Delegated authentication: Knock knock - who's there?
May 08, 2015
OAuth 2
Adam Renberg
Jonas Oscarsson
Sony Mobile, account.sonymobile.com
• Eran Hammer
• OAuth 1.0 2007
• OAuth 1.0a 2009
• OAuth 2.0 2012
• Resource Owner: [email protected]
• Client: ettforum.se
• Authorization Server / Resource Server: example.com
Sequence diagram. Participants: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)
1. Browser -> Client: GET /write-post
2. Client -> Browser: 302, redirect to GET /oauth/authorize at example.com
GET /oauth/authorize
    ?response_type=code
    &client_id=se.ettforum
    &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
    &scope=profile HTTP/1.1
Host: example.com
Record stored by the authorization server when the code is issued:
CODE          HXbKPYnMx7
USER_ID       [email protected]
CLIENT_ID     se.ettforum
SCOPE         profile
REDIRECT_URI  http://www.ettforum.se/login/callback
Sequence diagram. Participants: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)
1. Browser -> Client: GET /sign-in
2. Client -> Browser: 302, redirect to GET /oauth/authorize
3. Browser <-> Authorization Server: login at example.com
4. Authorization Server -> Browser: 302, redirect to GET /login/callback
GET /login/callback?code=HXbKPYnMx7 HTTP/1.1 Host: www.ettforum.se
Sequence diagram. Participants: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com)
1. Browser -> Client: GET /write-post
2. Client -> Browser: 302, redirect to GET /oauth/authorize
3. Browser <-> Authorization Server: login at example.com
4. Authorization Server -> Browser: 302, redirect to GET /login/callback
5. Client -> Authorization Server: POST /oauth/token (server to server, the browser never sees this)
POST /oauth/token HTTP/1.1
Host: example.com

grant_type=authorization_code
&code=HXbKPYnMx7
&client_id=se.ettforum
&client_secret=jybjCBnHCm
&redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
The authorization server checks the token request against the record it stored with the code:
code          HXbKPYnMx7                             = CODE
client_id     se.ettforum                            = CLIENT_ID (client_secret jybjCBnHCm must match the client's registration)
redirect_uri  http://www.ettforum.se/login/callback  = REDIRECT_URI
USER_ID [email protected] and SCOPE profile are taken from the record, not from the request.
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "ZEcRiGOSP4",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "N2LUsdxD5h"
}
Sequence diagram. Participants: Browser (Resource Owner), Client (ettforum.se), Server (example.com, authorization and resource server)
1. Browser -> Client: GET /write-post
2. Client -> Browser: 302, redirect to GET /oauth/authorize
3. Browser <-> Server: login at example.com
4. Server -> Browser: 302, redirect to GET /login/callback
5. Client -> Server: POST /oauth/token
6. Client -> Server: GET /user with the access token
GET /user HTTP/1.1
Host: example.com
Authorization: Bearer ZEcRiGOSP4
HTTP/1.1 200 OK
Content-Type: application/json

{
  "email": "[email protected]",
  "name": "Example User",
  "profile_image": "http://example.com/img/12134.jpg"
}
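The server side of the exchange shown on the slides, as an added example (not the slides' own code): an in-memory authorization server plus resource server for example.com. Endpoint paths, client_id, redirect_uri, scope and the 3600 s lifetime are taken from the slides and the stored record mirrors the CODE / USER_ID / CLIENT_ID / SCOPE / REDIRECT_URI tuple; the user address and the token and code values are constructed placeholders. The checks a practitioner wants are the ones the slides juxtapose: exact redirect_uri match, client secret, code bound to its client, single-use and short-lived codes, and revocation of a token whose code is replayed.

```python
# Added example: toy OAuth 2 authorization + resource server for the
# authorization-code flow on the slides. Not the slides' code.
import secrets
import time
from urllib.parse import urlencode

CLIENTS = {  # client registration; id/URI from the slides, secret is the slide's sample
    "se.ettforum": {
        "client_secret": "jybjCBnHCm",
        "redirect_uris": {"http://www.ettforum.se/login/callback"},
    }
}
USERS = {  # resource-server data; the address is a placeholder (the slide's is redacted)
    "user@example.com": {"name": "Example User",
                         "profile_image": "http://example.com/img/12134.jpg"},
}
CODE_LIFETIME = 60      # seconds; authorization codes are short-lived and single-use
TOKEN_LIFETIME = 3600   # matches expires_in on the slide


class ExampleDotCom:
    """Plays both the authorization server and the resource server."""

    def __init__(self):
        self.codes = {}    # code -> stored record, removed on first use
        self.spent = {}    # used code -> access_token it was exchanged for
        self.tokens = {}   # access_token -> {user_id, scope, expires_at}

    def authorize(self, user_id, client_id, redirect_uri, scope,
                  response_type="code", now=None):
        """GET /oauth/authorize after the user logged in at example.com.
        Returns the Location the browser is redirected to (the 302)."""
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        if response_type != "code":
            raise ValueError("unsupported_response_type")
        # exact match against the registration; a prefix match would let the
        # code be delivered to a path the client did not register
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user_id": user_id, "client_id": client_id,
                            "scope": scope, "redirect_uri": redirect_uri,
                            "expires_at": now + CODE_LIFETIME}
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, form, now=None):
        """POST /oauth/token; `form` is the decoded request body."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        client = CLIENTS.get(form.get("client_id"))
        secret = form.get("client_secret", "")
        if client is None or not secrets.compare_digest(client["client_secret"], secret):
            return 401, {"error": "invalid_client"}
        code = form.get("code", "")
        if code in self.spent:
            # replay of an already-used code: revoke the token it produced (RFC 6749 4.1.2)
            self.tokens.pop(self.spent.pop(code), None)
            return 400, {"error": "invalid_grant"}
        record = self.codes.pop(code, None)          # pop: the code is single-use
        if record is None or record["expires_at"] < now:
            return 400, {"error": "invalid_grant"}
        # the code is bound to the client and redirect_uri it was issued for
        if (record["client_id"] != form["client_id"]
                or record["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.spent[code] = access_token
        self.tokens[access_token] = {"user_id": record["user_id"],
                                     "scope": record["scope"],
                                     "expires_at": now + TOKEN_LIFETIME}
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": TOKEN_LIFETIME,
                     "refresh_token": secrets.token_urlsafe(24)}

    def user(self, authorization, now=None):
        """GET /user on the resource server, Authorization: Bearer ... (RFC 6750)."""
        now = time.time() if now is None else now
        scheme, _, value = authorization.partition(" ")
        if scheme != "Bearer" or not value:
            return 401, {"error": "invalid_request"}
        tok = self.tokens.get(value)
        if tok is None or tok["expires_at"] < now:
            return 401, {"error": "invalid_token"}
        if "profile" not in tok["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"email": tok["user_id"], **USERS[tok["user_id"]]}
```

The `now` parameter exists only so the expiry paths can be exercised deterministically; a real deployment would also persist `codes`, `spent` and `tokens` outside the process and hash the stored token values.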
Sequence diagram, complete flow. Participants: Browser (Resource Owner), Client (ettforum.se), Server (example.com)
1. Browser -> Client: GET /write-post
2. Client -> Browser: 302, redirect to GET /oauth/authorize
3. Browser <-> Server: login at example.com
4. Server -> Browser: 302, redirect to GET /login/callback
5. Client -> Server: POST /oauth/token
6. Client -> Server: GET /user
7. Client -> Browser: 302 back to /write-post
8. Browser -> Client: GET /write-post
9. Client -> Browser: 200
Mission Accomplished
How do we do it?
Valtech IDP
[Diagram] Heroku apps and an Azure app -> OAuth 2 -> Valtech IDP -> LDAP -> Valtech AD
• Redirect to /oauth/authorize
• Receive a code
• Exchange the code for an access_token
using System;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.OAuth2;

[AllowAnonymous]
public class LoginController : Controller
{
    private readonly ValtechIdpClient client;

    public LoginController()
    {
        // Client id and secret come from configuration, never from source.
        client = new ValtechIdpClient()
        {
            ClientIdentifier = Config.GetOAuthClientId(),
            ClientCredentialApplicator = ClientCredentialApplicator.NetworkCredential(
                Config.GetOAuthClientSecret())
        };
    }

    // Step 1: redirect the browser to /oauth/authorize.
    public ActionResult Index()
    {
        if (Request.IsAuthenticated)
            return RedirectToAction("Index", "Consultants");

        // DotNetOpenAuth writes the 302 to the response itself, so there is
        // nothing left for MVC to render.
        client.RequestUserAuthorization(new string[] { "none" },
            new Uri(Config.GetOAuthClientRedirectUri()));
        return null;
    }

    // Steps 2 and 3: receive the code on the callback and exchange it for
    // an access_token (DotNetOpenAuth does the POST /oauth/token).
    public ActionResult Callback()
    {
        IAuthorizationState auth = client.ProcessUserAuthorization();
        if (auth == null)
        {
            // Not a valid authorization response (missing/forged code or
            // state): start over instead of dereferencing null.
            return RedirectToAction("Index");
        }

        // The access token is used as the forms-auth identity.
        FormsAuthentication.SetAuthCookie(auth.AccessToken, false);
        return RedirectToAction("Index", "Consultants");
    }
}
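The same three client steps in plain Python, as an added example that is not the slides' or Valtech's code: it shows the work that the LoginController above delegates to DotNetOpenAuth. Endpoints, client_id, client_secret and redirect_uri are the slides' values; `session` is a plain dict standing in for the user's server-side session, and `http_post(url, data)` is a hypothetical injected transport returning `(status, json_body)`. The `state` parameter is added here to bind the callback to the session that started the login (RFC 6819 section 4.4.1.8); it is not on the slides.

```python
# Added example: the OAuth 2 client side (redirect, receive code, exchange code).
# Not the slides' code; `http_post` is an injected transport (hypothetical).
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "http://example.com/oauth/authorize"
TOKEN_URL = "http://example.com/oauth/token"
CLIENT_ID = "se.ettforum"
CLIENT_SECRET = "jybjCBnHCm"   # slide value; in a real client this is loaded from config
REDIRECT_URI = "http://www.ettforum.se/login/callback"


def start_login(session, scope="profile"):
    """Step 1: build the Location for the 302 to /oauth/authorize.
    A fresh `state` is stored in the session and echoed back on the callback."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})


def handle_callback(session, callback_url, http_post):
    """Steps 2 and 3: take the code from /login/callback and swap it for an
    access_token. Returns the token response or raises on any mismatch."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    expected = session.pop("oauth_state", None)        # single use, like the code
    if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError("authorization server returned " + params["error"])
    code = params.get("code")
    if not code:
        raise ValueError("callback carried no code")
    status, body = http_post(TOKEN_URL, {
        "grant_type": "authorization_code", "code": code,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI})   # must equal the URI sent in step 1
    if status != 200 or body.get("token_type", "").lower() != "bearer":
        raise ValueError("token exchange failed: %s %s" % (status, body))
    session["access_token"] = body["access_token"]
    return body
```

The code in the callback is never trusted on its own: the session must hold a matching `state`, and only the back-channel POST (carrying the client secret) turns the code into a token, which is why the browser never sees `client_secret` or the access token in the slides' flow.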
• RFC6749 (OAuth 2.0)
• RFC6750 (Bearer Tokens)
• RFC6819 (Threat Model)