Data Modelling and Identity Management with OAuth2
Speaker: Dave Syer
The OAuth2 specification (wisely) leaves a lot of areas open to interpretation and implementation details, so there are a lot of opportunities to impose interpretations on the flows and the underlying data. This presentation starts with a basic guide to the main features of OAuth2 and then goes on to show, with examples, how they can be exploited to support business and application use cases. For instance, should you encode access decision data directly in the access token, or make the token completely opaque? Should you be signing requests? What naming convention should you use for OAuth2 scopes? How do you go about registering users and clients? There are some obvious patterns in existing OAuth2 implementations, and Spring Security OAuth provides plenty of hooks and extension points should you wish to copy one of those, or make your own rules.
Examples will use Spring and Spring Security to show how to take advantage of the inherent flexibility, both in the spec and in the libraries.

Transcript

  • 1. 1 of 45 http://localhost:4000/decks/oauth-model-s2gx.html 10/09/13 18:11
    Data Modelling for OAuth2
    Dave Syer, 2013
    Twitter: @david_syer
    Email: dsyer@gopivotal.com
  • 2. (slide body not extracted)
  • 3. Agenda
    Quick overview of OAuth2
    Data Modelling for OAuth2
    Spring OAuth
    Cloud Foundry UAA
  • 4. Quick Introduction to OAuth2
    A Client application, often a web application, acts on behalf of a User, but only with the User's approval.
    Roles: Authorization Server, Resource Server, Client application
    Common examples of Authorization Servers on the internet:
    Facebook - Graph API
    Google - Google APIs
    Cloud Foundry - Cloud Controller
  • 5. OAuth2 Key Features
    Extremely simple for clients
    Access tokens carry information (beyond identity)
    Resource Servers are free to interpret tokens
    Example token contents: Client id, Resource id (audience), User id, Role assignments
  • 6. Obtaining a Client Token
    A client can act on its own behalf (client_credentials grant): (sequence diagram)
  • 7. Web Application Client
    The Client wants to access a Resource on behalf of the User. (diagram)
  • 8. Obtaining a User Token
    A client can act on behalf of a user (e.g. authorization_code grant): (sequence diagram)
  • 9. Authorization Code Grant Summary
    1. Authorization Server authenticates the User
    2. Client starts the authorization flow and obtains the User's approval
    3. Authorization Server issues an authorization code (opaque one-time token)
    4. Client exchanges the authorization code for an access token
  • 10. OAuth2 Bearer Tokens
    Bearer tokens are authentication tokens for client applications. Once you have one you can act on behalf of a user, accessing resources:
    $ curl -H "Authorization: Bearer <token>" resource.server.com/stuff
    The resource server treats the request as if it came from an authenticated user. Whoever bears the token gets that access, so it has to be protected in transit (TLS) and wherever it is stored.
  • 11. Role of Client Application
    Register with Authorization Server (get a client_id and maybe a client_secret)
    Do not collect user credentials
    Obtain a token (opaque) from Authorization Server: on its own behalf (client_credentials) or on behalf of a user
    Use it to access Resource Server
  • 12. Role of Resource Server
    1. Extract token from request and decode it
    2. Make access control decision based on: Scope; Audience; User account information (id, roles etc.); Client information (id, roles etc.)
    3. Send 403 (FORBIDDEN) if the token is valid but not sufficient (401 if the token is missing or invalid)
  • 13. Role of the Authorization Server
    1. Compute token content and grant tokens
    2. Interface for users to confirm that they authorize the Client to act on their behalf
    3. Authenticate users (/authorize)
    4. Authenticate clients (/token)
    #1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).
  • 14. Spring Security OAuth2
    Goal: implement Resource Server, Authorization Server, and Client Application with sensible defaults and plenty of customization choices.
    Provides features for implementing both consumers and providers of the OAuth protocols using standard Spring and Spring Security programming models and configuration idioms.
    1.0 = Nov 2012; 1.0.5 = Aug 2013; 1.1.0 = soon
  • 15. Spring OAuth Responsibilities
    Authorization Server: AuthorizationEndpoint and TokenEndpoint
    Resource Server: OAuth2AuthenticationProcessingFilter
    Client: OAuth2RestTemplate, OAuth2ClientContextFilter
  • 16. Spring as Resource Server (slide body not extracted)
  • 17. Spring as Authorization Server (slide body not extracted)
  • 18. (slide body not extracted)
  • 19. Spring as Client Application (slide body not extracted)
  • 20. OAuth2 Data Modelling
    Token format
    Token contents
    Client registrations
    Computing permissions
    User approvals
    User authentication
  • 21. Token Format
    OAuth 2.0 tokens are opaque to clients (so might be simple keys to a backend store), but they carry important information to Resource Servers.
    Example implementation (from Cloud Foundry UAA; JWT = JSON claims, base64url-encoded and signed):
      {
        "client_id": "vmc",
        "exp": 1346325625,
        "scope": ["cloud_controller.read", "openid", "password.write"],
        "aud": ["openid", "cloud_controller", "password"],
        "user_name": "vcap_tester@vmware.com",
        "user_id": "52147673-9d60-4674-a6d9-225b94d7a64e",
        "email": "vcap_tester@vmware.com",
        "jti": "f724ae9a-7c6f-41f2-9c4a-526cea84e614"
      }
  • 22. Token Format Choices
    Resources decode through:
    1. Shared storage -> opaque
    2. Remote service (e.g. /check_token) -> opaque
    3. Resources decode locally -> encoded + signed (+ possibly encrypted)
    #2 and #3 require the Resource Server and the Authorization Server to share secrets: for #3 they have to agree on signing (and possibly encryption) keys, for #2 the Resource Server needs credentials to call the remote service. Can be as simple as a shared configuration file.
  • 23. Token Contents
    Audience
    Scope
    Expiry
    Client details
    Other...
  • 24. Token Audience
    Resource Servers should check that they are the intended recipient of a token. No specific mechanism in the OAuth2 spec.
    In Spring OAuth every resource optionally has a "resource ID". It is compared with the token in an authentication filter.
    For encoded tokens, e.g. JWT, there is a standard field aud for the audience of the token.
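The following is an added example (not code from the deck, from Spring Security OAuth or from UAA) of what slides 12, 21, 22 and 24 describe from the Resource Server's side: option #3 of the token format choices, decoding a signed JWT locally and then making the access decision. It assumes HS256 with a key shared through configuration, assumes this Resource Server's resource id is the value it expects in the JWT aud claim, and uses claim names from the UAA token above; the tokens are minted inline by a toy Authorization Server so it runs offline.

```python
"""Resource Server side of token format choice #3: decode a signed token locally.

Added example, not code from the deck, Spring Security OAuth or UAA.
Assumptions: HS256 (HMAC-SHA256) with a key shared between Authorization
Server and Resource Server through configuration; the Resource Server's
"resource id" is the string it expects to find in the JWT "aud" claim; claim
names follow the UAA token shown above. Tokens are minted inline by a toy
Authorization Server so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"example-shared-signing-key"   # assumed: from a shared config file
RESOURCE_ID = "cloud_controller"            # assumed: this Resource Server's id
NOW = 1346325000                             # constructed clock, inside the sample token's lifetime

# Constructed claims, modelled on the UAA token on the Token Format slide.
SAMPLE_CLAIMS = {
    "client_id": "vmc",
    "exp": 1346325625,
    "scope": ["cloud_controller.read", "openid"],
    "aud": ["openid", "cloud_controller"],
    "user_name": "vcap_tester@vmware.com",
    "jti": "f724ae9a-7c6f-41f2-9c4a-526cea84e614",
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header_b64, payload_b64, key):
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()


def mint_jwt(claims, key=SHARED_KEY):
    """Toy Authorization Server: header.payload.signature with HS256."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{_b64url_encode(_sign(header_b64, payload_b64, key))}"


def decode_jwt(token, key=SHARED_KEY, now=None):
    """Verify signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides how it is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(_sign(header_b64, payload_b64, key), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_request(token, required_scope, resource_id=RESOURCE_ID, now=None):
    """Steps 1-3 of the Resource Server role, returning the HTTP status to send."""
    try:
        claims = decode_jwt(token, now=now)
    except ValueError:
        return 401                       # invalid_token (RFC 6750): unusable token
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if resource_id not in aud:
        return 401                       # issued for some other resource server
    if required_scope not in claims.get("scope", []):
        return 403                       # insufficient_scope: valid token, not enough rights
    return 200


def demo():
    """Constructed requests against this Resource Server, as {case: status}."""
    good = mint_jwt(SAMPLE_CLAIMS)
    header_b64, _, sig_b64 = good.split(".")
    # A client that edits its own token to add a scope but cannot re-sign it.
    upgraded = _b64url_encode(json.dumps(
        {**SAMPLE_CLAIMS, "scope": ["cloud_controller.write"]}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{upgraded}.{sig_b64}"
    return {
        "read": authorize_request(good, "cloud_controller.read", now=NOW),
        "write": authorize_request(good, "cloud_controller.write", now=NOW),
        "tampered": authorize_request(tampered, "cloud_controller.write", now=NOW),
        "wrong_audience": authorize_request(
            mint_jwt({**SAMPLE_CLAIMS, "aud": ["scim"]}), "cloud_controller.read", now=NOW),
        "expired": authorize_request(
            mint_jwt({**SAMPLE_CLAIMS, "exp": NOW - 1}), "cloud_controller.read", now=NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The two status codes separate the two failure classes on slide 12: anything that makes the token itself unacceptable (bad signature, expired, wrong audience) is 401 invalid_token, while a good token that simply lacks the scope is 403 insufficient_scope. Pinning the algorithm on the verifier side rather than reading it from the token header is the one check a local decoder must not skip.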
  • 25. Client Registration Data
    Client id
    Secret
    Redirect URIs
    Authorized grant types
  • 26. Client Registration Scopes
    Clients often act on their own behalf (client_credentials grant), and then the available scopes might be different.
    In Cloud Foundry we find it useful to distinguish between client scopes (for user tokens) and authorities (for client tokens).
  • 27. (slide body not extracted)
  • 28. Client Registration Data
    Minimum: Client id; Secret; Redirect URIs; Authorized grant types
    Desirable: Authorities -> scope for client token; Default scopes -> scope for user token; Resource ids -> audience; Owner of registration (e.g. a user)
  • 29. More on Scopes
    Per the spec scopes are arbitrary strings. The Authorization Server and the Resource Servers agree on the content and meanings.
    Examples:
    Google: https://www.googleapis.com/auth/userinfo.profile
    Facebook: email, read_stream, write_stream
    UAA: cloud_controller.read, cloud_controller.write, scim.read, openid
    Authorization Server has to decide whether to grant a token to a given client and user based on the requested scope (if any).
  • 30. Simple Example of Computed Scopes
    Client requests scope=read,write
    Auth server compares with client authorities=read
    Grants token with the narrower scope (read only)
    Uses Spring Security concept of "authorities" attached to a client
    Not implemented out of the box in Spring OAuth 1.0 (might be in 1.1)
  • 31. Cloud Foundry Scope Computation
    Client Token: if client requests no explicit scope, set to default value per client; restrict to intersection with default scopes (per client)
    User Token: if client requests no explicit scope, set to default value per client; restrict to intersection with default scopes (per client); further restrict to intersection with user groups (same as scope names)
  • 32. UAA Scopes
    UAA scopes are actually Groups in the User accounts: GET /Groups, GET /Users/{id}
      {
        "id": "73ba999e-fc34-49eb-ac26-dc8be52c1d82",
        "meta": {...},
        "userName": "marissa",
        "groups": [
          ...
          {
            "value": "23a71835-c7ce-43ac-b511-c84d3ae8e788",
            "display": "uaa.user",
            "membershipType": "DIRECT"
          }
        ]
      }
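An added example (not UAA or Spring OAuth code) of the scope computation on slides 30 to 32: requested scope narrowed to what the client is registered for, and for user tokens further narrowed to the user's groups. The client registrations and group memberships are constructed; the split between "authorities" (bounding client_credentials tokens) and default "scope" (bounding user tokens) is taken from the Client Registration Data slide.

```python
"""Scope computation as in the Cloud Foundry UAA slide above (slide 31),
with user groups doubling as scope names (slide 32).

Added example, not UAA or Spring OAuth code. The registrations and group
memberships are constructed for illustration. Assumption (from the
"Client Registration Data" slide): a client's "authorities" bound the
scope of its own client_credentials tokens, and its default "scope" bounds
the scope of tokens it obtains on behalf of a user.
"""

# Constructed client registrations.
CLIENTS = {
    "vmc": {
        "authorities": {"uaa.none"},
        "scope": {"cloud_controller.read", "cloud_controller.write",
                  "openid", "password.write"},
    },
    "batch": {
        "authorities": {"scim.read", "cloud_controller.read"},
        "scope": set(),          # never acts on behalf of a user
    },
}

# Constructed user accounts: group display names are the scopes a user may hold.
USER_GROUPS = {
    "marissa": {"uaa.user", "openid", "cloud_controller.read", "password.write"},
}


def _narrow(requested, allowed):
    """No explicit request means 'everything the client is registered for';
    an explicit request is intersected with what is registered. Scopes the
    client is not registered for are dropped silently (slide 30), not rejected."""
    if not requested:
        return set(allowed)
    return set(requested) & set(allowed)


def compute_client_token_scope(client_id, requested=None):
    """client_credentials grant: scope comes from the client's authorities."""
    scope = _narrow(requested, CLIENTS[client_id]["authorities"])
    if not scope:
        raise ValueError("invalid_scope")   # nothing left to grant
    return scope


def compute_user_token_scope(client_id, user_id, requested=None):
    """User grant: client default scopes, further restricted to the user's groups."""
    scope = _narrow(requested, CLIENTS[client_id]["scope"])
    scope &= USER_GROUPS.get(user_id, set())
    if not scope:
        raise ValueError("invalid_scope")
    return scope
```

Note the asymmetry that falls out of the model: a client asking for more than it is registered for is quietly narrowed, but a client that ends up with nothing (here, "batch" trying to obtain a user token, because it has no default scopes) gets an error rather than an empty token.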
  • 33. User Approvals
    An access token represents a user approval: (diagram)
  • 34. (slide body not extracted)
  • 35. User Approvals as Token
    An access token represents a user approval: (diagram)
  • 36. (slide body not extracted)
  • 37. Formal Model for User Approvals
    It can be an advantage to store individual approvals independently of tokens (e.g. for explicit revokes of individual scopes): (diagram)
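An added example (not UAA's approvals layer and not Spring OAuth 1.1's ApprovalStore) of the data model slide 37 argues for: one row per (user, client, scope) with a status and an expiry, so a single scope can be revoked and a refused scope is remembered. The record layout is an assumption for illustration; timestamps are plain epoch seconds.

```python
"""Per-scope user approvals stored independently of tokens (slide 37).

Added example; not UAA's approvals layer and not Spring OAuth 1.1's
ApprovalStore. The record layout (user, client, scope, status, expiry) is an
assumption for illustration; timestamps are plain epoch seconds.
"""
from dataclasses import dataclass

APPROVED = "APPROVED"
DENIED = "DENIED"


@dataclass
class Approval:
    user_id: str
    client_id: str
    scope: str
    status: str        # APPROVED or DENIED: a denial is remembered too, so the
                       # user is not re-prompted for something they refused
    expires_at: int    # approvals age out independently of any token


class ApprovalStore:
    def __init__(self):
        self._rows = {}  # (user_id, client_id, scope) -> Approval

    def record(self, user_id, client_id, decisions, now, ttl):
        """decisions maps each scope shown on the approval page to True/False."""
        for scope, ok in decisions.items():
            self._rows[(user_id, client_id, scope)] = Approval(
                user_id, client_id, scope, APPROVED if ok else DENIED, now + ttl)

    def revoke(self, user_id, client_id, scope):
        """Revoke one scope; the user's other approvals for the client survive."""
        self._rows.pop((user_id, client_id, scope), None)

    def _live(self, user_id, client_id, now):
        return [a for (u, c, _), a in self._rows.items()
                if u == user_id and c == client_id and a.expires_at > now]

    def approved_scopes(self, user_id, client_id, now):
        return {a.scope for a in self._live(user_id, client_id, now)
                if a.status == APPROVED}

    def undecided_scopes(self, user_id, client_id, requested, now):
        """Scopes with no live decision: these need the approval page."""
        decided = {a.scope for a in self._live(user_id, client_id, now)}
        return set(requested) - decided


def token_scope_for(store, user_id, client_id, requested, now):
    """Scope an Authorization Server may put in a new token without asking again.
    Returns None when at least one requested scope still needs a user decision."""
    if store.undecided_scopes(user_id, client_id, requested, now):
        return None
    return set(requested) & store.approved_scopes(user_id, client_id, now)
```

With the token itself as the only record of approval (slides 33 and 35), revoking one scope means revoking the whole token and re-prompting for everything; with this model the next token is simply issued without the revoked scope, and the user is only asked about scopes that have no live decision.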
  • 38. (slide body not extracted)
  • 39. Authentication and the Authorization Server
    Authentication (checking user credentials) is orthogonal to authorization (granting tokens).
    They don't have to be handled in the same component of a large system.
    Authentication is often deferred to existing systems (SSO).
    The Authorization Server has to be able to authenticate the callers of the OAuth endpoints (users at /authorize, clients at /token).
    It does not have to collect credentials itself (except for grant_type=password).
  • 40. Cloud Foundry UAA Authorization Server (slide body not extracted)
  • 41. Consumer Side User Authentication
    Using OAuth2 for authentication (and SSO): the Authorization Server (typically) provides a /userinfo endpoint, and the Client exchanges a bearer token for some information about the user.
    Examples:
    Github: https://api.github.com/user
    Facebook: https://graph.facebook.com/me
    Cloud Foundry: https://uaa.run.pivotal.io/userinfo
    Beware: no standard data format for user info.
  • 42. Spring OAuth Strategies
    TokenEnhancer - modify token contents
    UserApprovalHandler - decide if authorization request has been approved
    AuthorizationRequestManager (OAuth2RequestFactory and OAuth2RequestValidator in 1.1)
    TokenStore - backend store for opaque tokens
    ApprovalStore - new in 1.1
    Higher level:
    AuthorizationServerTokenServices - create and refresh tokens
    ResourceServerTokenServices - decode token
    ConsumerTokenServices - manage token grants and revokes
  • 43. UAA Strategies
    Implementations of UserApprovalHandler, *TokenServices, AuthorizationRequestManager
    UaaUserDatabase
    ScimUserProvisioning, ScimGroupProvisioning
    Custom approvals layer (will be superseded by 1.1)
    Autologin (login-server)
  • 44. Other Token Types
    OpenID Connect. Simple view: add an id_token alongside the access token.
    MAC Tokens. Simple view: the client signs each request with a key tied to the token, so the token by itself is not enough to replay a request.
    Not to be confused with: grant types (e.g. exchange a SAML assertion for a token), authentication channels (e.g. LDAP authentication for users)
  • 45. Links
    http://projects.spring.io/spring-security-oauth - Documentation
    http://github.com/springsource/spring-security-oauth - Spring OAuth on Github
    http://github.com/cloudfoundry/uaa - UAA on Github (see docs/ folder)
    http://blog.cloudfoundry.org
    http://spring.io/blog
    http://dsyer.com/presos/decks/oauth-model-s2gx.html
    Twitter: @david_syer
    Email: dsyer@gopivotal.com