1
A JWT profile for OAuth2 Access Tokens
@vibronet
2
TL;DR OAuth2 doesn’t mandate a format for access tokens
Many AS products are issuing access tokens in JWT format… …but everyone does it slightly differently. A JWT profile for ATs would make it possible to create vendor-agnostic SDKs for APIs and make it easier for developers to move their code across vendors. Aspects to specify: mandatory claims for validation; metadata docs for validation info; claims carrying authorization information; optional claims in common use.
3
Agenda Analysis of JWT use in ATs issued by production services today
Draft proposal of a JWT as AT profile
4
ATs as JWTs in the wild
5
Why are providers using JWT for ATs
Format-based validation is a well-proven approach. Performant: no extra network traffic, no bottlenecks. Resilient: no throttling, not sensitive to network issues, not sensitive to AS outages. Easy troubleshooting. Easy setup/ubiquitous validation SDKs. Easy extensibility (custom claims etc).
6
Products considered Auth0 Azure AD Ping Identity IdentityServer OKTA
AWS Thanks to Daniel Dobalian, Brian Campbell, Dominick Bauer, Karl Guinness for providing sample ATs in JWT format
7
Common traits: Nearly everyone uses id_token/introspection infrastructural claims. Nearly everyone uses OIDC discovery to advertise issuer and signing keys. Different claim types for scopes. Wide gamut of additional identity, client & auth info, authorization claims.
8
Claims idtoken Auth0 Azure AD PingIdentity IdentityServer AWS OKTA
Profile Validation iss aud exp iat nonce auth_time nbf jti [aud] iad Identity sub lots <any> name preferred_username oid ipaddr unique_name uid [sub] username cid Authorization N/A scope roles scp groups memberOf ?roles, groups Context/misc azp acr amr gty aio app_displayname appid idp tid uti ver xms_tcdt --- azpacr idpid client_id token_use ?idp ?azpacr Idtoken validation:
9
A profile for ATs as JWT
10
ATs as JWT Proposal - summary
ATs are JWTs signed with RS256 (or any other asymmetric algorithm). Strongly typed (typ=access_token+jwt) to ensure they are not interchangeable with id_tokens. Validation coordinates (issuer, signature check keys…) published via OIDC discovery and/or AS metadata (RFC 8414). (More or less) the same validation rules as id_token in OIDC Core, but ensuring a strong type check, disallowing nonce, etc. Mandatory + optional claims layout. Thanks to Brian Campbell, Filip Skokan for early feedback and valuable insights.
11
ATs as JWT – claims layout
Functional area claim type origin Validation iss as for id_token in OIDC core, introspection exp, iat auth_time aud resource indicators jti 7519 JWT Identity sub <oidc profile claims> as for id_token in OIDC core Authorization scope from token_exchange groups, roles, entitlements 7643 (SCIM) Context/misc client_id acr, amr azpacr <new?> idp <new?> OIDC federation? Bold == mandatory
12
Discussion
13
Auth0 { { "iss": "https://flosser.auth0.com/",
"sub": "auth0|5ba552d674717b20e52f56cd", "aud": [ " " ], "iat": , "exp": , "azp": "xHMI55zgwY0PnaztfSQflbFAwxxHUM8_", "scope": "openid profile read:reports read:appointments offline_access" } { "iss": " "sub": "aud": " "iat": , "exp": , "azp": "uNkUAIDPx1zgXfuodmR7CNHutYWPZ96L", "scope": "read:users", "gty": "client-credentials" } Validation Identity Authorization Context
14
Azure AD { "aud": "ef1da9d4-ff77-4c3e-a005-840c3f830745",
