Presentation is loading. Please wait.

Presentation is loading. Please wait.

- Exact Connect event 2015.

Published byRoss Cook Modified over 9 years ago

Similar presentations

Presentation on theme: "- Exact Connect event 2015."ā€” Presentation transcript:

1 - Exact Connect event 2015

2 More clients with OAuth How OAuthilicious is your app?
Exact Connect event 2015 More clients with OAuth How OAuthiliciousĀ is your app? Jurjen Boss & Robin van Loon, April 23rd 2015, Delft Brief introduction. Time: 2 min.

3 INTRODUCTION Presenters
Master degree in Electrical Engineering 15+ years IT-experience; broad knowledge product development life cycles Started as Product Manager Connectivity team Now App Delivery Manager central Eco-system team Bachelor ICT and Certified Ethical Hacker Started in 2001 with Exact, background in industrial automation Started as software engineer Custom Solutions Now working fulltime on application security for Exact Online Jurjen Boss Robin van Loon | Exact Connect event 2015 | More clients with OAuth

4 INTRODUCTION App delivery management: relation to product delivery
APP CENTER API EXACT ONLINE DEV DOC BUILD REVIEW PLAN SOLUTION TEAM PRODUCT DELIVERY APP DELIVERY | Exact Connect event 2015 | More clients with OAuth

5 INTRODUCTION App delivery management: whatā€™s the plan?
Thought leadership Presentations, events, publications App Center - app delivery process Security - OAuth Try now Onboarding App delivery process Webinar International adoption Automate review steps Must-win apps Project management Consultancy Optimal integration Cloud apps App Center Quality App fact sheets Review apps Audit | Exact Connect event 2015 | More clients with OAuth

6 AGENDA Cloud security OAuth App Center Apps Introduction
Web Application Security Rate control Access by third party services OAuth History Why is it needed? What is it? How does it work? When is it required? App Center Apps Offer the ultimate try now UX Provisioning ā€“ Application - Deprovisioning | Exact Connect event 2015 | More clients with OAuth

7 CLOUD SECURITY Explain cloud security. Time: 10 min.
| Exact Connect event 2015 | More clients with OAuth Explain cloud security. Time: 10 min.

8 CLOUD SECURITY Introduction (1/2)
Development teams Customers\Partners Support\Marketing\Legal Operations\Infra\... Balancing act: Security Functionality Ease of use Security Functionality Ease of use | Exact Connect event 2015 | More clients with OAuth My focus is on the development teams: Enabling them to build secure software in the most efficient way Of course there are more parties and everyone of them has different priorities and might aim for a different value For Exact: Security is key > so how do you embed that in the organization?

9 CLOUD SECURITY Introduction (2/2)
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost Training Requirem-ents Design Implemen-tation Verification Release Response Technology and Process Education Accountability | Exact Connect event 2015 | More clients with OAuth Early 2002 Microsoft came up with a way to efficiently build more secure software Costs to fix increase dramatically with each phase so tackle them as soon as possible Seven phases, each phase has itā€™s own action points Everything we do to improve our security level fits in one of these phases

10 CLOUD SECURITY Web Application Security (1/2)
Traditional approach: Protect your perimeter Obviously you still protect your infrastructure But you open up to the outside world via the application Attacks on application layer increase Not only your own application OWASP Top 10 Development team needs to be aware and capable Security is not complete when the OWASP Top 10 is covered | Exact Connect event 2015 | More clients with OAuth Protect your perimeter: Maybe it works for a local intranet but there are always inside threats Also on OS\Frameworks\Infra etc.: Last week: Vulnerability in HTTP.sys Could Allow Remote Code Execution ( ) Or via side channels: Attack Exact Online via a partner\supplier channel Open Web Application Security Project (OWASP)Ā  Top 10: Shows the top 10 Most Critical Web Application Security Risks

11 CLOUD SECURITY Web Application Security (2/2)
Train your developers Improve their skills Change their mindset Threat model your application\service A process to understand security threats to a system, determine risks from those threats, and establish appropriate mitigations Always verify: Automated source scans Automated penetrations test Security audits | Exact Connect event 2015 | More clients with OAuth For example the OWASP top 10 > improve skills Easy to loose focus when building functionality but how can you abuse it? Threat modelling helps setting the mindset, identifying threat and mitigate them in a structured way But no matter how good you are, thereā€™s always a chance something slips through so VERIFY

12 CLOUD SECURITY Rate control
Shared infrastructure that needs to be protected Define fair use How to act? | Exact Connect event 2015 | More clients with OAuth A lot of devices are accessing Exact Online and they should not affect the performance of the environment Each device has itā€™s own goals but what is fair use calls per second for one administration? What if you have 10\100\1000 administrations? What if you applications contains a bug and executes a lot of requests? Act: Warn, block? Block on IP? Shared data centers\proxies, you donā€™t want to block valid users Something weā€™ll continue to investigate in 2015 Image source:

13 CLOUD SECURITY Access by third party services
Traditionally credentials are used by third party services Who is using those credentials? What can you do with those credentials? Protect our users and offer a transparent way of working with third party services Offer partners a standardized way of connecting to Exact Online | Exact Connect event 2015 | More clients with OAuth As a cloud solution you want services to connect but how?

14 ā€˜OH-OAUTHā€™ Explain OAuth. Time: 18 min.
| Exact Connect event 2015 | More clients with OAuth Explain OAuth. Time: 18 min.

15 OAUTH History November 2006: December 2007 April 2010 October 2012
Research started to use OpenID with Twitter API to delegate authentication No open standard for API access delegation December 2007 OAuth Core 1.0 specification released April 2010 OAuth 1.0 Protocol published October 2012 OAuth 2.0 Framework published August 2013 OAuth 2.0 for Exact Online released (ready in April 2013) | Exact Connect event 2015 | More clients with OAuth Explain history. Time: 0,5 min.

16 OAUTH Why is it needed? Credential storage in 3rd party applications
Get access to all protected data for unlimited duration Access can only be revoked for all 3rd party applications by changing credentials Compromise 3rd party application results in compromise credentials and all its protected data Multiple or re-use of credentials | Exact Connect event 2015 | More clients with OAuth Explain disadvantages of traditional credential-based authentication / authorization. Time: 1 min.

17 OAUTH Introduction Open standard for authorization
Only keep track of one set of credentials for a popular provider Provides application secure delegated access to protected data Authenticate users via trusted provider like Google, Twitter, GitHub, etc. Optimize sign-up flows to onboard users faster | Exact Connect event 2015 | More clients with OAuth Explain most important advantages of OAuth. Time: 1 min.

18 OAUTH Definitions Protected resource Resource owner = USER
Data to be protected by OAuth Resource owner = USER User granting access to protected resource Resource server Server hosting protected resources accessible by access tokens Client = APP Application accessing protected resources based on resource owner authorization Authorization server Server issuing acccess tokens to client based on authenticated resource owner and its authorization Tokens Used instead of user credentials to access protected resources | Exact Connect event 2015 | More clients with OAuth Explain OAuth definitions. Time: 1 min.

19 OAUTH Process Explain process by live example. Time: 10 min.
| Exact Connect event 2015 | More clients with OAuth Explain process by live example. Time: 10 min. first OAuth registration needs to be authorization server ask 5 people for all roles: resource owner (user) ā€“ resource server ā€“ protected resource ā€“ client (app) ā€“ authorization server Story User wants to use app to do e.g. time registration App wants to access protected resources of user like e.g. date of birth App redirects user to authorization server Authorization server ask for authentication and access authorization Authorization server redirects user to app with authorization code App exchanges authorization code for access token / refresh token App requests protected resource data from resource server Resource server responds with protected resource data App exchanges refresh token for new access token

20 OAUTH Flow diagram | Exact Connect event 2015 | More clients with OAuth Only highlight this is available in our developer documentation. Time: 0,1 min.

21 OAUTH Authorization grant types
Authorization grant is a credential representing the user's authorization To access its protected resources Used by the app to obtain access token 4 grant types Authorization code Implicit simplified authorization code flow optimized for script-based browser apps app is issued access token directly no authorization code issued (app not authenticated) User credentials obtain access token based on credentials high degree of trust between app and user (privileged app) credentials used for single request to exchange for access token App credentials protected resources under control of app authorization previously arranged Security Functionality Ease of use 1 2 3 4 | Exact Connect event 2015 | More clients with OAuth Explain other OAuth grant types and which ones Exact Online support. Time: 1 min.

22 OAUTH Integration cases
CLOUD token management in app best OAuth implementation BACKEND OAuth service: UI token management link OAuth service with backend service customized OAuth implementation MOBILE token management in app embedded webview OR system webbrowser ON-PREMISE token management in app embedded webview OR system webbrowser | Exact Connect event 2015 | More clients with OAuth Explain (dis)advantges between different web clients. Time: 2 min. Cross-platform ā€“ Embedded WebViews + authorization screen in full screen + not too much context switching - uses different cookie store, so not logged in this view (credentials need to be re-entered) - standard browser prone not visible: no indicators for SSL and certificate validation Cross-platform ā€“ System web browser + user is usually already logged in, only authorize access - standard browser: some context switching - for user is doesnā€™t look like they are still inside your app - difficult to communicate access token / authorization code back to app

23 OAUTH How do we help? We offer client library
Currently only .NET Source code available on GitHub: Rewrite to the library you require? initiate a pull request commit new library Other client libraries (to be build): PHP, Python, JAVA, JavaScript, ā€¦ Google is your friend ;-) OAuth 2.0 Playground Lotā€™s of articles, videoā€™s, etc. Exact Online supports OAuth2.0 specification, grant types: authorization code Implicit API support specialists team webrequest via Exact Online partner account | Exact Connect event 2015 | More clients with OAuth Explain how we help in OAuth implementation. Time: 0,5 min.

24 OAUTH Migration Deprecated authentication services
Basic Form-based Standard authentication service OAuth Deadline: 1st of August 2015 Migration help Partner Customer .NET Client SDK | Exact Connect event 2015 | More clients with OAuth Highlight migration process, currently started. Time: 0,5 min.

25 REQUEST FLOWS Explain OAuth request flow (technical). Time: 2 min.
| Exact Connect event 2015 | More clients with OAuth Explain OAuth request flow (technical). Time: 2 min.

26 OAUTH Request flow ā€“ authorization request
Step 1: app re-directs the user Generate URL Re-direct the user over to this URL Auth request with redirect_uri ../api/oauth2/auth? client_id={b81cc4de-d e-bcb c52a}& redirect_uri= response_type=code URL | Exact Connect event 2015 | More clients with OAuth Explain authorization request. Time: 0,2 min.

27 OAUTH Request flow ā€“ authorization request
Step 2a: user authorizes access Authenticate user Authorize app access Step 2b: user is redirected back to the app Request made to redirect_uri with authorization code code=0-ec!IAAAAGXemi5fmLHLD5yHXEDXOPFh6Iaā€¦ URL | Exact Connect event 2015 | More clients with OAuth Explain authorization request. Time: 0,3 min.

28 OAUTH Request flow ā€“ token request
Step 3: app exchanges authorization code for access token Generate URL Token request with authorization code Response contains: access token (with expire time) refresh token POST ../api/oauth2/token HTTP/1.1 Host: start.exactonline.nl Content-Type: application/x-www-form-urlencoded code=0-ec!IAAAAGXemi5fmLHLD5yHXEDXOPFh6Iaā€¦& redirect_uri= grant_type=authorization_code& client_id={b81cc4de-d e-bcb c52a}& client_secret=n3G7KAhcv8OH HTTP REQUEST { "access_token":"AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGaā€¦", "token_type":ā€œBearer", "expires_in":600, "refresh_token":"Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ssā€¦" } HTTP RESPONSE | Exact Connect event 2015 | More clients with OAuth Explain token request. Time: 0,5 min.

29 OAUTH Request flow ā€“ token request
Step 4: app exchanges refresh token for a new access token Token has expired After failure In advance (client library) POST ../api/oauth2/token HTTP/1.1 Host: start.exactonline.nl Content-Type: application/x-www-form-urlencoded refresh_token=Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ssā€¦& grant_type=refresh_token& client_id={b81cc4de-d e-bcb c52a}& client_secret=n3G7KAhcv8OH HTTP REQUEST { "access_token":"AAEAABIKSw2E5nHI8lhwdM4iEV4RPdxLgThZjā€¦", "token_type":ā€œBearer", "expires_in":600, "refresh_token":"__1P!IAAAACpjBagWscm76YIGMY3526T3dIKā€¦" } HTTP RESPONSE | Exact Connect event 2015 | More clients with OAuth Explain token request. Time: 0,5 min.

30 OAUTH Request flow ā€“ API request
Call the API by using access tokens Use authorization header whenever possible very rarely logged in web server log very rarely logged in by proxy server rarely cached GET .. /api/v1/63829/crm/Accounts HTTP/1.1 Host: start.exactonline.nl Authorization: Bearer AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGaā€¦ HTTP REQUEST { "d": [ "__metadata": { "uri": " "type": "Exact.Web.Api.Models.Account" }, "ID": "7e3cab5a d-14a29c5a834b", "Name": "Senser Ltd." } ] HTTP RESPONSE | Exact Connect event 2015 | More clients with OAuth Explain token request. Time: 0,5 min.

31 APP CENTER APPS Explain Try Now wizards based on OAuth Time: 10 min.
| Exact Connect event 2015 | More clients with OAuth Explain Try Now wizards based on OAuth Time: 10 min.

32 APP CENTER APPS Offer the ultimate try now UX
Step #1 Step #2 Step #3 make it faster and easier to onboard users securely get a unique, stable user identifier (no address) personalize your site | Exact Connect event 2015 | More clients with OAuth

33 APP CENTER APPS Provisioning flow
explain functionality of app explain app proposition(s) explain trial period / pricing model | Exact Connect event 2015 | More clients with OAuth

34 APP CENTER APPS Provisioning flow
explain why connection needs to be setup create connection with Exact Online user authorizes access app access is similar to user access in Exact Online (roles & rights) | Exact Connect event 2015 | More clients with OAuth

35 APP CENTER APPS Provisioning flow
explain why an account will be created retrieve Exact Online account data ../api/v1/current/Me automatically setup app account use e.g. Exact Online UserID as identification key | Exact Connect event 2015 | More clients with OAuth

36 APP CENTER APPS Provisioning flow
explain why company needs to be selected explain why settings must be configured retrieve Exact Online master data select company configure settings (G/L Accounts, VAT, ā€¦) | Exact Connect event 2015 | More clients with OAuth

37 APP CENTER APPS Provisioning flow
explain app is connected trial period commercial model after trial confirmation mail which data to be synschronized synchronization times of data how to get support after ā€˜DONEā€™ continue to App Center or Partner App platform | Exact Connect event 2015 | More clients with OAuth

38 APP CENTER APPS Application flow
start app in Exact Online App Center * validate Exact Online User ID with App User ID ** start app directly as signed-in user ../api/v1/current/Me * app can also be started from other platforms ** configured during provisioning flow | Exact Connect event 2015 | More clients with OAuth

39 APP CENTER APPS Deprovisioning flow
connection with Exact Online user is directly deactivated * explain consequences contract termination restore connection with Exact Online user? * deactivation directly processed by Exact Online App Center | Exact Connect event 2015 | More clients with OAuth

40 APP CENTER APPS Deprovisioning flow
connection restored explain connection restored for Exact Online user after ā€˜DONEā€™ continue to App Center or Partner App platform | Exact Connect event 2015 | More clients with OAuth

41 APP CENTER APPS Deprovisioning flow
explain final invoice show contract termination invoice deactivate app account | Exact Connect event 2015 | More clients with OAuth

42 APP CENTER APPS Deprovisioning flow
explain app is disconnected, account deactivated ask for feedback: why stop using? after ā€˜DONEā€™ continue to App Center | Exact Connect event 2015 | More clients with OAuth

43 Thank you

44 Focus on whatā€™s next

Download ppt "- Exact Connect event 2015."

Similar presentations

Introducingā€¦ elementool Issue Tracking The Worldā€™s First Web-Based Issue Tracking Software.

Introducingā€¦ elementool Issue Tracking The Worldā€™s First Web-Based Issue Tracking Software.
OAuth 2.0 By ā€œPJā€ (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By ā€œPJā€ (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
Contrail and Federated Identity Management

Contrail and Federated Identity Management
System Center 2012 R2 Overview

System Center 2012 R2 Overview
Ā© 2014 Cognizant 4 th March 2015 MBaaS: Mobile Backend as a Service Pablo GutiĆ©rrez / Senior Mobility developer.

Ā© 2014 Cognizant 4 th March 2015 MBaaS: Mobile Backend as a Service Pablo GutiĆ©rrez / Senior Mobility developer.
The Alfresco API Steven Glover Gethin James Peter Monks.

The Alfresco API Steven Glover Gethin James Peter Monks.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Donā€™t Let Anybody Slip into Your Network! Using the Login People Multi-Factor Authentication Server Means No Tokens, No OTP, No SMS, No Certificates MICROSOFT.

Donā€™t Let Anybody Slip into Your Network! Using the Login People Multi-Factor Authentication Server Means No Tokens, No OTP, No SMS, No Certificates MICROSOFT.
Unified Logs and Reporting for Hybrid Centralized Management

Unified Logs and Reporting for Hybrid Centralized Management
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8ā€“12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8ā€“12, 2013 | San Diego, California Building Secure Applications.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Google App Engine Google APIs OAuth Facebook Graph API

Google App Engine Google APIs OAuth Facebook Graph API
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
CensorNet Ltd An introduction to CensorNet Mailsafe Presented by: XXXXXXXX Product Manager Tel: XXXXXXXXXXXXX.

CensorNet Ltd An introduction to CensorNet Mailsafe Presented by: XXXXXXXX Product Manager Tel: XXXXXXXXXXXXX.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

Similar presentations

Ads by Google