cis 2015- mobile sso: are we there yet? - brian campbell
Post on 13-Apr-2017
370 Views
Preview:
TRANSCRIPT
MOBILE SSOARE WE THERE YET?
BRIAN CAMPBELL@__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 2
Formalities, Introductions, etc.
• I work @ Ping• You might know me as ‘that guy’ with the camera• Slides will be available
– at http://www.slideshare.net/briandavidcampbell– & at https://twitter.com/__b_c
• 2 underscores +• b +• 1 underscore +• c
Copyright © 2015 Brian Campbell. All rights reserved. 3Yeah, that guy
Copyright © 2015 Brian Campbell. All rights reserved. 4
Formalities, Introductions, etc.
• I work @ Ping• You might know me as ‘that guy’ with the camera• Slides will be available
– at http://www.slideshare.net/briandavidcampbell– & at https://twitter.com/__b_c
• 2 underscores +• b +• 1 underscore +• c
Copyright © 2015 Brian Campbell. All rights reserved. 5
• Disclaimers– Views or opinions presented herein are solely my own
and do not necessarily represent those of the my employer
– Wholly unqualified to talk about mobile– Primarily do server side development– And not even very much of that anymore
• So, um… WTF?– I know a few people involved with CIS– And I do use a mobile phone…
My ‘Safe Harbor’ Slide
Copyright © 2015 Brian Campbell. All rights reserved. 6
Though not very well
Copyright © 2015 Brian Campbell. All rights reserved. 7
But Sometimes…
An outsider’s perspective can help see where things just aren’t quite right
Copyright © 2015 Brian Campbell. All rights reserved. 8as demonstrated by a semi-contrived little story about me and my phone
Premise: Single Sign-On just isn’t quite right
on mobile
Copyright © 2015 Brian Campbell. All rights reserved. 9
I’m very busy and important
As you can see by my
opulent travel budget.
Copyright © 2015 Brian Campbell. All rights reserved. 10
So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…
Copyright © 2015 Brian Campbell. All rights reserved. 11
Just trying to join a meeting while out on the road.
Copyright © 2015 Brian Campbell. All rights reserved. 12
Copyright © 2015 Brian Campbell. All rights reserved. 13
Copyright © 2015 Brian Campbell. All rights reserved. 14
Copyright © 2015 Brian Campbell. All rights reserved. 15
Copyright © 2015 Brian Campbell. All rights reserved. 16
Copyright © 2015 Brian Campbell. All rights reserved. 17
Copyright © 2015 Brian Campbell. All rights reserved. 18
Copyright © 2015 Brian Campbell. All rights reserved. 19
Copyright © 2015 Brian Campbell. All rights reserved. 20
Copyright © 2015 Brian Campbell. All rights reserved. 21
Copyright © 2015 Brian Campbell. All rights reserved. 22
Copyright © 2015 Brian Campbell. All rights reserved. 23
Copyright © 2015 Brian Campbell. All rights reserved. 24
Copyright © 2015 Brian Campbell. All rights reserved. 25
Copyright © 2015 Brian Campbell. All rights reserved. 26
Please excuse any intermittent time travel.
I had some technical difficulties with
something called “focus” and had to reshoot a few
images.
Copyright © 2015 Brian Campbell. All rights reserved. 27
Copyright © 2015 Brian Campbell. All rights reserved. 28
Copyright © 2015 Brian Campbell. All rights reserved. 29
There’s my meeting!
Copyright © 2015 Brian Campbell. All rights reserved. 30
Copyright © 2015 Brian Campbell. All rights reserved. 31
(This happened on first use a long time ago)
Copyright © 2015 Brian Campbell. All rights reserved. 32
Copyright © 2015 Brian Campbell. All rights reserved. 33
Copyright © 2015 Brian Campbell. All rights reserved. 34
!
