OAuth2 and REST




          Securing REST-ful Web Services with OAuth2
          Dave Syer, 2012
          Twitter: @david_syer
          Email: dsyer@vmware.com

          Agenda
              Why would I use OAuth2?
              If I was going to use Spring how would that look?
              What's the easiest way to get something working?
              Blog: http://blog.cloudfoundry.org/2012/10/09/oauth-rest/

          Introduction
              There is a strong trend towards distributed systems with lightweight architectures




              So what are people doing about security in such systems?

          What is a Lightweight Service?
              HTTP transport.
              Text-based message content, usually JSON.
              Small, compact messages, and quick responses.
              REST-ful, or at least inspired by REST
              Some degree of statelessness
              Interoperability.

          What Are the Security Requirements?
          Identity and permissions:

              how is identity and permission information conveyed to a service?
              how is it decoded and interpreted?
              what data are needed to make the access decision (user accounts, roles, ACLs etc.)?
              how is the data managed: who is responsible for storing and retrieving it?

          HTTP Basic Authentication
              something of a lowest common denominator
              supported on practically all servers natively and out of the box
              ubiquitous support on the client side in all languages

          Example:



1 of 10                                                                                             17/10/12 05:40
OAuth2 and REST


            $ curl "https://$username:$password@myhost/resource"


          So what's wrong with that?
             Nothing, but...
             Where do you get the credentials (the username and password)?
             Fine for systems where all participants can share secrets securely
             In practice that means small systems
             Only supports username/password
             Only covers authentication

          User or Client Permissions
             Finer-grained information about the authenticated party
             Role-based access: very common, sometimes available in server/container
             Need to categorize user accounts, e.g. USER and ADMIN
             Often business requirements are more complex

          Identity Management: Three Corners




          Identity Management: Four Corners








          Centralized Identity Management




          Centralized Identity Management
              Centralized: scales better than peers sharing secrets
              Peer-to-peer: N(N-1)/2 pairs
              Centralized: N pairs
              For user accounts the scalability benefit is even bigger

          OAuth2
          Centralizing accounts and secrets is great, but what about permissions?






               OAuth 2.0 adds an extra dimension - more information for the access decision
               Standards always help in security
               Lightweight - easy to curl
               Requires HTTPS for secure operation, but you can test with HTTP

          Quick Introduction to OAuth2
               A Client application, often a web application, acts on behalf of a User, but with the User's approval

               Authorization Server
               Resource Server
               Client application

          Common examples of Authorization Servers on the internet:

               Facebook - Graph API
               Google - Google APIs
               Cloud Foundry - Cloud Controller

          Typical Web Application Client




          OAuth2 and the Lightweight Service
          Example command line Client:
          $ curl -H "Authorization: Bearer $TOKEN" https://myhost/resource


               https://myhost is a Resource Server
               TOKEN is a Bearer Token
               it came from an Authorization Server

          Role of Client Application
               Register with Authorization Server (get a client_id and maybe a client_secret)
               Do not collect user credentials
               Obtain a token (opaque) from Authorization Server
                   On its own behalf - client_credentials
                   On behalf of a user





                 Use it to access Resource Server

          Obtaining a Client Credentials Token
          A client can act in its own right (not on behalf of a user):
          $ curl "https://myclient:mysecret@uaa.cloudfoundry.com" \
              -d grant_type=client_credentials -d client_id=myclient


          Result:
          {
              "access_token": "FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh",
              "expires_in": 43200,
              "client_id": "myclient",
              "scope": "uaa.admin"
          }


          OAuth2 Key Features
                 Extremely simple for clients
                 Access tokens carry information (beyond identity)

                 Resource Servers are free to interpret tokens

                 Example token contents:

                       Client id
                       Resource id (audience)
                       User id
                       Role assignments

          UAA Bearer Tokens
                 OAuth 2.0 tokens are opaque to clients
                 But they carry important information to Resource Servers

                 Example of implementation (from Cloud Foundry UAA, JWT = signed, base64-encoded, JSON):
                 {   "client_id":"vmc",
                     "exp":1346325625,
                     "scope":["cloud_controller.read","openid","password.write"],
                     "aud":["openid","cloud_controller","password"],
                     "user_name":"vcap_tester@vmware.com",
                     "user_id":"52147673-9d60-4674-a6d9-225b94d7a64e",
                     "email":"vcap_tester@vmware.com",
                     "jti":"f724ae9a-7c6f-41f2-9c4a-526cea84e614" }


          Web Application Client Again
          The Client wants to access a Resource on behalf of the User








          Obtaining a User Token
          A client can act on behalf of a user (e.g. authorization_code grant):




          Authorization Code Grant Summary
            1. Authorization Server authenticates the User

            2. Client starts the authorization flow and obtains the User's approval

            3. Authorization Server issues an authorization code (opaque one-time token)

            4. Client exchanges the authorization code for an access token.

          Role of Resource Server




            1. Extract token from request and decode it
            2. Make access control decision
                    Scope
                    Audience
                    User account information (id, roles etc.)
                    Client information (id, roles etc.)
            3. Send 403 (FORBIDDEN) if token not sufficient
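The three Resource Server steps above, written out as an added example (not code from the talk, from Spring Security OAuth or from UAA). It extracts the bearer token from the Authorization header, verifies and decodes a JWT like the UAA one shown earlier, then decides on expiry, audience and scope. The HMAC-SHA256 shared signing key, the resource id "cloud_controller" and the required scopes are assumptions for the demo; the claims are modelled on the UAA token on the previous slide.

```python
# Added example (not from the talk or from UAA): a minimal Resource Server check
# for a bearer JWT: (1) extract and decode the token, (2) decide on
# signature, expiry, audience and scope, (3) answer 401/403/200.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"demo-shared-secret"  # assumption: shared with the Authorization Server


def _b64url_decode(part: str) -> bytes:
    # JWT parts drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    # Constructed token for the demo; in practice it comes from the Authorization Server.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def extract_bearer(headers: dict) -> Optional[str]:
    # Step 1: pull the token out of "Authorization: Bearer <token>".
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def decode_and_verify(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    # Step 1 continued: check the signature before trusting any claim.
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def decide(headers: dict, resource_id: str, required_scope: str,
           now: Optional[float] = None) -> int:
    # Steps 2 and 3: 401 when there is no usable token, 403 when the token is
    # valid but insufficient for this resource, 200 otherwise.
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        return 401
    claims = decode_and_verify(token)
    if claims is None or claims.get("exp", 0) <= now:
        return 401
    if resource_id not in claims.get("aud", []):
        return 403  # token was issued for a different Resource Server
    if required_scope not in claims.get("scope", []):
        return 403  # authenticated, but not authorized for this operation
    return 200


if __name__ == "__main__":
    # Claims modelled on the UAA token shown in the talk; exp set relative to now.
    claims = {"client_id": "vmc", "exp": int(time.time()) + 3600,
              "scope": ["cloud_controller.read", "openid"],
              "aud": ["openid", "cloud_controller"],
              "user_name": "vcap_tester@vmware.com"}
    hdrs = {"Authorization": "Bearer " + mint_token(claims)}
    print(decide(hdrs, "cloud_controller", "cloud_controller.read"))   # 200
    print(decide(hdrs, "cloud_controller", "cloud_controller.write"))  # 403
    print(decide(hdrs, "scim", "scim.read"))                            # 403
    print(decide({}, "cloud_controller", "cloud_controller.read"))     # 401
```

The order of the checks matters: the signature is verified before any claim is read, so a forged or tampered token never reaches the audience and scope logic, and a wrong audience is refused even when the scope string happens to match.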

          Role of the Authorization Server
            1.   Grant tokens
            2.   Interface for users to confirm that they authorize the Client to act on their behalf
            3.   Authenticate users (/authorize)
            4.   Authenticate clients (/token)

          #1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).

          Client Registration and Scopes
          For secure channels a client has to authenticate itself to obtain a token, so it has to be known to the Authorization
          Server. Registration provides at a minimum:

                 authentication (shared secret)
                 registered redirect URI (optional but essential to prevent attacks)
                 allowed scopes (clients are not permitted access to all resources)

          Also useful:

                 a way to identify which resources can be accessed
                 ownership information (which user registered the client)

          More on Scopes
          Per the spec they are arbitrary strings. The Authorization Server and the Resource Servers agree on the content
          and meanings.

          Examples:

                 Google: https://www.googleapis.com/auth/userinfo.profile
                 Facebook: email, read_stream, write_stream
                 UAA: cloud_controller.read, cloud_controller.write, scim.read, openid


          Authorization Server has to decide whether to grant a token to a given client and user based on the requested
          scope (if any).
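An added example (not code from the talk, from Spring Security OAuth or from UAA) of an Authorization Server applying the rules on these slides: the four steps of the authorization code grant, exact redirect URI matching, client authentication with the registered secret, and the scope decision. The granted scope is computed the UAA way as the intersection of the requested scopes, the client's allowed scopes and the user's groups. The client name, secret, redirect URI, the user's groups and the 60-second code lifetime are constructed for the demo.

```python
# Added example (not from the talk, Spring Security OAuth or UAA): a toy
# Authorization Server for the authorization_code grant. /authorize issues a
# one-time code after validating the request; /token authenticates the client
# and exchanges the code for an access token.
import hmac
import secrets
from typing import Optional

# Registration (constructed): shared secret, exact redirect URI, allowed scopes.
CLIENTS = {
    "myclient": {"secret": "mysecret",
                 "redirect_uri": "https://myclient.example/callback",  # assumption
                 "scopes": {"cloud_controller.read", "cloud_controller.write", "openid"}},
}
# UAA-style: a user's scopes are the groups on the account (constructed data).
USER_GROUPS = {"marissa": {"uaa.user", "cloud_controller.read", "openid"}}

CODE_TTL = 60  # seconds a code stays valid (assumption)
_codes: dict = {}  # code -> {client_id, redirect_uri, user, scope, expires}


def authorize(client_id: str, redirect_uri: str, user: str, requested: set,
              approved: bool, now: float) -> Optional[str]:
    """Steps 1-3: the user is already authenticated; validate the request, apply
    the user's approval and issue a one-time code. None means the request is refused."""
    client = CLIENTS.get(client_id)
    if client is None or not approved:
        return None
    # Exact match only: loose redirect_uri matching is how codes end up at the wrong host.
    if redirect_uri != client["redirect_uri"]:
        return None
    # Granted scope = requested ∩ client's allowed scopes ∩ user's groups; refuse if empty.
    granted = requested & client["scopes"] & USER_GROUPS.get(user, set())
    if not granted:
        return None
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "scope": granted, "expires": now + CODE_TTL}
    return code


def token(client_id: str, client_secret: str, code: str, redirect_uri: str,
          now: float) -> Optional[dict]:
    """Step 4: authenticate the client, then exchange the code for an access token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    # pop() makes the code single-use even when the checks below fail.
    entry = _codes.pop(code, None)
    if entry is None or entry["expires"] <= now:
        return None
    # The code is bound to the client and redirect_uri it was issued for.
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "expires_in": 43200, "scope": " ".join(sorted(entry["scope"])),
            "user_name": entry["user"]}


if __name__ == "__main__":
    uri = CLIENTS["myclient"]["redirect_uri"]
    code = authorize("myclient", uri, "marissa",
                     {"cloud_controller.read", "cloud_controller.write", "openid"}, True, now=100)
    print(token("myclient", "mysecret", code, uri, now=110))  # token with read + openid only
    print(token("myclient", "mysecret", code, uri, now=111))  # None: code already used
```

Note that the user asked for cloud_controller.write but does not hold that group, so the token carries only the scopes all three parties agree on; a Resource Server then enforces the result exactly as in the previous slide.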

          UAA Scopes
                 UAA scopes are actually Groups in the User accounts

                 GET /Groups, GET /Users/{id}

                 {
                     "id": "73ba999e-fc34-49eb-ac26-dc8be52c1d82",
                     "meta": {...},
                     "userName": "marissa",
                     "groups": [
                       ...
                       {
                         "value": "23a71835-c7ce-43ac-b511-c84d3ae8e788",
                         "display": "uaa.user",
                         "membershipType": "DIRECT"
                       }
                     ]
                 }


          Special Mention for Vmc



          The UAA authenticates requests from vmc in a special way:

          $ curl https://uaa.cloudfoundry.com/oauth/authorize \
              -d response_type=token -d client_id=vmc \
              -d redirect_uri=https://uaa.cloudfoundry.com/redirect/vmc \
              -d source=credentials \
              -d username=$username -d password=$password


          Result:

          302 FOUND
          ...
          Location: https://uaa.cloudfoundry.com/redirect/vmc#access_token=FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh...


          Authentication and the Authorization Server
               Authentication (checking user credentials) is orthogonal to authorization (granting tokens)
               They don't have to be handled in the same component of a large system
               Authentication is often deferred to existing systems (SSO)
               Authorization Server has to be able to authenticate the OAuth endpoints ( /authorize and /token)
               It does not have to collect credentials (except for grant_type=password)

          Cloud Foundry UAA Authorization Server




          Cloud Foundry Login Server








          Role of Login Server
               Authenticate users and collect user approvals for OAuth2 scopes
               Send authenticated user info in trusted channel to UAA
               Maintain SSO state (e.g. session cookie)
               Branded UI
               OAuth2 endpoints - delegate (pass through) to UAA

          Cloud Foundry UAA as a General Purpose Solution
               User Account and Authentication Service is part of Cloud Foundry
               open source and fairly generic
               sample apps (including login server)
               wrapper for Spring Security OAuth
               runs in a servlet container (e.g. tomcat)
               easy for Spring developers to install and customize
               look for UAA blogs at http://blog.cloudfoundry.org (and .com)

          UAA OAuth Implementation
          UAA makes some explicit choices where the spec allows it, and also adds some useful features:

               Client registration validation, e.g. implicit has no secret
               Client has separate allowed scopes for user tokens and client tokens (if allowed).
               User account management: groups = scopes, period-separated
               JWT tokens, signed but not encrypted, include the audience (a.k.a. resource_id)
               /userinfo endpoint for remote authentication (SSO)
               Auto-approve for client apps that are part of platform
               Special authentication channels for /authorize:
                     source=credentials - used by vmc
                     source=login - used by Login Server
                     (Login Server) autologin via code=...

          UAA Resources (Endpoints)
          Brief list of all the UAA endpoints (with valid scopes if it is an OAuth2 resource):






           OAuth2 Authorization Server: /oauth/authorize and /oauth/token
           User info endpoint (for SSO): /userinfo, scope openid
           Token decoding endpoint: /check_token
           Login info endpoint (open to anyone): /login
           SCIM user account management: /Users, scopes [scim.read, scim.write].
           Password changes: /Users/{id}/password, scope password.write

       UAA Resources (continued)
           Token management, e.g. cancelling an approval: /oauth/users/{id}/tokens and /oauth/clients/{id}/tokens,
           scopes [tokens.read, tokens.write]
           Client registration: /oauth/clients, scopes [clients.read, clients.write, clients.secret]
           Password strength meter: /password
           Management endpoints, used by the Cloud Foundry platform internally: /health and /varz


       Alternatives to OAuth2
           OAuth 1.0a
           SAML
           Custom solution, e.g. HMAC signed requests
           Extensions to OAuth2

       In Conclusion
           Lightweight services demand lightweight infrastructure
           Security is important, but should be unobtrusive
           OAuth 2.0 is a standard, and has a lot of useful features
           Spring Security OAuth aims to be a complete solution at the framework level
           Cloud Foundry UAA adds some implementation details and makes some concrete choices

       Links
           http://github.com/springsource/spring-security-oauth
           http://github.com/cloudfoundry/uaa
           http://blog.cloudfoundry.org
           http://blog.cloudfoundry.com
           http://blog.springsource.org





Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 

Recently uploaded (20)

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 

When and Why Would I use OAuth2?

OAuth2 and REST

Securing REST-ful Web Services with OAuth2
Dave Syer, 2012
Twitter: @david_syer
Email: dsyer@vmware.com

Agenda
    Why would I use OAuth2?
    If I was going to use Spring, how would that look?
    What's the easiest way to get something working?
    Blog: http://blog.cloudfoundry.org/2012/10/09/oauth-rest/

Introduction
    There is a strong trend towards distributed systems with lightweight architectures.
    So what are people doing about security in such systems?

What is a Lightweight Service?
    HTTP transport.
    Text-based message content, usually JSON.
    Small, compact messages, and quick responses.
    REST-ful, or at least inspired by REST.
    Some degree of statelessness.
    Interoperability.

What Are the Security Requirements?
Identity and permissions:
    how is identity and permission information conveyed to a service?
    how is it decoded and interpreted?
    what data are needed to make the access decision (user accounts, roles, ACLs etc.)?
    how is the data managed: who is responsible for storing and retrieving it?

HTTP Basic Authentication
    something of a lowest common denominator
    supported on practically all servers natively and out of the box
    ubiquitous support on the client side in all languages

Example:
    $ curl "https://$username:$password@myhost/resource"

So what's wrong with that?
    Nothing, but...
    Where do you get the credentials (the username and password)?
    Fine for systems where all participants can share secrets securely
    In practice that means small systems
    Only supports username/password
    Only covers authentication

User or Client Permissions
    Finer-grained information about the authenticated party
    Role-based access: very common, sometimes available in server/container
    Need to categorize user accounts, e.g. USER and ADMIN
    Often business requirements are more complex

Identity Management: Three Corners

Identity Management: Four Corners
Centralized Identity Management
    Centralized: scales better than peers sharing secrets
    Peer-to-peer: N(N-1)/2 pairs
    Centralized: N pairs
    For user accounts the scalability benefit is even bigger

OAuth2
    Centralizing accounts and secrets is great, but what about permissions?
    OAuth 2.0 adds an extra dimension: more information for the access decision
    Standards always help in security
    Lightweight: easy to curl
    Requires HTTPS for secure operation, but you can test with HTTP

Quick Introduction to OAuth2
    A Client application, often a web application, acts on behalf of a User, but with the User's approval
    Authorization Server
    Resource Server
    Client application
    Common examples of Authorization Servers on the internet:
        Facebook - Graph API
        Google - Google APIs
        Cloud Foundry - Cloud Controller

Typical Web Application Client

OAuth2 and the Lightweight Service
    Example command line Client:

    $ curl -H "Authorization: Bearer $TOKEN" https://myhost/resource

    https://myhost is a Resource Server
    $TOKEN is a Bearer Token
    it came from an Authorization Server

Role of Client Application
    Register with Authorization Server (get a client_id and maybe a client_secret)
    Do not collect user credentials
    Obtain a token (opaque) from Authorization Server
        On its own behalf - client_credentials
        On behalf of a user
    Use it to access Resource Server

Obtaining a Client Credentials Token
    A client can act in its own right (not on behalf of a user):

    $ curl "https://myclient:mysecret@uaa.cloudfoundry.com/oauth/token" -d grant_type=client_credentials -d client_id=myclient

    Result:

    {
      "access_token": "FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh",
      "expires_in": 43200,
      "client_id": "myclient",
      "scope": "uaa.admin"
    }

OAuth2 Key Features
    Extremely simple for clients
    Access tokens carry information (beyond identity)
    Resource Servers are free to interpret tokens
    Example token contents:
        Client id
        Resource id (audience)
        User id
        Role assignments

UAA Bearer Tokens
    OAuth 2.0 tokens are opaque to clients
    But they carry important information to Resource Servers
    Example of implementation (from Cloud Foundry UAA, JWT = signed, base64-encoded JSON):

    {
      "client_id": "vmc",
      "exp": 1346325625,
      "scope": ["cloud_controller.read", "openid", "password.write"],
      "aud": ["openid", "cloud_controller", "password"],
      "user_name": "vcap_tester@vmware.com",
      "user_id": "52147673-9d60-4674-a6d9-225b94d7a64e",
      "email": "vcap_tester@vmware.com",
      "jti": "f724ae9a-7c6f-41f2-9c4a-526cea84e614"
    }

Web Application Client Again
    The Client wants to access a Resource on behalf of the User
Obtaining a User Token
    A client can act on behalf of a user (e.g. authorization_code grant):

Authorization Code Grant Summary
    1. Authorization Server authenticates the User
    2. Client starts the authorization flow and obtains the User's approval
    3. Authorization Server issues an authorization code (opaque one-time token)
    4. Client exchanges the authorization code for an access token.

Role of Resource Server
    1. Extract token from request and decode it
    2. Make access control decision
        Scope
        Audience
        User account information (id, roles etc.)
        Client information (id, roles etc.)
    3. Send 403 (FORBIDDEN) if token not sufficient

Role of the Authorization Server
    1. Grant tokens
    2. Interface for users to confirm that they authorize the Client to act on their behalf
    3. Authenticate users (/authorize)
    4. Authenticate clients (/token)
    #1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).

Client Registration and Scopes
    For secure channels a client has to authenticate itself to obtain a token, so it has to be known to the Authorization Server.
    Registration provides at a minimum:
        authentication (shared secret)
        registered redirect URI (optional but essential to prevent attacks)
        allowed scopes (clients are not permitted access to all resources)
    Also useful:
        a way to identify which resources can be accessed
        ownership information (which user registered the client)

More on Scopes
    Per the spec they are arbitrary strings.
    The Authorization Server and the Resource Servers agree on the content and meanings.
    Examples:
        Google: https://www.googleapis.com/auth/userinfo.profile
        Facebook: email, read_stream, write_stream
        UAA: cloud_controller.read, cloud_controller.write, scim.read, openid
    Authorization Server has to decide whether to grant a token to a given client and user based on the requested scope (if any).

UAA Scopes
    UAA scopes are actually Groups in the User accounts
    GET /Groups, GET /Users/{id}

    {
      "id": "73ba999e-fc34-49eb-ac26-dc8be52c1d82",
      "meta": {...},
      "userName": "marissa",
      "groups": [
        ...
        {
          "value": "23a71835-c7ce-43ac-b511-c84d3ae8e788",
          "display": "uaa.user",
          "membershipType": "DIRECT"
        }
      ]
    }

Special Mention for Vmc
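The three Resource Server steps above (decode the token, decide on scope and audience, answer 403 when it is not sufficient), as an added Python example that is not code from the slides, from Spring Security OAuth or from UAA. It assumes an HMAC-SHA256 signed JWT with a constructed shared key; the `make_token`, `decode_token` and `authorize` functions and the `DEMO_CLAIMS` values (shaped like the UAA token shown earlier) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared signing key for this example; a real Resource Server would
# hold the Authorization Server's verification key, never a guessable value.
SIGNING_KEY = b"constructed-demo-signing-key"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a signed JWT the way an Authorization Server would (test helper)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Step 1: decode the token, verifying signature and expiry; ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; rejects alg=none
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise ValueError("malformed or expired claims")  # missing exp counts as expired
    return claims

def authorize(auth_header, resource_id: str, required_scope: str,
              key: bytes = SIGNING_KEY, now=None) -> int:
    """Steps 2-3: make the access decision and return the HTTP status to send."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401  # no usable bearer token
    try:
        claims = decode_token(auth_header[len("Bearer "):], key, now)
    except (ValueError, TypeError, AttributeError):
        return 401  # invalid, tampered or expired token
    if resource_id not in claims.get("aud", []):  # UAA puts aud and scope in lists
        return 403  # token was not issued for this Resource Server
    if required_scope not in claims.get("scope", []):
        return 403  # right audience, insufficient scope
    return 200

# Constructed claims shaped like the UAA token on the slides (email/jti omitted).
DEMO_CLAIMS = {
    "client_id": "vmc",
    "exp": 1346325625,
    "scope": ["cloud_controller.read", "openid", "password.write"],
    "aud": ["openid", "cloud_controller", "password"],
    "user_name": "vcap_tester@vmware.com",
}
```

Because `exp` in the sample claims is a 2012 timestamp, callers pass `now` explicitly when exercising it; in service code `now` is left at its default and the wall clock is used.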
    The UAA authenticates requests from vmc in a special way:

    $ curl https://uaa.cloudfoundry.com/oauth/authorize \
        -d response_type=token -d client_id=vmc \
        -d redirect_uri=https://uaa.cloudfoundry.com/redirect/vmc \
        -d source=credentials -d username=$username -d password=$password

    Result:

    302 FOUND
    ...
    Location: https://uaa.cloudfoundry.com/redirect/vmc#access_token=FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh...

Authentication and the Authorization Server
    Authentication (checking user credentials) is orthogonal to authorization (granting tokens)
    They don't have to be handled in the same component of a large system
    Authentication is often deferred to existing systems (SSO)
    Authorization Server has to be able to authenticate the OAuth endpoints (/authorize and /token)
    It does not have to collect credentials (except for grant_type=password)

Cloud Foundry UAA Authorization Server

Cloud Foundry Login Server
Role of Login Server
    Authenticate users and collect user approvals for OAuth2 scopes
    Send authenticated user info in trusted channel to UAA
    Maintain SSO state (e.g. session cookie)
    Branded UI
    OAuth2 endpoints: delegate (pass through) to UAA

Cloud Foundry UAA as a General Purpose Solution
    User Account and Authentication Service
    is part of Cloud Foundry open source and fairly generic
    sample apps (including login server)
    wrapper for Spring Security OAuth
    runs in a servlet container (e.g. tomcat)
    easy for Spring developers to install and customize
    look for UAA blogs at http://blog.cloudfoundry.org (and .com)

UAA OAuth Implementation
    UAA makes some explicit choices where the spec allows it, and also adds some useful features:
    Client registration validation, e.g. implicit has no secret
    Client has separate allowed scopes for user tokens and client tokens (if allowed).
    User account management: groups = scopes, period-separated
    JWT tokens, signed but not encrypted, includes audience (a.k.a. resource_id)
    /userinfo endpoint for remote authentication (SSO)
    Auto-approve for client apps that are part of platform
    Special authentication channels for /authorize:
        source=credentials - used by vmc
        source=login - used by Login Server
        (Login Server) autologin via code=...

UAA Resources (Endpoints)
    Brief list of all the UAA endpoints (with valid scopes if it is an OAuth2 resource):
    OAuth2 Authorization Server: /oauth/authorize and /oauth/token
    User info endpoint (for SSO): /userinfo, scope openid
    Token decoding endpoint: /check_token
    Login info endpoint (open to anyone): /login
    SCIM user account management: /Users, scopes [scim.read, scim.write]
    Password changes: /Users/{id}/password, scope password.write

UAA Resources (continued)
    Token management, e.g. cancelling an approval: /oauth/users/{id}/tokens and /oauth/clients/{id}/tokens, scopes [tokens.read, tokens.write]
    Client registration: /oauth/clients, scopes [clients.read, clients.write, clients.secret]
    Password strength meter: /password
    Management endpoints, used by the Cloud Foundry platform internally: /health and /varz

Alternatives to OAuth2
    OAuth 1.0a
    SAML
    Custom solution, e.g. HMAC signed requests
    Extensions to OAuth2

In Conclusion
    Lightweight services demand lightweight infrastructure
    Security is important, but should be unobtrusive
    OAuth 2.0 is a standard, and has a lot of useful features
    Spring Security OAuth aims to be a complete solution at the framework level
    Cloud Foundry UAA adds some implementation details and makes some concrete choices

Links
    http://github.com/springsource/spring-security-oauth
    http://github.com/cloudfoundry/uaa
    http://blog.cloudfoundry.org
    http://blog.cloudfoundry.com
    http://blog.springsource.org