization code 12 Data to deploy and identity token @PhilippeDeRyck 29

  30. @PhilippeDeRyck 30

  31. 3 Authenticate yourself Frontends are no 4 Login credentials place to keep a secret. Authorization code 8 7 access token Redirect for with client credentials 2 authentication Redirect with authorization code 5 and identity token 1 Sign in 9 Github repo 6 API Authorization code 10 Data to deploy and identity token @PhilippeDeRyck 31

  32. 4 Store code challenge 10 Match code challenge to verifier 5 Authenticate yourself 6 PKCE replaces client Login credentials credentials with a "one-time password" Authorization code 11 Redirect for 9 access token with code verifier 3 authentication with code challenge Redirect with authorization code 7 and identity token 2 Sign in URL with code challenge 12 Github repo 8 API Authorization code 13 Data to deploy and identity token 1 Generate code verifier @PhilippeDeRyck 32

  33. @PhilippeDeRyck 33

  34. npm install angular-oauth2-oidc this.oauthService.initCodeFlow(); @PhilippeDeRyck 34

  35. npm install @auth0/auth0-spa-js this.auth0Client$.subscribe((client: Auth0Client) => { client.loginWithRedirect() }); @PhilippeDeRyck 35

  36. npm install keycloak-js keycloak.init({ flow: 'hybrid', promiseType: 'native', }) @PhilippeDeRyck 36

  37. U SE THE RIGHT OIDC FLOW FOR YOUR APPLICATION Both a backend and a frontend can use the OIDC hybrid flow Backends require client authentication & frontends require PKCE OIDC is typically used along with OAuth 2.0 to enable API access @PhilippeDeRyck 37

  38. @PhilippeDeRyck 38

  39. Authenticate with preferred provider 3 Redirect to Github 2 for authentication Redirect with authorization code 4 and identity token 1 Sign in with Github 5 Authorization code and identity token @PhilippeDeRyck 39

  40. Users Employees Allowing employees to be normal users as well 2 Identity brokering 1 Sign in Employee-only applications A public application available to all users @PhilippeDeRyck 40

  41. OIDC IS MORE THAN AUTHENTICATION ALONE OIDC also includes support for session management and logout Identity brokering enables the chaining of multiple identity providers Identity brokering is a crucial concept in enterprise architectures @PhilippeDeRyck 41

  42. F REE REE SE SECU CURITY CH CHEAT SH SHEETS FO FOR MO MODERN APPL APPLICATIONS https://cheatsheets.pragmaticwebsecurity.com/ @PhilippeDeRyck 42

  43. March 9 th – 13 th , 2020 Leuven, Belgium A week-long course on Secure Application Development Taught by experts from around the world 38 in-depth lectures and 3 one-day workshops https://secappdev.org A yearly initiative from the SecAppDev.org non-profit, since 2005 @PhilippeDeRyck 43

  44. T HANK YOU ! Follow me on Twitter to stay up to date on web security best practices @PhilippeDeRyck

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City, Ottawa, Paris @clementoudot ISO 9001:2004 / ISO 14001:2008 contact@savoirfairelinux.com GET /summary { part1:Some words on OAuth

796 views • 48 slides
Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

CS3 2020 Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks <michael.meeks@collabora.com> General Manager at Collabora Productjvity @michael_meeks, mmeeks #libreoffjce-dev irc.freenode.net

821 views • 60 slides
Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3

1.32k views • 66 slides
Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International Conference on Concurrency Theory (CONCUR 2020) Adapted for Mobility Reading group 22/10/2020. Ross Horne Computer Science, University of Luxembourg 1-4

546 views • 35 slides
Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity - Reviewability - Productivity - Reviewability - Maintainability - Patterns - Principles - OOP/FP - Common Sense But We focus on production code

1.47k views • 113 slides
Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010 https://www.isecpartners.com Agenda Conclusion What is Hadoop Old School Hadoop Risks The New Approach to Security Concerns

300 views • 29 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis", "testthat", "reprex", "pkgdown")) git_sitrep() > library(usethis) > git_sitrep() Git user * Name: 'Amelia McNamara'

308 views • 9 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

1.03k views • 44 slides
Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material Web sites Microsoft links from last lecture Linux Capabilities - man 7 capabilities or http://www.linuxjournal.com/article/5737

1.17k views • 29 slides
Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF What Is Apache CXF Production

465 views • 25 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides
15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon

15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon

15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon University Fall 2019 1 Outline The data collection process Common data formats and handling Regular expressions and parsing 2 Outline The

605 views • 27 slides
Tutamen: A Next-Generation Secret-Storage System Andy Sayler, Taylor Andrews, Matt Monaco, and

Tutamen: A Next-Generation Secret-Storage System Andy Sayler, Taylor Andrews, Matt Monaco, and

Tutamen: A Next-Generation Secret-Storage System Andy Sayler, Taylor Andrews, Matt Monaco, and Dirk Grunwald Presented by Andy Sayler SoCC 2016 10/06/16 SFg5asknmc6e SFg5asknmc6e SFg5asknmc6e DTrump GreatPassword Secrets SFg5asknmc6e

2.19k views • 193 slides
DEVELOPMENT OF A PRIVACY PRESERVING LIFERAY PORTAL DOCUMENT SYNCHRONIZER FOR ANDROID BY

DEVELOPMENT OF A PRIVACY PRESERVING LIFERAY PORTAL DOCUMENT SYNCHRONIZER FOR ANDROID BY

DEVELOPMENT OF A PRIVACY PRESERVING LIFERAY PORTAL DOCUMENT SYNCHRONIZER FOR ANDROID BY MAX PERRY PERINATO Thesis Supervisor: Prof. Michele Bugliesi Department of Environmental Sciences, Informatics and Statistics

830 views • 15 slides
Your TSP Account: What to Think About When Nearing Retirement or Considering Leaving the

Your TSP Account: What to Think About When Nearing Retirement or Considering Leaving the

Your TSP Account: What to Think About When Nearing Retirement or Considering Leaving the Government Alan Sorcher Randy Urban October 6, 2020 Tom Manganello Paul Saulski SEC Disclaimer The SECs Office of Investor Education and Advocacy

607 views • 39 slides
Spring Grove Lacrosse Club Registration Tutorial First Steps 1. Make an account for yourself

Spring Grove Lacrosse Club Registration Tutorial First Steps 1. Make an account for yourself

Spring Grove Lacrosse Club Registration Tutorial First Steps 1. Make an account for yourself This only applies if you dont already have an account If you are on the mailing list, go to www.sglax.org, click on Sign in at the upper

548 views • 21 slides
Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai

Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai

Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai * 1, 2 Thijs Vogels 2 Martin Jaggi 2 Franois Fleuret 1, 2 1 Idiap Research Institute, 2 EPFL, Switzerland * Equal Contribution prabhu.teja,

282 views • 15 slides
How to Create an OLLI Student Account & Pay Your

How to Create an OLLI Student Account & Pay Your

How to Create an OLLI Student Account & Pay Your No Charge Membership Fee Go to: www.USM.maine.edu/OLLI and click on registraJon

306 views • 16 slides

More recommend