OAuth2 SCIM Client Registration & Software Statement Exchange

Slides:

Advertisements

Similar presentations

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

Advertisements

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Inter-Institutional Registration UNC Cause December 4, 2007.

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Understanding Active Directory

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Survey of Identity Repository Security Models JSR 351, Sep 2012.

Office 365 Platform Flexible Tools Each Office 365 Workload API required different Authentication.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

Enabling Cloud Native Security with Multi-Tenant UAA

Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.2,

OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

Consideration Security Issues on Registration Group Name: WG4 (SEC) Source: Shingo Fujimoto, FUJITSU, Meeting Date:

Secure Mobile Development with NetIQ Access Manager

Azure Active Directory is becoming one of, if not the, primary user identity management services for cloud applications. One of Azure Active Directory's.

Redmond Protocols Plugfest 2016 Ron Starr, Paul Bartos, Hagit Galatzer, Stephen Guty New and Modified Windows Protocol Documents.

OpenID Connect: An Overview Pat Patterson Developer Evangelist Architect

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,

Survey of Identity Repository Security Models JSR 351, Sep 2012.

Application Authentication using Azure AD

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Identity Events IIW April 2016.

OAuth WG Conference Call, 11th Jan. 2013

Phil Hunt, Hannes Tschofenig

OAuth2 WG User Authentication for Clients

9/11/ :51 AM Cloud Roadshow © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO.

6/17/2018 5:54 AM OSP322 Getting the best of both worlds, making the most of SharePoint hybrid search solutions Shyam Narayan Microsoft © 2013 Microsoft.

draft-ietf-behave-nat-behavior-discovery-01

Chairs: Derek Atkins and Hannes Tschofenig

OAuth Assertion Documents

Considering issues regarding handling token

Secure communication among services

Overview of E2E Security CRs

Agenda OAuth WG IETF 87 July, 2013.

OAuth2, OpenID Connect, and Science Gateways

IETF101 London Web Authorization Protocol (OAuth)

Azure AD Line Of Business Application Integration

BY: SHIVI AGRAWAL ( ) CSE-(6)C

Microsoft Connect /15/2018 3:03 AM

Office 365 Development July 2014.

Introduction to the FAPI Read & Write OAuth Profile

KMIP Entity Object and Client Registration

Office 365 Development July 2014.

Matthew Levy Azure AD B2B vs B2C Matthew Levy

SharePoint Online Authentication Patterns

HingX Project Overview

STIR WG IETF-99 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-00) July, 2017 Ray P. Singh, Martin Dolly, Subir Das, and An.

Office 365 Development.

SMART on FHIR for managed authorised access to medical records

TechEd /22/2019 9:22 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

STIR WG IETF-102 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-06) July 18, 2018 Ray P. Singh, Martin Dolly, Subir Das, and.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

SCCM in hybrid world Predrag Jelesijević Microsoft 7/6/ :17 AM

Security for Science Gateways Initial Design Discussions

Building Windows Store Apps with Windows Azure Mobile Services

Azure AD Simon May Technical Evangelist.

Rifaat Shekh-Yusef IETF105, OAuth WG, Montreal, Canada 26 July 2019

IETF102 Montreal Web Authorization Protocol (OAuth)

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02

INTEGRATIONS WITH Single Sign-On

INTEGRATIONS WITH Enterprise HRIS

Presentation transcript:

OAuth2 SCIM Client Registration & Software Statement Exchange Phil Hunt July 31, 2013 IETF87 OAuth and SCIM WG

OAuth-SCIM-Client-Reg Intro Draft enables OAuth 2 clients to register with a SCIM endpoint to obtain client id and optional credentials. Based on draft-ietf-oauth-dyn-reg-12 Essentially the same attribute model Uses SCIM API and SCIM Schema Extensions Additional items Uses software_id, software_version Software Assertion Scope, and target API

Agenda Profile Flow and Representation Software Assertion (Statement) Alternate Software Statement Exchange Flow Discussion

Basic Flow +------------+ +--------------+ +------------+ +--------------+ | Client App +-(A)---------------------------------->| Software API | | Developer | [Register] | Publisher | | |<--------------------------------------+ | +------+-----+ +--------------+ v +------------+ + Builds App | |Distribution| [Package & Distribute] +-----+------+ +--------------+ (B) +---(C)-----------------------------------+ Pre-reg Auth | | | +--------------+ v V | +-(D)-----------------------------------> | | | [POST/Register-Add] | | | | +-----------+ | OAuth2 | | +-(E)------------->| OAuth2 AS | | SCIM JIT | | Client App | [Token Request] | Token | | Registration | | Deployment |<-----------------+ Endpoint | | Endpoint | | Instance | +-----------+ | | | +-(F)---------------------------------->| | | | [PATCH/Update][PUT/Replace][GET/Read] | | | | | | | +-(G)---------------------------------->| | | | [DELETE/Unregister] | |

Example Client Representation { "schemas":["urn:scim:schemas:core:1.0", "urn:scim:schemas:oauth:2.0:Client"], "id":"2060107e82-fbe3-42bd-b199-15df7081a8ae", "software_id":"5ed2dd14-3ef7-4655-a41d-b5bd4c5266cc", "software_version":"5.1.2.3.4", "client_name":"Example Social Client", "logo_uri":"https://client.example.org/logo.png", "jwks_uri":"https://client.example.org/my_public_keys.jwks", "token_endpoint_auth_method":"client_secret_post", "scope":"read write dolphin", "client_id":"2060107e82-fbe3-42bd-b199-15df7081a8ae", "client_secret":"Z7tk2XqLKo1CfE14374teR4V554e8JUS", "redirect_urls":[""https://client.example.org/callback", "https://client.example.org/callback2"], "targetEndpoint":"https://social.example.com/base" }

Software Statement A signed JWT bearer assertion issued by resource API software publisher to developer that may be used during registration Enables extended developer registration when publisher is not the deployer of resource APIs Enables OAuth Registration endpoint to recognize publisher registered software Enables OAuth registration endpoint to approve clients, or publishers for automatic registration registration endpoints do not need continuous updates Statement is not an authentication or proof that the client is in fact the software asserted Purpose is to serve as a "letter of introduction" Client attributes are signed by publisher

Security Consideration Concern that some sites may mistake this as "proof" that a client is what it claims Are we confusing registration with authentication? The "statement" is intended to indicate to the registration server as to what the client claims to be A client that says it is one thing and behaves differently stands out (caught in a lie) Making no statement means clients are totally anonymous except by looking at other registration data. Use techniques like secure app store for distribution Administrators can test, and create local distributions with locally issued "initial access tokens".

Software Statement Attrs iss – a unique identifier (URI) for the entity that issued the JWT. The value corresponds to the Software API Publisher sub – a unique value corresponding to "software_id". Typically assigned by the Software API Publisher aud – contains a value that identifies one or more Software API deployments where the client MAY be registered OR "urn:oauth:scim:reg:generic" indicating the assertion is intended for any OAuth registration endpoint. exp – an expiry date for the assertion. May contain any other client attribute from schema.

Software Statement Flow Dev Software API Publisher Client Application Deployment AS Developer registers and obtains Software Statement Developer includes statement in client software distribution Client exchanges statement for Client Assertion

Software Statement Exchange Flow Eliminate registration API Registration occurs primarily between developer and Software API Publisher (not standardized) Uses signed Software Statements Leverages JWT/SAML Bearer flow Client exchanges Software Statement for a Client Bearer Assertion Concern: How could this work for other client credential types?

Discussion What are the primary objectives? 3 possible flows Assign a client_id Issue a client authentication credential Provide service provider with information about client other? 3 possible flows Dynamic Reg SCIM Client Reg Software Statement Exchange Which 1 or 2 is the way to go? Should the software statement (assertion) be generalized in its own draft