0
Secure Web Services    with OAuth    ~ Matthias Käppler ~      February 23rd, 2010        
Outline1)   Who Am I2)   Motivation3)   Introduction to OAuth4)   How OAuth works5)   OAuth on Android with Signpost      ...
Europes leading local review site               17M uniques       Im the Android guy at Qype.com!                
The mobile Web               What was WAP again?                      Nevermind.With todays hardware and infrastructure, m...
Mobile HTTP Clients                  Secure channel?Data integrity?      Client                        Web serviceAuthenti...
HTTPS          Secure Socket Layer + HTTPSecures the whole communication channelUses certificates and public key encryptio...
Right tool for the job?     Does all my data need encryption?Do users know, care about, or trust digital certificates? Im ...
What is OAuth?                          OAuth.net”An open protocol to allow secure API authorization in a simple and stand...
Motivation    Web users typically have their data spread    across various, often interweaved websites              e.g. F...
MotivationNow imagine you would do that with        your credit card!             
Where OAuth sets inWithout OAuth, users have to share their credentials    with potentially untrustworthy applications.   ...
Implications    OAuth does not require the user to trust            the client application.                      instead:O...
ImplicationsOAuth does not automatically grant clients permission by e.g. issueing certificates.                      inst...
How OAuth works       Ever heard of...       They use OAuth!          
How OAuth works   Alice wants to read her latest mentions on her          Android phone using SecTweet.                   ...
OAuth Access DelegationSecTweet does not yet have Alices permission to    access Twitter mentions on her behalf. However, ...
OAuth Access DelegationThis is done by doing the OAuth dance.             3-way handshake              
Step 1: The request token              GET twitter.com/oauth/request_tokenSecTweet                           request token...
Step 2: Token blessing                   open web browser / web viewSecTweet              call back with token + verificat...
Step 2: Token blessing        
Step 3: Token exchange            GET twitter.com/oauth/access_tokenSecTweet                        access tokenIf Alice a...
Message signingOnce an access token has been retrieved, SecTweetcan use it to access Alices resources on Twitter.com      ...
Message Signing  There is no need to store Alicesusername or password on the device.              
Message SigningAn OAuth signature is a unique fingerprint, typicallycomputed using keyed cryptographic hash functions.  Th...
ExampleGET /statuses/mentions.xml HTTP/1.1Host: twitter.comAuthorization: OAuth oauth_version=1.0,oauth_consumer_key=v5Dev...
Observations so farOAuth is not just about machines. It actually    involves the user as an authority.  OAuth protects the...
Observations so farOAuth operates on the same OSI layer as HTTP     and integrates seamlessly with it. OAuth does not obfu...
On the flip-sideOAuth requires a fair amount of set-up work,e.g. for keeping track of nonces and tokens.   OAuth affects t...
On the flip-side OAuth does not guarantee data privacy. It must be   used in conjunction with existing protocols to       ...
OAuth on Android        What we need is a library which is:               Written in Java.Integrates with Apache Commons H...
That would be SignpostSignpost is an extensible, HTTP layer independent,  client-side OAuth library for the Java platform....
Using SignpostHave an Activity that can receive callbacks:<activity android:name=".activities.OAuthActivity">  <intent-fil...
Using SignpostImplement OAuthActivity to have a SignpostOAuthConsumer and OAuthProvider:public class OAuthActivity {    pr...
Using SignpostStep 1: Retrieving the request tokenpublic class OAuthActivity {    private void step1() {        String url...
Step 2: Token blessing        
Using SignpostStep 3: Retrieving the access tokenpublic class OAuthActivity {    // website called back with:    // mycall...
Using SignpostSigning messages sent with HttpClient:public class AnyActivity {    private HttpClient httpClient = new Defa...
Outlook: WRAP The Web Resource Authorization Protocol is an OAuth   variant, aiming to simplify and extend OAuth 1.0aDrops...
More information               oauth.net      hueniverse.com/oauth            
More information    code.google.com/p/oauth-signpost               
Get involved          $ git clonegit://github.com/kaeppler/signpost.git              
Thank you       
Upcoming SlideShare
Loading in...5
×

Secure Webservices

2,238

Published on

Talk I did on the M2D2 on the OAuth protocol and the Signpost OAuth library

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,238
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
73
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Secure Webservices"

  1. 1. Secure Web Services with OAuth ~ Matthias Käppler ~ February 23rd, 2010   
  2. 2. Outline1) Who Am I2) Motivation3) Introduction to OAuth4) How OAuth works5) OAuth on Android with Signpost    
  3. 3. Europes leading local review site 17M uniques Im the Android guy at Qype.com!   
  4. 4. The mobile Web What was WAP again? Nevermind.With todays hardware and infrastructure, mobileapplications have become full blown Web clients.    
  5. 5. Mobile HTTP Clients Secure channel?Data integrity? Client Web serviceAuthentication? Authorized access?    
  6. 6. HTTPS Secure Socket Layer + HTTPSecures the whole communication channelUses certificates and public key encryption Very secure! But...    
  7. 7. Right tool for the job? Does all my data need encryption?Do users know, care about, or trust digital certificates? Im still giving away my password! What about authorization, and who actually decides that?    
  8. 8. What is OAuth? OAuth.net”An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” Wikipedia.org”OAuth is an open protocol that allows users to share their private resources [...] stored on one site with another site without having to hand out their username and password.”    
  9. 9. Motivation Web users typically have their data spread across various, often interweaved websites e.g. Flickr, Twitter, Vimeo, ...Each time users want to access their data, they must give away their username and password    
  10. 10. MotivationNow imagine you would do that with your credit card!    
  11. 11. Where OAuth sets inWithout OAuth, users have to share their credentials with potentially untrustworthy applications. a.k.a. the ”password anti-pattern”OAuth solves this by letting the user grant revokable access rights over a limited period of time.    
  12. 12. Implications OAuth does not require the user to trust the client application. instead:OAuth is about trust into the service being used.    
  13. 13. ImplicationsOAuth does not automatically grant clients permission by e.g. issueing certificates. instead: OAuth is about access right delegation from user to client.    
  14. 14. How OAuth works Ever heard of... They use OAuth!   
  15. 15. How OAuth works Alice wants to read her latest mentions on her Android phone using SecTweet. Or in OAuth lingo:Consumer SecTweet requires user Alices permission to access theprotected resource http://twitter.com/statuses/mentions from the service provider Twitter.    
  16. 16. OAuth Access DelegationSecTweet does not yet have Alices permission to access Twitter mentions on her behalf. However, Alice can pass authorization over to SecTweet by means of an access token. As long as this token is valid, SecTweet is allowed to access Alices resources.    
  17. 17. OAuth Access DelegationThis is done by doing the OAuth dance. 3-way handshake    
  18. 18. Step 1: The request token GET twitter.com/oauth/request_tokenSecTweet request token SecTweet contacts twitter.com, asking for a request token. This token must be ”blessed” by Alice.    
  19. 19. Step 2: Token blessing open web browser / web viewSecTweet call back with token + verification codeSecTweet opens Twitters authorization website in a browser (or Web view). Alice is asked to either grant or deny SecTweet access to her Twitter data.    
  20. 20. Step 2: Token blessing   
  21. 21. Step 3: Token exchange GET twitter.com/oauth/access_tokenSecTweet access tokenIf Alice agrees, SecTweet will then exchange the blessed request token for an access token.    
  22. 22. Message signingOnce an access token has been retrieved, SecTweetcan use it to access Alices resources on Twitter.com by signing all requests with it. HTTP message Signature    
  23. 23. Message Signing There is no need to store Alicesusername or password on the device.    
  24. 24. Message SigningAn OAuth signature is a unique fingerprint, typicallycomputed using keyed cryptographic hash functions. Thus, both integrity and authenticity of a signed message can be verified by the receiver. Signatures are protected from eavesdropping and replay attacks by using timestamps and nonces.    
  25. 25. ExampleGET /statuses/mentions.xml HTTP/1.1Host: twitter.comAuthorization: OAuth oauth_version=1.0,oauth_consumer_key=v5Dev9QtVuzkhssYoH,oauth_token=pbZXhbz2p5w8h6y,oauth_timestamp=1265563431,oauth_nonce=73980654659,oauth_signature=pvISiky7dm9FD45mfZkP0S50yu0=,oauth_signature_method=HMAC-SHA1    
  26. 26. Observations so farOAuth is not just about machines. It actually involves the user as an authority. OAuth protects the users credentials by simply not sending them!OAuth checks the integrity, authenticity and authorization of Web service calls.    
  27. 27. Observations so farOAuth operates on the same OSI layer as HTTP and integrates seamlessly with it. OAuth does not obfuscate message payload, making it easy to debug.OAuth itself is a fairly non-technical protocol. It emerged from real world requirements and use cases.    
  28. 28. On the flip-sideOAuth requires a fair amount of set-up work,e.g. for keeping track of nonces and tokens. OAuth affects the user signup journey.Balancing UX here can be a two-edged sword.    
  29. 29. On the flip-side OAuth does not guarantee data privacy. It must be used in conjunction with existing protocols to achieve that (e.g. SSL).The OAuth standard is unclear and difficult to read at times, resulting in compatibility issues. Hammer time!    
  30. 30. OAuth on Android What we need is a library which is: Written in Java.Integrates with Apache Commons HTTP. Is lightweight and easy to integrate.   
  31. 31. That would be SignpostSignpost is an extensible, HTTP layer independent, client-side OAuth library for the Java platform. It works on Android!    
  32. 32. Using SignpostHave an Activity that can receive callbacks:<activity android:name=".activities.OAuthActivity"> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="mycallback"/> </intent-filter></activity>    
  33. 33. Using SignpostImplement OAuthActivity to have a SignpostOAuthConsumer and OAuthProvider:public class OAuthActivity { private OAuthConsumer consumer = new CommonsHttpOAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET); private OAuthProvider provider = new CommonsHttpOAuthProvider( http://example.com/oauth/request_token, http://example.com/oauth/access_token, http://www.example.com/oauth/authorize); . . .}    
  34. 34. Using SignpostStep 1: Retrieving the request tokenpublic class OAuthActivity { private void step1() { String url = provider.retrieveRequestToken(consumer, mycallback:///); storeTokenToPreferences(consumer.getToken()); storeTokenSecretToPreferences(consumer.getTokenSecret()); startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)); }}    
  35. 35. Step 2: Token blessing   
  36. 36. Using SignpostStep 3: Retrieving the access tokenpublic class OAuthActivity { // website called back with: // mycallback:///?oauth_token=xxx&oauth_verifier=12345 private void step3(callbackUrl) { String oauthVerifier = callbackUrl.getQueryParameter(OAuth.OAUTH_VERIFIER); String token = readTokenFromPreferences(); String secret = readSecretFromPreferences(); provider.retrieveAccessToken(consumer, oauthVerifier); storeTokenToPreferences(consumer.getToken()); storeTokenSecretToPreferences(consumer.getTokenSecret()); }}    
  37. 37. Using SignpostSigning messages sent with HttpClient:public class AnyActivity { private HttpClient httpClient = new DefaultHttpClient(); private void sendSignedRequest() { HttpRequest request = new HttpGet(http://example.com/protected.xml); consumer.sign(request); HttpResponse response = httpClient.execute(request); // . . . }}    
  38. 38. Outlook: WRAP The Web Resource Authorization Protocol is an OAuth variant, aiming to simplify and extend OAuth 1.0aDrops signatures in favor of SSL secured connections and short lived access-tokens Defines additional ways to retrieve tokens    
  39. 39. More information oauth.net hueniverse.com/oauth   
  40. 40. More information code.google.com/p/oauth-signpost   
  41. 41. Get involved $ git clonegit://github.com/kaeppler/signpost.git    
  42. 42. Thank you   
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×