CIS 2015 Extreme OAuth - Paul Meyer

Transcript of CIS 2015 Extreme OAuth - Paul Meyer

Page 1: CIS 2015 Extreme OAuth - Paul Meyer
Page 2: CIS 2015 Extreme OAuth - Paul Meyer

EXTREME OAUTH Paul Meyer [email protected]

Page 3: CIS 2015 Extreme OAuth - Paul Meyer

WHAT WILL WE COVER

•  OAuth 2.0 Overview – Actors and Actions
•  Client Considerations
   •  Web, Native App, User Agent Based clients
   •  API-to-API
•  Resource Server Considerations

Copyright © 2015 Cloud Identity Summit. All rights reserved. 3

Page 4: CIS 2015 Extreme OAuth - Paul Meyer

BUT FIRST.. NOT SO EXTREME OAUTH

[Diagram: the OAuth 2.0 actors. A Resource Owner (RO) acting through a User Agent; the Client (Application) running on a Web Server; the Resource Server (API); and the Authorization Server with its AuthZ Endpoint and Token Endpoint.]

Page 5: CIS 2015 Extreme OAuth - Paul Meyer

BUT FIRST.. NOT SO EXTREME OAUTH

•  Client Considerations
   •  GET a token
   •  USE a token
   •  REFRESH a token
   •  REGISTER
   •  REVOKE a token (RFC 7009)

Page 6: CIS 2015 Extreme OAuth - Paul Meyer

BUT FIRST.. NOT SO EXTREME OAUTH

•  Resource Server Considerations
   •  REGISTER
   •  RECEIVE a token
   •  VALIDATE a token

Page 7: CIS 2015 Extreme OAuth - Paul Meyer

CLIENT CONSIDERATIONS

Page 8: CIS 2015 Extreme OAuth - Paul Meyer

GET A TOKEN

•  OAuth Grant Types
   •  Authorization Code
   •  Implicit
   •  Resource Owner Password Credentials
   •  Client Credentials
   •  Extension Grants (SAML, JWT)

Page 9: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Web Application

•  Easy… right? Just use AuthZ Code
   •  Already in the user agent (interactivity)
   •  Leverage browser authentication
•  Security concerns
   •  Open redirect
   •  Man-in-the-middle attacks

Page 10: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Web Application

[Diagram: Web Application scenario. The RO authenticates at the Authorization Server's AuthZ Endpoint through the User Agent ("Authentication Happens…"); an authorization code is returned through the User Agent to the Application (Client) on the Web Server; the Client presents the code to the Token Endpoint and receives the token(s) it then uses against the API (Resource Server).]

Page 11: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Native App

•  Implicit makes sense (but no refresh token)
•  AuthZ Code has challenges
   •  Distributing the client secret
   •  Malicious apps with same URL scheme
•  PKCE can help here
•  Dynamic Registration provides interesting options

Page 12: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Native App (Implicit Flow)

[Diagram: Native App, Implicit Flow. The Application (Client) and the User Agent both live on the Device; the RO authenticates at the Authorization Server's AuthZ Endpoint through the User Agent ("Authentication Happens…"), the token is returned directly to the Application (Client) without a Token Endpoint exchange, and the Client uses it against the API (Resource Server) on the Web Server.]

Page 13: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Native App (AuthZ Code Flow)

[Diagram: Native App, AuthZ Code Flow with PKCE. The Application (Client) and the User Agent both live on the Device. The Client sends a code_challenge with its authorization request; the RO authenticates at the AuthZ Endpoint through the User Agent ("Authentication Happens…"); the code comes back through the User Agent to the Client; the Client sends code_verifier + code to the Token Endpoint and receives the token(s) it uses against the API (Resource Server).]
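The code flow on this slide, with the PKCE challenge/verifier pair and the client-side checks the web-application slide calls for (exact redirect_uri matching against registration, a state value bound to the request), worked through end to end as an added Python example. This is not code from the talk: the authorization endpoint URL, the custom URL scheme, the client id and the in-memory AuthorizationServer are constructed for the example, and the user-agent hop is simulated by direct calls.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; the slides name no endpoints or client ids.
AUTHZ_ENDPOINT = "https://as.example/as/authorization.oauth2"
NATIVE_REDIRECT_URI = "com.example.notes:/oauth2/callback"  # custom URL scheme, as on the Native App slide


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes give 43 unreserved characters, the RFC 7636 minimum verifier length.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id, redirect_uri, scope, verifier, state) -> str:
    """Authorization request the app hands to the system browser / user agent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                                   # binds the callback to this request
        "code_challenge": code_challenge_s256(verifier),  # only the hash leaves the device
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Minimal in-memory AS (constructed): AuthZ and Token endpoints for the code flow with PKCE."""

    def __init__(self):
        self.clients = {}  # client_id -> list of registered redirect URIs
        self.codes = {}    # code -> what the token endpoint must match it against

    def register_client(self, client_id, redirect_uris):
        self.clients[client_id] = list(redirect_uris)

    def authorize(self, client_id, redirect_uri, code_challenge, method, state) -> str:
        # Exact-match the redirect URI against registration; prefix or substring matching is
        # what turns the AuthZ Endpoint into an open redirect that leaks the code elsewhere.
        if redirect_uri not in self.clients.get(client_id, []):
            raise ValueError("redirect_uri not registered for client")
        if method != "S256":
            raise ValueError("only S256 code_challenge_method accepted")
        # (user authentication and consent happen here in a real AS)
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": code_challenge}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, redirect_uri, code_verifier) -> dict:
        record = self.codes.pop(code, None)  # codes are single use
        if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid authorization code")
        # Another app on the same URL scheme may have received the code, but it never saw the verifier.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), record["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 3600}


def run_native_app_flow(as_server: AuthorizationServer, client_id="notes_native_app") -> dict:
    """Client side of the flow on this slide, with the user-agent hop simulated by direct calls."""
    state = b64url(secrets.token_bytes(16))
    verifier = new_code_verifier()
    url = build_authorization_url(client_id, NATIVE_REDIRECT_URI, "edit", verifier, state)
    request = parse_qs(urlsplit(url).query)
    callback = as_server.authorize(request["client_id"][0], request["redirect_uri"][0],
                                   request["code_challenge"][0], request["code_challenge_method"][0],
                                   request["state"][0])
    reply = parse_qs(urlsplit(callback).query)
    if not secrets.compare_digest(reply.get("state", [""])[0], state):
        raise ValueError("state mismatch: callback does not belong to this request")
    return as_server.token(client_id, reply["code"][0], NATIVE_REDIRECT_URI, verifier)


if __name__ == "__main__":
    as_server = AuthorizationServer()
    as_server.register_client("notes_native_app", [NATIVE_REDIRECT_URI])
    print(run_native_app_flow(as_server))
```

The verifier never leaves the device until the token request, so the code alone is useless to anyone else who receives it; the state check on the client and the exact redirect_uri match on the server are the two cheap checks that cover the open-redirect concern from the web-application slide.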

Page 14: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – User Agent Based Client

•  App resides in the User Agent (i.e. JavaScript App)
•  Client can’t keep its secret… secret
•  Client can’t keep much else secret either

Page 15: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – User Agent Based Client

[Diagram: User Agent Based Client. The Application (Client) runs inside the User Agent; the RO authenticates at the Authorization Server's AuthZ Endpoint ("Authentication Happens…"), the token is returned to the Application (Client) in the User Agent, and the Client uses it against the API (Resource Server) on the Web Server.]

Page 16: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Token Transformation

•  API-to-API conversations
   •  Swap a SAML assertion for an AT (or vice-versa)
   •  Swap an AT for another AT
•  Options
   •  SAML 2.0 Profile for OAuth 2.0
   •  JWT Profile for OAuth 2.0
   •  WS-Trust (!)

Page 17: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – SAML > Access Token

[Diagram: SAML to Access Token. The Client holds a SAML assertion obtained from a WS-Trust Service (Web Service); it presents the SAML assertion to the Authorization Server's Token Endpoint, receives token(s), and uses them against the REST API (Resource Server).]

Page 18: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Access Token > SAML

[Diagram: Access Token to SAML. The Client uses its token at the REST API (Resource Server); that API swaps the token for a SAML assertion at a WS-Trust STS and calls the downstream Web Service (WS-Trust Service) with the SAML assertion.]

Page 19: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Access Token > Access Token

[Diagram: Access Token to Access Token. The Client uses its token at a REST API (Resource Server); that API presents the token to the Authorization Server's Token Endpoint, receives a second token, and uses that token at a second API (Resource Server).]

Page 20: CIS 2015 Extreme OAuth - Paul Meyer

SCENARIO – Token Mediation

[Diagram: Token Mediation. The Client presents its token to an Access Gateway that applies an Access Policy; the gateway obtains a token from the Authorization Server's Token Endpoint and uses that token against the REST API (Resource Server).]

Page 21: CIS 2015 Extreme OAuth - Paul Meyer

RESOURCE SERVER CONSIDERATIONS

Page 22: CIS 2015 Extreme OAuth - Paul Meyer

RESOURCE SERVER CONSIDERATIONS

•  Validation options
   •  Token introspection
   •  JWT validation
•  Validation is more than just dsig (digital signature) validation
   •  scopes, audience, issuer etc.

Page 23: CIS 2015 Extreme OAuth - Paul Meyer

TOKEN VALIDATION - Introspection

HTTP/1.1 200 OK
{
  "scope": "edit",
  "token_type": "urn:pingidentity.com:oauth2:validated_token",
  "expires_in": 59933,
  "client_id": "im_client",
  "access_token": {
    "subject": "joe",
    "department": "SALES"
  }
}

Page 24: CIS 2015 Extreme OAuth - Paul Meyer

TOKEN VALIDATION – JWT Validation

eyJhbGciOiJIUzI1NiIsImtpZCI6ImExIn0
.
eyJzdWJqZWN0Ijoiam9lIiwiZGVwYXJ0bWVudCI6IlNBTEVTIiwiZXhwIjoxNDMzNDg0NDI5LCJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6ImltX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vYXMucGluZ2RldmVsb3BlcnMuY29tIiwiYXVkIjoiaHR0cHM6Ly9hcGkucGluZ2RldmVsb3BlcnMuY29tIn0
.
vAim2TzzkWi_RRDtyf0RjAyY2H4MtWToSfsGPCfhc60

Page 25: CIS 2015 Extreme OAuth - Paul Meyer

TOKEN VALIDATION – JWT Validation

{"alg":"HS256","kid":"a1"}
.
{
  "subject": "joe",
  "department": "SALES",
  "exp": 1433484429,
  "scope": ["edit"],
  "client_id": "im_client",
  "iss": "https://as.pingdevelopers.com",
  "aud": "https://api.pingdevelopers.com"
}
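An added example, not from the talk, of the resource-server checks from the "Resource Server Considerations" slide applied to the token shown on the JWT Validation slides: parse the compact JWT, verify the HS256 signature with a key selected by kid from the server's own table, then check exp, iss, aud and scope. The key behind the slide's token is not on the slides, so the KEYS table is a constructed assumption; the example parses the slide's token and shows it being rejected on signature, and validates a freshly minted token carrying the same claims under the constructed key.

```python
import base64
import hashlib
import hmac
import json
import time

# The token from the JWT Validation slide: header . payload . signature.
SLIDE_JWT = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6ImExIn0"
    ".eyJzdWJqZWN0Ijoiam9lIiwiZGVwYXJ0bWVudCI6IlNBTEVTIiwiZXhwIjoxNDMzNDg0NDI5LCJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6ImltX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vYXMucGluZ2RldmVsb3BlcnMuY29tIiwiYXVkIjoiaHR0cHM6Ly9hcGkucGluZ2RldmVsb3BlcnMuY29tIn0"
    ".vAim2TzzkWi_RRDtyf0RjAyY2H4MtWToSfsGPCfhc60"
)

# Constructed demo key, not from the slides: the RS's table of trusted HS256 keys, selected by kid.
KEYS = {"a1": b"constructed-demo-key-for-kid-a1"}
EXPECTED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, kid: str) -> str:
    """Issue a compact HS256 JWS over claims (stands in for the AS when making test tokens)."""
    header = b64url_encode(json.dumps({"alg": EXPECTED_ALG, "kid": kid}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(KEYS[kid], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def parse_jwt(token: str):
    """Split a compact JWS into (header, claims, signing_input, signature). No verification here."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode("ascii"), b64url_decode(s)


def validate_jwt(token, *, expected_iss, expected_aud, required_scope, now=None):
    """Signature check plus the claim checks the slide lists (exp, iss, aud, scope); raises ValueError."""
    header, claims, signing_input, sig = parse_jwt(token)
    # Pin the algorithm and take the key from our own table by kid; the token's header never
    # gets to choose the algorithm or supply the key.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    scopes = claims.get("scope", [])
    if required_scope not in (scopes.split() if isinstance(scopes, str) else scopes):
        raise ValueError("missing scope")
    return claims


def rejection_reason(token, **checks):
    """None when the token passes validate_jwt, otherwise the reason it was rejected."""
    try:
        validate_jwt(token, **checks)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    header, claims, _, _ = parse_jwt(SLIDE_JWT)
    print(header, claims)
    checks = dict(expected_iss=claims["iss"], expected_aud=claims["aud"], required_scope="edit")
    print("slide token:", rejection_reason(SLIDE_JWT, **checks))
    fresh = mint_jwt(dict(claims, exp=int(time.time()) + 60), "a1")
    print("fresh token:", rejection_reason(fresh, **checks))
```

The order of checks matters less than the fact that all of them run: a token with a valid signature but the wrong aud is someone else's token, and a token with the right aud but an expired exp is a replay; the slide's "more than just dsig validation" point is that the signature only tells you who signed it, not whether this API should honour it.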

Page 26: CIS 2015 Extreme OAuth - Paul Meyer

REFERENCES

•  RFC 6749 - The OAuth 2.0 Authorization Framework
•  RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
•  RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
•  RFC 7009 - OAuth 2.0 Token Revocation
•  RFC 7519 - JSON Web Token (JWT)
•  RFC 7521 - Assertion Framework for OAuth 2.0 Client Authn and Authz Grants
•  RFC 7522 - SAML 2.0 Profile for OAuth 2.0 Client Authn and Authz Grants
•  RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authn and Authz Grants
•  draft-ietf-oauth-dyn-reg-30 - Dynamic Client Registration Protocol
•  draft-ietf-oauth-dyn-reg-management-15 - Dynamic Client Registration Management Protocol
•  draft-ietf-oauth-introspection-09 - OAuth 2.0 Token Introspection
•  draft-ietf-oauth-spop-11 - Proof Key for Code Exchange (PKCE)

Page 27: CIS 2015 Extreme OAuth - Paul Meyer

QUESTIONS?

Thank You!

Paul Meyer [email protected]
