Authentication with OAuth 2.0

Similar documents
Technical Overview. Version March 2018 Author: Vittorio Bertola

Connect. explained. Vladimir Dzhuvinov. :

openid connect all the things

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

Check to enable generation of refresh tokens when refreshing access tokens

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Securing APIs and Microservices with OAuth and OpenID Connect

OpenID Connect Update

OAuth and OpenID Connect (IN PLAIN ENGLISH)

Warm Up to Identity Protocol Soup

Real-world security analyses of OAuth 2.0 and OpenID Connect

fredag 7 september 12 OpenID Connect

Authentication in the Cloud. Stefan Seelmann

Tutorial: Building the Services Ecosystem

The OAuth 2.0 Authorization Protocol

Authentication in Cloud Application: Claims-Based Identity Model

Client Certificates Are Going Away

The SciTokens Authorization Model: JSON Web Tokens & OAuth

OPENID CONNECT 101 WHITE PAPER

The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Introduction to SciTokens

Single Sign-On Best Practices

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Privacy and Security in Online Social Networks Department of Computer Science and Engineering Indian Institute of Technology, Madras

API Gateway. Version 7.5.1

CSE 123A Computer Netwrking

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

Decentralized Action Integrity for Trigger-Action IoT Platforms. Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash

Partner Center: Secure application model

5 OAuth EssEntiAls for APi AccEss control layer7.com

MITOCW watch?v=kz7jjltq9r4

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

5 OAuth Essentials for API Access Control

Infrastructure for Secure Sharing Between Picture Archiving and Communication System and Image enabled Electronic Health Records

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

Justin Richer Antonio Sanso

Stateless Microservice Security via JWT, TomEE and MicroProfile

firewalls and vpns 5A15E503E76294A6E25A62A93FCE442E Firewalls And Vpns 1 / 6

OAuth 2.0 Incremental Auth

P1_L3 Operating Systems Security Page 1

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Introduction to the FAPI Read & Write OAuth Profile

Introduction to RESTful Web Services. Presented by Steve Ives

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Authentication and Authorization of End User in Microservice Architecture

CSE 123b Communications Software

Quick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

OAuth securing the insecure

Integrating with ClearPass HTTP APIs

Overview! Automated Certificate Management (ACME) Protocol! IP-NNI Task Force! Mary Barnes - iconectiv!

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Authentication. Katarina

Communications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage

Quick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003

TRANSFER MANAGER 2017

Common IAM Flaws Plaguing Systems After Years of Assessment

RESTful API Design APIs your consumers will love

THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

Kerberos for the Web Current State and Leverage Points

SAML-Based SSO Solution

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Java Relying Party API v1.0 Programmer s Guide

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

CS November 2018

XML Web Services Basics

Easily Secure your Microservices with Keycloak. Sébastien Blanc Red

The Current State of OAuth 2. Aaron Open Source Bridge Portland, June 2011

ForgeRock Access Management Customization and APIs

TIBCO Cloud Integration Security Overview

LUCITY REST API INTRODUCTION AND CORE CONCEPTS

CO Java EE 6: Develop Web Services with JAX-WS & JAX-RS

INDIGO AAI An overview and status update!

Bots. Table of Contents

Man in the Middle Attacks and Secured Communications

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol

White Paper: Delivering Enterprise Web Applications on the Curl Platform

CptS 464/564 Lecture 18

Welcome to this IBM Rational Podcast. I'm. Angelique Matheny. Joining me for this podcast, Delivering

How Secured2 Uses Beyond Encryption Security to Protect Your Data

Using Twitter & Facebook API. INF5750/ Lecture 10 (Part II)

System and Software Architecture Description (SSAD)

CS Protocol Design. Prof. Clarkson Spring 2017

Web Security Model and Applications

Misconceptions about W3C Widgets

Access Manager 4.4 Service Pack 3 Release Notes

Comprehensive Guide to Evaluating Event Stream Processing Engines

Joint Initiative on a PSD2 Compliant XS2A Interface NextGenPSD2 XS2A Framework Operational Rules

Your Auth is open! Oversharing with OpenAuth & SAML

Allowing the user to define the attribute release 21 May 2014

Authentication CS 4720 Mobile Application Development

Science-as-a-Service

Mastering OAuth 2.0. Mastering OAuth 2.0. Charles Bihis. Mastering OAuth 2.0

Transcription:

Authentication with OAuth 2.0 The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, including providing mechanisms for user authentication. This has lead many developers to incorrectly conclude that OAuth is itself an authentication protocol and to mistakenly use it as such. Let's say that again, to be clear: OAuth 2.0 is not an authentication protocol. Much of the confusion comes from the fact that OAuth is used inside of authentication protocols, and developers will see the OAuth components and interact with the OAuth flow and assume that by simply using OAuth, they can accomplish user authentication. What is authentication? Authentication tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning". Authentication is all about the user and their presence with the application, and an internet-scale authentication protocol needs to be able to do this across network and security boundaries. However, OAuth tells the application none of that. OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there. As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all. In fact, much of the point of OAuth is about giving this delegated access for use in situations where the user is not present on the connection between the client and the resource being accessed. This is great for client authorization, but it's really bad for authentication where the whole point is figuring out if the user is there or not (and who they are). As it turns out, though, there are a handful of things that can be used along with OAuth to create an authentication and identity protocol on top of this delegation and authorization protocol. In nearly all of these cases, the core functionality of OAuth remains and what's happening is that the user is delegating access to their identity to the application. The client application then becomes a consumer of the identity API, thereby finding out who authenticated the client in the first place. One major benefit of this approach is that the user can delegate access to other protected APIs along side their identity at the same time, making it much simpler for both application developers and end users to manage. With one call, an application can find out if a user is logged in, what the app should call the user, download photos for printing, and post updates to their message stream. This simplicity is very compelling, but by doing both at the same time, many developers conflate the two functions. Authentication vs. Authorization: a metaphor To help clear things up, it may be helpful to think of the problem in terms of a metaphor: chocolate vs. fudge. From the start, the nature of these two things is quite different: chocolate is an ingredient, fudge is a confection. Chocolate can be used to make many different things, and it can even be used on its own. Fudge can be made out of many different things, and one of those things might be chocolate, but it takes more than one

ingredient to make fudge happen and it might not even involve chocolate. As such, it's incorrect to say that chocolate equals fudge, or even to say thatchocolate equals chocolate fudge. OAuth, in this metaphor, is chocolate. It's a versatile ingredient that is fundamental to a number of different things and can even be used on its own to great effect. Authentication is more like fudge. There are at least a few ingredients that must brought together in the right way to make it work, and OAuth can be one of these ingredients (perhaps the main ingredient) but it doesn't have to be involved at all. You need a recipe that says what to combine and how to combine them, and there are a large number of different recipes that say how that can be accomplished. And in fact, there are a number of well-known recipes out there for doing this with specific providers, like Facebook Connect, Sign In With Twitter, and OpenID Connect (which powers Google's sign-in system, among others). These recipes each add a number of items, such as a common profile API, to OAuth to create an authorization protocol. Common pitfalls for authentication using OAuth Even though it's very possible to use OAuth to build an authentication protocol, there are a number of things that tend to trip up those who who do so, either on the side of the identity provider or on the side of the identity consumer. Access tokens as proof of authentication Since the access token can be traded for a set of user attributes, it is tempting to think that posession of a valid access token is enough to prove that a user is authenticated. This assumption turns out to be true in some cases, where the token was freshly minted in the context of a user being authenticated at the authorization server. However, that's not the only way to get an access token in OAuth. Refresh tokens and assertions can be used to get access tokens without the user being present, and in some cases access grants can occur without the user having to authenticate at all. Furthermore, the access token will generally be usable long after the user is no longer present. This means that if a client wants to make sure that an authentication is still valid, it's not sufficient to simply trade the token for the user's attributes again because the OAuth protected resource, the identity API, has no way of re-authenticating the user. This problem stems from the fact that the client is not the audience of the OAuth access token. Instead, it is the authorized presenter of that token, and the audience is in fact the protected resource. The protected resource is not generally going to be in a position to tell if the user is still present by the token alone, since by the very nature and design of the OAuth protocol the user will not be available on the connection between the client and protected resource. To counter this, there needs to be an artifact that is directed at the client itself. This could be done by dual-purposing the access token, defining a format that the client could parse and understand. However, since general OAuth does not define a specific format or structure for the access token itself, protocols like OpenID Connect and Facebook Connect provide a secondary token along side the access token that communicates the authentication information directly to the client. This allows the primary access token to remain opaque to the client, just like in regular OAuth. Lack of audience restriction Another problem with trading the access token for a set of attributes to get the current user is that most OAuth APIs do not provide any mechanism of audience restriction for the

