
Incorporating OAuth

How to incorporate OAuth 2 into a mobile application with an example of an Android app created with PhoneGap and JQuery Mobile

Published in: Technology


Transcript

  • 1. Incorporating OAuth
    How to integrate OAuth into your mobile app
    By Travis Spencer, CEO
    @travisspencer, @2botech
    Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 2. Agenda
    - The security challenge in context
    - Neo-security stack
    - OAuth basics
    - Overview of other layers
  • 3. Crucial Security Concerns
    (Venn diagram: Enterprise Security, API Security, Mobile Security)
  • 4. Identity is Central
    (Venn diagram by Gunnar Peterson: Mobile Security, API Security and Enterprise Security, with MDM, MAM and AuthZ in the overlaps and Identity at the centre)
  • 5. Neo-security Stack
    - SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
    - OAuth 2 is the new meta-protocol defining how tokens are handled
    - These address old requirements, solve new problems & are composed in useful ways
    (illustration captioned: Grandpa SAML & junior OpenID Connect)
  • 6. OAuth Actors
    - Client
    - Authorization Server (AS)
    - Resource Server (RS) (i.e., the API)
    - Resource Owner (RO)
    (diagram: the client gets a token from the AS and uses the token at the RS)
  • 7. OAuth Mobile App Flow
    (diagram)
  • 8. Request Authorization
    (diagram)
  • 9. Authenticate & Authorize
    (diagram)
  • 10. Register Custom Scheme in App
      <activity android:name=".CallbackActivity" …>
        <intent-filter>
          <data android:scheme="twobo" />
          …
        </intent-filter>
      </activity>
  • 11. Callback to Custom Scheme
    In the OAuth server, configure the callback (redirect URI) to use the scheme that was registered in the app. Any app on the device can register the same scheme, so the app should tie an incoming callback to the request it started (for example with the state parameter) rather than trust any code that is delivered to it.
  • 12. Exchange Code for Token
    (diagram: the client presents the authorization code, AC, to the AS)
  • 13. Calling the Token Endpoint
      // Back-channel POST of the authorization code to the AS; the JSON
      // response carries the access token (AT) and refresh token (RT).
      var data = {
        "client_id"     : clientId,
        "client_secret" : clientSecret,   // see the note below
        "code"          : code,
        "grant_type"    : "authorization_code"
      };
      $.post(tokenEndpoint, data, processAccessToken, "json");
    The original slide also sent "response_type": "token"; that is an authorization-endpoint parameter with no meaning at the token endpoint, so it is dropped here. If redirect_uri was included in the authorization request, RFC 6749 requires the same value in this request as well. Note also that an app shipped to phones cannot keep client_secret confidential: OAuth 2 treats such a native app as a public client, and current practice for native apps (RFC 8252) protects the code exchange with PKCE (RFC 7636) instead of a secret.
    (diagram: AC in, AT and RT out)
  • 14. Tokens are Often JWTs
    - Pronounced like the English word "jot"
    - Lightweight tokens passed in HTTP headers & query strings (query strings end up in server logs and Referer headers, so the Authorization header is the safer of the two)
    - Akin to SAML tokens: less expressive, fewer security options, more compact, encoded with JSON not XML
  • 15. Calling the API
    Provide the AT to the API according to the bearer token profile (RFC 6750)
      $.ajax({
        url: apiEndpoint,
        dataType: "json",
        headers: { "Authorization": "Bearer " + accessToken },
        success: processResults
      });
  • 16. API May Validate Token
      # Python 2 (urllib2). The API asks the AS whether the access token it
      # received is valid instead of inspecting the token itself.
      import urllib
      import urllib2

      def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
          values = {
              "client_id"     : clientId,
              "client_secret" : clientSecret,
              "grant_type"    : "…",          # elided on the original slide
              "token"         : accessToken,
          }
          request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
          return urllib2.urlopen(request)
  • 17. App Consumes API Data
    - App should only present the AT to the API
    - Never send the RT to the API
    - Use the RT to get a new AT if the AT expires
    - App can't use the AT to determine anything about the user
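The rules on this slide as code, as an added example that is not from the slides or from Twobo: a client wrapper in which the API only ever receives the access token, and a 401 with an invalid_token challenge triggers one refresh-token grant at the token endpoint (and nowhere else) followed by a single retry. The transport is injected and synchronous, and a constructed fake AS and API stand in for the network so the example runs offline; the endpoint URLs, client id and token strings are assumptions.

```javascript
// Added example, not code from the slides: enforcing slide 17 in the client.
// The transport is injected so the wrapper can be run against the constructed
// fake backend below. Endpoint URLs, client id and token values are assumed.
"use strict";

const TOKEN_ENDPOINT = "https://as.example.com/oauth/token"; // assumed
const API_ENDPOINT = "https://api.example.com/v1/items";     // assumed
const CLIENT_ID = "twobo-mobile";                            // assumed

// transport(req) -> { status, headers, body }; synchronous here for brevity.
function createApiClient(transport, tokens) {
  // tokens = { accessToken, refreshToken }, held only in this closure.
  function refresh() {
    const res = transport({
      method: "POST",
      url: TOKEN_ENDPOINT,
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({
        grant_type: "refresh_token",
        refresh_token: tokens.refreshToken,
        client_id: CLIENT_ID, // public client: no client_secret
      }).toString(),
    });
    if (res.status !== 200) {
      throw new Error("refresh failed (" + res.status + "); the user must authorize again");
    }
    const json = JSON.parse(res.body);
    tokens.accessToken = json.access_token;
    if (json.refresh_token) tokens.refreshToken = json.refresh_token; // AS may rotate RTs
  }

  function callApi(url) {
    const send = () => transport({
      method: "GET",
      url: url,
      headers: { Authorization: "Bearer " + tokens.accessToken }, // AT only, never the RT
    });
    let res = send();
    const challenge = res.headers["WWW-Authenticate"] || "";
    if (res.status === 401 && /error="invalid_token"/.test(challenge)) {
      refresh();
      res = send(); // retry exactly once; a second 401 is a real failure
    }
    if (res.status !== 200) throw new Error("API call failed with status " + res.status);
    return JSON.parse(res.body);
  }

  return { callApi: callApi };
}

// Constructed stand-in for the AS token endpoint and the API. It records what
// each side received so the client's behaviour can be checked.
function createFakeBackend() {
  const validAccessTokens = new Set(["at-1"]);
  const log = { apiAuthHeaders: [], refreshCalls: 0 };
  let issued = 1;

  function transport(req) {
    if (req.url === TOKEN_ENDPOINT) {
      const form = new URLSearchParams(req.body);
      if (form.get("grant_type") !== "refresh_token" || form.get("refresh_token") !== "rt-1") {
        return { status: 400, headers: {}, body: JSON.stringify({ error: "invalid_grant" }) };
      }
      log.refreshCalls += 1;
      issued += 1;
      const accessToken = "at-" + issued;
      validAccessTokens.add(accessToken);
      return { status: 200, headers: {}, body: JSON.stringify({ access_token: accessToken, token_type: "Bearer", expires_in: 3600 }) };
    }
    // Everything else is the API (RS): bearer-token check as in RFC 6750.
    const auth = req.headers.Authorization || "";
    log.apiAuthHeaders.push(auth);
    const presented = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    if (!validAccessTokens.has(presented)) {
      return { status: 401, headers: { "WWW-Authenticate": 'Bearer error="invalid_token"' }, body: "" };
    }
    return { status: 200, headers: {}, body: JSON.stringify({ items: ["a", "b"], token: presented }) };
  }

  return { transport: transport, log: log, expire: (t) => validAccessTokens.delete(t) };
}
```

Retrying once and then giving up matters: a refresh that keeps failing means the grant was revoked or the RT rotated away, and the right response is to send the user back through the authorization flow rather than loop.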
  • 18. Overview of OpenID Connect
    - Builds on OAuth for profile sharing
    - Uses the flows optimized for user-consent scenarios
    - Adds identity-based inputs/outputs to core OAuth messages
    - Tokens are JWTs
  • 19. What OAuth is and is not for
    - Not for authentication
    - Not really for authorization
    - For delegation
  • 20. Questions & Thanks
    @2botech, @travisspencer
    www.2botech.com
    travisspencer.com