Copyright © 2015 Brian Campbell. All rights reserved. 35
Copyright © 2015 Brian Campbell. All rights reserved. 36
Copyright © 2015 Brian Campbell. All rights reserved. 37
Copyright © 2015 Brian Campbell. All rights reserved. 38
Copyright © 2015 Brian Campbell. All rights reserved. 39
Copyright © 2015 Brian Campbell. All rights reserved. 40
Copyright © 2015 Brian Campbell. All rights reserved. 41
Copyright © 2015 Brian Campbell. All rights reserved. 42
Copyright © 2015 Brian Campbell. All rights reserved. 43
Copyright © 2015 Brian Campbell. All rights reserved. 44
Copyright © 2015 Brian Campbell. All rights reserved. 45
Copyright © 2015 Brian Campbell. All rights reserved. 46
Awkw
ard
Tra
nsiti
on
Copyright © 2015 Brian Campbell. All rights reserved. 47
• Behind the Scenes– Web Single Sign-On – OAuth 2.0 (ish)
Copyright © 2015 Brian Campbell. All rights reserved. 48
Web Single Sign-On in one Slide
• Typically– SAML 2.0– OpenID Connect
• But also– SAML 1.1/1.0– OpenID 2.0– WS-Federation
• And maybe– Facebook Connect/Login– Whatever Twitter does– Various non-standard
approaches
Identity Provider
(IDP)
Service Provider
(SP)
Web Single Sign-On (SSO)
You O
nly L
ogin O
nce
Copyright © 2015 Brian Campbell. All rights reserved. 49
OAuth 2.0 in one slide
• client: An application obtaining authorization and making protected resource requests. – Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
A few other OAuth terms• Access token (AT) – Presented by client when accessed protected
resources at the RS • Refresh token (RT) - Allows clients to obtain a fresh access token
without re-obtaining authorization • Scope – A permission (or set of permissions) defined by the AS/RS• Authorization endpoint – used by the client to obtain authorization
from the resource owner via user-agent redirection• Token endpoint – used for direct client to AS communication• Authorization Code – One time code issued by an AS to be
exchanged for an AT.
ClientResource
Server
Get a token
Use a token
AuthorizationServer
Copyright © 2015 Brian Campbell. All rights reserved. 50
Web SSO + OAuth = Mobile SSO
Device
NativeApp
System Browser
1
https:// Home Service
12
3
Authorization Endpoint
Token Endpoint
3
45
Enterprise or Social Identity
Provider
Copyright © 2015 Brian Campbell. All rights reserved. 51
(1) Request Authorization• When user first needs to access some
protected resource (not logged in), the app launches the system browser with an authorization request
• ‘IDP Discovery’ can be done in the native application
Device
NativeApp
System Browser
1
https:// Home Service
1
Authorization Endpoint
Token Endpoint
Enterprise or Social Identity
Provider
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
A quick note about
Apple…
Copyright © 2015 Brian Campbell. All rights reserved. 52
(1a) PKCE
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
• Proof Key for Code Exchange by OAuth Public Clients (PKCE)
– Binds the code exchange to the authorization request
– (RFC in waiting) https://tools.ietf.org/html/draft-ietf-oauth-spop
Copyright © 2015 Brian Campbell. All rights reserved. 53
(2) Authenticate and Approve• Redirect to IDP for SSO & Service Provider
is the SP
Device
NativeApp
System Browser
https:// Home Service
2
Authorization Endpoint
Token Endpoint
Enterprise or Social Identity
Provider
• User approves the requested access
– (don’t skip this)
Copyright © 2015 Brian Campbell. All rights reserved. 54
(3) Handle Callback• Authorization server returns control to the
app using HTTP redirection and includes an authorization code
– URI with a custom scheme registered to the app
• Reversed domain name as redirect_uri scheme
– Resistant to accidental collisions – Proof of domain ownership provides better recourse
against malicious collisions
Device
NativeApp
System Browser
https:// Home Service
3
Authorization Endpoint
Token Endpoint
3
Enterprise or Social Identity
Provider
HTTP/1.1 302 FoundLocation: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
Copyright © 2015 Brian Campbell. All rights reserved. 55
(4) Trade Code for Token(s)
Device
NativeApp
System Browser
https:// Home Service
Authorization Endpoint
Token Endpoint
4
Enterprise or Social Identity
