Your SlideShare is downloading. ×
0
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OAuth2 - The Swiss Army Framework

696

Published on

As Presented at OSCon 2014 …

As Presented at OSCon 2014

If your application doesn't have APIs, it was probably written during the Cold War, or maybe written in Cold Fusion. Every application has APIs, and APIs need authentication. See how OAuth2 is robust enough to satisfy the demands of the enterprise, while still serving the smallest of side projects.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
696
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
17
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 1 Brent Shaffer OAuth2: The Swiss Army Framework
  • 2. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 2 Who Is This Guy? Hint: Brent Shaffer
  • 3. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 3
  • 4. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 4 Maintainer of #1 Open Source PHP library for Server-Side OAuth
  • 5. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 5 I’m in a Band! The ladies love us! More Hazards More Heroes
  • 6. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 6
  • 7. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 19 Don’t require your users to authenticate with 3rd parties using passwords! The moral of the story
  • 8. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 20 Don’t require your users to authenticate with your APIs using passwords! …and to a lesser extent
  • 9. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 21 What is OAuth? ▪ Something to do with Facebook ▪ Twitter’s in the mix ▪ Maybe Google too? Github? ▪ Authorization and Authentication ▪ Tokens everywhere ▪ Two-legs, three-legs… crablegs?
  • 10. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 22 Overview
  • 11. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 23 “OAuth is a big set of rules that explain how two parties exchange tokens"
  • 12. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 24 Currency for Tokens
  • 13. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 25 Tokens Expire
  • 14. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 26 Bearer Token
  • 15. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 27 Applications (aka Clients)
  • 16. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 28 ▪ One user can have many apps ▪ Each app has its own set of credentials ▪ Each app represents a single program / application / script, etc ▪ A conceptual wrapper around your project Applications (aka Clients)
  • 17. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 29 User “Resource Owner” Client “3rd Party” Server “Resource and Authorization Provider” Three Roles
  • 18. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 30 USER 3RD PARTY SERVICE Three Legs
  • 19. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 31 Authorize Token Resource The user authorizes the client The server returns a token to the client Three Endpoints The server provides the resource
  • 20. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 32 Grant Types
  • 21. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 33 “A Grant Type is just a specific way to obtain (or be granted) an Access Token"
  • 22. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 34 “The multiple ways to get an access token, i.e. the Grant Types, are what make OAuth a Swiss Army Framework™”
  • 23. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 35 Brent Shaffer OAuth2: The Swiss Army Framework
  • 24. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 36 Difficulty: Easy
  • 25. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 37 Client Authorize Token Resource
  • 26. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 38
  • 27. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 39 Personal Access Token
  • 28. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 40 Personal Access Token
  • 29. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 41 ▪ Easier than dirt ▪ Good for calling your APIs on your behalf ▪ No encryption other than HTTPS ▪ No expiration ▪ Treat these like a password ▪ Extension of OAuth2.0 Spec Personal Access Tokens
  • 30. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 42 Personal Access Token $ curl https://api.github.com/users/bshaffer -u fd8e84b60c4bfd8e9277cb3b16f112859d60c45c: $ curl https://api.github.com/users/bshaffer?access_token=xyz GET /users/bshaffer HTTP/1.1! Host: api.github.com! Authorization: Basic czZCaGRSa3F0Mzp GET /users/bshaffer?access_token=xyz HTTP/1.1! Host: api.github.com $ curl https://api.github.com/users/bshaffer -H ‘Authorization: Bearer xyz GET /users/bshaffer HTTP/1.1! Authorization: Bearer xyz! Host: api.github.com
  • 31. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 43
  • 32. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 44 ▪ Slightly harder than dirt, but still very easy ▪ Good for calling YOUR apis ▪ Good for Server-to-Server calls ▪ Tokens expire ▪ Hardcoded credentials ▪ I couldn’t find this in the wild Client Credentials
  • 33. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 45 Client Credentials $ curl https://api.example.com/token -d ‘grant_type=client_credentials’ -d ‘client_id=avatarfanclub’ -d ‘client_secret=df40b2’ POST /token HTTP/1.1! Host: api.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=client_credentials! &client_id=avatarfanclub! &client_secret=df40b2 $ curl https://api.example.com/token -u ‘avatarfanclub:df40b2’ POST /token HTTP/1.1! Host: server.example.com! Authorization: Basic czZCaGRSa3F0Mzp! Content-Type: application/x-www-form-urlencoded! ! grant_type=client_credentials
  • 34. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 46 Client Token Client Credentials Authorize Resource POST /token HTTP/1.1! Host: api.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=client_credentials! &client_id=avatarfanclub! &client_secret=df40b2 Client Credentials
  • 35. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 47 Client Token Client Credentials Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! "access_token":"2YotnFZFEjr1zCsicMWpAA",! "token_type":"bearer",! "expires_in":3600! }
  • 36. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 48 Client Resource Client Credentials Authorize Token GET /resource/1 HTTP/1.1! Host: example.com! Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  • 37. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 49 Client Resource Client Credentials Authorize Token HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "resource":"foo",! "value":"bar",! "success":true! }
  • 38. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 50
  • 39. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 51
  • 40. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 52 ▪ Equally difficult to dirt ▪ Good for trusted applications with login forms ▪ Good for testing ▪ Tokens expire ▪ Not good for server-to-server calls, as this would require hardcoded credentials Resource Owner Password Credentials
  • 41. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 53 Resource Owner Password Credentials $ curl https://api.github.com/login/oauth/token -d ‘grant_type=password’ -d ‘username=bshaffer’ -d ‘password=iheartavatar’ -d ‘client_id=avatarfanclub’ POST /login/oauth/token HTTP/1.1! Host: api.github.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=password! &username=bshaffer! &password=iheartavatar! &client_id=avatarfanclub
  • 42. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 54 Client Resource Owner Username / Password Token Authorization Code Authorize Resource POST /login/oauth/token HTTP/1.1! Host: api.github.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=password! &username=bshaffer! &password=iheartavatar! &client_id=avatarfanclub
  • 43. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 55 Client Token Resource Owner Password Credentials Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! "access_token":"2YotnFZFEjr1zCsicMWpAA",! "token_type":"bearer",! "expires_in":3600! }
  • 44. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 56
  • 45. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 57 Difficulty: Intermediate
  • 46. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 58
  • 47. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 59
  • 48. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 60 ▪ Why OAuth Exists ▪ For obtaining authorization to access a user’s information ▪ For when client credentials are secure (Web Applications) Authorization Code
  • 49. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 61 Authorization Code
  • 50. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 62 Client Authorization Request Authorization Code Authorization Code Access Token Access Token Protected Resource Authorize Token Resource Authorization Code
  • 51. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 63 Client Authorize Authorization Code GET /authorize! ?response_type=code! &client_id=s6BhdRkqt3! HTTP/1.1! Host: server.example.com!
  • 52. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 64 Client Authorize Authorization Code TokenHTTP/1.1 302 Found! Location: http://example.com/cb! ?code=SplxlOBeZQQYbYS6WxSbIA Resource
  • 53. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 65 Client Token Authorization Code Resource POST /token HTTP/1.1! Host: server.example.com! Authorization: Basic czZCaGRSa3F0Mzp! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code! &code=SplxlOBeZQQYbYS6WxSbIA Authorize
  • 54. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 66 Client Token Resource Owner Password Credentials Authorize HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! "access_token":"2YotnFZFEjr1zCsicMWpAA",! "token_type":"bearer",! "expires_in":3600! } Resource
  • 55. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 67
  • 56. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 68
  • 57. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 69 ▪ For native apps (Desktop, Mobile, Javascript in a browser) ▪ Your client’s credentials cannot be sent due to the public nature of the application ▪ We still want users to authorize our applications (3-legged) ▪ We want to prevent attackers from intercepting the request Implicit / Device Grant
  • 58. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 70 Implicit / Device Grant
  • 59. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 71 PublicClient Authorize Token Resource Implicit / Device Grant Access Token!
