Authentication fundamentals: Web applications | Microsoft Entra ID

Microsoft Azure
4 Dec 2019, 06:02

Summary

TL;DR: In this video, Stuart Kwan explains the process of modern authentication for web applications. He breaks down how a client, like a browser, interacts with an identity provider for sign-in. Alice, the user, navigates to a website and is redirected to the identity provider for authentication. After signing in, a token is returned to the website, which validates the token and sets a session using a signed cookie. Kwan also covers popular protocols like SAML, OpenID Connect, and WS Federation, highlighting their differences in token encoding and bindings.

Takeaways

  • 😀 Alice starts the process by navigating to the website without being authenticated.
  • 😀 The website does not know who Alice is and redirects her to an identity provider (IdP) for authentication.
  • 😀 The identity provider (IdP) can use various methods, such as a username and password or a smart card, to authenticate Alice.
  • 😀 Once authenticated, the identity provider issues a token and sends it back to the website via Alice’s browser.
  • 😀 The website validates the token using the identity provider's public signing key.
  • 😀 After validating the token, the website considers Alice authenticated and establishes a session.
  • 😀 The website uses a cookie stored in Alice’s browser to maintain her session for subsequent requests.
  • 😀 The cookie is signed to prevent tampering, ensuring that Alice cannot alter its contents to impersonate someone else.
  • 😀 The website’s signature key (K2) is used to sign the cookie, and it’s independent of the identity provider’s signing key.
  • 😀 Common protocols used for web authentication include SAML, OpenID Connect, and WS Federation, with differences in encoding (XML vs. JSON).
  • 😀 The authentication flow and session management are standardized through these protocols to secure user interactions with websites.
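The redirect and the POST back described in the takeaways above, as an added Go example (this is not code from the video or from Microsoft): the website builds the sign-in redirect, remembers a random state value for the pending request, and accepts the token the identity provider posts back only when that state matches, so a response cannot be replayed or grafted onto a visit this site never started. The host names and client id are constructed placeholders, and the parameter names are OpenID Connect's, chosen here as an assumption because the video stays protocol-neutral at this level.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// Constructed placeholders for the two parties. The parameter names used below
// (client_id, redirect_uri, response_type, response_mode, scope, state, id_token)
// are OpenID Connect's; SAML and WS Federation carry the same information in
// their own query or XML shapes.
const (
	idpAuthorizeURL = "https://idp.example.test/authorize"
	websiteClientID = "website-client-id"
	websiteCallback = "https://www.example.test/signin-callback"
)

// pendingStates records the sign-in requests this website has started and not
// yet completed, keyed by a random state value.
var (
	mu            sync.Mutex
	pendingStates = map[string]bool{}
)

func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildSignInRedirect returns the Location header the website sends back when
// it does not recognize the visitor, plus the state it remembered for that visit.
func BuildSignInRedirect() (location, state string, err error) {
	if state, err = newState(); err != nil {
		return "", "", err
	}
	q := url.Values{}
	q.Set("client_id", websiteClientID)
	q.Set("redirect_uri", websiteCallback)
	q.Set("response_type", "id_token")
	q.Set("response_mode", "form_post") // ask the IdP to POST the token back
	q.Set("scope", "openid")
	q.Set("state", state)
	mu.Lock()
	pendingStates[state] = true
	mu.Unlock()
	return idpAuthorizeURL + "?" + q.Encode(), state, nil
}

// HandleCallback parses the form body the IdP POSTs through the browser to the
// callback URL and returns the raw token only if the state matches a sign-in
// this website started. Validating the token's signature is a separate step.
func HandleCallback(postBody string) (string, error) {
	form, err := url.ParseQuery(postBody)
	if err != nil {
		return "", err
	}
	state := form.Get("state")
	mu.Lock()
	known := pendingStates[state]
	delete(pendingStates, state) // each state is accepted once
	mu.Unlock()
	if !known {
		return "", errors.New("state unknown or already used: response is not tied to a sign-in this site started")
	}
	if tok := form.Get("id_token"); tok != "" {
		return tok, nil
	}
	return "", errors.New("no token in callback")
}

func main() {
	location, state, err := BuildSignInRedirect()
	if err != nil {
		panic(err)
	}
	fmt.Println("HTTP/1.1 302 Found\nLocation:", location)
	// The IdP, after signing Alice in, makes her browser POST this body back.
	body := url.Values{"state": {state}, "id_token": {"<signed token from IdP>"}}.Encode()
	tok, err := HandleCallback(body)
	fmt.Println("token received:", tok, "error:", err)
}
```

Running it prints the redirect the browser would follow and then shows the posted token being accepted once; a second delivery of the same body, or a body carrying a state this site never issued, is rejected. Checking the token's own signature against the identity provider's public key happens after this step.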

Q & A

  • What is modern authentication for web applications?

    -Modern authentication for web applications involves using identity providers to authenticate users. It typically involves protocols like SAML, OpenID Connect, and WS Federation, where an identity provider authenticates users and issues a token that the website can validate to allow access.

  • What is the role of the identity provider in the authentication process?

    -The identity provider is responsible for authenticating users. Once authenticated, it issues a token that is sent back to the website to confirm the user's identity. The identity provider is trusted by the website to manage authentication securely.

  • How does the website know that Alice is not authenticated initially?

    -The website knows Alice is not authenticated when it doesn't recognize her identity. The website then redirects Alice's browser to the identity provider to get her signed in.

  • What is the significance of the redirect from the website to the identity provider?

    -The redirect is the mechanism that allows the website to send an authentication request to the identity provider. Alice's browser acts as an intermediary to complete the sign-in process with the identity provider.

  • How is the authentication request passed from the website to the identity provider?

    -The authentication request is passed from the website to the identity provider through a redirect in Alice's browser. This is done via a URL that contains parameters indicating the sign-in request.

  • What happens after Alice successfully signs in with the identity provider?

    -After Alice successfully signs in, the identity provider issues a token, which is sent back to the website through Alice's browser. The token is usually sent via an HTTP POST request.

  • What role do tokens play in the authentication process?

    -Tokens are used to validate the identity of the user. The website checks the token's signature using the identity provider's public key to ensure it is authentic and valid. Once validated, the website knows Alice is authenticated.

  • How does the website maintain Alice's session after authentication?

    -Once Alice is authenticated, the website sets a cookie in her browser. This cookie is used to maintain the session, allowing Alice to remain logged in for subsequent requests without needing to authenticate again.

  • What is the purpose of the cookie in maintaining a session?

    -The cookie serves as a session identifier that is sent with every request to the website. It ensures that Alice’s browser is recognized and maintains a continuous authenticated session with the website.

  • How does the website ensure that cookies cannot be tampered with?

    -Cookies are signed using a key owned by the website. This prevents tampering by ensuring that any alteration to the cookie would render it invalid, as the website can verify the cookie’s signature using its private key.

  • What are the main protocols used in modern web authentication?

    -The main protocols used for modern web authentication are SAML, OpenID Connect, and WS Federation. These protocols manage the authentication process, handle token issuance, and use different encoding formats like XML or JSON.

  • What is the key difference between OpenID Connect and SAML/WS Federation?

    -The primary difference is in the encoding format. OpenID Connect uses JSON for its tokens and protocol, while SAML and WS Federation use XML for their tokens and protocol.
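For the two checks the Q&A above describes, validating the token with the identity provider's public key and keeping the session cookie tamper-proof with the website's own key (K1 and K2 in the takeaways), here is an added Go example; it is not code from the video or from Microsoft. It stands in Ed25519 for the identity provider's signature and HMAC-SHA256 for the cookie tag, since the video names no particular algorithm (both choices are assumptions), and the claim names iss/sub/aud/exp and the example hosts are constructed. Beyond the signature, it also checks the claims a website should refuse to trust even when the signature is good: the issuer, the audience and the expiry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is a constructed claim set: the fields the website checks before trusting it.
type Token struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// splitSigned reverses "base64url(body).base64url(signature)".
func splitSigned(s string) (body, sig []byte, err error) {
	a, b, _ := strings.Cut(s, ".")
	if body, err = b64.DecodeString(a); err == nil {
		sig, err = b64.DecodeString(b)
	}
	return body, sig, err
}

// IssueToken runs on the IdP: sign the claims with the IdP's private key (K1).
func IssueToken(idpPriv ed25519.PrivateKey, tok Token) (string, error) {
	claims, err := json.Marshal(tok)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(claims) + "." + b64.EncodeToString(ed25519.Sign(idpPriv, claims)), nil
}

// ValidateToken runs on the website: verify with the IdP's public key, then check the claims.
func ValidateToken(idpPub ed25519.PublicKey, raw, issuer, audience string, now time.Time) (string, error) {
	claims, sig, err := splitSigned(raw)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(idpPub, claims, sig) {
		return "", errors.New("signature invalid: not signed by the trusted IdP")
	}
	var tok Token
	if err := json.Unmarshal(claims, &tok); err != nil {
		return "", err
	}
	if tok.Issuer != issuer || tok.Audience != audience || now.Unix() >= tok.Expires {
		return "", errors.New("token is from another issuer, meant for another website, or expired")
	}
	return tok.Subject, nil
}

// MakeSessionCookie runs on the website once a token validated: the cookie body
// (here just the subject) is tagged with HMAC-SHA256 under the website's own key (K2).
func MakeSessionCookie(siteKey []byte, subject string) string {
	mac := hmac.New(sha256.New, siteKey)
	mac.Write([]byte(subject))
	return b64.EncodeToString([]byte(subject)) + "." + b64.EncodeToString(mac.Sum(nil))
}

// ReadSessionCookie recomputes the tag on every request; an edited body no longer matches.
func ReadSessionCookie(siteKey []byte, cookie string) (string, error) {
	body, tag, err := splitSigned(cookie)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, siteKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return "", errors.New("cookie signature invalid: contents were altered")
	}
	return string(body), nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader) // K1 (constructed)
	siteKey := []byte("constructed-website-key-K2")         // K2, never shared with the IdP
	now := time.Now()
	raw, _ := IssueToken(idpPriv, Token{"https://idp.example.test", "alice", "https://www.example.test", now.Add(time.Minute).Unix()})
	sub, err := ValidateToken(idpPub, raw, "https://idp.example.test", "https://www.example.test", now)
	fmt.Println("token subject:", sub, "error:", err)
	cookie := MakeSessionCookie(siteKey, sub)
	// Alice rewrites the cookie body to "bob" but cannot recompute the tag without K2.
	_, tag, _ := strings.Cut(cookie, ".")
	_, err = ReadSessionCookie(siteKey, b64.EncodeToString([]byte("bob"))+"."+tag)
	fmt.Println("forged cookie:", err)
}
```

The two keys are deliberately unrelated, as the takeaways say: K1 is the identity provider's key pair and the website holds only its public half, while K2 is a secret only the website knows, so a token forged under some other key, a token issued for a different website, or a cookie whose body was edited in the browser all fail before any session is granted.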


Related tags: Authentication, Web Applications, Identity Provider, Token Validation, Web Security, OpenID Connect, SAML Protocol, Web Browser, HTTP Cookies, Session Management, Tech Education