Identity Management: Using OIDC to Empower the Next-Generation of Applications
Tom Freestone, LDS Church

Uploaded by tom-freestone, posted 15-Jan-2017. Category: Internet.

TRANSCRIPT

Page 1: Identity Management: Using OIDC to Empower the Next-Generation Apps

Identity Management: Using OIDC to Empower the Next-Generation of Applications

Tom Freestone, LDS Church

© 2016 by Intellectual Reserve, Inc. All rights reserved.

Page 2

The future computing platforms are MOBILE and CLOUD!

Mobile Computing - present and the future: 2.4 billion mobile devices in 2013 and 2.5 billion in 2014. 81+ billion apps downloaded in 2013. There are 6.8 billion people on the planet at present; 4 billion own mobile phones. (Gartner Group - World Wide Devices Shipments)

Internet of Things: In the Cloud EVERYTHING is an API. APIs are an integral part of what are arguably the three major forces currently transforming the Web and IT landscape: Mobile, Social and Cloud Computing.

Page 3

Preparing for the future - MOBILE and CLOUD!

• How do we design and develop solutions that meet the growth and the diversity of a global user base?

• How do we move large enterprise solutions and systems to embrace mobile and cloud computing?

• How do we maximize our past investments in technology solutions and embrace new and evolving industry technology advancements?

• How do we significantly reduce costs and encourage greater reuse of core systems and services across the enterprise?

Page 4

Cloud Mobile Application Architecture (figure): the progression from Legacy Applications & Systems (monolithic, application-centric, DB-coupled) through a Component & Services Architecture (Web Services Integrations, Mobile/Web Components) to Mobile – Web - Device on a Platform as a Service, running in a Hybrid Cloud (Data Center, AWS, Azure).

Page 5

Identity?

Page 6

Identity? Authentication and Authorization

Page 7

Who is the user?

Entity, Claims, Attributes

Identity is a set of claims.

Page 8

Entity and Attributes

Photo: https://www.flickr.com/photos/74373690@N00/13949707621/ via Compfight (License: https://creativecommons.org/licenses/by-nc/2.0/)

Page 9

What is the user allowed to do?

Who, What, Why, When, How

Attributes and Policy

Page 10

What is the user allowed to do?

• Authenticated Users
• Users that work for …
• Users that belong to Web Access Mgmt.

Page 11

The Traditional Solution: Authorization/Authentication?

Reverse Proxies
• Passes Headers
• Protects URLs
• Manages SSO Session
• Data Center Co-location

Page 12

The world of reverse proxies … protected, but ...

https://www.flickr.com/photos/13748147@N02/2070083736/ via Compfight (License: https://creativecommons.org/licenses/by-nc-nd/2.0/)

Page 13

The real world is complex and interconnected.

http://steffondavis.com/visualizing-taste-in-art-with-big-data-curation-analysis-curalytics-and-curiator/

Page 14

Figure labels: Enterprise; SaaS; Private Cloud; PaaS (Cloud Foundry); Development Stacks; Web Services; Public Cloud; Hybrid Cloud.

Cloud Approach. Hybrid Cloud: a cloud computing service that is composed of some combination of private, public, and community cloud services, from different service providers, for capacity or capability.

Cloud Mobile Integration
• Must support existing systems (legacy) = Hybrid
• Everything moving to “Services” (APIs)
• Mobile/Web Development (Open Standards)
• Services Oriented Architecture (SOA)
• Migration/On Ramp (Security, SaaS, etc.)

Page 15

How do we move to the cloud and still authenticate our users?

Page 16

Federation

Page 17

Traditional vs. Federated

Traditional: Reverse Proxies
• Passes Headers
• Protects URLs
• Manages SSO Session
• Data Center Colocation

Federated: Application
• Consumes attributes
• Protects its own URLs
• Manages its own session
• Data Center Independence

Page 18

OIDC Benefits: Interoperable, Flexible, Secure, Simple

Icon design by Paomedia and Ivan Boyko

Page 19

Basic OIDC Protocol (Abstract OIDC Protocol: 1.2 OIDC-Core Spec)

Participants:
• End User: also referred to as the “User Agent,” meaning the browser.
• Client: application requiring End-User Authentication and Claims from an OIDC Provider.
• OIDC Provider: provides identity as a service using OIDC through the Authorization endpoint, Token endpoint, and UserInfo endpoint.

Flow:
1. AuthN Request (Client to OIDC Provider)
2. AuthN & AuthZ (End User with the OIDC Provider)
3. AuthN Response (OIDC Provider to Client)
4. UserInfo Request (Client to OIDC Provider)
5. UserInfo Response (OIDC Provider to Client)

Page 20

AntiPattern #1: LDAP Service Accounts

Participants: Application / Client; Protected API (Resource Server); LDAP.
1. Request (Basic Auth username:password) from the Application / Client to the Protected API
2. LDAP Bind username:password by the Protected API against LDAP
3. Data returned to the Application / Client

Page 21

Pattern #1: Service Account using OIDC

Participants: Application / Client; Authorization Server; Protected API.
1. Request Token (client_id / userId) from the Authorization Server
2. Token returned to the Application / Client
3. Make Request to the Protected API, presenting the Token
4. Validate Token (Protected API to Authorization Server)
5. Valid Token
7. Return Data

Page 22

Pattern #1 Service Account – Getting Tokens

Discover the provider's endpoints:

    curl https://openam.example.com:8443/openam/.well-known/openid-configuration
    {
      "response_types_supported": [ "token id_token", "code token", "code token id_token", "token", "code id_token", "code", "id_token" ],
      "registration_endpoint": "https://ident.example.com:8443/openam/oauth2/connect/register",
      "token_endpoint": "https://ident.example.com:8443/openam/oauth2/access_token",
      "end_session_endpoint": "https://ident.example.com:8443/openam/oauth2/connect/endSession",
      "version": "3.0",
      "userinfo_endpoint": "https://ident.example.com:8443/openam/oauth2/userinfo",
      "subject_types_supported": [ "public" ],
      "issuer": "https://ident.example.com:8443/openam",
      "jwks_uri": "https://ident.example.com:8443/openam/oauth2/connect/jwk_uri?realm=/",
      "id_token_signing_alg_values_supported": [ "HS256", "HS512", "RS256", "HS384" ],
      "check_session_iframe": "https://ident.example.com:8443/openam/oauth2/connect/checkSession",
      "claims_supported": [ "phone", "email", "address", "openid", "profile" ],
      "authorization_endpoint": "https://ident.example.com:8443/openam/oauth2/authorize"
    }

Request a token with the client's own credentials (HTTP Basic) and the resource owner password grant:

    curl \
      --request POST \
      --user "masterClient:password" \
      --data "grant_type=password&username=someUser&password=password" \
      https://ident.example.com:8443/openam/oauth2/access_token
    {
      "expires_in": 59,
      "token_type": "Bearer",
      "refresh_token": "26938cd0-6870-4e31-ade9-df31afc37ee1",
      "access_token": "515d6551-4512-4279-98b6-c0ef3f03a722"
    }

Present the access token on each request to the Protected API:

    Authorization: Bearer 515d6551-4512-4279-98b6-c0ef3f03a722
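The service-account flow of Pages 21 and 22, modelled offline as an added example (not code from the talk or from OpenAM): an in-process authorization server issues opaque bearer tokens with the slide's 59-second lifetime, and a protected API accepts only tokens the authorization server still vouches for, so it never handles a password. The client and user credentials are constructed placeholders copied from the slide's curl command; `clock` is an injected time source so that expiry can be exercised.

```python
import secrets

# Constructed sample credentials, taken from the slide's curl command.
CLIENTS = {"masterClient": "password"}   # client_id -> client_secret
USERS = {"someUser": "password"}         # username -> password

class AuthorizationServer:
    """Issues opaque bearer tokens (steps 1-2) and validates them (steps 4-5); `clock` is injected for testing."""
    def __init__(self, clients, users, clock, ttl=59):   # 59 s, as on the slide
        self.clients, self.users, self.clock, self.ttl = clients, users, clock, ttl
        self.tokens = {}   # access_token -> (username, expiry time)

    def token(self, client_id, client_secret, form):
        # Check the client's credentials (curl --user) first, then the password grant in the body.
        if self.clients.get(client_id) != client_secret:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "password" or \
           self.users.get(form.get("username")) != form.get("password"):
            return 400, {"error": "invalid_grant"}
        tok = secrets.token_hex(16)   # opaque: meaningless without step 4
        self.tokens[tok] = (form["username"], self.clock() + self.ttl)
        return 200, {"access_token": tok, "token_type": "Bearer",
                     "expires_in": self.ttl}

    def validate(self, token):
        """Steps 4-5: the username for a live token, None otherwise."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]

class ProtectedApi:
    """Resource server: handles only the token, never a password (steps 3, 7)."""
    def __init__(self, authz): self.authz = authz

    def get(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user = self.authz.validate(token) if scheme == "Bearer" else None
        if user is None:
            return 401, {"error": "invalid_token"}
        return 200, {"data": f"records visible to {user}"}

def service_account_flow(authz, api, client_id, secret, username, password):
    """Client side: obtain a token (step 1), present it as Bearer (step 3)."""
    status, body = authz.token(client_id, secret, {"grant_type": "password",
                               "username": username, "password": password})
    if status != 200:
        return status, body   # no token issued, so no request to the API
    return api.get({"Authorization": f"Bearer {body['access_token']}"})
```

Once the 59 seconds are up, step 4 fails and the API returns 401 without the client ever re-sending the user's password; that is the moment the refresh_token from the slide would be used.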

© 2016 by Intellectual Reserve, Inc. All rights reserved.

Page 23

AntiPattern #2: Session Hijack

Participants: Owner; Client; App Login Page.
1. Using App (Owner to Client)
2. Collect User/Password (Client from Owner)
3. Post User/password to login page
4. Get cookies
5. Request Data
6. Data

Page 24

Pattern #2: Service Provider Access Using OIDC

Participants: Owner; Client; Authorization Server; Resource Server.
1. Using App (Owner to Client)
2. Redirect to Login (Client to Authorization Server)
3. Authorize (Owner at the Authorization Server)
4. Authorization Code (returned to the Client)
5. Authorization Code (Client to Authorization Server)
6. Token (Authorization Server to Client)
7. Request Data (Client to Resource Server, presenting the Token)
8. Validate Token (Resource Server to Authorization Server)
9. Valid Token
10. Data (Resource Server to Client)

[1] R. Boyd, Getting Started with OAuth 2.0. Sebastopol, CA: O’Reilly, 2012.

Page 25

Pattern #2 Service Provider Access -- Responses

[2] Backstage.forgerock.com, ‘ForgeRock BackStage’, 2015. [Online]. Available: https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-opened-connect. [Accessed: 08-Oct-2015].

Page 26

Cloud Mobile Application Architecture (figure): the progression from Legacy Applications & Systems (monolithic, application-centric, DB-coupled) through a Component & Services Architecture (Web Services Integrations, Mobile/Web Components) to Mobile – Web - Device on a Platform as a Service, running in a Hybrid Cloud (Provo/Church Data Center, AWS, Azure).

Page 27

The future computing platforms are MOBILE and CLOUD! (recap of Page 2)

Page 28

Questions?