Cqcon
  1. OAuth Server functionality in AEM. Embrace Federation and unleash your REST APIs! Antonio Sanso, Software Engineer, Adobe Research Switzerland
  2. Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5zbyIsImV4cCI6MTQwMzYwMTU1OSwiaWF0IjoxNDAzNjAxNTU5fQ.9-MaGUiPg07ezuP9yAOaVLETQH6HMOpfoGwg_c0-PDw
  3. Who is this guy, BTW?
     - Software Engineer, Adobe Research Switzerland
     - VP (Chair) Apache Oltu (OAuth protocol implementation in Java)
     - Committer and PMC member for Apache Sling
     - Google Security hall of fame, Facebook security whitehat
  4. Agenda
     - OAuth introduction
     - “OAuth dance”
     - Implementing OAuth
     - AEM and OAuth
  5. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you to give them your username and password. HOW NICE
  6. OAuth Actors
     - Resource Owner (Alice)
     - Client (Bob, worker at www.printondemand.biz)
     - Server (Carol from Facebook)
  7. Traditional OAuth “dance” - Authorization Code Grant, aka server-side flow (www.printondemand.biz)
     1. I want an Authz Code
     2. Printondemand wants an Authz Code
     3. Login and authorize
     4. Here is the Authz Code
     5. Here we go: Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9366526684
  11. How difficult is it to implement OAuth? OAuth client vs. OAuth server
  12. Bearer Token: Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9366526684
  13. Scalable OAuth server
     - derive encryption key using salt1
     - derive MAC key using salt2
     - generate random IV
     - encrypt, then MAC(salt1 + IV + data)
     - transmit salt1, salt2, IV and the encrypted data
  14. JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5zbyIsImV4cCI6MTQwMzYwMTU1OSwiaWF0IjoxNDAzNjAxNTU5fQ.9-MaGUiPg07ezuP9yAOaVLETQH6HMOpfoGwg_c0-PDw
     - Header: {"alg":"HS256","typ":"JWT"}
     - Claims: {"aud":"connect2014","iss":"asanso","sub":"asanso","exp":1403601559,"iat":1403601559}
     - Signature: HMAC (HS256) over header.claims
  15. JSON Web Token
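To make slides 12 and 14 concrete, here is an added example (not code from the slides, AEM or Apache Oltu) that pulls a bearer token out of an Authorization header as RFC 6750 defines it, decodes the JWT shown on slide 14, and mints and verifies HS256 tokens. SLIDE_TOKEN is the token from the slide; its signing key is not on the slides, so it can only be decoded, not verified. DEMO_SECRET and the audience value used in the round trip are constructed. The verifier pins the algorithm to HS256 rather than trusting the token's own alg header, checks aud and exp, and only then returns the claims.

```python
"""Bearer header parsing plus HS256 JWT decode/mint/verify (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Token as printed on slide 14 (header.claims.signature).
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5zbyIs"
    "ImV4cCI6MTQwMzYwMTU1OSwiaWF0IjoxNDAzNjAxNTU5fQ."
    "9-MaGUiPg07ezuP9yAOaVLETQH6HMOpfoGwg_c0-PDw"
)
DEMO_SECRET = b"constructed-demo-hmac-key"   # constructed, not the slide's key


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def bearer_from_header(value):
    """Extract <token> from 'Bearer <token>' (RFC 6750 2.1); None otherwise."""
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature: inspection only."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def sign_hs256(key, signing_input):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def mint(claims, key):
    """Build header.claims.signature exactly as slide 14 lays it out."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode()
    return ".".join(parts + [b64url_encode(sign_hs256(key, signing_input))])


def verify(token, key, audience, now=None):
    """Return the claims if alg, signature, aud and exp all check out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token header must not pick the verification method.
    if header.get("alg") != "HS256":
        return None
    expected = sign_hs256(key, f"{header_b64}.{claims_b64}".encode())
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != audience:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    print(decode_unverified(SLIDE_TOKEN))
    t = mint({"aud": "connect2014", "sub": "asanso", "exp": int(time.time()) + 600}, DEMO_SECRET)
    print(bearer_from_header("Bearer " + t) == t, verify(t, DEMO_SECRET, "connect2014"))
```

Decoding the slide's token shows exp equal to iat (1403601559), so that token was already expired the moment it was issued; decode_unverified still shows its contents, which is why a resource server must never act on claims before verify has run.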
  16. AEM: register an OAuth client - http://<hostname>:<port>/libs/granite/oauth/content/newclient.html
  17. AEM: edit an OAuth client - http://localhost:4502/libs/granite/oauth/content/client.html/home/users/a/admin/oauth/3hp3gjumv1t51tdt8qnql3cb0u-ewt3wkjn
  18. AEM: registered OAuth clients - http://<hostname>:<port>/libs/granite/oauth/content/clients.html
  19. AEM: OAuth consent screen
  20. AEM: OAuth Endpoints
     - Authorization Endpoint - http://<hostname>:<port>/oauth/authorize
     - Token Endpoint - http://<hostname>:<port>/oauth/token
  21. AEM: OAuth APIs - Profile API
  22. AEM: OAuth APIs - Profile API: http://<hostname>:<port>/oauth/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&scope=profile
  23. AEM: Profile API usage - Authentication
  24. AEM: OAuth APIs - Extended. Assume you have an API with an endpoint /content/assets, OR you want to expose your content under /content/assets
  25. AEM: OAuth APIs - Extended: http://<hostname>:<port>/oauth/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&scope=/content/assets
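Slides 7, 20, 22 and 25 together give the client side of the dance against AEM: build the authorize URL, receive the code on the redirect, exchange it at the token endpoint. The following is an added example of that client, not code from the slides or from AEM. It uses the endpoint paths and scope values from the slides (/oauth/authorize, /oauth/token, profile, /content/assets); the parameter names and the token request shape follow RFC 6749 sections 4.1.1, 4.1.3 and 2.3.1 rather than anything AEM-specific on the slides, and the client id, secret, redirect URI and state values are constructed. Nothing is sent over the network; the functions build and check the messages so they can be inspected, and the state check is the part that binds step 4 of the dance to the login attempt that started it.

```python
"""Authorization-code client for the AEM endpoints (added example, no network)."""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def new_state():
    # Unguessable per-login value, stored in the user's session and checked on return.
    return secrets.token_urlsafe(24)


def build_authorize_url(base, client_id, redirect_uri, scope, state):
    """Step 1 of the dance: the URL the browser is sent to (slides 22 and 25)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return base.rstrip("/") + "/oauth/authorize?" + urlencode(params)


def query_params(url):
    # Flatten ?a=b&c=d into a dict; a repeated key keeps its first value.
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(callback_url, expected_state):
    """Step 4: the redirect back to redirect_uri. Returns the code or None."""
    q = query_params(callback_url)
    if "error" in q:
        return None          # e.g. access_denied when consent was refused
    returned = q.get("state", "")
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        return None          # not the response to the login we started
    return q.get("code") or None


def build_token_request(base, client_id, client_secret, code, redirect_uri):
    """Step 5: POST to the token endpoint with client_secret_basic auth."""
    url = base.rstrip("/") + "/oauth/token"
    # RFC 6749 2.3.1: HTTP Basic with client_id:client_secret (simple values here).
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + cred,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})
    return url, headers, body


def parse_token_response(text):
    """Return the bearer access token from the token-endpoint JSON, or None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or "error" in data:
        return None
    if str(data.get("token_type", "")).lower() != "bearer":
        return None
    return data.get("access_token") or None


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("http://localhost:4502", "demo-client",
                              "https://app.example/cb", "/content/assets", st))
    print(handle_callback("https://app.example/cb?code=constructed-code&state=" + st, st))
```

The access token that comes back is then presented as Authorization: Bearer on the API call, as on slide 12; the redirect_uri sent in step 5 must be byte-for-byte the one used in step 1, because the server compares them before releasing the token.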
  26. References
     - OAuth 2.0 web site - http://oauth.net/2/
     - OAuth 2.0 - http://tools.ietf.org/html/rfc6749
     - Bearer Token - http://tools.ietf.org/html/rfc6750
     - JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23
     - Apache Oltu - http://oltu.apache.org/
     - http://intothesymmetry.blogspot.ch/