  • 60. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 72 ▪ A native call is made containing the access token directly from the authorization request ▪ Javascript ▪ Uses a registered Redirect URI ! ▪ Validated against Origins URL ! ▪ iOS Applications ▪ Issues a call to your app using a registered Bundle ID ▪ Android Applications ▪ Issues a call to your app using a registered Package Name Implicit / Device Grant https://mysite.com/myapp#access_token=xyz function onAuthorizeCallback(authResult) {..}
  • 61. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 73
  • 62. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 74 Login With OAuth
  • 63. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 75 ▪ It’s a Trick!! ▪ This is just Authorization Code in disguise! ▪ The application uses your profile data from the other service to create a local account ▪ The two accounts, your local account and the OAuth-provided account, are matched up every time you log in Login With OAuth
  • 64. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 76 Client Token Login with OAuth Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! "access_token":"2YotnFZFEjr1zCsicMWpAA",! "token_type":"bearer",! “expires_in":3600! }
  • 65. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 77 Client Resource Client Credentials Authorize Token GET /profile HTTP/1.1! Host: api.example.com! Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  • 66. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 78 Client Resource Login With OAuth Authorize Token HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! “user_id":"f560f23b24feff2g",! “first_name”:"Ash",! “nickname”:”Poke-Master”,! “favorite_pokemon”: “magikarp”! }
  • 67. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 79 ▪ This is not SSO ▪ Very nice way to trick your users into creating an account on your website (clients) ▪ Very nice way to maintain a single canonical user base (server) ▪ While being nefarious, it’s also convenient for your users ▪ Stay tuned for OpenID Connect (advanced) Login With OAuth
  • 68. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 80
  • 69. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 81 ▪ Usually comes back with an access token ▪ When your access token expires, you get another one ▪ Allows the user to not have to reauthorize ▪ Refresh Tokens can expire, or not Refresh Tokens
  • 70. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 82 Client Token Refresh Token Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! "access_token":"2YotnFZFEjr1zCsicMWpAA",! "token_type":"bearer",! "expires_in":3600,! “refresh_token”: “tGzv3JOkF0XG5Qx2TlKWIA“! }
  • 71. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 83 Client Token Refresh Token Authorize Resource POST /token HTTP/1.1! Host: server.example.com! Authorization: Basic czZCaGRSa3F0Mzp! Content-Type: application/x-www-form-urlencoded! ! grant_type=refresh_token! &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA Refresh Token
  • 72. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 84
  • 73. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 85 Difficulty: Expert
  • 74. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 86
  • 75. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 87 ▪ Json Web Token ▪ For Service Accounts (2-legged) ▪ Enterprise-style ▪ Uses Public/Private Keys rather than Client Credentials ▪ Signs a request and receives an access token upon validation JWT Bearer
  • 76. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 88 JWT Bearer
  • 77. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. // Create the payload $payload = json_encode(array( ‘iss’ => ‘myclient’, ‘sub’ => ‘myuser’, ‘aud’ => ‘api.example.com’ // ... )); 89 JWT Bearer // Create the header $header = base64_encode(json_encode(array( ‘algo’ => ‘RS256’, ‘typ’ => ‘jwt’ ))); eyJpc3MiOiJteWNsaWVudCIsInN1YiI6Im15d XNlciIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbS J9 eyJhbGdvIjoiUlNBMjU2IiwidHlwIjoiand0I n0=
  • 78. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 90 JWT Bearer $ curl https://api.example.com/token -d ‘grant_type=jwt_bearer’ -d ‘assertion=$JWT’ // sign that with a public key openssl_sign($input, $signature, $key, ‘RS256’); return sprintf(‘%s.%s’, $input, $signature); eyJhbGdvIjoiUlNBMjU2IiwidHlwIjoiand0I n0.eyJpc3MiOiJteWNsaWVudCIsInN1YiI6Im 15dXNlciIsImF1ZCI6ImFwaS5leGFtcGxlLmN vbSJ9.ZW50IiwicJKV3 // Patch em together $input = sprintf(‘%s.%s’, $header, $payload); eyJhbGdvIjoiUlNBMjU2IiwidHlwIjoiand0I n0.eyJpc3MiOiJteWNsaWVudCIsInN1YiI6Im 15dXNlciIsImF1ZCI6ImFwaS5leGFtcGxlLmN vbSJ9 YOU GET A TOKEN
  • 79. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 91 ▪ Layered Security ▪ No credentials are ever sent over the wire ▪ Similar to OAuth 1.0 JWT Bearer
  • 80. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 92
  • 81. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 93 ▪ Allows for Decentralized API Validation ▪ Authorization Server issues tokens signed using "key db” and a certificate authority ▪ Resource Server validates access tokens according to "Trust Model" ▪ Metadata for token exists in the token itself ▪ Very scalable JWT as Access Tokens
  • 82. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 94 Client Token JWT Access Token Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! “access_token”:”eyJhbGdvIjoiUlNBMjU2IiwidH lwIjoiand0In0.eyJpc3MiOiJteWNsaWVudCIsInN1Yi I6Im15dXNlciIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbS J9.ZW50IiwicJKV3",! "token_type":"bearer",! "expires_in":3600! }
  • 83. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 95
  • 84. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 96 ▪ An effort to standardize the “Login with OAuth” flow ▪ Answers the question “What is the identity of the person using this browser/device?” ▪ Standardizes the exchanging of user profile data ▪ Uses JWT to send profile data with the access token to save additional round trip request OpenID Connect
  • 85. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 97 Client Authorize OpenID Connect GET /authorize! ?response_type=token! &client_id=s6BhdRkqt3&state=xyz! &redirect_uri=https://example.com/cb! &scope=openid,email,profile! HTTP/1.1! Host: server.example.com!
