Presentation is loading. Please wait.

Presentation is loading. Please wait.

Token-based Authentication

Published byJohannes Viljo Pääkkönen Modified over 5 years ago

Similar presentations

Presentation on theme: "Token-based Authentication"— Presentation transcript:

1 Token-based Authentication
In single-page and mobile applications Sunday, April 07, 2019 Will Adams Senior Software Engineer Fiserv, Inc.

2 Agenda Overview of token-based authentication. Types of tokens.
Anti-CSRF. Access. Refresh. Token formats. Standards and Guidelines. Demo. Resources

3 Overview Token-based authentication is the process of verifying a user’s identity then creating and returning a unique set of claims (i.e. key- value pairs) that describe the user. Token-based authentication allows you to outsource authentication from your application and instead consume a token based on a trusted relationship between your app and an identity provider.

4 Anti-CSRF “sync” Tokens
Use if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket. Websites that use any persistent authentication mechanism such as Windows Authentication, Basic, etc. can also be subject to CSRF attacks and should use sync tokens. Sync tokens are random-generated values included in any form/request and are based on the synchronizer token pattern. This pattern utilizes two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value. When the tokens are submitted, the server compares the two and allows the request to proceed only if both tokens pass a comparison check.

5 Anti-CSRF Tokens – cont’d
In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity. This identity is established by WIF and available via the IIdentity interface. Denote the unique claim in your app if you’re using something other than NameIdentifier. Add a line similar to the following line in the Application_Start method in Global.asax.cs: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name; OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: ASP.NET MVC example: <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />

6 Access Tokens An access token is just an opaque string representing an authorization granted to a client application. Access tokens can be Bearer or Holder-of-Key tokens. Bearer tokens can be used as-is without requiring proof of ownership. Used by passive, browser-based clients. Must be transmitted over SSL/TLS to prevent man-in-the-middle attacks. Refer to OAuth spec: Holder-of-Key tokens require supporting cryptographic material to prove token ownership. Guarantees end-to-end message key security since the token is signed and encrypted and keys are shared out-of-band. Refer to OAuth spec:

7 Access Tokens – cont’d Format explained: Example: {
access_token: string containing the token issued by the identity provider. token_type: the type of token issued. expires_in: the lifetime in seconds of the access token. scope: optional parameter defining which parts of protected resources can be accessed on behalf of the user. state: optional parameter used for security checks. Value sent by the client is the same one returned in the response. refresh_token: optional parameter used to request a new access token. Example: { "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

8 Refresh Tokens An opaque string containing an unique identifier used to retrieve authorization information for a specific client. Refresh tokens are presented to an authorization server by a client when the access token becomes invalid or expires. Refresh tokens are long-lived as compared to access tokens whose lifetime is much shorter. Refresh tokens should be able to be revoked in case an access token is compromised.

9 Refresh Tokens – cont’d
Example: {"token":"VggA1h4- Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cL gfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yj k-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw- fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1- hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp- bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY","us erName":“FooBar","refreshToken":"03715a432ead4dbc91a371eb26c24931","useRe freshTokens":true}

10 Token Formats SAML – Security Assertion Markup Language.
JWT – JSON Web Token. SWT – Simple Web Token. SAML SWT JWT Format XML HTML Form Encoding JSON Designed For SOAP REST Default WIF Implementation Yes No Protocols WS-Trust & WS-Federation OAuth 2.0 Support for Signing Support for Encrypting

11 Standards and Guidelines
OpenID Connect is the authentication spec built on top of OAuth It covers the use and format of the JSON Web Token. Refer to: OWASP has good coverage of topics related to security and authentication: Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet. JSON Web Token specification: oauth-json-web-token-32.

12 Demo

13 Resources Books: Blog Posts & Articles:
Pro ASP.NET Web API Security By Badrinarayanan Lakshmiraghavan - Programming Windows Identity Foundation by Vittorio Bertocci - Reference/dp/ Blog Posts & Articles: Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - app-using-asp-net-web-api-2-owin/. WIF 4.5 Overview - us/library/hh291066%28v=vs.110%29.aspx.

14 Resource – cont’d PluralSight Courses:
Claims-based Identity for Windows: The Big Picture - Windows Identity Foundation Patterns: On-Premise and Cloud - AngularJS Security Fundamentals - Thinktecture IdentityServer:

Download ppt "Token-based Authentication"

Similar presentations

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.

.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
Keith Brown Cofounder pluralsight.com SIA312 Outline What is identity? Challenges Federated identity How it works from a 10,000 foot view Terminology.

Keith Brown Cofounder pluralsight.com SIA312 Outline What is identity? Challenges Federated identity How it works from a 10,000 foot view Terminology.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Securing Angular Apps Brian Noyes

Securing Angular Apps Brian Noyes

Similar presentations

Ads by Google