Access Management for Cloud and Mobile

2013 Open Stack Identity Summit - France Access Management for Cloud and Mobile

Upload: forgerock

Posted on 28-Nov-2014


DESCRIPTION

Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013

TRANSCRIPT

Page 1: Access Management for Cloud and Mobile

2013 Open Stack Identity Summit - France

Access Management for Cloud and Mobile

Page 2

Diagram: classic web access management. Labels: Single Sign On; Web Application; Fat Client Application; web gateway; SP; IDP; Federation.

Stateful Session or Stateless Session; Session Store (memory or persisted) with option to enable session failover/replication.

Authentication, Authorization, Attributes.

Session lifecycle: create, leverage & upgrade session; leverage session. Session Lifecycle Management.

Page 3

The Good, The Bad and The Ugly

“You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”

Page 4

On-Premise vs Cloud/Social/Mobile

On-Premise: SOAP, XML
Cloud/Social/Mobile: REST, JSON

Page 5

OAuth2, OpenID Connect, REST

Diagram: OpenAM Core exposes REST Endpoints over HTTP(S)/JSON to Mobile, Social, Cloud, Enterprise and Things. OpenAM Core services: AuthN, AuthZ, Session Validation, Identity Management, OAuth2, Realm Mgmt, OpenID Connect, Logging.

Page 6

Diagram: Web Apps, Native Apps and a Login App talk to OpenAM over REST, OAuth2 and OpenID Connect. OpenAM capabilities: Authentication, Authorization, Attribute Delivery, Federation, SSO, Token Persistence, Session Mgmt, OAuth2 Provider. Deployment: Cloud, Enterprise, Mobile. Tagline: IAM for the Modern Web.

Page 7

“You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”

Demo

Page 8

OAuth2 Demo (2 native apps on iPhone)

• Obtains an OAuth2 refresh token and access token using the Authorization Code Grant and stores them locally in the iPhone keychain
• Accesses user profile info with the access token
• Refreshes the access token when it expires using the refresh token

SSO Demo

• Retrieves the access token from the iPhone keychain
• Accesses user profile info with the access token

Page 9

Page 10

OAuth2

• Authorization protocol
• Grant access to third parties
• Parties do not share sensitive user information, i.e. no credentials are shared
• Used to grant limited access for a limited time to specific resources
• Developed by the IETF OAuth Working Group (RFC 6749)

Page 11

Who is using OAuth2

Page 12

OAuth2 Tokens

ACCESS Token

• Used to access a protected resource
• Obtained through one of the grant flows
• Lifetime short (minutes, hours)

REFRESH Token

• Used to obtain a new access token
• Obtained through one of the grant flows
• Lifetime long (days, weeks, months)

Page 13

Possible flow

Diagram: Client, Provider and Protected Resource, steps 1 to 7: retrieve refresh token; retrieve access token; leveraging access token.

Page 14

Resource Owner Password Flow

Diagram: Client, Provider and Protected Resource, steps 1 to 4: the application provides the user's userid/password credentials to the Provider; retrieve access token; leveraging access token at the Protected Resource.

Page 15

Supported grants

Use Case: For Web Applications
§ Authorization Code Flow Grant
§ Implicit Flow Grant

Use Case: For Mobile Applications
§ Resource Owner Password

Use Case: For Application to Application
§ Client Credentials Flow
§ SAMLv2 Token Insertion
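The grants listed on this slide, the token lifetimes on page 12, the authorization code flow on page 13, the password flow on page 14 and the page 8 demo storyline, worked through in one added example. This is toy Python written for this transcript, not OpenAM or ForgeRock code: an in-memory authorization server with no HTTP layer, and the client id, secret, redirect URI, user and password are constructed test data. It issues opaque bearer access tokens with a short lifetime, long-lived refresh tokens that are rotated on use, single-use authorization codes bound to the client and redirect URI, and an introspection call standing in for what the protected resource does with a presented token.

```python
"""Toy OAuth2 authorization server, in memory and without HTTP: authorization_code,
password, client_credentials and refresh_token grants, short-lived access tokens,
long-lived rotating refresh tokens, and the introspection a protected resource does."""
import hmac
import secrets
import time
from collections import namedtuple

ACCESS_TTL = 600           # seconds: access tokens live "minutes, hours"
REFRESH_TTL = 30 * 86400   # seconds: refresh tokens live "days, weeks, months"
CODE_TTL = 60              # an authorization code is exchanged right away

# subject is the user, or the client itself for client_credentials
Token = namedtuple("Token", "subject client_id scope expires_at")


class AuthServer:
    def __init__(self, clients, users, now=time.time):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.users = users      # username -> password (toy data; real servers store hashes)
        self.now = now          # injectable clock so expiry can be exercised offline
        self.codes, self.access, self.refresh = {}, {}, {}

    # Front channel: the resource owner has logged in and approved the client.
    def authorize(self, client_id, redirect_uri, user, scope):
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")  # the code must not leak elsewhere
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, scope, self.now() + CODE_TTL)
        return code

    # Back channel: the /token endpoint. Every grant authenticates the client first.
    def token(self, client_id, client_secret, grant_type, **p):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(p["code"], None)  # single use: a replayed code fails
            if entry is None or entry[4] < self.now():
                raise PermissionError("invalid_grant")
            cid, uri, subject, scope, _ = entry
            if cid != client_id or uri != p["redirect_uri"]:
                raise PermissionError("invalid_grant")
        elif grant_type == "password":
            stored = self.users.get(p["username"], "")
            if not stored or not hmac.compare_digest(stored, p["password"]):
                raise PermissionError("invalid_grant")
            subject, scope = p["username"], p.get("scope", "")
        elif grant_type == "client_credentials":
            subject, scope = client_id, p.get("scope", "")
        elif grant_type == "refresh_token":
            old = self.refresh.pop(p["refresh_token"], None)  # rotation: the old one dies
            if old is None or old.client_id != client_id or old.expires_at < self.now():
                raise PermissionError("invalid_grant")
            subject, scope = old.subject, old.scope
        else:
            raise PermissionError("unsupported_grant_type")
        return self._issue(subject, client_id, scope, grant_type != "client_credentials")

    def _issue(self, subject, client_id, scope, with_refresh):
        at = secrets.token_urlsafe(32)  # opaque bearer token: carries no identity itself
        self.access[at] = Token(subject, client_id, scope, self.now() + ACCESS_TTL)
        resp = {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if with_refresh:
            rt = secrets.token_urlsafe(32)
            self.refresh[rt] = Token(subject, client_id, scope, self.now() + REFRESH_TTL)
            resp["refresh_token"] = rt
        return resp

    # What the protected resource asks before honouring a presented bearer token.
    def introspect(self, access_token):
        tok = self.access.get(access_token)
        if tok is None or tok.expires_at < self.now():
            return {"active": False}
        return {"active": True, "sub": tok.subject, "client_id": tok.client_id, "scope": tok.scope}


def demo():
    """Page-8 storyline: code grant, use the token, let it expire, refresh; plus one password grant."""
    clock = [1_700_000_000.0]
    srv = AuthServer(clients={"iphone-app": {"secret": "app-secret", "redirect_uri": "myapp://cb"}},
                     users={"alice": "correct horse"}, now=lambda: clock[0])  # constructed data
    code = srv.authorize("iphone-app", "myapp://cb", "alice", "profile")
    first = srv.token("iphone-app", "app-secret", "authorization_code", code=code, redirect_uri="myapp://cb")
    fresh = srv.introspect(first["access_token"])
    clock[0] += ACCESS_TTL + 1                      # the access token has now expired ...
    stale = srv.introspect(first["access_token"])
    second = srv.token("iphone-app", "app-secret", "refresh_token", refresh_token=first["refresh_token"])
    try:                                            # ... and the refresh token that renewed it is spent
        srv.token("iphone-app", "app-secret", "refresh_token", refresh_token=first["refresh_token"])
        rotated = False
    except PermissionError:
        rotated = True
    ropc = srv.token("iphone-app", "app-secret", "password", username="alice", password="correct horse")
    return {"fresh": fresh["active"], "stale": stale["active"], "renewed": srv.introspect(second["access_token"]),
            "refresh_rotated": rotated, "ropc_sub": srv.introspect(ropc["access_token"])["sub"]}
```

Calling demo() plays the page 8 sequence and ends with one password-grant call from page 14. That grant hands the user's credentials to the application itself, which is why the page 8 demo's choice of the authorization code grant on the iPhone is the better model for native apps (RFC 8252, OAuth 2.0 for Native Apps, later made it the recommendation). Refresh token rotation is a design choice here, not something RFC 6749 requires.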

Page 16

Cheat sheet http://www.cheatography.com/kayalshri/cheat-sheets/oauth-end-points/

Page 17

Page 18

What is it not

• OpenID Connect is not OpenID
• OpenID is an older social login protocol, without a mandatory contract between client and provider
• OpenID is insecure

Page 19

What is OAuth2 again?

• OAuth2 is an AUTHORIZATION protocol
• Access and refresh tokens are bearer tokens: they represent access to a resource for anybody who holds the token
• OAuth2 itself has no mechanism that ties that access to an authenticated user identity; a token tells the client what it may access, not who the user is

Page 20

OpenID Connect

• OpenID Connect adds a second token next to the OAuth2 access token: the ID Token
• The access token authorizes access to the resource (see OAuth2 before)
• The ID Token is a signed JWT that asserts the authenticated user identity: who logged in (sub), which provider says so (iss), which client it was issued to (aud), when it expires (exp) and, optionally, a nonce tying it to the login request the client started
• OpenID Connect thereby maintains the relationship between the resource access and the user: the client verifies the ID Token's signature, issuer, audience, expiry and nonce before trusting the identity, and presents the access token to the resource

Diagram: Protected Resource <- OAuth2 Access Token; User identity <- ID Token.
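The distinction drawn on pages 19 and 20, as an added example rather than anything from the slides or from OpenAM: a provider mints an opaque OAuth2 access token and, beside it, an OpenID Connect ID Token, and the client runs the checks that make the identity in the ID Token trustworthy. The issuer URL, signing key, client ids, user and nonce are constructed. HS256 with a single provider key is used so the block stays standard-library only and the audience check is exercised on its own; real providers normally sign with RS256 and publish their public keys through JWKS, which changes the key handling but not the claim checks.

```python
"""An OpenID Connect ID Token (signed JWT) minted next to an opaque OAuth2 access token,
and the checks a client runs before believing the identity in it. HS256 keeps this
stdlib-only; real providers normally sign with RS256 and publish keys via JWKS."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://openam.example.test"                # assumed provider URL, not from the slides
PROVIDER_KEY = b"constructed-provider-signing-key"    # stands in for the provider's key pair


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(PROVIDER_KEY, signing_input.encode(), hashlib.sha256).digest()


def authenticate(user, client_id, nonce, now, ttl=300):
    """Provider side, after login: an opaque access token plus an ID Token for this client."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user, "aud": client_id, "nonce": nonce,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return {"access_token": secrets.token_urlsafe(32),   # says "may access", not who
            "id_token": signing_input + "." + _b64url(_sign(signing_input))}


def verify_id_token(id_token, client_id, nonce, now):
    """Client side: the claims if the ID Token is genuine, fresh and meant for us, else None."""
    try:
        h, c, s = id_token.split(".")
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(c))
    except ValueError:                       # malformed base64 / JSON / segment count
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":         # pin the algorithm: no "none", no attacker's choice
        return None
    if not hmac.compare_digest(_sign(f"{h}.{c}"), _unb64url(s)):
        return None                          # tampered payload or not signed by the provider
    if claims.get("iss") != ISSUER or claims.get("aud") != client_id:
        return None                          # another issuer, or a token issued to another client
    if claims.get("nonce") != nonce:
        return None                          # not the login this client started: replay
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def demo():
    """Constructed run: a good token, a substituted token for another client, a forgery."""
    nonce, now = secrets.token_urlsafe(16), 1_700_000_000
    resp = authenticate("alice", "client-a", nonce, now)
    good = verify_id_token(resp["id_token"], "client-a", nonce, now + 10)
    # Genuine token issued to client-b, replayed to client-a: same signer, wrong audience.
    other = authenticate("alice", "client-b", nonce, now)["id_token"]
    wrong_aud = verify_id_token(other, "client-a", nonce, now + 10)
    # Forgery: unsigned token with alg "none" claiming to be the admin.
    body = {"iss": ISSUER, "sub": "admin", "aud": "client-a", "nonce": nonce, "exp": now + 300}
    forged = ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(body).encode()), ""])
    forged_ok = verify_id_token(forged, "client-a", nonce, now + 10)
    expired = verify_id_token(resp["id_token"], "client-a", nonce, now + 301)
    return {"sub": good["sub"] if good else None, "wrong_aud": wrong_aud,
            "forged": forged_ok, "expired": expired}
```

The access token in the response is a random string: a resource server can only learn what it grants by asking the provider. The ID Token carries the identity itself, but only the full set of checks in verify_id_token (signature under a pinned algorithm, issuer, audience, nonce, expiry) turns it into something the client may act on; the audience check in particular is what stops a token issued to one client from being presented to another.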

Page 21

Coming from a different angle

Page 22

OpenAM Authentication

• MSISDN
• HOTP (text messages via cell phone)
• OATH (3rd party token generators)
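The HOTP module on this slide sends a counter-based one-time code by text message. As an added example, not OpenAM code, here is the algorithm it rests on (RFC 4226, HMAC-SHA-1 with an 8-byte counter and dynamic truncation) together with the server-side verification a practitioner actually needs: a small look-ahead window so a user who skipped a code can still resynchronise, and a counter that only moves forward so a code that has been accepted, or one older than the current counter, is never accepted again. The secret is the test secret from RFC 4226 Appendix D, whose published vectors the code reproduces; the window size is an assumed policy value.

```python
"""HOTP (RFC 4226) as used for text-message one-time codes: the server generates the code
for the current counter, and verification walks a small look-ahead window so a user who
skipped codes can resynchronise, while never accepting an already-used counter."""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # test secret from RFC 4226 Appendix D


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, with C as 8-byte big-endian."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one user: shared secret plus the next counter to accept."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret, self.counter, self.window = secret, counter, window  # window: assumed policy

    def next_code(self) -> str:
        """What the server would send by SMS for the current counter."""
        return hotp(self.secret, self.counter)

    def verify(self, submitted: str) -> bool:
        for step in range(self.window):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate, submitted):
                self.counter += step + 1      # move past it: replays and older codes now fail
                return True
        return False                          # wrong code, or beyond the window: resync needed


def demo():
    """Constructed sequence: a skipped code, a replay, a stale code, the next code, a far jump."""
    v = HotpVerifier(RFC4226_SECRET)
    codes = [hotp(RFC4226_SECRET, c) for c in range(3)]   # 755224, 287082, 359152 per the RFC
    accepted_skip = v.verify(codes[1])     # user lost code 0 and submits code 1: OK, counter -> 2
    replayed = v.verify(codes[1])          # same code again: refused
    too_old = v.verify(codes[0])           # code 0 is behind the counter: refused
    in_order = v.verify(codes[2])          # code 2 is now current: OK, counter -> 3
    far_ahead = v.verify(hotp(RFC4226_SECRET, 9))   # 9 is past counter 3 + window 5: refused
    return {"codes": codes, "accepted_skip": accepted_skip, "replayed": replayed,
            "too_old": too_old, "in_order": in_order, "far_ahead": far_ahead, "counter": v.counter}
```

The window is the trade-off to tune: large enough that a lost text message does not lock the user out, small enough that an attacker guessing six digits gets only window-many valid answers per attempt; pairing it with rate limiting on verify is the usual complement.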

Page 23

Banking grade authentication

Thomas Bostrøm Jørgensen - CEO, Encap