"iss": " "iat": , "nbf": , "exp": , "acr": "1", "aio": "AXQAi/8IAAAAFm+E/QTG+gFnVxLjWdw8K+61AGrSOuMMF6ebaMj7XO3IbmD3fGmrOyD+NvZyGn2VaT/kDKXw4MIhrgGVq6Bn8wLXoT1LkIZ+FzQVkJPPLQOV4KcXqSlCVPDS/DiCDgE222TImMvWNaEMaUOTsIGvTQ==", "amr": [ "wia" ], "appid": "75dbe77f-10a3-4e59-85fd-8c127544f17c", "appidacr": "0", " ": "family_name": "Lincoln", "given_name": "Abe (MSFT)", "idp": " "ipaddr": " ", "name": "abeli", "oid": "02223b6b-aa1d-42d4-9ec0-1b2bb ", "rh": "I", "scp": "user_impersonation", "sub": "l3_roISQU222bULS9yi2k0XpqpOiMz5H3ZACo1GeXA", "tid": "fa15d692-e9c a743-29f2956fd429", "unique_name": "uti": "FVsGxYXI30-TuikuuUoFAA", "ver": "1.0" } Azure AD { "aud": "6e74172b-be ff4-e66a39bb12e3", "iss": " "iat": , "nbf": , "exp": , "aio": "AXQAi/8IAAAAtAaZLo3ChMif6KOnttRB7eBq4/DccQzjcJGxPYy/C3jDaNGxXd6wNIIVGRghNRnwJ1lOcAnNZcjvkoyrFxCttv33140RioOFJ4bCCGVuoCag1uOTT22222gHwLPYQ/uf79QX+0KIijdrmp69RctzmQ==", "azp": "6e74172b-be ff4-e66a39bb12e3", "azpacr": "0", "name": "Abe Lincoln", "oid": "690222be-ff1a-4d56-abd1-7e4f7d38e474", "preferred_username": "rh": "I", "scp": "access_as_user", "sub": "HKZpfaHyWadeOouYlitjrI-KffTm222X5rrV3xDqfKQ", "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47", "uti": "fqiBqXLPj0eQa82S-IYFAA", "ver": "2.0" } { "aud": " "iss": " "iat": , "nbf": , "exp": , "aio": "42JgYNilxTPr/L1HxVu+ZvT�nmZWBQA=", "app_displayname": "TestSecVuln", "appid": "50ddfc06-811f-4fcf-85c9-e7febdfd7885", "appidacr": "1", "idp": " "oid": " ca67-44e5-851b-79685d996ba2", "roles": [ "User.Read.All" ], "sub": " ca67-44e5-851b-79685d996ba2", "tid": "26039cce-489d b0c5134eacb", "uti": "XHWCcMtGeE-u_E-Dv1IOAA", "ver": "1.0", "xms_tcdt": }
15
PingIdentity { { "sub": "mdorey+adminaudit@pingidentity.com", {
"idpid": "24ad9bc6-a69f-4498-a9be beaa6f", "scope": "openid", "iss": " "memberOf": [ "Domain "PINGONE.CLOUD.DIRECTORY.GROUP.UI.ENTITLEMENT.OKRGSKYHXRGFKJGBNOGIKRSAZZQJNYFCMKHFULMJPTFRBI" ], "exp": , "jti": "IDa57ef23fb8909d a89d29d56cfdf981fc6d7fe2c f895ea0", "client_id": "cdd237bb ad4-90eb-d2e " } { "sub": "idpid": "24ad9bc6-a69f-4498-a9be beaa6f", "scope": "openid", "iss": " "memberOf": [ "Domain "PINGONE.CLOUD.DIRECTORY.GROUP.UI.ENTITLEMENT.OKRGSKYHXRGFKJGBNOGIKRSAZZQJNYFCMKHFULMJPTFRBI" ], "exp": , "jti": "ID96448e408baaed53c8210c3a3788f cb4d7ffe ad90", "client_id": "cdd237bb ad4-90eb-d2e " } { "sub": "idpid": "24ad9bc6-a69f-4498-a9be beaa6f", "scope": "openid", "iss": " "memberOf": [ "Domain "PINGONE.CLOUD.DIRECTORY.GROUP.UI.ENTITLEMENT.OKRGSKYHXRGFKJGBNOGIKRSAZZQJNYFCMKHFULMJPTFRBI" ], "exp": , "jti": "ID9cb74fbe81592cadd9bb3d3a e73b92714ca64ffef af72e8", "client_id": "cdd237bb ad4-90eb-d2e " } { "scope": "profile sure:whatever ok:fine", "client_id": "bdc", "sub": "test", "uid": "2d425f77", "rtttl": , " ": "exp": } { "scope": "sure:whatever ok:fine", "client_id": "bdc", "iss": " "aud": "urn:some:api", "sub": "test", "uid": "2d425f77", "rtttl": , " ": "exp": } { "scope": "profile sure:whatever ok:fine", "aud": "really this can be anything", "sub": "test", "uid": "2d425f77", "rtttl": , " ": "exp": }
16
IdentityServer { "nbf": 1551775904, "exp": 1551779504,
"iss": " "aud": [ " "api1" ], "client_id": "mvc.hybrid", "sub": " ", "auth_time": , "idp": "local", "scope": [ "openid", "profile", " ", "api1", "offline_access" "amr": [ "pwd" ] } IdentityServer { "nbf": , "exp": , "iss": " "aud": [ " "api1" ], "client_id": "client", "scope": [ ] }
17
OKTA { "ver": 1, "jti": "AT.0mP4JKAZX1iACIT4vbEDF7LpvDVjxypPMf0D7uX39RE", "iss": " "aud": " "sub": "00ujmkLgagxeRrAg20g3", "iat": , "exp": , "cid": "nmdP1fcyvdVO11AL7ECm", "uid": "00ujmkLgagxeRrAg20g3", "scp": [ "openid", " ", "flights", "custom" ], "custom_claim": "CustomValue" }