OAuth2 + API Security
Transcript of "OAuth2 + API Security"

  1. OAuth 2 + API Security
  2. API and Managing APIs • Private APIs, public APIs (Twitter, Facebook) • Even though these APIs are public there must be access control (e.g. nobody else may update your Facebook status on your behalf).
  3. Securing APIs (before OAuth) • Basic auth: the user's credentials are sent in the HTTP Authorization header on every request. • Mutual authentication: certificate based; the server authenticates to the client and the client to the server. Problem? Both involve ONLY two parties. What happens when a third party (a client app) wants to call the API on your behalf?
  4. Need A Better Method
  5. Why we need a better method • A third-party application cannot store the user's password as a salted hash; it has to keep it in clear text (or some recoverable form) because it will replay the credentials later to access resources. • The resource owner cannot limit how long a client keeps access or which of his resources it may access.
  6. Why we need a better method • Resource owners cannot revoke access for one individual third party. To revoke access the resource owner has to change the password, which revokes every other client at the same time. • Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  7. Pre-OAuth era (proprietary delegated-authorization schemes) • Google AuthSub • Flickr Auth • Yahoo BBAuth
  8. OAuth 2.0
  9. 4 Roles • Resource Owner • Client • Resource Server • Authorization Server
  10. Resource Owner • An entity capable of granting access to a protected resource. • When the resource owner is a person, it is referred to as an end-user.
  11. Resource Server • The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  12. Client • An application making protected resource requests on behalf of the resource owner and with its authorization. 2 types: • Confidential clients: can keep the client_secret confidential (e.g. a web application running on a server). • Public clients: cannot keep a secret (e.g. browser-based clients, mobile apps); the client_id alone does not authenticate them.
  13. Authorization Server • The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  14. OAuth 2 abstract flow: (A) the Client requests authorization from the Resource Owner; (B) the Client receives an Authorization Grant; (C) the Client presents the Authorization Grant to the Authorization Server; (D) the Authorization Server returns an Access Token; (E) the Client presents the Access Token to the Resource Server; (F) the Resource Server returns the Protected Resource.
  15. OAuth 2 by analogy (car owner = resource owner, key holder = authorization server, mechanic = client, car park = resource server). Mechanic to car owner: (A) "Give me the key of your car." Car owner: (B) "It's with the key holder. I will give you a chit; show this to the key holder and ask for the key. You can't open my private stuff box with this key." Mechanic to key holder: (C) "Give me the car key. Here is the approval chit from the owner." Key holder: (D) "OK, this is accepted, here is the key." Mechanic to car park: (E) "Give me the car to repair, this is the key." Car park: (F) "OK, take the car."
  16. OAuth 2: the same (A)-(F) flow as on slide 14, showing the four grant types a client can present at step (C): Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials.
  17. Authorization Code flow: (A) the Client directs the Resource Owner's User Agent to the Authorization Server with its client identifier, requested scope and redirect URI; (B) the Resource Owner authenticates to the Authorization Server and grants access; (C) the Authorization Server redirects the User Agent back to the Client's redirect URI with an Authorization Code; (D) the Client sends the Authorization Code and the redirect URI to the Authorization Server; (E) the Authorization Server returns an Access Token.
  18. Scope • Scope indicates which resources the client wants access to and which actions it wants to perform on them. • The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. • The authorization server MAY fully or partially ignore the scope requested by the client, based on authorization server policy or the resource owner's instructions, so the client has to read the scope actually granted from the token response rather than assume it.
  19. Authorization Code flow, confidential client type (a web application): steps (A)-(E) as on slide 17; because the client runs on a server it can hold a client_secret.
  20. Authorization Code flow with client authentication: steps (A)-(C) as on slide 17; at (D) the Client authenticates to the Authorization Server with its client_id and client_secret (HTTP Basic authentication) when it sends the Authorization Code and redirect URI; (E) Access Token.
  21. Authorization Code - Benefits • Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client. • The access token is given directly to the client without passing it through the resource owner's user agent (only the short-lived, single-use authorization code travels through the browser).
  22. Authorization Code: Authorization Grant Request • response_type: REQUIRED. Value MUST be set to "code". • client_id: REQUIRED. The client identifier. • redirect_uri: OPTIONAL (REQUIRED when the client has registered more than one redirect URI). Where the Authorization Server sends the user agent back. • scope: OPTIONAL. The scope of the access request. • state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback; checking it on the callback is what stops an attacker splicing his own authorization code into the victim's session.
  23. Authorization Code: Authorization Grant Request https://oauth2server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  24. Authorization Code: Authorization Grant Response • code: REQUIRED. The authorization code generated by the authorization server. • state: REQUIRED if the "state" parameter was present in the client authorization request. https://oauth2client.com/cb?code=AUTH_CODE_HERE
  25. Authorization Code: Access Token Request • grant_type: REQUIRED. Value MUST be set to "authorization_code". • code: REQUIRED. The authorization code received from the Authorization Server. • redirect_uri: REQUIRED if the "redirect_uri" parameter was included in the authorization request, and the values MUST be identical. POST https://api.oauth2server.com/token grant_type=authorization_code&code=AUTH_CODE_HERE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&client_secret=CLIENT_SECRET (this example authenticates the client by putting client_id and client_secret in the body; slide 20 shows the HTTP Basic form, which is the one the specification requires every authorization server to support)
  26. Authorization Code: Access Token Response • access_token: REQUIRED. The access token issued by the authorization server. • token_type: REQUIRED. The type of the token (in practice "Bearer", RFC 6750). Value is case insensitive. • expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  27. Access Token • Credentials used to access protected resources. • A string representing an authorization issued to the client. • Tokens represent specific scopes and durations of access. Refresh Token • Used to obtain a new access token when the current access token becomes invalid or expires. • Can be used to obtain additional access tokens with identical or narrower scope.
  28. Authorization Code: Access Token Response { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"Bearer" }
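The client side of slides 17 to 28 as one runnable piece: generating and checking `state`, building the authorization request, validating the callback, building the token request with HTTP Basic client authentication (slide 20), and reading back the granted scope (slide 18). This is an added example, not code from the slides; the hostnames are the placeholders the slides use, the callback and token response are constructed sample data, and nothing here touches the network.

```python
"""Client-side authorization code flow (added example; names are hypothetical).

Hosts are the placeholders from the slides: https://oauth2server.com/auth,
https://api.oauth2server.com/token and https://oauth2client.com/cb.
Everything is built and parsed offline; no network calls are made.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_ENDPOINT = "https://oauth2server.com/auth"
TOKEN_ENDPOINT = "https://api.oauth2server.com/token"
REDIRECT_URI = "https://oauth2client.com/cb"


def new_state() -> str:
    # Unguessable per-session value. The client stores it (e.g. in the user's
    # session) and checks it on the callback, so an attacker cannot splice
    # his own authorization code into a victim's session (RFC 6749 sec. 10.12).
    return secrets.token_urlsafe(32)


def build_authorization_request(client_id: str, scope: list, state: str) -> str:
    # Slides 22/23: response_type=code is mandatory; scope is space-delimited.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Slide 24: the server redirects to redirect_uri?code=...&state=...
    # Accept only our exact redirect URI with a matching state; return the code.
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect URI")
    qs = parse_qs(parts.query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF / code injection")
    code = qs.get("code", [])
    if len(code) != 1:
        raise ValueError("callback must carry exactly one code")
    return code[0]


def build_token_request(client_id: str, client_secret: str, code: str) -> dict:
    # Slide 25: grant_type, the code, and the same redirect_uri as before.
    # Client authentication uses HTTP Basic (slide 20); RFC 6749 sec. 2.3.1
    # form-urlencodes identifier and secret before base64-encoding them.
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": REDIRECT_URI})
    return {"method": "POST", "url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def parse_token_response(body: str, requested_scope: list) -> dict:
    # Slides 18/26: token_type is REQUIRED and case-insensitive; the server MAY
    # narrow the scope, so compare what was granted against what was asked.
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response is missing a REQUIRED parameter")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {data['token_type']!r}")
    granted = data.get("scope", " ".join(requested_scope)).split()
    return {
        "access_token": data["access_token"],
        "expires_in": data.get("expires_in"),
        "refresh_token": data.get("refresh_token"),
        "granted_scope": granted,
        "missing_scope": [s for s in requested_scope if s not in granted],
    }


# Constructed sample exchange (not captured from any real server).
SAMPLE_STATE = "k3p0x9Zq"
SAMPLE_CALLBACK = f"{REDIRECT_URI}?code=AUTH_CODE_HERE&state={SAMPLE_STATE}"
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "RsT5OjbzRn430zqMLgV3Ia",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "photos",   # the client asked for "photos albums"; server narrowed it
})


def demo() -> dict:
    code = parse_callback(SAMPLE_CALLBACK, SAMPLE_STATE)
    req = build_token_request("CLIENT_ID", "CLIENT_SECRET", code)
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, ["photos", "albums"])
    return {"code": code, "request": req, "token": tok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth noticing when running it: the client secret appears only in the Authorization header of the token request, never in a URL, and a callback whose `state` does not match the one issued for this session is rejected before the code is ever exchanged.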
  29. Implicit • The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. The access token is returned directly in the redirect, with no separate authorization code step.
  30. Implicit flow: (A) the Client directs the User Agent to the Authorization Server with its client identifier, requested scope and redirect URI; (B) the Resource Owner authenticates and grants access; (C) the Authorization Server redirects the User Agent to the redirect URI with the access token in the URI fragment; (D) the User Agent follows the redirect to the web-hosted client resource, without the fragment; (E) the web-hosted client resource returns a script that extracts the access token from the fragment and passes it to the Client.
  31. Implicit • The authorization server does not authenticate the client. • Improves the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token. • Because the token travels through the user agent and the client is never authenticated, current OAuth security guidance (OAuth 2.0 Security Best Current Practice, RFC 9700) recommends the authorization code grant instead.
  32. Implicit flow, public client type (a user-agent based, script-driven application): steps (A)-(E) as on slide 30; the client runs in the browser and cannot hold a secret.
  33. Implicit: Authorization Grant Request • response_type: REQUIRED. Value MUST be set to "token". • client_id: REQUIRED. The client identifier. • redirect_uri: OPTIONAL. Where the Authorization Server sends the user agent back. • scope: OPTIONAL. The scope of the access request. • state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback. https://oauth2server.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  34. Implicit: Access Token Response • access_token: REQUIRED. The access token issued by the authorization server. • token_type: REQUIRED. The type of the token. Value is case insensitive. • expires_in: RECOMMENDED. The lifetime in seconds of the access token. • scope: OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED. • state: REQUIRED if the "state" parameter was present in the client authorization request. The parameters are carried in the URI fragment, not the query string: https://oauth2client.com/cb#access_token=ACCESS_TOKEN&token_type=Bearer
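Steps (C) to (E) of slides 30 and 34 in code: the same redirect URL seen first as the HTTP request the browser sends to the web-hosted client resource (no fragment, so the token never reaches the client's server) and then as the page script sees it in the fragment. This is an added example, not code from the slides; the redirect URL is a constructed sample, the `state` value is assumed to have been issued earlier in the session, and the browser behaviour is modelled locally rather than exercised in a real browser.

```python
"""Implicit grant: where the access token travels (added example).

Constructed sample data; the redirect URI placeholder is the one from the slides.
"""
from urllib.parse import parse_qs, urlsplit

REDIRECT_URI = "https://oauth2client.com/cb"


def request_line_seen_by_server(redirect_url: str) -> str:
    # Step (D) on slide 30: a user agent never transmits the fragment, so the
    # client's web server only ever sees path and query. This is the whole
    # reason the token has to be picked up by script on the page (step E).
    p = urlsplit(redirect_url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return f"GET {target} HTTP/1.1"


def extract_token_from_fragment(redirect_url: str, expected_state: str) -> dict:
    # Step (E): what the script served by the web-hosted client resource does
    # with window.location.hash. Same discipline as a callback check: exact
    # redirect URI, matching state, REQUIRED parameters present, bearer type.
    p = urlsplit(redirect_url)
    if f"{p.scheme}://{p.netloc}{p.path}" != REDIRECT_URI:
        raise ValueError("redirect did not arrive at the registered redirect URI")
    frag = parse_qs(p.fragment)
    if "error" in frag:
        raise ValueError(f"authorization server returned error {frag['error'][0]}")
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: token may have been injected")
    for required in ("access_token", "token_type"):
        if required not in frag:
            raise ValueError(f"fragment is missing REQUIRED parameter {required}")
    if frag["token_type"][0].lower() != "bearer":
        raise ValueError(f"unsupported token_type {frag['token_type'][0]!r}")
    expires = frag.get("expires_in", [None])[0]
    return {
        "access_token": frag["access_token"][0],
        "expires_in": int(expires) if expires is not None else None,
        "scope": frag.get("scope", [""])[0].split(),
    }


# Constructed sample redirect, shaped like the slide 34 example plus the
# REQUIRED token_type and the state the client issued earlier (hypothetical).
SAMPLE_STATE = "k3p0x9Zq"
SAMPLE_REDIRECT = (REDIRECT_URI + "#access_token=ACCESS_TOKEN&token_type=Bearer"
                   "&expires_in=3600&scope=photos&state=" + SAMPLE_STATE)


if __name__ == "__main__":
    print("server sees: ", request_line_seen_by_server(SAMPLE_REDIRECT))
    print("script sees: ", extract_token_from_fragment(SAMPLE_REDIRECT, SAMPLE_STATE))
```

The contrast between the two functions is the security point of the grant: the token is handed to whatever script runs in that page, and is exposed in browser history and anything else that can read the URL, while the client's own server never had it.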
  35. Client Credentials • Client credentials are used as an authorization grant when the client is also the resource owner, or is requesting access to protected resources based on an authorization previously arranged with the authorization server. There is no end-user in this flow.
  36. Client Credentials flow: (A) the Client authenticates to the Authorization Server; (B) the Authorization Server returns an Access Token.
  37. Client Credentials flow, confidential client type: as on slide 36; the grant is only usable by a client that can keep its client_secret confidential, because the secret is the only thing being authenticated.
  38. Access Token Request • grant_type: REQUIRED. Value MUST be set to "client_credentials". • scope: OPTIONAL. The scope of the access request. POST https://api.oauth2server.com/token grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET (credentials in the body, as here, are permitted but the specification prefers HTTP Basic authentication as on slide 20)
  39. Access Token Response • access_token: REQUIRED. The access token issued by the authorization server. • token_type: REQUIRED. The type of the token. Value is case insensitive. • expires_in: RECOMMENDED. The lifetime in seconds of the access token.
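The authorization server's side of slides 36 to 39: authenticating a confidential client from either the HTTP Basic header (slide 20) or body parameters (slide 38), then issuing the slide 39 response. This is an added example, not code from the slides; the client registry, the salted PBKDF2 storage of the secret and the fixed salt are hypothetical choices made so the example is self-contained and reproducible, and the two requests are constructed samples.

```python
"""Authorization-server side of the client credentials grant (added example).

Accepts client credentials from the Authorization: Basic header (the form
RFC 6749 sec. 2.3.1 requires servers to support) or from the POST body (the
form shown on slide 38). The registry never stores the secret itself, only a
salted hash, and every comparison is constant-time. Hypothetical names; no
network access.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Hypothetical client registry: client_id -> (salt, hash of the secret).
# The salt is fixed here only so the example is reproducible.
_SALT = b"constructed-example-salt"
CLIENTS = {"CLIENT_ID": (_SALT, _hash_secret("CLIENT_SECRET", _SALT))}


def client_from_request(headers: dict, body: str) -> Optional[str]:
    # Returns the authenticated client_id, or None. Basic header is preferred;
    # body credentials are a fallback. An unknown client still goes through a
    # hash computation so timing does not reveal which ids exist.
    client_id = secret = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except ValueError:            # includes binascii.Error, UnicodeDecodeError
            return None
        cid, _, sec = raw.partition(":")
        # sec. 2.3.1: both halves were form-urlencoded before base64.
        client_id, secret = unquote(cid), unquote(sec)
    else:
        form = parse_qs(body)
        client_id = form.get("client_id", [None])[0]
        secret = form.get("client_secret", [None])[0]
    if client_id is None or secret is None:
        return None
    salt, stored = CLIENTS.get(client_id, (_SALT, b""))
    if not hmac.compare_digest(_hash_secret(secret, salt), stored):
        return None
    return client_id


def token_endpoint(headers: dict, body: str) -> Tuple[int, dict]:
    # Slide 38: grant_type MUST be client_credentials; scope is optional.
    # Slide 39: access_token and token_type REQUIRED, expires_in RECOMMENDED.
    client_id = client_from_request(headers, body)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type", [None])[0] != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    if "scope" in form:               # echoed back; a real server applies policy here
        response["scope"] = form["scope"][0]
    return 200, response


# Constructed sample requests for the same client, one per credential form.
BASIC_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"CLIENT_ID:CLIENT_SECRET").decode(),
    "Content-Type": "application/x-www-form-urlencoded",
}
BASIC_BODY = "grant_type=client_credentials&scope=photos"
BODY_CRED_BODY = "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET"


if __name__ == "__main__":
    print(token_endpoint(BASIC_HEADERS, BASIC_BODY))
    print(token_endpoint({}, BODY_CRED_BODY))
```

A wrong secret and an unknown client both come back as `invalid_client` after the same amount of work, and the stored value is useless to anyone who dumps the registry, which is the property a confidential client's secret is supposed to rest on.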
  40. Resource Owner Password Credentials flow: (A) the Resource Owner gives his username and password to the Client; (B) the Client sends those credentials to the Authorization Server; (C) the Authorization Server returns an Access Token.
  41. When to use • In mobile applications: the app exchanges the username and password for an access token once and stores only the access token, never the password. • It should only be used by apps created by the service itself (e.g. the native Twitter app), since the client sees the user's password; for any third-party client this grant reintroduces the problems from slides 5 and 6, and current OAuth security guidance (RFC 9700) recommends against it.
  42. Resource Owner Password Credentials: Token Request POST https://api.oauth2server.com/token grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID (a confidential client also authenticates itself, e.g. with HTTP Basic as on slide 20)
  43. References • The OAuth 2.0 Authorization Framework, specification (RFC 6749) • OAuth 2 Simplified, Aaron Parecki • OAuth 2.0 with Pet Care House, Prabath Siriwardena