Recommended
More Related Content
What's hot
Similar to Token based-oauth2
Similar to Token based-oauth2 (20)
Recently uploaded
Recently uploaded (20)
Token based-oauth2
- 1. 1CONFIDENTIAL OAUTH2 TOKEN BASED AUTHORIZATION, JSON WEB TOKENS NOVEMBER 23, 2017 Andrey Radzkov
- 2. 2CONFIDENTIAL AGENDAAGENDA Token based auth1 Json Web Tokens2 OAUTH23 Live demo4
- 5. 5CONFIDENTIAL HISTORY: COOKIE-BASED (FORMS): SEQUENCE DIAGRAMM Browser Server Post /auth {j_username:"uName", j_password:"password"} HTTP 200 OK. Set cookie: j_sessionId=..... GET /api/smth Cookie: j_sessionId=..... HTTP 200 OK. Response: {smth:....}
- 6. 6CONFIDENTIAL HISTORY: COOKIE-BASED (FORMS) Server1 Server 2 Server 3 Load balancer Web app Mobile app Shared session
- 7. 7CONFIDENTIAL HISTORY: COOKIE-BASED (FORMS): SUMMARY Easy, transparent Supports by many frameworks Possible to design forms - No browser clients - Distributed applications - Cross-domain apps
- 9. 9CONFIDENTIAL TOKEN BASED AUTHORIZATION Accept:application/json, text/plain, */* Accept-Encoding:gzip, deflate, sdch, br Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4 Cache-Control:no-cache Connection:keep-alive Authorization: Bearer MTQ5NzQ1MTAzODE4NTphZDJiODc0NTI0NmQxNmIyZDQ6dXNlckB1c2VyLmNvbTo4YW YzYzg1NWU4OTI4YThkNjYxNGNlOTA3NzgxNGUzMTlmNDQ3YjQxZDdkNTdhMjc1YTY0 MDRmYWYyN2FjMmJiMWFkOGQ3YjY0Y2QyZGM4MWQxNGQ0ZTk0MmMwZDhhY2MyY2RjNW Q2MjZlNTdhZTJiYTFlMzFhMzI4N2NmNmNmMA==
- 10. 10CONFIDENTIAL TOKEN BASED AUTHORIZATION – SEQUENCE DIAGRAMM Client Server Post /auth {j_username:"uName", j_password:"password"} HTTP 200 OK. Response: {auth_token:”MTQ5NzQ1MTAzODE4NTphZDJi...”, expiration_time:Wed Jun 21 2017 23:09:13} GET /api/smth Headers: Authorization: Bearer: MTQ5NzQ1MTAzODE ... HTTP 200 OK. Response: {smth:....}
- 11. 11CONFIDENTIAL TOKEN BASED AUTHORIZATION: SEVARAL SERVERS Server1 Server 2 Server 3 Load balancer Web app Mobile app {token:”…”} {token:”…”} {token:”…”}
- 12. 12CONFIDENTIAL TOKEN BASED AUTHORIZATION: TOKEN SIZE MTQ5NzQ1MTAzODE4NTphZDJiODc0NTI0NmQxNmIyZDQ 6dXNlckB1c2VyLmNvbTo4YWYzYzg1NWU4OTI4YThkNj YxNGNlOTA3NzgxNGUzMTlmNDQ3YjQxZDdkNTdhMjc1Y TY0MDRmYWYyN2FjMmJiMWFkOGQ3YjY0Y2QyZGM4MWQx NGQ0ZTk0MmMwZDhhY2MyY2RjNWQ2MjZlNTdhZTJiYTF lMzFhMzI4N2NmNmNmMA==
- 13. 13CONFIDENTIAL TOKEN BASED AUTHORIZATION: SUMMARY Supports by many frameworks Easy implementation for distributed applications Good support for not-browser clients Flexible implementation: content, size, encryption, expiration Works with different domains - Header of requests should be extended - Not standard - Be careful with size
- 16. 16CONFIDENTIAL JWT: STRUCTURE: HEADER { "alg": "HS256", "typ": "JWT" }
- 17. 17CONFIDENTIAL JWT: STRUCTURE: PAYLOAD {"sub": "1234567890", "name": "John Doe", "admin": true} iss — address or name of auth center sub — user id aud — client name exp — expiration nbf — time from iat — time of token creation jti — token id
- 18. 18CONFIDENTIAL JWT: STRUCTURE: SIGNATURE HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- 20. 20CONFIDENTIAL JWT: SUMMARY Specification for tokens Self-contained token Token signature - Rather big size - Content not encrypted ! Use HTTPS
- 22. 22CONFIDENTIAL OAUTH2: WHAT IS IT? Server1 Server 2 Server 3 Web app Mobile app
- 23. 23CONFIDENTIAL OAUTH2: ABSTRACT FLOW Query Resource Request Token Resource server Auth Server Client Application Validate Token
- 24. 24CONFIDENTIAL OAUTH2: GRANT TYPES Authorization code(backend)1 Implicit (frontend)2 Username/password (deprecated)3 Grant for credentials editing4
- 25. 25CONFIDENTIAL OAUTH2: AUTHORIZATION CODE - ANIMATION Resource server Auth Server Query Resource With token Request Token Validate Token Client side Server side Enter credentials Auth code Provide code Client Application https://oauth.example.com/aut horize?response_type=code&cli ent_id=CLIENT_ID&redirect_uri =CALLBACK_URL&scope=read https://yourapp.com/callback? code=AUTHORIZATION_CODEhttps:/oauth.exapmle.com/token? client_id=CLIENT_ID&client_secret= CLIENT_SECRET&grant_type=authoriza tion_code&code=AUTHORIZATION_CODE& redirect_uri=CALLBACK_URL { "access_token" : "...", "token_type" : "...", "expires_in" : "...", "refresh_token“ : "...“ }
- 26. 26CONFIDENTIAL OAUTH2: GRANT TYPE IMPLICIT - ANIMATION Resource server Auth Server Query Resource With token Auth token in redirect Validate Token Client side Server side Enter credentials Client Application https://oauth.example.com/aut horize?response_type=token&cl ient_id=CLIENT_ID&redirect_ur i=CALLBACK_URL&scope=read https://yourapp.com/callback# token=ACCESS_TOKEN
- 27. 27CONFIDENTIAL OAUTH2: GRANT TYPE – USER PASSWORD - ANIMATION Resource server Auth Server Query Resource With token Auth token in response Client side Server side Send credentials Validate Token https://oauth.example.com/autho rize?password=PASSWORD&username =USERNAME&client_id=CLIENT_ID
- 28. 28CONFIDENTIAL OAUTH2: GRANT TYPE – CLIENT CREDENTIALS https://oauth.example.com/token?grant_type=client_c redentials&client_id=CLIENT_ID&client_secret=CLIENT _SECRET
- 29. 29CONFIDENTIAL OAUTH2: APP REGISTRATION (ON VK EXAMPLE)
- 30. 30CONFIDENTIAL OAUTH2: APP REGISTRATION (ON VK EXAMPLE)
- 31. 31CONFIDENTIAL OAUTH2: SUMMARY Ability to authorize user for other application Separated login and business Application can`t steal user info Based on tokens - Gaps in specification - Different implementations in popular services - High complexity - Possible performance issues ! Use HTTPS
- 34. 34CONFIDENTIAL LINKS HTTP Authentication: Basic and Digest Access Authentication link to oauth2 spec https://tools.ietf.org/html/rfc6749 JWT spec https://tools.ietf.org/html/rfc7519 https://vk.com/editapp?act=create https://vk.com/dev/mobile_apps https://vk.com/dev/android_sdk https://jwt.io/introduction/ https://oauth2.thephpleague.com/requirements/ - good description https://github.com/andrey-radzkov/tech-talk-oauth2-demo - demo
Editor's Notes
- You all see this window in your browser. This is the first version of web – authentification/authorization
- We want to have integrated to app desing, we don`t want to share username/password in network.
- Cookie based, sometimes called forms. We have integrated design
- Transfer login/pass only one time via https. Than we receive cookie with session id and use it. Simple implementation. A lot of frameworks support it by default Minuses – we don`t control this session id generation. Someone can steal cookie and make fake ip in ip packet
- What if app client is not a browser?
- Reincarnation of digest. You can control cpntent, encryption, live - time
- Reincarnation of digest. You can control cpntent, encryption, live - time
- Now with token based it`s easier to do authentication between several nodes and with several client types
- Example of token. See for weight . No username-pass. Just encrypted string. Go through header.
- Then, this JSON is Base64Url encoded to form the first part of the JWT.
- Payload The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: reserved, public, and private claims. Reserved claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others. Notice that the claim names are only three characters long as JWT is meant to be compact. Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace. Private claims: These are the custom claims created to share information between parties that agree on using them.
- Question: what is wrong? The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
- Can`t align(
- What is it? Why? Purposes It`s protocol about authorization. It doesn`t handle authentication. It describes flow of data between appplications to stay secure
- Question: what is wrong? The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
- Simple sceme -auth request -get grant by user -give grant to auth server -Take token -use token for resource Code access sceme -access resource -decline -go to auth server with redirect url -Auth server shows form -redirect to url -grab token by code
- If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
- If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
- If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
- ALLOWS USER TOEDIT INFO ON AUTH SERVER
- PAGE FOR CREATION
- OPTIONS
- Dear listeners, our lection goes to end. We learned a little bit about oauth2 and I hope now we understand that it`s flexible way of authorization your application. Easy to add SSO, mobile clients, other resources, No needs to completely rewrite it or create “system” users. Starting you app with OAUTH2 you will quarantee that during grow(scaling) of your app, increasing of users amount security will still be actual modern and durable. Questions?
- OPTIONS