
Authentication and authorization in RESTful infrastructures


Authentication and authorization problem for RESTful infrastructures. From Basic Authentication to Open Authorization 2.0 (OAuth2)

Published in: Software


  1. Authentication & Authorization, RESTful infrastructures (APIConf 2017, Turin, @_CloudConf_ #apiconf2017)
  2. Walter Dal Mut, github.com/wdalmut, twitter.com/walterdalmut
  3. corley.it
  4. APIs immediately create a new building block for any application.
  5. I want to add a filesystem feature to my application? https://developers.google.com/drive/v3/web/about-sdk
      • Manage files and folders
      • Enable collaboration
      • Detect changes and revisions
      • Use Google Drive features
  6. FileSystem as a Service:

          $fileMetadata = new Google_Service_Drive_DriveFile([
              'name' => 'photo.jpg'
          ]);
          $file = $driveService->files->create($fileMetadata, [
              'data' => file_get_contents("/tmp/photo.jpg"),
              'mimeType' => 'image/jpeg',
              'uploadType' => 'multipart',
              'fields' => 'id'
          ]);

  7. Or think about AWS services:
      • S3: filesystem
      • Lambda: code as a service (image cropping etc...)
      • ElasticTranscoder: video encoding
      • SQS: distributed queues
      • SNS: distributed notifications
  8. Or think about Docker: an API completely wraps the Docker Engine (code as a service, background tasks as a service). Think how different Docker is, thanks to its own API system, from other services that you cannot control programmatically.
  9. API to turn ON/OFF a light bulb. Now a simple light bulb has a unique address in the world (URI). Continuous Integration: turn ON on errors. Crepuscular relay for home automation...

          POST /light/1 {"high": true}
          POST /light/1 {"high": false}
          GET /light/1

  10. So we can decouple our system into different and reusable parts (services).
  11. So now we have a machine-to-machine system; how can we authenticate and authorize actions?
  12. The simplest way to authenticate is Basic Authentication. Example: BASE64({username}:{password})

          GET /user HTTP/1.1
          Host: api.walterdalmut.com
          Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

          HTTP/1.1 200 OK
          Content-Type: application/json; charset=UTF-8
          Content-Encoding: UTF-8
          Content-Length: 2
          Connection: close
          X-Records-Count: 0
          X-Records-Page: 1
          X-Records-Total: 0

          []

  13. If I change the password the basic token changes; if I never change the password the token never changes (never expires)...
  14. If you allow multiple passwords you have a token based authentication system:
      • Create a login endpoint [POST /v1/login]
      • The user sends username and password
      • A new password (randomly generated) is created
      • This randomly generated password is an authentication token
      • So the token is used as a validation mechanism
      • We can integrate JWT to wrap the base token
      • You can add expire, refresh and revoke features to complete your auth system

          GET /user HTTP/1.1
          Host: api.walterdalmut.com
          Authorization: Bearer 35deb6aab84648dc2423cb61d3fceaa6c869a7aa

  15. Security over HTTPS
  16. With this authentication scheme, can we handle the authorization? Yes, typically role based (ADMIN, USER, etc.)
  17. This authorization scheme works well with tiny applications with limited API access or reserved APIs. With this scheme we grant authorizations over a given resource per user role and not with a fine-grained method:

          $this->denyUnlessAuthorized($user, $resource);

  18. What if I want to grant only limited authorizations to external applications? How do we handle the privacy problem and grant only a limited set of privileges?
  19. Third party applications? With basic auth I have to pass my credentials to that application! With token auth I cannot control the data access because the external application uses my current role! We join different APIs together, right?
  20. OAuth2 is related to Authorization and not Authentication:
      • User centered (focus on third party application data access)
      • Scope based authorization
      • Different token generation schemes
      • Secured via HTTPS (like basic auth, token auth...)
      • Mainly for distributed infrastructures: SOA, microservices...
  21. Distributed infrastructure
  22. The OAuth2 scheme allows clients (third party applications) to access the user information only after a user grant:
      • User (is you)
      • Client (third-party)
      • Resource (information owned by you)
      • Authorization grant (that you give to the client)
  23. OAuth2: you grant a limited set of privileges (scopes) on a resource (that you own) to an external application (the client).
  24. With OAuth2, the token is linked with a list of scopes, and whoever has that token can access resources in a limited way, depending on the scope list.
  25. Scopes: (none)

          GET /user HTTP/1.1
          Host: api.walterdalmut.com
          Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

          HTTP/1.1 200 OK
          Content-Type: application/json; charset=UTF-8
          Content-Encoding: UTF-8
          Connection: close

          { "id": 1 }

  26. Scopes: email

          GET /user HTTP/1.1
          Host: api.walterdalmut.com
          Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

          HTTP/1.1 200 OK
          Content-Type: application/json; charset=UTF-8
          Content-Encoding: UTF-8
          Connection: close

          { "id": 1, "username": "walter.dalmut@gmail.com" }

  27. Scopes: email profile:read

          GET /user HTTP/1.1
          Host: api.walterdalmut.com
          Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

          HTTP/1.1 200 OK
          Content-Type: application/json; charset=UTF-8
          Content-Encoding: UTF-8
          Connection: close

          {
            "id": 1,
            "username": "walter.dalmut@gmail.com",
            "firstname": "Walter",
            "lastname": "Dal Mut",
            "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
            "jobPosition": "Engineer",
            "signupDate": "2017-04-05T14:49:26+00:00"
          }

  28. Scopes: email profile:read invoice:read

          HTTP/1.1 200 OK
          Content-Type: application/json; charset=UTF-8
          Content-Encoding: UTF-8
          Connection: close

          {
            "id": 1,
            "username": "walter.dalmut@gmail.com",
            "firstname": "Walter",
            "lastname": "Dal Mut",
            "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
            "jobPosition": "Engineer",
            "signupDate": "2017-04-05T14:49:26+00:00",
            "invoiceInfo": {
              "id": 1,
              "fiscalName": "Corley SRL",
              "taxCode": "10669790015",
              "fiscalCode": "10669790015",
              "address": "P.za Statuto 10",
              "zipCode": "10122",
              "city": "Torino",
              "country": "Italy",
              "province": "TO"
            }
          }

  29. 4 [5] ways to get an authorization token:
      • Authorization code
      • Implicit (JavaScript clients)
      • Password
      • Client credentials
      • Refresh token
      A token, access or refresh, it doesn't matter, must expire after an amount of time, and those tokens can also be revoked by the resource owner.
  30. Authorization code exchange: AngularJS is not able to keep the OAuth2 client credential as a secret, so the App Server (third party app) will keep it and exchange the authorization code for a token, using also the client credentials.
  31. Authorization code exchange
  32. Authorization code exchange
  33. Authorization code exchange
  34. Implicit flow: used by JavaScript clients that cannot use a backend server for client validation.
  35. Password flow: typically used by a privileged client to simplify the token generation.
  36. It is a privileged application in our network that allows user credentials sharing to simplify the user login procedure (with backend support). academy.corley.it (example of password flow)
  37. Client credentials flow: typically only for client related jobs (no user resources, but client resources).
  38. OAuth2 will generate 2 tokens: access_token and refresh_token. The refresh token is not used to access resources but only to generate a new token without the whole generation handshake. access_token (expires in 1 hour), refresh_token (expires in 1 month).
  39. Just a few words...
  40. Thanks for listening
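As an added example (not code from the slides), here is the token-based login of slide 14 together with the scope-filtered /user responses of slides 25-28, in Python: the login endpoint mints a random expiring token, and the resource endpoint returns only the fields that the token's scopes unlock. The function names, the demo password, the in-memory stores and the trimmed invoiceInfo record are assumptions made for this example.

```python
import secrets

# Constructed sample record, modelled on the /user responses shown on slides 25-28.
USER = {
    "id": 1,
    "username": "walter.dalmut@gmail.com",
    "firstname": "Walter",
    "lastname": "Dal Mut",
    "invoiceInfo": {"id": 1, "fiscalName": "Corley SRL", "city": "Torino"},
}
# Which scope unlocks which fields; "id" is always returned, as on slide 25.
FIELDS_BY_SCOPE = {"email": ["username"], "profile:read": ["firstname", "lastname"],
                   "invoice:read": ["invoiceInfo"]}
TOKENS = {}  # opaque token -> (scopes, expiry); in-memory stand-in for the token store

def login(username, password, scopes, now, ttl=3600):
    """POST /v1/login from slide 14: check the password, mint a random token with an expiry."""
    # Constructed credential check; a real service would verify a password hash here.
    if not secrets.compare_digest(password, "constructed-demo-password") or username != USER["username"]:
        return None
    token = secrets.token_hex(20)  # the "randomly generated password" that becomes the token
    TOKENS[token] = (frozenset(scopes), now + ttl)
    return token

def scopes_for(authorization, now):
    """Parse 'Authorization: Bearer <token>'; return the granted scopes, or None if invalid/expired."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token or token not in TOKENS:
        return None
    scopes, expires = TOKENS[token]
    return scopes if expires > now else None

def user_view(scopes):
    """Build the /user representation, exposing only the fields the scope list allows."""
    visible = ["id"]
    for scope, fields in FIELDS_BY_SCOPE.items():
        if scope in scopes:
            visible.extend(fields)
    return {k: USER[k] for k in visible}

def handle_get_user(authorization, now):
    """GET /user: (status, body) as the API would answer for a given Authorization header."""
    scopes = scopes_for(authorization, now)
    if scopes is None:
        return 401, {"error": "invalid_token"}
    return 200, user_view(scopes)
```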

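Also added here, and not from the deck: a minimal in-memory model of the authorization code exchange (slides 29-33) and of the access/refresh token lifetimes of slide 38, including the expiry and the resource-owner revocation that slide 29 requires. The client id and secret, the function names, the TTL constants and the in-memory stores are constructed for this example.

```python
import secrets
# Constructed in-memory authorization-server state (stand-in for a real database).
CLIENTS = {"app-server": "constructed-client-secret"}  # client_id -> client_secret
CODES = {}   # authorization code -> grant record
TOKENS = {}  # access or refresh token -> token record
ACCESS_TTL, REFRESH_TTL, CODE_TTL = 3600, 30 * 24 * 3600, 60  # 1 hour, 1 month, short-lived code

def grant_code(client_id, user, scopes, now):
    """Step 1: the resource owner approved the client; issue a short-lived one-time code."""
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": client_id, "user": user, "scopes": tuple(scopes), "expires": now + CODE_TTL}
    return code

def _client_ok(client_id, client_secret):
    return secrets.compare_digest(CLIENTS.get(client_id, ""), client_secret)  # constant-time compare
def _mint(kind, grant, ttl, now):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = dict(grant, kind=kind, expires=now + ttl, revoked=False)
    return token
def _live(token, kind, now):
    t = TOKENS.get(token)
    return t if t and t["kind"] == kind and not t["revoked"] and t["expires"] > now else None

def exchange_code(code, client_id, client_secret, now):
    """Step 2: the app server (never the browser) trades code + client credentials for tokens."""
    if not _client_ok(client_id, client_secret):
        return None
    grant = CODES.pop(code, None)  # pop: the code is consumed on first use
    if grant is None or grant["client_id"] != client_id or grant["expires"] <= now:
        return None
    return {"access_token": _mint("access", grant, ACCESS_TTL, now),
            "refresh_token": _mint("refresh", grant, REFRESH_TTL, now), "expires_in": ACCESS_TTL}

def refresh(refresh_token, client_id, client_secret, now):
    """Mint a new access token from a refresh token, without repeating the user-facing handshake."""
    t = _live(refresh_token, "refresh", now)
    if t is None or t["client_id"] != client_id or not _client_ok(client_id, client_secret):
        return None
    return {"access_token": _mint("access", t, ACCESS_TTL, now), "expires_in": ACCESS_TTL}

def introspect(access_token, now):
    """Resource-server check: scopes of a live access token, else None (refresh tokens never pass)."""
    t = _live(access_token, "access", now)
    return t["scopes"] if t else None

def revoke_grant(user, client_id):
    """The resource owner withdraws the grant: every token for that user/client pair dies."""
    for t in TOKENS.values():
        if t["user"] == user and t["client_id"] == client_id:
            t["revoked"] = True
```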