Token-based Authentication

Presentation transcript:

Token-based Authentication In single-page and mobile applications Sunday, April 07, 2019 Will Adams Senior Software Engineer Fiserv, Inc. wbadev@gmail.com

Agenda: Overview of token-based authentication. Types of tokens: Anti-CSRF, Access, Refresh. Token formats. Standards and Guidelines. Demo. Resources.

Overview Token-based authentication is the process of verifying a user’s identity, then creating and returning a unique set of claims (i.e. key-value pairs) that describe the user. Token-based authentication allows you to outsource authentication from your application and instead consume a token issued on the basis of a trust relationship between your app and an identity provider.

Anti-CSRF “sync” Tokens Use them if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket. Websites that use any persistent authentication mechanism, such as Windows Authentication, Basic, etc., can also be subject to CSRF attacks and should use sync tokens. Sync tokens are randomly generated values included in every form/request and are based on the synchronizer token pattern. This pattern uses two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass the comparison check.

Anti-CSRF Tokens – cont’d In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and is available via the IIdentity interface. Specify the claim type that uniquely identifies a user in your app if you’re using something other than NameIdentifier. Add a line similar to the following in the Application_Start method in Global.asax.cs: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name; OWASP provides a good explanation of these tokens, along with links to the Microsoft implementations, in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET. ASP.NET MVC example: <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />

Access Tokens An access token is just an opaque string representing an authorization granted to a client application. Access tokens can be Bearer or Holder-of-Key tokens. Bearer tokens can be used as-is without requiring proof of ownership. Used by passive, browser-based clients. Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks. Refer to the OAuth spec: https://tools.ietf.org/html/rfc6750. Holder-of-Key tokens require supporting cryptographic material to prove token ownership. They provide end-to-end message security because the token is signed and encrypted and the keys are shared out-of-band. Refer to the OAuth draft: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01.

Access Tokens – cont’d Format explained:
access_token: string containing the token issued by the identity provider.
token_type: the type of token issued.
expires_in: the lifetime in seconds of the access token.
scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user.
state: optional parameter used for security checks. The value sent by the client is the same one returned in the response.
refresh_token: optional parameter used to request a new access token.
Example:
{ "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

Refresh Tokens An opaque string containing a unique identifier used to retrieve authorization information for a specific client. Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires. Refresh tokens are long-lived compared to access tokens, whose lifetime is much shorter. It should be possible to revoke a refresh token in case an access token is compromised.

Refresh Tokens – cont’d Example:
{"token":"VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY","userName":"FooBar","refreshToken":"03715a432ead4dbc91a371eb26c24931","useRefreshTokens":true}

Token Formats SAML – Security Assertion Markup Language. JWT – JSON Web Token. SWT – Simple Web Token.
Comparison (values as given on the slide; cells whose values did not survive the transcript are left blank):
| | SAML | SWT | JWT |
| Format | XML | HTML Form Encoding | JSON |
| Designed For | SOAP | REST | REST |
| Default WIF Implementation | Yes | No | |
| Protocols | WS-Trust & WS-Federation | OAuth 2.0 | OAuth 2.0 |
| Support for Signing | | | |
| Support for Encrypting | | | |

Standards and Guidelines OpenID Connect is the authentication spec built on top of OAuth 2.0. It covers the use and format of the JSON Web Token. Refer to: http://openid.net/specs/openid-connect-core-1_0.html. OWASP has good coverage of topics related to security and authentication: https://www.owasp.org/index.php/Authentication_Cheat_Sheet and https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet. JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.

Demo

Resources Books: Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c. Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185. Blog Posts & Articles: Enable OAuth Refresh Tokens in AngularJS App using ASP.NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/. WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.

Resources – cont’d PluralSight Courses: Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture. Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud. AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals. Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.