Understanding OAuth 2.0 and OpenID Connect

A presentation at Connect.Tech in October 2019 in Atlanta, GA, USA by Stephanie Chamblee

Slide 1

Resources
* RFC 6749 - OAuth 2.0
* RFC 6750 - Bearer Tokens
* RFC 7636 - Proof Key for Code Exchange
* OpenID Connect Specifications
* The OpenID Connect Handbook - Auth0
* Learn Identity Video Series - Auth0

Slide 2

OAuth2 & OIDC
Stephanie Chamblee @stephchamblee

Slide 3

Stephanie Chamblee
Software Developer at BrightLink (we're hiring!)
Auth0 Ambassador
stephaniechamblee.com
schamblee@thebrightlink.com
@stephchamblee

Slide 4

Slide 5

Overview
1 CONTEXT: Open Standards; Brief History of Identity
2 FOUNDATION: Four roles in OAuth; Tokens; Authorization Flows
3 OAUTH & OIDC AUTHORIZATION CODE FLOW: OAuth 2.0 & OpenID Connect (OIDC) Walkthrough

Slide 6

CONTEXT

Slide 7

OAuth2 OpenID Connect

Slide 8

Thanks! Stephanie Chamblee @stephchamblee

Slide 9

OPEN STANDARDS

Slide 10

Open Standards in Identity
* SAML
* JWT
* OAuth2
* OIDC

Slide 11

HISTORY OF IDENTITY

Slide 12

Slide 13

Slide 14

Slide 15

HISTORY OF IDENTITY (timeline): 1960s Passwords | 2002 | 2010 | 2014

Slide 16

Slide 17

Slide 18

Slide 19

Computer / User / Password

Slide 20

Slide 21

Slide 22

Simple Login Security
* Password Strength Requirements
* Password Hashing
* Two-Factor Authentication

Slide 23

haveibeenpwned.com

Slide 24

Slide 25

ABC Company

Slide 26

HISTORY OF IDENTITY (timeline): 1960s Passwords | 2002 SAML | 2010 | 2014

Slide 27

Slide 28

Slide 29

HISTORY OF IDENTITY (timeline): 1960s Passwords | 2002 SAML | 2012 OAuth2 | 2014

Slide 30

DELEGATED AUTHORIZATION

Slide 31

Slide 32

Slide 33

Authorization vs. Authentication

Slide 34

Authorization

Slide 35

Authentication

Slide 36

Slide 37

HISTORY OF IDENTITY (timeline): 1960s Passwords | 2002 SAML | 2012 OAuth2 | 2014 OIDC

Slide 38

Slide 39

CONTEXT SUMMARY

Slide 40

FOUNDATION

Slide 41

Four Roles Defined by OAuth2

Slide 42

OAuth 2.0 Roles
* Resource Owner (RO): End User who provides consent for scopes

Slide 43

Resource Owner (RO): end user, scopes

Slide 44

OAuth 2.0 Roles
* Resource Owner (RO): End User who provides consent for scopes
* Resource Server (RS): API or Application controlling the data

Slide 45

Resource Server (RS): Application controlling the data

Slide 46

OAuth 2.0 Roles
* Resource Owner (RO): End User who provides consent for scopes
* Resource Server (RS): API or Application controlling the data
* Authorization Server (AS): Application handling delegated authorization decisions

Slide 47

OAuth 2.0 Roles
* Resource Owner (RO): End User who provides consent for scopes
* Resource Server (RS): API or Application controlling the data
* Authorization Server (AS): Application handling delegated authorization decisions
* Client: Application requesting the data

Slide 48

Client: Application requesting the data

Slide 49

Let’s review.

Slide 50

SomeApp

Slide 51

SomeApp

Slide 52

Resource Owner SomeApp

Slide 53

SomeApp

Slide 54

Resource Server + Authorization Server SomeApp

Slide 55

SomeApp

Slide 56

Client SomeApp

Slide 57

SomeApp

Slide 58

Scopes SomeApp

Slide 59

Diagram labels: Resource Owner; Client; Resource Server + Authorization Server (SomeApp); Scopes; Consent

Slide 60

Tokens

Slide 61

Tokens
* Access Token
* Refresh Token
* ID Token

Slide 62

Access Token

Slide 63

Refresh Token

Slide 64

ID Token

Slide 65

ID Token = JSON Web Token (JWT)

Slide 66

JSON Web Token (JWT)
* Encoded Claims (user data)
* Stateless validation
* Signed for authenticity

Slide 67

3 parts of JWT: Header . Payload . Signature
hhhhhhhhhhh . ppppppppppppp . sssssssssssssssss

Slide 68

3 parts of JWT
hhhhhhhhhhh (Header) . ppppppppppppp (Payload) . sssssssssssssssss (Signature)

Slide 69

HEADER

Slide 70

PAYLOAD
{
  "iss": "https://example.com",
  "sub": "123",
  "aud": "some-client-id",
  "exp": 1311281970,
  "iat": 1311280970
}

Slide 71

SIGNATURE

Slide 72

Parts of a JWT Summary
Header - alg (algorithm) & typ (token type, JWT)
Payload - claims (data about the user)
Signature - computed over the header and payload with the secret and the specified algorithm; used to verify that a token is authentic
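To make the three-part structure and the signature check concrete, here is an added example (not from the talk) that builds an HS256 JWT carrying the payload from the PAYLOAD slide and validates it the way a resource server would: signature first, with the expected algorithm pinned rather than read from the header, then the iss, aud and exp claims. The shared secret and the clock value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Stateless validation: check the signature before trusting any claim, then iss/aud/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # the verifier decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


# Constructed sample: the payload shown on the PAYLOAD slide and a made-up secret.
SECRET = b"example-shared-secret"
SLIDE_PAYLOAD = {"iss": "https://example.com", "sub": "123", "aud": "some-client-id",
                 "exp": 1311281970, "iat": 1311280970}
TOKEN = sign_hs256(SLIDE_PAYLOAD, SECRET)
```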

Slide 73

Authorization Grants

Slide 74

Authorization Grants: methods for a client application to acquire an access token, which represents a user's permission for the client to access their data

Slide 75

Authorization Grant Flows
* Authorization Code
* Authorization Code + PKCE
* Client Credentials

Slide 76

Front-Channel: Browser to API, not-so secure
Back-Channel: Server to API, very secure

Slide 77

Authorization Code Flow: Back Channel + Front Channel

Slide 78

Implicit / Authorization Code + PKCE: Front Channel Only (SPA/Mobile)

Slide 79

Client Credentials Flow: Back Channel Only, Machine-to-Machine (example: microservices)

Slide 80

FOUNDATION SUMMARY

Slide 81

OAUTH & OIDC FLOW

Slide 82

Slide 83

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google

Slide 84

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google

Slide 85

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Can I have authorization?"

Slide 86

https://auth-server.com/authorize?
  response_type=code&
  client_id=client_id123&
  redirect_uri=https://example.com/callback&
  scope=openid+profile+email&
  state=some_random_string

Slide 87

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Here's your auth code!"

Slide 88

https://example.com/callback?
  code=123&
  state=some_random_string

Slide 89

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Can I have an access token?"

Slide 90

POST https://auth-server.com/token
  grant_type=authorization_code&
  code=123&
  redirect_uri=https://example.com/callback&
  client_id=client_id123&

Slide 91

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Here's your access token, refresh token and ID token!"

Slide 92

Slide 93

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Can I have user data?"

Slide 94

Slide 95

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Here's the user data!"

Slide 96

Slide 97

Slide 98

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Can I have another access token?"

Slide 99

Diagram: RO = User, CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Here's another access token!"

Slide 100

Diagram: CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "Can I have user data"

Slide 101

Diagram: CLIENT = my app, AS = Auth0, RS = Google. Speech bubble: "YEAH!"
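As an added example (not part of the talk or of Auth0's code), the client side of the walkthrough above in Python: build the authorize request from slide 86 with a state value plus a PKCE code_challenge (RFC 7636, the "Authorization Code + PKCE" variant listed under the grant flows), then on the callback from slide 88 reject any response whose state does not match before assembling the back-channel token request from slide 90. The endpoint, client_id and redirect_uri values are the placeholders from the slides; keeping the state and code_verifier in the user's session between the two steps is assumed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values taken from the slides (not a real authorization server).
AUTHORIZE_ENDPOINT = "https://auth-server.com/authorize"
TOKEN_ENDPOINT = "https://auth-server.com/token"
CLIENT_ID = "client_id123"
REDIRECT_URI = "https://example.com/callback"


def make_pkce_pair(code_verifier: str = "") -> tuple:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    if not code_verifier:
        # 32 random bytes -> 43 base64url characters, the RFC's minimum verifier length
        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Front-channel request (slide 86) plus the PKCE challenge; the verifier never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, expected_state: str, code_verifier: str) -> dict:
    """Callback (slide 88): bind the response to our session via state, then return the body
    of the back-channel token request (slide 90) to POST to TOKEN_ENDPOINT."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,  # the server recomputes S256 and compares to the challenge
    }
```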

Slide 102

DEMO

Slide 103

Summary
1 CONTEXT: Open Standards; Brief History of Identity
2 FOUNDATION: Four roles in OAuth; Tokens; Authorization Flows
3 OAUTH & OIDC AUTHORIZATION CODE FLOW: OAuth 2.0 & OpenID Connect (OIDC) Walkthrough

Slide 104

Resources
* RFC 6749 - OAuth 2.0
* RFC 6750 - Bearer Tokens
* RFC 7636 - Proof Key for Code Exchange
* OpenID Connect Specifications
* The OpenID Connect Handbook - Auth0
* Learn Identity Video Series - Auth0

Slide 105

Thanks! Stephanie Chamblee @stephchamblee