SlideShare a Scribd company logo

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

Download as PPTX, PDF
Brian Campbell
Brian Campbell

This document provides an overview of OAuth 2.0 and how it can be used to securely authorize access to APIs from mobile applications. It begins with an introduction to OAuth and discusses how it addresses issues with directly sharing passwords between applications. The document then outlines the basic OAuth flow, including key concepts like access tokens, authorization codes, and refresh tokens. It provides code snippets demonstrating an example OAuth flow for both Android and iOS, showing the HTTP requests and responses at each step.

Technology
1 of 26
Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping‟s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Disclaimer & Credits  I primarily do server side development  Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen  Because “plagiarism” is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something‟s dumb and/or you‟re offended by it, it‟s Paul‟s  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password. •What could possibly go wrong?
Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a „key‟ to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You‟re at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you‟re relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
Aside: Mobile Application Continuum Web Applications Native Applications Web Server Web Server Web App HTML/JS/CSS Hybrid Approaches JSON/XML Mobile Device Mobile Device Mobile Web Page Native App Browser
Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
Basic Abstract Flow  client: An application Authorization obtaining authorization and Server making protected resource Client requests. Resource  Native app on mobile device Server  resource server (RS): A server capable of accepting and responding to protected A few other protocol terms resource requests. • Access token (AT) – Presented by client when accessed protected resources at the RS  Protected APIs • Refresh token (RT) - Allows clients to obtain a fresh  authorization server (AS): A access token without re-obtaining authorization • Scope – A permission (or set of permissions) defined server capable of issuing by the AS/RS tokens after successfully • Authorization endpoint – used by the client to obtain authenticating the resource authorization from the resource owner via user-agent owner and obtaining redirection • Token endpoint – used for direct client to AS authorization. communication • Authorization Code – One time code issued by an AS to be exchanged for an AT.
Concrete Flow ① Client app initiates Cloud! authorization request Authorization ② End-user authenticates Token Endpoint Endpoint and approves the requested access ③ Server returns control to the app and includes an authorization code 3 ④ The authorization code is 1 2 traded for access token 4 (and refresh token) 5 Device ⑤ Protected APIs invoked using the access token Browser Native 1 App 3
Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and 1 sends user to the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native App
Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native App
Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP Browser redirection and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > <intent-filter> Browser Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");
Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...
Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Browser Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }
Cloud! Using an Access Token Token Endpoint Authorization Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);
If All Goes well, HTTP/1.1 200 OK
And If not,  HTTP 401/403  Use refresh token to get a new access token POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8 HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":”G8RTS98dQ9CpLoaH7P3V41MzW1q0”, }  And if that doesn‟t work, initiate the authorization request flow again
Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I‟m tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind

Recommended

웹 Front-End 실무 이야기
웹 Front-End 실무 이야기웹 Front-End 실무 이야기
웹 Front-End 실무 이야기JinKwon Lee
 
심성환 개발자 포트폴리오
심성환 개발자 포트폴리오심성환 개발자 포트폴리오
심성환 개발자 포트폴리오Seonghwan Shim
 
Introducing firebase
Introducing firebaseIntroducing firebase
Introducing firebaseFarouk Touzi
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
프론트엔드 개발자를 위한 Layer Model
프론트엔드 개발자를 위한 Layer Model프론트엔드 개발자를 위한 Layer Model
프론트엔드 개발자를 위한 Layer ModelHan Lee
 
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTOiFunFactory Inc.
 
웹을 지탱하는 기술
웹을 지탱하는 기술웹을 지탱하는 기술
웹을 지탱하는 기술JungHyuk Kwon
 
[215]네이버콘텐츠통계서비스소개 김기영
[215]네이버콘텐츠통계서비스소개 김기영[215]네이버콘텐츠통계서비스소개 김기영
[215]네이버콘텐츠통계서비스소개 김기영NAVER D2
 

Recommended

웹 Front-End 실무 이야기
웹 Front-End 실무 이야기웹 Front-End 실무 이야기
웹 Front-End 실무 이야기JinKwon Lee
 
심성환 개발자 포트폴리오
심성환 개발자 포트폴리오심성환 개발자 포트폴리오
심성환 개발자 포트폴리오Seonghwan Shim
 
Introducing firebase
Introducing firebaseIntroducing firebase
Introducing firebaseFarouk Touzi
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
프론트엔드 개발자를 위한 Layer Model
프론트엔드 개발자를 위한 Layer Model프론트엔드 개발자를 위한 Layer Model
프론트엔드 개발자를 위한 Layer ModelHan Lee
 
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTO
[MGDC] 리눅스 게임 서버 성능 분석하기 - 아이펀팩토리 김진욱 CTOiFunFactory Inc.
 
