OIDC in the Cloud: Using OAuth/OIDC in AWS and Azure

What Is OpenID Connect (OIDC)? OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol, enabling clients to verify the identity of end-users based on the authentication performed by an authorization server. By providing a standardized way to authenticate users, OIDC facilitates secure access to various web services and applications. It integrates with OAuth 2.0, adding an identity layer by introducing ID tokens, which carry information about the authenticated user. OIDC simplifies user authentication processes, reducing the need for applications to handle user credentials directly, thus minimizing security risks. It supports a range of applications, including web and mobile apps, and is widely adopted across the industry due to its flexibility. This standardization ensures interoperability among different platforms and systems, promoting a more secure and user-friendly authentication ecosystem. Refer to this in-depth blog post for more background on OIDC authentication. Importance of OIDC in Cloud Environments OIDC plays a crucial role in cloud environments by enhancing the security of cloud applications and services. Given the distributed nature of cloud systems, secure and reliable identity verification is essential. OIDC provides an effective framework for authenticating users across various services, reducing the risk of unauthorized access and data breaches. This is particularly important in multi-tenant cloud environments, where resources are shared among multiple users and organizations. In addition to security, OIDC improves user experience by enabling single sign-on (SSO) capabilities. Users can access multiple services within a cloud environment using a single set of credentials, reducing the need to remember multiple passwords. This not only enhances security but also boosts productivity and user satisfaction, making OIDC a valuable component of modern cloud security strategies. OIDC in AWS What Is AWS IAM? AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources. With IAM, you can manage users and their permissions in the AWS environment. IAM allows you to create and manage AWS users and groups and use permissions to allow and deny access to AWS resources. IAM is pivotal for enforcing security policies and managing access controls in AWS. By leveraging IAM, organizations ensure that only authorized personnel can access specific resources, thereby maintaining the integrity and security of their cloud infrastructure. It also supports collaboration by defining and assigning precise access levels to different parties involved. Create an OpenID Connect identity provider in IAM To create and manage an IAM OIDC identity provider in AWS, follow these steps: Register your application with the IdP Obtain the client ID (audience) for your application from your identity provider (IdP). This is a unique identifier for your app. Open the IAM console 2. Navigate to the IAM console at AWS Management Console. Add a new provider 3. In the navigation pane, select Identity providers, then choose Add provider. Configure the provider 4. For Configure provider, choose OpenID Connect. 5. Enter the Provider URL. Ensure the URL: 1. Is case-sensitive. 2. Begins with https://. 3. Does not contain a port number. 6. Enter the Audience value, which is the client ID obtained from the IdP. Additional client IDs can be added later if needed. Add tags (optional) 7. You can add key-value pairs to help identify and organize your IdPs. Tags can also control access to AWS resources. Verify and add the provider 8. Review the information provided. Choose Add provider to proceed. 9. IAM will attempt to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider. Manage certificates and thumbprints 10. If the OIDC IdP uses a certificate not signed by a trusted CA, AWS will use thumbprints set in the IdP's configuration for secure communication. Adjustments can be made in the Endpoint verification tab within the IAM console. Assign IAM roles 11. Create one or more IAM roles for the identity provider. These roles enable federated users authenticated by your IdP to request temporary security credentials for accessing AWS resources. 12. Ensure the roles are in the same account as the identity provider and define permissions based on your organization's needs. By following these steps, you can establish a secure and reliable OIDC identity provider in AWS IAM, facilitating access to AWS resources for users authenticated through your external IdP. OIDC in Azure What Is Microsoft Identity Platform? The Microsoft Identity Platform is a cloud identity service for application developers. It enables users to sign in using their Microsoft identities or social accounts, and grants access to APIs, including Microsoft's own APIs like Microsoft Graph. The platform supports both single-tenant line-of-business (LOB) applications and multi-tenant software-as-a-service (SaaS) applications. It is built on several key components: Authentication service: This service is compliant with OAuth 2.0 and OpenID Connect standards, allowing authentication of various identity types such as work or school accounts provisioned through Microsoft Entra ID, personal Microsoft accounts (like Skype or Xbox), and social or local accounts via Azure AD B2C and Microsoft Entra External ID. Open-source libraries: Microsoft Authentication Library (MSAL) and other standards-compliant libraries are part of the platform. MSAL is recommended for its