OAuth 2 + API Security

Upload: amila-paranawithana

Post on 06-May-2015


Page 1: OAuth2 + API Security

OAuth 2+ API Security

Page 2

APIs and Managing APIs

• Private APIs, public APIs (Twitter, Facebook)

• Even though these APIs are public, there must be access control (e.g. nobody else can update your FB status on your behalf)

Page 3

Securing APIs (before OAuth)

• Basic auth – sending user credentials in the HTTP Authorization header

• Mutual authentication – based on certificates; the server authenticates to the client and the client to the server

Problem? ONLY 2 parties.

What happens if a 3rd party (client/app) wants to call APIs on behalf of you?

Page 4

Need a better method

Page 5

Why we need a better method

• Third-party applications cannot store the password as a salted hash; they have to keep it in clear text, because they will use the user's credentials later to access resources.

• The resource owner cannot limit the duration of access, or which of his resources a client may access.

Page 6

Why we need a better method

• Resource owners cannot revoke access to an individual third party. To revoke access, the resource owner has to change the password, which automatically revokes all other clients as well.

• Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

Page 7

Pre-OAuth Era

• Google OAuth

• Flickr OAuth

• Yahoo BB-OAuth

Page 8

OAuth 2.0

Page 9

4 Roles

• Resource Owner

• Resource Server

• Client

• Authorization Server

Page 10

Resource Owner

• An entity capable of granting access to a protected resource.

• When the resource owner is a person, it is referred to as an end-user.

Page 11

Resource Server

The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Page 12

Client

An application making protected resource requests on behalf of the resource owner and with its authorization.

Two types:

• Confidential clients – can securely keep the client_secret and client_id (e.g. a web application)

• Public clients (e.g. browser-based clients, mobile apps)

Page 13

Authorization Server

The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

Page 14

OAuth 2 – abstract protocol flow

Roles: Resource owner, Authorization Server, Resource Server, Client

(A) Authorization Request: client to resource owner

(B) Authorization Grant: resource owner to client

(C) Authorization Grant: client to authorization server

(D) Access Token: authorization server to client

(E) Access Token: client to resource server

(F) Protected Resource: resource server to client

Page 15

OAuth 2 – the car key analogy

Car owner (resource owner), Key Holder (authorization server), Car park (resource server), Mechanic (client)

(A) Mechanic to car owner: "Give me the key of your car."

(B) Car owner to mechanic: "It's with the key holder. I will give you a chit; show this to the key holder and ask for the key. You can't open my private stuff box with this key."

(C) Mechanic to key holder: "Give me the car key. Here is the chit of approval from the owner."

(D) Key holder to mechanic: "OK, this is accepted, here is the key."

(E) Mechanic to car park: "Give me the car to repair, this is the key."

(F) Car park to mechanic: "OK, have the car."

Page 16

OAuth 2 – authorization grant types

The abstract flow is the same as on Page 14, between Resource owner, Authorization Server, Resource Server and Client: (A) Authorization Request, (B) Authorization Grant, (C) Authorization Grant, (D) Access Token, (E) Access Token, (F) Protected Resource.

The authorization grant used in steps (B) and (C) can be one of four types:

• Implicit

• Resource Owner Password Credentials

• Client Credentials

• Authorization Code

Page 17

Authorization Code

Participants: User Agent, Client, Resource owner, Authorization Server

(A) Client identifier & redirect URI: the client directs the resource owner's user agent to the authorization server; the requested scope is included in this request

(B) User authenticates: the authorization server authenticates the resource owner through the user agent and obtains an authorization decision

(C) Authorization code: the authorization server redirects the user agent back to the client's redirect URI, carrying the authorization code

(D) Authorization code & redirect URI: the client sends the code, together with the redirect URI used in (A), to the authorization server

(E) Access token: the authorization server validates the code and returns the access token to the client

Page 18

Scope

• Scope indicates which resources the client wants to access and which actions it wants to perform on them.

• The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server.

• The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.

Page 19

Authorization Code (same flow as Page 17: (A) client identifier & redirect URI, (B) user authenticates, (C) authorization code, (D) authorization code & redirect URI, (E) access token)

Confidential client type: web application

Page 20

Authorization Code (same flow as Page 17, with the scope requested in step (A))

The client authenticates to the authorization server when it exchanges the code in step (D): Basic Auth with client_id/client_secret

Page 21

Authorization Code – Benefits

• Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client.

• The access token is given directly to the client without passing through the resource owner's user-agent.

Page 22

Authorization Code – Authorization Grant Request

• response_type: REQUIRED. Value MUST be set to "code".

• client_id: REQUIRED. The client identifier.

• redirect_uri: OPTIONAL. Where the Authorization Server redirects the user agent back to.

• scope: OPTIONAL. The scope of the access request.

• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback.

Page 23

Authorization Code – Authorization Grant Request

https://oauth2server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos

Page 24

Authorization Code – Authorization Grant Response

• code: REQUIRED. The authorization code generated by the authorization server.

• state: REQUIRED if the "state" parameter was present in the client authorization request.

https://oauth2client.com/cb?code=AUTH_CODE_HERE

Page 25

Authorization Code – Access Token Request

• grant_type: REQUIRED. Value MUST be set to "authorization_code".

• code: REQUIRED. The authorization code received from the Authorization Server.

• redirect_uri: REQUIRED if the "redirect_uri" parameter was included in the authorization request.

POST https://api.oauth2server.com/token
grant_type=authorization_code&code=AUTH_CODE_HERE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Page 26

Authorization Code – Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.

• token_type: REQUIRED. The type of the token. Value is case insensitive.

• expires_in: RECOMMENDED. The lifetime in seconds of the access token.

Page 27

Access Token

• Credentials used to access protected resources.

• A string representing an authorization issued to the client.

• Tokens represent specific scopes and durations of access.

Refresh Token

• Used to obtain a new access token when the current access token becomes invalid or expires.

• Can be used to obtain additional access tokens with identical or narrower scope.

Page 28

Authorization Code – Access Token Response

{"access_token": "RsT5OjbzRn430zqMLgV3Ia"}
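As an added example (not from the slides), a minimal in-memory model of the authorization server's token endpoint that enforces the checks the deck describes: client authentication with client_id/client_secret (Page 20), a single-use code whose redirect_uri must match the one from the authorization request (Page 25), the access token response (Page 26) and refreshing with an identical or narrower scope (Page 27). Class and field names are my own, and the 3600-second lifetime and the stored codes are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str   # redirect_uri from the authorization request ("" if it had none)
    scope: set

@dataclass
class TokenEndpoint:
    clients: dict                                       # client_id -> client_secret
    codes: dict = field(default_factory=dict)           # code -> AuthCode (pending codes)
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> (client_id, scope)

    def _issue(self, client_id: str, scope: set) -> dict:
        # Access token response (Page 26) plus a refresh token (Page 27); 3600 s is a constructed lifetime.
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (client_id, scope)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh, "scope": " ".join(sorted(scope))}

    def token(self, form: dict) -> dict:
        # The confidential client authenticates with client_id/client_secret (Page 20).
        client_id = form.get("client_id", "")
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            # pop() makes the code single-use: a replay, or a failed check below, retires it.
            code = self.codes.pop(form.get("code", ""), None)
            if code is None or code.client_id != client_id:
                return {"error": "invalid_grant"}
            # redirect_uri is REQUIRED, and must match, when it was in the authorization request (Page 25).
            if code.redirect_uri and form.get("redirect_uri") != code.redirect_uri:
                return {"error": "invalid_grant"}
            return self._issue(client_id, code.scope)
        if grant == "refresh_token":
            entry = self.refresh_tokens.get(form.get("refresh_token", ""))
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            # The new scope may be identical to or narrower than the one granted (Page 27).
            requested = set(form["scope"].split()) if form.get("scope") else entry[1]
            if not requested <= entry[1]:
                return {"error": "invalid_scope"}
            del self.refresh_tokens[form["refresh_token"]]  # rotate: the used refresh token is retired
            return self._issue(client_id, requested)
        return {"error": "unsupported_grant_type"}
```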

Page 29

Implicit

The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.

Page 30

Implicit

Participants: User Agent, Client (web-hosted client resource), Resource owner, Authorization Server

(A) Client identifier & redirect URI: the client directs the resource owner's user agent to the authorization server; the requested scope is included in this request

(B) User authenticates: the authorization server authenticates the resource owner through the user agent and obtains an authorization decision

(C) Redirection URI with access token in fragment: the authorization server redirects the user agent to the client's redirect URI, with the access token in the URI fragment

(D) Redirection URI without fragment: the user agent requests the web-hosted client resource; the fragment is not sent to the server

(E) Script: the web-hosted client resource returns a script that extracts the access token from the fragment and passes it to the client

Page 31

Implicit

• The authorization server does not authenticate the client.

• Improves the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.

Page 32

Implicit (same flow as Page 30: (A) client identifier & redirect URI, (B) user authenticates, (C) redirection URI with access token in fragment, (D) redirection URI without fragment, (E) script)

Public client type: user-agent-based application (web-hosted client resource)

Page 33

Implicit – Authorization Grant Request

• response_type: REQUIRED. Value MUST be set to "token".

• client_id: REQUIRED. The client identifier.

• redirect_uri: OPTIONAL. Where the Authorization Server redirects the user agent back to.

• scope: OPTIONAL. The scope of the access request.

• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback.

https://oauth2server.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos

Page 34

Implicit – Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.

• token_type: REQUIRED. The type of the token. Value is case insensitive.

• expires_in: RECOMMENDED. The lifetime in seconds of the access token.

• scope: OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED.

• state: REQUIRED if the "state" parameter was present in the client authorization request.

https://oauth2client.com/cb#access_token=ACCESS_TOKEN
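As an added example (not from the slides), a client-side helper that builds the authorization grant request URL for both response types (Pages 23 and 33) and parses the redirect back to the client (Pages 24 and 34): the code arrives in the query string, the implicit-flow token in the fragment, and in both cases the state value the client generated must come back unchanged before the code or token is trusted. Function names are my own; the callback URLs in the comments are constructed, and the implicit callback carries the token under access_token, the parameter named on Page 34.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def new_state() -> str:
    # Unguessable per-request value; the client keeps it in the user's session and
    # compares it on the callback (the RECOMMENDED "state" parameter).
    return secrets.token_urlsafe(24)

def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state,
                            response_type="code"):
    """Authorization grant request for the code ("code") or implicit ("token") flow."""
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scope), "state": state}
    return auth_endpoint + "?" + urlencode(params)

def parse_callback(callback_url, expected_state, response_type="code"):
    """Return the authorization code (code flow) or access token (implicit flow)
    delivered to the redirect URI, or raise ValueError.

    Code flow, e.g. https://oauth2client.com/cb?code=AUTH_CODE_HERE&state=...:
      parameters arrive in the query string (Page 24).
    Implicit flow, e.g. https://oauth2client.com/cb#access_token=ACCESS_TOKEN&state=...:
      parameters arrive in the fragment, which the browser never sends to the
      server, so only client-side script can read them (Page 34)."""
    parts = urlparse(callback_url)
    raw = parts.query if response_type == "code" else parts.fragment
    p = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    # state must be present and equal to what we sent before anything else is
    # trusted; otherwise this callback may not belong to a request we started.
    if not secrets.compare_digest(p.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state missing or mismatched")
    if "error" in p:
        raise ValueError("authorization server returned error: " + p["error"])
    key = "code" if response_type == "code" else "access_token"
    if key not in p:
        raise ValueError("callback is missing " + key)
    return p[key]
```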

Page 35

Client Credentials

Client credentials are used as an authorization grant when the client is also the resource owner, or is requesting access to protected resources based on an authorization previously arranged with the authorization server.

Page 36

Client Credentials

Participants: Client, Authorization Server

(A) Client Authentication: client to authorization server

(B) Access Token: authorization server to client

Page 37

Client Credentials (same flow as Page 36: (A) client authentication, (B) access token)

Confidential client type

Page 38

Client Credentials – Access Token Request

• grant_type: REQUIRED. Value MUST be set to "client_credentials".

• scope: OPTIONAL. The scope of the access request.

POST https://api.oauth2server.com/token
grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Page 39

Client Credentials – Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.

• token_type: REQUIRED. The type of the token. Value is case insensitive.

• expires_in: RECOMMENDED. The lifetime in seconds of the access token.

Page 40

Resource owner password credentials

Participants: Resource owner, Client, Authorization Server

(A) Resource owner password credentials: resource owner to client

(B) Resource owner password credentials: client to authorization server

(C) Access token: authorization server to client

Page 41

Resource owner password credentials – When to use

• In mobile applications

▫ The app exchanges your username and password for an access token and stores only this access token in the mobile app.

▫ It should only be used by apps created by the service itself (e.g. the native Twitter app).

Page 42

Resource owner password credentials – Token Request

POST https://api.oauth2server.com/token
grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID