i/o preso: openid and oauth for google apps - chrome browser

103

Upload: others

Post on 12-Sep-2021

15 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser
Page 2: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OpenID Single Sign On andOAuth Data Access for Google AppsRyan Boyd @ryguyrgDave PrimmerMay 2010

Page 3: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Why?

Page 4: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

View live notes and questions about this session on Google Wave:

http://bit.ly/magicwave

Page 5: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Agenda

TerminologyHistoryOpen Protocols

OpenID user authenticationOAuth data accessHybrid authentication + data access

Google Apps MarketplaceCase Study - Evolution of 'SaaSy Payroll'Q&A

Page 6: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy Payroll

Page 7: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy Payroll

Fictitious app for handling the payroll of SMBsUsed by smart-lawfirm.com for their payroll

Page 8: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Terminology

Page 9: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Authentication and Authorization

AuthenticationGoal: Secure knowledge of the identity of the user

AuthorizationGoal: Appropriate access to resources, such as Google Data APIs (Calendar, Contacts, Docs, etc)

Page 10: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History

Page 11: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2001-2005)

Page 12: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 13: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 14: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 15: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 16: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 17: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 18: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

History (2006-2010)

Page 19: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OpenID Federated Identity

Page 20: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

What do we mean by Federated Identity?

Web applications (relying parties) accept the assertion of identity from identity providers, such as Google and Yahoo.

Page 21: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

What information does OpenID provide an app?

Identity of the user:http://smart-lawfirm.com/openid?id=0123456789Static each time the user visits the relying party web application

Page 22: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

"OpenID is a safe, faster, and easier way to log in to web sites."

openid.net

Page 23: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Safe, Faster and Easier

SafeThe user only enters their credentials one place: on the website of their OpenID provider

FasterThe user is often already logged into their OpenID provider

EasierThe user no longer needs to create and maintain a new account and credentials on every web site

Page 24: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Discovery: Determining the OpenID provider for a user.

Page 25: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OpenID Login Options

Page 26: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OpenID Login Options

http://www.google.com/accounts/o8/id

Page 27: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Improved UX

Page 28: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OpenID Demo with a Gmail account

Page 29: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

But... what if you want to use an OpenID on your own domain without a complicated URL to

remember?

Page 30: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Ideal User Experience: WebFinger

Page 31: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Accounts versus Google Apps accounts

Page 32: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Login

Page 33: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Discovering the OpenID Provider

Page 34: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Format of the OpenID Identity

Google consumer account (including Gmail accounts):https://www.google.com/accounts/o8/id?id=AItOawlTW-qs7L-bpYc0oxROHDQaFmQHyGRnaLM

Google Apps account:http://smart-lawfirm.com/openid?id=0123456789

Page 35: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Supported Extensions

Provider Auth Policy Extension (PAPE)Allows a relying party to ask for security restrictions

OpenID User Interface ExtensionEnables pop-up UI

OAuth HybridEnables getting both the user's identity and access to some of the user's data

Attribute Exchange (AX)Provides additional info about the user

Page 36: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Attribute Exchange (AX)

Remember, without AX we only get a URI:http://smart-lawfirm.com/openid?id=0123456789We want more information to improve the user experience

First NameLast NameE-mail AddressLanguage

Page 37: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Attribute Exchange (AX) Trust

Don't trust attributes without verificationWhitelist trusted IDPsSame-origin policy for emailOne-time confirmation messages

Page 38: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

How it's done - OpenID Federated Identity

Page 39: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Welcome Bob!ryan@smart-lawfir

***********

Sounds complicated, but not hard in practice!

OpenID Federated Identity

Page 40: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Language Libraries

Java OpenID4Java, Step2

.NET DotNetOpenAuth

PHP php-openid, php-openid-apps-discovery

Ruby ruby-openid,ruby-openid-apps-discovery

Any RPX, Ping Identity

OpenID Libraries

Page 41: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Data Access

Page 42: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Terms

Protected Resourceresides on serverrequires authorization

Page 43: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Terms

Protected Resourceresides on serverrequires authorization

Resource Ownerowns protected resourceapproves access

Page 44: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Terms

Protected Resourceresides on serverrequires authorization

Resource Ownerowns protected resourceapproves access

Serverreceives http request

Page 45: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Terms

Protected Resourceresides on serverrequires authorization

Resource Ownerowns protected resourceapproves access

Serverreceives http request

Clientmakes http request

Page 46: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Old OAuth Terminology

Pre 2009 Current

Consumer Client

Service Provider Server / Protected Resource

User User / Resource Owner

More Info: The Authoritative Guide to OAuth 1.0

Now, with more RFC! http://www.rfc-editor.org/info/rfc5849

Page 47: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth Components

Key ManagementEstablishes trust between client and server

Access ControlGrants done per-user, or for a whole Google Apps domain.

Page 48: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Basic steps to use OAuth

Step 1 Client Registration <- Key Management

Step 2 Resource owner grant <- Access Control

Step 3 Client Application Accesses resource

Page 49: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy App - www.saasyapp.com

Page 50: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy App - www.saasyapp.com

Page 51: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Getting your OAuth client key and secret

Step 1 - For the Developer:

Page 52: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

A Google Client App Registration Page

Page 53: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Access Control

Step 2 - For the Resource Owner:

Page 54: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Two types of Access Control

Resource Owner: An entity capable of approving access to a protected resource.

