Authentication & Authorization
RESTful infrastructures
APIConf 2017 - Turin
@_CloudConf_ - #apiconf2017
Walter Dal Mut
github.com/wdalmut
twitter.com/walterdalmut
corley.it
Authentication and authorization problem for RESTful infrastructures. From Basic Authentication to Open Authorization 2.0 (OAuth2)

4. APIs immediately create a new building block for any application.
5. I want to add a filesystem feature to my application? https://developers.google.com/drive/v3/web/about-sdk
   Manage Files and Folders. Enable collaboration. Detect changes and revisions. Using Google Drive features.
6. FileSystem as a Service

    $fileMetadata = new Google_Service_Drive_DriveFile([
        'name' => 'photo.jpg'
    ]);
    $file = $driveService->files->create($fileMetadata, [
        'data' => file_get_contents("/tmp/photo.jpg"),
        'mimeType' => 'image/jpeg',
        'uploadType' => 'multipart',
        'fields' => 'id'
    ]);

7. Or think about AWS services: S3 (filesystem), Lambda (code as a service: image cropping etc.), ElasticTranscoder (video encoding), SQS (distributed queues), SNS (distributed notifications).
8. Or think about Docker: an API wraps the Docker Engine completely. Code as a service. Background tasks as a service. Think how much Docker is different, thanks to its own API system, from other services that you cannot control programmatically.
9. API to turn ON/OFF a light bulb. Now a simple light bulb has a unique address in the world (URI). Continuous Integration: turn ON on errors. Crepuscular relay for home automation. ...

    POST /light/1 {"high": true}
    POST /light/1 {"high": false}
    GET /light/1

10. So we can decouple our system into different and reusable parts (services).
11. So now we have a machine-to-machine system: how can we authenticate and authorize actions?
12. The most simple way to authenticate is Basic Authentication. Example: BASE64({username}:{password})

    GET /user HTTP/1.1
    Host: api.walterdalmut.com
    Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Encoding: UTF-8
    Content-Length: 2
    Connection: close
    X-Records-Count: 0
    X-Records-Page: 1
    X-Records-Total: 0

    []
13. If I change the password, the Basic token changes; if I never change the password, the token never changes (never expires)...
14. If you allow multiple passwords, you have a token-based authentication system. Create a login endpoint [POST /v1/login]. The user sends username and password. A new password (randomly generated) is created. This randomly generated password is an authentication token, so the token is used as a validation mechanism. We can integrate JWT to wrap the base token. You can add expire, refresh and revoke features to complete your auth system.

    GET /user HTTP/1.1
    Host: api.walterdalmut.com
    Authorization: Bearer 35deb6aab84648dc2423cb61d3fceaa6c869a7aa
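To make the step from slide 12 to slide 14 concrete, here is an added example (mine, not code from the talk or from Corley): a parser for the Basic header of slide 12 beside a small in-memory store for the login-issued tokens of slide 14, with the expire, refresh and revoke features the slide lists. The user table, the opaque random tokens and the injectable clock are assumptions made for the demo.

```python
import base64
import binascii
import secrets
import time

# Constructed demo credential store: username -> password. A real service
# would keep a salted password hash (bcrypt/argon2), never the password itself.
USERS = {"Aladdin": "OpenSesame"}


def encode_basic(username: str, password: str) -> str:
    """Client side of slide 12: Authorization: Basic BASE64(username:password)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(authorization_header: str):
    """Return (username, password) from a Basic header, or None if it is malformed.

    The decoded value *is* the credential: anyone who can read the header
    (no HTTPS, a logging proxy) has the password, and it only changes when
    the password changes (slide 13).
    """
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def _password_ok(username: str, password: str) -> bool:
    expected = USERS.get(username)
    # compare_digest keeps the comparison time independent of where the strings differ
    return expected is not None and secrets.compare_digest(expected.encode(), password.encode())


def check_basic(authorization_header: str) -> bool:
    creds = parse_basic(authorization_header)
    return creds is not None and _password_ok(*creds)


class TokenStore:
    """Opaque bearer tokens issued by POST /v1/login (slide 14), with expire,
    refresh and revoke. The clock is injectable so expiry can be tested."""

    def __init__(self, ttl: int = 3600, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._tokens = {}  # token -> (username, expires_at)

    def _mint(self, username: str) -> str:
        token = secrets.token_hex(20)  # 160 random bits, 40 hex chars like the slide's token
        self._tokens[token] = (username, self.clock() + self.ttl)
        return token

    def login(self, username: str, password: str):
        """The 'randomly generated password' of slide 14: independent of the
        real password, so it can be rotated or revoked without touching it."""
        return self._mint(username) if _password_ok(username, password) else None

    def authenticate(self, authorization_header: str):
        """Resolve 'Authorization: Bearer <token>' to a username, or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer":
            return None
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            self._tokens.pop(token, None)  # expired: forget it
            return None
        return username

    def refresh(self, token: str):
        """Issue a new token for the same user and retire the old one."""
        username = self.authenticate("Bearer " + token)
        if username is None:
            return None
        self.revoke(token)
        return self._mint(username)

    def revoke(self, token: str) -> bool:
        return self._tokens.pop(token, None) is not None
```

The store is in memory for the demo; a deployed version would persist tokens (hashed, since the table is as sensitive as a password table) and would still need HTTPS, because a bearer token in flight is just as reusable as the Basic header it replaces.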
15. Security over HTTPS.
16. With this authentication scheme, can we handle the authorization? Yes, typically role based (ADMIN, USER, etc.).
17. This authorization scheme works well with a tiny application with limited API access or a reserved API. With this scheme we grant authorizations over a given resource per user role and not with a fine-grained method.

    $this->denyUnlessAuthorized($user, $resource);

18. What if I want to grant only limited authorizations to external applications? How to handle the privacy problem and grant only a limited set of privileges?
19. Third-party applications? With Basic auth I have to pass my credentials to that application! With token auth I cannot control the data access, because the external application uses my current role! We join different APIs together, right?
20. OAuth2 is related to Authorization and not Authentication. User centered (focus on third-party application data access). Scope-based authorization. Different token generation schemes. Secured via HTTPS (like Basic auth, token auth...). Mainly for distributed infrastructures: SOA, microservices...
21. Distributed infrastructure
22. The OAuth2 scheme allows clients (third-party applications) to access the user's information only after a user grant. User (is you). Client (third party). Resource (information owned by you). Authorization grant (that you give to the client).
23. OAuth2: you grant a limited set of privileges (scopes) on a resource (that you own) to an external application (the client).
24. With OAuth2 the token is linked with a list of scopes, and whoever has that token can access resources in a limited way, depending on the scope list.
25. Scopes: -

    GET /user HTTP/1.1
    Host: api.walterdalmut.com
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Encoding: UTF-8
    Connection: close

    { "id": 1 }

26. Scopes: email

    GET /user HTTP/1.1
    Host: api.walterdalmut.com
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Encoding: UTF-8
    Connection: close

    { "id": 1, "username": "walter.dalmut@gmail.com" }

27. Scopes: email profile:read

    GET /user HTTP/1.1
    Host: api.walterdalmut.com
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Encoding: UTF-8
    Connection: close

    {
      "id": 1,
      "username": "walter.dalmut@gmail.com",
      "firstname": "Walter",
      "lastname": "Dal Mut",
      "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
      "jobPosition": "Engineer",
      "signupDate": "2017-04-05T14:49:26+00:00"
    }

28. Scopes: email profile:read invoice:read

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
    Content-Encoding: UTF-8
    Connection: close

    {
      "id": 1,
      "username": "walter.dalmut@gmail.com",
      "firstname": "Walter",
      "lastname": "Dal Mut",
      "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
      "jobPosition": "Engineer",
      "signupDate": "2017-04-05T14:49:26+00:00",
      "invoiceInfo": {
        "id": 1,
        "fiscalName": "Corley SRL",
        "taxCode": "10669790015",
        "fiscalCode": "10669790015",
        "address": "P.za Statuto 10",
        "zipCode": "10122",
        "city": "Torino",
        "country": "Italy",
        "province": "TO"
      }
    }
29. 4 [5] ways to get an authorization token: Authorization code; Implicit (JavaScript clients); Password; Client credentials; Refresh token. A token, access or refresh, it doesn't matter, must expire after an amount of time, and those tokens can also be revoked by the resource owner.
30. Authorization code exchange. AngularJS is not able to keep the OAuth2 client credential secret, so the App Server (third-party app) keeps it and exchanges the authorization code for a token, using the client credentials as well.
31. Authorization code exchange
32. Authorization code exchange
33. Authorization code exchange
34. Implicit flow: used by JavaScript clients that cannot use a backend server for client validation.
35. Password flow: typically used by a privileged client to simplify the token generation.
36. It is a privileged application in our network that allows user credential sharing to simplify the user login procedure (with backend support). academy.corley.it (example of password flow).
37. Client credentials flow: typically only for client-related jobs (no user resources, but client resources).
38. OAuth2 will generate 2 tokens: access_token and refresh_token. The refresh token is not used to access resources but only to generate a new token without the whole generation handshake. access_token (expires in 1 hour), refresh_token (expires in 1 month).
39. Just a few words...
40. Thanks for listening