For System Integrators

Transcription

1 For System Integrators

2 The Connect2id mantra Your users Your UIs / UX Your rules Your premise / cloud You are in control

3 Top integration concerns of enterprises authz logic user authentication + shape explicit / implicit consent + ID / access token processing + custom token data + plug-in any factor + choose factor based on context + feed attributes into ID token IdP federation claims sources + SAML + social logins + legacy 3 rd party needs + plug-in any data source + DB and / or web service backends + aggregation from N sources Based on our experience

4 Focus on web-based integration Connect2id server web APIs for: Login and admin UIs Plug in of auth factors Plug in of authz rules Managing the complete token and authz lifecycle Managing user sessions Monitoring and stats Web-based integration enables you to leverage existing IT resources

5 How to customise your Connect2id server? Use the available web APIs and Java SPIs Modifying the server code is never needed

6 Server endpoints + interfaces authz session direct authz session store authz store monitoring discovery JWK set client registration token token inspection + revocation userinfo Connect2id server OpenID Connect provider + OAuth 2.0 server claims source SPI grant handler SPIs: password client credentials SAML 2.0 bearer JWT bearer

7 Server endpoints + web APIs

8 Standard endpoints Standard OpenID Provider (OP) and OAuth 2.0 Authorisation Server (AS) endpoints: Discovery metadata about the OP / AS Public JWK set the public RSA and EC keys to verify tokens issued by the OP / AS Client registration to add, update or delete clients; supports open, preauthorised and managed registration Authorisation for end-user authentication and consent Token for receiving ID, access and / or refresh tokens in exchange for a code, password, client credentials, JWT or SAML 2.0 grant Token inspection lets resource servers inspect access tokens Token revocation lets clients revoke tokens and associated authorisations UserInfo releases consented claims about the end-user to clients

9 Integration endpoints Web-based (REST+JSON) endpoints: Authorisation session plug-in a login UI, user authentication factors and consent logic at the OAuth 2.0 authorisation endpoint; federate SAML, social logins and legacy 3 rd party IdPs Direct authorisation obtain ID and access tokens directly; implement token exchange Session store query, monitor and administrate existing user sessions Authorisation store query, update and revoke authorisations, inspect tokens Monitoring back-end health-checks, 100+ server metrics Java Service Provider Interfaces (SPI), permit web-service adapters: Claims sources retrieve ID token / UserInfo claims from one or more data sources Grant handlers plug in your own logic for handling: password grants client credentials grants SAML 2.0 and JWT bearer assertions

10 Sign-in experience Login User Password alice xxxx Consent Allow Wonderland App access to your : profile Allow deny Design your own user experiences around login and consent

11 Sign-in UI, auth and authz HTTP 302 redirect client app login result When a client app wants to login a user with OpenID Connect it redirects the user's browser to the login page of the Connect2id server. The OpenID Connect request is encoded in the URL query string. The login page acts as the authorisation endpoint in OpenID Connect / OAuth 2.0. login request encoded request, session cookie Login User Password alice xxxx HTTP 302 redirect auth / consent prompt, encoded result The login page passes the URL query string to the Connect2id server to decode and process the request. If required, the Connect2id server will prompt the login page for initiate user authentication or gather consent (explicit / implicit). Connect2id server Finally, the Connect2id server produces the encoded authentication response, which the login page then relays back to the client app.

12 Login page pseudo code 1. Pass the URL query string and browser cookie (if any) to the Connect2id server for decoding and processing. 2. If the Connect2id server responds that the user must first be authenticated (due to no session, or insufficient authentication): A. Authenticate the user with the indicated method, then: a) On success: pass the user ID and the authentication details back to the Connect2id server b) On failure: stop 3. If the Connect2id server responds with a consent prompt: A. Present the consent form to the user B. Pass the obtained consent back to the Connect2id server 4. If the Connect2id server responds with a final response: A. Send the browser back to the client application

13 Example login page session (1) Pass the URL query string to the Connect2id server. If a session cookie is found it should also be included. POST /authz-sessions/rest/v2 HTTP/1.1 Authorization: Bearer ztuczs1zyfkgh0tueruutistxhnexmd6 Content-Type: application/json { } "query" : "response_type=code&client_id=s6bhfa&state=xyz..."

14 Example login page session (2) The Connect2id server response if the user needs to be authenticated HTTP/ OK Content-Type: application/json { } "type" : "auth", "sid" : "g6f5k6kf6ey11zc00", "display" : "popup", "select_account" : false

15 Example login page session (3) Submit the user ID to the Connect2id server after successful authentication. The authentication strength (acr) and methods (amr) may also be indicated. PUT /authz-sessions/rest/v2/g6f5k6kf6ey11zc00 HTTP/1.1 Authorization: Bearer ztuczs1zyfkgh0tueruutistxhnexmd6 Content-Type: application/json { } "sub" : "alice", "acr" : " "amr" : [ "mfa", "pwd", "otp" ]

16 Example login page session (4) The Connect2id server response if requested scopes / claims need to be authorised. The client and user session details are provided for context. HTTP/ OK Content-Type: application/json { } "type" : "consent", "sid" : "g6f5k6kf6ey11zc00", "display" : "popup", "sub_session : { "sid" : "9yLXidrzk91r3BCpJeF1Vrf", "sub" : "alice", "auth_time" : , "acr" : " "amr" : [ "mfa", "pwd", "otp" ], "data" : { "name" : "Alice Adams", " " : "alice@wonderland.net" } }, "client" : { "client_id" : "8cc2043", "application_type" : "web", "name" : "My Web Store", "uri" : " "logo_uri" : " }, "scope" : { "new" : [ "openid", " " ], "consented" : [ ] }, "claims" : { "new" : { "essential" : [ " ", " _verified" ], "voluntary" : [ ] }, "consented" : { "essential" : [ ], "voluntary" : [ ] } }

17 Example login page session (5) Submit the consented (explicitly or implicitly) scope and claims. Additional ones may also be freely included. The default token settings may be overridden, if required. PUT /authz-sessions/rest/v2/g6f5k6kf6ey11zc00 HTTP/1.1 Authorization: Bearer ztuczs1zyfkgh0tueruutistxhnexmd6 Content-Type: application/json { } "scope" : [ "openid", "profile", " " ], "claims" : [ " ", " _verified" ], "access_token" : { "lifetime" : 600, "encrypt" : true }, "id_token" : { "lifetime" : 3600 }, "refresh_token : { "issue" : true }

18 Example login page session (6) Finally, the Connect2id server generates the redirect response for the client app HTTP/1.1 OK Content-Type: application/json { } "type" : "response", "mode" : "query", "parameters" : { "uri" : " &state=nygv4clq" }

19 The session store endpoint Web API to enable query and management of the user sessions stored in the Connect2id server The user session contains the user's ID and the authentication details Arbitrary JSON data may also be stored Can be used by the login page to personalise / localise the UI Can be used by an admin or analytics tool / UI to view the users who are currently online and what sessions they have Can be used to implement custom logout

20 Example user session { } "sub" : "alice", "auth_time" : , "acr" : "c2id.acr.hisec", "amr" : [ "pwd", "otp" ] "creation_time" : , "max_life" : 20160, "auth_life" : 1440, "max_idle" : 15, "data" : { "name" : "Alice Adams", " " : "alice@wonderland.net" }

21 The direct authorisation Enables direct issue of ID / access / refresh tokens for a client / user Implement token exchanges (draft-ietf-oauth-tokenexchange-05) endpoint

22 Example direct authorisation request POST /direct-authz/rest/v2 HTTP/1.1 Authorization: Bearer ztuczs1zyfkgh0tueruutistxhnexmd6 Content-Type: application/json { "sub_sid" : "g6f5k6kf6ey11zc00", "client_id" : "8cc2043", "scope" : [ "openid", " ", "app:admin" ], "audience" : [ " ], "claims" : [ " ", " _verified" ], "claims_transport" : "USERINFO", "preset_claims" : { "id_token" : { "login_ip" : " ", "login_geo" : { "long" : " ", "lat" : " " } }, "userinfo" : { "groups" : [ "admin", "audit" ] } }, "access_token" : { "lifetime" : 600, "type" : "IDENTIFIER" } }

23 Example direct authorisation response HTTP/ OK Content-Type: application/json { } "id_token" : "eyjhbgcioijsuzi1niisimtpzci6ijflowdkazcif.ew...", "access_token" : "b15b843981cf", "token_type" : "Bearer", "expires_in" : 600, "refresh_token" : "YWxpY2U.NjU1NjRlYjAwNThk._W--XjP0UDZDiDYPkd4E_Q", "scope" : "openid profile app:admin", "sub_sid" : "g6f5k6kf6ey11zc00"

24 Authorisation store endpoint Web API to the store where long-lived authorisations are persisted, keyed by subject and client ID Supports query, update and revocation of the authorisation objects Optional call to inspect issued access tokens { } "sub" : "alice", "cid" : "65564eb0058d", "scp" : [ "openid", " ", "app:write" ], "clm" : [ " ", " _verified" ], "irt" : true, "atl" : 3600, "iss" : " "iat" : , "dat" : { "abc" : "xyz" }

25 The claims source SPI Enables plugin of one or more UserInfo claims sources. Standard Java Service Provider Interface (SPI). The SPI is published as open source package. The Connect2id server comes with a ready implementation for retrieving UserInfo claims from an LDAP directory (also opensource). The SPI supports claims l10n. The SPI supports claim name advertising, to conserve resources. The SPI can be decoupled via a web-service adaptor.

26 Claims source aggregation Connect2id server LDAP directory SQL database UserInfo request access_token: eyj9f... claims source SPI web service Claims aggregation from multiple data sources

27 Backend databases LDAP v3 MySQL PostgreSQL 9.5+ Redis 2.8+, 3.0+ Supported databases for persisting Connect2id server data (client regs, long-lived authorisations, etc)

28 Thank you! Q A