OAuth 2.0 in depth
This presentation talks about why OAuth 2.0 came into the picture, what it is, and how to use it.
It shows practical examples of OAuth 2.0 on Facebook and Google.

It also talks about the history of OpenID and how it differs from OAuth, and about the next step in OpenID, OpenID Connect (in theory).


Presentation Transcript

  • OAuth 2.0 in Depth. By Rohit Ghatol, Director @ Synerzip, passionate about TechNext
  • Why study OAuth?
  • Do you care about these or similar sites? Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
  • Diagram: a browser reaches Facebook, LinkedIn, Foursquare and Twitter through HTTP access; mashups reach them through API access
  • 7155 APIs listed on http://ProgrammableWeb.com
  • 390 APIs on http://ProgrammableWeb.com support OAuth
  • Security: Authentication and Authorization
  • OAuth in a Nutshell: Can I have your Debit Card and ATM PIN?
  • OAuth in a Nutshell: Can I have your Credit Card?
  • OAuth Practical Example
  • Without OAuth
  • Without OAuth
  • Without OAuth
  • Let's Start Again
  • With OAuth
  • With OAuth
  • With OAuth
  • With OAuth
  • Let's get Technical
  • Why is OAuth required? What are the limitations of passwords?
    – Trust – the user does not trust the client
    – More access than required – no support for granular permissions
    – Phishing – helps phishing activities
    – Lower reliability of API interfaces
    – Unable to revoke access once provided
  • Why is OAuth required? OAuth is required for delegating access
    – to a certain party
    – for a certain resource
    – for a limited time
    – which can be selectively revoked
  • Understand OAuth Roles
  • Roles
    – Resource Owner – e.g. a Picasa user
    – Resource Server – e.g. Picasa hosting
    – Client – e.g. a mashup built for Picasa
    – Authorization Server – e.g. Google Auth Server
  • Resource Owner
    – An entity capable of granting access to a protected resource.
    – When the resource owner is a person, it is referred to as an end-user.
  • Resource Server
    – The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • Client
    – An application making protected resource requests on behalf of the resource owner and with its authorization.
  • Authorization Server
    – The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  • Protocol Flow (abstract)
    – Client → Resource Owner: Authorization Request
    – Resource Owner → Client: Authorization Grant
    – Client → Authorization Server: Authorization Grant
    – Authorization Server → Client: Access Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
  • Pre Requisite for OAuth: register the application with the OAuth provider
    – Facebook: https://developers.facebook.com/apps
    – Google: https://code.google.com/apis/console/b/0/?pli=1#access
    – Twitter: https://dev.twitter.com/apps/new
    – LinkedIn: https://www.linkedin.com/secure/developer?newapp=
  • Pre Requisite for OAuth: this will give you two essential things, client_id and client_secret, together with the redirect_uri you registered
  • Tools used to try OAuth
  • Different ways to Do OAuth
  • Grant Types
    – Authorization Code Grant
    – Implicit Grant
    – Resource Owner Password Credentials Grant
    – Client Credentials Grant
  • Protocol Flow (abstract, as above)
    – Client → Resource Owner: Authorization Request
    – Resource Owner → Client: Authorization Grant
    – Client → Authorization Server: Authorization Grant
    – Authorization Server → Client: Access Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
  • Protocol Flow with Refresh Token
    – Client → Authorization Server: Access Grant & Client Credentials
    – Authorization Server → Client: Access Token & Refresh Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
    – Client → Resource Server: Access Token (now expired)
    – Resource Server → Client: Invalid Token Error
    – Client → Authorization Server: Refresh Token & Client Credentials
    – Authorization Server → Client: Access Token & Optional Refresh Token
  • Live Example Facebook
  • Step 1 – Get Authorization Code
  • Understanding the URL
    – client_id – the ID of the client app
    – redirect_uri – where to go back after OAuth
    – scope – permissions allowed by the user
    – state – something to pass back to redirect_uri
  • State which we sent
  • Authorization Grant Code which needs to be exchanged for an Access Token
  • Step 2 – Exchange to get Access Code
  • Important Note
    – This step is to be performed on the server side.
    – Why? Because you need to use your Client ID and Client Secret alongside the Authorization Code you just received to gain an Access Code (the access token).
    – The Access Code is required to gain access to protected resources.
  • Understanding the URL
    – client_id – the ID of the client app
    – client_secret – the secret of the client app
    – redirect_uri – the registered redirect_uri
    – code – the Authorization Grant Code
  • Step 3 – Access Protected Resource. Pass the Access Code to access the protected resource:
    1. Recommended – in HTTP headers, so it is not cached by proxies
    2. Also possible as a query parameter
  • Facebook Protected Resource
  • Facebook Protected Resource
  • Live Example Google
  • Step 1 – Get Authorization Code
  • Understanding the URL
    – client_id – the ID of the client app
    – redirect_uri – where to go back after OAuth
    – scope – permissions allowed by the user
    – state – something to pass back to redirect_uri
    – response_type = "code" means authorization code
    – access_type = "offline" to get access to the "refresh_token"
  • State which we sent
  • Authorization Grant Code which needs to be exchanged for an Access Token
  • Step 2 – Exchange to get Access Code
  • Step 3 – Access Protected Resource. Pass the Access Code to access the protected resource:
    1. Recommended – in HTTP headers, so it is not cached by proxies
    2. Also possible as a query parameter
  • Google Protected Resource
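The Facebook and Google walkthroughs above share the same client-side steps. The Python helpers below are an added example, not code from the slides or from either provider's SDK; they assume a constructed client registration and the as.example.com authorization endpoint that the mobile slides later use. They build the step 1 URL with a state value, refuse a callback whose state does not match before touching its code, build the server-side step 2 exchange body, and put the token in the step 3 Authorization header.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration values; real ones come from the provider's developer console
CLIENT_ID = "123456789012345"
CLIENT_SECRET = "constructed-client-secret"  # stays on the server, never in a browser or app
REDIRECT_URI = "https://client.example/oauthcallback"
AUTHZ_ENDPOINT = "https://as.example.com/as/authorization.oauth2"

def new_state():
    """Fresh unguessable value, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(16)

def build_authorization_url(scope, state, offline=False):
    """Step 1: the URL the browser is sent to."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",  # "code" means authorization code grant
        "scope": scope,
        "state": state,
    }
    if offline:
        params["access_type"] = "offline"  # Google-specific: also get a refresh_token
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to redirect_uri (an https
    URL, or a native app's custom scheme such as x-com.mycorp.myapp://oauth.callback).
    A callback whose state differs from the stored one was not started by this client."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def build_token_request(code):
    """Step 2, server side only because it needs client_secret: the form body POSTed
    to the token endpoint to exchange the code for an access token."""
    return urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,  # must equal the registered redirect_uri
        "code": code,
        "grant_type": "authorization_code",
    })

def bearer_header(access_token):
    """Step 3: token in the Authorization header, so proxies and logs do not record it."""
    return {"Authorization": "Bearer " + access_token}
```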
  • What happens when access token expires?
  • Use Refresh_Token to Issue Access_Token
  • Grant Types (next: Implicit Grant)
    – Authorization Code Grant
    – Implicit Grant
    – Resource Owner Password Credentials Grant
    – Client Credentials Grant
  • Protocol Flow (Implicit Grant)
    – Client → Resource Owner: Authorization Request
    – Resource Owner → Client: Access Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
  • Live Example Facebook
  • Step 1 – Get Access Code
  • Step 1 – Get Access Code. See, you directly got the access code
  • Step 2 – Access Protected Resource. Pass the Access Code to access the protected resource:
    1. Recommended – in HTTP headers, so it is not cached by proxies
    2. Also possible as a query parameter
  • Facebook Protected Resource
  • Facebook Protected Resource
  • Live Example Google
  • Step 1 – Get Access Code
  • Step 1 – Get Access Code
  • Step 1 – Get Access Code. See, you directly got the access code
  • Step 2 – Access Protected Resource. Pass the Access Code to access the protected resource:
    1. Recommended – in HTTP headers, so it is not cached by proxies
    2. Also possible as a query parameter
  • Google Protected Resource
  • PostMan Import Scripts
    – Authorization-Grant – http://www.getpostman.com/collections/0c31cb5910e6a60896f7
    – Implicit-Grant – http://www.getpostman.com/collections/3085769daec37cc41c1a
  • Grant Types (next: Resource Owner Password Credentials Grant)
    – Authorization Code Grant
    – Implicit Grant
    – Resource Owner Password Credentials Grant
    – Client Credentials Grant
  • Protocol Flow (Resource Owner Password Credentials Grant)
    – Resource Owner → Client: Username/Password
    – Client → Authorization Server: Resource Owner Credentials & Client Credentials
    – Authorization Server → Client: Access Token with Optional Refresh Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
  • Use Cases
    – Strong trust between Resource Owner and Client, e.g. an operating system or a privileged app
    – The client is not supposed to store the credentials, only the access token and the refresh token if provided
    – Example – Salesforce OAuth has provision for this
  • Grant Types (next: Client Credentials Grant)
    – Authorization Code Grant
    – Implicit Grant
    – Resource Owner Password Credentials Grant
    – Client Credentials Grant
  • Protocol Flow (Client Credentials Grant)
    – Client → Authorization Server: Client Credentials
    – Authorization Server → Client: Access Token with Optional Refresh Token
    – Client → Resource Server: Access Token
    – Resource Server → Client: Protected Resource
  • Use case
    – The data accessed is not owned by the Resource Owner but by the Client
    – Say Skype showing statistics of the uptime of its services
  • Use case
    – There is a contract already set between the Client and the Authorization Server
    – E.g. Google Apps Marketplace
    – An app installed on Google Apps requires permission to everyone's calendar in that domain. This permission is provided by the admin and not the end user.
  • OAuth from Mobile Device
  • Popular Approaches
    – Using User Agent (stock browser)
    – Using Embedded WebView
  • Disclaimer
    – The following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    – I have no claim on the following slides, with the reference stated in them
    – Thank you Brian Campbell for the excellent presentation
  • Step 1 – Request Authorization. When the user first needs to access some protected resource, the client opens a browser and sends the user to the authorization endpoint:
      https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
    Android (launch the stock browser with a VIEW intent):
      Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
      Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
      startActivity(launchBrowser);
    iOS (hand the URL to the system browser):
      NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
      [[UIApplication sharedApplication] openURL:[NSURL URLWithString:launchUrl]];
    Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  • Step 2 – Authenticate and Approve. The AS authenticates the user, either directly or indirectly via Facebook, Twitter, Google, Yahoo, etc.
  • Step 2 (cont'd) – Approve. The user approves the requested access.
  • Step 3 – Handle Callback. The server returns control to the app via HTTP redirection and includes an authorization code:
      HTTP/1.1 302 Found
      Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  • Step 3 (cont'd) – Handle Callback. Registering a custom URI scheme on Android, in the AndroidManifest.xml file:
      <activity android:name=".MyAppCallback" … >
        <intent-filter>
          <action android:name="android.intent.action.VIEW"/>
          <category android:name="android.intent.category.DEFAULT"/>
          <category android:name="android.intent.category.BROWSABLE"/>
          <data android:scheme="x-com.mycorp.myapp" />
        </intent-filter>
      </activity>
    The callback activity then reads the code from the intent's data URI:
      String authzCode = getIntent().getData().getQueryParameter("code");
  • Step 3 (cont'd) – Handle Callback. Registering a custom URI scheme on iOS, in the app's Info.plist file; the app then receives the callback URL and parses its query string:
      - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
          NSString *queryString = [url query];
          NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
          for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
              NSArray *elts = [param componentsSeparatedByString:@"="];
              if ([elts count] < 2) continue;   // skip anything that is not name=value
              [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
          }
          NSString *code = [qsParms objectForKey:@"code"];
          ...
  • Step 4 – Trade Code for Token(s). Token endpoint request:
      POST /as/token.oauth2 HTTP/1.1
      Host: as.example.com
      Content-Type: application/x-www-form-urlencoded;charset=UTF-8

      client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    Token endpoint response:
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "token_type":"Bearer",
        "expires_in":3600,
        "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
        "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
      }
  • Step 5 – Using an Access Token. Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header:
      POST /api/update-status HTTP/1.1
      Host: rs.example.com
      Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
      Content-Type: application/x-www-form-urlencoded;charset=UTF-8

      status=Almost%20done.
    iOS:
      NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
      NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
      [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
      [request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
    Android (Apache HttpClient):
      DefaultHttpClient httpClient = new DefaultHttpClient();
      HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
      post.setHeader("Authorization", "Bearer " + accessToken);
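The following Python code is an added example, not from these slides or Brian Campbell's deck. It handles the token endpoint response shown above and the "what happens when the access token expires" case from the refresh token slides: it pins expires_in to an absolute time, recognises the resource server's invalid_token error, builds the refresh request, and keeps the old refresh token when the response omits a new one. The client credentials passed in are assumed placeholders.

```python
import json
import re
from urllib.parse import urlencode

# Token endpoint response copied from the slide above (sample values, not live tokens)
TOKEN_RESPONSE = ('{"token_type":"Bearer","expires_in":3600,'
                  '"access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",'
                  '"refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"}')

def parse_token_response(body, now):
    """Turn the JSON body into a dict with an absolute expiry. expires_in is
    relative, so it is pinned to the clock read when the response arrived; a
    missing expires_in counts as already expired rather than as 'lives forever'."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    if not data.get("access_token"):
        raise ValueError("no access_token in response")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),  # optional, may be absent
    }

def needs_refresh(tokens, now, skew=60):
    """Refresh a little before expiry so a request is not sent with a token that
    dies in flight; skew also absorbs clock drift between client and server."""
    return now >= tokens["expires_at"] - skew

def is_invalid_token_error(status, www_authenticate):
    """The resource server's 'Invalid Token Error' from the flow diagram: a 401
    whose WWW-Authenticate header says Bearer ... error="invalid_token" (RFC 6750)."""
    return status == 401 and bool(re.search(r'error="invalid_token"', www_authenticate or ""))

def build_refresh_request(tokens, client_id, client_secret):
    """Form body for the token endpoint: refresh token plus client credentials."""
    if not tokens["refresh_token"]:
        raise ValueError("no refresh_token held: the user must authorize again")
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })

def apply_refresh_response(old, body, now):
    """The refresh response carries an 'optional refresh token'; when none is
    sent the previous one stays valid and must be kept for the next refresh."""
    new = parse_token_response(body, now)
    if new["refresh_token"] is None:
        new["refresh_token"] = old["refresh_token"]
    return new
```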
  • Pros and Cons (stock browser)
    – Pros: the user may already be logged in, in most cases; the user will trust it as he/she sees https and the domain name
    – Cons: complicated custom URI scheme
  • Popular Approaches (next: Embedded WebView)
    – Using User Agent (stock browser)
    – Using Embedded WebView
  • Pros and Cons (embedded WebView)
    – Pros: easier to monitor pages and extract authorization or access codes
    – Cons: may not appeal since neither https nor the domain name is visible; the WebView has separate cookies and history, leading to the client entering credentials each time
  • Open ID Story
  • Example of OpenID
  • What are you doing? Proving you own http://rohitghatol.myopenid.com
  • Another Example
  • Wait!! It's http://openid.rohitghatol.com, your own page; how does OpenID work then?
  • Discover who is the Identity provider
  • Behind the Scene. Reference - http://openid.net/pres/protocolflow-1.1.png
  • Difference between OpenID and OAuth
    – OpenID: know who is coming to your site; delegated authentication
    – OAuth: give rights to certain APIs; delegated authorization
  • Next Steps : OpenID Connect
  • Disclaimer
    – My understanding of OpenID Connect is limited.
    – Me talking about OpenID Connect is an attempt to understand why it was born and what its purpose is.
  • OpenID Connect
  • OpenID Connect
  • OpenID Connect: why did it come into the picture?
    – Both OpenID and OAuth rely on redirection to allow the client to grant permissions
    – The protocol flow is similar – redirection & verification
    – Passing permissions to gain authentication (identity information) is the same as passing permission to gain authority over some APIs
  • Let’s see a Dummy Flow
  • Step 1 – Get Access_Code and ID_Token
  • Build the OAuth URL for id_token & access_token (implicit grant flow)
  • Dummy Response: https://oauth2demo.appspot.com/oauthcallback#access_token=ya29.AHES6ZSzX&token_type=Bearer&expires_in=3600&id_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY…
  • ID_Token
    – Is a JSON Web Token
    – It can be decoded to get the details
    – Or taken to the Check ID Endpoint to get the decoding done
  • Step 2 – Verify the Identity by going to the Check ID End Point
  • Verify with Check ID End Point:
      {
        "iss": "https://accounts.example.com",
        "user_id": "113487456102835830811",
        "aud": "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com",
        "exp": 1311281970,
        "nonce": 12345677
      }
  • What does the response mean?
    – "user_id": the authenticated user
    – "aud": the client_id, so we know it is meant for us
    – "exp": expiry
    – "nonce": what we sent, to prevent replay attacks
  • Step 3 – Get User Info from the UserInfo EndPoint
  • The UserInfo EndPoint is a special resource accessed by providing the access_token
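As an added example, not from the slides, the Python code below performs the checks the last slides describe: it decodes the id_token payload and validates iss, aud, exp and nonce against what the client sent. The sample claims are those of the Check ID slide (the nonce value is the slide's constructed one); the token builder exists only to produce something decodable, and signature verification is left to a JOSE library or to the Check ID endpoint.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_id_token(claims, alg="RS256"):
    """Builds a token in JWT form (header.payload.signature) purely to have
    something to decode; the third part is a placeholder, not a signature."""
    header = _b64url_encode(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + payload + ".placeholder-signature"

def decode_id_token(id_token):
    """Split and decode header and payload. This does not check the signature:
    before the claims are trusted, verify it against the provider's published
    keys with a JOSE library, or hand the token to the Check ID endpoint."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # refuse "none" and unexpected algorithms
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    return header, json.loads(_b64url_decode(parts[1]))

def validate_claims(claims, issuer, client_id, nonce, now):
    """The checks behind 'What does the response mean?'. Returns None when the
    token is acceptable, otherwise a short reason it was rejected."""
    if claims.get("iss") != issuer:
        return "iss mismatch: issued by a different provider"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return "aud mismatch: token meant for another client"
    if int(claims.get("exp", 0)) <= now:
        return "expired"
    if str(claims.get("nonce")) != str(nonce):
        return "nonce mismatch: possible replay"
    if not claims.get("user_id"):  # the slide's claim name; current OpenID Connect uses "sub"
        return "no authenticated user"
    return None

# Claims from the Check ID slide above
SAMPLE_CLAIMS = {
    "iss": "https://accounts.example.com",
    "user_id": "113487456102835830811",
    "aud": "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com",
    "exp": 1311281970,
    "nonce": 12345677,
}
```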
  • References
    – Book – Getting Started with OAuth 2.0
    – Facebook Documentation
    – Google Documentation
    – Brian David Campbell's Presentation