returned information. In other words, it is very possible to take a naive client, hand it the (valid) token from another client, and have the naive client treat this as a "log in" even. After all, the token is valid and it will return valid user information. The problem is of course that the user hasn't done anything to prove that they're present, and in this case they haven't even authorized the naive client. This problem can be mitigated by communicating the authentication information to a client along with an identifier that the client can recognize and validate, allowing the client to differentiate between an authentication for itself versus an authentication for another application. It is also mitigated by passing the set of authentication information directly to the client during the OAuth process instead of through a secondary mechanism such as an OAuth protected API, preventing a client from having an unknown and untrusted set of information injected later in the process. Injection of invalid user information If an attacker is able to intercept or coopt one of the calls from the client, it could alter the content of the returned user information without the client being able to know anything was amiss. This would allow an attacker to impersonate a user at a naive client by simply swapping out a user identifier in the right call sequence. This can be mitigated by getting the authentication information directly from the identity provider during the authentication protocol process (such as along side the OAuth token) and by protecting the authentication information with a verifiable signature. Different protocols for every potential identity provider One of the biggest problems with OAuth-based identity APIs is that even when using a fully standards-compliant OAuth mechanism, different providers will inevitably implement the details of the actual identity API differently. For example, a user's identifier might be found in a user_id field in one provider but in the subject field in another provider. Even though these are semantically equivalent, they would require two separate code paths to process. In other words, while the authorization may happen the same way at each provider, the conveyance of the authentication information could be different. This problem can be mitigated by providers using a standard authentication protocol built on top of OAuth so that no matter where the identity information is coming from, it is transmitted in the same way. A standard for authentication using OAuth: OpenID Connect OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns. OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and

OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: ID Tokens The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application along side the regular OAuth access token. The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud). Additionally, the ID Token contains information about the token's valid (and usually short) lifetime as well as any information about the authentication context to be conveyed to the client, such as how long ago the user was presented with a primary authentication mecehanism. Since the format of the ID Token is known by the client, it is able to parse the content of the token directly and obtain this information without relying on an external service to do so. Furthermore, it is issued in addition to (and not in lieu of) an access token, allowing the access token to remain opaque to the client as it is defined in regular OAuth. Finally, the token itself is signed by the identity provider's public key, adding an additional layer of protection to the claims inside of it in addition to the TLS transport protection that was used to get the token in the first place, preventing a class of impersonation attacks. By applying a few simple checks to this ID token, a client can protect itself from a large number of common attacks. UserInfo Endpoint In addition to the claims in the ID Token, OpenID Connect defines a standard protected resource that contains claims about the current user. The claims here are not part of the authentication process, as discussed above, but instead provide bundled identity attributes that make the authentication protocol more valuable to application developers. After all, it's preferable to say "Good Morning, Jane Doe" instead of "Good Morning, 9XE3- JI34-00132A". OpenID Connect defines set of standardized OAuth scopes that map to subsets of these attributes, allowing plain OAuth authorization request to carry the necessary information for a request. In particular, the OpenID Connect defines a special openid scope that switches on the issuance of the ID token as well as access to the UserInfo Endpoint by the access token. The OpenID Connect scopes can be used along side more plain OAuth scopes without issue. Dynamic server discovery and client registration OAuth 2.0 was written to allow a variety of different deployments, but by design does not specify how these deployments come to be set up or how the components know about each other. This is OK in the regular OAuth world where one authorizatoin server protects a specific API, and the two are closely coupled. With OpenID Connect, a common protected API is deployed across a wide variety of clients and providers, all of which need to know about each other to operate. It would not be scalable for each client to have to know ahead of time about each provider, and it would be even more unscalable to require each provider to know about each potential client. To counteract this, OpenID Connect defines a discovery protocol that allows clients to easily fetch information on how to interact with a specific identity provider. On the other side of the transaction, OpenID Connect defines a client registration protocol that allows clients to be introduced to new identity providers. By using these two mechanisms and a common

identity API, OpenID Connect can function at internet scale, where no parties have to know about each other ahead of time. Advanced capabilities OpenID Connect also defines a number of advanced capabilities beyond standard OAuth that are suitable for higher security profiles and deployments, including (among others): Public key client authentication Selecting and retrieving specific claims and values from the identity provider Signing and encrypting OAuth requests Session management over time Further Reading In the article OAuth 2.0 and Sign-in, Vittorio Bertocci provides detail on the security boundaries between parties and why the authorization layer makes sense as the lower layer to build on top of. Justin Richer presented a detailed overview of the technologies talked about here in Auth* In the Extended Enterprise at MIT.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback