OAuth2 + API Security
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
5,047
On Slideshare
855
From Embeds
4,192
Number of Embeds
39

Actions

Shares
Downloads
80
Comments
0
Likes
8

Embeds 4,192

http://amilaparanawithana.blogspot.com 2,022
http://amilaparanawithana.blogspot.in 601
http://amilaparanawithana.blogspot.de 154
http://amilaparanawithana.blogspot.co.uk 120
http://amilaparanawithana.blogspot.fr 119
http://amilaparanawithana.blogspot.ca 108
http://amilaparanawithana.blogspot.tw 106
http://amilaparanawithana.blogspot.com.br 96
http://amilaparanawithana.blogspot.com.es 90
http://amilaparanawithana.blogspot.com.au 85
http://amilaparanawithana.blogspot.ru 81
http://amilaparanawithana.blogspot.nl 68
http://amilaparanawithana.blogspot.mx 61
http://amilaparanawithana.blogspot.it 51
http://amilaparanawithana.blogspot.se 43
http://amilaparanawithana.blogspot.com.ar 27
http://amilaparanawithana.blogspot.ch 26
http://amilaparanawithana.blogspot.co.il 25
http://amilaparanawithana.blogspot.cz 25
http://amilaparanawithana.blogspot.pt 24
http://amilaparanawithana.blogspot.fi 24
http://amilaparanawithana.blogspot.sg 23
http://amilaparanawithana.blogspot.ro 23
http://amilaparanawithana.blogspot.kr 22
http://amilaparanawithana.blogspot.jp 21
http://amilaparanawithana.blogspot.co.at 19
http://amilaparanawithana.blogspot.hk 16
http://amilaparanawithana.blogspot.gr 15
http://amilaparanawithana.blogspot.be 15
http://amilaparanawithana.blogspot.no 13
http://amilaparanawithana.blogspot.com.tr 12
http://amilaparanawithana.blogspot.dk 10
http://amilaparanawithana.blogspot.ie 10
http://amilaparanawithana.blogspot.sk 9
http://amilaparanawithana.blogspot.hu 8
http://amilaparanawithana.blogspot.ae 7
http://translate.googleusercontent.com 7
http://amilaparanawithana.blogspot.co.nz 5
https://www.google.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. OAuth 2+ API Security
  • 2. API and Managing API • Private APIs , Public APIs(twitter, facebook) • Even though these APIs are public there must be a access control (e.g.: any one else can’t update your FB status on behalf of you)
  • 3. Securing APIs(before OAuth) •Basic auth – Sending user credentials in http authentication header •Mutual Authentication - based on certificates, server authenticate to client , client to server Problem ..? ONLY 2 Parties What Happens if a 3rd party (client/app) wants to call APIs on behalf of you
  • 4. Need A Better method
  • 5. Why we need a better method • Third party applications can not save password as a salted hash but in clear text as they will use user credentials later to access resources. • Resource owner can not limit the time of access or what resources to access by clients to his resources.
  • 6. Why we need a better method • Resource owners cannot revoke access to an individual third party. To revoke access resource owner has to change password which will automatically revoke all other clients. • Compromise of any third‐party application results in compromise of the end-user's password and all of the data protected by that password.
  • 7. Pre OAuth Era •Google oauth •Flicker oauth •Yahoo BB-oauth
  • 8. OAuth 2.0
  • 9. 4 Roles Resource Owner Client Resource Server Authorization Server
  • 10. Resource Owner • An entity capable of granting access to a protected resource • When the resource owner is a person, it is referred to as an end‐user.
  • 11. Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • 12. Client An application making protected resource requests on behalf of the resource owner and with its authorization 2 types, • Confidential clients- can securely keep client_secret and client_id(eg:Web application) • Public clients(eg: Browser based clients, mobile apps)
  • 13. Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • 14. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner (C) Authorization Grant (D) Access Token Authorization Server Client (E) Access Token (F) Protected Resource Resource Server
  • 15. OAuth 2 (A) Give me the key of your car (B) It’s with key holder, I will give you a chit, show this to key holder and ask for key. You can’t open my private stuff box with this key (C) Give me car key. Here is the chit of approve from owner Car owner (D) Ok, This is accepted, here is the key Key Holder Mechanic (E) Give me car to repair, this is the key (F) Ok, have the car Car park
  • 16. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner Client Credentials Implicit (C) Authorization Grant Authorization Code (D) Access Token Client Resource Owner Authorization Server Password Credentials (E) Access Token (F) Protected Resource Resource Server
  • 17. Authorization Code Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) (D) Authorization Code & Redirect URI (E) Access Token Client
  • 18. Scope • Scope indicates what resource client wants access and which actions he wants to perform on that. • The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings which are defined by authorization server. • The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.
  • 19. Authorization Code Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) Confidential Client Type (D) Authorization Code & Redirect URI (E) Access Token Web application Client
  • 20. Authorization Code Scope Resource Basic Auth owner (B) User Agent Client_ID/Client_secret (A) Client Identifier & redirect URL (B) User Authenticates (C) Authorization Code Client Authenticates to authorization server (A) (C) Authorization Server (D) Authorization Code & Redirect URI (E) Access Token Client