built-in support for Conditional Access, single sign-on (SSO) experiences, and token caching. It supports different authorization grants and token flows suitable for various application types and scenarios. Identity platform endpoint: The endpoint is OIDC certified and works with MSAL or any standards-compliant library, implementing human-readable scopes in line with industry standards. Application management portal: This portal, located in the Microsoft Entra admin center, offers a registration and configuration experience along with other application management capabilities. Application configuration API and PowerShell: These tools enable programmatic configuration of applications through the Microsoft Graph API and PowerShell, facilitating automation of DevOps tasks. Developer content: The platform provides technical documentation, including quickstarts, tutorials, how-to guides, API references, and code samples to aid developers in leveraging the platform effectively. OpenID Connect on the Microsoft Identity Platform OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. It enables single sign-on (SSO) between OAuth-enabled applications using a security token called an ID token. Protocol Flow: Sign-in The basic OIDC sign-in flow involves the client application requesting an ID token from the Microsoft Identity Platform. This token contains information (claims) about the authenticated user, enabling the client application to verify the user's identity. Enable ID Tokens ID tokens are not issued by default for applications registered with the Microsoft Identity Platform. To enable ID tokens, you can follow these steps: Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Authentication. Add a platform configuration: Select the platform for your application (e.g., web) and add the redirect URI. Enable ID tokens: Under Implicit grant and hybrid flows, check the ID tokens box. Alternatively, you can enable ID tokens by modifying the application manifest: Navigate to Identity > Applications > App registrations > Your application > Manifest. Set oauth2AllowIdTokenImplicitFlow to true. Fetch the OpenID Configuration Document OIDC providers like the Microsoft Identity Platform provide a configuration document at a publicly accessible endpoint. This document contains the provider's OIDC endpoints, supported claims, and other metadata. To find the OpenID configuration document for your application: Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Endpoints. Locate the OpenID Connect metadata document URI. You can also append /.well-known/openid-configuration to your app's authority URL to access this document. Send the Sign-in Request To authenticate a user and request an ID token: Direct the user's browser to the Microsoft Identity Platform's /authorize endpoint. Include the openid scope and id_token in the response_type parameter. Specify additional parameters like nonce and state for enhanced security. Example sign-in request: GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? client_id=00001111-aaaa-2222-bbbb-3333cccc4444 &response_type=id_token &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=form_post &scope=openid &state=12345 &nonce=678910 After the user authenticates and grants consent, the Microsoft Identity Platform returns an ID token to your app at the specified redirect URI. This token can be used to verify the user's identity and establish a session. Validate the ID Token It is essential to validate the ID token's signature and claims to ensure the authenticity and integrity of the token. This can be done using a token validation library, which simplifies the process and enhances security. By following these steps, organizations can leverage OIDC on the Microsoft Identity Platform to achieve secure, scalable, and user-friendly authentication for their applications. Conclusion OpenID Connect (OIDC) is a cornerstone of modern identity management, ensuring secure user authentication across various platforms and applications. By building on OAuth 2.0, OIDC provides a standardized approach to identity verification, essential for both developers and end-users. Its broad adoption underscores its critical role in enhancing security and user convenience in the digital landscape. The implementation of OIDC within cloud environments, such as AWS and Azure, highlights its importance in securing cloud-based resources and services. Through integration with IAM in AWS and the Microsoft Identity Platform, OIDC ensures that only authenticated users access critical resources, adhering to best security practices while facilitating user experiences. These integrations not only bolster security frameworks but also enhance organizational efficiency and productivity. What Is OpenID Connect (OIDC)? OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol, enabling clients to verify the identity of end-users based on the authentication performed by an authorization server. By providing a standardized way to authenticate users, OIDC facilitates secure access to various web services and applications. It integrates with OAuth 2.0, adding an identity layer by introducing ID tokens, which carry information about the authenticated user. OpenID Connect (OIDC) OIDC simplifies user authentication processes, reducing the need for applications to handle user credentials directly, thus minimizing security risks. It supports a range of applications, including web and mobile apps, and is widely adopted across the industry due to its flexibility. This