Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect & UMA
Introduction to IdentityServer (sddconf.com/brands/sdd/library/Introduction_to_IdentityServer.pdf)
Introduction to IdentityServer
The open source OIDC framework for .NET
Brock Allen http://brockallen.com
Dominick Baier http://leastprivilege.com
Slides and code: http://1drv.ms/1PLU4DV
@IdentityServer
Outline
• Motivate IdentityServer
• Hosting, configuring, and running IdentityServer
What is IdentityServer?
• Framework for building application security
• Single sign-on
• Protecting Web APIs
Without single sign-on
(Diagram: App1, App2 and App3 each implement their own Authentication, Registration, Etc…; the user presents a username/password to every app separately.)
Single sign-on with a token service
(Diagram: a single Token Service owns Authentication, Registration, Etc…; App1, App2 and App3 rely on it instead of implementing their own.)
API Security
(Diagram: the caller sends credentials directly to each of API1, API2 and API3.)
API Security with a token service
(Diagram: the caller sends credentials only to the Token Service; API1, API2 and API3 accept the tokens it issues.)
What is IdentityServer?
• Free, OSS framework for building token service
• OpenID Connect and OAuth2
• Designed for flexibility and customization
• More control than off-the-shelf/SaaS products
• Can be used stand-alone or can interop with other providers
• Helps abstract external infrastructure
• → Becomes your applications' identity platform
Architecture
• Designed as middleware
  • Requires developer to build host
• Configuration drives token service
  • Requires developer to provide configuration
• Many extensibility points
  • Some required (core object model and configuration data)
  • Some optional (to override default behavior)
Platforms
• IdentityServer3 (released: Jan, 2015)
  • OWIN/Katana
  • .NET 4.5, ASP.NET 5 (full .NET framework only), Mono
• IdentityServer4 (released: same time as ASP.NET 5)
  • ASP.NET 5
  • .NET Core, full .NET framework
Core object model
Configuring IdentityServer
• Configuration drives behavior
• Signing certificate needed
• Factory contains configuration around object model

```csharp
public void Configuration(IAppBuilder app)
{
    var factory = new IdentityServerServiceFactory();
    // more factory config here...

    var cert = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=sts").First();

    var options = new IdentityServerOptions
    {
        SiteName = "My Token Service",
        Factory = factory,
        SigningCertificate = cert
    };

    app.UseIdentityServer(options);
}
```
Configuring users
• User data normally stored in database
• IUserService extensibility point used to load user data from database
• In memory configuration useful for prototyping/development

```csharp
var factory = new IdentityServerServiceFactory();

var users = new List<InMemoryUser> {
    new InMemoryUser {
        Subject = "123",
        Username = "alice",
        Password = "password",
    }
};
factory.UseInMemoryUsers(users);
```
Configuring scopes
• Identity scopes model access to user information
• Constants for standard identity scopes already defined
• Resource scopes model access to web APIs

```csharp
var factory = new IdentityServerServiceFactory();

var scopes = new Scope[] {
    StandardScopes.OpenId, // user's unique id
    StandardScopes.Email,  // user's email
    new Scope {            // custom web api
        Name = "api1",
        DisplayName = "My API",
        Type = ScopeType.Resource
    }
};
factory.UseInMemoryScopes(scopes);
```
Configuring clients
• Many different configuration values depending on flow
• For MVC client, implicit flow commonly used

```csharp
var factory = new IdentityServerServiceFactory();

var clients = new Client[] {
    new Client {
        ClientId = "mvc",
        ClientName = "MVC App",
        Flow = Flows.Implicit,
        RedirectUris = new List<string> { "https://server.com/YourMvcClient" },
        AllowedScopes = new List<string> { "openid", "email", "api1" }
    }
};
factory.UseInMemoryClients(clients);
```
Configuring client application
• OpenID Connect middleware used to obtain tokens
  • Handles protocol details
  • Issues cookie with cookie authentication middleware
  • Access token returned and should be stored (usually in cookie claims)
• Use access token as Authorization HTTP header
  • Using "Bearer" scheme
Configuring OpenID Connect middleware

```csharp
public void Configuration(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "cookies",
    });

    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "oidc",
        SignInAsAuthenticationType = "cookies",
        UseTokenLifetime = false,
        Authority = "https://localhost:44333/",
        ClientId = "mvc",
        RedirectUri = "https://localhost:44300/",
        ResponseType = "id_token token",
        Scope = "openid email api1",
        Notifications = new OpenIdConnectAuthenticationNotifications { ... }
    });
}
```
Using access token to call web API

```csharp
[Authorize]
public async Task<IActionResult> CallApi()
{
    var client = new HttpClient();
    var access_token = User.FindFirst("access_token").Value;
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", access_token);

    var result = await client.GetAsync("http://localhost:21177/test");
    if (result.IsSuccessStatusCode)
    {
        var json = await result.Content.ReadAsStringAsync();
        return Content(json, "application/json");
    }
    else
    {
        return Content("Error: " + result.StatusCode);
    }
}
```
Protecting Web API
• JwtBearerToken middleware validates access tokens
• Access token contents turned into ClaimsPrincipal on User

```csharp
public void Configuration(IAppBuilder app)
{
    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "https://localhost:44333/",
        RequiredScopes = new string[] { "api1" }
    });

    var config = new HttpConfiguration();
    // ...
    app.UseWebApi(config);
}
```
Beyond in-memory configuration…
• IdentityServer designed for extensibility
• IdentityServer defines several interfaces to model functionality
• Common customizations
  • Stores
  • User service
  • Branding/UI
  • Logging/auditing
Client and scope stores
• Stores provide read-only access to configuration
• In-memory implementation useful for development/testing
• EF implementation supported
• Other community provided implementations

```csharp
public interface IClientStore
{
    Task<Client> FindClientByIdAsync(string clientId);
}

public interface IScopeStore
{
    Task<IEnumerable<Scope>> FindScopesAsync(IEnumerable<string> scopeNames);
    Task<IEnumerable<Scope>> GetScopesAsync(bool publicOnly = true);
}
```
User service
• User service models users
  • Contains authentication logic
  • Provides claims for users
  • Supports user deactivation
• Supported implementations
  • In-memory
  • MembershipReboot
  • ASP.NET Identity

```csharp
public interface IUserService
{
    Task PreAuthenticateAsync(PreAuthenticationContext context);
    Task AuthenticateLocalAsync(LocalAuthenticationContext context);
    Task AuthenticateExternalAsync(ExternalAuthenticationContext context);
    Task PostAuthenticateAsync(PostAuthenticationContext context);
    Task SignOutAsync(SignOutContext context);
    Task GetProfileDataAsync(ProfileDataRequestContext context);
    Task IsActiveAsync(IsActiveContext context);
}
```
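The "Configuring users" slide says production user data lives in a database behind the IUserService extensibility point; the sketch below is an added example (not from the slides or the IdentityServer project) of what such an implementation looks like against the IdentityServer3 v2 API (UserServiceBase, LocalAuthenticationContext, ProfileDataRequestContext, IsActiveContext). The AppUser record and the three repository/hash-verifier delegates are hypothetical stand-ins for your own data access; the point is that only a salted password hash is stored, failures return one generic message, claims are released only when requested, and deactivation is re-checked at token time.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
public class AppUser   // hypothetical record as a database would hold it
{
    public string Subject { get; set; }       // stable id that becomes the "sub" claim
    public string Username { get; set; }
    public string PasswordHash { get; set; }  // salted hash only, never the plaintext
    public bool IsActive { get; set; }
    public List<Claim> Claims { get; set; } = new List<Claim>();
}
// Database-backed replacement for UseInMemoryUsers; repository access is abstracted as delegates.
public class DatabaseUserService : UserServiceBase
{
    private readonly Func<string, AppUser> _byName;           // hypothetical lookup by username
    private readonly Func<string, AppUser> _bySubject;        // hypothetical lookup by subject id
    private readonly Func<string, string, bool> _verifyHash;  // e.g. a PBKDF2 or bcrypt verifier
    public DatabaseUserService(Func<string, AppUser> byName, Func<string, AppUser> bySubject, Func<string, string, bool> verifyHash)
    { _byName = byName; _bySubject = bySubject; _verifyHash = verifyHash; }
    // Called by the login page with the posted credentials.
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = _byName(context.UserName);
        var ok = user != null && user.IsActive && _verifyHash(context.Password, user.PasswordHash);
        context.AuthenticateResult = ok ? new AuthenticateResult(user.Subject, user.Username)
            : new AuthenticateResult("Invalid username or password"); // same text for every failure
        return Task.FromResult(0);
    }
    // Supplies claims for the id_token, access token and userinfo; releases only the requested types.
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = _bySubject(context.Subject.GetSubjectId());
        var claims = user?.Claims ?? new List<Claim>();
        context.IssuedClaims = context.AllClaimsRequested ? claims : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
        return Task.FromResult(0);
    }
    // Re-checked when tokens are issued or refreshed, so a deactivated account stops getting tokens.
    public override Task IsActiveAsync(IsActiveContext context)
    {
        var user = _bySubject(context.Subject.GetSubjectId());
        context.IsActive = user != null && user.IsActive;
        return Task.FromResult(0);
    }
}
```

Wire it in place of UseInMemoryUsers with `factory.UserService = new Registration<IUserService>(resolver => new DatabaseUserService(byName, bySubject, verifyHash));`, supplying your own lookups and hash verifier.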
Other user service features
• External identity providers
  • Social or other external providers
  • Customizable HRD
• User workflow
  • Prior to login user must perform registration
  • At login user must accept EULA or provide 2FA
  • User impersonation
Other extensibility and customization
• Visual assets
  • Branding of HTML, CSS, etc.
• Token service configuration
  • Claims contained in tokens are configurable
  • Configurable expiration
  • Access token type (JWT vs. reference tokens)
  • Token and consent revocability
  • Custom validation
  • Delegation scenarios
• Logging and events
Resources
• Source code, samples, and issue tracker
  • https://github.com/IdentityServer
• Documentation
  • https://identityserver.github.io/Documentation
• Gitter
  • https://gitter.im/IdentityServer/IdentityServer3
  • https://gitter.im/IdentityServer/IdentityServer4
Summary
• IdentityServer provides an OIDC and OAuth2 framework
• Designed for extensibility and customization