
GET /authorize
?response_type=code
&client_id=s6BhdRkqt3
&state=xyz
&scope=openid images
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Cam Morris

Developer, Identity Team @FamilySearch

Created OWASP Passfault - Password Policy Tool

State Parameter

Generated by the Client/RP

Sent to the Authorization Server / IDP

Returned unchanged to the Client / RP

Must match original

  • Prevent CSRF Attack
  • Crypto-bound to a cookie
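The slide's four rules for state, worked through as an added example (not code from the talk or from FamilySearch): the Client/RP mints a state value that carries an HMAC over a random nonce, a timestamp and the browser's pre-login cookie, then on the redirect back checks that the returned state matches what was minted for the cookie the browser presents. RP_KEY, the cookie name and the handler names are assumptions for the demo; the client_id, redirect_uri and scope are the ones from the request above.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional
from urllib.parse import urlencode

RP_KEY = os.urandom(32)        # assumed: a secret held only by the Client/RP
COOKIE_NAME = "rp_presession"  # assumed: the RP's pre-login browser cookie


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _mac(nonce: str, ts: str, cookie_value: str) -> str:
    msg = f"{nonce}|{ts}|{cookie_value}".encode()
    return _b64u(hmac.new(RP_KEY, msg, hashlib.sha256).digest())


def new_state(cookie_value: str, now: Optional[int] = None) -> str:
    """Generated by the Client/RP: nonce.timestamp.HMAC(key, nonce|timestamp|cookie).
    The MAC binds the value to this browser's cookie, so a state minted for one
    browser is worthless when replayed from another (the CSRF case)."""
    nonce = _b64u(os.urandom(16))
    ts = str(int(time.time()) if now is None else now)
    return f"{nonce}.{ts}.{_mac(nonce, ts, cookie_value)}"


def check_state(state: str, cookie_value: str, now: Optional[int] = None,
                max_age: int = 600) -> bool:
    """Run on the redirect back: the state returned unchanged by the
    Authorization Server must match what we minted for this cookie, and be fresh."""
    parts = state.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, ts, mac = parts
    if not hmac.compare_digest(mac, _mac(nonce, ts, cookie_value)):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - int(ts) <= max_age


def authorize_url(cookie_value: str) -> str:
    """Builds the GET /authorize request shown above, with a bound state."""
    query = {
        "response_type": "code",
        "client_id": "s6BhdRkqt3",
        "state": new_state(cookie_value),
        "scope": "openid images",
        "redirect_uri": "https://client.example.com/cb",
    }
    return "https://server.example.com/authorize?" + urlencode(query)


def handle_callback(query: dict, cookies: dict) -> Optional[str]:
    """Returns the authorization code only when the state checks out, else None."""
    if not check_state(query.get("state", ""), cookies.get(COOKIE_NAME, "")):
        return None
    return query.get("code")
```

A plain random state stored in the session already blocks a CSRF-driven login; the HMAC binding adds that the value is self-checking, so the RP needs no server-side store for it and an attacker who obtains a victim's state cannot pair it with their own browser.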

Largest collection of genealogy records in the world

  • 4+ Billion names
  • (~20 Billion names in microfilm)

Redirect URI

Authentication Endpoint:

  • Validate redirect_uri and client_id with preconfigured URIs

Token Endpoint:

  • Validate redirect_uri is correct for the access code and client_id

Currently in Use

  • OAuth 2.0 for AuthZ to dozens of services
  • OpenID 2.0 for SSO to about a dozen partners

Scopes

  • See Google OAuth 2.0 Playground
  • Simple permissions, 2 or 3 per service
  • Not very granular

If you need more, see UMA (User-Managed Access)

  • Think Google Doc permissions
  • User not Present
  • Multi-party access

Token Storage

Cookies?

Sessions?

Database?

Cache?

Token Strategies

Handle
  • Simple
  • Random Number: the Authorization Server hands it to Services as the Token
  • Not Scalable: Services need to Phone Home to the Authorization Server to learn what it means

Assertion
  • Self Contained
  • Parsable
  • Not Simple
  • More Scalable
  • JWT: Signed, Encrypted
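The two strategies side by side, as an added example that is not code from the talk: a handle is a random string whose meaning lives only in the Authorization Server's table, so a Resource Server has to call back ("phone home") to use it; a self-contained token (here an HS256-signed JWT, signed but not encrypted) carries its claims and can be checked locally with the shared key, and a forged payload fails that check. The issuer name, signing key and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HandleIssuer:
    """Handle strategy: the token is a random number and nothing more."""

    def __init__(self) -> None:
        self._table: dict = {}

    def issue(self, sub: str, scope: str, ttl: int, now: int) -> str:
        handle = secrets.token_urlsafe(24)
        self._table[handle] = {"sub": sub, "scope": scope, "exp": now + ttl}
        return handle

    def introspect(self, handle: str, now: int) -> Optional[dict]:
        """The 'phone home' call every Resource Server must make per request."""
        rec = self._table.get(handle)
        if rec is None or rec["exp"] <= now:
            return None
        return dict(rec)


SIGNING_KEY = os.urandom(32)   # assumed: HMAC key shared by the AS and its Resource Servers


def issue_jwt(sub: str, scope: str, ttl: int, now: int, key: bytes = SIGNING_KEY) -> str:
    """Self-contained strategy: the claims travel inside the token, signed (HS256)."""
    def enc(obj: dict) -> str:
        return _b64u(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://server.example.com", "sub": sub, "scope": scope,
              "iat": now, "exp": now + ttl}
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def verify_jwt(token: str, now: int, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Resource Server side: parse and check locally, no round trip to the AS.
    Rejects a foreign alg (never let the token pick it), a bad MAC, or expiry."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64u_dec(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_dec(s)):
            return None
        claims = json.loads(_b64u_dec(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def forge_claims(token: str, new_claims: dict) -> str:
    """What a holder without the key can do to a self-contained token: swap the
    payload. The old signature then no longer matches."""
    h, _, s = token.split(".")
    return h + "." + _b64u(json.dumps(new_claims).encode()) + "." + s
```

The trade the slide names is visible here: revoking a handle is one table delete, while a signed JWT stays valid until exp unless the Resource Server also keeps a revocation list, which is why self-contained tokens are usually kept short-lived.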

OAuth 2.0 roles: the Resource Owner grants access to the Client (Public or Confidential), which uses that grant to access the Resource Server

Bearer Token vs Proof Token

Proof Token
  • Prove who you are to use the token
  • HMAC or Signature
  • Crypto is hard (whine)
  • More Secure

Bearer Token
  • Simpler
  • Short Lived
  • Adds complexity with Refresh Token
  • Less Secure
  • Anyone who bears the token can use it
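The two rows above in running code, as an added example (not from the talk): a captured bearer request replays as-is, because the token is the whole credential. A proof-of-possession request HMACs the method, path, timestamp and nonce with a key bound to the token at issuance, so the Resource Server can reject a replay, a tampered request, and a request from someone who stole only the token. The bearer token value is the one used on the slides; the bound key, header names and clock skew are constructed for the demo and are not a standard format.

```python
import hashlib
import hmac
import os

ACCESS_TOKEN = "mF_9.B5f-4.1JqM"        # the bearer token value used on the slides
POP_KEY = os.urandom(32)                 # assumed: key bound to the token when it was issued
BOUND_KEYS = {ACCESS_TOKEN: POP_KEY}     # Resource Server's view: token -> bound key


def bearer_request(method: str, path: str) -> dict:
    """Bearer: whoever holds the token can use it; nothing else is needed."""
    return {"method": method, "path": path,
            "headers": {"Authorization": f"Bearer {ACCESS_TOKEN}"}}


def accept_bearer(req: dict) -> bool:
    auth = req["headers"].get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in BOUND_KEYS


def _pop_message(method: str, path: str, ts: str, nonce: str) -> bytes:
    return f"{method}\n{path}\n{ts}\n{nonce}".encode()


def pop_request(method: str, path: str, key: bytes, ts: int, nonce: str) -> dict:
    """Proof token: the Client proves possession of the bound key by HMACing
    the request. (Header names are made up for this demo, not a standard.)"""
    mac = hmac.new(key, _pop_message(method, path, str(ts), nonce), hashlib.sha256).hexdigest()
    return {"method": method, "path": path,
            "headers": {"Authorization": f"PoP {ACCESS_TOKEN}",
                        "X-PoP-Ts": str(ts), "X-PoP-Nonce": nonce, "X-PoP-Mac": mac}}


class ResourceServer:
    def __init__(self, max_skew: int = 60) -> None:
        self.max_skew = max_skew
        self.seen_nonces: set = set()

    def accept_pop(self, req: dict, now: int) -> bool:
        hdr = req["headers"]
        auth = hdr.get("Authorization", "")
        if not auth.startswith("PoP "):
            return False
        key = BOUND_KEYS.get(auth[len("PoP "):])
        ts, nonce, mac = hdr.get("X-PoP-Ts", ""), hdr.get("X-PoP-Nonce", ""), hdr.get("X-PoP-Mac", "")
        if key is None or not ts.isdigit() or not nonce or not mac:
            return False
        if abs(now - int(ts)) > self.max_skew:          # stale capture
            return False
        if (auth, nonce) in self.seen_nonces:           # exact replay
            return False
        expected = hmac.new(key, _pop_message(req["method"], req["path"], ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):     # tampered, or a thief without the key
            return False
        self.seen_nonces.add((auth, nonce))
        return True
```

The cost the slide calls "crypto is hard" is the key distribution and nonce bookkeeping this adds on both sides; the bearer path needs neither, which is why it is paired with short lifetimes and TLS instead.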

Client Credentials Grant

Code Grant: Client (3rd Party site) wants to access a resource. Classic Web Server Use Case.

Authorization Server

Authorization Endpoint

  • Validate redirect_uri and client_id with preconfigured URIs
  • Authenticate the Resource Owner
  • Prompt to Grant Approval: User grants access to the resource
  • associate code -> { redirect URL, Client ID, granted access }

Implicit Grant

Token Endpoint

Authorization Server

Code -> { redirect URL, Client ID, granted access }

Validate
  • redirect_uri matches
  • client_id matches

Remove Code (1-time use)

Generate Access Token
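Both endpoints of the Code Grant as one small Authorization Server, an added example that is not the talk's or FamilySearch's code, covering the Redirect URI slide and the Authorization/Token Endpoint steps above: exact-match validation of redirect_uri and client_id against the registration, binding of the code to {redirect URL, client ID, granted access, subject}, client authentication via the HTTP Basic header from the slides (which decodes to s6BhdRkqt3:gX1fBat3bV), the same redirect_uri and client_id required at exchange, and one-time use of the code. The client registry, subject identifier and token format are constructed for the demo.

```python
import base64
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

CLIENTS = {   # preconfigured registrations (constructed for the demo)
    "s6BhdRkqt3": {"secret": "gX1fBat3bV",
                   "redirect_uris": {"https://client.example.com/cb"}},
}


def basic_credentials(header: str) -> Tuple[Optional[str], Optional[str]]:
    """Parses 'Authorization: Basic base64(client_id:client_secret)'."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return None, None
    user, _, pw = base64.b64decode(b64).decode().partition(":")
    return user, pw


def code_from_location(location: str) -> str:
    return parse_qs(urlparse(location).query)["code"][0]


class AuthorizationServer:
    def __init__(self) -> None:
        self.codes: dict = {}    # code -> {redirect_uri, client_id, scope, sub}
        self.tokens: dict = {}   # access_token -> {sub, scope}

    def authorize(self, query: str, authenticated_sub: str, approved: bool) -> str:
        """GET /authorize?... after the Resource Owner has logged in and seen the
        approval prompt. Returns the 302 Location, or an error to render locally."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = CLIENTS.get(q.get("client_id"))
        if client is None:
            return "error: unknown client_id"
        redirect_uri = q.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:   # exact match, never prefix or substring
            return "error: redirect_uri mismatch"         # never redirect to an unregistered URI
        state = q.get("state", "")
        if q.get("response_type") != "code":
            return f"{redirect_uri}?error=unsupported_response_type&state={state}"
        if not approved:
            return f"{redirect_uri}?error=access_denied&state={state}"
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"redirect_uri": redirect_uri, "client_id": q["client_id"],
                            "scope": q.get("scope", ""), "sub": authenticated_sub}
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id: str, client_secret: str, form: dict) -> dict:
        """POST /token with HTTP Basic client auth and the form body from the slides."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret or ""):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.pop(form.get("code"), None)      # 1-time use: consumed even if checks fail
        if (rec is None or rec["client_id"] != client_id
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"sub": rec["sub"], "scope": rec["scope"]}
        return {"access_token": access, "token_type": "bearer", "expires_in": 3600}
```

Popping the code before the redirect_uri and client_id comparison is deliberate: a code that was presented once with the wrong binding is burnt rather than left for a second attempt.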

Password Credentials Grant

Implicit Grant: Javascript only client - no server backend
  - no refresh token
  - no client secret
  - could be used for mobile

Three ways to present a bearer token (RFC 6750): Authorization header, URI query parameter, form-encoded body

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM

GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
Host: server.example.com

POST /resource HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

access_token=mF_9.B5f-4.1JqM

Token Endpoint request (Code Grant):

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

SSO

Client Credentials: Non-Browser Use, Confidential Client

Mobile Use

Single Sign On

  • Don't do passwords
  • If you need to authenticate -> Buy
  • Ping, ForgeRock, Google, Microsoft, AWS, UnboundID
  • Can require Authentication Classes
  • Base Sessions on the Subject

Implicit Grant: No refresh Tokens

GET /authorize
?response_type=token
&client_id=s6BhdRkqt3
&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com


Token Endpoint response (Access Token):

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"mF_9.B5f-4.1JqM",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}


Refresh Tokens

The Token Endpoint returns an Access Token + Refresh Token. When the Access Token expires, the Client sends the Refresh Token to the Token Endpoint (grant_type=refresh_token) and receives a new Access Token (+ Refresh Token). The Implicit Grant gets no refresh token.

Password

Password Credentials Grant: the Resource Owner's password goes to the Client, which sends it to the Token Endpoint for an Access Token.

Implicit Grant Client: Simple Web Page, No Backend Process, Public Client

Identity = OIDP Issuer Name + Sub

Subject must be unique at the issuer

Usernames cannot be used as the Subject:

  • Reuse attack
  • Someone famous says "I'm quitting facebook"
  • Create new user with old name
  • Login to RPs with the famous guy's name

Single Sign Out

  • Three draft options:
  • Session Management
  • HTTP Based
  • Back Channel
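The identity rule and the reuse attack, as an added example that is not code from the talk: a Relying Party keys accounts on (issuer, sub) and never on a display name, so a newcomer who registers the famous person's old username at the OIDP gets a different sub and lands in a fresh account, and the same sub at a different issuer is a different identity. The claim checks are the ones an RP performs on the ID token payload (iss, aud/azp, exp, nonce, sub) after verifying the signature; the RS256 signature check against the OIDP's key is assumed done and not reproduced here. The first claim set is the payload of the example ID token shown later in the deck; the other claim sets and the account table are constructed.

```python
from typing import Tuple

CLIENT_ID = "s6BhdRkqt3"
FAMOUS_CLAIMS = {   # payload of the example ID token shown on the slides
    "iss": "http://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
}


def validate_id_token_claims(claims: dict, expected_iss: str, expected_nonce: str,
                             now: int, client_id: str = CLIENT_ID,
                             skew: int = 60) -> Tuple[str, str]:
    """Payload checks an RP does after signature verification. Returns the
    identity key (issuer, sub) or raises ValueError."""
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not include this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without azp")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now - skew:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: not the response to our request")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub missing")
    return (claims["iss"], sub)


class RelyingParty:
    """Accounts are keyed by (issuer, sub), never by a username or display name."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def login(self, claims: dict, expected_iss: str, expected_nonce: str,
              now: int, display_name: str):
        key = validate_id_token_claims(claims, expected_iss, expected_nonce, now)
        account = self.accounts.get(key)
        if account is None:
            # A newcomer who picked a famous person's old username lands in a
            # fresh account: the issuer never reissues the old sub, so no link forms.
            account = {"display_name": display_name, "created": now}
            self.accounts[key] = account
        return key, account
```

The nonce check is what makes the ID token the answer to this RP's own request rather than one captured elsewhere; it pairs with the state check on the Client side, which protects the request rather than the token.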

WS-*

SOAP & XML

SAML 2

SAML

More SOAP Features

Shibboleth

Aims

No passwords for web services

No identity needed - just authorization

Could use services anonymously

Eran Hammer

OAuth 1

Tokens

Only The Big Boys can Implement it

Framework

vs

Protocol

Identity Provider (OIDP)

  • Bearer Token only
  • versus signed requests
  • Refresh Tokens

"Unlikely to produce interoperable implementation"

Authorization Server

REST & JSON

OAuth 2.0

OpenID

IETF standards process: Google, Microsoft, Facebook, Oracle...

OpenID 2.0

Identity is a URL

OpenID-Connect

OpenID-Connect roles: Resource Owner; Client = Relying Party; OidP with Authorization Endpoint, Token Endpoint and UserInfo Endpoint; Resource Server

Authorization Code Flow

Scopes or Claims?

Implicit Flow

Authorization Code Flow at the OidP: AuthN Request -> Authorization Endpoint -> Prompt to Grant Approval -> 302: Auth Code

302: Auth Code

HTTP/1.1 302 Found
Location: https://client.example.com/cb
?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz

Hybrid Flow

Token Endpoint: Auth Code -> Access and ID Token

UserInfo Endpoint: Access Token -> User Claims

302: AuthN request

RP: Redirect or JS autosubmit to the Authorization Endpoint
  • response_type=code
  • client_id=s6BhdRkqt3
  • state=xyz
  • redirect_uri
  • scope


Implicit Flow AuthN request (response_type=id_token token):

GET /authorize
?response_type=id_token%20token
&client_id=s6BhdRkqt3
&state=xyz
&scope=openid images
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

AuthN Request response_type: code or token or id_token (the Hybrid Flow combines them)


Token Endpoint response: Access and ID Token

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
    yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
    NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
    fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
    AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
    Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
    NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
    QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
    K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
    XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}


302: Authz request (OAuth 2.0 Code Grant)

Redirect or JS autosubmit to the Authorization Endpoint
  • response_type=code
  • client_id=s6BhdRkqt3
  • state=xyz
  • redirect_uri
  • scope


Authz request (OAuth 2.0 only, no openid scope):

GET /authorize
?response_type=code
&client_id=s6BhdRkqt3
&state=xyz
&scope=images
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
