Delegated authentication: Knock knock - who's there?

May 08, 2015


Technology

Valtech AB

Adam Renberg & Jonas Oscarsson, Valtech
We talk about login and OAuth 2 at a technical level. Do you GET it?

GET /oauth/authorize
?response_type=code
&client_id=se.ettforum
&redirect_uri=...
&scope=profile HTTP/1.1
Host: example.com
Transcript
Page 1: Knock knock - who's there?

Delegated authentication

Knock knock - who's there?

Page 15: Knock knock - who's there?

OAuth 2

Page 16: Knock knock - who's there?

Adam Renberg

Jonas Oscarsson

Page 17: Knock knock - who's there?

Sony Mobile

account.sonymobile.com

Page 20: Knock knock - who's there?

• Eran Hammer

• OAuth 1.0 2007

• OAuth 1.0a 2009

• OAuth 2.0 2012

Page 21: Knock knock - who's there?

• Resource Owner [email protected]

• Client ettforum.se

• Authorization Server / Resource Server example.com

Page 32: Knock knock - who's there?

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)

GET /write-post (browser -> client)
302 (client -> browser)
GET /oauth/authorize (browser -> authorization server)

Page 33: Knock knock - who's there?

GET /oauth/authorize
    ?response_type=code
    &client_id=se.ettforum
    &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
    &scope=profile HTTP/1.1
Host: example.com
Page 41: Knock knock - who's there?

CODE         HXbKPYnMx7

USER_ID      [email protected]

CLIENT_ID    se.ettforum

SCOPE        profile

REDIRECT_URI http://www.ettforum.se/login/callback

Page 47: Knock knock - who's there?

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)

GET /sign-in (browser -> client)
302 (client -> browser)
GET /oauth/authorize (browser -> authorization server)
Login (resource owner logs in at the authorization server)
302 (authorization server -> browser)
GET /login/callback (browser -> client)

Page 48: Knock knock - who's there?

GET /login/callback?code=HXbKPYnMx7 HTTP/1.1
Host: www.ettforum.se

Page 49: Knock knock - who's there?

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)

302 (client -> browser), GET /oauth/authorize (browser -> authorization server)
Login (resource owner logs in at the authorization server)
302 (authorization server -> browser), GET /login/callback (browser -> client)
POST /oauth/token (client -> authorization server, back channel)
GET /write-post (browser -> client)

Page 50: Knock knock - who's there?

POST /oauth/token HTTP/1.1
Host: example.com

grant_type=authorization_code
&code=HXbKPYnMx7
&client_id=se.ettforum
&client_secret=jybjCBnHCm
&redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback

Page 54: Knock knock - who's there?

grant_type=authorization_code
&code=HXbKPYnMx7
&client_id=se.ettforum
&client_secret=jybjCBnHCm
&redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback

CODE         HXbKPYnMx7

USER_ID      [email protected]

CLIENT_ID    se.ettforum

SCOPE        profile

REDIRECT_URI http://www.ettforum.se/login/callback
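The slide pairs the token request with the record the authorization server stored when it issued the code (CODE, USER_ID, CLIENT_ID, SCOPE, REDIRECT_URI). The example below is added here and is not code from the deck or from Valtech: it shows the checks an authorization server makes with that record on /oauth/authorize, /oauth/token and the bearer-protected /user. The client_id, secret, redirect URI and token lifetime are the slide's values; the code lifetime, the user alice@example.com and the wrong-input cases in run_flow are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Registered clients. client_id and secret are the ones on the slides; the
# registered redirect URI is the one the deck's authorize request sends.
CLIENTS = {
    "se.ettforum": {"secret": "jybjCBnHCm",
                    "redirect_uris": {"http://www.ettforum.se/login/callback"}},
}
CODE_LIFETIME = 60   # seconds a code stays valid (assumed value; RFC 6749 only says "short")


@dataclass
class CodeRecord:
    """What the server stores when it issues a code (the slide's CODE/USER_ID/CLIENT_ID/SCOPE/REDIRECT_URI row)."""
    code: str
    user_id: str
    client_id: str
    scope: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.codes = {}     # code -> CodeRecord
        self.tokens = {}    # access_token -> {user_id, scope, expires_at}
        self.clock = clock  # injectable so expiry can be tested

    def authorize(self, params, user_id):
        """GET /oauth/authorize, after the resource owner has logged in and approved.
        Returns the Location of the 302 back to the client."""
        client = CLIENTS.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri")
        # Exact match against the registered URI (no prefix matching). On a bad
        # client_id or redirect_uri the server must NOT redirect (RFC 6749 4.1.2.1).
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if params.get("response_type") != "code":
            return redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})
        code = secrets.token_urlsafe(24)
        self.codes[code] = CodeRecord(code, user_id, params["client_id"],
                                      params.get("scope", ""), redirect_uri, self.clock())
        query = {"code": code}
        if "state" in params:            # echoed back unchanged for the client to check
            query["state"] = params["state"]
        return redirect_uri + "?" + urlencode(query)

    def token(self, form):
        """POST /oauth/token: every field of the request is compared with the record
        stored when the code was issued; any mismatch is refused."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        rec = self.codes.get(form.get("code", ""))
        if rec is None or rec.used or self.clock() - rec.issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant"}
        # The code was issued to one client for one redirect_uri; both must match.
        if rec.client_id != form["client_id"] or rec.redirect_uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        rec.used = True                  # single use: a replayed code is refused
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"user_id": rec.user_id, "scope": rec.scope,
                               "expires_at": self.clock() + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(24)}

    def user(self, authorization_header):
        """GET /user on the resource server: validate the bearer token (RFC 6750)."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.tokens.get(token)
        if scheme != "Bearer" or info is None or info["expires_at"] <= self.clock():
            return {"error": "invalid_token"}
        return {"email": info["user_id"], "scope": info["scope"]}


def code_from_location(location):
    """Pull the code out of the 302 Location the client receives."""
    return parse_qs(urlparse(location).query)["code"][0]


def run_flow(server=None):
    """Run the deck's exchange end to end, plus the three mistakes the checks exist
    for: wrong redirect_uri, wrong client secret, replayed code."""
    server = server or AuthorizationServer()
    location = server.authorize(
        {"response_type": "code", "client_id": "se.ettforum", "scope": "profile",
         "redirect_uri": "http://www.ettforum.se/login/callback", "state": "xyz"},
        user_id="alice@example.com")     # constructed user, not the one on the slides
    qs = parse_qs(urlparse(location).query)
    base = {"grant_type": "authorization_code", "code": code_from_location(location),
            "client_id": "se.ettforum", "client_secret": "jybjCBnHCm",
            "redirect_uri": "http://www.ettforum.se/login/callback"}
    out = {"state_echoed": qs["state"][0] == "xyz",
           "wrong_redirect": server.token({**base, "redirect_uri": "http://www.ettforum.se/"}),
           "wrong_secret": server.token({**base, "client_secret": "guess"}),
           "ok": server.token(base)}
    out["replay"] = server.token(base)
    out["user"] = server.user("Bearer " + out["ok"]["access_token"])
    return out
```

run_flow() returns the slide's happy path together with the refused variants; the redirect_uri mismatch and the replay both come back as invalid_grant, the bad secret as invalid_client, and the code is consumed by the first successful exchange only.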

Page 59: Knock knock - who's there?

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "ZEcRiGOSP4",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "N2LUsdxD5h"
}

Page 63: Knock knock - who's there?

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Server (example.com, authorization and resource server)

302 (client -> browser), GET /oauth/authorize (browser -> server)
Login (resource owner logs in at the server)
302 (server -> browser), GET /login/callback (browser -> client)
POST /oauth/token (client -> server, back channel)
GET /user (client -> server, with the access token)
GET /write-post (browser -> client)

Page 64: Knock knock - who's there?

GET /user HTTP/1.1
Host: example.com
Authorization: Bearer ZEcRiGOSP4

Page 66: Knock knock - who's there?

HTTP/1.1 200 OK
Content-Type: application/json

{
  "email": "[email protected]",
  "name": "Example User",
  "profile_image": "http://example.com/img/12134.jpg"
}

Page 67: Knock knock - who's there?

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Server (example.com, authorization and resource server)

GET /write-post (browser -> client)
302 (client -> browser), GET /oauth/authorize (browser -> server)
Login (resource owner logs in at the server)
302 (server -> browser), GET /login/callback (browser -> client)
POST /oauth/token (client -> server, back channel)
GET /user (client -> server, with the access token)
302 (client -> browser)
GET /write-post (browser -> client)
200 (client -> browser)

Page 68: Knock knock - who's there?

Mission Accomplished


Page 73: Knock knock - who's there?

How do we do it?

Page 74: Knock knock - who's there?

Architecture diagram: Heroku apps and an Azure app -> OAuth 2 -> Valtech IDP -> LDAP -> Valtech AD


• Redirect to /oauth/authorize

• Receive a code

• Exchange the code for an access_token
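The three client steps above, written out in plain Python as an added example; this is not code from the deck or from Valtech's login controller, and the token endpoint it talks to is a constructed stand-in that accepts exactly the code, client secret and redirect URI shown on the slides and answers with the slide's token response. The example adds one thing the deck's authorize request does not carry: a state parameter. RFC 6749 section 10.12 requires it, and RFC 6819 (cited at the end of the deck) describes the login CSRF it stops: a callback URL carrying an attacker's code, opened in the victim's browser, must not log the victim in as the attacker.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "http://example.com/oauth/authorize"   # endpoints from the deck
TOKEN_URL = "http://example.com/oauth/token"


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, post):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        # post(url, form) -> dict is injected so the example runs offline;
        # in production it is an HTTPS POST to the token endpoint.
        self.post = post

    def start(self, session, scope="profile"):
        """Step 1: the Location of the 302 to /oauth/authorize. The random state is
        kept in the user's server-side session so the callback can be tied to this browser."""
        state = secrets.token_urlsafe(16)
        session["oauth_state"] = state
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, callback_url, session):
        """Steps 2 and 3: read the code from GET /login/callback, check the state,
        then exchange the code for tokens on the back channel."""
        q = parse_qs(urlparse(callback_url).query)
        expected = session.pop("oauth_state", None)     # one attempt per state
        got = q.get("state", [""])[0]
        if not expected or not hmac.compare_digest(expected, got):
            raise PermissionError("state mismatch: callback was not started by this session")
        if "error" in q:
            raise PermissionError("authorization server returned " + q["error"][0])
        tokens = self.post(TOKEN_URL, {
            "grant_type": "authorization_code", "code": q["code"][0],
            "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri})         # must equal the one sent in step 1
        if "access_token" not in tokens or tokens.get("token_type") != "Bearer":
            raise PermissionError("token exchange failed: " + str(tokens))
        return tokens

    @staticmethod
    def bearer_header(tokens):
        """The header the client then sends on GET /user (RFC 6750)."""
        return {"Authorization": "Bearer " + tokens["access_token"]}


def fake_token_endpoint(url, form):
    """Constructed stand-in for example.com's /oauth/token: it accepts the slide's
    code, client secret and redirect URI and returns the slide's token response."""
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return {"error": "invalid_request"}
    if form.get("client_id") != "se.ettforum" or form.get("client_secret") != "jybjCBnHCm":
        return {"error": "invalid_client"}
    if (form.get("code") != "HXbKPYnMx7"
            or form.get("redirect_uri") != "http://www.ettforum.se/login/callback"):
        return {"error": "invalid_grant"}
    return {"access_token": "ZEcRiGOSP4", "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": "N2LUsdxD5h"}


def demo():
    client = OAuthClient("se.ettforum", "jybjCBnHCm",
                         "http://www.ettforum.se/login/callback", fake_token_endpoint)
    session = {}                                    # the user's server-side session
    location = client.start(session)
    state = parse_qs(urlparse(location).query)["state"][0]
    # Normal case: the browser comes back with the code and the state it was sent with.
    tokens = client.callback(
        "http://www.ettforum.se/login/callback?code=HXbKPYnMx7&state=" + state, session)
    # Login CSRF: a callback URL with a code the attacker obtained for their own
    # authorization is opened in another user's browser. The state in that URL does
    # not match the one in this session, so the exchange is refused.
    victim_session = {}
    client.start(victim_session)
    try:
        client.callback("http://www.ettforum.se/login/callback?code=HXbKPYnMx7&state=forged",
                        victim_session)
        csrf_blocked = False
    except PermissionError:
        csrf_blocked = True
    return {"tokens": tokens, "header": client.bearer_header(tokens), "csrf_blocked": csrf_blocked}
```

demo() returns the slide's token response and Authorization header for the genuine callback and reports the forged callback as blocked; the state is removed from the session on first use, so a second callback for the same state is refused as well.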

Page 80: Knock knock - who's there?

using System;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.OAuth2;

[AllowAnonymous]
public class LoginController : Controller
{
    private readonly ValtechIdpClient client;

    public LoginController()
    {
        // ValtechIdpClient wraps DotNetOpenAuth's WebServerClient for the Valtech IDP.
        // The client secret is only ever sent on the back-channel token request.
        client = new ValtechIdpClient()
        {
            ClientIdentifier = Config.GetOAuthClientId(),
            ClientCredentialApplicator = ClientCredentialApplicator.NetworkCredential(
                Config.GetOAuthClientSecret())
        };
    }

    // Step 1: redirect the browser to /oauth/authorize (the library writes the 302).
    public ActionResult Index()
    {
        if (Request.IsAuthenticated)
            return RedirectToAction("Index", "Consultants");

        client.RequestUserAuthorization(new string[] { "none" }, new Uri(Config.GetOAuthClientRedirectUri()));
        return null;
    }

    // Steps 2 and 3: receive the code on the redirect URI and exchange it for an
    // access token; ProcessUserAuthorization does the POST to /oauth/token.
    public ActionResult Callback()
    {
        IAuthorizationState auth = client.ProcessUserAuthorization();
        // The access token itself is used as the forms-authentication user name.
        FormsAuthentication.SetAuthCookie(auth.AccessToken, false);
        return RedirectToAction("Index", "Consultants");
    }
}

Page 81: Knock knock - who's there?

• RFC6749 (OAuth 2.0)

• RFC6750 (Bearer Tokens)

• RFC6819 (Threat Model)

Page 82: Knock knock - who's there?


[email protected] [email protected]