- Exact Connect event 2015.
Presentation transcript:

- Exact Connect event 2015

More clients with OAuth
How OAuthilicious is your app?
Exact Connect event 2015
Jurjen Boss & Robin van Loon, April 23rd 2015, Delft
Notes: Brief introduction. Time: 2 min.

INTRODUCTION
Presenters
Jurjen Boss
- Master's degree in Electrical Engineering
- 15+ years IT experience; broad knowledge of product development life cycles
- Started as Product Manager, Connectivity team
- Now App Delivery Manager, central Eco-system team
Robin van Loon
- Bachelor ICT and Certified Ethical Hacker
- Started in 2001 with Exact, background in industrial automation
- Started as software engineer, Custom Solutions
- Now working full time on application security for Exact Online
| Exact Connect event 2015 | More clients with OAuth

INTRODUCTION
App delivery management: relation to product delivery
Diagram: App Center, API, Exact Online, Dev Doc, Build, Review, Plan, Solution Team; product delivery and app delivery.

INTRODUCTION
App delivery management: what's the plan?
- Thought leadership
- Presentations, events, publications
- App Center - app delivery process
- Security - OAuth
- Try now
- Onboarding
- App delivery process
- Webinar
- International adoption
- Automate review steps
- Must-win apps
- Project management
- Consultancy
- Optimal integration
- Cloud apps
- App Center quality
- App fact sheets
- Review apps
- Audit

AGENDA
- Cloud security
  - Introduction
  - Web Application Security
  - Rate control
  - Access by third party services
- OAuth
  - History
  - Why is it needed?
  - What is it?
  - How does it work?
  - When is it required?
- App Center Apps
  - Offer the ultimate try now UX
  - Provisioning – Application – Deprovisioning

CLOUD SECURITY
Notes: Explain cloud security. Time: 10 min.

CLOUD SECURITY
Introduction (1/2)
Parties involved:
- Development teams
- Customers\Partners
- Support\Marketing\Legal
- Operations\Infra\...
Balancing act (triangle): Security – Functionality – Ease of use
Notes: My focus is on the development teams: enabling them to build secure software in the most efficient way. Of course there are more parties, and every one of them has different priorities and might aim for a different value. For Exact, security is key, so how do you embed that in the organization?

CLOUD SECURITY
Introduction (2/2)
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Phases: Training – Requirements – Design – Implementation – Verification – Release – Response
Pillars: Technology and Process, Education, Accountability
Notes: Early 2002 Microsoft came up with a way to efficiently build more secure software. Costs to fix increase dramatically with each phase, so tackle them as soon as possible. Seven phases, each phase has its own action points. Everything we do to improve our security level fits in one of these phases.

CLOUD SECURITY
Web Application Security (1/2)
- Traditional approach: protect your perimeter
  - Obviously you still protect your infrastructure
  - But you open up to the outside world via the application
- Attacks on the application layer increase
  - Not only on your own application
- OWASP Top 10: https://owasp.org
  - Development team needs to be aware and capable
  - Security is not complete when the OWASP Top 10 is covered
Notes: Protect your perimeter: maybe it works for a local intranet, but there are always inside threats. Also on OS\Frameworks\Infra etc.: last week: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553). Or via side channels: attack Exact Online via a partner\supplier channel. Open Web Application Security Project (OWASP) Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10 shows the top 10 most critical web application security risks.

CLOUD SECURITY
Web Application Security (2/2)
- Train your developers
  - Improve their skills
  - Change their mindset
- Threat model your application\service
  - A process to understand security threats to a system, determine risks from those threats, and establish appropriate mitigations
- Always verify:
  - Automated source scans
  - Automated penetration tests
  - Security audits
Notes: For example the OWASP Top 10 > improve skills. It is easy to lose focus when building functionality, but ask: how can it be abused? Threat modelling helps set the mindset, identifying threats and mitigating them in a structured way. But no matter how good you are, there is always a chance something slips through, so VERIFY.

CLOUD SECURITY
Rate control
- Shared infrastructure that needs to be protected
- Define fair use
- How to act?
Notes: A lot of devices are accessing Exact Online and they should not affect the performance of the environment. Each device has its own goals, but what is fair use? 1000 calls per second for one administration? What if you have 10\100\1000 administrations? What if your application contains a bug and executes a lot of requests? Act: warn, block? Block on IP? With shared data centers\proxies you don't want to block valid users. Something we'll continue to investigate in 2015. Image source: http://1.bp.blogspot.com/-jbQzSi-7L98/T8b9s_yaaBI/AAAAAAAAACw/5houiMX5IBI/s1600/CloudServices2.jpg

CLOUD SECURITY
Access by third party services
- Traditionally credentials are used by third party services
  - Who is using those credentials?
  - What can you do with those credentials?
- Protect our users and offer a transparent way of working with third party services
- Offer partners a standardized way of connecting to Exact Online
Notes: As a cloud solution you want services to connect, but how?

‘OH-OAUTH’
Notes: Explain OAuth. Time: 18 min.

OAUTH
History
- November 2006: research started to use OpenID with the Twitter API to delegate authentication; no open standard for API access delegation
- December 2007: OAuth Core 1.0 specification released
- April 2010: OAuth 1.0 Protocol published
- October 2012: OAuth 2.0 Framework published
- August 2013: OAuth 2.0 for Exact Online released (ready in April 2013)
Notes: Explain history. Time: 0,5 min.

OAUTH
Why is it needed?
- Credential storage in 3rd party applications
- Get access to all protected data for unlimited duration
- Access can only be revoked for all 3rd party applications at once, by changing credentials
- Compromise of a 3rd party application results in compromised credentials and all its protected data
- Multiple credentials, or re-use of credentials
Notes: Explain disadvantages of traditional credential-based authentication / authorization. Time: 1 min.

OAUTH
Introduction
- Open standard for authorization
- Only keep track of one set of credentials for a popular provider
- Provides an application secure delegated access to protected data
- Authenticate users via a trusted provider like Google, Twitter, GitHub, etc.
- Optimize sign-up flows to onboard users faster
Notes: Explain most important advantages of OAuth. Time: 1 min.

OAUTH
Definitions
- Protected resource: data to be protected by OAuth
- Resource owner = USER: user granting access to a protected resource
- Resource server: server hosting protected resources, accessible by access tokens
- Client = APP: application accessing protected resources based on resource owner authorization
- Authorization server: server issuing access tokens to the client based on the authenticated resource owner and its authorization
- Tokens: used instead of user credentials to access protected resources
Notes: Explain OAuth definitions. Time: 1 min.

OAUTH
Process
Notes: Explain process by live example. Time: 10 min. First an OAuth registration needs to be created at the authorization server. Ask 5 people for all roles: resource owner (user) – resource server – protected resource – client (app) – authorization server.
Story:
1. User wants to use the app to do e.g. time registration
2. App wants to access protected resources of the user, e.g. date of birth
3. App redirects the user to the authorization server
4. Authorization server asks for authentication and access authorization
5. Authorization server redirects the user to the app with an authorization code
6. App exchanges the authorization code for an access token / refresh token
7. App requests protected resource data from the resource server
8. Resource server responds with the protected resource data
9. App exchanges the refresh token for a new access token

OAUTH
Flow diagram
Notes: Only highlight that this is available in our developer documentation. Time: 0,1 min.

OAUTH
Authorization grant types
An authorization grant is a credential representing the user's authorization to access its protected resources; it is used by the app to obtain an access token.
4 grant types:
1. Authorization code
2. Implicit
   - simplified authorization code flow optimized for script-based browser apps
   - app is issued an access token directly
   - no authorization code issued (app not authenticated)
3. User credentials
   - obtain an access token based on credentials
   - high degree of trust between app and user (privileged app)
   - credentials used for a single request to exchange for an access token
4. App credentials
   - protected resources under control of the app
   - authorization previously arranged
Diagram: grant types 1–4 placed on the Security – Functionality – Ease of use triangle.
Notes: Explain other OAuth grant types and which ones Exact Online supports. Time: 1 min.

OAUTH
Integration cases
- CLOUD: token management in app; best OAuth implementation
- BACKEND: OAuth service: UI token management; link OAuth service with backend service; customized OAuth implementation
- MOBILE: token management in app; embedded webview OR system web browser
- ON-PREMISE: token management in app; embedded webview OR system web browser
Notes: Explain (dis)advantages between different web clients. Time: 2 min.
Cross-platform – embedded WebViews
+ authorization screen in full screen
+ not too much context switching
- uses a different cookie store, so the user is not logged in in this view (credentials need to be re-entered)
- standard browser chrome not visible: no indicators for SSL and certificate validation
Cross-platform – system web browser
+ user is usually already logged in, only has to authorize access
- standard browser: some context switching
- for the user it doesn't look like they are still inside your app
- difficult to communicate the access token / authorization code back to the app

OAUTH
How do we help?
- We offer a client library
  - Currently only .NET
  - Source code available on GitHub: https://github.com/exactonline/ClientSDK
  - Rewrite to the library you require? Initiate a pull request, commit the new library
  - Other client libraries (to be built): PHP, Python, JAVA, JavaScript, …
- Google is your friend ;-)
  - OAuth 2.0 Playground
  - Lots of articles, videos, etc.
- Exact Online supports the OAuth 2.0 specification, grant types: authorization code, implicit
- API support specialists team: web request via Exact Online partner account
Notes: Explain how we help in OAuth implementation. Time: 0,5 min.

OAUTH
Migration
- Deprecated authentication services: Basic, Form-based
- Standard authentication service: OAuth
- Deadline: 1st of August 2015
- Migration help
  - Partner: https://developers.exactonline.com/#migration_oauth.html
  - Customer: https://developers.exactonline.com/#migration_Oauth_Authentication.html
  - .NET Client SDK: https://github.com/exactonline/ClientSDK
Notes: Highlight migration process, currently started. Time: 0,5 min.

REQUEST FLOWS
Notes: Explain OAuth request flow (technical). Time: 2 min.

OAUTH
Request flow – authorization request
Step 1: app redirects the user
- Generate URL
- Redirect the user over to this URL
URL (auth request with redirect_uri):
    ../api/oauth2/auth?
      client_id={b81cc4de-d192-400e-bcb4-09254394c52a}&
      redirect_uri=https://www.mycompany.com/myapplication&
      response_type=code
Notes: Explain authorization request. Time: 0,2 min.

OAUTH
Request flow – authorization request
Step 2a: user authorizes access
- Authenticate user
- Authorize app access
Step 2b: user is redirected back to the app
- Request made to redirect_uri with authorization code
URL:
    https://www.mycompany.com/myapplication?
      code=0-ec!IAAAAGXemi5fmLHLD5yHXEDXOPFh6Ia…
Notes: Explain authorization request. Time: 0,3 min.

OAUTH
Request flow – token request
Step 3: app exchanges authorization code for access token
- Generate URL
- Token request with authorization code
- Response contains: access token (with expire time), refresh token
HTTP REQUEST:
    POST ../api/oauth2/token HTTP/1.1
    Host: start.exactonline.nl
    Content-Type: application/x-www-form-urlencoded

    code=0-ec!IAAAAGXemi5fmLHLD5yHXEDXOPFh6Ia…&
    redirect_uri=https://www.mycompany.com/myapplication&
    grant_type=authorization_code&
    client_id={b81cc4de-d192-400e-bcb4-09254394c52a}&
    client_secret=n3G7KAhcv8OH
HTTP RESPONSE:
    {
      "access_token": "AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGa…",
      "token_type": "Bearer",
      "expires_in": 600,
      "refresh_token": "Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ss…"
    }
Notes: Explain token request. Time: 0,5 min.

OAUTH
Request flow – token request
Step 4: app exchanges refresh token for a new access token
- Token has expired
  - After failure
  - In advance (client library)
HTTP REQUEST:
    POST ../api/oauth2/token HTTP/1.1
    Host: start.exactonline.nl
    Content-Type: application/x-www-form-urlencoded

    refresh_token=Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ss…&
    grant_type=refresh_token&
    client_id={b81cc4de-d192-400e-bcb4-09254394c52a}&
    client_secret=n3G7KAhcv8OH
HTTP RESPONSE:
    {
      "access_token": "AAEAABIKSw2E5nHI8lhwdM4iEV4RPdxLgThZj…",
      "token_type": "Bearer",
      "expires_in": 600,
      "refresh_token": "__1P!IAAAACpjBagWscm76YIGMY3526T3dIK…"
    }
Notes: Explain token request. Time: 0,5 min.

OAUTH
Request flow – API request
- Call the API by using access tokens
- Use the Authorization header whenever possible
  - very rarely logged in web server logs
  - very rarely logged by proxy servers
  - rarely cached
HTTP REQUEST:
    GET ../api/v1/63829/crm/Accounts HTTP/1.1
    Host: start.exactonline.nl
    Authorization: Bearer AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGa…
HTTP RESPONSE:
    {
      "d": [
        {
          "__metadata": {
            "uri": "https://start.exactonline.nl/api/v1/15490/crm/Accounts(guid'7e3cab5a-3130-4001-956d-14a29c5a834b')",
            "type": "Exact.Web.Api.Models.Account"
          },
          "ID": "7e3cab5a-3130-4001-956d-14a29c5a834b",
          "Name": "Senser Ltd."
        }
      ]
    }
Notes: Explain API request. Time: 0,5 min.
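The four request-flow steps above (authorization URL, callback with code, code exchange, refresh) and the bearer-header API call, modelled as an offline client. This is an added example, not Exact's ClientSDK: the endpoint paths, client_id and redirect_uri are the values from the slides, while the `state` parameter, the callback redirect_uri check and the refresh-in-advance margin are assumptions added as the usual client-side protections.

```python
# Added example: offline model of the authorization-code flow shown on the slides.
# The `state` parameter is an assumption (not on the slides); it ties the callback
# to the request that started it so a foreign code cannot be injected into a session.
import json
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://start.exactonline.nl/api/oauth2/auth"     # ../api/oauth2/auth on the slide
TOKEN_URL = "https://start.exactonline.nl/api/oauth2/token"   # ../api/oauth2/token on the slide


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch time computed from expires_in (600 s on the slides)

    def needs_refresh(self, now: float, margin: float = 60.0) -> bool:
        """Refresh in advance (as the client library does) rather than after a failure."""
        return now + margin >= self.expires_at


class OAuthClient:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
        self.client_id = client_id
        self.client_secret = client_secret      # lives server side only; never in a browser or app binary
        self.redirect_uri = redirect_uri
        self._pending_state = None

    def authorization_url(self, state=None) -> str:
        """Step 1: build the URL the user is redirected to."""
        self._pending_state = state or secrets.token_urlsafe(16)
        query = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                 "response_type": "code", "state": self._pending_state}
        return AUTH_URL + "?" + urlencode(query)

    def parse_callback(self, callback_url: str) -> str:
        """Step 2b: the authorization server redirects back with ?code=...&state=..."""
        parts = urlsplit(callback_url)
        if parts.scheme + "://" + parts.netloc + parts.path != self.redirect_uri:
            raise ValueError("callback did not arrive on the registered redirect_uri")
        params = parse_qs(parts.query)
        state = params.get("state", [""])[0]
        if not self._pending_state or not secrets.compare_digest(state, self._pending_state):
            raise ValueError("state mismatch: possible cross-site request forgery")
        self._pending_state = None               # one callback per authorization request
        if "code" not in params:
            raise ValueError("authorization server returned no code: %r" % params.get("error"))
        return params["code"][0]

    def token_request_body(self, code: str) -> str:
        """Step 3: form body (application/x-www-form-urlencoded) for exchanging the code."""
        return urlencode({"code": code, "redirect_uri": self.redirect_uri,
                          "grant_type": "authorization_code",
                          "client_id": self.client_id, "client_secret": self.client_secret})

    def refresh_request_body(self, refresh_token: str) -> str:
        """Step 4: form body for exchanging a refresh token for a new access token."""
        return urlencode({"refresh_token": refresh_token, "grant_type": "refresh_token",
                          "client_id": self.client_id, "client_secret": self.client_secret})

    @staticmethod
    def parse_token_response(body: str, now: float) -> TokenSet:
        """Parse the JSON token response and turn expires_in into an absolute deadline."""
        data = json.loads(body)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type %r" % data.get("token_type"))
        return TokenSet(data["access_token"], data["refresh_token"], now + int(data["expires_in"]))

    @staticmethod
    def api_headers(tokens: TokenSet) -> dict:
        """API request: send the token in the Authorization header, not the query string,
        so it does not end up in web server logs, proxy logs or caches."""
        return {"Authorization": "Bearer " + tokens.access_token}
```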

APP CENTER APPS
Notes: Explain Try Now wizards based on OAuth. Time: 10 min.

APP CENTER APPS
Offer the ultimate try now UX
Steps #1–#3:
- make it faster and easier to onboard users securely
- get a unique, stable user identifier (no email address)
- personalize your site

APP CENTER APPS
Provisioning flow
- explain functionality of app
- explain app proposition(s)
- explain trial period / pricing model

APP CENTER APPS
Provisioning flow
- explain why a connection needs to be set up
- create connection with Exact Online
- user authorizes access
- app access is similar to user access in Exact Online (roles & rights)

APP CENTER APPS
Provisioning flow
- explain why an account will be created
- retrieve Exact Online account data: ../api/v1/current/Me
- automatically set up app account
- use e.g. Exact Online UserID as identification key

APP CENTER APPS
Provisioning flow
- explain why a company needs to be selected
- explain why settings must be configured
- retrieve Exact Online master data
- select company
- configure settings (G/L Accounts, VAT, …)

APP CENTER APPS
Provisioning flow
- explain app is connected
- trial period
- commercial model after trial
- confirmation mail
  - which data is to be synchronized
  - synchronization times of data
  - how to get support
- after ‘DONE’ continue to App Center or Partner App platform

APP CENTER APPS
Application flow
- start app in Exact Online App Center *
- validate Exact Online User ID with App User ID **
- start app directly as signed-in user: ../api/v1/current/Me
* app can also be started from other platforms
** configured during provisioning flow

APP CENTER APPS
Deprovisioning flow
- connection with Exact Online user is directly deactivated *
- explain consequences
- contract termination
- restore connection with Exact Online user?
* deactivation directly processed by Exact Online App Center

APP CENTER APPS
Deprovisioning flow
- connection restored
- explain connection restored for Exact Online user
- after ‘DONE’ continue to App Center or Partner App platform

APP CENTER APPS
Deprovisioning flow
- explain final invoice
- show contract termination invoice
- deactivate app account

APP CENTER APPS
Deprovisioning flow
- explain app is disconnected, account deactivated
- ask for feedback: why stop using?
- after ‘DONE’ continue to App Center

Thank you

Focus on what’s next