# Authx = Authn + Authz
* Authentication: Are you who you say you are?
* Authorization: Are you allowed to do that?
# Authx - Examples
1. Travel by Plane (High security context)
* Authentication: Passport
* Authorization: Boarding Pass
2. Travel by Bus (Low security context)
* Authentication: Not required
* Authorization: Bus ticket
# Authx
The Resource Server provides the security context and knows whether the resource
being accessed requires a high or low security context.
# Authx
Not every resource requires a high security context.
That is, when the security context is low we don't need to make a network call to the PDP for every single authorization decision.
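As an added example (not from the slides), a resource server that picks the authorization path by the security context of the resource: low-context resources are decided locally from the already-verified token claims, and only high-context resources cost a round trip to the PDP. The `Resource`, `PDP` and `authorize` names, the scope strings and the subjects are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    security_context: str   # "low" or "high", set by the resource server
    required_scope: str


@dataclass
class PDP:
    """Stand-in policy decision point; counts how often it is consulted."""
    allowed: set = field(default_factory=set)   # (subject, resource) pairs
    calls: int = 0

    def decide(self, subject: str, resource: str) -> bool:
        self.calls += 1                          # models the network round trip
        return (subject, resource) in self.allowed


def authorize(claims: dict, resource: Resource, pdp: PDP) -> bool:
    """Authn already happened: `claims` are the verified token claims."""
    if resource.required_scope not in claims.get("scope", "").split():
        return False                             # cheap local check for every context
    if resource.security_context == "low":
        return True                              # no PDP call for low-context resources
    return pdp.decide(claims["sub"], resource.name)


def demo() -> dict:
    """Constructed scenario: a timetable (low) and a payroll record (high)."""
    pdp = PDP(allowed={("alice", "payroll")})
    alice = {"sub": "alice", "scope": "read:timetable read:payroll"}
    bob = {"sub": "bob", "scope": "read:payroll"}
    timetable = Resource("timetable", "low", "read:timetable")
    payroll = Resource("payroll", "high", "read:payroll")
    return {
        "timetable": authorize(alice, timetable, pdp),   # local decision
        "payroll": authorize(alice, payroll, pdp),       # PDP consulted
        "payroll_bob": authorize(bob, payroll, pdp),     # PDP consulted, denied
        "pdp_calls": pdp.calls,
    }
```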
# Authx - Challenges
* PKI: key rotation, revocation, signing, encryption
* Uptime Guarantees
* Auditability
* Complexity
* Interoperability
* Extensibility
* Observability
* ...
# OAuth 2.x
OAuth is for Authorization.
# OAuth 2.x - Protocol Flow
```plaintext
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
```
https://datatracker.ietf.org/doc/html/rfc6749#section-1.2
# OAuth 2.x - Protocol Endpoints
The authorization process utilizes two authorization server endpoints (HTTP resources):
- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
https://datatracker.ietf.org/doc/html/rfc6749#section-3
# OAuth 2.x - Authorization Grants
* Authorization Code: `authorization_code`
* JWT Bearer: `urn:ietf:params:oauth:grant-type:jwt-bearer`
* Refresh Token: `refresh_token`
* SAML Assertion: `urn:ietf:params:oauth:grant-type:saml2-bearer`
# OAuth 2.x - Authorization Code Grant Protocol Flow
```plaintext
+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
```
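The two endpoints from the previous slide and steps (A) to (E) above, as an added in-process example (not code from the slides or from RFC 6749). The toy authorization server binds each code to the client_id and the registered redirect URI and lets it be redeemed only once, which is what stops a leaked code being replayed or redeemed by another client; the client checks `state` on the way back. Class and function names, the client registration and the 60-second code lifetime are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    def __init__(self):
        self.clients = {"app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
        self.codes = {}   # code -> {client_id, redirect_uri, sub, issued}
        self.tokens = {}  # access token -> subject

    def authorize(self, query: str, sub: str) -> str:
        """(A)-(C): authorization endpoint, after the resource owner authenticated as `sub`."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients[q["client_id"]]
        if q["response_type"] != "code" or q["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("invalid_request")  # exact match against the registered URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "sub": sub, "issued": time.time()}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """(D)-(E): token endpoint; the client authenticates and redeems the code."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or time.time() - grant["issued"] > 60):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = grant["sub"]
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def run_flow(srv: AuthorizationServer) -> str:
    """Client side: build the request, check state on the redirect back, redeem the code."""
    state = secrets.token_urlsafe(16)  # tied to the user-agent session; defeats CSRF on the callback
    req = urlencode({"response_type": "code", "client_id": "app",
                     "redirect_uri": "https://app.example/cb", "state": state})
    redirect = srv.authorize(req, sub="alice")  # the user-agent would be redirected here
    cb = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if not secrets.compare_digest(cb["state"], state):
        raise ValueError("state mismatch")
    tok = srv.token("app", "s3cret", cb["code"], "https://app.example/cb")
    return tok["access_token"]
```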
# OAuth 2.x - Implicit Grant (not recommended)
```plaintext
+--------------------+
|   Resource Owner   |
+--------------------+
     ^
    (B)
+----|-----+          Client Identifier     +---------------+
|          +----(A)-- & Redirection URI --->| Authorization |
|  User-   |                                |     Server    |
|  Agent  -|----(B)-- User authenticates -->|               |
|          |<---(C)--- Redirection URI ----<+---------------+
|          |          with Access Token
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<+---------------+
+-|--------+
 (A)  (G) Access Token
  ^    v
+---------+
|  Client |
+---------+
```
# OAuth 2.x - Refresh Token Grant Protocol Flow
```plaintext
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
```
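Steps (C) to (H) above as an added in-process example (not code from the slides). The resource server answers an expired access token with an `invalid_token` error, the client redeems its refresh token once and retries the request once, and the authorization server rotates the refresh token so the old one cannot be used again. The class names, the injectable clock and the 300-second access token lifetime are assumptions.

```python
import secrets


class AuthorizationServer:
    def __init__(self, clock):
        self.clock = clock
        self.access = {}    # access token -> (subject, expiry)
        self.refresh = {}   # refresh token -> subject

    def issue(self, sub: str, lifetime: int = 300) -> dict:
        """(B) and (H): a fresh access token plus a refresh token."""
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (sub, self.clock() + lifetime)
        self.refresh[rt] = sub
        return {"access_token": at, "refresh_token": rt}

    def refresh_grant(self, rt: str) -> dict:
        """(G) -> (H): pop rotates the refresh token; the old one is dead."""
        sub = self.refresh.pop(rt, None)
        if sub is None:
            raise ValueError("invalid_grant")
        return self.issue(sub)


class ResourceServer:
    def __init__(self, auth: AuthorizationServer):
        self.auth = auth   # shares the token store for brevity; real deployments introspect or verify JWTs

    def get(self, at: str) -> tuple:
        """(C)/(E): returns (status, body)."""
        entry = self.auth.access.get(at)
        if entry is None or entry[1] <= self.auth.clock():
            return 401, {"error": "invalid_token"}   # (F)
        return 200, {"owner": entry[0]}              # (D)


class Client:
    def __init__(self, auth: AuthorizationServer, rs: ResourceServer, tokens: dict):
        self.auth, self.rs, self.tokens = auth, rs, tokens
        self.refreshes = 0

    def fetch(self) -> dict:
        status, body = self.rs.get(self.tokens["access_token"])
        if status == 401 and body.get("error") == "invalid_token":
            self.tokens = self.auth.refresh_grant(self.tokens["refresh_token"])
            self.refreshes += 1
            status, body = self.rs.get(self.tokens["access_token"])   # retry exactly once
        if status != 200:
            raise RuntimeError(body)
        return body
```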
# OpenID Connect (OIDC)
OIDC adds Authn to OAuth.
# OIDC - Protocol Flow
OIDC = Authn + OAuth
```plaintext
+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |<--(2) AuthN & AuthZ-->|        |
|        |  |  End-  |                       |        |
|   RP   |  |  User  |                       |   OP   |
|        |  |        |                       |        |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
```
https://openid.net/specs/openid-connect-core-1_0.html#Overview
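What the AuthN Response in step (3) carries that plain OAuth does not is an ID token, and the RP may only treat the user as authenticated after checking it. The added example below (not code from the slides or the OIDC spec) mints one on the OP side and runs the RP checks: signature, issuer, audience, expiry and the nonce the RP sent in step (1). HS256 with a shared key stands in for the OP's published signing key for brevity; the issuer URL, client id and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def op_issue_id_token(key: bytes, sub: str, client_id: str, nonce: str, now: int) -> str:
    """OP side of step (3): a signed ID token addressed to one RP."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://op.example", "sub": sub, "aud": client_id,
              "iat": now, "exp": now + 300, "nonce": nonce}
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def rp_validate_id_token(token: str, key: bytes, client_id: str, nonce: str, now: int) -> dict:
    """RP side: every check must pass, otherwise the user is not authenticated."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the expected algorithm, never trust the header
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != "https://op.example":
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token not for this RP")   # a token minted for another RP is worthless here
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(claims.get("nonce", ""), nonce):
        raise ValueError("nonce mismatch")          # response does not belong to this RP session
    return claims
```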
# WLIF
TODO:: Add a protocol flow diagram
* https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation#how-it-works
* https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/
# Primitives
We need:
* PKI: a Certificate Authority to generate and sign intermediate certs
* OAuth 2.x Authorization Server
* OIDC Provider (OP)