Provider
POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint request
Copyright © 2015 Brian Campbell. All rights reserved. 56
(4a) PKCE Again
POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint request
Copyright © 2015 Brian Campbell. All rights reserved. 57
(4b) Trade Code for Token(s)
Device
NativeApp
System Browser
https:// Home Service
Authorization Endpoint
Token Endpoint
4
Enterprise or Social Identity
Provider
POST /as/token.oauth2 HTTP/1.1Host: as.example.comContent-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&code_verifier=7gEsCAcCLtCTbDl2fml2z
HTTP/1.1 200 OKContent-Type: application/json;charset=UTF-8Cache-Control: no-store
{ "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RltacecQriuFfsxV41”, "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc”}
token endpoint request
token endpoint response
Copyright © 2015 Brian Campbell. All rights reserved. 58
(5) Use Access TokenAuthenticate/authorize calls to the protected APIs by including AT in the HTTP Authorization header
Device
NativeApp
System Browser
https:// Home Service
Authorization Endpoint
Token Endpoint
5
Enterprise or Social Identity
Provider
POST /api/update-status HTTP/1.1Host: rs.example.orgAuthorization: Bearer PeRTSD9RltacecQriuFfsxV41Content-Type: application/json
{"status" : "almost done with this presentation"}
Copyright © 2015 Brian Campbell. All rights reserved. 59
Rinse and Repeat
• If All Goes well,
• And if not, HTTP 401• Use the refresh token to get a new access token• And if that doesn’t work or you don’t have a
refresh token, initiate the authorization request flow again
HTTP/1.1 200 OK
Copyright © 2015 Brian Campbell. All rights reserved. 60
Some Folks Like to …
Device
NativeApp
System Browser
1
https:// Home Service
12
3
Authorization Endpoint
Token Endpoint
3
45
Enterprise or Social Identity
Provider
Copyright © 2015 Brian Campbell. All rights reserved. 61
… Use a Web-View
Device
NativeApp
1
https:// Home Service
12
3
Authorization Endpoint
Token Endpoint
3
45
Web-View
Enterprise or Social Identity
Provider
but…
Copyright © 2015 Brian Campbell. All rights reserved. 62
The Web-View Anti-Pattern
• Usability Issues– No shared context (cookie)– Requires sign-in once per app even when web SSO is possible
• Security Issues– Web-view typically isn’t sandboxed from invoking app so
credentials and authentication cookies can be stolen– Requires/encourages users to enter credentials without the
address bar and associated visual cues of site authenticity (HTTPS)
• Missing Features– Some web-views unable to access to client certificates– Generally unable to use password managers, etc.
Copyright © 2015 Brian Campbell. All rights reserved. 63
What about OpenID Connect?
• A simple[sic] single sign-on and identity layer on top of OAuth 2.0
• Adds an ID Token (JWT) for user authentication to the client
• And a bunch of other stuff
Copyright © 2015 Brian Campbell. All rights reserved. 64
What about OpenID Connect?
• Great for the web SSO part
• Can be layered on the OAuth part
Device
NativeApp
System Browser
1
https:// Home Service
12
3
Authorization Endpoint
Token Endpoint
3
45
Enterprise or Social Identity
Provider
Copyright © 2015 Brian Campbell. All rights reserved. 65
What about NAPPS?
• Intended to be a profile of OpenID Connect to enable an SSO model for native applications installed on mobile devices
• A Token Agent as the shared context
Copyright © 2015 Brian Campbell. All rights reserved. 66
NAAPS NAPPS is Great!• It’s just not real (yet, anyway)
this one
um, no
“eventually”
Copyright © 2015 Brian Campbell. All rights reserved. 67
Don’t Sleep on NAPPS?
• But not totally incompatible with approach discussed herein– (latest thinking,
anyway)
Copyright © 2015 Brian Campbell. All rights reserved. 68
And really, who couldn’t use more NAPPS?
Copyright © 2015 Brian Campbell. All rights reserved. 69
Near Term Recommendations
• Use OAuth 2.0 + PKCE – & maybe OpenID Connect
• Use Web SSO• Prompt for user consent (every time)• Use the System Browser• Use a reversed Internet domain name in
the custom scheme for the callback URI
MOBILE SSOARE WE THERE YET?
BRIAN CAMPBELL@__b_c
THANKS! (time permitting)
QUESTIONS?
top related