Incorporating OAuth: How to integrate OAuth into your mobile app
Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013

    Presentation Transcript

    • Incorporating OAuth: How to integrate OAuth into your mobile app
      By Travis Spencer, CEO
      @travisspencer, @2botech
      Copyright © 2013 Twobo Technologies AB. All rights reserved
    • Agenda
      The security challenge in context
      Neo-security stack
      OAuth basics
      Overview of other layers
    • Crucial Security Concerns
      Enterprise security, API security, mobile security
    • Identity is Central
      MDM, MAM and AuthZ; mobile security, API security and enterprise security all overlap on identity (Venn diagram by Gunnar Peterson)
    • Neo-security Stack
      SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
      OAuth 2 is the new meta-protocol defining how tokens are handled
      These address old requirements, solve new problems & are composed in useful ways
      Grandpa SAML & junior OpenID Connect
    • OAuth Actors
      Client
      Authorization Server (AS)
      Resource Server (RS) (i.e., API)
      Resource Owner (RO)
      (diagram: the client gets a token from the AS and uses that token at the RS)
    • OAuth Mobile App Flow
    • Request Authorization
    • Authenticate & Authorize
    • Register Custom Scheme in App
      <activity android:name=".CallbackActivity" …>
        <intent-filter>
          <data android:scheme="twobo" />
          …
        </intent-filter>
      </activity>
    • Callback to Custom Scheme
      In the OAuth server, configure the callback to the scheme that was registered
    • Exchange Code for Token
      (diagram: AC, the authorization code)
    • Calling the Token Endpoint
      // Token request body (RFC 6749 §4.1.3). grant_type tells the AS this is a
      // code exchange; response_type belongs to the authorization request, not here.
      var data = {
        "client_id" : clientId,
        "client_secret" : clientSecret,
        "code" : code,
        "grant_type" : "authorization_code"
      };
      $.post(tokenEndpoint, data, processAccessToken, "json");
      (diagram: AC goes in, AT and RT come out)
    • Tokens are Often JWTs
      Pronounced like the English word "jot"
      Lightweight tokens passed in HTTP headers & query strings
      Akin to SAML tokens
        Less expressive
        Fewer security options
        More compact
        Encoded w/ JSON not XML
    • Calling the API
      Provide AT to API according to bearer token profile
      $.ajax({
        url: apiEndpoint,
        dataType: "json",
        headers: { "Authorization": "Bearer " + accessToken },
        success: processResults
      });
    • API May Validate Token
      import urllib
      import urllib2

      def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
          # The RS posts the access token back to the AS so the AS can confirm it is valid
          values = {
              "client_id" : clientId,
              "client_secret" : clientSecret,
              "grant_type" : "…",
              "token" : accessToken,
          }
          request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
          return urllib2.urlopen(request)
    • App Consumes API Data
      App should only present AT to API
      Never send RT to API
      Use RT to get new AT if AT expires
      App can't use AT to determine anything about user
    • Overview of OpenID Connect
      Builds on OAuth for profile sharing
      Uses the flows optimized for user-consent scenarios
      Adds identity-based inputs/outputs to core OAuth messages
      Tokens are JWTs
    • What OAuth is and is not for
      Not for authentication
      Not really for authorization
      For delegation
    • Questions & Thanks
      @2botech, @travisspencer
      www.2botech.com, travisspencer.com