Commit c50da17
Changed files (1)
presentation.md
@@ -1,27 +1,28 @@
# Token Talk
-OAuth 2.0 - Token Exchange with mo
+### aka OAuth 2.0 - Token Exchange
+## with mo
# Agenda
* 1. Authentication vs Authorization
-* 2. Roles
-* 3. Protocol Flow
-* 4. Grant Types
-* 5. Tokens - Expiration & Refresh
-* 6. Tokens - Stateful vs Stateless
-* 7. Questions
+* 2. Tokens
+* 3. Roles
+* 4. Protocol Flow
+* 5. Grant Types
+* 6. Questions
-#
-
-Authentication vs Authorization
+# Authentication vs Authorization
* Authentication: to verify the identity of the user given the credentials received.
-* Authorization: to determine if the user should be granted access to a particular resource.
+* Authorization: to determine if the user should be granted access to a particular resource or action.
+
+
+# Authentication vs Authorization
-E.g.
+Example 1: Getting pulled over by the police.
Woop-woop! That's the sound of...
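Review bot: the new title block puts a `###` line (`aka OAuth 2.0 - Token Exchange`) above a `##` line (`with mo`), so the subtitle hierarchy reads inverted; make the "aka" line the `##` and the presenter line the `###` or a plain paragraph. The agenda renumbering itself is consistent with the slides this commit adds (Tokens now precedes Roles, and the old "Expiration & Refresh" and "Stateful vs Stateless" items are folded under Tokens).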
@@ -33,12 +34,245 @@ Woop-woop! That's the sound of...
(slightly, flawed example. i know)
-# Roles
+# Authentication vs Authorization
+
+Example 2: Riding the bus
+
+Transit pass/token authorizes you to ride the bus for 90 minutes.
+Authentication is not required.
+
+```text
+ +------------------------------+
+ | transit ticket |
+ | |
+ | |
+ | |
+ | expires: 90 minutes |
+ +------------------------------+
+```
+
+
+# Authentication vs Authorization
+
+Transferring the token to someone else, authorizes them to ride the bus for 90 minutes.
+You're not supposed to transfer your transit token but detection is difficult.
+
+```text
+ +------------------------------+
+ | transit ticket |
+ | |
+ | |
+ | |
+ | expires: 90 minutes |
+ +------------------------------+
+```
+
+
+# Tokens - Types
+
+* Access Token: Used to access a resource.
+* Refresh Token: Exchanged for a new access/refresh token.
+
+
+# Tokens - Access Token
+
+The purpose of the access token is to allow clients to access a
+protected resource scoped to the privileges defined by the token and
+scope.
+
+The `access_token` represents a subject, audience, issuer and expiration.
+
+```text
+ +------------------------------+
+ | transit ticket |
+ | |
+ | |
+ | |
+ | expires: 90 minutes |
+ +------------------------------+
+```
+
+
+# Tokens - Access Token
+
+Subject: Ticket holder
+Audience: Bus Driver
+Issuer: Calgary Transit
+Expiration: 90 minutes from when the ticket was purchased.
+
+```text
+ +------------------------------+
+ | transit ticket |
+ | |
+ | |
+ | |
+ | expires: 90 minutes |
+ +------------------------------+
+```
+
+
+# Tokens - Stateful vs Stateless
+
+Stateful: A stateful token is one where the token
+needs to be looked up in a database to honour it.
+
+Stateless: A stateless token has all the information
+encoded in the token.
+
+
+# Tokens - Stateful
+
+Example: Concert ticket
+
+When you enter a concert venue and you are asked to present your ticket.
+They will likely scan your ticket to verify that the ticket is legit.
+The scan will need to verify that the ticket is in a database.
+
+```text
+ +------------------------------+
+ | KRS-ONE |
+ | |
+ | |
+ | |
+ | |
+ | |XXXX|XXXX|XXXX|XXXX| |
+ +------------------------------+
+```
+
+
+# Tokens - Stateless
+
+Example: Calgary Transit Ticket
+
+When you board a bus in Calgary, you must show the driver the ticket.
+All the data the driver needs to admit you is in the ticket itself.
+
+```text
+ +------------------------------+
+ | transit ticket |
+ | |
+ | |
+ | |
+ | expires: 90 minutes |
+ +------------------------------+
+```
+
+
+# Tokens - JWT
+
+JSON web tokens allow us to create stateless
+tokens that encode the necessary information into the token.
+
+```text
+{header}.{body}.{signature}
+```
+
+
+# Tokens - JWT
+
+Example Token
+
+```text
+{header}.{body}.{signature}
+```
+
+```text
+eyJhbGciOiJSUzI1NiJ9. eyJleHAiOjE1NTMyMDYxNDMsImlhdCI6MTU1MzExOTc0MywiaXNzIjoiaHR0cHM6Ly9zaGlyby50ZXN0L21ldGFkYXRhIiwibmJmIjoxNTUzMTE5NzQzLCJqdGkiOiIzMGVlNGYwNi0zZTJiLTRlZjQtOTYxZS01YTFkZmQ1MzBjYTUiLCJzdWIiOiJkOThlY2MwNS1lYWI4LTQ2ODMtODI4OC0yNDkzMTJkM2Y1OTIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZW1haWwiOiJtb2toYUBjaXNjby5jb20iLCJmaXJzdF9uYW1lIjoiVHN1eW9zaGkiLCJsYXN0X25hbWUiOiJHYXJyZXR0Iiwib3JnYW5pemF0aW9uX25hbWUiOiJ2b2x0cm9uIiwicm9sZXMiOlsiYWNjb3VudF9hZG1pbiJdfQ. BrWtDArYiut47Oo76UTD2FGDMgrpFDa2wURVHCMuHb4P6lNP8-fcHqVAOl0bjEqT0RWx6w2MabWBELAWxUWpdVPR-pM_yfIlV0elIQvsFkQOItm8CJlkA-uHGEkBTiqBcOg9ia8ciPKX-sm4SZ0ufYS6kpR0udAOl1Rg0SSJMBkEmkCL4c7wDjACRdm_6M9vXlgpmr388o9wp7Dvd3ts-gRQ4T6BDHxm5F5ckEsnXEIRKstJdFWqgLKCPpyzXYRe5_QAIoB0qWKtzav8tPsKq_hHeKMSXniIY_WF9qMYk3XjxB5aHuqIWaw-zQnZyOUakCYIbgo-CWT8ta0sA0mt9g
+```
+
+
+# Tokens - JWT
+
+```json
+{
+ "alg": "RS256"
+}
+```
+```json
+{
+ "exp": 1553206143,
+ "iat": 1553119743,
+ "iss": "https://shiro.test/metadata",
+ "nbf": 1553119743,
+ "jti": "30ee4f06-3e2b-4ef4-961e-5a1dfd530ca5",
+ "sub": "d98ecc05-eab8-4683-8288-249312d3f592",
+ "token_type": "access_token",
+ "email": "mokha@cisco.com",
+ "first_name": "Tsuyoshi",
+ "last_name": "Garrett",
+ "organization_name": "voltron",
+ "roles": [
+ "account_admin"
+ ]
+}
+```
+
+
+# Tokens - Refresh Token
+
+An `access token` can expire. When an `access token` expires a
+client can exchange a `refresh token` to gain a new `access token`
+and `refresh token`.
+
+The purpose of the `refresh token` is to allow a client to get a new
+`access token` and `refresh token` pair. Once a `refresh token` is used
+it cannot be re-used.
+
+```text
+ +------------------------------+
+ | Credit Card |
+ | |
+ | XXXX-XXXX-XXXX-XXXX |
+ | |
+ | expires: 2024-01 |
+ +------------------------------+
+```
+
+
+# Tokens - Refresh Token
+
+Refresh Token Grant: This grant can be used by a client to exchange a
+`refresh token` for a new `access token` and `refresh token`.
+
+Request:
+
+```text
+POST /token HTTP/1.1
+Authorization: Basic base64(client_id:client_secret)
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
+```
+
+Response:
+
+```text
+HTTP/1.1 200 OK
+Content-Type: application/json;charset=UTF-8
+Cache-Control: no-store
+Pragma: no-cache
+
+{
+ "access_token":"2YotnFZFEjr1zCsicMWpAA",
+ "token_type":"bearer",
+ "expires_in":3600,
+ "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
+}
+```
+
+
+# Tokens - Expiration & Refresh
+
+To understand when to request a new access and refresh token we need
+to talk about OAuth 2.0.
-* RO - Resource Owner: The HUMAN!
-* RS - Resource Server: The Api
-* AS - Authorization Server: The OAuth 2.0 server.
-* C - Client: Your service, web app, SPA, mobile app.
+
+# Roles - OAuth 2.0
+
+* Resource Owner: The HUMAN!
+* Resource Server: The Api
+* Authorization Server: The OAuth 2.0 server.
+* Client: Your service, web app, SPA, mobile app.
# Protocol Flow
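Review bot: the decoded example token (the payload starting `"exp": 1553206143`) carries no `aud` claim, even though the slide just before it lists audience among the four things an access token represents and maps it to the bus driver; add an `aud` naming the resource server and say on the slide that the resource server must reject tokens whose `aud` is not itself, otherwise a token minted for one API is replayable against another. The refresh-token slide states that a used refresh token cannot be re-used, yet the example response hands back the same `"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"` the request just spent; either rotate the value in the response or soften the claim, since RFC 6749 makes issuing a new refresh token optional. That response body also has a trailing comma after the `refresh_token` line and is not valid JSON. The stateless slide needs the caveat that a self-contained token cannot be revoked before `exp` without reintroducing server-side state (the conclusion slide talks about revocation), which is the argument for the short lifetimes the 90-minute transit ticket illustrates; as shown, the example token's `iat` and `exp` are 86400 s apart, a 24-hour access token, while the refresh response advertises `expires_in: 3600`, so pick one lifetime. Finally, the pasted JWT has spaces after the dots and will not verify at jwt.io as copied, and its payload contains a real-looking `email`; a placeholder would be safer in a deck.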
@@ -68,6 +302,32 @@ behalf.
```
+# Protocol Flow
+
+OAuth 2 is a delegation protocol. The `client` does not know the
+credentials of the `resource owner` but can access resources on it's
+behalf.
+
+```text
+ +--------+ +---------------+
+ | |--(A)- Authorization Request ->| |
+ | | | HUMAN |
+ | |<-(B)-- Authorization Grant ---| |
+ | | +---------------+
+ | |
+ | | +---------------+
+ | |--(C)-- Authorization Grant -->| |
+ | my app | | auth.amp.* |
+ | |<-(D)----- Access Token -------| |
+ | | +---------------+
+ | |
+ | | +---------------+
+ | |--(E)----- Access Token ------>| |
+ | | | api.amp.* |
+ | |<-(F)--- Protected Resource ---| |
+ +--------+ +---------------+
+```
+
# Protocol Flow
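Review bot: typo in the new prose, `on it's behalf` should be `on its behalf`. The diagram labels the two servers `auth.amp.*` and `api.amp.*` while the Roles slide immediately before calls them Authorization Server and Resource Server; put the role names in (or under) the boxes so the audience can map steps (C)/(D) and (E)/(F) onto the roles. Worth a word on the slide that step (E) is a bearer presentation: whoever holds the access token receives (F), which is exactly the point the transferable transit-ticket slide was making.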
@@ -95,12 +355,36 @@ behalf.
```
+# Protocol Flow - Accessing a Protected Resource
+
+`GET /api/policies/`
+
+```text
+GET /api/policies/
+Authorization: Bearer access_token
+Accept: application/json
+Content-Type: application/json
+
+
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+ { "name": "Audit" },
+ { "name": "Protect" },
+]
+```
+
+
# Grant Types
* Authorization Code: for web apps
* Implicit: for single page apps.
* Password Credentials: for trusted clients.
* Client Credentials: for service authentication.
+* Refresh: for exchanging a refresh token for an access token.
+* Extensions: saml bearer, jwt bearer
# Grant Types - Authorization Code
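Review bot: the Grant Types list recommends Implicit for single page apps; the OAuth 2.0 Security Best Current Practice deprecates the implicit grant (access tokens in the URL fragment leak through browser history, referrers and injected scripts), and the current recommendation for SPAs is authorization code with PKCE, so either mark Implicit as legacy or change the SPA row. The same caution applies to Password Credentials: it hands the resource owner's password to the client, which the Protocol Flow slide says the client should never know. Smaller: the response body ends with `{ "name": "Protect" },` followed by `]`, a trailing comma that makes it invalid JSON, and a GET with no body does not need the `Content-Type: application/json` header.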
@@ -149,7 +433,7 @@ https://www.example.com/oauth/authorize
?response_type=code
&client_id=client_id
&redirect_uri=https://www.example.org/oauth/callback
- &scope='read:scim.me write:scime.me'
+ &scope='read:scim.me write:scim.me'
```
----------------------------------------------------
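Review bot: the spelling fix is right, but `&scope='read:scim.me write:scim.me'` still quotes the value and contains a literal space; in a real authorization request the quotes become part of the scope string and the space must be percent-encoded (`scope=read%3Ascim.me%20write%3Ascim.me`, or `+` for the space), and `redirect_uri` should be encoded the same way. Since this slide invites copy-and-paste, either show the encoded form or add a line saying the parameters are shown unencoded for readability. The request also has no `state` parameter; without it the callback is open to CSRF, so add `&state=<random>` and mention that the client checks it on return.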
@@ -177,7 +461,7 @@ https://www.example.org/oauth/callback
?grant_type=authorization_code
&code=secret
&redirect_uri=https://www.example.org/oauth/callback
- &scope='read:scim.me write:scime.me'
+ &scope='read:scim.me write:scim.me'
```
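Review bot: `scope` is not a parameter of the authorization-code token request in RFC 6749 §4.1.3 (which defines `grant_type`, `code`, `redirect_uri` and `client_id`); the scope was fixed in the authorization request, so drop the line rather than only fixing its spelling. The hunk context also shows this exchange as a query string under `https://www.example.org/oauth/callback`, which is the client's redirect URI; the code exchange is a `POST` to the authorization server's token endpoint with a form-encoded body and client authentication, the same `POST /token` shape the refresh-token slide uses, and the slide should show it that way.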
@@ -240,137 +524,6 @@ Transfer-Encoding: chunked
```
-# Tokens - Types
-
-* Access Token: Used to access a resource.
-* Refresh Token: Exchanged for a new access/refresh token.
-
-
-# Tokens - Access Token
-
-The purpose of the access token is to allow clients to access a
-protected resource scoped to the privileges defined by the token and
-scope.
-
-The `access_token` represents a subject (mo), and audience (mobile
-application) an issuer (OAuth authorization server) and an expiration.
-
-```text
- +------------------------------+
- | transit ticket |
- | |
- | |
- | |
- | expires: 90 minutes |
- +------------------------------+
-```
-
-
-# Tokens - Access Token
-
-`GET /api/body_weight/`: returns the resource owners body weight over time.
-
-Request:
-
-```text
-GET /api/body_weight/
-Authorization: Bearer access_token
-Accept: application/json
-Content-Type: application/json
-```
-
-Response:
-
-```text
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-[
- {
- "body_weight": "200",
- "unit": "lbs",
- "created_at": "2015-01-01T00:00:00+00:00"
- },
- {
- "body_weight": "210",
- "unit": "lbs",
- "created_at": "2016-01-01T00:00:00+00:00"
- },
- {
- "body_weight": "220",
- "unit": "lbs",
- "created_at": "2017-01-01T00:00:00+00:00"
- },
- {
- "body_weight": "250",
- "unit": "lbs",
- "created_at": "2018-01-01T00:00:00+00:00"
- },
- {
- "body_weight": "260",
- "unit": "lbs",
- "created_at": "2019-01-01T00:00:00+00:00"
- }
-]
-```
-
-
-# Tokens - Refresh Token
-
-An `access_token` can expire. When an `access_token` expires a
-client can exchange a `refresh_token` to gain a new `access_token`
-and `refresh_token`.
-
-The purpose of the `refresh_token` is to allow a client to get a new
-`access_token` and `refresh_token` pair. Once a `refresh_token` is used
-it cannot be re-used.
-
-```text
- +------------------------------+
- | Credit Card |
- | |
- | XXXX-XXXX-XXXX-XXXX |
- | |
- | expires: 2024-01 |
- +------------------------------+
-```
-
-
-# Tokens - Refresh Token
-
-Refresh Token Grant: This endpoint is used by a client to exchange a
-`refresh_token` for a new `access_token` and `refresh_token`.
-
-Request:
-
-```text
-POST /token HTTP/1.1
-Authorization: Basic base64(client_id:client_secret)
-Content-Type: application/x-www-form-urlencoded
-
-grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
-```
-
-Response:
-
-```text
-HTTP/1.1 200 OK
-Content-Type: application/json;charset=UTF-8
-Cache-Control: no-store
-Pragma: no-cache
-
-{
- "access_token":"2YotnFZFEjr1zCsicMWpAA",
- "token_type":"bearer",
- "expires_in":3600,
- "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
-}
-```
-
-
-# Tokens - Stateful vs Stateless
-
-JWT ... yada yada yada.
# Conclusion
@@ -388,4 +541,7 @@ is revoked.
References:
+* https://auth.amp.cisco.com/doc
+* https://jwt.io/
* https://tools.ietf.org/html/rfc6749
+* https://tools.ietf.org/html/rfc7519
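Review bot: the references now cover the core framework (RFC 6749) and JWT (RFC 7519) but not bearer token usage; the deck's `Authorization: Bearer` header and the transferable transit-ticket slide both rest on bearer semantics, so add https://tools.ietf.org/html/rfc6750. If the RS256 example token stays, RFC 7515 (JWS) is the specification the signature actually follows. `https://auth.amp.cisco.com/doc` also reads as an internal endpoint; fine for an internal talk, but check it before the deck is published.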