OAuth2 + API Security

1. OAuth 2 + API Security

2. API and Managing API
• Private APIs, public APIs (Twitter, Facebook)
• Even though these APIs are public there must be access control (e.g. nobody else can update your Facebook status on your behalf)

3. Securing APIs (before OAuth)
• Basic auth: sending the user's credentials in the HTTP Authorization header
• Mutual authentication: based on certificates; the server authenticates to the client and the client to the server
Problem? ONLY 2 parties. What happens if a 3rd party (client/app) wants to call APIs on your behalf?

4. Need a better method

5. Why we need a better method
• Third-party applications cannot store the password as a salted hash; they have to keep it in clear text (or reversibly encrypted) because they will present the user's credentials again later to access resources.
• The resource owner cannot limit the duration of access, or which resources a client may access, when the client holds the owner's password.

6. Why we need a better method
• Resource owners cannot revoke access for an individual third party. To revoke access the resource owner has to change the password, which revokes every other client at the same time.
• Compromise of any third-party application results in compromise of the end user's password and of all the data protected by that password.

7. Pre-OAuth era (each provider shipped its own delegated-authorization protocol)
• Google AuthSub
• Flickr Auth API
• Yahoo BBAuth

9. 4 roles
• Resource owner
• Client
• Resource server
• Authorization server

10. Resource owner
• An entity capable of granting access to a protected resource
• When the resource owner is a person, it is referred to as an end user

11. Resource server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

12. Client
An application making protected resource requests on behalf of the resource owner and with its authorization. 2 types:
• Confidential clients: able to keep the client_id and client_secret confidential (e.g. a web application with a server-side back end)
• Public clients: cannot keep a secret (e.g. browser-based clients, mobile apps)

13. Authorization server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

14. OAuth 2 (abstract protocol flow)
(A) Client -> Resource owner: authorization request
(B) Resource owner -> Client: authorization grant
(C) Client -> Authorization server: authorization grant
(D) Authorization server -> Client: access token
(E) Client -> Resource server: access token
(F) Resource server -> Client: protected resource

15. OAuth 2 (the car analogy: car owner = resource owner, mechanic = client, key holder = authorization server, car park = resource server)
(A) Mechanic -> Car owner: "Give me the key of your car."
(B) Car owner -> Mechanic: "It's with the key holder. I will give you a chit; show this to the key holder and ask for the key. You can't open my private stuff box with this key."
(C) Mechanic -> Key holder: "Give me the car key. Here is the chit of approval from the owner."
(D) Key holder -> Mechanic: "OK, this is accepted, here is the key."
(E) Mechanic -> Car park: "Give me the car to repair, this is the key."
(F) Car park -> Mechanic: "OK, have the car."

16. OAuth 2 (the four grant types)
The same flow as slide 14; the authorization grant handed over in steps (B) and (C) takes one of four forms:
• Authorization Code
• Implicit
• Resource Owner Password Credentials
• Client Credentials

17. Authorization Code
(A) Client -> User agent -> Authorization server: client identifier, requested scope and redirect URI
(B) Resource owner authenticates at the authorization server (through the user agent) and grants access
(C) Authorization server -> User agent -> Client: authorization code, delivered to the redirect URI
(D) Client -> Authorization server: authorization code and redirect URI
(E) Authorization server -> Client: access token

18. Scope
• Scope indicates which resources the client wants to access and which actions it wants to perform on them.
• The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server.
• The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server's policy or the resource owner's instructions. When the granted scope differs from the requested one, the server reports the granted scope in the token response.
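Scope handling at both ends of the flow, as an added example in Python (not code from the deck or from any of the referenced implementations): the authorization server parses the space-delimited, case-sensitive scope string and narrows it to what the client is registered for, and the resource server enforces the scope carried by a bearer token, answering 401 for a missing or unknown token and 403 for a valid token that lacks the needed scope. The client registrations, the endpoint-to-scope table and the token store are constructed; the sample token reuses the string from slide 28 as an opaque identifier.

```python
"""Scope handling: the authorization server narrows what is requested to what
the client is registered for; the resource server enforces the token's scope.
Added example, not the deck's code. Registrations, the endpoint table and the
token store below are constructed for illustration."""

# Constructed per-client allow-list kept by the authorization server.
REGISTERED_SCOPES = {
    "photo-app": {"photos", "photos:write"},
    "calendar-app": {"calendar"},
}

# Constructed token store: what the resource server learns when it looks up
# (or introspects) an opaque access token.
ISSUED_TOKENS = {
    "RsT5OjbzRn430zqMLgV3Ia": {"client_id": "photo-app", "scope": ["photos"]},
}

# Scope each resource-server endpoint requires.
REQUIRED_SCOPE = {
    ("GET", "/photos"): "photos",
    ("POST", "/photos"): "photos:write",
}


def parse_scope(value):
    """Split a scope parameter into its space-delimited, case-sensitive tokens.

    RFC 6749 section 3.3 allows only printable ASCII in a scope-token, minus
    double quote and backslash; anything else is rejected rather than silently
    normalised, so "Photos" and "photos" remain two different scopes.
    """
    tokens = []
    for tok in value.split(" "):
        if not tok:
            continue  # tolerate doubled spaces
        if not all(0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in tok):
            raise ValueError("invalid_scope: bad token %r" % tok)
        tokens.append(tok)
    return tokens


def grant_scope(client_id, requested):
    """Narrow the requested scope to what the client is registered for.

    The server may partially ignore the request (RFC 6749 3.3); the granted
    list is what goes into the token and back to the client in the response.
    Order is preserved so the client can compare it with what it asked for.
    """
    allowed = REGISTERED_SCOPES.get(client_id, set())
    granted = [s for s in parse_scope(requested) if s in allowed]
    if not granted:
        raise ValueError("invalid_scope: nothing grantable")
    return granted


def resource_request(method, path, authorization):
    """Return the HTTP status the resource server should answer with.

    401 means "no usable token" (missing header or RFC 6750 invalid_token);
    403 means "valid token, insufficient scope" (insufficient_scope). Keeping
    the two apart tells the client whether to re-authenticate or re-consent.
    """
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    info = ISSUED_TOKENS.get(authorization[len("Bearer "):])
    if info is None:
        return 401
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404
    if needed not in info["scope"]:
        return 403
    return 200
```

A request for "photos Photos calendar" from photo-app is granted only "photos": the capitalised token is a different scope and "calendar" is not registered for that client. Note that scope is authorization for the client, not for the end user; the resource server still has to check that the user behind the token may touch the specific object requested.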
19. Authorization Code (client type: confidential; a web application client)
Same flow as slide 17. This grant is intended for confidential clients, typically a web application whose server-side back end can hold the client secret.

20. Authorization Code (client authentication)
Same flow as slide 17, with one addition at step (D): when the client presents the authorization code it also authenticates to the authorization server, here with HTTP Basic authentication using its client_id and client_secret.

21. Authorization Code - Benefits
• Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client.
• The access token is delivered directly to the client over the back channel, without passing through the resource owner's user agent; only the short-lived code travels through the browser.

22. Authorization Code: Authorization Grant Request
• response_type: REQUIRED. Value MUST be set to "code".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the authorization server sends the user agent after authorization; if omitted, the URI registered for the client is used.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback, and to reject callbacks it did not initiate (CSRF).

23. Authorization Code: Authorization Grant Request
https://oauth2server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos

24. Authorization Code: Authorization Grant Response
• code: REQUIRED. The authorization code generated by the authorization server.
• state: REQUIRED if the "state" parameter was present in the client authorization request.
https://oauth2client.com/cb?code=AUTH_CODE_HERE

25. Authorization Code: Access Token Request
• grant_type: REQUIRED. Value MUST be set to "authorization_code".
• code: REQUIRED. The authorization code received from the authorization server.
• redirect_uri: REQUIRED if the "redirect_uri" parameter was included in the authorization request, and the two values MUST be identical.
POST https://api.oauth2server.com/token
grant_type=authorization_code&code=AUTH_CODE_HERE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

26. Authorization Code: Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.

27. Access Token
• Credentials used to access protected resources
• A string representing an authorization issued to the client
• Tokens represent specific scopes and durations of access
Refresh Token
• Used to obtain a new access token when the current access token becomes invalid or expires
• Can be used to obtain additional access tokens with identical or narrower scope
• Is presented only to the authorization server, never to the resource server

28. Authorization Code: Access Token Response
{
  "access_token": "RsT5OjbzRn430zqMLgV3Ia",
  "token_type": "Bearer"
}
(token_type is REQUIRED in the response, see slide 26.)
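The procedure on slides 22 to 28 end to end, as an added example in Python (not the deck's code, nor any vendor's library). Both parties run in one process against an in-memory authorization server; the client registration (CLIENT_ID, CLIENT_SECRET, the https://oauth2client.com/cb redirect URI), the 60-second code lifetime, the one-hour token lifetime and the user name "alice" are all constructed. Beyond what the slides show, it carries the checks a practitioner expects on each side: the server matches redirect_uri against the registration before redirecting anywhere, authenticates the client with HTTP Basic (slide 20), treats a code as single use and bound to the client and redirect_uri that requested it, and lets a refresh narrow but never widen the scope (slide 27); the client verifies state on the callback before it touches the code.

```python
"""Authorization code grant with both parties in one process: the client builds
the request (slide 23), the server answers with a code (slide 24), the client
exchanges it over the back channel (slide 25) and gets a token (slides 26, 28),
then refreshes it (slide 27). Added example, not the deck's code: the in-memory
server, client registration, lifetimes and user name are constructed."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://oauth2server.com/auth"
REDIRECT_URI = "https://oauth2client.com/cb"
CLIENTS = {"CLIENT_ID": {"secret": "CLIENT_SECRET", "redirect_uri": REDIRECT_URI}}
CODE_TTL, ACCESS_TTL = 60, 3600   # seconds; RFC 6749 caps code lifetime at 10 minutes
PENDING_CODES = {}   # code -> what it was issued for; popped on first use
ISSUED_ACCESS = {}   # access token -> client_id, scope, user, expiry
ISSUED_REFRESH = {}  # refresh token -> client_id, scope, user


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication header (slide 20)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_authorization_request(client_id, redirect_uri, scope):
    """Client: the slide 23 URL plus a fresh `state` kept in the client's session."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state


def authorize(url, authenticated_user):
    """Server, front channel: the resource owner has logged in and consented;
    redirect the user agent back to the client with a short-lived code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or unregistered redirect_uri")  # never redirect there
    if q.get("response_type") != "code":
        raise ValueError("unsupported_response_type")
    code = secrets.token_urlsafe(24)
    PENDING_CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                           "scope": q.get("scope", ""), "user": authenticated_user,
                           "expires": time.time() + CODE_TTL}
    return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})


def authenticate_client(header):
    """Server: parse and check `Authorization: Basic base64(client_id:client_secret)`."""
    if not header or not header.startswith("Basic "):
        raise PermissionError("invalid_client")
    try:
        client_id, secret = base64.b64decode(header[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("invalid_client")
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(secret, client["secret"]):
        raise PermissionError("invalid_client")
    return client_id


def issue(client_id, scope, user, with_refresh):
    """Server: mint an opaque bearer access token, optionally with a refresh token."""
    access = secrets.token_urlsafe(24)
    ISSUED_ACCESS[access] = {"client_id": client_id, "scope": scope, "user": user,
                             "expires": time.time() + ACCESS_TTL}
    resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL, "scope": scope}
    if with_refresh:
        resp["refresh_token"] = secrets.token_urlsafe(24)
        ISSUED_REFRESH[resp["refresh_token"]] = {"client_id": client_id, "scope": scope, "user": user}
    return resp


def token(form, authorization_header):
    """Server, back channel: authorization_code and refresh_token grants."""
    client_id = authenticate_client(authorization_header)
    grant = form.get("grant_type")
    if grant == "authorization_code":
        entry = PENDING_CODES.pop(form.get("code"), None)   # a code is single use
        if (entry is None or entry["expires"] < time.time()
                or entry["client_id"] != client_id                       # issued to another client
                or entry["redirect_uri"] != form.get("redirect_uri")):   # slide 25: must match
            return {"error": "invalid_grant"}
        return issue(client_id, entry["scope"], entry["user"], with_refresh=True)
    if grant == "refresh_token":
        rt = ISSUED_REFRESH.get(form.get("refresh_token"))
        if rt is None or rt["client_id"] != client_id:
            return {"error": "invalid_grant"}
        wanted = set(form.get("scope", rt["scope"]).split())
        if not wanted <= set(rt["scope"].split()):   # slide 27: identical or narrower, never wider
            return {"error": "invalid_scope"}
        return issue(client_id, " ".join(sorted(wanted)), rt["user"], with_refresh=False)
    return {"error": "unsupported_grant_type"}


def handle_callback(callback_url, expected_state, client_id, client_secret, redirect_uri):
    """Client: verify `state` before touching the code, then exchange the code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback not tied to our request (CSRF?)")
    return token({"grant_type": "authorization_code", "code": q.get("code"),
                  "redirect_uri": redirect_uri}, basic_auth_header(client_id, client_secret))


def run_flow():
    """One end-to-end exchange; returns the token response dict."""
    url, state = build_authorization_request("CLIENT_ID", REDIRECT_URI, "photos")
    callback = authorize(url, authenticated_user="alice")   # user logged in and consented
    return handle_callback(callback, state, "CLIENT_ID", "CLIENT_SECRET", REDIRECT_URI)
```

Tokens here are random opaque strings that the resource server would validate by lookup or introspection; a signed (JWT) access token changes how the resource server validates, not the exchange above. A real deployment of this grant should additionally use PKCE (RFC 7636), which is outside the slides: the client sends a code_challenge with the authorization request and the code_verifier with the token request, so an intercepted code is useless without the verifier. That is what makes the code grant safe for public clients too.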
29. Implicit
The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.

30. Implicit
(A) Client -> User agent -> Authorization server: client identifier, requested scope and redirect URI
(B) Resource owner authenticates at the authorization server and grants access
(C) Authorization server -> User agent: redirection URI with the access token in the URI fragment
(D) User agent -> Web-hosted client resource: request for the redirection URI without the fragment (a browser does not send the fragment to the server)
(E) Web-hosted client resource -> User agent: a script that extracts the access token from the fragment and hands it to the client

31. Implicit
• The authorization server does not authenticate the client.
• Improves the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
• Caveat: the token is exposed in the user agent (URL bar, history, referrer, any script on the page) and cannot be bound to the client. The OAuth 2.0 Security Best Current Practice (RFC 9700) says clients SHOULD NOT use the implicit grant; public clients should use the authorization code grant with PKCE instead.

32. Implicit (client type: public; a user-agent based, script application client)
Same flow as slide 30. The client is the script running in the user agent, so it has no secret to protect and nothing to authenticate with.

33. Implicit: Authorization Grant Request
• response_type: REQUIRED. Value MUST be set to "token".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the authorization server sends the user agent after authorization.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
https://oauth2server.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos

34. Implicit: Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
• scope: OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED.
• state: REQUIRED if the "state" parameter was present in the client authorization request.
The parameters are returned in the fragment of the redirection URI, not in the query string:
https://oauth2client.com/cb#access_token=ACCESS_TOKEN&token_type=Bearer

35. Client Credentials
Client credentials are used as an authorization grant when the client is also the resource owner, or is requesting access to protected resources based on an authorization previously arranged with the authorization server.

36. Client Credentials
(A) Client -> Authorization server: client authentication
(B) Authorization server -> Client: access token

37. Client Credentials (client type: confidential)
Same flow as slide 36. Only confidential clients can use this grant, since the client's own credentials are the grant.

38. Access Token Request
• grant_type: REQUIRED. Value MUST be set to "client_credentials".
• scope: OPTIONAL. The scope of the access request.
POST https://api.oauth2server.com/token
grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

39. Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
A refresh token SHOULD NOT be included: the client can simply authenticate again.

40. Resource Owner Password Credentials
(A) Resource owner -> Client: resource owner password credentials (user name and password)
(B) Client -> Authorization server: resource owner password credentials
(C) Authorization server -> Client: access token

41. When to use
• In mobile applications: exchange the user name and password for an access token and store only the access token in the mobile app.
• It should only be used by apps created by the service itself (e.g. the native Twitter app), because the client sees the user's password, which is exactly the credential sharing that slides 5 and 6 set out to avoid.
• Caveat: the OAuth 2.0 Security Best Current Practice (RFC 9700) says this grant MUST NOT be used; first-party native apps should use the authorization code grant with PKCE through the system browser.

42. Resource Owner Password Credentials: Token Request
POST https://api.oauth2server.com/token
grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID

43. References
• The OAuth 2.0 Authorization Framework (RFC 6749), the specification
• OAuth 2 Simplified, Aaron Parecki
• OAuth 2.0 with Pet Care House, Prabath Siriwardena