Who Are You 20120922
Best practices for login (authentication) from the web-app era are not directly applicable in the mobile world. If you run native apps with RESTful web services in the backend, a session cookie is no longer such an obvious solution.

We will look at which options exist and how the question is addressed at some larger sites/services around the world.

Published in: Technology
  1. Who Are You? CSI @mjidhage. 2011-05-06. © Copyright Omegapoint AB 2011. Saturday, September 22, 12
  2. Detour
  3. Outline (diagram): start, REST, AUTH, ?, OAUTH, CASE, SUM, stop
  4. REST
     • wiki: a style of software architecture for distributed systems
     • Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface
     “Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web”
  5. REST – Richardson Maturity Model
     • Level 0: SOAP, XML RPC, POX – Single URI
     • Level 1: URI Tunnelling – Many URIs, Single verb
     • Level 2: Many URIs, many verbs – CRUD services (e.g. Amazon S3)
     • Level 3: Level 2 + Hypermedia – RESTful Service, HATEOAS
  6. What’s the problem? “The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.”
  7. Authentication?
     • Identification
     • Authentication
     • Authorization
  8. Authentication + REST
     • Basic Authentication – send user+pass, base64 enc. in HTTP Header
     • Digest Authentication – hashed user+pass+other stuff in HTTP Header
     • Client Certificates – sign content with the client private key
     • NTLM/SPNEGO – didn’t bother, no news since 2005
     • Session based – classic form based login and a session id (cookie, URL, hidden)
     • Token based – OpenID, SAML, OAuth
  9. What to choose?
  10. Scope cut (matrix): internal / external; web client / smartphone
  11. Authentication + REST (after the scope cut)
     • Basic Authentication – send user+pass, base64 enc. in HTTP Header
     • Digest Authentication – hashed user+pass+other stuff in HTTP Header
     • Client Certificates – sign with the client private key
     • NTLM/SPNEGO – didn’t bother, no news since 2005
     • Session based – form based login
     • Token based – OpenID, SAML, OAuth
  12. Basic Authentication
     HTTP Header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
     Benefits: Simple. Libraries available for every occasion. Tested.
     Problems:
     • Password sharing anti-pattern – users get trained to give the password away
     • The app or site stores the password – a stolen device has user/pass locally stored, a hacked site too
     • No access granularity – it’s all or nothing
     • Access revocation is a manual process – and universal
     • A mistake in HTTPS leaks user/pass forever and ever
     • Stored in browser until tab or browser closed – automatic submission of the BA header if MitM?
     • Changing password (which is sometimes necessary...) revokes all access
  13. Token based
     Benefits: No user/pass disclosed. Granularity. Revocation. Separation of duties.
     Problems: Standards under development. No complete solution stack – OAuth delivers authorization; OpenID or own solution for authentication.
  14. (no text on slide)
  15. What? A simple, open standard for secure API ~~authentication~~ authorization. Possible to share private information stored on one website with another website.
  16. When?
     — 2006-11 Blaine Cook, Twitter, started working on Twitter’s OpenID implementation.
     — 2007-04 A Google group started to write a draft protocol specification.
     — 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification.
  17. When?
     • 2007-12 Initial version OAuth 1.0 ready – mainly based on the Flickr Auth API and Google AuthSub
     • 2009-06 Revised version 1.0a due to a security flaw – http://oauth.net/core/1.0a
     • 2010-04 RFC 5849 – IETF Informational RFC “The OAuth 1.0 Protocol”
     • OAuth 2.0 – http://tools.ietf.org/html/draft-ietf-oauth-v2-31
       • New protocol, not backward compatible with OAuth1
       • Simplify and create a better user experience
       • Less secure due to no digital signature?
  18. Who?
  19. Why?
  20. Lisa
  21. Information – Lisa
  22. Lisa
  23. Lisa – Service Provider
  24. Lisa
  25. Lisa – Consumer
  26. Lisa
  27. Why? (a fake site asks Lisa for her credentials)
     fake: Hi Lisa, what’s your username?
     Lisa: Hmm, don’t know - could it be lisa@hotmail.com?
     fake: Ok, great! What’s your password?
     Lisa: h4pp1n3ss
     fake: Perfect! We’ll steal your paypal and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
  28. How? Authorization in 5 easy steps
     1. Intent
     2. Request Token
     3. Authorize Request Token
     4. Exchange Token
     5. Access Data
     (In the dialogues below the speaker names and some nouns were images on the slides; they are filled in in brackets from the Take Away slide, where Lisa is the user, Moo the consumer and Flickr the service provider.)
  29. Step 1: Intent
     Lisa: Hi, [Moo]! I would like to order printouts of some of my [pictures] on [Flickr], they are marked as private. Could you please print them?
     Moo: Sure, we just need to ask permission from [Flickr].
  30. Step 2: Request Token
     Moo: Hi [Flickr]! This is [Moo] speaking! Can I have a Request Token? (signed HMAC-SHA1 – Yours Truly, Moo.)
     Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
     Moo: Thanks!
  31. Step 3: Authorize Request Token
     Moo: Hi [Lisa], could you please go to [Flickr] to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your [pictures].
     Lisa: Sure, just redirect my browser and I will be done in a second!
  32. Step 3, Continued
     Lisa: [Flickr], I would like to authorize 9iKot2y5UQTDlS2V.
     Flickr: Sure - to be on the safe side; you are allowing [Moo] to read your private pictures? We trust them, so there are no issues from our side.
     Lisa: Yes, that is correct!
     Flickr: Ok, good. Now get back to [Moo] and tell them it is ok to proceed.
  33. Step 3, Optional Notify
     Lisa: Hi [Moo], I just told [Flickr] that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
     Moo: Perfect, thank you!
  34. Step 4: Exchange Token
     Moo: Hi, [Flickr]. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? (signed HMAC-SHA1 – Yours Truly, Moo.)
     Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
     Moo: Perfect, thank you!
  35. Step 5: Access Data
     Moo: Hi [Flickr], I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. (signed HMAC-SHA1 – Yours Truly, Moo.)
     Flickr: Here they are [Moo], anything else?
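The “signed HMAC-SHA1 (Yours Truly, Moo.)” part of Steps 2, 4 and 5 is the RFC 5849 section 3.4 signature. The following is an added example, not code from the talk: it builds the signature base string, signs a request the way Moo would in Step 5 with the access token from the slides, and shows the server-side check (timestamp window, nonce replay, constant-time MAC comparison). The consumer key/secret and the flickr.example URL are made-up values.

```python
"""OAuth 1.0a HMAC-SHA1 request signing and verification (RFC 5849 section 3.4).
Constructed demo of Step 5 from the slides: Moo fetches Lisa's private pictures with
the access token shown there; consumer key/secret and flickr.example are made up."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay as-is."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """METHOD & normalized base URI & normalized parameters (section 3.4.1)."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]  # default ports are left out of the base URI
    base_url = f"{scheme}://{host}{parts.path}"
    # query parameters in the URL are collected here, so pass each one only once
    everything = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    # encode first, then sort by encoded name and value; oauth_signature is never signed
    pairs = sorted((pct(k), pct(v)) for k, v in everything if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(pct(x) for x in (method.upper(), base_url, normalized))


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with '<consumer secret>&<token secret>'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_request(method, url, params, consumer_key, consumer_secret,
                   token, token_secret, timestamp=None, nonce=None):
    """Client side: add the oauth_* protocol parameters, then sign the whole set."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    unsigned = list(params) + oauth
    sig = sign(method, url, unsigned, consumer_secret, token_secret)
    return unsigned + [("oauth_signature", sig)]


def verify(method, url, params, consumer_secret, token_secret, seen, now=None, window=300):
    """Server side: reject stale timestamps and replayed nonces, then compare MACs."""
    p = dict(params)
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs((time.time() if now is None else now) - ts) > window:
        return False  # outside the accepted clock skew window
    nonce_key = (p.get("oauth_consumer_key"), ts, p.get("oauth_nonce"))
    if nonce_key in seen:
        return False  # replay of an already accepted request
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False
    seen.add(nonce_key)  # remember the nonce only for requests that verified
    return True
```

The token secret never travels with the request; only the signature does, which is why the service provider can check the request without Moo ever learning Lisa’s Flickr credentials.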
  36. Take Away
     • No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are.
     • API independent: there are lots of different implementations on both client and server side.
  37. Reality & Creativity. “OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” This is NOT the only way OAuth is used...
  38. Case 1: OAuth 1.0(a)
  39. Authentication & Authorization – 2 basic methods
     • REST API – OAuth signed or unauthenticated requests
     • Search API (query keyword) – unauthenticated requests
     • Stream API (realtime firehose) – OAuth signed or HTTP Basic authenticated requests
  40. REST API: Tweets, Saved searches, Timelines (set of tweets), Places & Geo, Direct Messages, Trends, Friends & Followers, Block, Users, Spam, Suggested Users, OAuth, Favorites, Help, Lists, Legal, Accounts, Deprecated, Notifications
  41. OAuth API
     • POST oauth/request_token – Server gets a request token (oauth_callback)
     • GET oauth/authenticate – Client redirect, “Sign in with Twitter” (oauth_token)
     • GET oauth/authorize – Client redirect, “3-legged authentication” (oauth_token)
     • POST oauth/access_token – Server gets an access token (oauth_verifier)
  42. OAuth – which flow for which need

     | Note | Need | Method |
     |---|---|---|
     | authenticates | Want to offer a “Sign in with Twitter” button on your website... | Sign in with Twitter |
     | authorize | Want to read or post Twitter data on behalf of visitors to your website... | 3-legged OAuth |
     | no redirect URL | Have a mobile, desktop, or embedded app which can’t access a browser... | PIN-based OAuth |
     | N/A | Just want to access the API from your own account... | dev.twitter.com |
     | authenticates | NEED to use usernames/passwords AND have been approved for xAuth... | xAuth |
     | API delegate | Offer an API where clients send you data on behalf of Twitter users... | OAuth Echo |
     | local iOS account | Have an iOS5-based integration and need access tokens for server-side integrations... | Using Reverse Auth |

  43. Mobility – Native application
     • Secure way: Redirect to browser, authorize/authenticate (NB! Not an embedded UI View!), redirect back to app. Possible without multitasking?
     • Not so secure way: xAuth works if there is trust between app and API (internal enterprise solution)
     • Alternative? For a 3rd party app that absolutely does not want to use an external browser: use the Twitter app?
  44. Mobility – HTML5 application: Redirect to auth-site, redirect to app-site
  45. Case 2: Facebook Graph API – OAuth v2 draft 14 (January 2011)
  46. OAuth (authenticate / authorize)
     • Authentication in native Android apps
     • Authentication in native iOS apps (facebook app)
     • Authentication within a Page Tab on www.facebook.com (facebook spec)
     • Authentication within a Canvas Page on apps.facebook.com
     • Authentication for Websites & Mobile Web apps using Javascript (client-side flow)
     • Authentication for Websites & Mobile Web apps using a Server (server-side flow)
     • Authentication for devices without access to a browser (PIN)
  47. Mobility
     • Native application: Standard is using the Facebook app – if not logged in, log in (app); if logged in but not authorized, pop the authorization question (app). If no Facebook app: redirect to web.
     • HTML5 application: Redirect to auth-site, redirect to app-site
     • Reflection
  48. Case 3: Home brew oauth-style authentication
  49. Anonymous TVM
  50. Identity TVM
  51. Mobility – Native application, identity TVM: Login towards TVM to collect token; use token towards API
  52. OAuth 2.0 – rev 31
  53. OAuth 2.0
  54. RFC 5849 – 6 Flows
     • User-Agent Flow – for clients running inside a user-agent (typically a web browser).
     • Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
     • Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
     • Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
     • Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
     • Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
  55. Conclusion
     Tokens are great! Authentication is hard.
     switch (scenario) {
       case 3rd party native client consumes your enterprise API: (How2 enforce?) Make sure the 3rd party uses an external browser for authentication; alternative is to create own enterprise app on mobile device;
       case own app consumes service API to access resource owner’s stuff: Pop an external browser - because it’s the good thing to do;
       case you are the resource owner: Do not hand out your user & pass to untrusted parties;
       case your app consumes your API: see 3rd party options; add xAuth, Identity TVM, Username and Password flow;
     }
     In comparison - Web is easy!
  56. Thank You ? @mjidhage
     • @weeUnquietMind - GLUE Conference - ‘Is that a token in your phone in your pocket or are you just glad to see me?’
     • @webtonull - JavaZone - ‘RESTful Security’
     • @rickardoberg - JFokus - ‘Road to REST’
     • @bebb00 - OPKoKo 2010 - ‘OAuth’
     • @jancalmered - OPKoKo 2010 - ‘OAuth’