Breakout session at the security zone: OAuth and OpenID Connect – also within the company?

Federation protocols such as OAuth and OpenID Connect have become increasingly popular in the context of social media platforms. What's behind it and how relevant are these protocols for the enterprise environment?

In modern web architectures in the age of Facebook & Co, it is increasingly the standard case that an application invokes REST-based web services of another organisation in order to access content and data belonging to the user of the application. A professional photo printing service that needs direct access to the user's images in cloud services such as Picasa and Instagram may serve as an example. On the one hand, the user does not want to entrust the printing application with the credentials of the cloud service. The cloud service, on the other hand, must only grant access to the images if the request was initiated and explicitly approved by the owner of the images.

OAuth 2.0: how it works

The authorization protocol OAuth 2.0 provides a solution to this problem: the cloud service operates an OAuth authorization server that issues authorization tokens and takes care of the related user authentication. In order to use the authorization server of the cloud service, an application needs to be registered with it beforehand. The application is then assigned a client ID and a client credential that have to be presented when communicating with the authorization server.


If the user attempts to access his images in the cloud, the printing application redirects him to the authorization server of the cloud service via HTTP redirect. Once authenticated, the user is shown a so-called user consent dialog, informing him which data the printing application wants to access and asking for his consent. If the user agrees, the authorization server issues an authorization code which enables the application to request an access token for accessing the service.


The intermediate step of the authorization code has the advantage that the access token is not exposed in the browser of the end user. For mobile applications or applications that are executed as a JavaScript client in the browser, the OAuth protocol offers an additional simplified protocol flow in which the intermediate step of the authorization code is omitted.


The application can then access the images and other data of the user by means of the access token. The OAuth resource server validates the token. This functionality can either be implemented directly in the called service or in an upstream security component.
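The authorization code flow described above, as an added example in Python that is not part of the original article: the three parties (authorization server, resource server, printing application) are simulated as in-process functions instead of HTTP endpoints, and the client name, secret, redirect URI, scope and image list are constructed placeholders. It shows why the code is bound to the registered redirect URI and client credential, why it is single-use, and why only the code, never the token, passes through the browser.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed client registration (placeholder names, not a real service).
CLIENTS = {"print-app": {"secret": "print-app-secret", "redirect_uri": "https://print.example/cb"}}
CODES = {}    # authorization code -> (client_id, redirect_uri, scope); each code is single-use
TOKENS = {}   # access token -> (client_id, scope, expiry)

def authorize(client_id, redirect_uri, scope, state, user_consents):
    """Authorization endpoint: after login and consent, redirect back with a code."""
    client = CLIENTS.get(client_id)
    # The redirect URI must match the registered one exactly, or the code could be sent to a third party.
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    if not user_consents:
        return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(24)
    CODES[code] = (client_id, redirect_uri, scope)
    # Only the short-lived code passes through the browser; the access token never does.
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def token(client_id, client_secret, code, redirect_uri):
    """Token endpoint: authenticate the client, then swap the code for an access token."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    entry = CODES.pop(code, None)  # pop: a replayed code must fail
    if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
        raise PermissionError("invalid, replayed or foreign authorization code")
    access_token = secrets.token_urlsafe(32)
    TOKENS[access_token] = (client_id, entry[2], time.time() + 3600)
    return access_token

def get_images(access_token):
    # Resource server: validate the token here or in an upstream security component.
    entry = TOKENS.get(access_token)
    if entry is None or entry[2] < time.time() or "images:read" not in entry[1]:
        raise PermissionError("token invalid, expired or lacking scope")
    return ["holiday.jpg", "family.jpg"]  # constructed sample data

def run_flow(user_consents=True):
    """Client (printing application): returns (code, images) or raises."""
    state = secrets.token_urlsafe(8)  # binds the redirect back to this request
    url = authorize("print-app", "https://print.example/cb", "images:read", state, user_consents)
    params = parse_qs(urlparse(url).query)
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch")
    if "error" in params:
        raise PermissionError(params["error"][0])
    code = params["code"][0]
    return code, get_images(token("print-app", "print-app-secret", code, "https://print.example/cb"))
```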

And in the enterprise environment?

[Figure: Modern manufacturing and service processes integrate suppliers and customers, mobile and smart devices]

In the context of social media platforms, OAuth, for example, is already widely used. Yet how relevant are protocols such as OAuth and OpenID Connect in the enterprise environment? In order to answer this question, one needs to visualize how value chains in the service and industrial sectors are set up today. On closer examination, it becomes immediately apparent that there are hardly any manufacturing or service processes left that are handled in complete isolation within a company. To design cross-company processes efficiently, companies therefore face the challenge of integrating the service interfaces of suppliers and customers as seamlessly as possible into their own IT landscape. In addition, there are mobile applications and "smart devices" which also need access to corporate data via web-based interfaces.

The OAuth and OpenID Connect protocols have been designed specifically for these use cases. With a security infrastructure that masters these protocols, companies can respond quickly to a changing environment and integrate the IT systems of new customers, partners and suppliers into their own processes without delay. Nowadays, this quick and secure adaptation of IT-based processes is a competitive factor for most companies that should not be underestimated.


Breakout session at the security zone

This Focus article is a slightly abbreviated version of the article in the security-zone 2014 newsletter. In the breakout session of Wednesday, September 17, 10:15 – 10:45 am, the author highlights the internals of OAuth and OpenID Connect. The background of the unresolved security controversy around OAuth 2.0 is also addressed – it concerns the compromise between performance (lightweight design) and security. The speaker demonstrates which function blocks are necessary in order to enable a large-scale and secure application of the protocols in the enterprise environment.