standardization ensures interoperability among different platforms and systems, promoting a more secure and user-friendly authentication ecosystem. Refer to this in-depth blog post for more background on OIDC authentication. Importance of OIDC in Cloud Environments OIDC plays a crucial role in cloud environments by enhancing the security of cloud applications and services. Given the distributed nature of cloud systems, secure and reliable identity verification is essential. OIDC provides an effective framework for authenticating users across various services, reducing the risk of unauthorized access and data breaches. This is particularly important in multi-tenant cloud environments, where resources are shared among multiple users and organizations. In addition to security, OIDC improves user experience by enabling single sign-on (SSO) capabilities. Users can access multiple services within a cloud environment using a single set of credentials, reducing the need to remember multiple passwords. This not only enhances security but also boosts productivity and user satisfaction, making OIDC a valuable component of modern cloud security strategies. OIDC in AWS What Is AWS IAM? AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources. With IAM, you can manage users and their permissions in the AWS environment. IAM allows you to create and manage AWS users and groups and use permissions to allow and deny access to AWS resources. IAM is pivotal for enforcing security policies and managing access controls in AWS. By leveraging IAM, organizations ensure that only authorized personnel can access specific resources, thereby maintaining the integrity and security of their cloud infrastructure. It also supports collaboration by defining and assigning precise access levels to different parties involved. Create an OpenID Connect identity provider in IAM To create and manage an IAM OIDC identity provider in AWS, follow these steps: Register your application with the IdP Obtain the client ID (audience) for your application from your identity provider (IdP). This is a unique identifier for your app. Open the IAM console 2. Navigate to the IAM console at AWS Management Console. Add a new provider 3. In the navigation pane, select Identity providers, then choose Add provider. Configure the provider 4. For Configure provider, choose OpenID Connect. 5. Enter the Provider URL. Ensure the URL: 1. Is case-sensitive. 2. Begins with https://. 3. Does not contain a port number. 6. Enter the Audience value, which is the client ID obtained from the IdP. Additional client IDs can be added later if needed. Add tags (optional) 7. You can add key-value pairs to help identify and organize your IdPs. Tags can also control access to AWS resources. Verify and add the provider 8. Review the information provided. Choose Add provider to proceed. 9. IAM will attempt to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider. Manage certificates and thumbprints 10. If the OIDC IdP uses a certificate not signed by a trusted CA, AWS will use thumbprints set in the IdP's configuration for secure communication. Adjustments can be made in the Endpoint verification tab within the IAM console. Assign IAM roles 11. Create one or more IAM roles for the identity provider. These roles enable federated users authenticated by your IdP to request temporary security credentials for accessing AWS resources. 12. Ensure the roles are in the same account as the identity provider and define permissions based on your organization's needs. Register your application with the IdP Obtain the client ID (audience) for your application from your identity provider (IdP). This is a unique identifier for your app. Register your application with the IdP Register your application with the IdP Obtain the client ID (audience) for your application from your identity provider (IdP). This is a unique identifier for your app. Obtain the client ID (audience) for your application from your identity provider (IdP). This is a unique identifier for your app. Open the IAM console 2. Navigate to the IAM console at AWS Management Console. Open the IAM console 2. Navigate to the IAM console at AWS Management Console . Open the IAM console AWS Management Console Add a new provider 3. In the navigation pane, select Identity providers, then choose Add provider. Add a new provider 3. In the navigation pane, select Identity providers , then choose Add provider . Add a new provider Identity providers Add provider Configure the provider 4. For Configure provider, choose OpenID Connect. 5. Enter the Provider URL. Ensure the URL: 1. Is case-sensitive. 2. Begins with https://. 3. Does not contain a port number. 6. Enter the Audience value, which is the client ID obtained from the IdP. Additional client IDs can be added later if needed. Configure the provider 4. For Configure provider , choose OpenID Connect . 5. Enter the Provider URL . Ensure the URL: 1. Is case-sensitive. 2. Begins with https:// . 3. Does not contain a port number. 6. Enter the Audience value, which is the client ID obtained from the IdP. Additional client IDs can be added later if needed. Configure the provider Configure provider OpenID Connect Provider URL https:// Audience Add tags (optional) 7. You can add key-value pairs to help identify and organize your IdPs. Tags can also control access to AWS resources. Add tags (optional) 7. You can add key-value pairs to help identify and organize your IdPs. Tags can also control access to AWS resources. Add tags (optional) Verify and add the provider 8. Review the information provided. Choose Add provider to proceed. 