Knock knock - who's there?

DESCRIPTION

Adam Renberg & Jonas Oscarsson, Valtech. We talk about login and OAuth 2 at a technical level. Do you GET it?

GET /oauth/authorize
    ?response_type=code
    &client_id=se.ettforum
    &redirect_uri=...
    &scope=profile HTTP/1.1
Host: example.com

Delegated authentication

Knock knock - who's there?

OAuth 2

Adam Renberg

Jonas Oscarsson

Sony Mobile: account.sonymobile.com

• Eran Hammer

• OAuth 1.0 2007

• OAuth 1.0a 2009

• OAuth 2.0 2012

• Resource Owner: user@example.com

• Client: ettforum.se

• Authorization Server / Resource Server: example.com

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com). GET /write-post to the client, 302, GET /oauth/authorize at the authorization server.

GET /oauth/authorize
    ?response_type=code
    &client_id=se.ettforum
    &redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback
    &scope=profile HTTP/1.1
Host: example.com

Issued authorization code, as stored by the authorization server:

CODE          HXbKPYnMx7
USER_ID       user@example.com
CLIENT_ID     se.ettforum
SCOPE         profile
REDIRECT_URI  http://www.ettforum.se/login/callback

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com). GET /sign-in, 302, GET /oauth/authorize, login at example.com, 302, GET /login/callback.

GET /login/callback?code=HXbKPYnMx7 HTTP/1.1
Host: www.ettforum.se

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Authorization Server (example.com). 302, GET /oauth/authorize, login, 302, GET /login/callback, POST /oauth/token, GET /write-post.

POST /oauth/token HTTP/1.1
Host: example.com

grant_type=authorization_code
&code=HXbKPYnMx7
&client_id=se.ettforum
&client_secret=jybjCBnHCm
&redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback

The authorization server checks the token request body against the stored code record: the code must exist, and client_id and redirect_uri must match what the code was issued for.

grant_type=authorization_code
&code=HXbKPYnMx7
&client_id=se.ettforum
&client_secret=jybjCBnHCm
&redirect_uri=http%3A%2F%2Fwww.ettforum.se%2Flogin%2Fcallback

CODE          HXbKPYnMx7
USER_ID       user@example.com
CLIENT_ID     se.ettforum
SCOPE         profile
REDIRECT_URI  http://www.ettforum.se/login/callback

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "ZEcRiGOSP4",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "N2LUsdxD5h"
}
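As an added example (not code from the talk or from Valtech's IDP), here is the authorization server side of the exchange the slides show, in Python: the token endpoint validates the POST /oauth/token form against the stored code record (client secret, client_id, exact redirect_uri, single use, expiry) and issues the JSON token response, and the resource endpoint resolves a Bearer token for GET /user. The names token_endpoint, user_endpoint, CLIENTS, CODES, TOKENS and USERS, and the sample data, are constructed for the example.

```python
import secrets

# Constructed sample data mirroring the slides: one registered client and one
# freshly issued authorization code record (CODE, USER_ID, CLIENT_ID, SCOPE,
# REDIRECT_URI). A real server keeps these in a database.
CODE_LIFETIME = 600          # RFC 6749 recommends a code lifetime of at most 10 min
CLIENTS = {"se.ettforum": "jybjCBnHCm"}          # client_id -> client_secret
CODES = {"HXbKPYnMx7": {"user_id": "user@example.com",
                        "client_id": "se.ettforum",
                        "scope": "profile",
                        "redirect_uri": "http://www.ettforum.se/login/callback",
                        "issued_at": 1_000_000.0}}
TOKENS = {}                  # access_token -> {"user_id", "scope"}
USERS = {"user@example.com": {"email": "user@example.com",
                              "name": "Example User",
                              "profile_image": "http://example.com/img/12134.jpg"}}

def token_endpoint(form, now):
    """Handle POST /oauth/token; `form` is the parsed body, `now` a timestamp.
    Returns (status, json_body). Each check matches a field of the stored record."""
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    client_id = form.get("client_id", "")
    # Client authentication: constant-time compare against the registered secret
    if not secrets.compare_digest(CLIENTS.get(client_id, ""), form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    # pop(): a code is single use, and it is burned even if the checks below fail
    record = CODES.pop(form.get("code"), None)
    if record is None:
        return 400, {"error": "invalid_grant"}
    # The code must have been issued to this client and this exact redirect_uri,
    # and must not have expired
    if (record["client_id"] != client_id
            or record["redirect_uri"] != form.get("redirect_uri")
            or now - record["issued_at"] > CODE_LIFETIME):
        return 400, {"error": "invalid_grant"}
    access = secrets.token_urlsafe(8)
    TOKENS[access] = {"user_id": record["user_id"], "scope": record["scope"]}
    return 200, {"access_token": access, "token_type": "Bearer",
                 "expires_in": 3600, "refresh_token": secrets.token_urlsafe(8)}

def user_endpoint(authorization_header):
    """Handle GET /user: resolve the Bearer token to the resource owner's profile."""
    scheme, _, token = authorization_header.partition(" ")
    grant = TOKENS.get(token) if scheme == "Bearer" else None
    if grant is None or "profile" not in grant["scope"].split():
        return 401, {"error": "invalid_token"}
    return 200, USERS[grant["user_id"]]
```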

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Server (example.com). 302, GET /oauth/authorize, login, 302, GET /login/callback, POST /oauth/token, GET /user, GET /write-post.

GET /user HTTP/1.1
Host: example.com
Authorization: Bearer ZEcRiGOSP4

HTTP/1.1 200 OK
Content-Type: application/json

{
  "email": "user@example.com",
  "name": "Example User",
  "profile_image": "http://example.com/img/12134.jpg"
}

Sequence diagram: Browser (Resource Owner), Client (ettforum.se), Server (example.com). GET /write-post, 302, GET /oauth/authorize, login, 302, GET /login/callback, POST /oauth/token, GET /user, 302, GET /write-post, 200.

Mission Accomplished

How do we do it?

Architecture diagram: Heroku apps and an Azure app talk OAuth 2 to Valtech IDP, which talks LDAP to Valtech AD.

• Redirect to /oauth/authorize

• Receive a code

• Exchange the code for an access_token

using System;
using System.Web.Mvc;
using System.Web.Security;

[AllowAnonymous]
public class LoginController : Controller
{
    // ValtechIdpClient wraps the DotNetOpenAuth OAuth 2 web server client for the Valtech IDP
    private readonly ValtechIdpClient client;

    public LoginController()
    {
        client = new ValtechIdpClient()
        {
            ClientIdentifier = Config.GetOAuthClientId(),
            // Attaches the client secret when the code is exchanged at the token endpoint
            ClientCredentialApplicator = DotNetOpenAuth.OAuth2.ClientCredentialApplicator.NetworkCredential(
                Config.GetOAuthClientSecret())
        };
    }

    // Step 1: redirect the browser to /oauth/authorize
    public ActionResult Index()
    {
        if (Request.IsAuthenticated)
            return RedirectToAction("Index", "Consultants");
        // RequestUserAuthorization writes the 302 to the response itself, so nothing is returned
        client.RequestUserAuthorization(new string[] { "none" },
            new Uri(Config.GetOAuthClientRedirectUri()));
        return null;
    }

    // Steps 2 and 3: receive the code on the callback and exchange it for an access_token
    public ActionResult Callback()
    {
        DotNetOpenAuth.OAuth2.IAuthorizationState auth = client.ProcessUserAuthorization();
        // Null when the callback carries no usable code (e.g. the user denied access)
        if (auth == null)
            return RedirectToAction("Index");
        FormsAuthentication.SetAuthCookie(auth.AccessToken, false);
        return RedirectToAction("Index", "Consultants");
    }
}

• RFC6749 (OAuth 2.0)

• RFC6750 (Bearer Tokens)

• RFC6819 (Threat Model)


adam.renberg@valtech.se jonas.oscarsson@valtech.se
