Authx = Authn + Authz
- Authentication: Are you who you say you are?
- Authorization: Are you allowed to do that?
Authx - Examples
- Travel by Plane (High security context)
- Authentication: Passport
- Authorization: Boarding Pass
- Travel by Bus (Low security context)
- Authentication: Not required
- Authorization: Bus ticket
Authx
The Resource Server provides the security context and knows whether the resource being accessed requires a high or low security context.
Authx
Not every resource requires a high security context.
i.e., we don't need to make a network call to the PDP (Policy Decision Point) for every single authorization decision when the security context is low.
Authx - Challenges
- PKI: key rotation, revocation, signing, encryption
- Uptime Guarantees
- Auditability
- Complexity
- Interoperability
- Extensibility
- Observability
- …
OAuth 2.x
OAuth is for Authorization.
OAuth 2.x - Protocol Flow
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
https://datatracker.ietf.org/doc/html/rfc6749#section-1.2
OAuth 2.x - Protocol Endpoints
The authorization process utilizes two authorization server endpoints (HTTP resources):
- Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
- Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
https://datatracker.ietf.org/doc/html/rfc6749#section-3
OAuth 2.x - Authorization Grants
- Authorization Code: authorization_code
- JWT Bearer: urn:ietf:params:oauth:grant-type:jwt-bearer
- Refresh Token: refresh_token
- SAML Assertion: urn:ietf:params:oauth:grant-type:saml2-bearer
OAuth 2.x - Authorization Code Grant Protocol Flow
+----------+
| Resource |
|   Owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
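The (A)-(E) exchange above as an added example, not code from the slides or from RFC 6749: a single-process Python simulation of the authorization code grant, in which `AuthorizationServer`, `run_code_flow`, the `as.example` and `app.example` URLs and all credentials are invented for illustration. It makes explicit the checks the diagram leaves implicit: the redirection URI must match the one registered for the client, the `state` echoed in (C) must match the one sent in (A), and a code is accepted once, only from the authenticated client it was issued to, and only with the same redirection URI.

```python
# Added illustration (not the slides' or RFC 6749's code); server and client
# names, URLs and credentials below are made up.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class AuthorizationServer:
    """Authorization endpoint, steps (A)-(C), and token endpoint, steps (D)-(E)."""
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri); one-time use

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, request_url, user_authenticated):
        # (A)/(B): user-agent arrives with client_id, redirect_uri and state.
        q = parse_qs(urlparse(request_url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri not registered")
        if not user_authenticated:
            raise PermissionError("resource owner did not authenticate")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        # (C): redirect to the registered URI carrying the code and the echoed state.
        return redirect_uri + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, client_id, client_secret, code, redirect_uri):
        # (D)/(E): back-channel exchange; the client authenticates itself first.
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        # pop(): a replayed code fails even when client and redirect_uri match.
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_code_flow(server, client_id, client_secret, redirect_uri, user_ok=True):
    """Client side: send (A), consume (C), perform (D), return the (E) response."""
    state = secrets.token_urlsafe(8)  # binds the (C) callback to this request
    auth_request = "https://as.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state})
    callback = server.authorize(auth_request, user_ok)
    cb = parse_qs(urlparse(callback).query)
    if cb["state"][0] != state:
        raise PermissionError("state mismatch: callback is not for this request")
    return server.token(client_id, client_secret, cb["code"][0], redirect_uri)
```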
OAuth 2.x - Implicit Grant (not recommended)
+--------------------+
|   Resource Owner   |
+--------------------+
     ^
    (B)
+----|-----+          Client Identifier     +---------------+
|          +----(A)-- & Redirection URI --->| Authorization |
|  User-   |                                |     Server    |
|  Agent  -|----(B)-- User authenticates -->|               |
|          |<---(C)--- Redirection URI ----<+---------------+
|          |          with Access Token
|          |                                +---------------+
|          |----(D)--- Redirection URI ---->|   Web-Hosted  |
|          |          without Fragment      |     Client    |
|          |                                |    Resource   |
|     (F)  |<---(E)------- Script ---------<+---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|  Client |
+---------+
OAuth 2.x - Refresh Token Grant Protocol Flow
+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+
OpenID Connect (OIDC)
OIDC adds Authn to OAuth.
OIDC - Protocol Flow
OIDC = Authn + OAuth
+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
https://openid.net/specs/openid-connect-core-1_0.html#Overview
WLIF (Workload Identity Federation)
TODO: Add a protocol flow diagram
- https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation#how-it-works
- https://docs.google.com/document/d/1XyuQXuUJE0kGC2jqy_vaLPGxAFjzMvJWOS74QoP7UA8/
Primitives
We need:
- PKI: a Certificate Authority to generate and sign intermediate certs
- OAuth 2.x Authorization Server
- OIDC Provider (OP)