9. IAM will attempt to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider. Verify and add the provider 8. Review the information provided. Choose Add provider to proceed. 9. IAM will attempt to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider. Verify and add the provider Add provider Manage certificates and thumbprints 10. If the OIDC IdP uses a certificate not signed by a trusted CA, AWS will use thumbprints set in the IdP's configuration for secure communication. Adjustments can be made in the Endpoint verification tab within the IAM console. Manage certificates and thumbprints 10. If the OIDC IdP uses a certificate not signed by a trusted CA, AWS will use thumbprints set in the IdP's configuration for secure communication. Adjustments can be made in the Endpoint verification tab within the IAM console. Manage certificates and thumbprints Endpoint verification Assign IAM roles 11. Create one or more IAM roles for the identity provider. These roles enable federated users authenticated by your IdP to request temporary security credentials for accessing AWS resources. 12. Ensure the roles are in the same account as the identity provider and define permissions based on your organization's needs. Assign IAM roles 11. Create one or more IAM roles for the identity provider. These roles enable federated users authenticated by your IdP to request temporary security credentials for accessing AWS resources. 12. Ensure the roles are in the same account as the identity provider and define permissions based on your organization's needs. Assign IAM roles By following these steps, you can establish a secure and reliable OIDC identity provider in AWS IAM, facilitating access to AWS resources for users authenticated through your external IdP. OIDC in Azure What Is Microsoft Identity Platform? The Microsoft Identity Platform is a cloud identity service for application developers. It enables users to sign in using their Microsoft identities or social accounts, and grants access to APIs, including Microsoft's own APIs like Microsoft Graph. The platform supports both single-tenant line-of-business (LOB) applications and multi-tenant software-as-a-service (SaaS) applications. It is built on several key components: Authentication service: This service is compliant with OAuth 2.0 and OpenID Connect standards, allowing authentication of various identity types such as work or school accounts provisioned through Microsoft Entra ID, personal Microsoft accounts (like Skype or Xbox), and social or local accounts via Azure AD B2C and Microsoft Entra External ID. Open-source libraries: Microsoft Authentication Library (MSAL) and other standards-compliant libraries are part of the platform. MSAL is recommended for its built-in support for Conditional Access, single sign-on (SSO) experiences, and token caching. It supports different authorization grants and token flows suitable for various application types and scenarios. Identity platform endpoint: The endpoint is OIDC certified and works with MSAL or any standards-compliant library, implementing human-readable scopes in line with industry standards. Application management portal: This portal, located in the Microsoft Entra admin center, offers a registration and configuration experience along with other application management capabilities. Application configuration API and PowerShell: These tools enable programmatic configuration of applications through the Microsoft Graph API and PowerShell, facilitating automation of DevOps tasks. Developer content: The platform provides technical documentation, including quickstarts, tutorials, how-to guides, API references, and code samples to aid developers in leveraging the platform effectively. Authentication service : This service is compliant with OAuth 2.0 and OpenID Connect standards, allowing authentication of various identity types such as work or school accounts provisioned through Microsoft Entra ID, personal Microsoft accounts (like Skype or Xbox), and social or local accounts via Azure AD B2C and Microsoft Entra External ID. Authentication service Open-source libraries : Microsoft Authentication Library (MSAL) and other standards-compliant libraries are part of the platform. MSAL is recommended for its built-in support for Conditional Access, single sign-on (SSO) experiences, and token caching. It supports different authorization grants and token flows suitable for various application types and scenarios. Open-source libraries Identity platform endpoint : The endpoint is OIDC certified and works with MSAL or any standards-compliant library, implementing human-readable scopes in line with industry standards. Identity platform endpoint Application management portal : This portal, located in the Microsoft Entra admin center, offers a registration and configuration experience along with other application management capabilities. Application management portal Application configuration API and PowerShell : These tools enable programmatic configuration of applications through the Microsoft Graph API and PowerShell, facilitating automation of DevOps tasks. Application configuration API and PowerShell Developer content : The platform provides technical documentation, including quickstarts, tutorials, how-to guides, API references, and code samples to aid developers in leveraging the platform effectively. Developer content OpenID Connect on the