
Incorporating OAuth: How to integrate OAuth into your mobile app


Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013

Published in: Technology, Business


  1. Incorporating OAuth: How to integrate OAuth into your mobile app
     By Travis Spencer, CEO (@travisspencer, @2botech)
     Copyright © 2013 Twobo Technologies AB. All rights reserved
  2. Agenda
     - The security challenge in context
     - Neo-security stack
     - OAuth basics
     - Overview of other layers
  3. Crucial Security Concerns
     (diagram: Enterprise Security, API Security, Mobile Security)
  4. Identity is Central
     (Venn diagram by Gunnar Peterson: Enterprise Security, API Security, Mobile Security; MDM, MAM, AuthZ; Identity at the centre)
  5. Neo-security Stack
     - SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
     - OAuth 2 is the new meta-protocol defining how tokens are handled
     - These address old requirements, solve new problems & are composed in useful ways
     (illustration: "Grandpa SAML & junior OpenID Connect")
  6. OAuth Actors
     - Client
     - Authorization Server (AS)
     - Resource Server (RS) (i.e., API)
     - Resource Owner (RO)
     (diagram: the Client gets a token from the AS and uses the token at the RS)
  7. OAuth Mobile App Flow (diagram)
  8. Request Authorization (diagram)
  9. Authenticate & Authorize (diagram)
  10. Register Custom Scheme in App
      <activity android:name=".CallbackActivity" …>
        <intent-filter>
          <data android:scheme="twobo" />
          …
        </intent-filter>
      </activity>
  11. Callback to Custom Scheme
      In the OAuth server, configure the callback to the scheme that was registered.
  12. Exchange Code for Token (diagram: the client sends the authorization code, AC)
  13. Calling the Token Endpoint
      var data = {
          "client_id"     : clientId,
          "client_secret" : clientSecret,
          "code"          : code,
          "grant_type"    : "authorization_code",
          "response_type" : "token"   // not a token-endpoint parameter in RFC 6749 (section 4.1.3); the AS ignores unrecognized parameters
      };
      $.post(tokenEndpoint, data, processAccessToken, "json");
      (diagram: the client sends the AC; the AS returns an access token (AT) and a refresh token (RT))
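The client-side steps of slides 8 to 13 (open the authorization request, receive the callback on the registered scheme, exchange the code at the token endpoint), written out as an added Python 3 example that is not part of the talk or of any Twobo code. The endpoint URLs, the client_id "mobile-app" and the "twobo" scheme are assumed values. Two choices depart from the slide 13 snippet: a random state parameter is generated before the browser is opened and checked on the callback, so a callback the app did not start is discarded (RFC 6749 section 10.12), and no client_secret is sent, since a native app cannot keep one confidential; the slide's response_type parameter is also left out because the token endpoint does not define it.

```python
# Added example (not the talk's code): authorization-code flow steps for a
# mobile client, standard library only. Endpoint URLs, client id and the
# custom scheme are assumed values.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHZ_ENDPOINT = "https://as.example.com/oauth/authorize"  # assumed
TOKEN_ENDPOINT = "https://as.example.com/oauth/token"      # assumed
REDIRECT_URI = "twobo://callback"  # custom scheme registered in the manifest
CLIENT_ID = "mobile-app"           # assumed


def new_state():
    """Per-request random value the app stores until the callback arrives."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1 (slide 8): the URL the app opens in the browser."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_uri, expected_state):
    """Step 2 (slides 10-11): the OS hands the app twobo://callback?code=...&state=...
    Returns the authorization code, or raises ValueError when the callback
    is not one this app started (wrong scheme, missing or mismatched state)."""
    parts = urlsplit(callback_uri)
    if parts.scheme != "twobo":
        raise ValueError("callback arrived on unexpected scheme %r" % parts.scheme)
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization server returned error %s" % query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id, code, redirect_uri):
    """Step 3 (slides 12-13): form body for the token endpoint (RFC 6749 section 4.1.3).
    redirect_uri must repeat the value used in step 1. No client_secret is
    embedded: a native app is a public client."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }


def run_flow(callback_uri_from_os, state):
    """Ties steps 2 and 3 together; the returned dict is what gets POSTed to TOKEN_ENDPOINT."""
    code = parse_callback(callback_uri_from_os, state)
    return build_token_request(CLIENT_ID, code, REDIRECT_URI)


if __name__ == "__main__":
    st = new_state()
    print(build_authorization_url(CLIENT_ID, REDIRECT_URI, "read", st))
    # Constructed callback, as the OS would deliver it after the user consents:
    print(run_flow("twobo://callback?code=SplxlOBeZQQYbYS6WxSbIA&state=" + st, st))
```

The state check is the part worth keeping even if the rest is replaced by a library: without it, any URI that happens to match the registered scheme is accepted as the outcome of the app's own request.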
  14. Tokens are Often JWTs
      - Pronounced like the English word "jot"
      - Lightweight tokens passed in HTTP headers & query strings
      - Akin to SAML tokens: less expressive, fewer security options, more compact, encoded with JSON not XML
  15. Calling the API
      Provide the AT to the API according to the bearer token profile:
      $.ajax({
          url: apiEndpoint,
          dataType: "json",   // the slide had the bare identifier json, which is a ReferenceError
          headers: { "Authorization": "Bearer " + accessToken },
          success: processResults
      });
  16. API May Validate Token
      import urllib
      import urllib2

      def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
          # Ask the AS to validate the access token on the API's behalf.
          # The grant_type value was elided on the slide.
          values = {
              "client_id"     : clientId,
              "client_secret" : clientSecret,
              "grant_type"    : "…",
              "token"         : accessToken,
          }
          request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
          return urllib2.urlopen(request)
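Slide 14 says access tokens are often JWTs and slide 16 shows the API asking the AS to validate one. When the AS issues JWTs, the API can validate locally instead, which is what this added Python 3 example does; it is not the talk's code. It pulls the bearer token out of the Authorization header as slide 15 sends it (RFC 6750), then checks the HS256 signature, issuer, audience and expiry. The shared key and the issuer and audience URLs are assumed values, and mint_test_jwt only exists to construct a sample token the way the AS would.

```python
# Added example (not the talk's code): an API validating a bearer JWT locally.
# Key, issuer and audience are assumed values.
import base64, hashlib, hmac, json, time

SHARED_KEY = b"assumed-key-shared-with-the-AS-for-this-example-only"  # assumed
EXPECTED_ISS = "https://as.example.com"   # assumed
EXPECTED_AUD = "https://api.example.com"  # assumed


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # JWS strips the padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def extract_bearer_token(headers):
    """Returns the token from 'Authorization: Bearer <token>', or None."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def validate_jwt(token, key, now=None):
    """Returns the claims if the token is acceptable, otherwise raises ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token choose (alg "none" etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token not intended for this API")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def mint_test_jwt(claims, key):
    """Constructed for the example only: builds an HS256 JWT as the AS would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def authorize_request(headers, now=None):
    """Per-request check: (401, None) without a valid token, else (200, claims)."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, None
    try:
        return 200, validate_jwt(token, SHARED_KEY, now)
    except ValueError:
        return 401, None


if __name__ == "__main__":
    sample = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "scope": "read",
              "exp": int(time.time()) + 300}   # constructed sample claims
    print(authorize_request({"Authorization": "Bearer " + mint_test_jwt(sample, SHARED_KEY)}))
```

Rejecting any alg other than the one the API was configured for, and checking aud, are the two checks most often missing from hand-written validators; the slide's approach of calling back to the AS avoids both problems at the cost of a network round trip per request.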
  17. App Consumes API Data
      - App should only present the AT to the API
      - Never send the RT to the API
      - Use the RT to get a new AT if the AT expires
      - App can't use the AT to determine anything about the user
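The four rules on slide 17 as client-side token handling, an added Python 3 example that is not the talk's code. The HTTP transport is injected (get and post callables) so the logic runs offline; the token endpoint URL and client_id are assumed values. Only the AT is ever placed in the Authorization header, the RT goes only to the token endpoint with grant_type=refresh_token (RFC 6749 section 6), and the app treats the AT as an opaque string with an expiry, nothing more.

```python
# Added example (not the talk's code): keeping the AT and RT apart on the client.
import time


class TokenStore:
    """Holds the AS response from slide 13: access token, refresh token, expiry."""

    def __init__(self, access_token, refresh_token, expires_in, now=None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        now = time.time() if now is None else now
        self.expires_at = now + expires_in

    def expired(self, now, skew=30):
        # Treat the AT as expired a little early so a call in flight is not rejected.
        return now + skew >= self.expires_at


def refresh_access_token(store, post, token_endpoint, client_id, now):
    """Uses the RT at the token endpoint and returns a new TokenStore.
    post(url, form) is the injected transport returning the parsed JSON body."""
    resp = post(token_endpoint, {
        "grant_type": "refresh_token",
        "refresh_token": store.refresh_token,
        "client_id": client_id,
    })
    # The AS may rotate the RT; keep the old one only if no new one was issued.
    return TokenStore(resp["access_token"],
                      resp.get("refresh_token", store.refresh_token),
                      resp["expires_in"], now)


def call_api(store, get, api_endpoint):
    """Only the AT goes to the API, as a bearer header. get(url, headers) is injected."""
    return get(api_endpoint, {"Authorization": "Bearer " + store.access_token})


def call_api_with_refresh(store, get, post, api_endpoint, token_endpoint, client_id, now=None):
    """Refreshes first when the AT is (nearly) expired, then calls the API.
    Returns (possibly new) store and the API result."""
    now = time.time() if now is None else now
    if store.expired(now):
        store = refresh_access_token(store, post, token_endpoint, client_id, now)
    return store, call_api(store, get, api_endpoint)


if __name__ == "__main__":
    # Constructed fakes standing in for the network.
    def fake_get(url, headers):
        return {"called": url, "auth": headers["Authorization"]}

    def fake_post(url, form):
        return {"access_token": "AT2", "expires_in": 3600}

    store = TokenStore("AT1", "RT1", 3600, now=0)
    print(call_api_with_refresh(store, fake_get, fake_post, "https://api.example.com/data",
                                "https://as.example.com/oauth/token", "mobile-app", now=3590))
```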
  18. Overview of OpenID Connect
      - Builds on OAuth for profile sharing
      - Uses the flows optimized for user-consent scenarios
      - Adds identity-based inputs/outputs to core OAuth messages
      - Tokens are JWTs
  19. What OAuth is and is not for
      - Not for authentication
      - Not really for authorization
      - For delegation
  20. Questions & Thanks
      @2botech, @travisspencer, www.2botech.com, travisspencer.com