웹을 지탱하는 기술
웹을 지탱하는 기술웹을 지탱하는 기술
웹을 지탱하는 기술JungHyuk Kwon
 
[215]네이버콘텐츠통계서비스소개 김기영
[215]네이버콘텐츠통계서비스소개 김기영[215]네이버콘텐츠통계서비스소개 김기영
[215]네이버콘텐츠통계서비스소개 김기영NAVER D2
 
Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressKnoldus Inc.
 
이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정Arawn Park
 
Python 테스트 시작하기
Python 테스트 시작하기Python 테스트 시작하기
Python 테스트 시작하기Hosung Lee
 
Letswift19-clean-architecture
Letswift19-clean-architectureLetswift19-clean-architecture
Letswift19-clean-architectureJung Kim
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018Amazon Web Services Korea
 
What is new in Firebase?
What is new in Firebase?What is new in Firebase?
What is new in Firebase?Sinan Yılmaz
 
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다Taehyun Kim
 
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기SeungYong Oh
 
HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안SangJin Kang
 
Introduction to Firebase from Google
Introduction to Firebase from GoogleIntroduction to Firebase from Google
Introduction to Firebase from GoogleManikantan Krishnamurthy
 
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017Amazon Web Services Korea
 
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint [D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint NAVER D2
 
스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략if kakao
 
포트폴리오 오경원
포트폴리오 오경원포트폴리오 오경원
포트폴리오 오경원Sio Oh
 
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례NAVER LABS
 
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례NAVER D2
 
4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴Terry Cho
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오Lee ByeongCheol
 
AWS Data Collection & Storage
AWS Data Collection & StorageAWS Data Collection & Storage
AWS Data Collection & StorageAmazon Web Services
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01Paul Madsen
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guideDilip Mohapatra
 

More Related Content

What's hot

Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressKnoldus Inc.
 
이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정Arawn Park
 
Python 테스트 시작하기
Python 테스트 시작하기Python 테스트 시작하기
Python 테스트 시작하기Hosung Lee
 
Letswift19-clean-architecture
Letswift19-clean-architectureLetswift19-clean-architecture
Letswift19-clean-architectureJung Kim
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018Amazon Web Services Korea
 
What is new in Firebase?
What is new in Firebase?What is new in Firebase?
What is new in Firebase?Sinan Yılmaz
 
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다Taehyun Kim
 
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기SeungYong Oh
 
HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안SangJin Kang
 
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017Amazon Web Services Korea
 
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint [D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint NAVER D2
 
스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략if kakao
 
포트폴리오 오경원
포트폴리오 오경원포트폴리오 오경원
포트폴리오 오경원Sio Oh
 
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례NAVER LABS
 
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례NAVER D2
 
4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴Terry Cho
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오Lee ByeongCheol
 

What's hot (20)

Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes Ingress
 
이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정이벤트 기반 분산 시스템을 향한 여정
이벤트 기반 분산 시스템을 향한 여정
 
Python 테스트 시작하기
Python 테스트 시작하기Python 테스트 시작하기
Python 테스트 시작하기
 
Letswift19-clean-architecture
Letswift19-clean-architectureLetswift19-clean-architecture
Letswift19-clean-architecture
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
 
What is new in Firebase?
What is new in Firebase?What is new in Firebase?
What is new in Firebase?
 
