# Authx = Authn + Authz

* Authentication: Are you who you say you are?
* Authorization: Are you allowed to do that?

# Authx - Examples

1. Travel by Plane (high security context)
   * Authentication: Passport
   * Authorization: Boarding Pass
2. Travel by Bus (low security context)
   * Authentication: Not required
   * Authorization: Bus ticket

# Authx

The Resource Server provides the security context and knows whether the resource being accessed requires a high or a low security context.

# Authx

Not every resource requires a high security context, i.e., we do not need to make a network call to the PDP (Policy Decision Point) for every single authorization decision if the security context is low.

# Authx - Challenges

* PKI: key rotation, revocation, signing, encryption
* Uptime guarantees
* Auditability
* Complexity
* Interoperability
* Extensibility
* Observability
* ...

# OAuth 2.x

OAuth is for Authorization.

# OAuth 2.x - Protocol Flow

```plaintext
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
```

https://datatracker.ietf.org/doc/html/rfc6749#section-1.2

# OAuth 2.x - Protocol Endpoints

The authorization process utilizes two authorization server endpoints (HTTP resources):

- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.

https://datatracker.ietf.org/doc/html/rfc6749#section-3

# OAuth 2.x - Authorization Grants

* Authorization Code: `authorization_code`
* JWT Bearer: `urn:ietf:params:oauth:grant-type:jwt-bearer`
* Refresh Token: `refresh_token`
* SAML Assertion: `urn:ietf:params:oauth:grant-type:saml2-bearer`

# OAuth 2.x - Authorization Code Grant Protocol Flow

```plaintext
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
```

# OAuth 2.x - Implicit Grant (not a recommendation)

```plaintext
     +--------------------+
     |   Resource Owner   |
     +--------------------+
               ^
              (B)
     +----|-----+          Client Identifier     +---------------+
     |         +-----(A)-- & Redirection URI --->| Authorization |
     |  User-   |                                |     Server    |
     |  Agent  -|----(B)-- User authenticates -->|               |
     |          |<---(C)--- Redirection URI ----<+---------------+
     |          |          with Access Token
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<+---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |  Client |
     +---------+
```

# OAuth 2.x - Refresh Token Grant Protocol Flow

```plaintext
  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+
```

# OpenID Connect (OIDC)

OIDC adds Authn to OAuth.

# OIDC - Protocol Flow

OIDC = Authn + OAuth

```plaintext
+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
```

https://openid.net/specs/openid-connect-core-1_0.html#Overview

# WLIF (Workload Identity Federation)

TODO: Add a protocol flow diagram

* https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation#how-it-works
* https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/

# Primitives

We need:

* PKI: a Certificate Authority to generate and sign intermediate certs
* OAuth 2.x Authorization Server
* OIDC Provider (OP)
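Added example (not code from the slides, RFC 6749, or any project): a minimal in-process model of the Authorization Code Grant flow shown above, steps (A) to (E), with the authorization and token endpoints of the primitives list. The client registration, the `state` parameter, the 10-minute code lifetime and the single-use check are my assumptions of standard practice, not details on the slide; all values are constructed.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory authorization server state; one registered client (made-up values).
CLIENTS = {"demo-client": {"secret": "demo-secret", "redirect_uri": "https://app.example/cb"}}
CODES = {}   # authorization code -> {client_id, redirect_uri, issued_at}
TOKENS = {}  # access token -> {client_id, expires_at}

def authorization_endpoint(client_id, redirect_uri, state):
    """Steps (A)-(C): once the resource owner has authenticated, bind a short-lived
    code to the client_id and redirect_uri it was issued for, and redirect back."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "issued_at": time.time()}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def token_endpoint(client_id, client_secret, code, redirect_uri):
    """Steps (D)-(E): authenticate the client, then accept the code only once, only
    for the client and redirect_uri it was bound to, and only while still fresh."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    grant = CODES.pop(code, None)  # single use: a replayed code finds nothing
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri
            or time.time() - grant["issued_at"] > 600):
        raise PermissionError("invalid_grant")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "expires_at": time.time() + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def client_callback(redirect_url, expected_state):
    """Client side of step (C): refuse a response whose state does not match the
    value sent in (A) (it may belong to another session), then extract the code."""
    params = parse_qs(urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return params["code"][0]

def run_flow():
    """Drive the whole grant in-process and return the code used and the token response."""
    state = secrets.token_urlsafe(8)
    redirect_url = authorization_endpoint("demo-client", "https://app.example/cb", state)
    code = client_callback(redirect_url, state)
    return code, token_endpoint("demo-client", "demo-secret", code, "https://app.example/cb")
```

The refresh-token slide's steps (F) to (H) are the natural extension: `TOKENS` records `expires_at`, so a resource server check against it and a `refresh_token` exchange could be added on the same structures.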