Cloud Native Security Con NA 2023 - OIDC.pdf (34-page slide deck, text extracted from the slides)
Whooooooo Are You? I Really Want to Know the Magic Behind OIDC
Eddie Zaneski (eddiezane)

Hi, I'm Eddie!
- Staff DevRel + OSS Engineer, chainguard_dev (eddiezane)
- Denver, CO
- Climb big mountains
- Maintainer for the Kubernetes and Sigstore projects

Disclaimer
- Not a Cryptographer or Security Engineer

Authentication (AuthN) vs Authorization (AuthZ)
- https:/

OAuth 2.0
- Designed for Authorization (not Authentication)
- Resource Provider has a resource
- Flows: Authorization code, Client credentials, Device, Implicit
- Scopes: user-read-email, okta.users.read
- https:/ Demo
- https:/ Demo

Issues With OAuth
- Developers wanted to use it for Authentication
- No standard scopes
- No standard whoami endpoint
- Long lived credentials
- Discovery? https:/

OIDC
- OpenID Connect
- Extension to OAuth 2.0
- ID token (JWT)
- UserInfo endpoint
- Standard set of scopes: openid, profile
- Well known discovery

JSON Web Token
- 3 sections: Header, Payload (claims), Signature
- Claims:
  - sub - client id
  - aud - auth server
  - iss - issuer of this token
  - iat - issued at timestamp
  - exp - expires at timestamp
- https://jwt.io
- step-cli
- Okta Demo

OIDC Discovery
- Issuer https:/
- JWKS (JSON Web Key Set) https:/
- JOSE (JSON Object Signing and Encryption)

Federation
- Trust relationship between issuer and resource provider
- No long lived credentials!
- Assume roles/identities for permissions
- Still auditable

Where?
- CI/CD: GitHub/GitLab/CircleCI, Jenkins plugin
- Cloud resources
- Kubernetes
- Sigstore signing
- https:/ Demo
- Kubernetes Demo

OIDC Wave 2
- Standalone token issuer detached from OAuth
- GitHub Actions
- Machine Identity
- Who do you want signing releases?

Trust But Verify
- Anyone can mint a token
- Claims matter: iss, sub, aud
- What happens if a service were to issue whatever?
- https://justtrustme.dev
- AWS + GCP Demo

Protection
- Verify token and claims
- Pass audience alongside token

https:/ else?
- Dex
- Portal to other apps
- Used with Sigstore
- SPIFFE/SPIRE

Questions?
eddiezane
Thanks!
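The "Trust But Verify" and "Protection" slides reduce to one rule for a relying party: accept an ID token only after checking its signature against the issuer's key and then the iss, aud and exp claims, because any service can mint a syntactically valid JWT with whatever claims it likes. The Python below is an added example, not code from the talk; it uses a constructed HS256 shared key in place of the issuer's JWKS so it runs offline, and TRUSTED_ISSUER, OUR_AUDIENCE and the sample claims are assumed values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the talk). A shared HMAC key stands in for the
# issuer's signing key; real OIDC issuers use RS256/ES256 keys fetched from the
# jwks_uri in .well-known/openid-configuration, but the claim checks are the same.
TRUSTED_ISSUER = "https://issuer.example"       # the issuer we federate with
OUR_AUDIENCE = "my-resource-provider"           # the aud value that names us
ISSUER_KEY = b"demo-shared-secret"              # the issuer's key, as we know it

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, key):
    """Any service can mint header.payload.signature with whatever claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, key, issuer=TRUSTED_ISSUER, audience=OUR_AUDIENCE, now=None):
    """Return the claims if the token is trustworthy, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except Exception as e:
        raise ValueError(f"malformed token: {e}")
    if header.get("alg") != "HS256":                 # pin alg; the token never picks it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")            # not signed by the issuer's key
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")         # iss: only the issuer we trust
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("wrong audience")           # aud: token must be meant for us
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")   # exp: short-lived by design
    return claims

def rejection(token, key, now, issuer=TRUSTED_ISSUER, audience=OUR_AUDIENCE):
    # Reason string instead of an exception, for callers that only want a verdict.
    try:
        verify_id_token(token, key, issuer, audience, now)
        return None
    except ValueError as e:
        return str(e)
```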