oauth 2.0 in depth
DESCRIPTION
This presentation talks about Why OAuth 2.0 came into picture, What it is, How to use it Shows practical example of OAuth 2.0 on Facebook and Google It also talks about OpenID History, how it is different than OAuth. The next steps in OpenID that is OpenID Connect (in theory)TRANSCRIPT
OAuth 2.0 in Depth
By Rohit GhatolDirector @ Synerzip
Passionate about TechNext
Why study about OAuth?
Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
Do you care about these or Similar Sites?
Browser
Mashups
LinkedInFoursquare
Http Access
Api Access
Security
Closed ClosedOpen
Authentication Authorization
OAuth In a Nut ShellCan I have your
Debit Card and ATM Pin?
OAuth In a Nut ShellCan I have your
Credit Card?
OAuth Practical Example
Without OAuth
Without OAuth
Without OAuth
Lets Start Again
With OAuth
With OAuth
With OAuth
With OAuth
Lets get Technical
Why OAuth is required?
• What are limitations with Passwords?– Trust – User not trusting– More Access than required– No Support for Granular permissions– Phishing – Helping Phishing activities– Lower Reliability to API interfaces– Unable to revoke access once provided
Why OAuth is required?
• OAuth is required for Delegating Access– To Certain Party– For Certain Resource– For Limited Time– Which can be selectively be revoked
Understand OAuth Roles
Roles
• Resource Owner – e.g Picasa User• Resource Server – e.g Picasa Hosting• Client – e.g Mashup built for Picasa• Authorization Server – e.g Google Auth Server
Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user
Resource Server
• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client
• An application making protected resource requests on behalf of the resource owner and with its authorization.
Authorization Server
• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Client
Resource Owner
Authorization Server
Resource Server
Authorization Request
Authorization Grant
Authorization Grant
Access Token
Access Token
Protected Resource
Protocol Flow
Pre Requisite for OAuth
• Register Application with OAuth Provider– Facebook
• https://developers.facebook.com/apps
– Google• https://code.google.com/apis/console/b/0/?pli=1#
access
– Twitter• https://dev.twitter.com/apps/new
– LinkedIn• https://www.linkedin.com/secure/developer?newapp=
Pre Requisite for OAuth
• This will give you two essential things– client_id– client_secret– Redirect_uri
Tools used to try OAuth
Different ways to Do OAuth
Grant Types
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
Client
Resource Owner
Authorization Server
Resource Server
Authorization Request
Authorization Grant
Authorization Grant
Access Token
Access Token
Protected Resource
Protocol Flow
ClientAuthorization
ServerResource
Server
Access Grant & Client Credentials
Access Token & Refresh Token
Access Token
Protected Resource
Protocol Flow
Access Token
Invalid Token Error
Refresh Token & Client Credentials
Access Token & Optional Refresh Token
Live Example Facebook
Step 1 – Get Authorization Code
Understanding the URL
• client_id – The ID of the Client App• redirect_uri – Where to go back after OAuth• scope – Permissions allowed by User• state – Something to pass back to redirect_uri
State which we sent
Authorization Grant Code which needs to be exchanged for Access
Token
Step 2 – Exchange to get Access Code
Important Note
• This Step is to performed at the Server Side. • Why?• Because you need to use your Client ID and
Client Secret along side the Authorization Code you just received to gain an Access Code
• Access Code is required to gain access to protected resources
Understanding the URL
• client_id – The ID of the Client App• client_secret– The Secret of the Client App• redirect_uri– The Registered redirect_uri• code– Authorization Grant Code
Step 3 – Access Protected Resource
Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies
2. Also position as a Query Parameter
Facebook Protected Resource
Facebook Protected Resource
Live Example Google
Step 1 – Get Authorization Code
Understanding the URL
• client_id – The ID of the Client App• redirect_uri – Where to go back after OAuth• scope – Permissions allowed by User• state – Something to pass back to redirect_uri• response_type = “code” means authorization
code• access_type = “offline” to get access to the
“refresh_token”
State which we sent
Authorization Grant Code which needs to be exchanged for Access
Token
Step 2 – Exchange to get Access Code
Step 3 – Access Protected Resource
Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies
2. Also position as a Query Parameter
Google Protected Resource
What happens when access token expires?
Use Refresh_Token to Issue Access_Token
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
Grant Types
Client
Resource Owner
Resource Server
Authorization Request
Access Token
Access Token
Protected Resource
Protocol Flow
Live Example Facebook
Step 1 – Get Access Code
Step 1 – Get Access Code
See you directly got the access code
Step 2 – Access Protected Resource
Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies
2. Also position as a Query Parameter
Facebook Protected Resource
Facebook Protected Resource
Live Example Google
Step 1 – Get Access Code
Step 1 – Get Access Code
Step 1 – Get Access Code
See you directly got the access code
Step 2 – Access Protected Resource
Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies
2. Also position as a Query Parameter
Google Protected Resource
PostMan Import Scripts
• Authorization-Grant – http://www.getpostman.com/collections/
0c31cb5910e6a60896f7 • Implicit-Grant – http://www.getpostman.com/collections/
3085769daec37cc41c1a
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
Grant Types
Client
Authorization Server
Resource Server
Username/Password
Access Token with Optional Refresh Token
Access Token
Protected Resource
Protocol Flow
Resource Owner
Resource Owner Credentials & Client Credentials
Use Cases
• Strong Trust between Resource Owner and Client e.g Operating System or Privileged App
• Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided
• Example – Salesforce OAuth has provision for this
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
Grant Types
Client
Authorization Server
Resource Server
Access Token with Optional Refresh Token
Access Token
Protected Resource
Protocol Flow
Client Credentials
Use case
• The Data accessed is not owned by Resource Owner, but by the Client
• Say Skype showing statistics of uptime of its services
Use case
• There is contract already set between the Client and the Authorization Server
• E.g Google Apps Marketspace
• An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.
