Incorporating OAuth

How to incorporate OAuth 2 into a mobile application, with an example of an Android app created with PhoneGap and jQuery Mobile

  1. Incorporating OAuth
     How to integrate OAuth into your mobile app
     By Travis Spencer, CEO
     @travisspencer, @2botech
     Copyright © 2013 Twobo Technologies AB. All rights reserved
  2. Agenda
     • The security challenge in context
     • Neo-security stack
     • OAuth basics
     • Overview of other layers
  3. Crucial Security Concerns
     (Diagram: Enterprise Security, API Security, Mobile Security)
  4. Identity is Central
     (Venn diagram by Gunnar Peterson: MDM, MAM, AuthZ, Mobile Security, API Security, Enterprise Security, Identity)
  5. Neo-security Stack
     • SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
     • OAuth 2 is the new meta-protocol defining how tokens are handled
     • These address old requirements, solve new problems & are composed in useful ways
     (Diagram: Grandpa SAML & junior OpenID Connect)
  6. OAuth Actors
     • Client
     • Authorization Server (AS)
     • Resource Server (RS) (i.e., API)
     • Resource Owner (RO)
     (Diagram: the client gets a token from the AS and uses the token at the RS)
  7. OAuth Mobile App Flow
     (Diagram)
  8. Request Authorization
     (Diagram)
  9. Authenticate & Authorize
     (Diagram)
  10. Register Custom Scheme in App
      <activity android:name=".CallbackActivity" …>
        <intent-filter>
          <data android:scheme="twobo" />
          …
        </intent-filter>
      </activity>
  11. Callback to Custom Scheme
      In the OAuth server, configure the callback to the scheme that was registered
  12. Exchange Code for Token
      (Diagram: AC)
  13. Calling the Token Endpoint
      var data = {
        "client_id" : clientId,
        "client_secret" : clientSecret,
        "code" : code,
        "grant_type" : "authorization_code",
        // response_type is an authorization-endpoint parameter; the token endpoint ignores it
        "response_type" : "token"
      };
      $.post(tokenEndpoint, data, processAccessToken, "json");
      (Diagram: AC exchanged for AT, RT)
  14. Tokens are Often JWTs
      • Pronounced like the English word "jot"
      • Lightweight tokens passed in HTTP headers & query strings
      • Akin to SAML tokens, but: less expressive, fewer security options, more compact, encoded with JSON, not XML
  15. Calling the API
      Provide the AT to the API according to the bearer token profile
      $.ajax({
        url: apiEndpoint,
        dataType: "json",
        headers: { "Authorization": "Bearer " + accessToken },
        success: processResults
      });
  16. API May Validate Token
      # Python 2 (urllib2); method body as shown on the slide, the grant_type value is elided there
      import urllib
      import urllib2

      def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
          values = {
              "client_id" : clientId,
              "client_secret" : clientSecret,
              "grant_type" : "…",
              "token" : accessToken,
          }
          # POST the token to the AS and hand back the response for the caller to inspect
          request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
          return urllib2.urlopen(request)
  17. App Consumes API Data
      • App should only present AT to API
      • Never send RT to API
      • Use RT to get new AT if AT expires
      • App can't use AT to determine anything about user
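A small token-holding API client that enforces the rules of slides 15 and 17 (only the AT goes to the API as a bearer header, the RT goes only to the token endpoint, and the RT is used to get a new AT when the AT expires or the API answers 401). This is an added example, not from the deck and not Twobo's code. The HTTP transport is injected as a synchronous function so the block runs offline; the token endpoint, client_id and the stand-in transport are constructed.

```javascript
// Added example: client-side token handling for slides 15 and 17.
// tokenEndpoint, clientId and the transport are assumed / constructed values.
function createApiClient({ tokenEndpoint, clientId, transport, now = () => Math.floor(Date.now() / 1000) }) {
  const LEEWAY = 30; // refresh slightly before the AT actually expires
  let accessToken = null;
  let refreshToken = null;
  let expiresAt = 0;

  // Accept a token response from the token endpoint (slide 13 or a refresh).
  function storeTokens(tokenResponse) {
    accessToken = tokenResponse.access_token;
    expiresAt = now() + (tokenResponse.expires_in || 0);
    if (tokenResponse.refresh_token) refreshToken = tokenResponse.refresh_token; // rotation-aware
  }

  // The RT is only ever sent here, to the token endpoint.
  function refresh() {
    if (!refreshToken) throw new Error("no refresh token; user must re-authorize");
    const body = new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: refreshToken,
      client_id: clientId,
    }).toString();
    const resp = transport(tokenEndpoint, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body,
    });
    if (resp.status !== 200) throw new Error("refresh failed with HTTP " + resp.status);
    storeTokens(resp.json);
  }

  // Slide 15: bearer header with the AT only; slide 17: refresh on expiry or 401.
  function call(url, options = {}) {
    if (!accessToken || now() >= expiresAt - LEEWAY) refresh();
    const send = () => transport(url, {
      ...options,
      headers: { ...(options.headers || {}), Authorization: "Bearer " + accessToken },
    });
    let resp = send();
    if (resp.status === 401) {
      refresh();
      resp = send();
    }
    return resp;
  }

  return { storeTokens, call };
}

// Constructed stand-in for the network (not a real AS or API): records every
// request so the caller can check what was sent where. Any AT it minted is
// accepted by the "API"; anything else gets a 401.
function fakeTransport() {
  const log = [];
  let counter = 0;
  const fn = (url, opts) => {
    log.push({ url, opts });
    if (url.endsWith("/token")) {
      counter += 1;
      return { status: 200, json: { access_token: "AT" + counter, refresh_token: "RT" + counter, expires_in: 3600 } };
    }
    const auth = (opts.headers || {}).Authorization || "";
    return auth.startsWith("Bearer AT") ? { status: 200, json: { ok: true } } : { status: 401, json: {} };
  };
  fn.log = log;
  return fn;
}
```

The separation of `refresh` (talks only to the token endpoint) from `call` (talks only to the API) is what makes "never send the RT to the API" a structural property rather than a convention; the 401 path covers the case where the AT was revoked before its advertised expiry.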
  18. Overview of OpenID Connect
      • Builds on OAuth for profile sharing
      • Uses the flows optimized for user-consent scenarios
      • Adds identity-based inputs/outputs to core OAuth messages
      • Tokens are JWTs
  19. What OAuth is and is not for
      • Not for authentication
      • Not really for authorization
      • For delegation
  20. Questions & Thanks
      @2botech, @travisspencer
      www.2botech.com, travisspencer.com