| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2025-05-02 14:29:41 -0600 |
| commit | c583bcd1473205104a1e1af812ed4976d30c7baa (patch) | |
| tree | 933edf78a4ac8aea55256e42641e56bbb4c58834 /doc/share/authz/SLIDES.md | |
| parent | 91defaefca47e9cebbe92c6abf33c4423df9bc7d (diff) | |
refactor: remove anything unrelated to the authz daemon
Diffstat (limited to 'doc/share/authz/SLIDES.md')
| -rw-r--r-- | doc/share/authz/SLIDES.md | 207 |
1 files changed, 0 insertions, 207 deletions
diff --git a/doc/share/authz/SLIDES.md b/doc/share/authz/SLIDES.md deleted file mode 100644 index c14387bc..00000000 --- a/doc/share/authz/SLIDES.md +++ /dev/null 
@@ -1,207 +0,0 @@ -# Authx = Authn + Authz - -* Authentication: Are you who you say you are? -* Authorization: Are you allowed to do that? - -# Authx - Examples - -1. Travel by Plane (High security context) - * Authentication: Passport - * Authorization: Boarding Pass -1. Travel by Bus (Low security context) - * Authentication: Not required - * Authorization: Bus ticket - -# Authx - -The Resource Server provides the security context and knows if the resource that -is being access requires a high or low security context. - -# Authx - -Not every resource requires a high security context. - -i.e. we don't need to make a network call to the PDP for every single authorization decision if the security context is low. - -# Authx - Challenges - -* PKI: key rotation, revocation, signing, encryption -* Uptime Guarantees -* Auditability -* Complexity -* Interoperability -* Extensibility -* Observability -* ... - -# OAuth 2.x - -OAuth is for Authorization. - -# OAuth 2.x - Protocol Flow - -```plaintext - +--------+ +---------------+ - | |--(A)- Authorization Request ->| Resource | - | | | Owner | - | |<-(B)-- Authorization Grant ---| | - | | +---------------+ - | | - | | +---------------+ - | |--(C)-- Authorization Grant -->| Authorization | - | Client | | Server | - | |<-(D)----- Access Token -------| | - | | +---------------+ - | | - | | +---------------+ - | |--(E)----- Access Token ------>| Resource | - | | | Server | - | |<-(F)--- Protected Resource ---| | - +--------+ +---------------+ -``` - -https://datatracker.ietf.org/doc/html/rfc6749#section-1.2 - -# OAuth 2.x - Protocol Endpoints - -The authorization process utilizes two authorization server endpoints (HTTP resources): - -- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection. -- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication. 
- -https://datatracker.ietf.org/doc/html/rfc6749#section-3 - -# OAuth 2.x - Authorization Grants - -* Authorization Code: `authorization_code` -* JWT Bearer: `urn:ietf:params:oauth:grant-type:jwt-bearer` -* Refresh Token: `refresh_token` -* SAML Assertion: `urn:ietf:params:oauth:grant-type:saml2-bearer` - -# OAuth 2.x - Authorization Code Grant Protocol Flow - -```plaintext - +----------+ - | Resource | - | Owner | - | | - +----------+ - ^ - | - (B) - +----|-----+ Client Identifier +---------------+ - | -+----(A)-- & Redirection URI ---->| | - | User- | | Authorization | - | Agent -+----(B)-- User authenticates --->| Server | - | | | | - | -+----(C)-- Authorization Code ---<| | - +-|----|---+ +---------------+ - | | ^ v - (A) (C) | | - | | | | - ^ v | | - +---------+ | | - | |>---(D)-- Authorization Code ---------' | - | Client | & Redirection URI | - | | | - | |<---(E)----- Access Token -------------------' - +---------+ (w/ Optional Refresh Token) -``` - -# OAuth 2.x - Implicit Grant (not a recommendation) - -```plaintext - +--------------------+ - | Resource Owner | - +--------------------+ - ^ - (B) - +----|-----+ Client Identifier +---------------+ - | +----(A)-- & Redirection URI --->| Authorization | - | User- | | Server | - | Agent -|----(B)-- User authenticates -->| | - | |<---(C)--- Redirection URI ----<+---------------+ - | | with Access Token - | | +---------------+ - | |----(D)--- Redirection URI ---->| Web-Hosted | - | | without Fragment | Client | - | | | Resource | - | (F) |<---(E)------- Script ---------<+---------------+ - +-|--------+ - (A) (G) Access Token - ^ v - +---------+ - | Client | - +---------+ -``` - -# OAuth 2.x - Refresh Token Grant Protocol Flow - -```plaintext - +--------+ +---------------+ - | |--(A)------- Authorization Grant --------->| | - | | | | - | |<-(B)----------- Access Token -------------| | - | | & Refresh Token | | - | | | | - | | +----------+ | | - | |--(C)---- Access Token ---->| | | | - | | | | | | - | |<-(D)- 
Protected Resource --| Resource | | Authorization | - | Client | | Server | | Server | - | |--(E)---- Access Token ---->| | | | - | | | | | | - | |<-(F)- Invalid Token Error -| | | | - | | +----------+ | | - | | | | - | |--(G)----------- Refresh Token ----------->| | - | | | | - | |<-(H)----------- Access Token -------------| | - +--------+ & Optional Refresh Token +---------------+ -``` - -# OpenID Connect (OIDC) - -OIDC adds Authn to OAuth. - -# OIDC - Protocol Flow - -OIDC = Authn + OAuth - -```plaintext -+--------+ +--------+ -| | | | -| |---------(1) AuthN Request-------->| | -| | | | -| | +--------+ | | -| | | | | | -| | | End- |<--(2) AuthN & AuthZ-->| | -| | | User | | | -| RP | | | | OP | -| | +--------+ | | -| | | | -| |<--------(3) AuthN Response--------| | -| | | | -| |---------(4) UserInfo Request----->| | -| | | | -| |<--------(5) UserInfo Response-----| | -| | | | -+--------+ +--------+ -``` - -https://openid.net/specs/openid-connect-core-1_0.html#Overview - -# WLIF - -TODO:: Add a protocol flow diagram - -* https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation#how-it-works -* https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/ - -# Primitives - -We need: - -* PKI: Certificate Authority generate and sign intermediate certs -* OAuth 2.x Authorization Server -* OIDC Provider (OP) |
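Review bot: the commit message says this file is unrelated to the authz daemon, but the deleted `# Primitives` section (`PKI: Certificate Authority generate and sign intermediate certs`, `OAuth 2.x Authorization Server`, `OIDC Provider (OP)`) and the `# Authx - Challenges` list (key rotation, revocation, auditability, observability) are the only statement in this file of what the daemon depends on and which security properties it has to deliver, and the `# Authx` slide about not making a network call to the PDP for every decision when the security context is low records a design decision for that daemon rather than unrelated material. Suggest moving those three sections into a design note under doc/ (or the daemon's README) in the same change, and either carrying over or explicitly closing the `# WLIF` item `TODO:: Add a protocol flow diagram` instead of dropping it silently; the OAuth 2.x and OIDC ASCII flow diagrams can go, since the RFC 6749 and OpenID Connect Core links beside them carry the same information.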
