1. OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext

2. Why study about OAuth?

3. Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.pnghttp://rainbowseo.com/wp-content/uploads/2012/06/smm.png Do you care about these or Similar Sites?

4. Browser Mashups Facebook LinkedIn Foursquare Twitter Http Access Api Access

5. 7155 APIs listed on http://ProgrammableWeb.com http://ProgrammableWeb.com

6. 390 APIs on http://ProgrammableWeb.com support OAuthhttp://ProgrammableWeb.com

7. Security Closed Open AuthenticationAuthorization

8. OAuth In a Nut Shell Can I have your Debit Card and ATM Pin?

9. OAuth In a Nut Shell Can I have your Credit Card?

10. OAuth Practical Example Disclaimer before you read ahead: All product names and people names used in the following slides are not entirely accurate. They are only placeholders to explain the concept. None of that information should assumed to be correct or incorrect.

11. Without OAuth

14. Lets Start Again

15. With OAuth

16. URL changed to http://picasa.com

17. With OAuth URL is http://picasa.com URL is http://picasa.com

18. With OAuth URL changed to http://picasa.com with code parameter URL changed to http://picasa.com with code parameter

19. With OAuth

20. OAuth 2.0 Flow in Depth

21. Scenario BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa

22. Roles BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa Resource Server Authorization Server Client

23. Roles BOB Picasa Print-Fast Owns Wants to integrate with Google Services e.g Picasa Resource Server Authorization Server Client David Resource Owner

24. Client Registration BOB Picasa Print-Fast Owns Client Registers with Authorization Server Resource Server Authorization Server Client Client_Id=print-fast Client_Secret=xxx Redirect_Url = http://print-fast.com

25. OAuth Flows/Grant Types Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant

26. Step 1 – Get Authorization Grant

27. Authorization RequestAuthorization Grant URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=code

28. Authorization Grant Authorization Grant Code = ase34

29. Client Resource Owner Authorization Server Resource Server Authorization Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Authorization Grant Protocol Flow David Print-Fast code = ase34

30. Step 2 – Exchange for Access Token

31. Print-Fast Authorization Server Client code = ase34 Code = ase34 Client_Id=print-fast Client_Secret=xxx access_token = x3e4

32. Client Resource Owner Authorization Server Resource Server Protocol Flow David Print-Fast Authorization Grant code = ase34 Client_Id=print-fast Client_Secret=xxx Access Token access_token= x3e4

33. Step 3 – Access Protected Resources

34. Print-Fast Authorization Server Client code = ase34 Code = ase34 Client_Id=print-fast Client_Secret=xxx access_token = x3e4 Picasa http://picasa.com/..../usr133/photos [“http://…/DSC34.jpg”, “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]

35. Client Resource Owner Authorization Server Resource Server Protocol Flow David Print-Fast Access Token Protected Resource access_token = x3e4 [“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”] Picasa

36. Complete Flow at Once

37. Client Resource Owner Authorization Server Resource Server Authorization Request Authorization Grant Access Token Protected Resource Protocol Flow

38. With Refresh Token

39. Client Authorization Server Resource Server Access Grant & Client Credentials Access Token & Refresh Token Access Token Protected Resource Protocol Flow Access Token Invalid Token Error Refresh Token & Client Credentials Access Token & Optional Refresh Token

40. Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant OAuth Flows/Grant Types

41. Step 1 – Get Access Token

42. Implicit Grant RequestImplicit Grant URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=token

43. Implicit Grant Access token = x3e4

44. Client Resource Owner Authorization Server Resource Server Implicit Grant Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Access Token Protocol Flow David Print-Fast access_token= x3e4 Picasa

45. Step 2 – Access Protected Resources

46. access_token = x3e4 Picasa http://picasa.com/..../usr133/photos [“http://…/DSC34.jpg”, “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]

47. Client Resource Owner Resource Server Protocol Flow Meant for Pure Browser based Applications Access Token Protected Resource access_token = x3e4 [“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”] David Picasa

48. Complete Flow at Once

49. Client Resource Owner Resource Server Authorization Request Access Token Protected Resource Protocol Flow

50. Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant OAuth Flows/Grant Types

51. Client Authorization Server Resource Server Username/Pas sword Access Token with Optional Refresh Token Access Token Protected Resource Protocol Flow Resource Owner Resource Owner Credentials & Client Credentials Davi d Picasa Picasa – Desktop Client

52. Use Cases Strong Trust between Resource Owner and Client e.g Operating System or Privileged App Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided Example – Salesforce OAuth has provision for this

53. Authorization Code Grant Implicit Grant Resource Owner Password Credentials Grant Client Credentials Grant Grant Types

54. Client Authorization Server Resource Server Access Token with Optional Refresh Token Access Token Protected Resource Protocol Flow Client Credentials

55. Use case The Data accessed is not owned by Resource Owner, but by the Client Say Skype showing statistics of uptime of its services

56. Use case There is contract already set between the Client and the Authorization Server E.g Google Apps Marketspace An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.

57. OAuth from Mobile Device

58. Popular Approaches Using User Agent (Stock Browser) Using Embedded WebView

60. Disclaimer Following slides are extracted from http://www.slideshare.net/briandavidcampbe ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices http://www.slideshare.net/briandavidcampbe ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices I have no claim on the following slides with reference stated in them Thank you Brian Campbell for the excellent presentation

61. Request Authorization  When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint Device Native App Browser 1 Cloud! 1 Authorization Endpoint Token Endpoint Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @ "https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status" ; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]]; NSString* launchUrl = @ "https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status" ; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]]; https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type =code&scope=update_status Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

62. Authenticate and Approve  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. Device Native App Browser Cloud! 2 Authorization Endpoint Token Endpoint Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

63. Approve Device Native App Browser Cloud! 2 Authorization Endpoint Token Endpoint  User approves the requested access Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

64. Handle Callback Server returns control to the app via HTTP redirection and includes an authorization code HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA Device Native App Browser Cloud! 3 Authorization Endpoint Token Endpoint Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

65. Handle Callback (cont’d) Registering a custom URI scheme String authzCode = getIntent().getData().getQueryParameter("code"); Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 3 In AndroidManifest.xml file: Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

66. - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"];... - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"];... Handle Callback (cont’d) Registering a custom URI scheme Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 3 In app info plist file: Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

67. POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Trade Code for Token(s) Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 4 HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” } HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” } Token Endpoint Request Token Endpoint Response Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

68. POST /api/update-status HTTP/1.1 Host: rs.example.com Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. POST /api/update-status HTTP/1.1 Host: rs.example.com Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. Using an Access Token Device Native App Browser Cloud! Authorization Endpoint Token Endpoint 5 NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken); DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-deviceshttp://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me- oauth-20-and-mobile-devices

69. Pros and Cons Pros – User may be already logged in most cases – User will trust as he/she sees https and domain name Cons – Complicated Custom URI schema

70. Popular Approaches Using User Agent (Stock Browser) Using Embedded WebView

72. Pros and Cons Pros – Easier to monitor pages and extract authorization or access codes Cons – May not appeal since neither https or domain name is visible – WebView has separate cookie and history leading to client entering credentials each time

73. Reference Book – Getting Started with OAuth 2.0Getting Started with OAuth 2.0 Facebook Documentation Google Documentation Brian David Campbell’s Presentation