Who Are You?




         1                                CSI @mjidhage
                                              2011-05-06

         © Copyright Omegapoint AB 2011

Saturday, September 22, 12                                 1
Detour




Agenda (flow diagram, labels only): start, REST, AUTH, OAUTH, CASE, SUM, ?, stop
REST
         • wiki: a style of software architecture for distributed systems
                     • Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface




                                      “Representational State Transfer (REST)
                                      is a style of software architecture for
                                      distributed hypermedia systems such as
                                      the World Wide Web”



REST

                                                Richardson Maturity Model
                  • Level 0
                               SOAP, XML RPC, POX – Single URI
                  • Level 1
                               URI Tunnelling – Many URIs, Single verb
                  • Level 2
                               Many URIs, many verbs
                               CRUD services (e.g. Amazon S3)
                  • Level 3
                               Level 2 + Hypermedia – RESTful Service, HATEOAS




What’s the problem?

                                     “The client–server communication is
                                     further constrained by no client context
                                     being stored on the server between
                                     requests. Each request from any client
                                     contains all of the information necessary
                                     to service the request, and any session
                                     state is held in the client.”




Authentication?



               • Identification
               • Authentication
               • Authorization

Authentication + REST
        Basic Authentication
                  send user+pass, base64 enc. in HTTP Header
        Digest Authentication
                  hashed user+pass+other stuff in HTTP Header
        Client Certificates
                  sign content with the client private key
        NTLM/SPNEGO
                  didn’t bother - no news since 2005
        Session based
                  classic form based login and a session id (cookie, URL, hidden)
        Token based
                  OpenID, SAML, OAuth




What to choose?




Scope cut

        (matrix diagram, labels only) Client: web, smartphone  x  internal, external
Authentication + REST
        Basic Authentication
                  send user+pass, base64 enc. in HTTP Header
        Digest Authentication
                  hashed user+pass+other stuff in HTTP Header
        Client Certificates
                  sign with the client private key
        NTLM/SPNEGO
                  didn’t bother - no news since 2005
        Session based
                  form based login
        Token based
                  OpenID, SAML, OAuth




Basic Authentication
        HTTP Header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=

        Benefits
              Simple
              Libraries available for every occasion
              Tested


        Problems
              Password sharing anti-pattern
                    • Users get trained to give the password away
              The app or site store the password
                    • Stolen device has user/pass locally stored - hacked site too
              No access granularity
                    • it’s all or nothing
              Access revocation is a manual process
                    • and universal
              A mistake in HTTPS leaks user/pass forever and ever
                    • Stored in browser until tab or browser closed
                    • Automatic submission of BA header if MitM?
              Changing password (which is sometimes necessary...) revokes all access
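To make the slide's points concrete, here is an added example (Python 3, standard library only; not code from the slides) that decodes the header value shown above and then does the server-side check the way a site should: it refuses the header off TLS, stores only a salted PBKDF2 hash rather than the password, and compares in constant time. The stored credential record is constructed for the example.

```python
"""Parse and verify an HTTP Basic Authentication header.
Added example (Python 3, standard library); not code from the slides.
SLIDE_HEADER is the header value shown on the slide; the user record
in USERS is constructed for this example."""
import base64
import binascii
import hashlib
import hmac
import os


def parse_basic_header(header_value: str):
    """Return (user, password) from 'Basic <base64>' or None if malformed.
    The decoded value is 'user:password'; only the first ':' separates them,
    so a password may itself contain ':'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def make_credential_record(password: str, iterations: int = 200_000) -> dict:
    """Server-side record: random salt plus PBKDF2-HMAC-SHA256 of the password,
    so the site never stores the password itself (one of the slide's problems)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_basic_auth(header_value: str, users: dict, is_tls: bool) -> bool:
    """Accept only over TLS (base64 is not encryption, so the header is the
    password in clear) and only if the PBKDF2 hash matches, compared in
    constant time to avoid a timing side channel."""
    if not is_tls:
        return False
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    user, password = parsed
    rec = users.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["hash"])


SLIDE_HEADER = "Basic QWxhZGluOnNlc2FtIG9wZW4="          # value from the slide
USERS = {"Aladin": make_credential_record("sesam open")}  # constructed record

if __name__ == "__main__":
    print(parse_basic_header(SLIDE_HEADER))          # ('Aladin', 'sesam open')
    print(check_basic_auth(SLIDE_HEADER, USERS, True))
```

Decoding the slide's header gives user "Aladin" with password "sesam open", which is exactly the "all or nothing" credential the slide warns about: anyone who sees the header once holds the account until the password is changed.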

Token based

        Benefits
               No user/pass disclosed
               Granularity
               Revocation
               Separation of duties

        Problems
               Standards under development
               No complete solution stack
                           OAuth delivers authorization
                           OpenID or own solution for authentication




What?




                             A simple, open standard for secure API
                                  authentication authorization.



            Possible to share private information stored on one
                       website with another website


When?

                        — 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.



                        — 2007-04 A Google group started to write a draft protocol specification



                        — 2007-06 A first draft was ready and the group was opened for everyone interested in
                             contributing to the specification




When?

                          • 2007-12 Initial version OAuth 1.0 ready
                            • mainly based on the Flickr Auth API and Google AuthSub

                          • 2009-06 Revised version 1.0a due to a security flaw
                            • http://oauth.net/core/1.0a

                          • 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”

                          • OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
                            • New protocol, not backward compatible with OAuth1
                            • Simplify and create a better user experience
                            • Less secure due to no digital signature?




Who?




Why?




Lisa




Information
                                          Lisa




Lisa




Lisa




                                   Service Provider




Lisa




Lisa




                                                 Consumer




Lisa




Why?

  fake : Hi Lisa, what’s your username?

       : Hmm, don’t know - could it be, lisa@hotmail.com?

  fake : Ok, great! What’s your password?

       : h4pp1n3ss

  fake : Perfect! We’ll steal your paypal and facebook account through the hotmail account and print your photos right away.
         If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.




How?

                                          Authorization in 5 easy steps
                                          1. Intent
                                          2. Request Token
                                          3. Authorize Request Token
                                          4. Exchange Token
                                          5. Access Data




Step 1: Intent

                   : Hi, ! I would like to order printouts of some of my
                   on       , they are marked as private.
                   Could you please print them?



                     : Sure, we just need to ask permission from




Step 2: Request Token

     Hi                       ! This is      speaking! Can I have a Request Token?
                                                                   HMAC-SHA1 (Yours Truly, Moo.)




                    : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V
                    and your secret is: 1Hv0pzNXMXdEfBd”


                    : Thanks!



Step 3: Authorize Request Token

                      : Hi , could you please go to   to authorize
                      the Request Token:9iKot2y5UQTDlS2V?
                      When you have made the authorization, I can
                      fetch your   .


                      : Sure, just redirect my browser and I will be
                      done in a second!



Step 3, Continued

                     :                    , I would like to authorize 9iKot2y5UQTDlS2V


                     : Sure - to be on the safe side; you are allowing   to read your
                     private pictures? We trust them, so there are no issues from our
                     side.


                     : Yes, that is correct!



                     : Ok, good. Now get back to                  and tell them it is ok to proceed.


Step 3, Optional Notify


                             : Hi , I just told      that you are allowed to access my
                             private pictures and they told me the pictures are ready for
                             you to access them.


                              : Perfect, thank you!




Step 4: Exchange Token

                                : Hi,    . Could I exchange this token: 9iKot2y5UQTDlS2V
                                for an Access Token?                     HMAC-SHA1 (Yours Truly, Moo.)




                              : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz
                                     and your Secret is: 4Fc8bwdKNGSM0iNe”



                                : Perfect, thank you!



Step 5: Access Data


                            : Hi   , I would like to fetch the private pictures owned by
                            94S3sJVmuuxSPiZz.                    HMAC-SHA1 (Yours Truly, Moo.)




                             : Here they are         , anything else?
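Every request Moo sends in steps 2, 4 and 5 carries the "HMAC-SHA1 (Yours Truly, Moo.)" signature, and the whole story depends on Flickr checking it. The following is an added example (Python 3, standard library only; not code from the slides or from any of the services named) of what that signing and checking look like under RFC 5849: the consumer builds the signature base string from the method, the URI and every parameter it sent, keys an HMAC-SHA1 with its consumer secret and the token secret, and the service provider recomputes the same thing from the request as it arrived. The request and the expected base string are the sample from RFC 5849 section 3.4.1.1; the secrets, the nonce store and the tampered body are constructed for the example.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and verification.
Added example in Python 3 (standard library only), not code from the slides.
The consumer (Moo in the story) signs, the service provider (Flickr) verifies.
The request parameters are the sample request of RFC 5849 section 3.4.1.1;
the secrets and the nonce store are constructed for this example."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(s: str) -> str:
    """Section 3.6: only unreserved characters (ALPHA, DIGIT, - . _ ~) stay as is."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop default port and query."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"


def collect_params(query: str, body: str, oauth_params: dict) -> list:
    """Section 3.4.1.3.1: query string, form body and Authorization header
    parameters, without realm and oauth_signature."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    return pairs


def normalize_params(pairs) -> str:
    """Section 3.4.1.3.2: encode, sort by name then value, join with &."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, pairs) -> str:
    parts = (method.upper(), base_string_uri(url), normalize_params(pairs))
    return "&".join(percent_encode(p) for p in parts)


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = enc(consumer secret) & enc(token secret), output base64."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    mac = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, query, body, oauth_params, consumer_secret, token_secret=""):
    """Consumer side: return oauth_params with oauth_signature filled in."""
    base = signature_base_string(method, url, collect_params(query, body, oauth_params))
    return {**oauth_params, "oauth_signature": hmac_sha1(base, consumer_secret, token_secret)}


def verify_request(method, url, query, body, oauth_params, secrets, seen_nonces) -> bool:
    """Service provider side: look up the secrets for (consumer key, token), reject a
    replayed (consumer key, timestamp, nonce) triple, recompute the signature over
    the request as received and compare it in constant time."""
    ident = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_token", ""))
    if ident not in secrets or oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    nonce_key = (ident[0], oauth_params.get("oauth_timestamp"), oauth_params.get("oauth_nonce"))
    if nonce_key in seen_nonces:
        return False
    expected = sign_request(method, url, query, body, oauth_params, *secrets[ident])
    received = oauth_params.get("oauth_signature", "")
    if not hmac.compare_digest(expected["oauth_signature"].encode(), received.encode()):
        return False
    seen_nonces.add(nonce_key)
    return True


# Sample request from RFC 5849 section 3.4.1.1: POST /request with both a query
# string and a form-encoded body; RFC_BASE_STRING is the base string the RFC gives.
RFC_URL = "http://example.com/request"
RFC_QUERY = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7")
# Constructed secrets for the example, keyed by (consumer key, token).
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-example", "token-secret-example"
SECRETS = {(RFC_OAUTH["oauth_consumer_key"], RFC_OAUTH["oauth_token"]):
           (CONSUMER_SECRET, TOKEN_SECRET)}


def demo():
    """Return (base string, genuine request accepted, tampered body rejected,
    replay of the same signed request rejected)."""
    seen = set()
    base = signature_base_string("POST", RFC_URL, collect_params(RFC_QUERY, RFC_BODY, RFC_OAUTH))
    signed = sign_request("POST", RFC_URL, RFC_QUERY, RFC_BODY, RFC_OAUTH,
                          CONSUMER_SECRET, TOKEN_SECRET)
    ok = verify_request("POST", RFC_URL, RFC_QUERY, RFC_BODY, signed, SECRETS, seen)
    tampered = verify_request("POST", RFC_URL, RFC_QUERY, "c2&a3=2+x", signed, SECRETS, set())
    replay = verify_request("POST", RFC_URL, RFC_QUERY, RFC_BODY, signed, SECRETS, seen)
    return base, ok, tampered, replay


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing against the slides' take-away: the signature never carries Lisa's Flickr credentials, only tokens and an HMAC that both sides can compute, and the signature covers the whole request, so a change to any parameter (the tampered body in demo()) or a replay of an already-seen nonce is rejected. The request token step (step 2) works the same way with an empty token secret.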




Take Away



                   No information on the identity of Lisa is passed to Moo, and Moo has
                   no idea what Lisa’s credentials on Flickr are.


                   API independent
                               there are lots of different implementations on both the client and the server side




Reality & Creativity

                      “OAuth is an open protocol to allow secure API authorization in a simple and
                                  standard method from desktop and web applications.”




       This is NOT the only way OAuth is used...




Case 1




                                          OAuth 1.0(a)

Authentication & Authorization

                  REST API - OAuth signed or unauthenticated requests
                  Search API - unauthenticated requests                             (query keyword)
                  Stream API - OAuth signed or HTTP Basic authenticated requests    (realtime firehose)

                                          2 basic methods
REST API
        Tweets                                Saved searches
        Timelines (set of tweets)             Places & Geo
        Direct Messages                       Trends
        Friends&Followers                     Block
        Users                                 Spam
        Suggested Users                       OAuth
        Favorites                             Help
        Lists                                 Legal
        Accounts                              Deprecated
        Notifications




OAuth API
        POST oauth/request_token            Server gets a request token (oauth_callback)

        GET oauth/authenticate              Client redirect “Sign in with Twitter” (oauth_token)

        GET oauth/authorize                 Client redirect “3-legged authentication” (oauth_token)

        POST oauth/access_token             Server gets an access token (oauth_verifier)




OAuth

      Situation                                                Method                  Note
      Want to offer a "Sign in with Twitter" button on         Sign in with Twitter    authenticates
      your website...
      Want to read or post Twitter data on behalf of           3-legged OAuth          authorize
      visitors to your website...
      Have a mobile, desktop, or embedded app which            PIN-based OAuth         no redirect URL
      can't access a browser...
      Just want to access the API from your own                dev.twitter.com         N/A
      account...
      NEED to use usernames/passwords AND have                 xAuth                   authenticates
      been approved for xAuth...
      Offer an API where clients send you data on              OAuth Echo              API delegate
      behalf of Twitter users...
      Have an iOS5-based integration and need access           Using Reverse Auth      local iOS account
      tokens for server-side integrations...
Mobility
      Native application

      Secure way
      Redirect to browser, authorize/authenticate (NB! Not an embedded UI View!)
      Redirect back to app
      Possible without multitasking?

      Not so secure way
      xAuth
      works if there is trust between app and api (internal enterprise solution)

      Alternative?
      for 3rd party app that absolutely does not want to use external browser
      Use Twitter app?




Mobility
      HTML5 application

      Redirect to auth-site
      Redirect to app-site




Case 2




        Facebook Graph API - OAuth v2 draft 14 (January 2011)




OAuth (authenticate / authorize)

          • Authentication in native Android apps                                          (facebook app)
          • Authentication in native iOS apps                                              (facebook app)

          • Authentication within a Page Tab on www.facebook.com                           (facebook spec)
          • Authentication within a Canvas Page on apps.facebook.com                       (facebook spec)

          • Authentication for Websites & Mobile Web apps using Javascript (client-side flow)
          • Authentication for Websites & Mobile Web apps using a Server (server-side flow)

          • Authentication for devices without access to a browser                         (PIN)
Mobility

        Native application

        Standard is using the Facebook app
                  if not logged in - log in (app)
                  if logged in but not authorized - pop authorization question (app)
        If no Facebook app
                  Redirect to web

        HTML5 application

        Redirect to auth-site
        Redirect to app-site




                                                                                       Reflection
Case 3




        Home brew oauth-style authentication




Anonymous TVM




Identity TVM




Mobility

        Native application - identity TVM
                  Login towards TVM to collect token
                  Use token towards API




OAuth 2.0




                                                        rev 31

OAuth 2.0




RFC 5849
        6 Flows
         • User-Agent Flow – for clients running inside a user-agent (typically a web
           browser).
         • Web Server Flow – for clients that are part of a web server application, accessible
           via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
         • Device Flow – suitable for clients executing on limited devices, but where the end-
           user has separate access to a browser on another computer or device.
         • Username and Password Flow – used in cases where the user trusts the client
           to handle its credentials but it is still undesirable for the client to store the user’s
           username and password. This flow is only suitable when there is a high degree of
           trust between the user and the client.
         • Client Credentials Flow – the client uses its credentials to obtain an access
           token. This flow supports what is known as the 2-legged scenario.
         • Assertion Flow – the client presents an assertion such as a SAML assertion to
           the authorization server in exchange for an access token.




Conclusion

        Tokens are great!
        Authentication is hard.


        switch (scenario) {
                  case 3rd party native client consumes your enterprise API:          // How2 enforce?
                               Make sure the 3rd party uses an external browser for authentication;
                               Alternative is to create own enterprise app on mobile device;
                  case own app consumes service api to access resource owner’s stuff:
                               Pop an external browser - because it’s the good thing to do;
                  case you are the resource owner:
                               Do not hand out your user & pass to untrusted parties;
                  case your app consumes your api:
                               see 3rd party options;
                               add xAuth, Identity TVM, Username and Password flow;
        }


        In comparison - Web is easy!
Thank You



                                                                    ?   @mjidhage

    @weeUnquietMind - GLUE Conference - ‘Is that a token in your phone in your pocket or are you just glad to see me?’
    @webtonull - JavaZone - ‘RESTful Security’
    @rickardoberg - JFokus - ‘Road to REST’
    @bebb00 - OPKoKo 2010 - ‘OAuth’
    @jancalmered - OPKoKo 2010 - ‘OAuth’





Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Who Are You 20120922

  • 1. Who Are You? 1 CSI @mjidhage 2011-05-06 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 1
  • 2. Detour 2011-05-06 2 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 2
  • 3. start REST SUM AUTH ? stop CASE OAUTH 2011-05-06 3 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 3
  • 4. REST • wiki:a style of software architecture for distributed systems • Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface “Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web” 2011-05-06 4 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 4
  • 5. REST Richardson Maturity Model • Level 0 SOAP, XML RPC, POX – Single URI • Level 1 URI Tunnelling – Many URIs, Single verb • Level 2 Many URIs, many verbs CRUD services (e.g. Amazon S3) • Level 3 Level 2 + Hypermedia – RESTful Service, HATEOAS 2011-05-06 5 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 5
  • 6. What’s the problem? “The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.” 2011-05-06 6 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 6
  • 7. Authentication? • Identification • Authentication • Authorization 2011-05-06 7 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 7
  • 8. Authentication + REST Basic Authentication send user+pass, base64 enc. in HTTP Header Digest Authentication hashed user+pass+other stuff in HTTP Header Client Certificates sign content with the client private key NTLM/SPNEGO didn’t bother - no news since 2005 Session based classic form based login and a session id (cookie, URL, hidden) Token based OpenID, SAML, OAuth 2011-05-06 8 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 8
  • 9. What to choose? 2011-05-06 9 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 9
  • 10. Scope cut internal external web Client smartphone 2011-05-06 10 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 10
  • 11. Authentication + REST Basic Authentication send user+pass, base64 enc. in HTTP Header Digest Authentication hashed user+pass+other stuff in HTTP Header Client Certificates sign with the client private key NTLM/SPNEGO didn’t bother - no news since 2005 Session based form based login Token based OpenID, SAML, OAuth 2011-05-06 11 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 11
  • 12. Basic Authentication Benefits HTTP Header Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4= Simple Libraries available for every occasion Tested Problems Password sharing anti-pattern • Users get trained to give the password away The app or site store the password • Stolen device has user/pass locally stored - hacked site too No access granularity • it’s all or nothing Access revocation is a manual process • and universal A mistake in HTTPS leaks user/pass forever and ever • Stored in browser until tab or browser closed • Automatic submission of BA header if MitM? Changing password (which is sometimes neccessary...) revokes all access 2011-05-06 12 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 12
  • 13. Token based Benefits No user/pass disclosed Granularity Revocation Separation of duties Problems Standards under development No complete solution stack OAuth delivers authorization OpenID or own solution for authentication 2011-05-06 13 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 13
  • 14. 2011-05-06 14 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 14
  • 15. What? A simple, open standard for secure API authentication authorization. Possible to share private information stored on one website with another website Saturday, September 22, 12 15
  • 16. When? — 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation. — 2007-04 A Google group started to write a draft protocol specification — 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification t 2011-05-06 16 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 16
  • 17. When? •2007-12 Initial version OAuth 1.0 ready •mainly based on the Flickr Auth API and Google AuthSub •2009-06 Revised version 1.0a due to a security flaw •http://oauth.net/core/1.0a •2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol” •OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31 •New protocol, not backward compatible with OAuth1 •Simplify and create a better user experience t •Less secure due to no digital signature? 2011-05-06 17 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 17
  • 18. Who? 2011-05-06 18 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 18
  • 19. Why? 2011-05-06 19 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 19
  • 20. Lisa 2011-05-06 20 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 20
  • 21. Information Lisa 2011-05-06 21 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 21
  • 22. Lisa 2011-05-06 22 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 22
  • 23. Lisa Service Provider 2011-05-06 23 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 23
  • 24. Lisa 2011-05-06 24 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 24
  • 25. Lisa Consumer 2011-05-06 25 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 25
  • 26. Lisa 2011-05-06 26 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 26
  • 27. Why? : Hi Lisa, what’s your username? fake : Hmm, don’t know - could it be, lisa@hotmail.com? fake : Ok, great! What’s your password? : h4pp1n3ss : Perfect! We’ll steal your paypal and facebook account through the hotmail account and print your photos right away. If we find fake any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure. 2011-05-06 27 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 27
  • 28. How? Authorization in 5 easy steps 1. Intent 2. Request Token 3. Authorize Request Token 4. Exchange Token 5. Access Data 2011-05-06 28 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 28
  • 29. Step 1: Intent : Hi, ! I would like to order printouts of some of my on , they are marked as private. Could you please print them? : Sure, we just need to ask permission from 2011-05-06 29 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 29
  • 30. Step 2: Request Token Hi ! This is speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Thanks! 2011-05-06 30 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 30
  • 31. Step 3: Authorize Request Token : Hi , could you please go to to authorize the Request Token:9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your . : Sure, just redirect my browser and I will be done in a second! 2011-05-06 31 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 31
  • 32. Step 3, Continued : , I would like to authorize 9iKot2y5UQTDlS2V : Sure - to be on the safe side; you are allowing to read your private pictures? We trust them, so there are no issues from our side. : Yes, that is correct! : Ok, good. Now get back too and tell them it is ok to proceed. 2011-05-06 32 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 32
  • 33. Step 3, Optional Notify : Hi , I just told that you are allowed to access my private pictures and they told me the pictures are ready for you to access them. : Perfect, thank you! 2011-05-06 33 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 33
  • 34. Step 4: Exchange Token : Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.) : Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Perfect, thank you! 2011-05-06 34 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 34
  • 35. Step 5: Access Data : Hi , I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are , anything else? 2011-05-06 35 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 35
  • 36. Take Away No information on the identity of Lisa is passed to Moo and Moo have no idea of what Lisas credentials on Flickr is. API independent there are lots of different implementations on both client and server side 2011-05-06 36 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 36
  • 37. Reality & Creativity “OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” This is NOT the only way OAuth is used... 2011-05-06 37 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 37
  • 38. Case 1 OAuth 1.0(a) 2011-05-06 38 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 38
  • 39. Authentication & Authorization REST API - OAuth signed or unauthenticated requests query keyword Search API - unauthenticated requests Stream API - OAuth signed or HTTP Basic authenticated requests realtime firehose 2 basic methods 2011-05-06 39 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 39
  • 40. REST API Tweets Saved searches Timelines (set of tweets) Places & Geo Direct Messages Trends Friends&Followers Block Users Spam Suggested Users OAuth Favorites Help Lists Legal Accounts Deprecated Notifications 2011-05-06 40 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 40
  • 41. OAuth API POST oauth/request_token Server gets a request token (oauth_callback) GET oauth/authenticate Client redirect “Sign in with Twitter” (oauth_token) GET oauth/authorize Client redirect “3-legged authentication” (oauth_token) POST oauth/access_token Server gets an access token (oauth_verifier) 2011-05-06 41 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 41
  • 42. OAuth authenticates Want to offer a "Sign in with Twitter" button on Sign in with Twitter your website... authorize Want to read or post Twitter data on behalf of 3-legged OAuth visitors to your website... no redirect URL Have a mobile, desktop, or embedded app which PIN-based OAuth can't access a browser... N/A Just want to access the API from your own dev.twitter.com account... authenticates NEED to use usernames/passwords AND have xAuth been approved for xAuth... API delegate Offer an API where clients send you data on OAuth Echo behalf of Twitter users... local iOS account Have an iOS5-based integration and need access Using Reverse Auth tokens for server-side integrations... 2011-05-06 42 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 42
  • 43. Mobility Native application Secure way Redirect to browser, authorize/authenticate (NB! Not an embedded UI View!) Redirect back to app Possible without multitasking? Not so secure way xAuth works if there is trust between app and api (internal enterprise solution) Alternative? for 3rd party app that absolutely does not want to use external browser Use Twitter app? 2011-05-06 43 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 43
  • 44. Mobility HTML5 application Redirect to auth-site Redirect to app-site 2011-05-06 44 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 44
  • 45. Case 2 Facebook Graph API - OAuth v2 draft 14 (January 2011) 2011-05-06 45 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 45
  • 46. OAuth authenticate authorize Authentication in native Android apps • Authentication in native iOS apps facebook app • Authentication within a Page Tab on www.facebook.com facebook spec • Authentication within a Canvas Page on apps.facebook.com • Authentication for Websites & Mobile Web apps using Javascript (client-side flow) • Authentication for Websites & Mobile Web apps using a Server (server-side flow) • Authentication for devices without access to a browser PIN 2011-05-06 46 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 46
  • 47. Mobility Native application Standard is using the Facebook app if not logged in - log in (app) if logged in but not authorized - pop authorization question (app) If no Facebook app Redirect to web HTML5 application Redirect to auth-site Redirect to app-site Reflection 2011-05-06 47 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 47
  • 48. Case 3 Home brew oauth-style authentication 2011-05-06 48 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 48
  • 49. Anonymous TVM 2011-05-06 49 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 49
  • 50. Identity TVM 2011-05-06 50 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 50
  • 51. Mobility Native application - identity TVM Login towards TVM to collect token Use token towards API 2011-05-06 51 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 51
  • 52. OAuth 2.0 rev 31 2011-05-06 52 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 52
  • 53. OAuth 2.0 2011-05-06 53 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 53
  • 54. RFC 5849 6 Flows • User-Agent Flow – for clients running inside a user-agent (typically a web browser). • Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0. • Device Flow – suitable for clients executing on limited devices, but where the end- user has separate access to a browser on another computer or device. • Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client. • Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario. • Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token. 2011-05-06 54 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 54
  • 55. Conclusion Tokens are great! Authentication is hard. switch (scenario) { How2 case 3rd party native client consumes your enterprise API: enforce? Make sure the 3rd party uses an external browser for authentication; Alternative is to create own enterprise app on mobile device; case own app consumes service api to access resource owner’s stuff: Pop an external browser - because it’s the good thing todo; case you are the resource owner: Do not hand out your user & pass to untrusted parties; case your app consumes your api: see 3rd party options; add xauth, Indentity TVM, Username and Password flow; } In comparison - Web is easy! 2011-05-06 55 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 55
  • 56. Thank You ? @mjidhage @weeUnquietMind - GLUE Conference - ‘Is that a token in your phone in your pocket or are you just glad to see me?” @webtonull - JavaZone - ‘RESTful Security’ @rickardoberg - JFokus - ‘Road to REST’ @bebb00 - OPKoKo 2010 - ‘OAuth’ @jancalmered - OPKoKo 2010 - ‘OAuth’ 2011-05-06 56 © Copyright Omegapoint AB 2011 Saturday, September 22, 12 56