Single Sign On

@ byte

Why SSO?

  • Unified login needed for the Magento monitor
  • Unhappy about tools being forced behind the Servicepanel (SP) login
  • Unhappy about the Servicepanel login in general

SSO options

  • SAML (enterprise, XML)
  • OAuth2/OpenID Connect (web, mobile, APIs, JSON)

What is OAuth2

  • Delegated authorization/consent protocol
  • Not an authentication protocol!
  • Nevertheless widely (ab)used for authentication

OAuth2 actors

  • User ("resource owner")
  • Client
  • Authorization Server
  • Resource Server

OAuth2 actors - example

  • User ("resource owner")
  • Client - LinkedIn
    • Wants to access address book
  • Authorization Server
    • Google OAuth server
  • Resource Server
    • Google Mail APIs

Implicit authentication

  • Reasoning: if the client could obtain an access token/API key for the user, the user must be who he claims to be
  • No explicit authentication: an access token/API key says nothing about who the user is, and is not bound to the client that presents it

OpenID Connect

  • Adds id_token to establish identity
  • Formalizes some OAuth2 details
    • Scope names, claims
  • Adds discovery (/.well-known/openid-configuration) and dynamic client registration
  • Adds a userinfo endpoint to fetch user details

ID Token - JW{K,E,S,T}

  • In JWT format
  • Signed using JWS
  • Optionally encrypted using JWE
  • Keys in JWK format
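The following is an added example, not code from the original slides or from Byte: it mints an id_token as a compact JWS (JWT) and then verifies it the way a relying party must, so it shows both why an access token alone is not authentication (the slide above) and what an id_token adds. The issuer URL, client_id and the "oct" JWK are hypothetical values constructed for the example; HS256 is used because it needs only the standard library (OIDC also allows HS256 keyed with the client secret; a real IdP such as auth.byte.nl would more typically publish RSA keys at its jwks_uri).

```python
"""Added example (not from the original slides): mint and verify an OpenID
Connect id_token as a compact JWS with the standard library only.
Assumed, hypothetical values: ISSUER stands in for auth.byte.nl, CLIENT_ID is
the relying party, JWK is a constructed shared "oct" key (RFC 7517)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://auth.example.test"   # assumed issuer
CLIENT_ID = "servicepanel"             # assumed client_id
JWK = {                                # constructed symmetric key in JWK form
    "kty": "oct", "kid": "hs-1", "alg": "HS256",
    "k": base64.urlsafe_b64encode(b"constructed-demo-secret-do-not-reuse").rstrip(b"=").decode(),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict, jwk: dict) -> str:
    """Authorization-server side: JWS compact serialization, HS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker side: the classic 'alg: none' token with an empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return (b64url(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + ".")


class InvalidIdToken(Exception):
    pass


def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str,
                    nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party side: the id_token checks of OIDC Core section 3.1.3.7."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The RP decides which algorithm it accepts; never trust the token's own "alg".
    if header.get("alg") != "HS256":
        raise InvalidIdToken("unexpected alg %r" % header.get("alg"))
    jwk = jwks.get(header.get("kid"))
    if jwk is None:
        raise InvalidIdToken("unknown kid")
    expected = hmac.new(b64url_decode(jwk["k"]), (h_b64 + "." + p_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidIdToken("bad signature")
    claims = json.loads(b64url_decode(p_b64))   # only now are the claims trustworthy
    if claims.get("iss") != issuer:
        raise InvalidIdToken("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        # This binding is what a bare access token lacks and an id_token adds.
        raise InvalidIdToken("not issued to this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidIdToken("expired")
    if claims.get("nonce") != nonce:
        raise InvalidIdToken("nonce mismatch")
    return claims


def rejection_reason(token: str, jwks: dict, issuer: str, client_id: str,
                     nonce: str, now: Optional[float] = None) -> Optional[str]:
    """None when the token is accepted, otherwise why it was rejected."""
    try:
        verify_id_token(token, jwks, issuer, client_id, nonce, now)
        return None
    except InvalidIdToken as exc:
        return str(exc)


def is_staff(claims: dict) -> bool:
    """The "roles" scope yields a boolean "staff" claim; absent means not staff."""
    return claims.get("staff") is True


if __name__ == "__main__":
    now = time.time()
    token = sign_id_token({"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID, "iat": now,
                           "exp": now + 300, "nonce": "n-1", "staff": True}, JWK)
    print(is_staff(verify_id_token(token, {JWK["kid"]: JWK}, ISSUER, CLIENT_ID, "n-1")))
```

The order of checks matters: the signature is verified before any claim is read, the accepted algorithm is fixed by the relying party rather than taken from the token, and a token issued to another client (the LinkedIn-style case from the actors slide) is rejected on `aud` even though its signature is valid. The equivalent gate in mod_auth_openidc would be `OIDCScope "openid roles"` together with `Require claim staff:true`, with the library doing the signature, issuer, audience, expiry and nonce checks for you.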

Example

What's changed?

  • auth.byte.nl was OAuth1 only, now also OAuth2/OIDC
  • Servicepanel (staging) now authenticates against auth.byte.nl using Apache mod_auth_openidc
  • Scope "roles" yields the claim "staff" (true/false)
  • Encrypted cookie is gone
  • Active domain is now kept in a separate cookie
  • "Impostor" cookie used to emulate customer logins (impersonation)

Future

  • office.byte.nl authenticates against auth.byte.nl
  • auth.byte.nl extended with 2FA, etc.
  • API access for customers using OAuth2?