TRANSCRIPT
Introduction to OAuth 2.0
Justin Richer, Bespoke Engineering
©2016 Bespoke Engineering LLC
APIs are meant to be used
• Much of my data and the functionality of my life is available through APIs today
• I want to have applications access my APIs
• I don't want the applications to have to impersonate me
• I don't want to share my keys with everyone
A valet key for APIs
• A valet key gives someone else limited access to a car
• What if we could do that for web APIs?
OAUTH 2.0
From the spec (RFC 6749)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
The good bits (the same definition, with the key phrases highlighted on the slide)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
In other words
OAuth 2.0 is a delegation protocol that lets people allow applications to access things (like APIs) on their behalf.
Who is involved?
(Figure: Resource Owner, Authorization Server, Protected Resource, Client)
The resource owner
• Has access to some resource or API
• Can delegate access to that resource or API
• Usually has access to a web browser
• Usually is a person
The protected resource
• Web service (API) with security controls
• Protects things for the resource owner
• Shares things on the resource owner's request
The client application
• Wants to access the protected resource
• Does things on the resource owner's behalf
• Could be a web server
  – But it's still a "client" in OAuth parlance
  – Could also be a native app or JS app
What are we trying to solve?
The Goal: Give the client access to the protected resource on behalf of the resource owner.
(Figure: Resource Owner, Client, Protected Resource; no authorization server yet)
Introducing the Authorization Server (AS)
(Figure: Resource Owner, Authorization Server, Protected Resource, Client)
The Authorization Server gives us a mechanism to bridge the gap between the client and the protected resource.
The Authorization Server
• Generates tokens for the client
• Authenticates resource owners (users)
• Authenticates clients
• Manages authorizations
OAuth Tokens
• Represent granted delegated authorities
  – From the resource owner to the client for the protected resource
• Issued by authorization server
• Used by client
  – Format is opaque to clients
• Consumed by protected resource
Example OAuth Tokens (a hex string, a UUID, a JWT and a word list: the format is the authorization server's choice, and the client treats all of them the same way)
• 92d42038006dba95d0c501951ac5b5eb
• 2df029c6-b38d-4083-b8d9-db67c774d13f
• eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
• waterbuffalo-elephant-helicopter-argument
The OAuth approach at the AS
• Client authenticates for itself
• User authorizes client to act on user's behalf
• Server generates a token to represent that authorization
• Client presents that token to gain access
You've used OAuth
The pieces of OAuth
(Figure: Resource Owner, Client, Authorization Server, Protected Resource, and the Access Token passed between them)
THE AUTHORIZATION CODE FLOW
A deep dive into the canonical OAuth 2.0 transaction
The authorization code flow
(Figure: Resource Owner, Authorization Server, Protected Resource, Client)
TWO FORMS OF COMMUNICATION
The front channel
The front channel uses HTTP redirects through the web browser, with no direct connection between the client and the authorization server.
The back channel
The back channel uses direct HTTP connections between components; the browser is not involved.
THE AUTHORIZATION CODE FLOW
Step by step
Authorization Code: Step 1 (front channel)
Client redirects the resource owner to the authorization server.
Authorization Code: Step 2
Resource owner authenticates to the authorization server.
Authorization Code: Step 3
Resource owner authorizes the client (the authorization server asks the resource owner whether to allow the request).
A layered trust model
• Whitelist: internal parties, known business partners, customer organizations, trust frameworks
  – Centralized control
  – Traditional policy management
• Greylist: unknown entities, Trust On First Use
  – End user decisions
  – Extensive auditing and logging
  – Rules on when to move to the white or black lists
• Blacklist: known bad parties, attack sites
  – Centralized control
  – Traditional policy management
Authorization Code: Step 4 (front channel)
Authorization server redirects the resource owner back to the client with an authorization code.
Authorization Code: Step 5 (back channel)
Client sends the authorization code back to the authorization server along with its own credentials.
Authorization Code: Step 6 (back channel)
Authorization server issues an OAuth token to the client.
Authorization Code: Step 7 (back channel)
Client accesses the protected resource using the access token.
Interpreting the token
• The client never knows or cares what's in the token itself
• The resource server needs to understand what's in the token
  – Who it's issued for
  – What it's good for
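The seven steps above, plus the resource server's interpretation of the token, as an added example that is not part of the deck. The authorization server, the confidential client and the protected resource are all simulated in one Python process; the client id, client secret, redirect URI, user "alice", scope and hostnames are constructed for the example. The checks that matter in practice are the ones the slides imply: the redirect URI must match the registered one, the client authenticates on the back channel, a code is single use, the client binds the callback to its session with state, and the client never looks inside the token.

```python
# Added example (not from the deck): a toy authorization code flow with the
# authorization server (AS), a confidential client and the protected resource
# all simulated in one process. Client id, secret, URLs, user and scope are
# constructed for the example.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# --- Authorization server state (constructed registration data) ---
CLIENTS = {
    "photo-printer": {
        "secret": "printer-secret-42",                       # constructed
        "redirect_uri": "https://printer.example/callback",  # pre-registered
    },
}
USERS = {"alice": "correct horse battery staple"}            # constructed
CODES = {}   # authorization code -> what it was issued for (single use)
TOKENS = {}  # access token -> delegated authority; opaque to the client


def as_authorize(client_id, redirect_uri, scope, state, username, password, approved):
    """Front channel (steps 1-4): the AS authenticates the resource owner,
    records consent and redirects back to the REGISTERED redirect_uri."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        # Never redirect to an unregistered URI: the code would leak to an attacker.
        raise ValueError("unknown client or redirect_uri mismatch")
    if USERS.get(username) != password:
        raise PermissionError("resource owner authentication failed")
    if not approved:
        return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": username, "scope": scope}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def as_token(grant_type, client_id, client_secret, code=None, redirect_uri=None, scope=None):
    """Back channel (steps 5-6): the client authenticates itself, then trades the
    code for a token; with client_credentials it trades only its own credentials."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    if grant_type == "authorization_code":
        grant = CODES.pop(code, None)  # single use: a replayed code must fail
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        authority = {"sub": grant["user"], "client_id": client_id, "scope": grant["scope"]}
    elif grant_type == "client_credentials":
        # No resource owner involved: the token represents the client itself.
        authority = {"sub": client_id, "client_id": client_id, "scope": scope or ""}
    else:
        raise ValueError("unsupported_grant_type")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = authority
    return {"access_token": token, "token_type": "Bearer"}


def resource_get_photos(authorization_header):
    """Step 7: the protected resource resolves the opaque token (a lookup here;
    token introspection or a parseable token in practice) and checks scope."""
    scheme, _, token = authorization_header.partition(" ")
    authority = TOKENS.get(token) if scheme == "Bearer" else None
    if authority is None:
        raise PermissionError("invalid_token")
    if "photos:read" not in authority["scope"].split():
        raise PermissionError("insufficient_scope")
    return {"owner": authority["sub"], "photos": ["beach.jpg", "cat.jpg"]}


def run_authorization_code_flow():
    """The client's side of steps 1-7. Returns the resource response and the
    (now consumed) code so a caller can show that replaying it is rejected."""
    client_id = "photo-printer"
    redirect_uri = CLIENTS[client_id]["redirect_uri"]
    state = secrets.token_urlsafe(16)  # ties the callback to this client session
    # Step 1: the client would send the browser to this URL.
    auth_url = "https://as.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "photos:read", "state": state})
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    # Steps 2-4 happen at the AS in the browser; they end with a redirect back.
    callback = as_authorize(q["client_id"], q["redirect_uri"], q["scope"], q["state"],
                            "alice", USERS["alice"], approved=True)
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if cb.get("state") != state:
        raise PermissionError("state mismatch: possible CSRF or mixed-up callback")
    # Steps 5-6: back channel, authenticated with the client's own credentials.
    resp = as_token("authorization_code", client_id, CLIENTS[client_id]["secret"],
                    code=cb["code"], redirect_uri=redirect_uri)
    # Step 7: the client never inspects the token, it just presents it.
    return resource_get_photos("Bearer " + resp["access_token"]), cb["code"]


def run_client_credentials_flow():
    """Back channel only: the client acts on its own behalf (no resource owner)."""
    resp = as_token("client_credentials", "photo-printer", "printer-secret-42",
                    scope="photos:read")
    return resource_get_photos("Bearer " + resp["access_token"])


if __name__ == "__main__":
    print(run_authorization_code_flow()[0])
    print(run_client_credentials_flow())
```

The same token endpoint also serves the client credentials grant from the backup slides, which is why run_client_credentials_flow() fits in a few lines: the difference is only that no resource owner and no front channel are involved, so the token's subject is the client itself.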
Thank You
BACKUP SLIDES
Here there be dragons
OTHER WAYS TO DO OAUTH 2.0
The implicit flow
(Figure: Resource Owner, Authorization Server, Protected Resource, Client inside the browser)
Implicit grant type uses only the front channel since the client is inside the browser. (Since this 2016 deck, the OAuth 2.0 Security Best Current Practice has recommended against the implicit grant; in-browser clients should use the authorization code flow with PKCE instead.)
The client credentials flow
(Figure: Authorization Server, Protected Resource, Client; no resource owner)
Client credentials grant type: the client trades its own credentials for a token, using only the back channel since the client is acting on its own behalf.
The resource owner password flow
(Figure: the resource owner hands credentials to the Client, which talks to the Authorization Server and Protected Resource)
Resource owner credentials grant type: the client trades the user's username and password for an OAuth token over the back channel. (The client sees the user's password, which is exactly what OAuth set out to avoid; the OAuth 2.0 Security Best Current Practice now recommends against this grant.)
The assertions flows
(Figure: Assertion provider, Client, Authorization Server, Protected Resource)
Client trades a cryptographically protected element (assertion) for a token.
Different use cases
• Authorization code flow: web applications, some native applications
• Implicit flow: in-browser applications
• Client credentials flow: non-interactive
• Password flow: trusted legacy clients
• Assertion flows: trust frameworks
How to choose a flow
Choose the appropriate OAuth grant type for the type of application you're building. The decision tree on the slide asks:
• Is the client acting on behalf of a resource owner?
  – Yes: Can the resource owner interact with a web browser while using the client?
    · Yes: Is the client running completely inside of a web browser? Yes: Implicit. No: Authorization Code.
    · No: Does the user have a simple set of credentials like a password? Yes: Resource Owner Credentials.
  – No: Is the client acting on its own behalf? Yes: Client Credentials.
    · No: Is the client acting on behalf of a third party authority? Yes: Assertion.
CAN WE BUILD AUTHENTICATION ON OAUTH?
How can we split the network?
(Figure, "OAuth Sign-In": the Resource Owner is the User, the Authorization Server is the Identity Provider, the Client is the Relying Party, and the Protected Resource sits with the Identity Provider. The security domain boundary is crossed.)
A better way to split the network
(Figure: the Identity Provider is the Authorization Server plus the Protected Resource; the Relying Party is the Client; Sign-In rides on top of OAuth. The security domain boundary is preserved.)
That works!
• We're using OAuth to protect the identity
• The client consumes the identity
Authorization is Chocolate
• Good on its own
• Great as part of a larger recipe
• Many different recipes can use it
Authentication is Fudge
• Confection with several ingredients
• Tends to have one flavor as the most obvious
• Could be made using chocolate
  – But not required
Agreeing on a recipe
• Let's make a recipe for chocolate fudge:
  – Standard authentication protocol
  – Built on top of standard authorization protocol
  – Interoperable cross domain
OpenID Connect
• IdP offers interactive OAuth flows
• ID Token carries authentication information
  – Formatted as a JWT
  – Audience is the client, not the resource
• UserInfo Endpoint
  – Standard set of claims and scopes
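The two sign-in slides and the OpenID Connect slide come down to one check: the relying party must only trust a token whose audience is the client itself. The following is an added example, not code from the deck: a minimal HS256 JWT signer and verifier, the relying party's ID Token checks, and a demonstration that an access token minted for the protected resource is rejected when presented as a login. The issuer, client id, key, nonce and claims are constructed; HS256 with a shared key is used only to keep the example self-contained, whereas real identity providers normally sign ID Tokens with RS256 or ES256 keys published at a JWKS endpoint. The deck's own example JWT is decoded without verification, since its signing key is not on the slide.

```python
# Added example (not from the deck): relying-party checks on an OpenID Connect
# ID Token, and why an OAuth access token cannot stand in for one. Issuer,
# client id, key, nonce and claims are constructed; HS256 is used only to keep
# the example self-contained (real IdPs normally use RS256/ES256 with a JWKS).
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example"            # constructed
CLIENT_ID = "photo-printer"               # constructed
KEY = b"constructed-shared-key-not-real"  # constructed
NOW = 1_700_000_000                       # fixed clock so the example is deterministic
NONCE = "constructed-nonce-1"             # the relying party generated this at login time
# The deck's example JWT; decoded below WITHOUT verification (its key is not on the slide).
DECK_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
            "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT the way the (toy) identity provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def peek_claims(token: str) -> dict:
    """Decode WITHOUT verifying: fine for looking, never for trusting."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature and return the claims, pinning the expected algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """The relying party's checks on an ID Token (abridged from OpenID Connect Core)."""
    claims = verify_hs256(token, key)
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # the ID Token's audience is the client, not the resource
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


# What the toy IdP issues at sign-in: an ID Token addressed to the client...
ID_TOKEN = sign_hs256({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                       "exp": NOW + 300, "iat": NOW, "nonce": NONCE}, KEY)
# ...and an access token whose audience is the protected resource, not the client.
ACCESS_TOKEN = sign_hs256({"iss": ISSUER, "sub": "alice", "aud": "https://userinfo.example",
                           "exp": NOW + 300, "scope": "openid profile"}, KEY)


def who_signed_in() -> str:
    return validate_id_token(ID_TOKEN, KEY, ISSUER, CLIENT_ID, NONCE, NOW)["sub"]


def access_token_accepted_as_login() -> bool:
    """Treating an access token as proof of identity (naive 'OAuth sign-in') must fail."""
    try:
        validate_id_token(ACCESS_TOKEN, KEY, ISSUER, CLIENT_ID, NONCE, NOW)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(who_signed_in(), access_token_accepted_as_login(), peek_claims(DECK_JWT)["sub"])
```

The access token is rejected before its scope is even looked at, because its aud names the resource rather than the client; that is the boundary the "better way to split the network" slide preserves. Pinning alg and checking exp and nonce are the other checks the relying party owns, and none of them can be skipped just because the token came back over the back channel.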
USER MANAGED ACCESS
Person to person delegation
• OAuth lets Alice share with herself
• UMA lets Alice share with Bob
  – Bob is the "Requesting Party (RqP)" to Alice's "Resource Owner (RO)"
  – Alice can set policies ahead of time
User Managed Access
(Figure: Resource Owner, Requesting Party, Client, Protected Resource, and an Authorization Server exposing a Protection API and an Authorization API)
Wide ecosystem benefits
• Alice can introduce a new resource to her AS
• The resource server can manage its access using this AS and its tokens
Reference book for OAuth 2
• OAuth 2 In Action
• First 9 chapters available today, more coming soon
• Out this spring/summer
https://manning.com/books/oauth-2-in-action