Introduc^On to Oauth

Introduc^On to Oauth

Introduc)on to OAuth 2.0 Jus)n Richer ©2016 Bespoke Engineering LLC Bespoke Engineering 1 APIs are meant to be used • Much of my data and the func)onality of my life is available through APIs today • I want to have applicaons access my APIs • I don’t want the applicaons to have to impersonate me ©2016 Bespoke Engineering LLC • I don’t want to share my keys with everyone 2 A valet key for APIs • A valet key gives someone else limited access to a car • What if we could do that for web APIs? ©2016 Bespoke Engineering LLC 3 OAUTH 2.0 ©2016 Bespoke Engineering LLC 4 From the spec (RFC6749) The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its ©2016 Bespoke Engineering LLC own behalf. 5 The good bits The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its ©2016 Bespoke Engineering LLC own behalf. 6 In other words OAuth 2.0 is a delegation protocol that lets people allow applications to access things (like APIs) on their behalf. ©2016 Bespoke Engineering LLC 7 Who is involved? Resource Authorization Owner Server ©2016 Bespoke Engineering LLC Client Protected Resource 8 The resource owner • Has access to some resource or API • Can delegate access to that resource or API • Usually has access to a web browser • Usually is a person ©2016 Bespoke Engineering LLC 9 The protected resource • Web service (API) with security controls • Protects things for the resource owner • Shares things on the resource owner’s request ©2016 Bespoke Engineering LLC 10 The client applicaon • Wants to access the protected resource • Does things on the resource owner’s behalf • Could be a web server – But it’s s)ll a “client” in OAuth parlance – Could also be a nave app or JS app ©2016 Bespoke Engineering LLC 11 What are we trying to solve? The Goal: Resource Owner Give the client access to the protected resource on behalf of the resource owner. ©2016 Bespoke Engineering LLC Client Protected Resource 12 Introducing the Authorizaon Server (AS) The Authorization Server gives us a mechanism to Resource Authorization Owner bridge the gap between Server the client and the protected resource ©2016 Bespoke Engineering LLC Client Protected Resource 13 The Authorizaon Server • Generates tokens for the client • Authen)cates resource owners (users) • Authen)cates clients • Manages authorizaons ©2016 Bespoke Engineering LLC 14 OAuth Tokens • Represent granted delegated authori)es – From the resource owner to the client for the protected resource • Issued by authorizaon server • Used by client – Format is opaque to clients ©2016 Bespoke Engineering LLC • Consumed by protected resource 15 Example OAuth Tokens • 92d42038006dba95d0c501951ac5b5eb • 2df029c6-b38d-4083-b8d9-db67c774d13f • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiO iIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiw iYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RM HrHDcEfxjoYZgeFONFh7HgQ ©2016 Bespoke Engineering LLC • waterbuffalo-elephant-helicopter-argument 16 The OAuth approach at the AS • Client authen)cates for itself • User authorizes client to act on user’s behalf • Server generates a token to represent that authorizaon • Client presents that token to gain access ©2016 Bespoke Engineering LLC 17 You’ve used OAuth ©2016 Bespoke Engineering LLC 18 The pieces of OAuth Resource Authorization Owner Server Access Token ©2016 Bespoke Engineering LLC Client Protected Resource 19 THE AUTHORIZATION CODE FLOW A deep dive into the canonical OAuth 2.0 transac)on ©2016 Bespoke Engineering LLC 20 The authorizaon code flow Resource Authorization Owner Server ©2016 Bespoke Engineering LLC Client Protected Resource 21 TWO FORMS OF COMMUNICATION ©2016 Bespoke Engineering LLC 22 The front channel Resource Front channel uses Authorization Owner HTTP redirects through Server the web browser, no direct connections ©2016 Bespoke Engineering LLC Client Protected Resource 23 The back channel Back channel uses direct HTTP connections between components, the browser is not involved Resource Authorization Owner Server ©2016 Bespoke Engineering LLC Client Protected Resource 24 THE AUTHORIZATION CODE FLOW Step by step ©2016 Bespoke Engineering LLC 25 Authorizaon Code: Step 1 Resource Client redirects the Authorization Owner resource owner to the Server authorization server ©2016 Bespoke Engineering LLC Client Protected Resource 26 Authorizaon Code: Step 2 Resource Resource owner Authorization Owner authenticates to the Server authorization server ©2016 Bespoke Engineering LLC Client Protected Resource 27 Authorizaon Code: Step 3 ? Resource Resource owner Authorization Owner authorizes the client Server ©2016 Bespoke Engineering LLC Client Protected Resource 28 A layered trust model • Centralized control Whitelist • Traditional policy management Internal parties Known business partners Customer organizations Trust frameworks • End user decisions Greylist • Extensive auditing and logging • Rules on when to move to the Unknown entities white or black lists Trust On First Uuse • Centralized control Blacklist • Traditional policy management Known bad parties ©2016 Bespoke Engineering LLC Attack sites 29 Authorizaon Code: Step 4 Resource Authorization server Authorization Owner redirects resource owner Server back to the client with an authorization code ©2016 Bespoke Engineering LLC Client Protected Resource 30 Authorizaon Code: Step 5 Client sends the authorization code back to the authorization server along with its own credentials Resource Authorization Owner Server ©2016 Bespoke Engineering LLC Client Protected Resource 31 Authorizaon Code: Step 6 Authorization server issues OAuth token to the client Resource Authorization Owner Server ©2016 Bespoke Engineering LLC Client Protected Resource 32 Authorizaon Code: Step 7 Resource Client accesses the Authorization Owner protected resource using Server the access token ©2016 Bespoke Engineering LLC Client Protected Resource 33 Interpre)ng the token • The client never knows or cares what’s in the token itself • The resource server needs to understand what’s in the token – Who it’s issued for ©2016 Bespoke Engineering LLC – What it’s good for 34 Thank You ©2016 Bespoke Engineering LLC 35 BACKUP SLIDES Here there be dragons ©2016 Bespoke Engineering LLC 36 OTHER WAYS TO DO OAUTH 2.0 ©2016 Bespoke Engineering LLC 37 The implicit flow Resource Client Inside Authorization Owner the Browser Server Implicit grant type uses only the front channel since the client is inside the browser ©2016 Bespoke Engineering LLC Protected Resource 38 The client creden)als flow Client credentials grant type: Client trades its own credentials for a token, uses only the back channel since the client is acting on its own behalf Authorization Server ©2016 Bespoke Engineering LLC Client Protected Resource 39 The resource owner password flow Resource owner credentials grant type: Client trades username and password for an OAuth token over the back channel Resource Authorization Owner Server ? ©2016 Bespoke Engineering LLC Client Protected Resource 40 The asser)ons flows Client trades a cryptographically protected element (assertion) for a token Assertion provider Authorization Server ©2016 Bespoke Engineering LLC Client Protected Resource 41 Different use cases • Authorizaon code flow: web applicaons, some nave applicaons • Implicit flow: in-browser applicaons • Client creden)als flow: non-interac)ve • Password flow: trusted legacy clients ©2016 Bespoke Engineering LLC • Asser)on flows: trust frameworks 42 How to choose a flow Is the client acting on Can the resource owner Is the client running Yes Yes Yes behalf of a resource interact with a web browser completely inside of a owner? while using the client? web browser? Implicit No No Does the user have a simple set of credentials No like a password? Authorization Yes Code Resource Owner Credentials Choose the appropriate Is the client acting Client on its own behalf? Yes Credentials OAuth grant type for No the type of application Is the client acting on Yes you’re building ©2016 Bespoke Engineering LLC behalf of a third party authority? Assertion 43 CAN WE BUILD AUTHENTICATION ON OAUTH? ©2016 Bespoke Engineering LLC 44 How can we split the network? Security Domain Boundary Security Resource Client Protected Authorization Owner Resource Server OAuth Sign-In The security domain boundary is crossed User Relying Party ©2016 Bespoke Engineering LLC Identity Provider 45 A bemer way to split the network Security Domain Boundary Security + Resource Client Protected Authorization Owner Resource Server OAuth Sign-In The security domain boundary is preserved User Relying Party ©2016 Bespoke Engineering LLC Identity Provider 46 That works! • We’re using OAuth to protect the iden)ty • The client consumes the iden)ty ©2016 Bespoke Engineering LLC 47 Authorizaon is Chocolate • Good on its own • Great as part of a larger recipe • Many different recipes can use it ©2016 Bespoke Engineering LLC 48 Authen)caon is Fudge • Confec)on with several ingredients • Tends to have one flavor as the most obvious • Could be made using chocolate – But not required ©2016 Bespoke Engineering LLC 49 Agreeing on a recipe • Let’s

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    56 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us