This document discusses using OAuth for securing web services on Android applications. It begins with an introduction to OAuth and its goals of allowing users to grant access to private resources like social media profiles without sharing usernames and passwords. It then explains the basic OAuth workflow involving a 3-step handshake to obtain a request token, having the user authorize the client, and exchanging the request token for an access token. The document concludes by demonstrating how to implement OAuth in an Android app using the Signpost library, which integrates with HTTP clients and handles token management.
Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management).
And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.
Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
John Bradley, Ping Identity
Overview of the different participant roles in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign on for Native Applications.
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open-standards.
In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices
Key Takeaways
Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization
Consume OpenID Connect from popular Identity providers with Social Sign-On
Provide a single, branded Identity to your own users and applications using OpenID Connect
Use OpenID Connect to easily build Identity-enabled mobile applications
Plan for the next generation of connected devices
Intended Audience
This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Ioan Eugen Stan
Speaking of modern authentication for the Web, we usually assume features like single sign-on, social login, strong multifactor auth, protection from brute-force attacks and automated registrations & many more.
Unfortunately, Sling offers only very basic authentication and identity management out of the box. Our proposal is not to reinvent all of the above within Sling, but rather to delegate authentication and IDM to mature, open-source and standards-compliant external service.
In this session, we'll discuss and demonstrate implementation of this approach with Keycloak, open-source identity solution.
https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/ - Code and presentation.
https://netdava.github.io/adapt-to-2018-keycloak-sling-presentation/
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
Explains the process described in the core specification for OpenID Connect 1.0 which is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
OpenID Connect is the newest iteration of the OpenID Internet authentication standard that’s been developed in coordination by Google, Facebook, Microsoft and others at the OpenID Foundation.
OpenID Connect performs many of the same tasks as OpenID 1 & 2, but does so in a way that is API-friendly, and usable by native and mobile applications.
OpenID 1 and 2 lend part of their name, but Connect is a complete re-write that is fundamentally better architected for the modern web in a few important ways.
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
CEOS WGISS 36 - Frascati, Italy - 2013.09.19
Single Sign On with OAuth and OpenID used for Kalideos project and to be used within the French Land Surface Thematic Center
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Presentation describes different authentication ways to protect web application. It shows difference between custom approach and authentication with OAuth1 and OAuth2.
Slides for my presentation about OAuth, going in depth in the details of the Authorization Code Grant and PKCE, also describing several security threats to OAuth
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in?
4. How to do stateless Authorization using OAUTH2 & JWT?
5. Some Sample Code? How easy is it to implement?
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps.
This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization.
This presentation was first given in the London Mobile Security Meetup
https://www.meetup.com/London-Mobile-Developer-Security/
4. The mobile Web
What was WAP again?
Nevermind.
With today's hardware and infrastructure, mobile
applications have become full blown Web clients.
5. Mobile HTTP Clients
Secure channel?
Data integrity?
Client Web service
Authentication?
Authorized access?
6. HTTPS
Secure Socket Layer + HTTP
Secures the whole communication channel
Uses certificates and public key encryption
Very secure!
But...
7. Right tool for the job?
Does all my data need encryption?
Do users know, care about, or trust digital
certificates? I'm still giving away my password!
What about authorization, and who
actually decides that?
8. What is OAuth?
OAuth.net
”An open protocol to allow secure API authorization
in a simple and standard method from desktop and
web applications.”
Wikipedia.org
”OAuth is an open protocol that allows users to share
their private resources [...] stored on one site with
another site without having to hand out their
username and password.”
9. Motivation
Web users typically have their data spread
across various, often interweaved websites
e.g. Flickr, Twitter, Vimeo, ...
Each time users want to access their data, they must
give away their username and password
11. Where OAuth sets in
Without OAuth, users have to share their credentials
with potentially untrustworthy applications.
a.k.a. the ”password anti-pattern”
OAuth solves this by letting the user grant revokable
access rights over a limited period of time.
12. Implications
OAuth does not require the user to trust
the client application.
instead:
OAuth is about trust into the service being used.
13. Implications
OAuth does not automatically grant clients
permission by e.g. issuing certificates.
instead:
OAuth is about access right delegation
from user to client.
15. How OAuth works
Alice wants to read her latest mentions on her
Android phone using SecTweet.
Or in OAuth lingo:
Consumer SecTweet requires user Alice's permission to access the
protected resource http://twitter.com/statuses/mentions from the
service provider Twitter.
16. OAuth Access Delegation
SecTweet does not yet have Alice's permission to
access Twitter mentions on her behalf.
However, Alice can pass authorization over to
SecTweet by means of an access token.
As long as this token is valid, SecTweet is allowed
to access Alice's resources.
18. Step 1: The request token
GET twitter.com/oauth/request_token
SecTweet
request token
SecTweet contacts twitter.com,
asking for a request token.
This token must be ”blessed” by Alice.
19. Step 2: Token blessing
open web browser / web view
SecTweet
call back with token + verification code
SecTweet opens Twitter's authorization website
in a browser (or Web view).
Alice is asked to either grant or deny
SecTweet access to her Twitter data.
21. Step 3: Token exchange
GET twitter.com/oauth/access_token
SecTweet
access token
If Alice agrees, SecTweet will then exchange the
blessed request token for an access token.
22. Message signing
Once an access token has been retrieved, SecTweet
can use it to access Alice's resources on Twitter.com
by signing all requests with it.
HTTP
message
Signature
23. Message Signing
There is no need to store Alice's
username or password on the device.
24. Message Signing
An OAuth signature is a unique fingerprint, typically
computed using keyed cryptographic hash functions.
Thus, both integrity and authenticity of a signed
message can be verified by the receiver.
Timestamps and nonces let the receiver reject replayed
messages, so a signature captured by an eavesdropper
cannot be reused.
25. Example
GET /statuses/mentions.xml HTTP/1.1
Host: twitter.com
Authorization: OAuth oauth_version="1.0",
    oauth_consumer_key="v5Dev9QtVuzkhssYoH",
    oauth_token="pbZXhbz2p5w8h6y",
    oauth_timestamp="1265563431",
    oauth_nonce="73980654659",
    oauth_signature="pvISiky7dm9FD45mfZkP0S50yu0=",
    oauth_signature_method="HMAC-SHA1"
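The signature on slides 22 to 25 is easier to trust once both ends of it are visible. The following is an added Python example, not code from these slides or from Signpost, that computes the RFC 5849 HMAC-SHA1 signature the way a Signpost consumer does for a header like the one above, and then plays the service provider's part: recomputing the signature from its stored secrets, comparing in constant time, and rejecting stale timestamps and repeated nonces. The consumer key and token are the values from the slide; the secrets, the example.com URL and the `ReplayGuard` class are constructed for this example.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample credentials: key and token come from the slide, the secrets do not.
CREDS = {"consumer_key": "v5Dev9QtVuzkhssYoH", "consumer_secret": "consumer-secret-constructed",
         "token": "pbZXhbz2p5w8h6y", "token_secret": "token-secret-constructed"}
# What the service provider has on file for the same client and access token (constructed).
SECRETS = {"consumers": {"v5Dev9QtVuzkhssYoH": "consumer-secret-constructed"},
           "tokens": {"pbZXhbz2p5w8h6y": "token-secret-constructed"}}


def percent_encode(value):
    # RFC 5849 3.6: only unreserved characters stay literal; hex digits are uppercase.
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & base-URL & normalized-parameters: the string both sides HMAC over."""
    parsed = urllib.parse.urlsplit(url)
    scheme, host, port = parsed.scheme.lower(), parsed.hostname.lower(), parsed.port
    default_port = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if port is None or default_port else f"{host}:{port}"
    base_url = f"{scheme}://{netloc}{parsed.path}"
    # Query parameters are signed as well, so tampering with them breaks the signature.
    pairs = urllib.parse.parse_qsl(parsed.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Signing key: consumer secret and token secret, each percent-encoded, joined by "&".
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, creds, timestamp, nonce):
    """Client side: the Authorization header a Signpost consumer.sign() call attaches."""
    params = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        method, url, params, creds["consumer_secret"], creds["token_secret"])
    return "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in params.items())


def parse_oauth_header(header):
    """Split 'OAuth k="v", k="v"' back into a dict; values are percent-decoded."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = urllib.parse.unquote(value.strip().strip("\"'"))
    return params


class ReplayGuard:
    """Server side: reject stale timestamps and any (consumer, timestamp, nonce) seen before."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = set()  # a real deployment prunes entries older than the window

    def accept(self, consumer_key, timestamp, nonce, now):
        if not nonce or not timestamp.isdigit() or abs(now - int(timestamp)) > self.window:
            return False
        triple = (consumer_key, timestamp, nonce)
        if triple in self.seen:
            return False
        self.seen.add(triple)
        return True


def verify_request(method, url, header, secrets, guard, now):
    """Server side: recompute the signature from stored secrets, then check freshness."""
    p = parse_oauth_header(header)
    consumer_secret = secrets["consumers"].get(p.get("oauth_consumer_key", ""))
    token_secret = secrets["tokens"].get(p.get("oauth_token", ""))  # unknown token -> None
    if consumer_secret is None or token_secret is None:
        return False
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1_signature(method, url, p, consumer_secret, token_secret)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
        return False
    return guard.accept(p["oauth_consumer_key"], p.get("oauth_timestamp", ""),
                        p.get("oauth_nonce", ""), now)
```

Because the base string covers the method, the base URL and every query parameter, altering any of them after signing invalidates the signature, and because `oauth_signature` itself is excluded from the base string the receiver can recompute it independently. What stops a captured header from being presented a second time is the nonce set, which has to be kept per consumer key and only needs to hold entries inside the timestamp window.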
26. Observations so far
OAuth is not just about machines. It actually
involves the user as an authority.
OAuth protects the user's credentials by
simply not sending them!
OAuth checks the integrity, authenticity and
authorization of Web service calls.
27. Observations so far
OAuth operates on the same OSI layer as HTTP
and integrates seamlessly with it.
OAuth does not obfuscate message payload,
making it easy to debug.
OAuth itself is a fairly non-technical protocol.
It emerged from real world requirements
and use cases.
28. On the flip-side
OAuth requires a fair amount of set-up work,
e.g. for keeping track of nonces and tokens.
OAuth affects the user signup journey.
Balancing UX here can be a two-edged sword.
29. On the flip-side
OAuth does not guarantee data privacy. It must be
used in conjunction with existing protocols to
achieve that (e.g. SSL).
The OAuth standard is unclear and difficult to read at
times, resulting in compatibility issues.
Hammer time!
30. OAuth on Android
What we need is a library which is:
Written in Java.
Integrates with Apache Commons HTTP.
Is lightweight and easy to integrate.
31. That would be Signpost
Signpost is an extensible, HTTP layer independent,
client-side OAuth library for the Java platform.
It works on Android!
32. Using Signpost
Have an Activity that can receive callbacks:
<activity android:name=".activities.OAuthActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="mycallback"/>
    </intent-filter>
</activity>
33. Using Signpost
Implement OAuthActivity to have a Signpost
OAuthConsumer and OAuthProvider:
import android.app.Activity;
import oauth.signpost.OAuthConsumer;
import oauth.signpost.OAuthProvider;
import oauth.signpost.commonshttp.CommonsHttpOAuthConsumer;
import oauth.signpost.commonshttp.CommonsHttpOAuthProvider;

public class OAuthActivity extends Activity {
    // Java string literals take double quotes; single quotes denote a char
    private OAuthConsumer consumer =
        new CommonsHttpOAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET);
    private OAuthProvider provider = new CommonsHttpOAuthProvider(
        "http://example.com/oauth/request_token",
        "http://example.com/oauth/access_token",
        "http://www.example.com/oauth/authorize");
    . . .
}
34. Using Signpost
Step 1: Retrieving the request token
public class OAuthActivity extends Activity {
    // network call: run off the UI thread in a real app
    private void step1() throws OAuthException {
        // Signpost returns the authorization URL; the callback scheme
        // must match the <data android:scheme="mycallback"/> filter
        String url =
            provider.retrieveRequestToken(consumer, "mycallback:///");
        storeTokenToPreferences(consumer.getToken());
        storeTokenSecretToPreferences(consumer.getTokenSecret());
        startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
    }
}
36. Using Signpost
Step 3: Retrieving the access token
public class OAuthActivity extends Activity {
    // website called back with:
    // mycallback:///?oauth_token=xxx&oauth_verifier=12345
    private void step3(Uri callbackUrl) throws OAuthException {
        String oauthVerifier =
            callbackUrl.getQueryParameter(OAuth.OAUTH_VERIFIER);
        String token = readTokenFromPreferences();
        String secret = readSecretFromPreferences();
        // the callback must carry the request token stored in step 1
        if (!token.equals(callbackUrl.getQueryParameter(OAuth.OAUTH_TOKEN))) {
            throw new OAuthExpectationFailedException("callback token mismatch");
        }
        // restore the request token so the provider can exchange it
        consumer.setTokenWithSecret(token, secret);
        provider.retrieveAccessToken(consumer, oauthVerifier);
        storeTokenToPreferences(consumer.getToken());
        storeTokenSecretToPreferences(consumer.getTokenSecret());
    }
}
37. Using Signpost
Signing messages sent with HttpClient:
public class AnyActivity extends Activity {
    private HttpClient httpClient = new DefaultHttpClient();
    // consumer: the OAuthConsumer holding the access token from step 3

    private void sendSignedRequest() throws OAuthException, IOException {
        HttpGet request =
            new HttpGet("http://example.com/protected.xml");
        consumer.sign(request);   // adds the OAuth Authorization header
        HttpResponse response = httpClient.execute(request);
        // . . .
    }
}
38. Outlook: WRAP
The Web Resource Authorization Protocol is an OAuth
variant, aiming to simplify and extend OAuth 1.0a
Drops signatures in favor of SSL secured connections and
short lived access-tokens
Defines additional ways to retrieve tokens