Authentication and Single Sign-On for Mobile, Web & Desktop Applications
Authentication scenarios for mobile Applications*
The Microsoft Technology Stack**
Corporate vs Customer facing Applications
*WS-Federation, OpenID Connect, OAuth2
**AD, ADFS, AAD, ADAL, Katana
Agenda
Classic Intranet Scenario
VPN
Bridging the Gap – On Premise
ADFS
Web Application Proxy
Cloud
sync
AAD
Typical Application Scenarios
Protocols: WS-Fed, SAML 2.0, OpenID Connect (first scenario); OAuth2 (the remaining six scenarios)
1. Browser to Web Application
WS-Fed, SAML
2.0, OpenID
Connect
WebApp Service Principal
• App ID URI
• Reply Url
1. Navigate to site
2. Redirect to token service
3. Sign in
4. Send security token to Reply URL
5. Set session
Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
SAML, WS-Fed, or OpenID Connect Endpoint
Katana
Authentication Middleware for ASP.NET
WS-Federation
OpenID Connect
JSON Web Tokens
Cookies
Katana
OpenID Connect – Request
GET /authorize
?client_id=app1
&scope=openid profile
&redirect_uri=https://app.com/cb
&response_type=id_token
&response_mode=form_post
OpenID Connect – Response
<form>
<input type="hidden"
name="id_token"
value="xjsj…aas" />
</form>
POST /callback
JSON Web Tokens (JWT)
Header:
{
  "typ": "JWT",
  "alg": "HS256"
}
Claims:
{
  "iss": "https://login.windows.net",
  "exp": 1340819380,
  "aud": "app1",
  "sub": "182jmm199",
  "email": "[email protected]",
  "email_verified": true,
  "amr": "password",
  "auth_time": 12340819300
}
Encoded (Header.Claims.Signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
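The slides show the OpenID Connect request, the form_post callback and the three JWT segments, but not what the relying party must do with the id_token before setting a session. The following added example (mine, not code from the slides, ADAL or Katana) builds the authorize request with state and nonce, reads the form_post body, and validates the token: algorithm pinned to the expected one, signature checked, then iss, aud, exp and nonce. It uses HS256 with a constructed shared secret because the slide's header says HS256; AAD and ADFS actually sign with RS256, so a real client verifies against the issuer's published signing keys, but the claim checks are identical, and the same aud check is what a Web API applies to an incoming access token against its App ID URI. The issuer, client_id, reply URL, secret and `issue_test_token` helper are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed values for this example: the registration matches the slide's request
# (client_id app1, reply URL https://app.com/cb); the HS256 secret is a placeholder.
ISSUER = "https://login.windows.net"
CLIENT_ID = "app1"
REDIRECT_URI = "https://app.com/cb"
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_request(authority: str, state: str, nonce: str) -> str:
    """The GET /authorize request from the slide, plus state (ties the callback to this
    browser session) and nonce (bound into the id_token so it cannot be replayed)."""
    params = {
        "client_id": CLIENT_ID,
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "response_type": "id_token",
        "response_mode": "form_post",
        "state": state,
        "nonce": nonce,
    }
    return authority + "/authorize?" + urlencode(params)


def issue_test_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token the way a token service would; exists only to produce test input."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def parse_form_post(body: str, expected_state: str) -> str:
    """Extract id_token from the form_post callback body, checking state first."""
    fields = parse_qs(body, strict_parsing=True)
    if fields.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return fields["id_token"][0]


def validate_id_token(token, secret, issuer, audience, nonce, now=None) -> dict:
    """Verify the signature and the iss/aud/exp/nonce claims; return claims on success."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the one configured for this client: a header saying
    # "none" (as in the decoded sample above) or any other alg is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def token_is_valid(token: str, nonce: str, now: int) -> bool:
    """Boolean wrapper around validate_id_token for the configured client."""
    try:
        validate_id_token(token, SHARED_SECRET, ISSUER, CLIENT_ID, nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_request(ISSUER, state, nonce))
    token = issue_test_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "182jmm199",
                              "exp": int(time.time()) + 300, "nonce": nonce}, SHARED_SECRET)
    body = urlencode({"id_token": token, "state": state})
    print(validate_id_token(parse_form_post(body, state), SHARED_SECRET, ISSUER, CLIENT_ID, nonce))
```

The order of checks matters: the algorithm and signature are verified before any claim is read, so an unsigned or foreign-key token never influences the session, and `now` is a parameter so expiry handling can be tested without waiting.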
2. Native Client to Web API
OAuth 2.0
1. Request Authorization Code
Native Client to Web API: OAuth 2.0 auth code grant, public client
NativeApp SP
• Client ID
• Redirect URI
Authorize Endpoint Token Endpoint
ADAL
2. Sign in
3. Return Authorization Code to Redirect URI
User sees web pop up…
Katana
WebAPI SP
• App ID URI
GET https://login/adfs/oauth2/authorize
?response_type=code
&resource=https://myservice
&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
&redirect_uri=http://myclient/
<< Stuff happens here to sign the user in... >>
302 Found http://myclient/
?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…
Authorization Code Request/Response
Web-based
Name/Password
2FA
Kerberos (ADFS)
Client Certificates (ADFS)
Authentication Methods
4. Redeem Authorization Code
Native Client to Web API: OAuth 2.0 auth code grant, public client
Authorize Endpoint Token Endpoint
ADAL
5. Return Access Token, Refresh Token
6. Send Access Token on Authorization Header
Katana
NativeApp SP
• Client ID
• Redirect URI
WebAPI SP
• App ID URI
POST https://login/adfs/oauth2/token
grant_type=authorization_code
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
&client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
&redirect_uri=http://myclient/
&resource=https://myservice
200 OK
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
"token_type":"Bearer",
"expires_in":"3599",
"refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…"}
Token Request/Response
{
"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"
}
{
"aud": "http://myService",
"iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
"iat": 1396468289, "nbf": 1396468289, "exp": 1396472189, "ver": "1.0",
"tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
"oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
"upn": "[email protected]",
"sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",
"family_name": "Baier",
"given_name": "Dominick",
"appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d"
}
Example AAD JWT Access Token (shortened)
http://jwt.io/
Active Directory Authentication Library
Open Source Client Library for
Desktop .NET
Windows RT
Windows Phone
iOS/Android Native
iOS/Android Xamarin
ADAL
https://github.com/AzureAD
ADAL supports token caching (extensible)
Token renewal via existing logon session
Refresh tokens
Token Lifetime Management
Native Client to Web API: Refresh Tokens
Authorize Endpoint Token Endpoint
ADAL
2. Access Token has Expired
3. Request new Access Token with Refresh Token
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header
1. Call WebAPI (Access Token in AuthZ Header)
Katana
NativeApp SP
• Client ID
• Redirect URI
WebAPI SP
• App ID URI
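The authorization code request/response and the refresh token slide above describe the client's side of token lifetime management: redeem the code, cache the result, reuse the access token until it expires, then renew with the refresh token, and fall back to interactive sign-in when the refresh fails. The following added example (mine, not ADAL's code) implements that policy in a small resource-keyed cache. The token endpoint is a constructed stand-in that honours the two grant types shown on the slides with one-time codes and rotating refresh tokens; the client ID, redirect URI, resource and endpoint URL are the values from the slides, the token strings it returns are placeholders, and the 300-second renewal skew is an assumption.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Registration values taken from the slides' request/response samples.
TOKEN_ENDPOINT = "https://login/adfs/oauth2/token"
CLIENT_ID = "fb715b0e-3ca9-45b8-9928-2329a776b42d"
REDIRECT_URI = "http://myclient/"
RESOURCE = "https://myservice"


class TokenError(Exception):
    """The token endpoint answered with an OAuth2 error such as invalid_grant."""


class NeedsInteraction(Exception):
    """No usable token in the cache: the client must run the authorize step again."""


class FakeTokenEndpoint:
    """Constructed stand-in for the ADFS/AAD token endpoint at TOKEN_ENDPOINT.
    Codes are single use; refresh tokens rotate on every use (step 4 of the slide)."""

    def __init__(self, lifetime: int = 3599):
        self.lifetime = lifetime
        self.codes: dict[str, str] = {}           # unused code -> resource
        self.refresh_tokens: dict[str, str] = {}  # live refresh token -> resource

    def issue_code(self, resource: str) -> str:
        code = "AwAB" + secrets.token_urlsafe(24)  # placeholder shaped like the slide's
        self.codes[code] = resource
        return code

    def revoke_all(self) -> None:
        """Simulate a password reset or admin revocation invalidating refresh tokens."""
        self.refresh_tokens.clear()

    def _grant(self, resource: str) -> dict:
        refresh = "AwAB" + secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = resource
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": str(self.lifetime),  # a string, as in the slide's response
                "refresh_token": refresh}

    def post(self, body: str) -> dict:
        form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
        if form.get("client_id") != CLIENT_ID:
            raise TokenError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            # A code is bound to the redirect_uri it was issued for and is consumed on use.
            resource = self.codes.pop(form.get("code"), None)
            if resource is None or form.get("redirect_uri") != REDIRECT_URI:
                raise TokenError("invalid_grant")
            return self._grant(resource)
        if grant == "refresh_token":
            resource = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if resource is None:
                raise TokenError("invalid_grant")
            return self._grant(resource)
        raise TokenError("unsupported_grant_type")


class TokenCache:
    """ADAL-style cache keyed by resource, applying the renewal policy from the slide."""

    def __init__(self, endpoint: FakeTokenEndpoint, skew: int = 300):
        self.endpoint = endpoint
        self.skew = skew  # renew this many seconds before exp to absorb clock drift
        self.entries: dict[str, dict] = {}

    def _store(self, resource: str, response: dict, now: float) -> str:
        self.entries[resource] = {"access_token": response["access_token"],
                                  "expires_at": now + int(response["expires_in"]),
                                  "refresh_token": response.get("refresh_token")}
        return response["access_token"]

    def redeem_code(self, code: str, resource: str, now: float) -> str:
        """Steps 4/5: POST the code (the body from the slide) and cache the tokens."""
        body = urlencode({"grant_type": "authorization_code", "code": code,
                          "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                          "resource": resource})
        return self._store(resource, self.endpoint.post(body), now)

    def acquire_token(self, resource: str, now: float) -> str:
        """Cached token if still fresh, a refreshed one if expired, else NeedsInteraction."""
        entry = self.entries.get(resource)
        if entry is None or not entry["refresh_token"] and entry["expires_at"] - self.skew <= now:
            raise NeedsInteraction(resource)
        if entry["expires_at"] - self.skew > now:
            return entry["access_token"]
        body = urlencode({"grant_type": "refresh_token", "refresh_token": entry["refresh_token"],
                          "client_id": CLIENT_ID, "resource": resource})
        try:
            return self._store(resource, self.endpoint.post(body), now)
        except TokenError:
            # Refresh token revoked or expired: drop the stale entry instead of retrying.
            del self.entries[resource]
            raise NeedsInteraction(resource)


def bearer_header(token: str) -> dict:
    """Step 6: the Authorization header the native client sends to the Web API."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    endpoint, cache = FakeTokenEndpoint(), TokenCache(FakeTokenEndpoint())
    cache.endpoint = endpoint
    print(bearer_header(cache.redeem_code(endpoint.issue_code(RESOURCE), RESOURCE, time.time())))
```

The cache stores the refresh token alongside the access token and only ever presents it to the token endpoint, never to the Web API; the Web API sees just the bearer header. Dropping the entry on a failed refresh is the important edge case: a revoked refresh token must surface as a fresh sign-in, not as an endless retry loop.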
Brand new ADAL.js library (preview)
familiar programming interface, AngularJS support
Support for OAuth2 “Implicit Flow”
simplified flow – no server back-end required
currently AAD only
What about SPAs?
http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/
3. Web Application to Web API
Web App calls Web API using own identity
Trusted Subsystem design
OAuth2 client credential flow or code flow
Web App calls Web API using user identity
OpenID Connect and/or OAuth2 code flow
Options
Web App to Web API: OAuth 2.0 client credentials
1. Signed in, using the web app…
2. Request token (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header
*The application’s credential can be a password, or it can be an assertion (a JWT token) signed with private key.
NativeApp SP
• Client ID
• Credential
WebAPI SP
• App ID URI
Authorize Endpoint Token Endpoint
Katana
ADAL
Katana
Web App to Web API: Delegation with OpenID Connect
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in
4. Return ID Token and
Auth Code to Redirect URI
6. Set session
Authorize Endpoint Token Endpoint
Might require
user consent
NativeApp SP
• Client ID
• Credential
WebAPI SP
• App ID URI
Katana
ADAL
Katana
Web App to Web API: Delegation with OpenID Connect
WIF OWIN
7. Request access token
8. Return access token, refresh token
9. Call web API with Access Token in AuthZ Header
Authorize Endpoint Token Endpoint
ADAL
Katana
ADAL
Katana
NativeApp SP
• Client ID
• Credential
WebAPI SP
• App ID URI
AD traditionally geared towards corporate identities
ADFS & AAD are protocol / infrastructure extensions
What about customer identities & applications?
Where to store identities?
What about social logins?
B2B vs B2C
B2B & B2C Hybrid Architecture
ADFS
Customer Accounts
AAD
Thinktecture
IdentityServer
https://github.com/thinktecture/Thinktecture.IdentityServer.v3
Feature                     ADFS (2012R2)           Azure AD    IdentityServer v3
Type                        Domain joined           SaaS        Standalone
WS-Federation               yes                     yes         yes
WS-Trust                    yes                     no          no
OAuth2 Code Flow            yes                     yes         yes
OAuth2 Resource Owner Flow  no                      yes         yes
OAuth2 Implicit Flow        no                      yes         yes
OAuth2 Client Credentials   no                      yes         yes
Social Logins               no                      no          yes
OpenID Connect              no                      yes         yes
Saml2p                      yes                     yes         no
Price Model                 Part of Windows Server  Freemium    Free (OSS)
http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx
Feature Matrix (non exhaustive)
© 2014 Microsoft Corporation. All rights reserved.
Thank you