The Protocol Founded in 1999 >100 persons Clment OUDOT - PowerPoint PPT Presentation

The Protocol

● Founded in 1999 ● >100 persons Clément OUDOT ● Montréal, Quebec City, Ottawa, Paris @clementoudot ● ISO 9001:2004 / ISO 14001:2008 ● contact@savoirfairelinux.com

GET /summary { “part1”:“Some words on OAuth 2.0”, “part2”:“The OpenID Connect Protocol”, “part3”:“OpenID Connect VS SAML”, “part4”:“Support of OpenID Connect in LL::NG” } 3

4

RFC 6749 The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specifjcation replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. 5

Roles Resource owner Client Authorization Resource (end-user) (third-party) Server Server 6

Authorization Request Authorization Grant Authorization Grant Access T oken Access T oken P r o t e c t e d R e s o u r c e 7

Authorization Grant Resource Owner Authorization Client Implicit Password Code credentials Credentials ● More secure ● Access token ● Requires ● Client is ● Server side directly sent high trust often the ● Designed for applications between resource ● T okens JS client end-user owner hidden to application and client end user 8

T okens ● Access T ● Refresh T oken : oken : – Opaque Allow to get a new access – token – Limited duration Optional – – Scope Can not be used as an – – Give access to the access token resource server 9

Authorization Grant Access T oken & Refresh T oken Access T oken Protected Resource Access T oken Invalid T oken Error Refresh T oken Access T oken & Optional Refresh T oken 10

Client Registration ● Client has to be registered with the authorization server ● OAuth 2.0 do not specify how this registration is done ● Information that should be registered: Client type – Redirection URIs – Other: application name, logo, etc. – ● The client then received a client_id and a client_password 11

Client types ● Confj ● Public: Clients incapable fjdential: Clients capable of maintaining of maintaining the the confjdentiality of their confjdentiality of their credentials : credentials : – Application on a secure Native mobile application – server Web browser based – application 12

Endpoints ● Authorization Server: ● Client: – Authorization: where the Redirection: where the – resource owner gives resource owner is authorization redirected after authorization – T oken: where the client get tokens 13

Authorization GET /authorize? response_type=code&client_id=s6BhdRkqt3&st ate=xyz&redirect_uri=https%3A%2F%2Fclient %2Eexample%2Ecom%2Fcb https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA &state=xyz 14

T oken POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-T ype: application/x-www-form- urlencoded grant_type=authorization_code&code=SplxlOBe ZQQYbYS6WxSbIA&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb 15

T oken HTTP/1.1 200 OK Content-T ype: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } 16

Resource GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA 17

18

OpenID 1.0 OpenID 2.0 OpenID Connect 19

(2) AuthN & AuthZ (1) AuthN Request (3) AuthN Response RP OP RP OP (4) UserInfo Request (5) UserInfo Response 20

Built on top of OAuth 2.0 ● Flows: ● Endpoints: – Based on OAuth 2.0 Use Authorize, T oken and – Authorization grants: Redirection endpoints Authorization Code New endpoint: UserInfo – ● Implicit ● T ● okens: – New fmow: Hybrid Use access and refresh – ● Scope: tokens – New scope: “openid” New token: ID token (JWT) – 21

OpenID Connect Protocol Suite Dynamic Client Core Discovery Registration Minimal Dynamic Session Form Post Management Response Mode Complete 22

Underpinnings OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 OAuth 2.0 Core Bearer Assertions JWT Profjle Responses JWT JWS JWE JWK JWA WebFinger JOSE 23

JOSE Javascript Object Signing and Encryption 24

JWT ● Concatenation with dots of: JSON base64(Header) – Web base64(Payload) – Token base64(Signature) – 25

http://jwt.io/ 26

http://auth.example.com/oauth2/authorize? response_type=code &client_id=lemonldap &scope=openid%20profjle%20email OP &redirect_uri=http%3A%2F OP RP RP %2Fauth.example.com%2Foauth2.pl %3Fopenidconnectcallback%3D1 &state=ABCDEFGHIJKLMNOPQRSTUVWXXZ 27

28

29

http://auth.example.com/oauth2.pl? openidconnectcallback=1; OP OP RP RP code=f6267efe92d0fc39bf2761c29de44286; state=ABCDEFGHIJKLMNOPQRSTUVWXXZ 30

