Uploaded by shiu-fun-poon
IBM Confidential
Token: OAuth/OIDC/JWT/SAML
[email protected], STSM, Security, APIc/GW, Cloud Division
SAML
Source: http://www.ibm.com/developerworks/library/ws-SAMLWAS/

OIDC
Source: http://openid.net/connect
Protocol: SAML vs OAuth 2.0 vs OpenID

OAuth 2.0
• Delegated authorization
• Permission: Allow/Denied
• IETF RFC 6749
• access_token (RFC 6750)
• Bearer*
• * Vendor specified
• Introspection: IETF RFC 7662

OpenID Connect
• Authentication: Who are you?
• OpenID.net
• Extends OAuth 2.0 with user information
• id_token
• JSON Web Token (JWT): signed with JWS, encrypted with JWE, or signed & encrypted

SAML
• Federated identity: Who are you?
• Permission: Allow/Denied
• OASIS / WS-*
• SAML Assertion
• 1.0, 1.1, 2.0
• XML based
• Signed/Encrypted
[Token] SAML vs access_token (Bearer) vs id_token (JWT)

• Identity assertion token: SAML or id_token (JWT)
  e.g. ‘WickedPrinterApp’ requires Alice to authenticate successfully before presenting its service
• Authorization token: SAML or access_token (bearer)
  e.g. ‘WickedPrinterApp’ can print Alice’s photo if the access_token is valid

SAML:
<saml:Assertion xmlns:…>
  <saml:Issuer>…</saml:Issuer>
  <saml:Subject>...</saml:Subject>
  <saml:Conditions>...</saml:Conditions>
  .....
</saml:Assertion>

access_token (HTTP header):
Authorization: Bearer xyzjj….........
Ø Apply introspection (RFC 7662) against the token:
{"active":true,"token_type":"bearer","client_id":"spoon-application","username":"shiufun","sub":"shiufun","exp":1504323675,…}

id_token (HTTP header):
Authorization: Bearer xxx.yyy.zzzz
unpacked into
{"alg":"HS256"}.
{"iss":"xx","sub":"yy"…}.
zzzz
[Token] SAML vs access_token (Bearer) vs id_token (JWT)

Format: SAML = XML based (OASIS); access_token = Opaque (RFC 6750)*; id_token = JSON Web Token (RFC 7519)
Transport: SAML = HTTP(s), payload; access_token = HTTP(s), payload; id_token = HTTP(s), payload
Security/validation: SAML = WS-Security specification; access_token = Introspection (RFC 7662); id_token = JOSE (JWS/JWE)
Typical consumer: SAML = Web service/WebApp; access_token = WebApp/Mobile; id_token = WebApp/Mobile

* Binary vs defined format
* SAML for OAuth: authenticate resource owner or application
* JWT for OAuth: authenticate resource owner or client
SAML
• Specification is well established
• Confidentiality/Integrity
• How to protect it during transit
• Replay?
• Condition?
• Authentication/Attribute/Authorization Statement
https://www.oasis-open.org/committees/download.php/8733/sstc-saml-sec-consider-2.0-draft-05-diff.pdf
OAuth 2.0/OIDC
• Redirect_uri
• Client/application
  • How secure is its credential
  • How to securely store the permission
  • *well-behaved*
  • Application authenticity
• Session management of the end user
  • How to authenticate the user
  • Web application, API application
  • Follow the best practice to prevent CSRF, XSS, Session
https://tools.ietf.org/html/rfc6819
Transit/local storage
• TLS/SSL
• Who keeps the token securely once it is issued
• Token/Session management
• TTL == infinity, what could go wrong (?)
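The id_token unpacking shown earlier (header.payload.signature, alg HS256) and the TTL question above can be demonstrated together. The example below is added here and is not the deck's or IBM's code: it splits a compact JWS, pins the algorithm, verifies the HS256 signature, and rejects tokens whose exp is missing (TTL == infinity) or already passed. The demo key, the mint_hs256 helper and the "xx"/"yy" claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment uses the secret shared with the issuer.
HMAC_KEY = b"constructed-demo-key-not-for-production"

def b64url_decode(part: str) -> bytes:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature for a constructed test token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Unpack xxx.yyy.zzzz, verify the JWS signature, then check the claims.
    Raises ValueError on any failure; returns the verified claims otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (e.g. alg=none).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # A token without exp has TTL == infinity: a stolen copy never stops working.
    if "exp" not in claims:
        raise ValueError("missing exp claim (unbounded lifetime)")
    if now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims
```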