  • 21. Authorization Code - Benefits • Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client. • Access token is given directly to the client without passing it through the resource owner's user-agent
  • 22. Authorization Code Authorization Grant Request •response_type:REQUIRED.Value MUST be set to "code". • client_id: REQUIRED. The client identifier. • redirect_url: OPTIONAL. Where to be redirected by the Authorization Server • scope: OPTIONAL. The scope of the access request. • state : RCOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 23. Authorization Code Authorization Grant Request https://oauth2server.com/auth?response_type=code& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 24. Authorization Code Authorization Grant Response • code :REQUIRED. The authorization code generated by the authorization server • state : REQUIRED .if the "state" parameter was present in the client authorization request. https://oauth2client.com/cb?code=AUTH_CODE_HERE
  • 25. Authorization Code Access Token Request • grant_type :REQUIRED. Value MUST be set to "authorization_code" • code : REQUIRED . The authorization code received from the Authorization Server. • redirect_uri: REQUIRED,if the "redirect_uri" parameter was inclued in the authoization POST https://api.oauth2server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRET_URI&client_id=CLIENT_ID& client_secret=CLIENT_SECRET
  • 26. Authorization Code Access Token Response •access_token : REQUIRED.The access token issued by the authorization server. •token_type : REQUIRED.The type of the token. Value is case insensitive. •expires_in : RECOMMENDED.The lifetime in seconds of the access token
  • 27. Access Token • Credentials used to access protected resources • A string representing an authorization issued to the client. • Tokens represent specific scopes and durations of access Refresh Token • Used to obtain a new access token when the current access token becomes invalid or expires. • Can use to obtain additional access tokens with identical or narrower scope
  • 28. Authorization Code Access Token Response { "access_token":"RsT5OjbzRn430zqMLgV3Ia" }
  • 29. Implicit The implicit grant is a simplified authorization code flow optimized for clients implemented in a browse using a scripting language such as JavaScript
  • 30. Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server (D) Redirection URI without fragment (E) Script Client Web hosted client resource
  • 31. Implicit •The authorization server does not authenticate the client. • Improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
  • 32. Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server Public client Type (D) Redirection URI without fragment UserScript based (E) Agent Application Client Web hosted client resource
  • 33. Implicit Authorization Grant Request • response_type: REQUIRED.Value MUST be set to ”token". • client_id : REQUIRED. The client identifier. • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server. • scope : OPTIONAL. The scope of the access request. • state : RECOMMENDED.An opaque value used by the client to maintain state between the request and callback. https://oauth2server.com/auth?response_type=token&client_id=CLIE NT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 34. Implicit Access Token Response • access_token : REQUIRED.The access token issued by the authorization server. • token_type : REQUIRED. The type of the token. Value is case insensitiv. • expires_in : RECOMMENDED. The lifetime in seconds of the access token • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. • state : REQUIRED if the "state" parameter was present in the client authorization request https://oauth2client.com/cb#token=ACCESS_TOKEN
  • 35. Client Credentials Client credentials are used as an authorization grant when the client is also the resource owner. or is requesting access to protected resources based on an authorization previously arranged with the authorization server.
  • 36. Client Credentials (A) Client Authentication (B) Access Token Client Authorization Server
  • 37. Client Credentials Confidential Client Type (A) Client Authentication (B) Access Token Client Authorization Server
  • 38. Access Token request • grant_type : REQUIRED. Value MUST be set to ”client_credentials". • scope: OPTIONAL. The scope of the access request. POST https://api.oauth2server.com/token grant_type=client_credentials client_id=CLIENT_ID&client_secret=CLIENT_SECRET
  • 39. Access Token Response •access_token : REQUIRED. The access token issued by the authorization server. •token_type : REQUIRED. The type of the token. Value is case insensitive. •expires_in : RECOMMENDED. The lifetime in seconds of the access token
  • 40. Resource owner password credentials Resource owner (A) Resource owner password credentials (B) Resource owner password credentials (C) Access token Authorization Server Client
  • 41. When to use •In mobile applications ▫Will exchange your user name password to a access token and only store this access token in mobile app. ▫It should only be used by apps created by the service itself.(eg: the native Twitter app)
  • 42. Resource owner password credentials Token Request POST https://api.oauth2server.com/token granttype=password username=USERNAME& password=PASSWOD&client_id=CLIENT_ID
  • 43. References •OAuth 2.0 Authorization Framework, specification •OAuth 2 implified , Aron Parecki •Oauth 2.0 with pet care house , Prabath Siriwardena