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
NDC 2016 김태현 - 글로벌 동시 퀵 서버패치 이렇게 구축 했다
 
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기[NDC17] Kubernetes로 개발서버 간단히 찍어내기
[NDC17] Kubernetes로 개발서버 간단히 찍어내기
 
HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안HTTP/2와 웹 성능 최적화 방안
HTTP/2와 웹 성능 최적화 방안
 
Introduction to Firebase from Google
Introduction to Firebase from GoogleIntroduction to Firebase from Google
Introduction to Firebase from Google
 
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
Amazon SNS로 지속적 관리가 가능한 대용량 푸쉬 시스템 구축 여정 - AWS Summit Seoul 2017
 
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint [D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
 
스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략
 
포트폴리오 오경원
포트폴리오 오경원포트폴리오 오경원
포트폴리오 오경원
 
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
Docker + Kubernetes를 이용한 빌드 서버 가상화 사례
 
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
[2B3]ARCUS차별기능,사용이슈,그리고카카오적용사례
 
4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오이병철의 개발자 포트폴리오
이병철의 개발자 포트폴리오
 
AWS Data Collection & Storage
AWS Data Collection & StorageAWS Data Collection & Storage
AWS Data Collection & Storage
 

Similar to OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01Paul Madsen
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App EnablementCA API Management
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesIntuit Developer
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthKashif Imran
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET CoreVladimir Bychkov
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderShoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderForgeRock
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 

Similar to OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me? (20)

Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App Enablement
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderShoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 Provider
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Api security
Api security Api security
Api security
 

More from Brian Campbell

Token Binding Identiverse 2018
Token Binding Identiverse 2018 Token Binding Identiverse 2018
Token Binding Identiverse 2018 Brian Campbell
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018Brian Campbell
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBrian Campbell
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarBrian Campbell
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsBrian Campbell
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSOBrian Campbell
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Brian Campbell
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Brian Campbell
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSEBrian Campbell
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsBrian Campbell
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityBrian Campbell
 

More from Brian Campbell (17)

The Burden of Proof
The Burden of ProofThe Burden of Proof
The Burden of Proof
 
Token Binding Identiverse 2018
Token Binding Identiverse 2018 Token Binding Identiverse 2018
Token Binding Identiverse 2018
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of Us
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSE
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

  • 1. Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
  • 2. Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
  • 3. Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping‟s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
  • 4. Disclaimer & Credits  I primarily do server side development  Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen  Because “plagiarism” is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something‟s dumb and/or you‟re offended by it, it‟s Paul‟s  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
  • 5. Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password. •What could possibly go wrong?
  • 6. Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
  • 7. Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a „key‟ to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
  • 8. Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
  • 9. Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You‟re at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
  • 10. Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you‟re relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
  • 11. OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
  • 12. Aside: Mobile Application Continuum Web Applications Native Applications Web Server Web Server Web App HTML/JS/CSS Hybrid Approaches JSON/XML Mobile Device Mobile Device Mobile Web Page Native App Browser
  • 13. Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
  • 14. Basic Abstract Flow  client: An application Authorization obtaining authorization and Server making protected resource Client requests. Resource  Native app on mobile device Server  resource server (RS): A server capable of accepting and responding to protected A few other protocol terms resource requests. • Access token (AT) – Presented by client when accessed protected resources at the RS  Protected APIs • Refresh token (RT) - Allows clients to obtain a fresh  authorization server (AS): A access token without re-obtaining authorization • Scope – A permission (or set of permissions) defined server capable of issuing by the AS/RS tokens after successfully • Authorization endpoint – used by the client to obtain authenticating the resource authorization from the resource owner via user-agent owner and obtaining redirection • Token endpoint – used for direct client to AS authorization. communication • Authorization Code – One time code issued by an AS to be exchanged for an AT.
  • 15. Concrete Flow ① Client app initiates Cloud! authorization request Authorization ② End-user authenticates Token Endpoint Endpoint and approves the requested access ③ Server returns control to the app and includes an authorization code 3 ④ The authorization code is 1 2 traded for access token 4 (and refresh token) 5 Device ⑤ Protected APIs invoked using the access token Browser Native 1 App 3
  • 16. Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and 1 sends user to the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
  • 17. Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native App
  • 18. Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native App
  • 19. Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP Browser redirection and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  • 20. Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > <intent-filter> Browser Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");
  • 21. Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...
  • 22. Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Browser Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }
  • 23. Cloud! Using an Access Token Token Endpoint Authorization Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);
  • 24. If All Goes well, HTTP/1.1 200 OK
  • 25. And If not,  HTTP 401/403  Use refresh token to get a new access token POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8 HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":”G8RTS98dQ9CpLoaH7P3V41MzW1q0”, }  And if that doesn‟t work, initiate the authorization request flow again
  • 26. Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I‟m tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind