OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

Slides:



Advertisements
Similar presentations
FI-WARE Testbed Access Control temporary solution.
Advertisements

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Prabath Siriwardena | Johann Nallathamby.
Passwords suck Nico Smit November “The million passwords dilemma:”  Just like having a million keys suck, so also having a million usernames and.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
- Exact Connect event 2015.
Conditional access DirectAccess & automatic VPN Desktop Virtualization.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Fraser Technical Solutions, LLC
Blogs & feeds Jim des Rivieres Oct. 16, Grappling with question of how to present Jazz/OSLC data resources “Pure” data resources are presentation-
Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
Google Cloud Messaging for Android (GCM) is a free service that helps developers send data from servers to their Android.
HTRC API Overview Yiming Sun. HTRC Architecture Data API Portal access Direct programmatic access (by programs running on HTRC machines) Security (OAuth2)
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
Copyright ©2012 Ping Identity Corporation. All rights reserved.1.
(Azure+O365) Identity Presenter Name Position or role Microsoft Azure.
Building Twitter App Rohit Ghatol. About Me Rohit Ghatol 2.Project 3.Certified Scrum Master 4.Author “Beginning.
Module 11: Securing a Microsoft ASP.NET Web Application.
Integrating and Troubleshooting Citrix Access Gateway.
SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.
Case Study.  Client needed to build data collection agents for various mobile platform  This needs to be integrated with the existing J2ee server 
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities.
DataFlow Diagram – Level 0
Enabling Cloud Native Security with Multi-Tenant UAA
Securing Angular Apps Brian Noyes
Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.
API Auth By Kyle Bradley. Role Definitions  User (Resource Owner)  The resource owner is the person who is giving access to some portion of their account.
Secure Mobile Development with NetIQ Access Manager
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Today’s Applications Web API Browser Native app Web API Web API
© 2014 IBM Corporation Mobile Customization & Administration IBM Connections 5.0 Workshop Author: Paul Godby IBM Ecosystem Development Duration: 30 minutes.
#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson
THE API AN INTRODUCTION TO THE MINISTRYPLATFORM APPLICATION PROGRAMMING INTERFACE STEPHEN WAREHAM.
Azure Active Directory is becoming one of, if not the, primary user identity management services for cloud applications. One of Azure Active Directory's.
Redmond Protocols Plugfest 2016 Ron Starr, Paul Bartos, Hagit Galatzer, Stephen Guty New and Modified Windows Protocol Documents.
Web application Open Platform Interface
Web Application Security + OAuth2 NWEN 304: Advanced Network Applications.
Ask the Experts – Building Login-Based Sites in AEM
4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Consuming OAuth Services in Alfresco Share
API (Application Program Interface)
Hannes Tschofenig, Derek Atkins
WMarket For Developers API && Authorization.
Node.js Express Web Applications
OAuth2 WG User Authentication for Clients
Migrating SharePoint Add-ins from Azure ACS to Azure AD
Data Virtualization Tutorial… OAuth Example using Google Sheets
Node.js Express Web Services
WEB-API & MVC5 - Identity & Security
Social Networks Integration in Android
Addressing the Beast: Single Sign-On II
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,
WStore Programmer Guide
OAuth2, OpenID Connect, and Science Gateways
Azure AD Line Of Business Application Integration
IOS SDK v1.0 with NAM 4.2.
Agenda OAuth Concepts Programming OAuth.
SharePoint Online Authentication Patterns
Office 365 Development.
Token-based Authentication
D Guidance 26-Jun: Would like to see a refresh of this title slide
Presentation transcript:

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext

Why study about OAuth?

Reference - Do you care about these or Similar Sites?

Browser Mashups Facebook LinkedIn Foursquare Twitter Http Access Api Access

7155 APIs listed on

390 APIs on support OAuthhttp://ProgrammableWeb.com

Security Closed Open AuthenticationAuthorization

OAuth In a Nut Shell Can I have your Debit Card and ATM Pin?

OAuth In a Nut Shell Can I have your Credit Card?

OAuth Practical Example Disclaimer before you read ahead: All product names and people names used in the following slides are not entirely accurate. They are only placeholders to explain the concept. None of that information should assumed to be correct or incorrect.

Without OAuth

Lets Start Again

With OAuth

URL changed to

With OAuth URL is URL is

With OAuth URL changed to with code parameter URL changed to with code parameter

With OAuth

OAuth 2.0 Flow in Depth

Scenario BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa

Roles BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa Resource Server Authorization Server Client

Roles BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa Resource Server Authorization Server Client David Resource Owner

Client Registration BOB Picasa Print-Fast Owns Client Registers with Authorization Server Resource Server Authorization Server Client Client_Id=print-fast Client_Secret=xxx Redirect_Url =

OAuth Flows/Grant Types Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant

Step 1 – Get Authorization Grant

Authorization RequestAuthorization Grant URL used is &scope=profile, ,photos &redirect_uri=

Authorization Grant Authorization Grant Code = ase34

Client Resource Owner Authorization Server Resource Server Authorization Request Client_Id=print-fast Redirect_url = Scope=profile, ,photos Authorization Grant Protocol Flow David Print-Fast code = ase34

