| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2025-04-09 13:30:33 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2025-04-09 13:30:33 -0600 |
| commit | 6cc7253b2b82c4b73392c81be99a30ea488dec01 (patch) | |
| tree | 3ec448cc73bf847286463d23aedc266be06f4ec0 | |
| parent | 51c1a2cbe4fc55d80bd010f49560ca1c6b61d55b (diff) | |
doc: put together a short slide deck
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | .gitignore | 1 |
| -rw-r--r-- | Makefile | 9 |
| -rw-r--r-- | doc/share/authz/SLIDES.md | 202 |
3 files changed, 212 insertions, 0 deletions
@@ -1 +1,2 @@ tmp +*.pdf @@ -14,3 +14,12 @@ install-tools: @command -v protoc-gen-twirp_ruby @command -v step @command -v step-ca + +clean: + @rm -f slides.pdf + +slides.pdf: clean + @pandoc -t beamer -V fontsize=8pt -s doc/share/authz/SLIDES.md -o slides.pdf + +presentation: slides.pdf + @xdg-open slides.pdf diff --git a/doc/share/authz/SLIDES.md b/doc/share/authz/SLIDES.md new file mode 100644 index 0000000..63a58a7 --- /dev/null +++ b/doc/share/authz/SLIDES.md 
@@ -0,0 +1,202 @@ +# Authx = Authn + Authz + +* Authentication: Are you who you say you are? +* Authorization: Are you allowed to do that? + +# Authx - Examples + +1. Travel by Plane (High security context) + * Authentication: Passport + * Authorization: Boarding Pass +1. Travel by Bus (Low security context) + * Authentication: Not required + * Authorization: Bus ticket + +# Authx + +The Resource Server provides the security context and knows if the resource that +is being access requires a high or low security context. + +# Authx + +Not every resource requires a high security context. + +i.e. we don't need to make a network call to the PDP for every single authorization decision if the security context is low. + +# Authx - Challenges + +* PKI: key rotation, revocation, signing, encryption +* Uptime Guarantees +* Auditability +* Complexity +* Interoperability +* Extensibility +* Observability +* ... + +# OAuth 2.x + +OAuth is for Authorization. + +# OAuth 2.x - Protocol Flow + +```plaintext + +--------+ +---------------+ + | |--(A)- Authorization Request ->| Resource | + | | | Owner | + | |<-(B)-- Authorization Grant ---| | + | | +---------------+ + | | + | | +---------------+ + | |--(C)-- Authorization Grant -->| Authorization | + | Client | | Server | + | |<-(D)----- Access Token -------| | + | | +---------------+ + | | + | | +---------------+ + | |--(E)----- Access Token ------>| Resource | + | | | Server | + | |<-(F)--- Protected Resource ---| | + +--------+ +---------------+ +``` + +https://datatracker.ietf.org/doc/html/rfc6749#section-1.2 + +# OAuth 2.x - Protocol Endpoints + +The authorization process utilizes two authorization server endpoints (HTTP resources): + +- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection. +- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication. 
+ +https://datatracker.ietf.org/doc/html/rfc6749#section-3 + +# OAuth 2.x - Authorization Grants + +* Authorization Code: `authorization_code` +* JWT Bearer: `urn:ietf:params:oauth:grant-type:jwt-bearer` +* Refresh Token: `refresh_token` +* SAML Assertion: `urn:ietf:params:oauth:grant-type:saml2-bearer` + +# OAuth 2.x - Authorization Code Grant Protocol Flow + +```plaintext + +----------+ + | Resource | + | Owner | + | | + +----------+ + ^ + | + (B) + +----|-----+ Client Identifier +---------------+ + | -+----(A)-- & Redirection URI ---->| | + | User- | | Authorization | + | Agent -+----(B)-- User authenticates --->| Server | + | | | | + | -+----(C)-- Authorization Code ---<| | + +-|----|---+ +---------------+ + | | ^ v + (A) (C) | | + | | | | + ^ v | | + +---------+ | | + | |>---(D)-- Authorization Code ---------' | + | Client | & Redirection URI | + | | | + | |<---(E)----- Access Token -------------------' + +---------+ (w/ Optional Refresh Token) +``` + +# OAuth 2.x - Implicit Grant (not a recommendation) + +```plaintext + +--------------------+ + | Resource Owner | + +--------------------+ + ^ + (B) + +----|-----+ Client Identifier +---------------+ + | +----(A)-- & Redirection URI --->| Authorization | + | User- | | Server | + | Agent -|----(B)-- User authenticates -->| | + | |<---(C)--- Redirection URI ----<+---------------+ + | | with Access Token + | | +---------------+ + | |----(D)--- Redirection URI ---->| Web-Hosted | + | | without Fragment | Client | + | | | Resource | + | (F) |<---(E)------- Script ---------<+---------------+ + +-|--------+ + (A) (G) Access Token + ^ v + +---------+ + | Client | + +---------+ +``` + +# OAuth 2.x - Refresh Token Grant Protocol Flow + +```plaintext + +--------+ +---------------+ + | |--(A)------- Authorization Grant --------->| | + | | | | + | |<-(B)----------- Access Token -------------| | + | | & Refresh Token | | + | | | | + | | +----------+ | | + | |--(C)---- Access Token ---->| | | | + | | | | | | + | |<-(D)- 
Protected Resource --| Resource | | Authorization | + | Client | | Server | | Server | + | |--(E)---- Access Token ---->| | | | + | | | | | | + | |<-(F)- Invalid Token Error -| | | | + | | +----------+ | | + | | | | + | |--(G)----------- Refresh Token ----------->| | + | | | | + | |<-(H)----------- Access Token -------------| | + +--------+ & Optional Refresh Token +---------------+ +``` + +# OpenID Connect (OIDC) + +OIDC adds Authn to OAuth. + +# OIDC - Protocol Flow + +OIDC = Authn + OAuth + +```plaintext ++--------+ +--------+ +| | | | +| |---------(1) AuthN Request-------->| | +| | | | +| | +--------+ | | +| | | | | | +| | | End- |<--(2) AuthN & AuthZ-->| | +| | | User | | | +| RP | | | | OP | +| | +--------+ | | +| | | | +| |<--------(3) AuthN Response--------| | +| | | | +| |---------(4) UserInfo Request----->| | +| | | | +| |<--------(5) UserInfo Response-----| | +| | | | ++--------+ +--------+ +``` + +# WLIF + +* https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/ + +# Primitives + +We need: + +* PKI: Certificate Authority generate and sign intermediate certs +* OAuth 2.x Authorization Server +* OIDC Provider (OP) |
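Review bot: the `+*.pdf` line in the `.gitignore` hunk ignores every PDF anywhere in the repository, while the Makefile hunk only ever produces `slides.pdf` at the repository root; anchoring the pattern as `/slides.pdf` keeps any hand-written PDF added later under `doc/` from being silently left out of commits.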
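Review bot: in the Makefile hunk, `slides.pdf: clean` makes the PDF depend on a target that removes it rather than on its source, so make rebuilds it on every invocation and gains nothing from tracking the input; `slides.pdf: doc/share/authz/SLIDES.md` is the conventional dependency, with `clean` kept as a separate target. Neither `clean` nor `presentation` is declared in a `.PHONY` line, so a file named `clean` or `presentation` in the repository root would stop them from running. Also, `install-tools` checks `step` and `step-ca` with `command -v` but not `pandoc` or the LaTeX toolchain that `-t beamer` needs, so a missing tool only surfaces at `make slides.pdf`; a `@command -v pandoc` line in `install-tools` would catch it earlier.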
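Review bot: in the SLIDES.md hunk, "the resource that is being access requires" on the `# Authx` slide should read "being accessed". The following `# Authx` slide says the PDP network call can be skipped when the security context is low but does not say what the resource server checks locally in that case; since the later slides only describe access tokens and OIDC responses, a sentence stating what a low-context decision is based on would keep readers from inferring that "low" means no check at all. The `# WLIF` slide consists of a single Google Docs link; spelling out the acronym on the slide itself keeps the deck readable for anyone who cannot open that document.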
