CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell

MOBILE SSOARE WE THERE YET?

BRIAN CAMPBELL@__b_c

Copyright © 2015 Brian Campbell. All rights reserved. 2

Formalities, Introductions, etc.

• I work @ Ping• You might know me as ‘that guy’ with the camera• Slides will be available

– at http://www.slideshare.net/briandavidcampbell– & at https://twitter.com/__b_c

• 2 underscores +• b +• 1 underscore +• c

Copyright © 2015 Brian Campbell. All rights reserved. 3Yeah, that guy


Formalities, Introductions, etc.

• I work @ Ping• You might know me as ‘that guy’ with the camera• Slides will be available

– at http://www.slideshare.net/briandavidcampbell– & at https://twitter.com/__b_c

• 2 underscores +• b +• 1 underscore +• c


• Disclaimers– Views or opinions presented herein are solely my own

and do not necessarily represent those of the my employer

– Wholly unqualified to talk about mobile– Primarily do server side development– And not even very much of that anymore

• So, um… WTF?– I know a few people involved with CIS– And I do use a mobile phone…

My ‘Safe Harbor’ Slide


Though not very well


But Sometimes…

An outsider’s perspective can help see where things just aren’t quite right

Copyright © 2015 Brian Campbell. All rights reserved. 8as demonstrated by a semi-contrived little story about me and my phone

Premise: Single Sign-On just isn’t quite right

on mobile


I’m very busy and important

As you can see by my

opulent travel budget.


So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…


Just trying to join a meeting while out on the road.
















Please excuse any intermittent time travel.

I had some technical difficulties with

something called “focus” and had to reshoot a few

images.




There’s my meeting!



(This happened on first use a long time ago)




!













Awkw

ard

Tra

nsiti

on


• Behind the Scenes– Web Single Sign-On – OAuth 2.0 (ish)


Web Single Sign-On in one Slide

• Typically– SAML 2.0– OpenID Connect

• But also– SAML 1.1/1.0– OpenID 2.0– WS-Federation

• And maybe– Facebook Connect/Login– Whatever Twitter does– Various non-standard

approaches

Identity Provider

(IDP)

Service Provider

(SP)

Web Single Sign-On (SSO)

You O

nly L

ogin O

nce


OAuth 2.0 in one slide

• client: An application obtaining authorization and making protected resource requests. – Native app on mobile device

• resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).

• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

A few other OAuth terms• Access token (AT) – Presented by client when accessed protected

resources at the RS • Refresh token (RT) - Allows clients to obtain a fresh access token

without re-obtaining authorization • Scope – A permission (or set of permissions) defined by the AS/RS• Authorization endpoint – used by the client to obtain authorization

from the resource owner via user-agent redirection• Token endpoint – used for direct client to AS communication• Authorization Code – One time code issued by an AS to be

exchanged for an AT.

ClientResource

Server

Get a token

Use a token

AuthorizationServer


Web SSO + OAuth = Mobile SSO

Device

NativeApp

System Browser

1

https:// Home Service

12

3

Authorization Endpoint

Token Endpoint

3

45

Enterprise or Social Identity

Provider


(1) Request Authorization• When user first needs to access some

protected resource (not logged in), the app launches the system browser with an authorization request

• ‘IDP Discovery’ can be done in the native application

Device

NativeApp

System Browser

1


1


Token Endpoint


Provider

https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z

A quick note about

Apple…


(1a) PKCE

https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z

• Proof Key for Code Exchange by OAuth Public Clients (PKCE)

– Binds the code exchange to the authorization request

– (RFC in waiting) https://tools.ietf.org/html/draft-ietf-oauth-spop


(2) Authenticate and Approve• Redirect to IDP for SSO & Service Provider

is the SP

Device

NativeApp

System Browser


2


Token Endpoint


Provider

• User approves the requested access

– (don’t skip this)


(3) Handle Callback• Authorization server returns control to the

app using HTTP redirection and includes an authorization code

– URI with a custom scheme registered to the app

• Reversed domain name as redirect_uri scheme

– Resistant to accidental collisions – Proof of domain ownership provides better recourse

against malicious collisions

Device

NativeApp

System Browser


3


Token Endpoint

3


Provider

HTTP/1.1 302 FoundLocation: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4


(4) Trade Code for Token(s)

Device

NativeApp

System Browser



Token Endpoint

4


Provider

POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z

token endpoint request


(4a) PKCE Again





(4b) Trade Code for Token(s)

Device

NativeApp

System Browser



Token Endpoint

4


Provider



HTTP/1.1 200 OKContent-Type: application/json;charset=UTF-8Cache-Control: no-store

{ "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RltacecQriuFfsxV41”, "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc”}


token endpoint response


(5) Use Access TokenAuthenticate/authorize calls to the protected APIs by including AT in the HTTP Authorization header

Device

NativeApp

System Browser



Token Endpoint

5


Provider

POST /api/update-status HTTP/1.1Host: rs.example.orgAuthorization: Bearer PeRTSD9RltacecQriuFfsxV41Content-Type: application/json

{"status" : "almost done with this presentation"}


Rinse and Repeat

• If All Goes well,

• And if not, HTTP 401• Use the refresh token to get a new access token• And if that doesn’t work or you don’t have a

refresh token, initiate the authorization request flow again

HTTP/1.1 200 OK


Some Folks Like to …

Device

NativeApp

System Browser

1


12

3


Token Endpoint

3

45


Provider


… Use a Web-View

Device

NativeApp

1


12

3


Token Endpoint

3

45

Web-View


Provider

but…


The Web-View Anti-Pattern

• Usability Issues– No shared context (cookie)– Requires sign-in once per app even when web SSO is possible

• Security Issues– Web-view typically isn’t sandboxed from invoking app so

credentials and authentication cookies can be stolen– Requires/encourages users to enter credentials without the

address bar and associated visual cues of site authenticity (HTTPS)

• Missing Features– Some web-views unable to access to client certificates– Generally unable to use password managers, etc.


What about OpenID Connect?

• A simple[sic] single sign-on and identity layer on top of OAuth 2.0

• Adds an ID Token (JWT) for user authentication to the client

• And a bunch of other stuff


What about OpenID Connect?

• Great for the web SSO part

• Can be layered on the OAuth part

Device

NativeApp

System Browser

1


12

3


Token Endpoint

3

45


Provider


What about NAPPS?

• Intended to be a profile of OpenID Connect to enable an SSO model for native applications installed on mobile devices

• A Token Agent as the shared context


NAAPS NAPPS is Great!• It’s just not real (yet, anyway)

this one

um, no

“eventually”


Don’t Sleep on NAPPS?

• But not totally incompatible with approach discussed herein– (latest thinking,

anyway)


And really, who couldn’t use more NAPPS?


Near Term Recommendations

• Use OAuth 2.0 + PKCE – & maybe OpenID Connect

• Use Web SSO• Prompt for user consent (every time)• Use the System Browser• Use a reversed Internet domain name in

the custom scheme for the callback URI

MOBILE SSOARE WE THERE YET?

BRIAN CAMPBELL@__b_c

THANKS! (time permitting)

QUESTIONS?

Technology

CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell