Token-based Authentication In single-page and mobile applications Sunday, April 07, 2019 Will Adams Senior Software Engineer Fiserv, Inc. wbadev@gmail.com
Agenda Overview of token-based authentication. Types of tokens. Anti-CSRF. Access. Refresh. Token formats. Standards and Guidelines. Demo. Resources
Overview Token-based authentication is the process of verifying a user’s identity and then creating and returning a signed set of claims (key-value pairs) that describe the user; the client presents that token on subsequent requests instead of re-authenticating. Token-based authentication allows you to outsource authentication from your application: the app consumes a token issued by an identity provider it trusts, and the trust relationship between your app and that provider (shared keys or published signing keys) is what makes the token’s claims believable.
Anti-CSRF “sync” Tokens Use these if you’re relying on cookies for authentication – e.g. ASP.NET’s forms authentication ticket. Websites that use any credential the browser attaches automatically (Windows Authentication, Basic, or a cookie carrying an access token) can also be subject to CSRF attacks and should use sync tokens. A token the SPA itself places in an Authorization header is not attached automatically, so those requests are not forgeable in the same way; the moment the token is moved into a cookie, they are. Sync tokens are randomly generated values included in every state-changing form/request and are based on the synchronizer token pattern. ASP.NET’s implementation uses two anti-CSRF tokens submitted to the server with each HTTP POST: one token as a cookie and the other as a form value (or, for a SPA, a request header). When the tokens arrive, the server checks that the two belong together and were issued for the current user, and allows the request to proceed only if that check passes. The defence works because an attacker’s page can trigger a cross-site POST that carries the victim’s cookie, but cannot read the form token out of the victim’s page to include it.
Anti-CSRF Tokens – cont’d In a claims-based application, ASP.NET will generate and validate these tokens based on the current user’s identity, so a token issued for one user is not accepted for another. This identity is established by WIF and available via the IIdentity interface. By default the anti-forgery code keys on the NameIdentifier claim; if your identity is unique on a different claim, tell it which one, or validation will fail with a missing-claim error. Add a line similar to the following in the Application_Start method in Global.asax.cs: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name; OWASP provides a good explanation of these tokens along with links to the Microsoft implementations in this article: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET. ASP.NET MVC example of the form half (the cookie half is set by the same helper): <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
Access Tokens An access token is just an opaque string (opaque to the client; the resource server or authorization server knows how to interpret it) representing an authorization granted to a client application. Access tokens can be Bearer or Holder-of-Key tokens. Bearer tokens can be used as-is without requiring proof of ownership: whoever holds the token can use it. Used by passive, browser-based clients. Must be transmitted only over SSL/TLS, given short lifetimes and stored carefully on the client, because anyone who captures one (on the wire, in a log, or from browser storage via XSS) can replay it until it expires. Refer to the OAuth bearer token spec: https://tools.ietf.org/html/rfc6750. Holder-of-Key tokens are bound to cryptographic material that the client must use to prove possession on each request, so a captured token alone is useless to an attacker. The binding is established when the token is issued (the key may be negotiated in-band or shared out-of-band) and the token itself may additionally be signed and encrypted. Refer to the OAuth draft: https://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01; the same idea was later standardized as certificate-bound (mutual-TLS) access tokens in RFC 8705 and as DPoP in RFC 9449.
Access Tokens – cont’d Token response format (RFC 6749, section 5.1): access_token: the token issued by the authorization server. token_type: the type of token issued (e.g. Bearer), which tells the client how to present it. expires_in: recommended; the lifetime in seconds of the access token. scope: optional unless the granted scope differs from the one requested; space-delimited list of which parts of the protected resources can be accessed on behalf of the user. refresh_token: optional parameter used to request a new access token. Note that state is not part of the token response: the client sends it in the authorization request and the authorization server echoes it in the authorization response (the redirect back to the client), where the client must check that it matches the value it sent before exchanging the code. That check is OAuth’s own anti-CSRF measure. Example (from RFC 6749): { "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
Refresh Tokens An opaque string containing a unique identifier (a handle the authorization server maps back to the original grant) used to retrieve authorization information for a specific client. Refresh tokens are presented to the authorization server by a client, together with the client’s own credentials where it has any, when the access token becomes invalid or expires. Refresh tokens are long-lived compared to access tokens, whose lifetime is much shorter, which makes them the more valuable target: send them only to the token endpoint over TLS, keep them out of places an attacker can read (for a public SPA, anything reachable from page script), and make them revocable at the authorization server so that a compromised access token or refresh token can be cut off. Rotating the refresh token on every use (RFC 6749, section 10.4) lets the server detect replay of an old one and revoke the whole grant.
Refresh Tokens – cont’d Example (the authorization data object the AngularJS client in the Web API 2/Owin sample listed under Resources keeps in local storage; this is the client’s own storage shape, not an RFC 6749 token response; token is the bearer access token and refreshToken is the opaque handle): {"token":"VggA1h4-Mj31Z4GY2JeU0OvTIy0Al8aB7OPeMAkgg1DsBghe5JF0RDPqwDvn0mXMGbc4cLgfE9obH2AEm6Fo601FSpz9rXPzA6YhTThRNDjEwEdjUrLRbRkK2IOvK5Uj95iy0yjk-eUtzBOAseWGo2GsCMQWq4pYak7tPfa0XDL9jJcEdCitT1BTHYr1zKw-fciKaH8FO1gpBaYc3YJHikpVWyigc6wlSlbJQ4q4-aokK1-hNaq4nrKmZAMC00MKSeON74AcW6DeWHW4Znc5XK-Gsp-bUqgTkwwLrJ3SLz7S2IPE9IyskKMI1rPhumiCQlv2a1ibhvPfvqIcQMeKgazsfQY","userName":"FooBar","refreshToken":"03715a432ead4dbc91a371eb26c24931","useRefreshTokens":true} Keeping both tokens in local storage means any XSS in the app can read them; the refresh token in particular is worth protecting better than that where the platform allows.
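The client side of the access-token and refresh-token flow from the preceding four slides, as an added example in Node.js (not code from the referenced blog post or any library). The token endpoint is a constructed in-process stand-in so the exchange runs offline; the names TokenClient, FakeAuthServer, setTokens and the sixty-second refresh skew are choices made for this example.

```javascript
'use strict';
// Added example (written for this page): consuming an RFC 6749 token response,
// presenting the access token as a bearer token (RFC 6750), and using the
// refresh token before expiry. Both sides of the exchange are shown; the
// authorization server is a constructed stand-in, not a real one.

// Constructed input: the token response shown on the slide (RFC 6749, section 5.1).
const SAMPLE_RESPONSE = {
  access_token: 'mF_9.B5f-4.1JqM',
  token_type: 'Bearer',
  expires_in: 3600,
  refresh_token: 'tGzv3JOkF0XG5Qx2TlKWIA',
};

// Validate the response shape before trusting any field. `now` is epoch milliseconds.
function parseTokenResponse(json, now) {
  if (typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('missing access_token');
  }
  // A client that only knows how to present bearer tokens must refuse other types.
  if (typeof json.token_type !== 'string' || json.token_type.toLowerCase() !== 'bearer') {
    throw new Error('unsupported token_type: ' + json.token_type);
  }
  const ttl = Number.isInteger(json.expires_in) ? json.expires_in : null;
  return {
    accessToken: json.access_token,
    expiresAt: ttl === null ? null : now + ttl * 1000, // null: server gave no lifetime
    refreshToken: typeof json.refresh_token === 'string' ? json.refresh_token : null,
    scope: typeof json.scope === 'string' ? json.scope.split(' ') : [],
  };
}

// RFC 6750, section 2.1: the bearer token goes in the Authorization header.
const bearerHeader = (token) => ({ Authorization: 'Bearer ' + token });

class TokenClient {
  constructor(tokenEndpoint, skewMs = 60 * 1000) {
    this.tokenEndpoint = tokenEndpoint; // function: params -> token response
    this.skewMs = skewMs;               // refresh this long before expiry (assumed value)
    this.tokens = null;
  }
  setTokens(response, now) { this.tokens = parseTokenResponse(response, now); }

  // Return a usable access token, refreshing when the current one is about to expire.
  getAccessToken(now) {
    const t = this.tokens;
    if (t && (t.expiresAt === null || now < t.expiresAt - this.skewMs)) return t.accessToken;
    if (!t || !t.refreshToken) throw new Error('re-authentication required');
    const fresh = parseTokenResponse(
      this.tokenEndpoint({ grant_type: 'refresh_token', refresh_token: t.refreshToken }), now);
    // Section 6: the server may rotate the refresh token; keep the old one only if none is returned.
    if (fresh.refreshToken === null) fresh.refreshToken = t.refreshToken;
    this.tokens = fresh;
    return fresh.accessToken;
  }
}

// Constructed stand-in for the authorization server's token endpoint. It
// rotates refresh tokens (each is single-use) and honours revocation.
class FakeAuthServer {
  constructor() { this.issued = 0; this.live = new Set([SAMPLE_RESPONSE.refresh_token]); }
  revoke(refreshToken) { this.live.delete(refreshToken); }
  token(params) {
    if (params.grant_type !== 'refresh_token') throw new Error('unsupported_grant_type');
    if (!this.live.has(params.refresh_token)) throw new Error('invalid_grant');
    this.live.delete(params.refresh_token); // replay of the old token now fails
    this.issued += 1;
    const rt = 'rt-' + this.issued;
    this.live.add(rt);
    return { access_token: 'at-' + this.issued, token_type: 'Bearer', expires_in: 3600, refresh_token: rt };
  }
}

module.exports = { SAMPLE_RESPONSE, parseTokenResponse, bearerHeader, TokenClient, FakeAuthServer };
```

Two behaviours worth noticing: the client refreshes a little before expiry so an in-flight request is not rejected with a stale token, and once a refresh token has been revoked at the server the client has nothing left to fall back on and must send the user through authentication again.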
Token Formats SAML – Security Assertion Markup Language. JWT – JSON Web Token. SWT – Simple Web Token.
                            SAML                       SWT                  JWT
Format                      XML                        HTML form encoding   JSON
Designed for                SOAP                       REST                 REST
Default WIF implementation  Yes                        No                   No (separate JWT handler package)
Protocols                   WS-Trust & WS-Federation   OAuth 2.0            OAuth 2.0 / OpenID Connect
Support for signing         Yes (XML Signature)        HMAC-SHA256 only     Yes (JWS; HMAC or public-key)
Support for encrypting      Yes (XML Encryption)       No                   Yes (JWE)
SWT is rarely seen today; JWT is the format SPA and mobile clients will encounter, and its validation (algorithm, signature, expiry, issuer, audience) is where most of the implementation mistakes happen.
Standards and Guidelines OpenID Connect is the authentication layer built on top of OAuth 2.0: it defines the ID Token, a JWT carrying claims about the user and the authentication event, and the checks a client must perform on it. Refer to: http://openid.net/specs/openid-connect-core-1_0.html. OWASP has good coverage of topics related to security and authentication: https://www.owasp.org/index.php/Authentication_Cheat_Sheet and https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet. JSON Web Token specification: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32 (this draft was published as RFC 7519, https://tools.ietf.org/html/rfc7519).
Demo
Resources Books: Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan - http://www.apress.com/microsoft/asp-net/9781430257820?gtmf=c. Programming Windows Identity Foundation by Vittorio Bertocci - http://www.amazon.com/Programming-Identity-Foundation-Developer-Reference/dp/0735627185. Blog Posts & Articles: Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin - http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/. WIF 4.5 Overview - https://msdn.microsoft.com/en-us/library/hh291066%28v=vs.110%29.aspx.
Resources – cont’d PluralSight Courses: Claims-based Identity for Windows: The Big Picture - http://www.pluralsight.com/courses/claims-based-identity-big-picture. Windows Identity Foundation Patterns: On-Premise and Cloud - http://www.pluralsight.com/courses/wif-patterns-premise-cloud. AngularJS Security Fundamentals - http://www.pluralsight.com/courses/angularjs-security-fundamentals. Thinktecture IdentityServer: https://github.com/IdentityServer/IdentityServer3.