Oauth2.0 and OpenID Connect with F5 APM - Part 1

Captions
Hi, thanks for watching this video. In 15 minutes I'm going to try to explain what OAuth 2.0 and OpenID Connect are, what the link is between both, and just the minimum to know to start using OAuth 2.0 and OpenID Connect with an F5 solution. The goal of the video is not to demonstrate how to implement OAuth and OpenID Connect with APM, but to know the basics on how to use it.

So first of all, have a look at what OAuth is, what OpenID Connect is, and the link between both. As you can see it's pretty simple: OAuth 2.0 is used for authorization, and on top of OAuth 2.0 we have OpenID Connect for authentication, or identification. So OpenID Connect is just there to know who you are. When you connect to an application, a mobile application or a web application, and you see in the top right corner "Welcome Matthieu", this is OpenID Connect. OK, so the authorization server, I'm going to show you what it is, but an authorization server is someone who knows you and provides to the mobile application your first name, your last name, your profile, and sometimes, if you connect with Facebook or Google, you can see your profile picture or avatar. This is OpenID Connect. OK, so OpenID Connect is just there to get information regarding your identity, for identification; whereas for the access, to grant access, it's OAuth 2.0, for authorization. So OpenID Connect is on top of OAuth 2.0; the name of the token is the ID token, I'm going to show you, id_token. It just provides information regarding yourself, and that's it.

So let's take an example with Batman. Batman is known as the resource owner; Batman owns something, for instance a mailbox, contacts. There is a client; the client in the example would be a browser connecting to Evernote, and on Evernote there is an icon "please connect with Google" or "please connect with Facebook". This is OAuth. OK, so Batman wants to connect with his Google account. For that, Evernote can retrieve and be granted access from Google and get information like profile picture, profile and contacts, because he wants to share Evernote notes and notebooks with his contacts. OK, so when Batman clicks on "connect with Google", Evernote redirects Batman to the Google authorization server, accounts.google.com, you can try. So Batman arrives on the Google authorization server and Batman authenticates. As you can see in the request, and I will show you later on, there is information regarding the way to connect and the way to come back to Evernote. OK, so you can see the response_type is code; it's very important. With the authorization code flow we exchange a code for a token. OK, let's have a look. So Batman authenticates with username, password, MFA, we don't care, and then Batman has to consent. OK, so Batman consents to accept Evernote getting information from his email address, his basic profile information, and managing the contacts. "Manage" means download, delete, we don't know, but it's "manage the contacts". When Batman approves, OK, there is a redirect, right? So Batman is redirected to Evernote with an authorization code. It's not a token, it's just an authorization code, to the back-end application. OK, so this code can be seen by the browser, but Evernote will use this authorization code to request an access token and an ID token. OK, so the ID token is just a way to see Batman on the welcome page, OK, so "Hello Batman". Evernote has the access token; the access token is an OAuth token, so this one will be used to request information, for instance the contacts, OK, by Evernote, the back-end application. So that's why there are two kinds of lines: as you can see, some arrows are full lines, some are dotted lines. The full lines are the front end and can be caught by the browser; the dotted lines are back end, OK, so it's only between the back-end application and the authorization server or resource server. OK, so as you can see here the back-end Evernote application is requesting access to contacts.google.com with the access token. OK, so it's pretty simple to understand.

So now let's continue, let's have a look at how it works exactly. So the setup is pretty simple; we don't talk about F5 right now, OK. So I want you to understand, to walk through, exactly how it works. So on the right I have two authorization servers: I will start with one, Google, and I'm going to use a second one, Microsoft Azure AD. The first one, for Google, is pretty simple. So on the left I have a client. OK, so the idea is to simulate an OpenID Connect and OAuth workflow, so the OpenID Connect debugger is very useful for that. So first of all, on Google APIs, I created a new client; I created it as "Test OIDC Postman", why, because we're going to use Postman as well. I don't have to do a lot of things, just create a new application; this is a name, OK, [unclear] Google, and I got a client ID and a client secret. Never share the client secret, OK. And I have to specify the redirect URI, OK, so it's just a way to identify the application requesting an authorization code. So here it would be OpenID Connect debugger, my website, or Postman. OK, I have Postman here; we're going to use it just after. So now on OpenID Connect debugger, let's try to simulate the client. The client requests the tokens, the resource server validates the tokens, OK, it makes sense. If I come back to my slide, it's important to understand this one: the client requests tokens (authorization code), then the resource server here validates the tokens. OK, so so far we will simulate a website that needs tokens to communicate with contacts.google.com, for instance. So, authorize URI: in Azure AD it's very easy to find this information; in Google it's more difficult, you have to read the doc, read the manual. So if you go to the Google Identity Platform you find the OAuth protocol, and inside the documentation you will find the authorize URI. The authorize URI is the URI used to request a token; my grant flow is authorization code, sorry, so I will request a code. So this is the way: most of the time the URI finishes with /oauth or /authorize; we can search in the page.

OK, so I will open OpenID Connect debugger to make a call to google.com/bla bla bla/auth to request a code. OK, so I need a client ID; my client ID is here, copy. And then there is a concept of scope; for the redirect URI, sorry, as you can see it matches; if I make a mistake my request will be denied. OK, the scope is the way to retrieve information from Google. The access token doesn't have any information regarding myself, OK, so I need to make, and I will show you, I make a call to Google afterward: please tell me who this is. And the scope is profile; in the Google documentation you can go to API scopes and you can see all the scopes: profile, email, surname and so on. OK, so now I think I'm good and I need to select my grant flow. I told you, the first one is the authorization code flow; this is the most secure grant flow because the client never sees the access token, it just sees an authorization code, which is useless. If I request a token, this is implicit, the second one. So let's go with the code. So I call this URI, I just provide my client ID, I provide the scope, and I send a request. I select my account, this is my login and consent; I log in and I consent, but I don't get any consent here, and I got an authorization code. OK, if you remember my slide, now I have a code here, OK, on the client side, and I need to exchange this code for an access token and an ID token. So this has to be done by the back-end side. OK, so to simulate this back end I use Postman, OK, because with OpenID Connect debugger there is no back-end simulation. So now I'm here and what I need to do first is to find the URI from Google to request these tokens; most of the time it's /token. OK, so you can read the documentation, it's pretty simple, and here we're going to see this one, OK: "exchange authorization code for refresh and access tokens". Perfect, so it's all I need. OK, so I take this one and as you can see here I need to provide my client secret, OK, you saw it previously. So here we are, this is the URI; I need to provide a parameter [unclear] and then the body itself. So the code, OK, so let's paste the code we just got, this one, just got from OpenID Connect debugger, OK. The client ID; session state, you can see that depending on the authorization server we need it or not, and here, as you can see, there is no session state, so I don't care; grant_type: authorization code, yes, I present to you a code, please respond with an access token; the client ID, I set it there; my secret key, OK, put in variables, basically the secret key used in the Google console. And now I can send my request. OK, so now, as a back-end application, I receive an access token here, the one that I need to use, and an ID token. OK, so this one is an opaque token, it means we can't read it. OK, if I copy it, if I try to decode base64, don't expect to decode it, it's useless. OK, so if I go to jwt.io, it's a way to check if my token is opaque or JWT. There are two kinds of tokens, OK: Google provides opaque, Azure AD provides JWT. So the JWT can be decoded, the opaque cannot. So in the next video I will explain how to use or to validate both, opaque and JWT, with APM.

But today what is important is that now I have an access token; I can request Google APIs from now on with the access token; I can retrieve my contacts, I can retrieve my information. And here as you can see I have an id_token. So the ID token is the OpenID token, and this one is a JWT; the OpenID Connect token is a JWT, always. So if I paste it, as you can see, there are three parts: the header in red, the payload in purple, and the signature in blue. This token is signed, so it's very useful for APM because we can validate the token with the signature. So here as you can see I got some information regarding my account in Google. OK, so I told you the ID token is just a way to see your name in the client, for instance, or see your picture in the client. So here you can see my name is Matthieu; this is what I set in my Google profile, so this is what works. OK, it's not so complicated. [Music] Every authorization server, Google, Azure AD and the other ones, is different, so it's important to have a look at the documentation for each one. In Azure AD we can see these are the endpoints, OK, so there are v1 and v2; I'll show you the right one for Microsoft, but it's a personal URI, a tenant ID, OK. So this is my tenant and you can see my authorize and my token. So if I do the same with OpenID Connect debugger and Postman, and when I use these URIs, this is how it works. OK, see you in the next video, where I will explain how to use this access token to access the back-end application protected by APM.
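The Batman / Evernote / Google exchange described in the video, as an added example that is not code from the video, from F5 or from Google. It models both sides: an authorization server with toy /authorize and /token endpoints that hands out a single-use code, checks the client secret and redirect URI on the back channel, and returns an opaque access token plus a JWT id_token; and the client-side checks (is this token opaque or a JWT, signature, iss, aud, exp) before the name claim is trusted for the "Hello Batman" page. Everything named here is an assumption: the issuer https://accounts.example, the client "evernote", its secret and redirect URI, the PROFILES table, and HS256 for the id_token signature so the demo runs offline (Google signs id_tokens with RS256 and publishes its public keys at the jwks_uri; the claim checks are the same).

```python
"""Simulated OAuth 2.0 authorization-code flow with an OpenID Connect id_token.
Added example, not code from the video or from F5/Google. Assumptions: issuer,
client names, secrets and PROFILES are made up; the id_token is HS256-signed so
this runs offline (Google uses RS256 with keys published at its jwks_uri)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: what the authorization server knows about the resource owner.
PROFILES = {"batman": {"name": "Bruce Wayne", "email": "batman@example.com"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Toy /authorize and /token endpoints (the 'Google' side of the video)."""

    def __init__(self, issuer, clients):
        self.issuer = issuer
        self.clients = clients                        # client_id -> {"secret", "redirect_uri"}
        self.signing_key = secrets.token_bytes(32)    # HS256 key (assumption, see docstring)
        self._codes = {}                              # code -> (client_id, redirect_uri, scope, subject)
        self._access_tokens = {}                      # opaque token -> (subject, scope)

    def authorize(self, client_id, redirect_uri, scope, subject, response_type="code"):
        """Front channel: the user has logged in and consented; return a short-lived code."""
        if response_type != "code":
            raise ValueError("only the authorization code flow is modelled")
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, scope, subject)
        return code

    def token(self, grant_type, code, client_id, client_secret, redirect_uri):
        """Back channel: the client proves its secret and swaps the code for tokens."""
        client = self.clients.get(client_id)
        if grant_type != "authorization_code" or client is None:
            raise ValueError("unsupported grant or unknown client")
        if not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        entry = self._codes.pop(code, None)           # a code is single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid, reused or mismatched code")
        _, _, scope, subject = entry
        access_token = secrets.token_urlsafe(32)      # opaque: carries no claims at all
        self._access_tokens[access_token] = (subject, scope)
        response = {"access_token": access_token, "token_type": "Bearer",
                    "expires_in": 3600, "scope": scope}
        if "openid" in scope.split():                 # OIDC on top of OAuth: add the id_token
            now = int(time.time())
            response["id_token"] = self._sign_jwt({
                "iss": self.issuer, "sub": subject, "aud": client_id,
                "iat": now, "exp": now + 3600, "name": PROFILES[subject]["name"]})
        return response

    def _sign_jwt(self, claims):
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.signing_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def introspect(self, access_token):
        """What a resource server must ask for an opaque token, since it cannot read it."""
        return self._access_tokens.get(access_token)


def token_kind(token):
    """'jwt' if the token has three base64url parts with a JSON header, else 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        json.loads(b64url_decode(parts[0]))
        return "jwt"
    except ValueError:
        return "opaque"


def verify_id_token(id_token, key, issuer, client_id, now=None):
    """Check the signature, then iss / aud / exp, before trusting any payload claim."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                  # pin the expected alg; never trust the token's
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims


def run_flow():
    """Batman logs in at 'Google' from 'Evernote'; returns server, code, tokens and verified claims."""
    client = {"secret": "evernote-client-secret", "redirect_uri": "https://evernote.example/callback"}
    google = AuthorizationServer("https://accounts.example", {"evernote": client})
    code = google.authorize("evernote", client["redirect_uri"], "openid profile contacts", "batman")
    tokens = google.token("authorization_code", code, "evernote", client["secret"], client["redirect_uri"])
    claims = verify_id_token(tokens["id_token"], google.signing_key, google.issuer, "evernote")
    return google, code, tokens, claims
```

Running run_flow() and then calling token_kind() on the two tokens reproduces what the video shows in jwt.io: the access token is opaque and only introspect() can say who it belongs to, while the id_token splits into header, payload and signature and only yields its name claim after the signature and the iss/aud/exp checks pass. Replaying the same code at the token endpoint, or presenting a wrong client secret or redirect URI, is rejected.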
Info
Channel: Matthieu Dierick, F5
Views: 3,049
Rating: 5 out of 5
Id: vpYfm_YCBRA
Length: 17min 32sec (1052 seconds)
Published: Thu May 02 2019