Microsoft Identity Platform OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. It enables single sign-on (SSO) between OAuth-enabled applications using a security token called an ID token. Protocol Flow: Sign-in The basic OIDC sign-in flow involves the client application requesting an ID token from the Microsoft Identity Platform. This token contains information (claims) about the authenticated user, enabling the client application to verify the user's identity. Enable ID Tokens ID tokens are not issued by default for applications registered with the Microsoft Identity Platform. To enable ID tokens, you can follow these steps: Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Authentication. Add a platform configuration: Select the platform for your application (e.g., web) and add the redirect URI. Enable ID tokens: Under Implicit grant and hybrid flows, check the ID tokens box. Sign in to the Microsoft Entra admin center. Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Authentication. Browse to Identity > Applications > App registrations > Your application > Authentication. Add a platform configuration: Select the platform for your application (e.g., web) and add the redirect URI. Add a platform configuration: Enable ID tokens: Under Implicit grant and hybrid flows, check the ID tokens box. Enable ID tokens: Alternatively, you can enable ID tokens by modifying the application manifest: Navigate to Identity > Applications > App registrations > Your application > Manifest. Set oauth2AllowIdTokenImplicitFlow to true. Navigate to Identity > Applications > App registrations > Your application > Manifest. Navigate to Identity > Applications > App registrations > Your application > Manifest. Set oauth2AllowIdTokenImplicitFlow to true. Set oauth2AllowIdTokenImplicitFlow to true. Fetch the OpenID Configuration Document OIDC providers like the Microsoft Identity Platform provide a configuration document at a publicly accessible endpoint. This document contains the provider's OIDC endpoints, supported claims, and other metadata. To find the OpenID configuration document for your application: Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Endpoints. Locate the OpenID Connect metadata document URI. Sign in to the Microsoft Entra admin center. Sign in to the Microsoft Entra admin center. Browse to Identity > Applications > App registrations > Your application > Endpoints. Browse to Identity > Applications > App registrations > Your application > Endpoints. Locate the OpenID Connect metadata document URI. Locate the OpenID Connect metadata document URI. You can also append /.well-known/openid-configuration to your app's authority URL to access this document. /.well-known/openid-configuration Send the Sign-in Request To authenticate a user and request an ID token: Direct the user's browser to the Microsoft Identity Platform's /authorize endpoint. Include the openid scope and id_token in the response_type parameter. Specify additional parameters like nonce and state for enhanced security. Direct the user's browser to the Microsoft Identity Platform's /authorize endpoint. Direct the user's browser to the Microsoft Identity Platform's /authorize endpoint. Include the openid scope and id_token in the response_type parameter. Include the openid scope and id_token in the response_type parameter. Specify additional parameters like nonce and state for enhanced security. Specify additional parameters like nonce and state for enhanced security. Example sign-in request: GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? client_id=00001111-aaaa-2222-bbbb-3333cccc4444 &response_type=id_token &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=form_post &scope=openid &state=12345 &nonce=678910 GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? client_id=00001111-aaaa-2222-bbbb-3333cccc4444 &response_type=id_token &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=form_post &scope=openid &state=12345 &nonce=678910 After the user authenticates and grants consent, the Microsoft Identity Platform returns an ID token to your app at the specified redirect URI. This token can be used to verify the user's identity and establish a session. Validate the ID Token It is essential to validate the ID token's signature and claims to ensure the authenticity and integrity of the token. This can be done using a token validation library, which simplifies the process and enhances security. By following these steps, organizations can leverage OIDC on the Microsoft Identity Platform to achieve secure, scalable, and user-friendly authentication for their applications. Conclusion OpenID Connect (OIDC) is a cornerstone of modern identity management, ensuring secure user authentication across various platforms and applications. By building on OAuth 2.0, OIDC provides a standardized approach to identity verification, essential for both developers and end-users. Its broad adoption underscores its critical role in enhancing security and user convenience in the digital landscape. The implementation of OIDC within cloud environments, such as AWS and Azure, highlights its importance in securing cloud-based resources and services. Through integration with IAM in AWS and the Microsoft Identity Platform, OIDC ensures that only authenticated users access critical resources, adhering to best security practices while facilitating user experiences. These integrations not only bolster security frameworks but also enhance organizational efficiency and productivity.