enterprise openid sso oauth for google apps
Post on 06-Apr-2018
TRANSCRIPT
8/3/2019 Enterprise Openid Sso Oauth for Google Apps
1/103
OpenID Single Sign On and OAuth Data Access for Google Apps
Ryan Boyd @ryguyrg
Dave Primmer
May 2010
Why?
View live notes and questions about this session on Google Wave:
http://bit.ly/magicwave
Agenda
Terminology
History
Open Protocols
  OpenID user authentication
  OAuth data access
  Hybrid authentication + data access
Google Apps Marketplace
Case Study - Evolution of 'SaaSy Payroll'
Q&A
SaaSy Payroll
Fictitious app for handling the payroll of SMBs
Used by smart-lawfirm.com for their payroll
Terminology
Authentication and Authorization
Authentication
Goal: Secure knowledge of the identity of the user
Authorization
Goal: Appropriate access to resources, such as Google Data APIs (Calendar, Contacts, Docs, etc)
History
History (2001-2005)
History (2006-2010)
OpenID Federated Identity
What do we mean by Federated Identity?
Web applications (relying parties) accept the assertion of identity from identity providers, such as Google and Yahoo.
What information does OpenID provide an app?
Identity of the user:
http://smart-lawfirm.com/openid?id=0123456789
Static each time the user visits the relying party web application
"OpenID is a safe, faster, and easier way to log in to web sites." (openid.net)
Safe, Faster and Easier
Safe
The user only enters their credentials in one place: on the website of their OpenID provider
Faster
The user is often already logged into their OpenID provider
Easier
The user no longer needs to create and maintain a new account and credentials on every web site
Discovery: Determining the OpenID provider for a user.
OpenID Login Options
http://www.google.com/accounts/o8/id
Improved UX
OpenID Demo with a Gmail account
But... what if you want to use an OpenID on your own domain without a complicated URL to remember?
Ideal User Experience: WebFinger
Google Accounts versus Google Apps accounts
Google Apps Login
Discovering the OpenID Provider
Format of the OpenID Identity
Google consumer account (including Gmail accounts):
https://www.google.com/accounts/o8/id?id=AItOawlTW-qs7L-bpYc0oxROHDQaFmQHyGRnaLM
Google Apps account:
http://smart-lawfirm.com/openid?id=0123456789
Supported Extensions
Provider Auth Policy Extension (PAPE)
Allows a relying party to ask for security restrictions
OpenID User Interface Extension
Enables pop-up UI
OAuth Hybrid
Enables getting both the user's identity and access to some of the user's data
Attribute Exchange (AX)
Provides additional info about the user
Attribute Exchange (AX)
Remember, without AX we only get a URI:
http://smart-lawfirm.com/openid?id=0123456789
We want more information to improve the user experience:
First Name
Last Name
E-mail Address
Language
Attribute Exchange (AX) Trust
Don't trust attributes without verification
Whitelist trusted IDPs
Same-origin policy for email
One-time confirmation messages
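Added example, not code from the deck: a relying-party decision function for the three trust rules above (whitelisted IDPs, same-origin e-mail, one-time confirmation otherwise). It assumes the OpenID assertion itself has already been verified; the whitelist entry and the endpoint URLs are constructed values.

```python
from urllib.parse import urlparse

# Constructed policy for the fictitious SaaSy Payroll relying party (an assumption, not the
# deck's code): OpenID provider endpoints whose AX attributes are believed outright.
TRUSTED_OP_ENDPOINTS = {"https://www.google.com/accounts/o8/ud"}  # assumed/constructed value

def host_of(url):
    # Host of the claimed identifier; only http(s) identifiers are meaningful here.
    p = urlparse(url)
    return p.hostname.lower() if p.scheme in ("http", "https") and p.hostname else None

def email_parts(email):
    # Split a@b into (local, domain); None when the attribute is not a usable address.
    local, sep, domain = (email or "").strip().rpartition("@")
    return (local, domain.lower()) if sep and local and domain else None

def decide_ax_email(claimed_id, op_endpoint, ax_email):
    """Decide what to do with an AX-supplied e-mail once the OpenID assertion itself
    has been verified. Returns (action, reason) where action is one of:
      'accept'  - from a whitelisted IDP, or e-mail domain equals the claimed-id host
      'confirm' - unproven: send a one-time confirmation message before using it
      'reject'  - malformed input that no confirmation step should try to rescue
    """
    parts = email_parts(ax_email)
    if parts is None:
        return "reject", "malformed e-mail attribute"
    _, domain = parts
    if op_endpoint in TRUSTED_OP_ENDPOINTS:
        return "accept", "whitelisted OpenID provider"
    claimed_host = host_of(claimed_id)
    if claimed_host is None:
        return "reject", "claimed identifier is not an http(s) URL"
    if domain == claimed_host:
        # Same-origin rule: the provider that proved smart-lawfirm.com/openid?id=... is the
        # natural authority for @smart-lawfirm.com addresses, and for nothing else.
        return "accept", "e-mail domain matches claimed identifier host"
    return "confirm", f"{domain} is not vouched for by {claimed_host}"
```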
How it's done - OpenID Federated Identity
Sounds complicated, but not hard in practice!
OpenID Libraries
Language   Libraries
Java       OpenID4Java, Step2
.NET       DotNetOpenAuth
PHP        php-openid, php-openid-apps-discovery
Ruby       ruby-openid, ruby-openid-apps-discovery
Any        RPX, Ping Identity
OAuth Data Access
OAuth Terms
Protected Resource
  resides on server
  requires authorization
Resource Owner
  owns protected resource
  approves access
Server
  receives http request
Client
  makes http request
Old OAuth Terminology
Pre 2009            Current
Consumer            Client
Service Provider    Server / Protected Resource
User                User / Resource Owner
More Info: The Authoritative Guide to OAuth 1.0: http://hueniverse.com/oauth/guide/
Now, with more RFC! http://www.rfc-editor.org/info/rfc5849
OAuth Components
Key Management
Establishes trust between client and server
Access Control
Grants done per-user, or for a whole Google Apps domain.
Basic steps to use OAuth
Step 1 Client Registration
SaaSy App - www.saasyapp.com
Getting your OAuth client key and secret
Step 1 - For the Developer:
A Google Client App Registration Page
Access Control
Step 2 - For the Resource Owner:
Two types of Access Control
Resource Owner: An entity capable of approving access to a protected resource.
Sometimes the resource owner is not the same as the user.

Consumer                                   | Business
Individual User is Resource Owner          | Company Admin is Resource Owner
Three-Legged OAuth                         | Two-Legged OAuth
Authorization using browser redirection    | Requests pre-authorized for a group of users
Individual prompted                        | User not prompted
Manage OAuth Client Data Access
Approval for a group of users:
Google Apps Administrator Access Control
Demo: Two-Legged OAuth cURL
Step #3 Access the resource
Two Legged OAuth
Two-Legged OAuth: What is it?
An authenticated HTTP request. Very much like HTTP Digest Auth.
Client has a role account name and password:
  consumer_key -> account name
  consumer_secret -> password
Request param to indicate the user:
  xoauth_requestor_id=ryan@smart-lawfirm.com
Some request attributes are bundled up and signed in a standard way. That's it.
Two-Legged OAuth: Why?
You don't want to bother the user with approval
The common Enterprise IT scenario
Server to Server -- no browser involved
Main trust relationship:
Resource Owner (admin) tells the Server, via ACL, to trust the client
Permission stored in server ACL, not a token
Three-legged OAuth
The "other" style of authorization
Three-Legged OAuth: What is it?
Describes the access control delegation to a Client by a Resource Owner
Redirection-Based Authorization
The authorization flow is what most people think of when they talk about OAuth. It is the process in which the user's browser is redirected to the server to approve access.
Three-Legged OAuth: What is it?
Adds an Access Token to the 2LO request during data access that identifies the permission granted.
"Joe gives the SaaSy Payroll client permission to write to Joe's Google Calendar."
oauth_token=1%2FSTnrUiu8N4OQvrwEpsltnpYwFX5an2j2i-VAK5l_3No
SaaSy App - www.saasyapp.com
Authorization by Resource Owner
Three-Legged OAuth: Why?
Appropriate for access grant by individual user (also works for Apps users)
User identity is opaque to client application
Main trust relationship:
User is the Resource Owner and trusts the client app with an Access Token
OAuth 2
Already? Why?
Make it IETF standard
Add new use cases
Avoid crypto!
OAuth 1 + WRAP = OAuth 2
Facebook has working OAuth 2 prototypes, Microsoft Azure and Google have WRAP prototypes.
http://tools.ietf.org/html/draft-ietf-oauth-v2
Hybrid OpenID + OAuth
Identity and Data Access in 1 step
Google Apps Marketplace
Features: Simple installation flow
Features: True Single Sign On
Features: 2-legged OAuth access to Data APIs
Consumer Key and Secret available in the Marketplace
Summary of Protocols
ClientLogin                          Don't use for new apps
AuthSub                              Don't use for new apps
3-Legged OAuth                       Access data for individual users
2-Legged OAuth                       Access data for an entire Google Apps domain
OpenID                               Access a user's identity. Can be used for Gmail
OpenID with Google Apps extensions   Access a user's identity for Google Apps accounts
OpenID / OAuth Hybrid                On-board new users and get their data in one step
Evolution of an Integrated App
Evolution of 'SaaSy Payroll'
email           password
john@foo.com    AxNAAFSnz
Evolution of 'SaaSy Payroll'
http://www.youtube.com/watch?v=BvjjnI0jb5A
email           password     token
john@foo.com    AxNAAFSnz    ZD1FNKL4
Evolution of 'SaaSy Payroll'
http://www.youtube.com/watch?v=53uqdkPxcIs
email           password     openid                 token
john@foo.com    AxNAAFSnz    -----                  ZD1FNKL4
jane@goo.com    -----        http://goo.com/1234    JFNB2ANS
Evolution of 'SaaSy Payroll'
http://www.youtube.com/watch?v=hV0IjdA3cZg
email           password     openid                 token      type   secret
john@foo.com    AxNAAFSnz    -----                  ZD1FNKL4   AS     ----
jane@goo.com    -----        http://goo.com/1234    JFNB2ANS   AS     ----
alan@bar.com    ----         http://bar.com/6780    D2FNAF7D   3LO    adfa123f
Evolution of 'SaaSy Payroll'
http://www.youtube.com/watch?v=ZA0NaiHzkSQ
email             password     openid                 token      type   secret
john@foo.com      AxNAAFSnz    -----                  ZD1FNKL4   AS     ----
jane@goo.com      -----        http://goo.com/1234    JFNB2ANS   ----   ----
alan@bar.com      ----         http://bar.com/6780    D2FNAF7D   3LO    adfa123f
kim@smart-lawfi   ----         http://smb.com/123     -----      2LO    ----
ryan@smart-law    ----         http://smb.com/456     -----      2LO    ----
dmb@smart-law     ----         http://smb.com/789     -----      2LO    ----
Evolution of 'SaaSy Payroll'
http://www.youtube.com/watch?v=VB5NdqkmEws
Improved User Experience
Easier on-boarding of users
Access granted by appropriate resource owners
Access to over 2 million businesses
Multiple code paths
Resources
Google Apps Marketplace:
http://developer.googleapps.com/marketplace
Technical docs on Google Apps:
http://code.google.com/googleapps/
Technical docs on OpenID and OAuth:
http://code.google.com/apis/accounts/
OAuth Playground:
http://www.googlecodesamples.com/oauth_playground
Q & A
Ask your questions on Google Wave:
http://bit.ly/magicwave