OAuth from Mobile Device
Popular Approaches
• Using User Agent (Stock Browser)• Using Embedded WebView
Disclaimer
• Following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
• I have no claim on the following slides with reference stated in them
• Thank you Brian Campbell for the excellent presentation
Request Authorization
When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint
Device
NativeApp
Browser
1
Cloud!
1
Authorization Endpoint
Token Endpoint
Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
startActivity(launchBrowser);
NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
http://
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
Authenticate and Approve The AS authenticates the user
Directly Indirectly via Facebook, Twitter, Google, Yahoo, etc.
Device
NativeApp
Browser
Cloud!
2
Authorization Endpoint
Token Endpoint
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
Approve
Device
NativeApp
Browser
Cloud!
2
Authorization Endpoint
Token Endpoint
User approves the requested access
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
Handle Callback
Server returns control to the app via HTTP redirection and includes an authorization code
HTTP/1.1 302 Found
Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAhttp://
Device
NativeApp
Browser
Cloud!
3
Authorization Endpoint
Token Endpoint
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
<activity android:name=".MyAppCallback” … >
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="x-com.mycorp.myapp" />
</intent-filter>
</activity>
Handle Callback (cont’d)Registering a custom URI scheme
String authzCode = getIntent().getData().getQueryParameter("code");
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
3
In AndroidManifest.xml file:
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
NSString *queryString = [url query];
NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
NSArray *elts = [param componentsSeparatedByString:@"="];
if([elts count] < 2) continue;
[qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
};
NSString *code = [qsParms objectForKey:@"code"];
...
Handle Callback (cont’d)Registering a custom URI scheme
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
3
In app info plist file:
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
Trade Code for Token(s)
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
4
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"token_type":"Bearer",
"expires_in":3600,
"access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”,
"refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8”
}
http://
http://
Token Endpoint Request
Token Endpoint Response
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
POST /api/update-status HTTP/1.1
Host: rs.example.com
Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
status=Almost%20done.
Using an Access Token
http://
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
5
NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
[request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
[request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
DefaultHttpClient httpClient = new DefaultHttpClient();
HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
post.setHeader("Authorization", "Bearer " + accessToken);
Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
Pros and Cons
• Pros– User may be already
logged in most cases– User will trust as he/she
sees https and domain name
• Cons– Complicated Custom URI
schema
Popular Approaches
• Using User Agent (Stock Browser)• Using Embedded WebView
Pros and Cons
• Pros– Easier to monitor pages
and extract authorization or access codes
• Cons– May not appeal since
neither https or domain name is visible
– WebView has separate cookie and history leading to client entering credentials each time
Open ID Story
Example of OpenID
What are you doing?
Proving you own http://rohitghatol.myopenid.com
Another Example
Wait!!
It’s http://openid.rohitghatol.com your own page, how does open id work then
Discover who is the Identity provider
Behind the Scene
Reference - http://openid.net/pres/protocolflow-1.1.png
Difference between OpenID and OAuth
Open ID• Know who is coming to your
site .
• Delegated Authentication
OAuth• Give rights to certain APIs
.
• Delegated Authorization
Next Steps : OpenID Connect
Disclaimer
• My Understanding on OpenID Connect is limited.
• Me talking about OpenID Connect is an attempt to understand Why it is born and what is the purpose of it
OpenID Connect
OpenID Connect
OpenID Connect
• Why it came into Picture?– Both OpenID and OAuth rely on redirection to
allow client to grant permissions– Protocol Flow is similar – redirection & verification– Passing Permissions to Gain Authentication
(Identity Information) is same as Passing Permission to Gain authority to some APIs
Let’s see a Dummy Flow
Step 1 – Get Access_Code and ID_Token
Build the OAuth URL for id_token & access_token (implicit grant flow)
Dummy Response
https://oauth2demo.appspot.com/oauthcallback# access_token=ya29.AHES6ZSzX & token_type=Bearer& expires_in=3600& id_token =eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY…
ID_Token
• Is a Json Web Token• It can be decrypted to get details• Or • taken to the Check ID Endpoint to get the
decryption done
Step 2 – Verify the Identity by going to Check ID End Point
Verify with Check ID End Point
{ "iss" : "https://accounts.example.com", "user_id" : "113487456102835830811", "aud" : "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com", "exp" : 1311281970, “nounce”:12345677}
What does the response mean?
• “user_id”: Authenticated User• “aud”: client_id so we know its meant for it• “exp”: Expiry• “nounce”: what we sent to prevent replay
attacks
Step 3 – Get User Info from UserInfo EndPoint
UserInfo EndPoint is a special resource accessed by providing access_token
Reference
• Book – Getting Started with OAuth 2.0• Facebook Documentation• Google Documentation• Brian David Campbell’s Presentation