Single Sign On
@ Byte
Why SSO?
- Unified login needed for the Magento monitor
- Unhappy about tools forced behind SP login
- Unhappy about login of SP in general
SSO options
- SAML (enterprise, XML)
- OAuth2/OpenID Connect (web, mobile, APIs, JSON)
What is OAuth2
- Delegated authorization/consent protocol
- Not an authentication protocol!
- Can be used, and is used a lot, for authentication anyway
OAuth2 actors
- User ("resource owner")
- Client
- Authorization Server
- Resource Server
OAuth2 actors - example
- User ("resource owner")
- Client: LinkedIn
  - Wants to access the user's address book
- Authorization Server
  - Google OAuth server
- Resource Server
  - Google Mail APIs
Implicit authentication
- Reasoning: because the client was able to obtain an access token/API key for the user, the user must be who he says he is
- No explicit authentication: the access token/API key itself says nothing about the identity of the user
OpenID Connect
- Adds an id_token to establish identity
- Formalizes some OAuth2 details
  - Scope names, claims
- Adds auto discovery, auto registration
- Adds a userinfo API to fetch user details

ID Token - JW{K,E,S,T}
- In JWT format
- Signed using JWS
- Optionally encrypted using JWE
- Signing/encryption keys published in JWK format
Example
What's changed?
- auth.byte.nl was OAuth1 only, now also OAuth2/OIDC
- Servicepanel (staging) now authenticates against auth.byte.nl using Apache mod_auth_openidc
- Scope "roles" carries the claim "staff" (true/false)
- Encrypted cookie is gone
- Active domain now kept in a separate cookie
- Impostor cookie used to emulate customer logins
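An added configuration example (not Byte's actual Servicepanel configuration) of how mod_auth_openidc can be pointed at an OIDC provider and gate a location on the "staff" claim from the "roles" scope. The discovery URL, redirect URI, client_id, client secret and passphrase are placeholders; `Require claim` is a mod_auth_openidc authorization directive, and the assumption here is that the boolean claim compares against the string value "true".

```apache
# Added example: placeholder values, not the real Servicepanel deployment.
OIDCProviderMetadataURL https://auth.byte.nl/.well-known/openid-configuration
OIDCClientID            servicepanel-staging
OIDCClientSecret        REPLACE-WITH-CLIENT-SECRET
# The redirect URI must live inside a location protected by the module.
OIDCRedirectURI         https://servicepanel-staging.example/protected/redirect_uri
OIDCCryptoPassphrase    REPLACE-WITH-RANDOM-PASSPHRASE
# "openid" is mandatory; "roles" is the scope that yields the "staff" claim.
OIDCScope               "openid roles"
OIDCRemoteUserClaim     sub

<Location /protected/>
    AuthType openid-connect
    # Staff only: anyone whose token lacks staff:true gets a 403 from Apache
    # before the application sees the request.
    Require claim staff:true
</Location>
```

The point of the `Require claim` line is that the authorization decision is made by the module, after it has validated the id_token against the provider's published JWKs, rather than by application code trusting a cookie.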
Future
- office.byte.nl authenticates against auth.byte.nl
- auth.byte.nl extended with 2FA, etc.
- API access for customers using OAuth2?
By maarten