OAuth 2.0 in depth

This presentation talks about why OAuth 2.0 came into the picture, what it is and how to use it, and shows practical examples of OAuth 2.0 on Facebook and Google.

It also covers the history of OpenID, how it differs from OAuth, and the next step in OpenID, OpenID Connect (in theory).



  1. OAuth 2.0 in Depth – by Rohit Ghatol, Director @ Synerzip, passionate about TechNext
  2. Why study about OAuth?
  3. Do you care about these or similar sites? (Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png)
  4. Diagram: a Browser reaches Facebook, LinkedIn, Foursquare and Twitter through HTTP access; Mashups reach them through API access
  5. 7155 APIs listed on http://ProgrammableWeb.com
  6. 390 APIs on http://ProgrammableWeb.com support OAuth
  7. Security (diagram labels: Closed, Closed; Authentication, Authorization)
  8. OAuth in a Nutshell – Can I have your Debit Card and ATM PIN?
  9. OAuth in a Nutshell – Can I have your Credit Card?
  10. OAuth Practical Example
  11. Without OAuth
  12. Without OAuth
  13. Without OAuth
  14. Let's Start Again
  15. With OAuth
  16. With OAuth
  17. With OAuth
  18. With OAuth
  19. Let's get Technical
  20. Why OAuth is required?
      • What are the limitations with passwords?
        – Trust – user not trusting
        – More access than required – no support for granular permissions
        – Phishing – helping phishing activities
        – Lower reliability of API interfaces
        – Unable to revoke access once provided
  21. Why OAuth is required?
      • OAuth is required for delegating access
        – To a certain party
        – For a certain resource
        – For a limited time
        – Which can be selectively revoked
  22. Understand OAuth Roles
  23. Roles
      • Resource Owner – e.g. Picasa user
      • Resource Server – e.g. Picasa hosting
      • Client – e.g. a mashup built for Picasa
      • Authorization Server – e.g. Google Auth Server
  24. Resource Owner
      • An entity capable of granting access to a protected resource.
      • When the resource owner is a person, it is referred to as an end-user.
  25. Resource Server
      • The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  26. Client
      • An application making protected resource requests on behalf of the resource owner and with its authorization.
  27. Authorization Server
      • The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  28. Protocol Flow (diagram)
      Client → Resource Owner: Authorization Request
      Resource Owner → Client: Authorization Grant
      Client → Authorization Server: Authorization Grant
      Authorization Server → Client: Access Token
      Client → Resource Server: Access Token
      Resource Server → Client: Protected Resource
  29. Pre Requisite for OAuth
      • Register application with the OAuth provider
        – Facebook • https://developers.facebook.com/apps
        – Google • https://code.google.com/apis/console/b/0/?pli=1#access
        – Twitter • https://dev.twitter.com/apps/new
        – LinkedIn • https://www.linkedin.com/secure/developer?newapp=
  30. Pre Requisite for OAuth
      • This will give you two essential things
        – client_id
        – client_secret
        – redirect_uri
  31. Tools used to try OAuth
  32. Different ways to do OAuth
  33. Grant Types
      • Authorization Code Grant
      • Implicit Grant
      • Resource Owner Password Credentials Grant
      • Client Credentials Grant
  34. Protocol Flow (diagram, same as slide 28)
  35. Protocol Flow with refresh token (diagram)
      Client → Authorization Server: Access Grant & Client Credentials
      Authorization Server → Client: Access Token & Refresh Token
      Client → Resource Server: Access Token
      Resource Server → Client: Protected Resource
      Client → Resource Server: Access Token
      Resource Server → Client: Invalid Token Error
      Client → Authorization Server: Refresh Token & Client Credentials
      Authorization Server → Client: Access Token & Optional Refresh Token
  36. Live Example – Facebook
  37. Step 1 – Get Authorization Code
  38. Understanding the URL
      • client_id – the ID of the client app
      • redirect_uri – where to go back after OAuth
      • scope – permissions allowed by the user
      • state – something to pass back to redirect_uri
  39. State which we sent
  40. Authorization Grant Code which needs to be exchanged for an Access Token
  41. Step 2 – Exchange to get Access Code
  42. Important Note
      • This step is to be performed at the server side.
      • Why?
      • Because you need to use your Client ID and Client Secret alongside the Authorization Code you just received to gain an Access Code
      • The Access Code is required to gain access to protected resources
  43. Understanding the URL
      • client_id – the ID of the client app
      • client_secret – the secret of the client app
      • redirect_uri – the registered redirect_uri
      • code – Authorization Grant Code
  44. Step 3 – Access Protected Resource
      Pass the Access Code to access the protected resource
      1. Recommended – HTTP headers – so this is not cached by proxies
      2. It can also be passed as a query parameter
  45. Facebook Protected Resource
  46. Facebook Protected Resource
  47. Live Example – Google
  48. Step 1 – Get Authorization Code
  49. Understanding the URL
      • client_id – the ID of the client app
      • redirect_uri – where to go back after OAuth
      • scope – permissions allowed by the user
      • state – something to pass back to redirect_uri
      • response_type = "code" means authorization code
      • access_type = "offline" to get access to the "refresh_token"
  50. State which we sent
  51. Authorization Grant Code which needs to be exchanged for an Access Token
  52. Step 2 – Exchange to get Access Code
  53. Step 3 – Access Protected Resource
      Pass the Access Code to access the protected resource
      1. Recommended – HTTP headers – so this is not cached by proxies
      2. It can also be passed as a query parameter
  54. Google Protected Resource
  55. What happens when the access token expires?
  56. Use Refresh_Token to issue a new Access_Token
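The Facebook and Google walkthroughs (Steps 1 to 3) and the refresh step on slides 55 and 56 are one and the same authorization code grant. The following is an added example, not code from the slides or from any provider, that runs the whole exchange offline in Python: the authorization server and the resource server are in-memory stand-ins I constructed, and the endpoint URL, client_id, client_secret and redirect_uri are assumed values. The client generates and checks the state parameter, exchanges the code server side with the client secret, sends the token only in the Authorization header, and on an invalid-token error uses the refresh token before giving up.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example.com/authorize"       # assumed endpoint
CLIENT_ID = "myapp"                                         # assumed; issued at app registration
CLIENT_SECRET = "constructed-client-secret"                 # constructed; issued at app registration
REDIRECT_URI = "https://client.example.com/oauthcallback"   # assumed registered redirect_uri

class MockAuthorizationServer:
    """In-memory stand-in for the provider (no network): codes, access and refresh tokens."""

    def __init__(self, token_ttl=3600):
        self.codes, self.access, self.refresh, self.ttl = {}, {}, {}, token_ttl

    def authorize(self, q):
        # Slides 39/40: after login and consent, redirect back with our state and a one-time code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        # Slide 42: server side only, because client_secret is presented here.
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # a code is consumed on first use
            if entry is None or entry[:2] != (CLIENT_ID, form.get("redirect_uri")):
                return {"error": "invalid_grant"}
            scope = entry[2]
        elif form.get("grant_type") == "refresh_token":
            scope = self.refresh.pop(form.get("refresh_token"), None)  # rotated on use
            if scope is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (scope, time.time() + self.ttl)
        self.refresh[refresh] = scope
        return {"token_type": "Bearer", "expires_in": self.ttl,
                "access_token": access, "refresh_token": refresh}

def resource_server_get(authz, headers):
    # Stand-in API (slide 44): the token is read only from the Authorization header.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    scope, expiry = authz.access.get(auth[len("Bearer "):], (None, 0.0))
    if scope is None or time.time() >= expiry:
        return 401, {"error": "invalid_token"}  # slide 35: Invalid Token Error
    return 200, {"resource": "protected", "scope": scope}

class Client:
    def __init__(self, authz):
        self.authz, self.pending_state, self.tokens = authz, None, None

    def start(self, scope):
        # Step 1: random state, remembered so the callback can be tied to this request.
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "response_type": "code", "scope": scope, "state": self.pending_state})

    def callback(self, url):
        # Step 2: verify state before exchanging the code; drop callbacks we did not start.
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if self.pending_state is None or q.get("state") != self.pending_state:
            raise ValueError("state mismatch")
        self.pending_state = None
        self.tokens = self.authz.token({
            "grant_type": "authorization_code", "code": q.get("code"), "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI})
        if "error" in self.tokens:
            raise RuntimeError(self.tokens["error"])
        return self.tokens

    def fetch(self):
        # Step 3, plus the refresh path of slides 35, 55 and 56 on an invalid_token error.
        status, body = resource_server_get(self.authz, {"Authorization": "Bearer " + self.tokens["access_token"]})
        if status == 401 and body.get("error") == "invalid_token":
            renewed = self.authz.token({
                "grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"],
                "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
            if "error" in renewed:
                return status, body  # refresh rejected: the user has to authorize again
            self.tokens = renewed
            status, body = resource_server_get(self.authz, {"Authorization": "Bearer " + renewed["access_token"]})
        return status, body

def run_flow(scope="read_profile", invalidate_first_token=False):
    # Drive the whole exchange offline and return what the client ended up with.
    authz = MockAuthorizationServer()
    client = Client(authz)
    q = {k: v[0] for k, v in parse_qs(urlparse(client.start(scope)).query).items()}
    first = dict(client.callback(authz.authorize(q)))  # the user logs in and approves here
    if invalidate_first_token:
        authz.access.pop(first["access_token"])  # simulates an expired or revoked token
    status, body = client.fetch()
    return {"first": first, "status": status, "body": body, "current": client.tokens}
```

`run_flow()` returns a 200 with the first token; `run_flow(invalidate_first_token=True)` hits the invalid-token error, refreshes, and retries, so the token it ends with differs from the first one. The stand-in server also refuses a second exchange of the same code and rejects a wrong client secret, which is the behaviour the "server side only" note on slide 42 relies on.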
  57. Grant Types
      • Authorization Code Grant
      • Implicit Grant
      • Resource Owner Password Credentials Grant
      • Client Credentials Grant
  58. Protocol Flow – Implicit Grant (diagram)
      Client → Resource Owner: Authorization Request
      Resource Owner → Client: Access Token
      Client → Resource Server: Access Token
      Resource Server → Client: Protected Resource
  59. Live Example – Facebook
  60. Step 1 – Get Access Code
  61. Step 1 – Get Access Code – see, you directly got the access code
  62. Step 2 – Access Protected Resource
      Pass the Access Code to access the protected resource
      1. Recommended – HTTP headers – so this is not cached by proxies
      2. It can also be passed as a query parameter
  63. Facebook Protected Resource
  64. Facebook Protected Resource
  65. Live Example – Google
  66. Step 1 – Get Access Code
  67. Step 1 – Get Access Code
  68. Step 1 – Get Access Code – see, you directly got the access code
  69. Step 2 – Access Protected Resource
      Pass the Access Code to access the protected resource
      1. Recommended – HTTP headers – so this is not cached by proxies
      2. It can also be passed as a query parameter
  70. Google Protected Resource
  71. PostMan Import Scripts
      • Authorization-Grant – http://www.getpostman.com/collections/0c31cb5910e6a60896f7
      • Implicit-Grant – http://www.getpostman.com/collections/3085769daec37cc41c1a
  72. Grant Types
      • Authorization Code Grant
      • Implicit Grant
      • Resource Owner Password Credentials Grant
      • Client Credentials Grant
  73. Protocol Flow – Resource Owner Password Credentials Grant (diagram)
      Resource Owner → Client: Username/Password
      Client → Authorization Server: Resource Owner Credentials & Client Credentials
      Authorization Server → Client: Access Token with Optional Refresh Token
      Client → Resource Server: Access Token
      Resource Server → Client: Protected Resource
  74. Use Cases
      • Strong trust between Resource Owner and Client, e.g. an operating system or privileged app
      • The Client is not supposed to store the credentials, but only the access token and the refresh token if provided
      • Example – Salesforce OAuth has provision for this
  75. Grant Types
      • Authorization Code Grant
      • Implicit Grant
      • Resource Owner Password Credentials Grant
      • Client Credentials Grant
  76. Protocol Flow – Client Credentials Grant (diagram)
      Client → Authorization Server: Client Credentials
      Authorization Server → Client: Access Token with Optional Refresh Token
      Client → Resource Server: Access Token
      Resource Server → Client: Protected Resource
  77. Use case
      • The data accessed is not owned by the Resource Owner, but by the Client
      • Say Skype showing statistics of the uptime of its services
  78. Use case
      • There is a contract already set between the Client and the Authorization Server
      • E.g. Google Apps Marketplace
      • An app installed on Google Apps requires permission to everyone's calendar in that domain. This permission is provided by the admin and not the end user.
  79. OAuth from Mobile Device
  80. Popular Approaches
      • Using User Agent (stock browser)
      • Using Embedded WebView
  81. Disclaimer
      • The following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
      • I have no claim on the following slides, with the reference stated in them
      • Thank you Brian Campbell for the excellent presentation
  82. Request Authorization (diagram: Cloud – Authorization Endpoint, Token Endpoint; Device – Browser, Native App; step 1)
      • When the user first needs to access some protected resource, the client opens a browser and sends the user to the authorization endpoint
        https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
      Android:
        Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
        Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
        startActivity(launchBrowser);
      iOS:
        NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
        [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
      Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  83. Authenticate and Approve (step 2)
      • The AS authenticates the user
        – Directly
        – Indirectly via Facebook, Twitter, Google, Yahoo, etc.
  84. Approve (step 2)
      • User approves the requested access
  85. Handle Callback (step 3)
      • Server returns control to the app via HTTP redirection and includes an authorization code
        HTTP/1.1 302 Found
        Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  86. Handle Callback (cont'd) – registering a custom URI scheme (step 3)
      In AndroidManifest.xml file:
        <activity android:name=".MyAppCallback" … >
          <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="x-com.mycorp.myapp" />
          </intent-filter>
        </activity>
      Reading the code from the intent that launched the activity:
        String authzCode = getIntent().getData().getQueryParameter("code");
  87. Handle Callback (cont'd) – registering a custom URI scheme (step 3)
      In app info plist file:
        - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
            NSString *queryString = [url query];
            NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
            for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
                NSArray *elts = [param componentsSeparatedByString:@"="];
                if([elts count] < 2) continue;
                [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
            }
            NSString *code = [qsParms objectForKey:@"code"];
            ...
  88. Trade Code for Token(s) (step 4)
      Token Endpoint Request
        POST /as/token.oauth2 HTTP/1.1
        Host: as.example.com
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8

        client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      Token Endpoint Response
        HTTP/1.1 200 OK
        Content-Type: application/json;charset=UTF-8
        Cache-Control: no-store
        Pragma: no-cache

        {
          "token_type":"Bearer",
          "expires_in":3600,
          "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
          "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
        }
  89. Using an Access Token (step 5)
      • Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header
        POST /api/update-status HTTP/1.1
        Host: rs.example.com
        Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8

        status=Almost%20done.
      iOS:
        NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
        NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
        [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
        [request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
      Android:
        DefaultHttpClient httpClient = new DefaultHttpClient();
        HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
        post.setHeader("Authorization", "Bearer " + accessToken);
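As an added example, not part of Brian Campbell's slides or of this deck, here is the callback handling of slides 85 to 87 written in Python with the checks the slide snippets do not show: the incoming URI is confirmed to be the registered scheme and host, an error response from the authorization server is handled instead of being treated as a code, and the state parameter is compared with the one the app sent. The scheme and host come from slide 85; the state parameter is assumed to have been added to the authorization request on slide 82.

```python
from urllib.parse import parse_qs, urlparse

# From slide 85: the scheme the app registers and the host used in the redirect.
EXPECTED_SCHEME = "x-com.mycorp.myapp"
EXPECTED_HOST = "oauth.callback"


def parse_callback(url, expected_state):
    """Return the authorization code from the callback URI, or raise with the reason.

    expected_state is the value the app put in the authorization request (assumed
    here; slide 82's URL has no state) and kept until the callback arrives.
    """
    parts = urlparse(url)
    if parts.scheme != EXPECTED_SCHEME or parts.netloc != EXPECTED_HOST:
        raise ValueError("callback arrived on an unexpected URI, ignoring it")
    q = parse_qs(parts.query, keep_blank_values=True)
    if "error" in q:
        # The user declined, or the AS rejected the request: no code is present.
        raise PermissionError("authorization failed: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        # A code that does not belong to a request this app started is never exchanged.
        raise ValueError("state mismatch, discarding the code")
    codes = q.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback carries no single code parameter")
    return codes[0]


def handle_callback(url, expected_state):
    """Outcome the app acts on: ('code', value), ('denied', error) or ('ignored', reason)."""
    try:
        return "code", parse_callback(url, expected_state)
    except PermissionError as e:
        return "denied", str(e)
    except ValueError as e:
        return "ignored", str(e)
```

Only the `("code", value)` outcome proceeds to the token request of slide 88; a denied outcome is shown to the user, and an ignored one is logged and dropped.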
  90. Pros and Cons (User Agent / stock browser)
      • Pros
        – The user may already be logged in, in most cases
        – The user will trust it as he/she sees https and the domain name
      • Cons
        – Complicated custom URI scheme
  91. Popular Approaches
      • Using User Agent (stock browser)
      • Using Embedded WebView
  92. Pros and Cons (Embedded WebView)
      • Pros
        – Easier to monitor pages and extract authorization or access codes
      • Cons
        – May not appeal, since neither https nor the domain name is visible
        – The WebView has separate cookies and history, leading to the client entering credentials each time
  93. Open ID Story
  94. Example of OpenID
  95. What are you doing? Proving you own http://rohitghatol.myopenid.com
  96. Another Example
  97. Wait!! http://openid.rohitghatol.com is your own page, how does OpenID work then?
  98. Discover who the identity provider is
  99. Behind the Scene – Reference - http://openid.net/pres/protocolflow-1.1.png
  100. Difference between OpenID and OAuth
      • OpenID – Know who is coming to your site – Delegated Authentication
      • OAuth – Give rights to certain APIs – Delegated Authorization
  101. Next Steps: OpenID Connect
  102. Disclaimer
      • My understanding of OpenID Connect is limited.
      • Me talking about OpenID Connect is an attempt to understand why it was born and what its purpose is
  103. OpenID Connect
  104. OpenID Connect
  105. OpenID Connect
      • Why did it come into the picture?
        – Both OpenID and OAuth rely on redirection to allow the client to be granted permissions
        – The protocol flow is similar – redirection & verification
        – Passing permissions to gain authentication (identity information) is the same as passing permission to gain authority to some APIs
  106. Let's see a Dummy Flow
  107. Step 1 – Get Access_Code and ID_Token
  108. Build the OAuth URL for id_token & access_token (implicit grant flow)
  109. Dummy Response
        https://oauth2demo.appspot.com/oauthcallback#access_token=ya29.AHES6ZSzX&token_type=Bearer&expires_in=3600&id_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY…
  110. ID_Token
      • Is a JSON Web Token
      • It can be decrypted to get the details
      • Or
      • taken to the Check ID Endpoint to get the decryption done
  111. Step 2 – Verify the Identity by going to the Check ID End Point
  112. Verify with Check ID End Point
        {
          "iss" : "https://accounts.example.com",
          "user_id" : "113487456102835830811",
          "aud" : "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com",
          "exp" : 1311281970,
          "nonce" : 12345677
        }
  113. What does the response mean?
      • "user_id": the authenticated user
      • "aud": the client_id, so we know it is meant for us
      • "exp": expiry
      • "nonce": what we sent, to prevent replay attacks
  114. Step 3 – Get User Info from the UserInfo EndPoint
  115. The UserInfo EndPoint is a special resource accessed by providing the access_token
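As an added example (not from the slides) of the claim checks listed on slide 113, written in Python: the id_token is a JSON Web Token, three base64url segments of the form header.payload.signature, and the block decodes the payload and checks iss, aud, exp and nonce. The sample token is constructed inline around the claims shown on slide 112, with a placeholder in the signature position; the block does not verify a signature, so a real client must first validate the token against the provider's published keys or, as the slides show, hand it to the Check ID endpoint, and only then trust the claims.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Constructed test token: header.payload.<placeholder>; a real issuer signs the first two parts."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".PLACEHOLDER_SIGNATURE"


def decode_claims(id_token):
    """Split the compact JWT and decode its payload; no signature check happens here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token(id_token, expected_iss, client_id, expected_nonce, now=None):
    """Apply the checks from slide 113 (plus iss) and return the claims if all pass.

    Assumes the signature was already verified (or the token came back from the
    Check ID endpoint); the claims of an unverified token must not be trusted.
    """
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch: token issued by a different provider")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("aud mismatch: token was not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or carries no exp")
    if str(claims.get("nonce")) != str(expected_nonce):
        raise ValueError("nonce mismatch: possible replay of an old token")
    return claims


# Claims from slide 112, wrapped in a constructed token; nonce is the value the client sent.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.example.com",
    "user_id": "113487456102835830811",
    "aud": "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com",
    "exp": 1311281970,
    "nonce": 12345677,
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
```

With `now` pinned below the sample exp, `validate_id_token(SAMPLE_TOKEN, "https://accounts.example.com", SAMPLE_CLAIMS["aud"], 12345677, now=1311281000)` returns the claims; a different client_id, a nonce other than the one sent, a different issuer, or a clock at or past exp each raise ValueError, which is the point at which the client stops and does not go on to Step 3.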
  116. Reference
      • Book – Getting Started with OAuth 2.0
      • Facebook Documentation
      • Google Documentation
      • Brian David Campbell's Presentation