Step 2 – Exchange for Access Token

Print-Fast Authorization Server Client code = ase34 Code = ase34 Client_Id=print-fast Client_Secret=xxx access_token = x3e4

Client Resource Owner Authorization Server Resource Server Protocol Flow David Print-Fast Authorization Grant code = ase34 Client_Id=print-fast Client_Secret=xxx Access Token access_token= x3e4

Step 3 – Access Protected Resources

Print-Fast Authorization Server Client code = ase34 Code = ase34 Client_Id=print-fast Client_Secret=xxx access_token = x3e4 Picasa [“ “ “ “ ]

Client Resource Owner Authorization Server Resource Server Protocol Flow David Print-Fast Access Token Protected Resource access_token = x3e4 [“ “ Picasa

Complete Flow at Once

Client Resource Owner Authorization Server Resource Server Authorization Request Authorization Grant Access Token Protected Resource Protocol Flow

With Refresh Token

Client Authorization Server Resource Server Access Grant & Client Credentials Access Token & Refresh Token Access Token Protected Resource Protocol Flow Access Token Invalid Token Error Refresh Token & Client Credentials Access Token & Optional Refresh Token

Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant OAuth Flows/Grant Types

Step 1 – Get Access Token

Implicit Grant RequestImplicit Grant URL used is &scope=profile, ,photos &redirect_uri=

Implicit Grant Access token = x3e4

Client Resource Owner Authorization Server Resource Server Implicit Grant Request Client_Id=print-fast Redirect_url = Scope=profile, ,photos Access Token Protocol Flow David Print-Fast access_token= x3e4 Picasa

Step 2 – Access Protected Resources

access_token = x3e4 Picasa [“ “ “ “ ]

Client Resource Owner Resource Server Protocol Flow Meant for Pure Browser based Applications Access Token Protected Resource access_token = x3e4 [“ “ David Picasa

Complete Flow at Once

Client Resource Owner Resource Server Authorization Request Access Token Protected Resource Protocol Flow

Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant OAuth Flows/Grant Types

Client Authorization Server Resource Server Username/Pas sword Access Token with Optional Refresh Token Access Token Protected Resource Protocol Flow Resource Owner Resource Owner Credentials & Client Credentials Davi d Picasa Picasa – Desktop Client

Use Cases Strong Trust between Resource Owner and Client e.g Operating System or Privileged App Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided Example – Salesforce OAuth has provision for this

Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant Grant Types

Client Authorization Server Resource Server Access Token with Optional Refresh Token Access Token Protected Resource Protocol Flow Client Credentials

Use case The Data accessed is not owned by Resource Owner, but by the Client Say Skype showing statistics of uptime of its services

Use case There is contract already set between the Client and the Authorization Server E.g Google Apps Marketspace An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.

OAuth from Mobile Device

Popular Approaches Using User Agent (Stock Browser) Using Embedded WebView

Disclaimer Following slides are extracted from ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices I have no claim on the following slides with reference stated in them Thank you Brian Campbell for the excellent presentation

Request Authorization  When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint Device Native App Browser 1 Cloud! 1 Authorization Endpoint Token Endpoint Uri authzUrl = Uri.parse(" atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); Uri authzUrl = Uri.parse(" atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl " ; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]]; NSString* launchUrl " ; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]]; =code&scope=update_status Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

Authenticate and Approve  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. Device Native App Browser Cloud! 2 Authorization Endpoint Token Endpoint Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

Approve Device Native App Browser Cloud! 2 Authorization Endpoint Token Endpoint  User approves the requested access Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

Handle Callback Server returns control to the app via HTTP redirection and includes an authorization code HTTP/ Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA HTTP/ Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA Device Native App Browser Cloud! 3 Authorization Endpoint Token Endpoint Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

Handle Callback (cont’d) Registering a custom URI scheme String authzCode = getIntent().getData().getQueryParameter("code"); Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 3 In AndroidManifest.xml file: Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString { NSArray *elts = [param if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString { NSArray *elts = [param if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms Handle Callback (cont’d) Registering a custom URI scheme Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 3 In app info plist file: Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Trade Code for Token(s) Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 4 HTTP/ OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” } HTTP/ OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” } Token Endpoint Request Token Endpoint Response Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

POST /api/update-status HTTP/1.1 Host: rs.example.com Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. POST /api/update-status HTTP/1.1 Host: rs.example.com Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. Using an Access Token Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 5 NSString *authzHeader = [NSString accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL [request setValue:authzHeader NSString *authzHeader = [NSString accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL [request setValue:authzHeader DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost(" post.setHeader("Authorization", "Bearer " + accessToken); DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost(" post.setHeader("Authorization", "Bearer " + accessToken);  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Reference - oauth-20-and-mobile-deviceshttp:// oauth-20-and-mobile-devices

Pros and Cons Pros – User may be already logged in most cases – User will trust as he/she sees https and domain name Cons – Complicated Custom URI schema

Popular Approaches Using User Agent (Stock Browser) Using Embedded WebView

Pros and Cons Pros – Easier to monitor pages and extract authorization or access codes Cons – May not appeal since neither https or domain name is visible – WebView has separate cookie and history leading to client entering credentials each time

Reference Book – Getting Started with OAuth 2.0Getting Started with OAuth 2.0 Facebook Documentation Google Documentation Brian David Campbell’s Presentation