Les bonnes pratiques

conjuguées au présent, passé simple et futur

Mathieu

Tech Lead

Humbert

Dévelopeur Backend depuis 15 ans

Architecture - DevOps - Sécurité

@math7t

Mathieu

Tech Lead

Humbert

Dévelopeur Backend depuis 15 ans

Architecture - DevOps - Sécurité

@math7t

Qui a déjà travaillé avec Oauth 2.0 / OpenId Connect ?

Qui a déjà travaillé avec Oauth 1 ?

?

Social Login

Single Sign-on

Authentification Fédérée

Le problème initial

Import des contacts

Le problème initial

Import des contacts

API

API

API

On veux obtenir l'autorisation d'accès aux contacts

 

via un Token d'API

Alternative

Un petit tutoriel

Alternative

Un petit tutoriel

1 - Va sur ton service Mail

2 - Authenfie toi si besoin, pas mon problème

3 - Va sur ta page profile, section "developer"

4 - Génère un token d'API, restreint sur la gestion des contacts

5 - Copie le token d'API

6 - Reviens chez moi et donne moi ce token, stp

Alternative

Un petit tutoriel

1 - Va sur ton service Mail

2 - Authenfie toi si besoin, pas mon problème

3 - Va sur ta page profile, section "developer"

4 - Génère un token d'API, restreint sur la gestion des contacts

5 - Copie le token d'API

6 - Reviens chez moi et donne moi ce token, stp

OAuth 2.0 décrit comment automatiser ce besoin

C'est un framework d'

autorisation

Comment ?

Je veux importer mes contacts

Redirect -> https://emails.com/authorize

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

Token

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

- Authentification

- Consentement

Token

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?token=rkj2oirj23

Token

HARD

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?token=rkj2oirj23

Token

IMPLICIT FLOW

Token

IMPLICIT FLOW

Resource Owner (RO)

API Contacts : Resource Server

Contacts : Resource 

Client

Client

AS

Authorization Server (AS)

HARD

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?token=rkj2oirj23

Token

IMPLICIT FLOW

SÉCURISÉ

?

?

BACK-CHANNEL

HTTPS

Client

Server

front-end

back-end

?

BACK-CHANNEL

HTTPS

Client

Server

front-end

back-end

FRONT-CHANNEL

HTTP Redirects

Server

Server

Browser

Tout passe par les URLs

?

FRONT-CHANNEL

HTTP Redirects

Server

Server

Browser

Tout passe par les URLs

Browser History

Browser Add-ons

HTTP Referer

Logs serveur

Redirect -> https://emails.com/authorize

?

client_id=facebook

scope=contacts

redirect_uri=https://...

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?token=rkj2oirj23

Token

Client

AS

Par quoi on le remplace ?

Simple

Par quoi on le remplace ?

Simple

Par un autre token !

Par quoi on le remplace ?

Simple

Par un autre token !

Ephémère

Utilisable qu'une fois

Ne sert qu'à récupérer le vrai token via une requète de back-channel

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Client

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Client

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

Client

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

POST https://emails.com/token

Client

Client

AS

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

POST https://emails.com/token

Token

Client

Client

AS

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

POST https://emails.com/token

Token

Client

Client

AS

Authorization Code flow

AS

SÉCURISÉ

?

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

POST https://emails.com/token

Token

Client

Client

AS

1

2

AS

Redirect -> https://emails.com/authorize

- Authentification

- Consentement

Redirect -> https://facebook.com/callback?code=rkj2oirj23

POST https://emails.com/token

Token

Client

Client

AS

1

2

Comment authentifier le client ?

redirect_uri

client_id

client_secret

AS

Comment authentifier le client ?

client_secret

Mobile

SPA

Backend

PKCE

https://emails.com/authorize

https://emails.com/token

Client

Client

AS

code_verifier

Random string

code_challenge

Hash verifier

AS

https://emails.com/authorize

https://emails.com/token

Client

Client

AS

code_verifier

code_challenge

PKCE

AS

https://emails.com/authorize

https://emails.com/token

Client

Client

AS

code_verifier

code_challenge

PKCE

AS

https://emails.com/authorize

https://emails.com/token

Client

Client

AS

code_verifier

code_challenge

PKCE

+

AS

Authorization Code

PKCE

+

Mobile

SPA

Backend

Refresh flow

POST https://emails.com/token

Token

Client

AS

Refresh Token

Quelques trucs en +

Quelques trucs en +

Redirect URI

Redirect -> https://www.monclient.com/callback?code=rkj2oirj23

Client

redirect_uri

AS

AS

AS

Quelques trucs en +

Pre-registered Redirect URI

https://www.monclient.com/callback

AS

https:// *.monclient.com/callback

https://www.monclient.com/callback?*

https://www.monclient.com/callback

Direct match

Quelques trucs en +

Redirect URI

Redirect -> https://facebook.com/callback_as2?code=rkj2oirj23

Client

AS 2

AS 3

AS 1

Redirect -> https://facebook.com/callback_as3?code=rkj2oirj23

Redirect -> https://facebook.com/callback_as1?code=rkj2oirj23

Librairies standards recommendées par l'IETF

Autorisation

Authentification

access_token :

fj3984jrqjrqp8qoijr11

id_token :

JWT

Autorisation

Authentification

access_token :

fj3984jrqjrqp8qoijr11

id_token :

JWT

{
  "sub": "1234567890",
  "iat": 1516239022,
  "exp": 1516239023,
  "name": "John Doe"
}

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

{
  "sub": "1234567890",
  "iat": 1516239022,
  "exp": 1516239023,
  "name": "John Doe"
}

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "HS256",
  "typ": "JWT"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "none",
  "typ": "JWT"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "none",
  "typ": "JWT"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

Algorithm algorithm = Algorithm.HMAC256("secret");

JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("mon-authorization-server")
        .build();
        
DecodedJWT jwt = verifier.verify(token);
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "none",
  "typ": "JWT"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

Algorithm algorithm = Algorithm.RSA256(publicKey)

JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("mon-authorization-server")
        .build();
        
DecodedJWT jwt = verifier.verify(token);
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "RSA256",
  "typ": "JWT",
  "kid": "27irj93yh2"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

Rotation des clés

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
{
  "alg": "RSA256",
  "typ": "JWT",
  "kid": "27irj93yh2"
}

Header

Payload

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
  )

Signature

Rotation des clés

Pas de     partout

Alternatives au

BISCUIT

par

Alternatives au

BISCUIT

par

Et le futur alors ?

Et le futur alors ?

Financial-Grade API (FAPI)

Grant Negociation and Authorization Protocol (GNAP)

Google's Zanzibar

Passwordless with WebAuthn

Merci !

@math7t

Oauth2 / OpenID Connect

By Mathieu HUMBERT

Made with Slides.com

Oauth2 / OpenID Connect

  • 368