POST /oauth2/token HTTP/1.1 Host: auth.example.com Authorization: Basic xxxx Content-T ype: application/x-www-form-urlencoded grant_type=authorization_code &code=f6267efe92d0fc39bf2761c29de44286 &redirect_uri=http%3A%2F%2Fauth.example.com %2Foauth2.pl%3Fopenidconnectcallback%3D1 OP OP RP RP 31

{"id_token" :"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhY3IiOiJsb2EtMiIsImF1dGhfdGltZSI6MTQzMjEx MzU5MywiaWF0IjoxNDMyMTEzOTY2LCJhdF9oYXNo IjoiOWF4enNOaTlwTkRrNXpXZWZLc002QSIsImlzcy I6Imh0dHA6Ly9hdXRoLmV4YW1wbGUuY29tLyIsIm V4cCI6IjM2MDAiLCJhenAiOiJsZW1vbmxkYXAiLCJub 25jZSI6IjEyMzQ1Njc4OTAiLCJzdWIiOiJjb3Vkb3RAbG luYWdvcmEuY29tIiwiYXVkIjpbImxlbW9ubGRhcCJdf OP OP RP RP Q==.daYGlzIr37dC1R0biIwdvQLM1LlCMsBFFcEufe MZtXsZvCiiAm-1LFJwJJJDHFOhd- WQnc9_GvtP3gT abXB8U4gQ2IW- bPNLUsjT24njmBPYunHy8YTQ5PV- QnQI5EK5WrrTS04AF86U5Qu6m3b27yWKFXkIuGI7 EUvvByv8L1Anh1gPG3il5cEOnMFHIUzAaC6PkJiy1sj SBM53nLRAf9NQ6eux4iCVBIRwl26CCgmRT sTRy- iTxB3bf0LrILohUlAR_- HPWGseaIAMvqUpGeaovgGDPt4Zip9KERo7368ykg Qc09VFlLvZIwyMTWQdVBIYdW0oY6eI9ZHjofn0mg" , "expires_in" : "3600","access_token" : "512cdb7b97e073d0656ac9684cc715fe", "token_type" : "Bearer"} 32

ID T oken payload { "acr": "loa-2", "auth_time": 1432113593, "iat": 1432113966, "at_hash": "9axzsNi9pNDk5zWefKsM6A", "iss": "http://auth.example.com/", "exp": "3600", "azp": "lemonldap", "nonce": "1234567890", "sub": "coudot@linagora.com", "aud": [ "lemonldap" ] } 33

POST /oauth2/userinfo HTTP/1.1 Host: auth.example.com Authorization: Bearer 512cdb7b97e073d0656ac9684cc715fe Content-T ype: application/x-www-form-urlencoded OP OP RP RP 34

OP OP RP RP { "name": "Clément OUDOT", "email": "coudot@linagora.com", "sub": "coudot@linagora.com" } 35

36

Frameworks Frameworks ● REST ● SOAP ● JSON ● XML ● JWT/JOSE ● XMLSec ● HTTP GET/POST ● HTTP GET/POST ● Offm ● No offm ffmine mode possible ffmine mode 37

Network fm fmows Network fm fmows ● Direct connection ● Can work without link between RP and OP between SP and IDP required ● Request and responses ● Request can be passed can be passed as as reference (Request references (Artefacts) URI) ● IDP initiated possibility ● Always RP initiated 38

Confj fjguration Confj fjguration ● Published as JSON ● Published as XML (openid-confj fjguration) (metadata) ● Client (RP) registration ● SP and IDP registration needed needed ● Keys publication (jwks) ● Keys publication (metadata) 39

Security Security ● HTTPS ● HTTPS ● Signature and ● Signature and encryption of JWT encryption of all messages 40

User consent User consent ● Consent required to ● No consent needed to authorize requested share attributes scopes ● Consent can be asked ● No account federation to federate accounts 41

Implementation Implementation ● RP: quite easy ● SP: diffj ffjcult ● OP: diffj ● IDP: diffj ffjcult ffjcult 42

43

LemonLDAP::NG ● Free Software (GPLv2+) / OW2 consortium ● Single Sign On, Access Control ● Service Provider / Identity Provider ● Perl/Apache/CGI/FCGI ● Lost Password and Account Register self services ● http://www.lemonldap-ng.org 44

45

OpenID Connect RP ● Authorization Code Flow ● OP selection screen ● JSON confjguration and JWKS parsing ● Full confjguration of authentication requests (scope, display, prompt, acr_values, etc.) ● Attributes mapping 46