  • 86. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 98 Client Token OpenID Connect Authorize Resource HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! Cache-Control: no-store! Pragma: no-cache! {! “access_token”:”xyz”,! “id_token”:”eyJhbGdvIjoiUlNBMjU2IiwidH lwIjoiand0In0.eyJpc3MiOiJteWNsaWVudCIsInN1Yi I6Im15dXNlciIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbS J9.ZW50IiwicJKV3",! "token_type":"bearer",! "expires_in":3600! }
  • 87. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 99 OpenID Connect // Decode the ID Token Payload $id_token = $response[‘id_token’]; list($header, $payload, $signature) = explode($id_token); $userData = base64_decode($payload); {! "iss":"accounts.google.com",! “email_verified":"true",! "email":"jsmith@example.com",! "sub":"10769150350006150715113082367",! "azp":"xyz.apps.googleusercontent.com",! // ...! }
  • 88. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 100 ! Scope Type Description sub string Subject - Identifier for the End-User at the Issuer. name string End-User's full name in displayable form including all name parts, possibly including titles and suffixes given_name string Given name(s) or first name(s) of the End-User. family_name string Surname(s) or last name(s) of the End-User. middle_name string Middle name(s) of the End-User. nickname string Casual name of the End-User preferred_username string Shorthand name by which the End-User wishes to be referred to at the RP profile string URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. picture string URL of the End-User's profile picture. This URL MUST refer to an image file website string URL of the End-User's Web page or blog. email string End-User's preferred e-mail address. email_verified boolean True if the End-User's e-mail address has been verified; otherwise false. gender string End-User's gender. Values defined by this specification are female and male. birthdate string End-User's birthday, represented as an ISO 8601:2004 [ISO8601-2004] YYYY-MM-DD format. zoneinfo string String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. locale string End-User's locale phone_number string End-User's preferred telephone number. phone_number_verified boolean True if the End-User's phone number has been verified; otherwise false. address JSON object End-User's preferred postal address. updated_at number Time the End-User's information was last updated. OpenID Connect
  • 89. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 101 Review Difficulty # of Legs Description Personal Access Token Easy Two Dead simple way to receive an access token Client Credentials Easy Two Uses client credentials (which are implicitly associated with a user or organization) to retrieve an access token Resource Owner Password Credentials Easy Two/Three Uses a user’s credentials to retrieve an access token Authorization Code Intermediate Three Allows authentication of third parties without requiring their passwords Implicit / Device Grant Intermediate Three Authorization Code, but for native apps, where credentials are public Login with OAuth Intermediate Three Uses Authorization Code to tie the authorized account to a local one Refresh Tokens Intermediate Three Used to get a new access tokens upon expiration without prompting the user JWT Bearer Expert Two Uses an Encrypted Payload to establish trust between server and client JWT Access Tokens Expert Two/Three Uses Encrypted Payload to establish trust amongst servers OpenID Connect Expert Three A standardization for retrieving user data who have Logged in with OAuth
  • 90. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 102 Resources ▪ OAuth Screencast: https://knpuniversity.com/screencast/oauth ▪ PHP Server-Side Library: https://github.com/bshaffer/oauth2-server-php ▪ OAuth 2.0 Spec - http://tools.ietf.org/html/rfc6749 ▪ JWT Spec - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20 ▪ More Great Slides - http://www.slideshare.net/rnewton/oauth-in-the-real-world-featuring-webshell
  • 91. © 2014 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

×