OIDC OpenID Connect - Lightwave

 

OAuth 2.0 / OpenID Connect in Lightwave


  1. Introduction

Lightwave OIDC serves two main purposes.

1. Security Token Service (STS) in the sense that it issues security tokens in the form of JWT tokens (similar to WS-TRUST which issues SAML 2.0 Assertions)

2. single signon (SSO) / single logout (SLO) service for web-based applications (similar to SAML 2.0 Authentication Request and Single Logout protocols aka websso)

 

Implementation (Open source)

  https://github.com/vmware/lightwave/tree/dev/vmidentity/openidconnect

 

  1. Roles

User (Resource Owner)

User agent (browser)

Client (aka Relying Party / RP) e.g: lightwaveui

Authz Server (aka OpenID Provider / OP)

Resource Server (server that wants to implement authz for its API's) e.g: admin server

  1. JWT tokens

OAuth 2.0 defines an access_token and a refresh_token but does not specify their format. We are using JWT as the format.

OpenID Connect additionaly defines an id_token and specifies its format as a JWT.

Lightwave OIDC issues id_tokens, access_tokens, and refresh_tokens. All will be signed using the tenant's private key.

  1. id_token

Represents the authentication of an end user at the Authz Server. The Client will validate this token and read its claims to sign in the end user.

example id_token JSON body:


{

  "sub": "administrator@lw-testdom.com",

  "iss": "https://photon-63mciz57.lw-testdom.com/openidconnect/LW-TESTDOM.COM",

  "groups": [

    "LW-TESTDOM.COM\\Users",

    "LW-TESTDOM.COM\\Administrators",

    "LW-TESTDOM.COM\\CAAdmins",

    "LW-TESTDOM.COM\\Everyone"

  ],

  "token_class": "id_token",

  "token_type": "Bearer",

  "given_name": "Administrator",

  "aud": "administrator@lw-testdom.com",

  "scope": "at_groups rs_admin_server openid offline_access id_groups",

  "exp": 1501698283,

  "iat": 1501694683,

  "family_name": "LW-TESTDOM.COM",

  "jti": "rbdevuzSlBfwgSvQJdgtviOeVUmidOHcDZw79iy6ouQ",

  "tenant": "LW-TESTDOM.COM"

}

  1. access_token

The Client will use this in its protected resource requests against the Resource Server.

The Resource Server, on receiving the access_token from the Client, will validate the token and make an API authz decision based on the user's group membership in the groups claim.

example access_token JSON body:

{

  "sub": "administrator@lw-testdom.com",

  "aud": [

    "administrator@lw-testdom.com",

    "rs_admin_server"

  ],

  "scope": "at_groups rs_admin_server openid offline_access id_groups",

  "iss": "https://photon-63mciz57.lw-testdom.com/openidconnect/LW-TESTDOM.COM",

  "groups": [

    "LW-TESTDOM.COM\\Users",

    "LW-TESTDOM.COM\\Administrators",

    "LW-TESTDOM.COM\\CAAdmins",

    "LW-TESTDOM.COM\\Everyone"

  ],

  "token_class": "access_token",

  "token_type": "Bearer",

  "exp": 1501698283,

  "iat": 1501694683,

  "jti": "0lXE9y17uMevd0gBaIhRZ1ZqoYb7P64EuY7Bh7qyPXY",

  "tenant": "LW-TESTDOM.COM",

  "admin_server_role": "Administrator"

}

  1. refresh_token

The Client uses this token to get a new access_token (and id_token) when the original access_token expires (as reported by a Resource Server).

example refresh_token JSON body:


{

  "sub": "administrator@lw-testdom.com",

  "aud": "administrator@lw-testdom.com",

  "scope": "at_groups rs_admin_server openid offline_access id_groups",

  "iss": "https://photon-63mciz57.lw-testdom.com/openidconnect/LW-TESTDOM.COM",

  "token_class": "refresh_token",

  "token_type": "Bearer",

  "exp": 1501723483,

  "iat": 1501694683,

  "jti": "tKtIlifxWfgt8YpDZ0mwq8uF2xYxANlDnucHIOn7IAI",

  "tenant": "LW-TESTDOM.COM"

}


  1. Supported Flows

    1. Authz Code Flow

sequence diagram:

sample request/response:


Authn Request

    GET /authorize?

        response_type=code&

        client_id=_client_id_xyz_&

        redirect_uri=https://client.example.com/cb&

        state=_state_xyz_&

        nonce=_nonce_xyz_&

        scope=openid offline_access HTTP/1.1

    Host: server.example.com


Authn Response

    HTTP/1.1 302 Found

    Location: https://client.example.com/cb?

        code=_authz_code_xyz_&

        state=_state_xyz_


Token Request

    POST /token HTTP/1.1

    Host: server.example.com

    Content-Type: application/x-www-form-urlencoded


    grant_type=authorization_code&

    code=_authz_code_xyz_&

    redirect_uri=https://client.example.com/cb&

    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&

    client_assertion=<private_key_jwt>


Token Response

    HTTP/1.1 200 OK

    Content-Type: application/json;charset=UTF-8

    Cache-Control: no-store

    Pragma: no-cache


    {

        "access_token":"<access_token>",

        "token_type":"Bearer",

        "expires_in":3600,

        "id_token":"<id_token>",

        "refresh_token":"_refresh_token_xyz_"

    }

  1. Implicit Flow

  1. sequence diagram:

  3. sample request/response:

    1. Authn Request

    2.     GET /authorize?

    3.         response_type=id_token&

    4.         client_id=_client_id_xyz_&

    5.         redirect_uri=https://client.example.com/cb&

    6.         state=_state_xyz_&

    7.         nonce=_nonce_xyz_&

    8.         scope=openid HTTP/1.1

    9.     Host: server.example.com


    11. Authn Response

    12.     HTTP/1.1 302 Found

    13.     Location: http://example.com/cb#

    14.         state=_state_xyz_&

    15.         id_token=<id_token>

    16. Password Flow

  4. sequence diagram:

  6. sample request/response:


    2. Token Request

    3.     POST /token HTTP/1.1

    4.     Host: server.example.com

    5.     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

    6.     Content-Type: application/x-www-form-urlencoded


    8.     grant_type=password&

    9.     username=_username_xyz_&

    10.     password=_password_xyz_&

    11.     scope=openid offline_access


    13. Token Response

    14.     HTTP/1.1 200 OK

    15.     Content-Type: application/json;charset=UTF-8

    16.     Cache-Control: no-store

    17.     Pragma: no-cache


    19.     {

    20.         "access_token":"<access_token>",

    21.         "token_type":"Bearer",

    22.         "expires_in":3600,

    23.         "id_token":"<id_token>",

    24.         "refresh_token":"_refresh_token_xyz_"

    25.     }

    26. Refresh Token Flow

  7. sequence diagram:

  9. sample request/response:


    2. Token Request

    3.     POST /token HTTP/1.1

    4.     Host: server.example.com

    5.     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

    6.     Content-Type: application/x-www-form-urlencoded


    8.     grant_type=refresh_token&

    9.     refresh_token=_refresh_token_xyz_&

    10.     client_id=_client_id_xyz_


    12. Token Response

    13.     HTTP/1.1 200 OK

    14.     Content-Type: application/json;charset=UTF-8

    15.     Cache-Control: no-store

    16.     Pragma: no-cache


    18.     {

    19.         "access_token":"<access_token>",

    20.         "token_type":"Bearer",

    21.         "expires_in":3600,

    22.         "id_token":"<id_token>"

    23.     }


  1. Metadata endpoint


Spec link: http://openid.net/specs/openid-connect-discovery-1_0.html


OIDC Metadata endpoint publishes a JSON format document that includes server metadata such as server endpoints and server supported capability configurations. Client can use these data to help construct requests used in OIDC workflows.


Metadata endpoint format:


https://[OIDC Server URL]/{tenant}/.well-known/openid-configuration


Request to the metadata endpoint should use HTTP verb: GET. A sample request is listed below:


GET [OIDC Server URL]/{tenant}/.well-known/openid-configuration HTTP/1.1

Host: example.com


A successful response will return HTTP status code 200 (OK), and a JSON object using the application/json content type. The details for claim definitions can be found in the spec above. A sample response is listed below:


HTTP/1.1 200 OK

Content-Type: application/json

{  

   "response_types_supported":[  

      "code",

      "id_token",

      "token id_token"

   ],

   "jwks_uri":"https:\/\/photon-63mciz57.lw-testdom.com\/openidconnect\/jwks\/LW-TESTDOM.COM",

   "end_session_endpoint":"https:\/\/photon-63mciz57.lw-testdom.com\/openidconnect\/logout\/LW-TESTDOM.COM",

   "subject_types_supported":[  

      "public"

   ],

   "id_token_signing_alg_values_supported":[  

      "RS256"

   ],

   "issuer":"https:\/\/photon-63mciz57.lw-testdom.com\/openidconnect\/LW-TESTDOM.COM",

   "authorization_endpoint":"https:\/\/photon-63mciz57.lw-testdom.com\/openidconnect\/oidc\/authorize\/LW-TESTDOM.COM",

   "token_endpoint":"https:\/\/photon-63mciz57.lw-testdom.com\/openidconnect\/token\/LW-TESTDOM.COM"

}


An error response will return HTTP status code 404 (Not Found) or 500 (Internal Server Error).


  1. JWKS endpoint

OIDC server also provides a JWK set endpoint to publish OIDC server public RSA keys in the format of JSON Web Key (JWK) set. The spec for JWK can be found in the link: https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41.


Relying parties and resource servers need to retrieve this public key so they can verify token signature signed by the OIDC server.


JWK set endpoint format:


https://[OIDC Server URL]/jwks/{tenant}


Request to the JWK set endpoint should use HTTP verb: GET. A sample request is listed below:


GET [OIDC Server URL]/jwks HTTP/1.1

Host: example.com


A successful response will return HTTP status code 200 (OK), and a JSON object using the application/json content type. A sample response is listed below:


HTTP/1.1 200 OK

Content-Type: application/json

{

 "keys":

 [

  {

   "e": "AQAB",

   "n": "......",

   ...... 

  }

 ]

}


An error response will return HTTP status code 404 (Not Found) or 500 (Internal Server Error).

  1. Holder Of Key tokens

Solution Users or Clients that have a backing Solution User can request HOK tokens. The token request will include a proof of possession of the private key in the form of a solution_user_assertion or client_assertion which are JWT's signed using the private key.

OIDC server will use the Solution User's registered certificate to validate the signature of the JWT.

The issued access_token will contain an "hotk" claim that is a JWK Set containing the Solution User's public key.

The Client will then send signed requests to Resource Servers that support HoK access_tokens.

The Resource Server will validate the signature of the request using the public key in the access_token's "hotk" claim.


  1. Act As tokens

ActAs tokens are HOK tokens whose subject is a Person User. A token request that includes PersonUser and SolutionUser credentials at the same time will result in ActAs tokens.

There are many forms  of Person User credentials, for example username/password or authorization code.

Solution User credentials will be in the form of solution_user_assertion or client_assertion which are both JWT's signed using the Solution User's private key.

The most common form of acquiring ActAs tokens is the Authorization Code Flow. The authorization code represents Person User credentials (the user who logged) and the token request is required to have a client_assertion which represents a registered OIDC client with a backing Solution User. 

  1. Login

When a user is redirected to the Authz Server, if the Authz Server does not receive a session cookie, it will serve a login form.

The user can then login using username/password (or RSA SecurID, Kerberos, Smart Card, if enabled).

Single Sign On

SSO is achieved by the use of cookies.

When a user logs in to the Authz Server (after being redirected to it by a Client), a session cookie is returned " oidc_session_id-<tenant>=<session_id>".

When the user attempts to login to another Client, the other Client will redirect the user to the same Authz Server, the browser will then include the Authz Server session cookie which will allow the Authz Server to login the same user without prompting for credentials.

  1. Logout

  2. Implemented according to OpenID Connect Session Management 1.0 - draft 23 Section 5. "RP-Initiated Logout"

  3. sequence diagram:

  5. sample request/response:


    2. Logout Request

    3.     GET /logout?

    4.         id_token_hint=<id_token>&

    5.         post_logout_redirect_uri=https://client.example.com/cb&

    6.         state=_state_xyz_

    7.     Host: server.example.com

    8.     Cookie:oidc_session_id-vsphere.local=<session_id>


    10. Logout Response

    11.     HTTP/1.1 302 Found

    12.     Location: https://client.example.com/cb?

    13.         state=_state_xyz_

    14.     Set-Cookie:oidc_session_id-vsphere.local=""

Single Log Out

  1. Implemented according to OpenID Connect HTTP-Based Logout 1.0 - draft 00

  2. When Authz Server receives a logout request, it returns an html page with iframe tags whose source is the logout_uri of all the Clients the user has logged into.

  3. The browser will make HTTP GET requests and include session cookies which will allow the Client to logout the user.


Implementation

Server State

The following classes keep track of server state using LinkedHashMaps (wrapped by oidc.server.SlidingWindowMap):


class

purpose

map key

map value

SessionManager

HTTP session cookie maps to a user logged in to a number of Clients

SessionID


PesonUser, LoginMethod, Set<ClientID>, Set<ClientInfo>

AuthorizationCodeManager

state for issued authz codes

AuthorizationCode

PersonUser, SessionID, original AuthenticaitonRequest


Request Processing

Every endpoint has a Controller which is the first point of processing:


MetadataController

JWKSController

AuthenticationController

TokenController

LogoutController


Metdata and jwks requests are simple GET requests and will be handled directly by their corresponding Controller whereas the rest will be handled by RequestProcessor's:


AuthenticationRequestProcessor

TokenRequestProcessor

LogoutRequestProcessor


These will encapsulate requests and responses:


AuthenticationRequest

AuthenticationResponse

AuthenticationSuccessResponse

AuthenticationErrorResponse


TokenRequest

TokenResponse

TokenSuccessResponse

TokenErrorResponse


LogoutRequest

LogoutResponse

LogoutSuccessResponse

LogoutErrorResponse


Code Organization

Code is organized into 5 components that build into separate jars


component

role

dependencies

server

request processing, state management

common, protocol

client

client library

common, protocol

protocol

request and response encapsulation, token definition

common

common

public types and enums


sample

sample Client/Relying Party, builds into a war file

common, client


Data Sheet

Endpoints

endpoint

supported?

usage

authorization_endpoint

interactive user login

token_endpoint

obtain id_token,access_token,refresh_token

userinfo_endpoint


obtain user profile information

jwks_uri

obtain public key corresponding to the private signing key (per-tenant)

discovery

OIDC Discovery

registration_endpoint


OIDC Dynamic Client Registration

end_session_endoint

logout

check_session_iframe


a way of implementing single logout


Response types

response_type

supported?

usage

code

authz code flow

id_token

implicit flow

id_token token

implicit flow

token


implicit flow (OAuth 2.0)

code id_token


hybrid flow

code id_token token


hybrid flow

code token 


hybrid flow


Grant types

grant_type

supported?

usage

authorization_code

authz code flow

implicit

implicit flow

password

password flow

refresh_token

refresh token flow

certificate

extension grant type

gss ticket

extension grant type

securid

extension grant type

perosn user certificate

extension grant type

client_credentials

client credentials flow

JWT


JWT Profile for Authz Grants

SAML 2.0


SAML 2.0 Profile for Authz Grants


Subject identifier types

subject_type

supported?

public

pairwise



Client authentication methods

token_endpoint_auth_method

supported?

client_secret_basic


client_secret_post


client_secret_jwt


private_key_jwt


JWT signature algorithms

signature algorithm

supported?

RS256

RS384


RS512


PS256


PS384


PS512



Error Codes


OAuth2 .0 error code

returned?



invalid_request

unauthorized_client

invalid_client

invalid_scope

unsupported_response_type

unsupported_grant_type

invalid_grant

access_denied

server_error

temporarily_unavailable




OpenID Connect error code




interaction_required


login_required


account_selection_required


consent_required


invalid_request_uri


invalid_request_object


request_not_supported


request_uri_not_supported


registration_not_supported






Comments

Post a Comment

Popular posts from this blog

sde-interview-ramp-up

SDE/SDET Interview questions that will ramp-up your interview preparation Note : These questions might help you ramp-up your speed in path of preparing to SDE /SDET interviews in most techie companies.   SDE - Software Development Engineer  SDET - Software Development Engineer in Test  Heap - Max Heaps and Min Heaps Conversions : Decimal ,Binary, Hex, Octal (All other possible combinations)  90 Degrees Matrix conversion Quick Sort + Applications Merge Sort + Applications Remove duplicates in a String -- In place Reverse a string - Inplace Decide if 2 strings are anagrams or not ? Binary Search Reverse SLL without using any extra nodes Maximum Sub array [Kadane Algorithm] Find an element which is repeated more than n/2 times in a given set/array. [Moores Voting algorithm] Find and element in rotated Binary sorted array Implement power function without pow() function  Verify if given linked list is circular/cyclic o...
Read more

Installing YUM on OpenSUSE

Install yum on OpenSUSE Linux Based servers How to install "yum" on OpenSUSE Linux based servers Yum is an awesome util to install various linux based binaries. However, OpenSUSE missed it. Here I mention a workaround on how to get it and start enjoying using yum. STEPS : (RPM Based installation) Step #1 Download dependent RPMs including yum Step #2 Install the RPMs #1 Download yum and all its dependencies from this link: http://download.opensuse.org/distribution/10.2/repo/oss/suse/i586/ python-urlgrabber python-sqlite rpm-python yum-metadata-parser (used option --nodeps) yum #2. Install them all using this command: -> rpm -Uvh (name of packages above) but for yum-metadata-parser use -> rpm -Uvh --nodeps yum-metadata-parser 3. Prepare yum config file a. -> cd /etc/yum.repos.d/ b. create file with .repo (ex: suse.repo) containing: [base] name=OpenSUSE_10.2 Base type=rpm-md baseurl=http://download.opensuse.org/distribution/10.2/repo/oss...
Read more

Youtkit - Java Profiler

" Yourkit " is a useful profiler for Java based applications. The "Yourkit" is not a free product but it does come with a free trial of one month or so when writing this article. Its worth to give a hands on trial with this tool : You can read more on "Yourkit" profiler itself here : https://www.yourkit.com/ As a developer, one important factor to consider while writing your code is how well your application handles stress/load, latencies, memory foot prints, CPU usage etc. The main goal of this article is to show how to use YOURKIT profiler and debug performance of applications (typically JAVA  - atleast what I have tried so far..) Lets go through some basics of Yourkit agents. There exists a "yourkit" agent on server side which we can directly attach to a running JAVA process. One thing to note its awesomeness is that there is no need to re-run/stop the JAVA process for attaching this debugging agent (aka Yourkit agent) on fly. On cli...
Read more