OAuth Tokens By Vindhya N

Upload: nu-the-open-security-community

Post on 06-May-2015


DESCRIPTION

null Bangalore Chapter - March 2014 Meet

TRANSCRIPT

Page 1: OAuth Tokens

OAuth Tokens

By Vindhya N

Page 2: OAuth Tokens

Contents

Page 3: OAuth Tokens

Understanding REST

A Web service is a software system designed to support interoperable, machine-to-machine interaction over a network. In layman's terms, web services are the calls an application makes to a service present on the web in order to perform the specified actions.

Two major kinds of web service:

1. REST-compliant Web services, in which the primary purpose of the service is to manipulate XML representations of Web resources using a uniform set of stateless operations.

2. Arbitrary Web services, in which the service may expose an arbitrary set of operations.

Page 4: OAuth Tokens

REST Web Service

REST is a stateless architecture that uses HTTP, a client-server, cacheable communication protocol. A REST service is an Application Programming Interface (API) that performs all of its functions using HTTP methods.

Page 5: OAuth Tokens

Why is OAuth Required?

Consider a 3rd-party application, like a gaming app on Facebook.

To log in to the app, you don't want to give it your Facebook password, nor can you access the application directly.

So in this case there should be an authorisation process in which Facebook authorizes the 3rd-party app.

This authorisation is done by OAuth.

Page 6: OAuth Tokens

Types of authorisation

1. OpenID: de-centralized Single Sign-on for the Web

2. Basic Authentication

3. Session based

4. OAuth

Page 7: OAuth Tokens

What is OAuth?

OAuth is a simple and secure delegation protocol for accessing resources on behalf of a user without requiring the user to share their password.

It is an authorization mechanism.

It provides a single point of authentication for multiple services.

It helps in integrating an application with an existing authentication service.

Page 8: OAuth Tokens

OAuth Jargon

Client -> the 3rd-party application

Resource owner -> the user (you)

Authorisation Server -> the application you have logged in to (Facebook, Twitter)

Resource Server -> the server that holds the data

Page 9: OAuth Tokens

OAuth Mechanisms (grant types)

1. Authorisation code grant

2. Implicit grant

3. Resource owner password credentials grant

4. Client credentials grant

Page 10: OAuth Tokens

Securing OAuth

1. The application should be patched for all web application security vulnerabilities

2. Encrypt all OAuth credentials

3. OAuth tokens should be random

4. Tokens should be signed with an HMAC

5. Tokens should be short lived

6. Generate verifiable consumer keys
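To show what items 3 to 5 of this list mean in practice, here is an added example (not from the slides) that issues a random, HMAC-SHA256-signed, short-lived token and verifies it, rejecting tampered or expired tokens. The signing key, token layout and ten-minute lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side signing key: in a real deployment it is loaded
# from a secrets store and rotated, never generated at import time.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600  # "short lived": ten minutes (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, now=None, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Return 'random.expiry.signature'; the signature covers random+expiry."""
    now = time.time() if now is None else now
    random_part = secrets.token_bytes(16)      # CSPRNG, unguessable body
    expiry = int(now) + ttl                     # absolute expiry timestamp
    payload = _b64(random_part) + "." + str(expiry)
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_token(key: bytes, token: str, now=None) -> bool:
    """Check the HMAC in constant time first, then the expiry; any defect -> False."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    random_b64, expiry_str, sig_b64 = parts
    payload = random_b64 + "." + expiry_str
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _unb64(sig_b64)
    except ValueError:                          # malformed base64 (binascii.Error)
        return False
    if not hmac.compare_digest(expected, presented):
        return False                            # forged or tampered token
    if not expiry_str.isdigit():
        return False
    return int(expiry_str) > now                # expired tokens are refused
```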


Page 12: OAuth Tokens

Thank You