Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security + OAuth2 NWEN 304: Advanced Network Applications.

Published byCody Perry Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Application Security + OAuth2 NWEN 304: Advanced Network Applications."— Presentation transcript:

1 Web Application Security + OAuth2 NWEN 304: Advanced Network Applications

2 Today What is OAuth How it works How you use it

3 What is OAuth “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.” HTTP based authorisation Primarily designed for authorisation, but is often used for authentication as well You must use it for authentication in project 2 Credit: http://faculty.cs.uwlax.edu/~riley/CS455F13/Lectures/GradPresentations/OAuth%20Presentation.pdf

4 Delegate capabilities OAuth lets you delegate capabilities and privileges E.g. if you use add-on software - you want it to access your resources so it can be helpful to you - but you don’t want it to *be* you OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password.

5 OAuth vs SAML SAMLSAML - a set of standards designed to share info - describe who a user is - describe user’s attributes - Give you a way to grant/deny access to something OAuthOAuth - More about delegating access to something. - You allow someone to “act” as you - Its most commonly used to grant access to api's that can do something on your behalf.

6 Why use OAuth (service and developer perspective) A third party provides authentication and authorisation => Developers can focus on building their applications rather than building an authentication system Usernames and passwords are not handled by the application => A service provider collects and processes authentication details => The application doesn’t have to worry about storing credentials (plain text problems etc.)

7 Why use OAuth (user perspective) Centralises management of user accounts => Don’t need to have 1000s of accounts => Fewer passwords to remember

8 Why use OAuth (user) User’s specify what permissions are granted to each application => You specify whether an app can access your email etc. => Fine-grain access control

9 Why use OAuth (user) Provides dynamic access control mechanism => You can control who has access to what => No need to delete accounts etc., you can just remove an application’s access

10 Why use OAuth (user) You can change passwords and not effect every account you have OAuth is completely transparent to the users => if done right, they may not even know it is there

11 History of OAuth OAuth 1.0 released in 2007 - Twitter developers realised that OpenID was not going to support delegated API access well - OAuth then adopted into IETF: RFC 5849 - 2009: OAuth 1.0a fixes a session fixation flaw - Can choose not to encrypt Susceptible to authentication failures if client and server don't agree on argument order/signatures etc. Primary focus is web browser Can provide difficulty authenticating non-browser apps Technically deprecated by OAuth 2 Credit: http://www.cs.otago.ac.nz/cosc412/lectures/L11-decentralised-auth.pdf

12 OAuth2.0 OAuth 2.0 is current evolution [RFC6749,6750] - Supported by Facebook, Twitter, Google, MS, etc … however a committee effort made it complex - Released in 2012 (… intended for 2010 release) - Must use encryption No signatures: No issue with argument ordering Potentially better for larger scale implementations – Authentication and authorization can be provided by different servers – More suitable for corporate authentication Some feel OAuth 2 is not a positive replacement for OAuth 1 – Not backward compatible with OAuth 1 – Leaves many details up to implementer: Can lead to incompatible, yet compliant, implementations

13 OAuth2.0 Roles There are four key roles (actors) when discussing OAuth flows: - Resource Owner (OR) - Client - Resource Server (RS) - Authorisation Server (AS)

14 OAuth2.0 Roles Cont. Resource Owner (RO): the end user (you) Grants access to some part of their account Not necessarily a user though… Client: software trying to access RO’s data Websites Apps and games Anything that says ‘sign in with Facebook’ etc. According to Facebook, 81 of the top 100 grossing iOS apps and 62 of the top 100 grossing Android apps use Login with Facebook

15 OAuth2.0 Roles Cont. Resource Server (RS): Where RO’s data is stored Authorisation Server (AS): Google/Twitter/Facebook etc. Authenticates RO Issues access tokens to client

16 How to use OAuth2.0 First, you must register your app (the client) with an authorisation server, e.g. google. Registration is a one time thing for the application – there is no mention of ROs etc. When registering your app you specify: - application name - logo etc. - website or host name - return URL (how focus is returned to the application after login)

17

18 How to use OAuth2.0 Registering gives you credentials: ClientID (public) Client Secret (private) ClientID identifies the application Clients are either public or confidential: confidential: clients can keep secrets (apps) public: client can’t (JS in a browser) The client secret is only useful to confidential apps

19 OAuth Authorisation Flow - Client wants access to a resource server. - Starts by presenting the resource owner (user) with a login screen to an AS (Facebook etc.) Detailed: https://www.digitalocean.com/community/tutorials/an- introduction-to-oauth-2

20 Oauth Authentication Flow

21 OAuth2.0 Grant Types OAuth provides several grant types. E.g.: - Authorisation Code (e.g. previous slide) - Implicit - RO Password Credentials -Client Credentials These are used in different use cases.

22 OAuth2.0 Grant Types Authorisation Code – for apps on a web server: The AS is an intermediary between the RO and the Client - RO never shares credential with Client - Client never shares credential with RO Implicit – for browser-based or mobile apps: Skips the auth code step - Token delivered to client - Good for javascript apps etc.

23 OAuth2.0 Grant Types RO Password Credentials – for getting RO’s credentials - Must trust the client a lot… - Makes sense for client apps developed by the resource server. E.g. the official facebook app. Client Credentials – used with Applications API access

24

25 Example Super simple! It is essentially copy-paste and tell it to ‘authenticate()’, then it sorts itself out. There is a lot of info online! An example with Passport: http://passportjs.org/ https://github.com/jaredhanson/passport- facebook

26 Passport Example Start by registering an application with facebook. This gives you an appID and app secret. You have to configure a redirect address. > npm install passport-facebook

27 Example var Strategy = require('passport-facebook').Strategy; … passport.use(new FacebookStrategy({ clientID: FACEBOOK_APP_ID, clientSecret: FACEBOOK_APP_SECRET, callbackURL: "http://localhost:3000/auth/facebook/callback" }, function(accessToken, refreshToken, profile, cb) { User.findOrCreate({ facebookId: profile.id }, function (err, user) { return cb(err, user); }); }));

28 Example Use passport.authenticate(), specifying the 'facebook' strategy, to authenticate requests. app.get('/auth/facebook', passport.authenticate('facebook')); app.get('/auth/facebook/callback', passport.authenticate('facebook', { failureRedirect: '/login' }), function(req, res) { // Successful authentication, redirect home. res.redirect('/'); });

29 Example: Other Requesting specific permissions (you define scopes): app.get('/auth/facebook', passport.authenticate('facebook', { authType: 'rerequest', scope: ['user_friends', 'manage_pages'] }));

Download ppt "Web Application Security + OAuth2 NWEN 304: Advanced Network Applications."

Similar presentations

FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
The Alfresco API Steven Glover Gethin James Peter Monks.

The Alfresco API Steven Glover Gethin James Peter Monks.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
By: Ansuya Chauhan.

By: Ansuya Chauhan.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Openid Connect https://store.theartofservice.com/the-openid-connect-toolkit.html.

Openid Connect
Instructions for Administrators Choose the Enrollment slide decks that match your environment, either for SaaS or On Premise. Edit the red text to match.

Instructions for Administrators Choose the Enrollment slide decks that match your environment, either for SaaS or On Premise. Edit the red text to match.
Module 11: Securing a Microsoft ASP.NET Web Application.

Module 11: Securing a Microsoft ASP.NET Web Application.
SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Similar presentations

Ads by Google