
The Security Stack for Modern Applications

Adarsh Kumar Maurya edited this page Dec 5, 2018 · 4 revisions

Overview

In this first module I want to give you a quick overview of where these technologies are actually used and how they build what I call the new security stack for modern applications.

Enterprise Security

I personally come from an enterprise security background, so I have spent a lot of my life building security features for enterprise-type applications. And quite frankly, we had the luxury of living inside this blue triangle: typically an Active Directory domain where the client machine, the user, the servers and the security infrastructure were all managed. You joined the machine to the domain, and you had a number of protocols there, like Kerberos for the authentication and authorization part, and LDAP, which kept your user directory together.

You could assign people to roles and query information about the user, and it was all very clear how these things worked. There also wasn't really a trust issue, because everything was inside that triangle. It's a kind of trusted subsystem: the client machines are provisioned by the enterprise, the servers are provisioned by the enterprise, and so are the users. There was a certain trust position: the moment people joined the enterprise they got an enterprise account, so they were provisioned, and it was very clear how things worked.

It became more of a problem once we went into scenarios like business-to-business federation. Kerberos and LDAP are protocols which work really well inside the intranet, but don't work at all across intranets.

So there were a number of newer protocols that we used to connect to outside resources, either so that our internal employees could do single sign-on to external websites, for example, or so that external processes or services could talk to our internal services. That was the whole era of the WS-* specifications like WS-Security, WS-Trust and WS-Federation, or the Security Assertion Markup Language (SAML) protocol and the SAML token type.

Obviously this was all built around XML and SOAP (Simple Object Access Protocol). And we could make these things work business to business, because in business scenarios both ends of the environment are typically tightly controlled, and with a certain amount of negotiation they could work together.

The Mobile Revolution

A completely new form factor of personal computer hit the market: the smartphone, the mobile revolution, and after that the tablets that followed. These devices were a game changer. They didn't care about the enterprise at all; they were, at first at least, consumer devices. They didn't have the enterprise stacks like SOAP, SAML and WS-*. What they had was HTTP and JSON, and they are really good at that. Also, the companies that produced them didn't have much of an enterprise background at all. And that was fine for people, as I said.

At first they were considered consumer devices, but as we all know, these consumer devices were brought into the enterprise, typically from management down to the information worker. And they changed the market.

When I talk to customers today, there is not a single customer who says, oh well, we don't care about mobile devices. Typically mobile devices are maybe not their main focus, or maybe not right now. But they certainly know that at some point there might be more mobile devices out there than desktop computers; maybe there already are. So based on the fact that we have these devices, I want to point out two very common scenarios, and that shows why they are now business critical.

Mobile Enterprise Apps

First of all, obviously, there are mobile enterprise applications. Suddenly you want to use these types of devices to connect to your enterprise services. Think of someone who wants to walk around with a mobile device and access enterprise data. Maybe during the day they are inside the domain, but then this person leaves the building, puts the mobile device in a pocket, and suddenly lives outside that magic triangle which just took care of everything for us in the past. So very typical scenarios are accessing data on the road, or querying services which live inside your enterprise.

OAuth2 for Authorization

So, what is OAuth good for?

OAuth is about authorization, or delegated authorization. The idea is that you're writing an application, and that application needs to access some sort of backend service.

                     Authorisation Server
                        ^          |
    1) Request token    |          |   2) Token is returned; the client
       for backend      |          |      forwards it to the
       consumption      |          v      backend (Web API)
                          Client  ----------------------->  Backend (Web API)

Now, the way this could work, when we think of traditional enterprise scenarios, is: you're writing the application, you pop up a logon dialog and you collect the user's password. This might work if the client, the service and the authentication all come from the same vendor, like it was in enterprise systems.

But now we are talking about a multitude of client platforms talking to a multitude of backend services, and even a multitude of authentication providers; think of things like Facebook logins and Google logins and so on. We want to modularise that a little bit more. It also means that maybe you are using a client application that wasn't written by the same company that is providing the backend services. So do you really want to give that client application your password? Or do you want something where you only type the password into the backend system, and this somehow makes it happen that the application can access it? That is OAuth2.

So OAuth2 is about requesting so-called access tokens from an authorization server, and then using those access tokens to talk to a backend service.

OpenID Connect for Authentication

OpenID Connect solves a different problem: it's about authentication. The idea is that maybe this application doesn't need to talk to a backend service.

                     Authentication Server
                        ^          |
    1) Request token    |          |   2) Token is returned; the client
       (user signs in   |          |      parses and validates it
       at the server)   |          v
                          Client

At least not in the first place. But it needs to know who the user is. So in OpenID Connect you do a round trip to a so-called authentication server, you type in the password at the authentication server, and it returns a token to the client application that allows it to validate your identity. Maybe at some later point the application uses OAuth to get another token to talk to a backend service, but those are two distinct use cases.

OpenID Connect is for authentication, and OAuth is for delegated authorisation.
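The two pictures above, as an added example that is not code from the original page or from the course it transcribes: a hypothetical authorization/authentication server mints HMAC-signed JSON tokens; for the OAuth2 picture the client forwards the access token to a backend Web API, which validates signature, issuer, audience, expiry and scope before serving data; for the OpenID Connect picture the client itself validates the ID token (its audience is the client, and a nonce binds it to the sign-in round trip). The names ISSUER, API_AUDIENCE, CLIENT_ID and the signing key are constructed placeholders, and the shared HMAC key stands in for the asymmetric keys a real server would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (hypothetical, not from the page).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # demo HMAC key; real servers sign with asymmetric keys
ISSUER = "https://auth.example.test"                 # the authorization / authentication server
API_AUDIENCE = "https://api.example.test"            # the backend Web API
CLIENT_ID = "mobile-app"                             # the client application


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue a compact JSON token: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_token(token: str, expected_iss: str, expected_aud: str,
                 key: bytes = SIGNING_KEY, now=None) -> dict:
    """Parse and validate a token: signature, issuer, audience and expiry. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":             # the verifier fixes the algorithm, the token does not pick it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("wrong audience")       # keeps ID tokens out of the API and access tokens out of the client
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


# --- OAuth2 picture: the token is addressed to the backend Web API ---------------------

def issue_access_token(client_id: str, user: str, scope: str, now: float) -> str:
    """Step 1: the authorization server issues an access token for backend consumption."""
    return mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "sub": user,
                       "client_id": client_id, "scope": scope, "exp": now + 300})


def backend_api_handle(authorization_header: str, now: float):
    """Step 2: the Web API receives 'Authorization: Bearer <token>' and validates it before serving data."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(authorization_header[len("Bearer "):], ISSUER, API_AUDIENCE, now=now)
    except ValueError as err:
        return 401, str(err)
    if "read:data" not in claims.get("scope", "").split():
        return 403, "insufficient scope"
    return 200, f"enterprise data for {claims['sub']}"


# --- OpenID Connect picture: the token is addressed to the client itself ---------------

def issue_id_token(client_id: str, user: str, nonce: str, now: float) -> str:
    """Step 1: after the user signs in at the authentication server, it returns an ID token to the client."""
    return mint_token({"iss": ISSUER, "aud": client_id, "sub": user, "nonce": nonce, "exp": now + 300})


def client_validate_id_token(id_token: str, sent_nonce: str, now: float) -> str:
    """Step 2: the client parses and validates the ID token and learns who the user is."""
    claims = verify_token(id_token, ISSUER, CLIENT_ID, now=now)
    if claims.get("nonce") != sent_nonce:        # binds the token to this sign-in round trip
        raise ValueError("nonce mismatch")
    return claims["sub"]


if __name__ == "__main__":
    now = time.time()
    access = issue_access_token(CLIENT_ID, "alice", "read:data", now)
    print(backend_api_handle("Bearer " + access, now))          # (200, 'enterprise data for alice')
    id_tok = issue_id_token(CLIENT_ID, "alice", "nonce-123", now)
    print(client_validate_id_token(id_tok, "nonce-123", now))   # alice
    print(backend_api_handle("Bearer " + id_tok, now))          # (401, 'wrong audience')
```

The last line of the demo is the point of the two separate pictures: an ID token proves to the client who signed in, but the API refuses it because its audience is the client, not the API; only the access token, carrying the right audience and scope, gets data back.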

Summary

You've seen that the security landscape is changing, and a big part of that is the fact that people are using more and more mobile devices these days, which don't have support for the old-school, heavy protocols like SAML and WS-Security.

Also, as I said in the beginning, we could use these older protocols very well for business to business, but for business to customer they are not really an option. So what it all boils down to is that, once we realize that, and once we know that these mobile devices are really good at doing HTTP and JSON and all these things, we need new common-denominator technologies that work really well with what these devices have to offer.

HTML5 is a good example. People use more and more HTML5, JavaScript and CSS as the technology to write client applications. Why? Because they work on almost any platform without code changes. And the same happened to the authentication and authorisation story.

We're now using protocols and techniques that work well both on desktop and laptop devices and on the small form factors like smartphones and tablets. These are basically OAuth for authorization, OpenID Connect for authentication, and JSON tokens (JSON Web Tokens) as the format that we send back and forth.