Sometimes the resource owner is not the same as the user

Consumer Business

Individual User is Resource Owner

Company Admin is Resource Owner

Page 55: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Two types of Access Control

Consumer Business

Individual User is Resource Owner

Company Admin is Resource Owner

Three-LeggedOAuth

Two-LeggedOAuth

Page 56: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Two types of Access Control

Authorization using browser redirection

Requests pre-authorized for a group of users

Individual prompted User not prompted

Three-LeggedOAuth

Two-LeggedOAuth

Page 57: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Manage OAuth Client Data Access

Approval for a group of users:

Page 58: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Administrator Access Control

Page 59: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Administrator Access Control

Page 60: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Administrator Access Control

Page 61: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Administrator Access Control

Page 62: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Demo: Two-Legged OAuth cURL

Step #3 Access the resource

Page 63: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Two-Legged OAuthWhat is it?

An authenticated HTTP request. Very much like HTTP Digest Auth.

Client has a role account name and password:consumer_key -> account nameconsumer_secret -> password

Request param to indicate the [email protected]

Some request attributes are bundled up and signed in a standard way. That's it.

Page 64: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Two-Legged OAuthWhy?

You don't want to bother the user with approval

The common Enterprise IT scenario

Server to Server -- no browser involved

Main trust relationship:Resource Owner (admin) tells the Server, via ACL to trust the clientPermission stored in server ACL, not a token

Page 65: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Three-legged OAuth

The "other" style of authorization

Page 66: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Three-Legged OAuthWhat is it?

Describes the access control delegation to a Client by a Resource Owner

Redirection-Based AuthorizationThe authorization flow is what most people think of when they talk about OAuth. It is the process in which the user's browser is redirected to the server to approve access

Page 67: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Three-Legged OAuthWhat is it?

Adds an Access Token to the 2LO request during data access that identifies the permission granted.

"Joe gives the SaaSy Payroll client permission to write to Joe's Google Calendar."

oauth_token=1%2FSTnrUiu8N4OQvrwEpsltnpYwFX5an2j2i-VAK5l_3No

Page 68: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy App - www.saasyapp.com

Page 69: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

SaaSy App - www.saasyapp.com

Page 70: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Authorization by Resource Owner

Page 71: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Authorization by Resource Owner

Page 72: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Three-Legged OAuthWhy?

Appropriate for access grant by individual user(Also works for Apps users)

User identity is opaque to client application

Main trust relationship:User is the Resource Owner and trusts the client app with an Access Token

Page 73: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

OAuth 2

Already? Why?Make it IETF standardAdd new use casesAvoid crypto!

OAuth 1 + WRAP = OAuth 2

Facebook has working OAuth 2 prototypes, Microsoft Azure and Google have WRAP prototypes.

http://tools.ietf.org/html/draft-ietf-oauth-v2

Page 74: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Hybrid OpenID + OAuth

Page 75: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Hybrid OpenID + OAuth

Identity and Data Access in 1 step

Google Calendar

Page 76: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Hybrid OpenID + OAuth

Page 77: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Google Apps Marketplace

Page 78: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: Simple installation flow

Page 79: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: True Single Sign On

SaaSy PayrollVideo

Groups

Page 80: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: True Single Sign On

Page 81: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: True Single Sign On

Page 82: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: 2-legged OAuth access to Data APIs

Page 83: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: 2-legged OAuth access to Data APIsConsumer Key and Secret available in the Marketplace

Page 84: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Features: 2-legged OAuth access to Data APIsConsumer Key and Secret available in the Marketplace

Page 85: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Summary of Protocols

Page 86: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Summary of ProtocolsClientLogin Don't use for new apps

AuthSub Don't use for new apps

3-Legged OAuth Access data for individual users

2-Legged OAuth Access data for an entire Google Apps domain

OpenID Access a user's identity. Can be used for Gmail

OpenID with Google Apps

extensions

Access a user's identity for Google Apps accounts

OpenID / OAuth Hybrid

On-board new users and get their data in one step

Page 87: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of an Integrated App

Page 88: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

email [email protected] AxNAAFSnz

Page 89: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Page 90: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

email password [email protected] AxNAAFSnz ZD1FNKL4

Page 91: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Page 92: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

email password openid [email protected] AxNAAFSnz ----- ZD1FNKL4

[email protected] ----- http://goo.com/1234 JFNB2ANS

Page 93: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Page 94: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

email password openid token type [email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----

[email protected] ----- http://goo.com/1234 JFNB2ANS AS ----

[email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f

Page 95: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Page 96: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

email password openid token type [email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----

[email protected] ----- http://goo.com/1234 JFNB2ANS ---- ----

[email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f

kim@smart-lawfi ---- http://smb.com/123 ----- 2LO ----

ryan@smart-law ---- http://smb.com/456 ----- 2LO ----

dmb@smart-law ---- http://smb.com/789 ----- 2LO ----

Page 97: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Page 98: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Evolution of 'SaaSy Payroll'

Improved User ExperienceEasier on-boarding of usersAccess granted by appropriate resource owners

Access to over 2 million businessesMultiple code paths

Page 99: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Resources

Page 100: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Resources

Google Apps Marketplace:http://developer.googleapps.com/marketplaceTechnical docs on Google Apps:http://code.google.com/googleapps/Technical docs on OpenID and OAuth:http://code.google.com/apis/accounts/OAuth Playground:http://www.googlecodesamples.com/oauth_playground

Page 101: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Q & A

Page 102: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Ask your questions on Google Wave:http://bit.ly/magicwave

Page 103: I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser