Who Are You?




         1                                CSI @mjidhage
                                              2011-05-06

         © Copyright Omegapoint AB 2011

Saturday, September 22, 12                                 1
Detour




[Talk map diagram with the nodes: start, REST, AUTH, OAUTH, CASE, SUM, ?, stop]
REST
         • wiki: a style of software architecture for distributed systems
                     • Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface




                                      “Representational State Transfer (REST) is a style of software architecture for
                                      distributed hypermedia systems such as the World Wide Web”



REST

                  Richardson Maturity Model
                  • Level 0: SOAP, XML RPC, POX – Single URI
                  • Level 1: URI Tunnelling – Many URIs, Single verb
                  • Level 2: Many URIs, many verbs; CRUD services (e.g. Amazon S3)
                  • Level 3: Level 2 + Hypermedia – RESTful Service, HATEOAS




What’s the problem?

                                     “The client–server communication is
                                     further constrained by no client context
                                     being stored on the server between
                                     requests. Each request from any client
                                     contains all of the information necessary
                                     to service the request, and any session
                                     state is held in the client.”




Authentication?



               • Identification
               • Authentication
               • Authorization

Authentication + REST
        Basic Authentication
                  send user+pass, base64 enc. in HTTP Header
        Digest Authentication
                  hashed user+pass+other stuff in HTTP Header
        Client Certificates
                  sign content with the client private key
        NTLM/SPNEGO
                  didn’t bother - no news since 2005
        Session based
                  classic form based login and a session id (cookie, URL, hidden)
        Token based
                  OpenID, SAML, OAuth




What to choose?




Scope cut

       [Scope cut matrix: Client type (web, smartphone) × deployment (internal, external)]
Authentication + REST
        Basic Authentication
                  send user+pass, base64 enc. in HTTP Header
        Digest Authentication
                  hashed user+pass+other stuff in HTTP Header
        Client Certificates
                  sign with the client private key
        NTLM/SPNEGO
                  didn’t bother - no news since 2005
        Session based
                  form based login
        Token based
                  OpenID, SAML, OAuth




Basic Authentication
        HTTP Header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=

        Benefits
              Simple
              Libraries available for every occasion
              Tested

        Problems
              Password sharing anti-pattern
                    • Users get trained to give the password away
              The app or site stores the password
                    • Stolen device has user/pass locally stored - hacked site too
              No access granularity
                    • it’s all or nothing
              Access revocation is a manual process
                    • and universal
              A mistake in HTTPS leaks user/pass forever and ever
                    • Stored in browser until tab or browser closed
                    • Automatic submission of BA header if MitM?
              Changing password (which is sometimes necessary...) revokes all access
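The header value on this slide is only base64, so anyone who sees it on the wire has the password. The following Python example is added here and is not code from the talk: it parses a Basic header into user and password (so the reversibility is visible), and shows the server-side counterpart of "the app or site stores the password", checking against a salted PBKDF2 hash rather than keeping the password itself. The basic_header helper, the user store and the salt are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os


def basic_header(user, password):
    """What the client sends: 'user:password' base64-encoded. Reversible, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """Parse an Authorization header value; return (user, password) or None if malformed."""
    scheme, _, credentials = value.strip().partition(" ")
    if scheme.lower() != "basic" or not credentials.strip():
        return None
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain ':'; the password may, so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def hash_password(password, salt=None, iterations=200_000):
    """Server-side storage: salted PBKDF2-HMAC-SHA256 instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_basic(value, users):
    """users maps user name -> (salt, iterations, digest). Returns the user name or None."""
    creds = parse_basic_header(value)
    if creds is None:
        return None
    user, password = creds
    record = users.get(user)
    if record is None:
        # Unknown user: do the same amount of work so response time does not reveal
        # whether the name exists. Constant dummy salt, result discarded.
        hash_password(password, b"\x00" * 16)
        return None
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return user if hmac.compare_digest(candidate, digest) else None


if __name__ == "__main__":
    header = "Basic QWxhZGluOnNlc2FtIG9wZW4="     # the header value on the slide
    print(parse_basic_header(header))            # ('Aladin', 'sesam open')
    users = {"Aladin": hash_password("sesam open")}   # constructed user store
    print(verify_basic(header, users))           # Aladin
```

Note that hashing fixes only the "hacked site" half of the slide's point: the client still has to hold and resend the password on every request, which is exactly what the token-based slide that follows avoids.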

Token based

        Benefits
               No user/pass disclosed
               Granularity
               Revocation
               Separation of duties

        Problems
               Standards under development
               No complete solution stack
                           OAuth delivers authorization
                           OpenID or own solution for authentication




What?




                             A simple, open standard for secure API
                                  authorization (not authentication).



            Possible to share private information stored on one
                       website with another website


When?

                        — 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.



                        — 2007-04 A Google group started to write a draft protocol specification



                        — 2007-06 A first draft was ready and the group was opened for everyone interested in
                             contributing to the specification




        t



When?

                          • 2007-12 Initial version OAuth 1.0 ready
                            • mainly based on the Flickr Auth API and Google AuthSub

                          • 2009-06 Revised version 1.0a due to a security flaw
                            • http://oauth.net/core/1.0a

                          • 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”

                          • OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
                            • New protocol, not backward compatible with OAuth1
                            • Simplify and create a better user experience
                            • Less secure due to no digital signature?




Who?




Why?




Lisa




Information
                                          Lisa




Lisa




                                   Service Provider




Lisa




                                                 Consumer




Why?

               Fake print service: Hi Lisa, what’s your username?

               Lisa: Hmm, don’t know - could it be, lisa@hotmail.com?

               Fake print service: Ok, great! What’s your password?

               Lisa: h4pp1n3ss

               Fake print service: Perfect! We’ll steal your paypal and facebook account through the hotmail account
               and print your photos right away. If we find any other interesting private photos while we are in there
               we’ll print them too for our personal viewing pleasure.




How?

                                          Authorization in 5 easy steps
                                          1. Intent
                                          2. Request Token
                                          3. Authorize Request Token
                                          4. Exchange Token
                                          5. Access Data




Step 1: Intent

                   Lisa: Hi, Moo! I would like to order printouts of some of my pictures
                   on Flickr, they are marked as private.
                   Could you please print them?

                   Moo: Sure, we just need to ask permission from Flickr.




Step 2: Request Token

     Moo: Hi Flickr! This is Moo speaking! Can I have a Request Token?
          [signed: HMAC-SHA1 (Yours Truly, Moo.)]

     Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V
             and your secret is: 1Hv0pzNXMXdEfBd”

     Moo: Thanks!



Step 3: Authorize Request Token

                      Moo: Hi Lisa, could you please go to Flickr to authorize
                      the Request Token: 9iKot2y5UQTDlS2V?
                      When you have made the authorization, I can
                      fetch your pictures.

                      Lisa: Sure, just redirect my browser and I will be
                      done in a second!



Step 3, Continued

                     Lisa: Flickr, I would like to authorize 9iKot2y5UQTDlS2V

                     Flickr: Sure - to be on the safe side; you are allowing Moo to read your
                     private pictures? We trust them, so there are no issues from our
                     side.

                     Lisa: Yes, that is correct!

                     Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.


Step 3, Optional Notify


                             Lisa: Hi Moo, I just told Flickr that you are allowed to access my
                             private pictures and they told me the pictures are ready for
                             you to access them.

                             Moo: Perfect, thank you!




Step 4: Exchange Token

                                Moo: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V
                                for an Access Token?   [signed: HMAC-SHA1 (Yours Truly, Moo.)]

                                Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz
                                and your Secret is: 4Fc8bwdKNGSM0iNe”

                                Moo: Perfect, thank you!



Step 5: Access Data


                            Moo: Hi Flickr, I would like to fetch the private pictures owned by
                            94S3sJVmuuxSPiZz.   [signed: HMAC-SHA1 (Yours Truly, Moo.)]

                            Flickr: Here they are Moo, anything else?
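The "HMAC-SHA1 (Yours Truly, Moo.)" tag on steps 2, 4 and 5 is the consumer signing its request the way RFC 5849 describes: a signature base string built from the HTTP method, the normalized URL and the sorted, percent-encoded parameters, keyed with "consumer secret & token secret". Neither secret ever travels; the service provider recomputes the signature from the secrets it holds. The Python below is an added example of that mechanism and is not code from the talk or from Flickr or Moo. The consumer key and secret, the URL and the request parameters are constructed; the access token and secret are the ones from step 4. The ServiceProvider class also shows the two checks a verifier needs beyond the signature itself, a timestamp window and nonce replay rejection.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    # RFC 5849 3.6: everything except unreserved characters is percent-encoded
    return quote(str(value), safe="-._~")


def normalize_url(url):
    # scheme and host lower-cased, default ports dropped, query string excluded
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    # params: every oauth_* parameter plus query/form parameters, except oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_params(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: the oauth_* parameters Moo puts in its Authorization header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(params) + list(oauth.items()))
    oauth["oauth_signature"] = sign_hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class ServiceProvider:
    """Service-provider side (Flickr in the story): recomputes the signature from the
    secrets it holds, so the consumer never has to send them."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # token -> (token_secret, consumer_key it was issued to)
        self.window = window         # accepted clock skew in seconds
        self.seen = set()            # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, oauth, now=None):
        now = int(now or time.time())
        consumer_key = oauth.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        if consumer_secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token_secret = ""
        if "oauth_token" in oauth:
            entry = self.tokens.get(oauth["oauth_token"])
            if entry is None or entry[1] != consumer_key:   # token must belong to this consumer
                return False
            token_secret = entry[0]
        try:
            if abs(now - int(oauth.get("oauth_timestamp", ""))) > self.window:
                return False
        except ValueError:
            return False
        replay_key = (consumer_key, oauth["oauth_timestamp"], oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False
        signed = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
        expected = sign_hmac_sha1(signature_base_string(method, url, list(params) + signed),
                                  consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_key)    # record only after a successful check
        return True


if __name__ == "__main__":
    # Constructed consumer credentials and URL; token and secret are the ones from step 4.
    flickr = ServiceProvider({"moo-consumer-key": "moo-consumer-secret"},
                             {"94S3sJVmuuxSPiZz": ("4Fc8bwdKNGSM0iNe", "moo-consumer-key")})
    url, params = "https://api.flickr.example/photos", [("owner", "lisa"), ("visibility", "private")]
    hdr = oauth_params("GET", url, params, "moo-consumer-key", "moo-consumer-secret",
                       "94S3sJVmuuxSPiZz", "4Fc8bwdKNGSM0iNe")
    print("Authorization: OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in hdr.items()))
    print("verified:", flickr.verify("GET", url, params, hdr))
```

The point the slides make in step 5 is visible in the verify path: the provider looks up which consumer the token was issued to and which secrets go with it, and the request carries nothing about Lisa beyond the opaque token.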




Take Away



                   No information on the identity of Lisa is passed to Moo, and Moo has
                   no idea what Lisa’s credentials on Flickr are.


                   API independent
                               there are lots of different implementations on both client and server side




Reality & Creativity

                      “OAuth is an open protocol to allow secure API authorization in a simple and
                                  standard method from desktop and web applications.”




       This is NOT the only way OAuth is used...




Case 1




                                          OAuth 1.0(a)

Authentication & Authorization


                  REST API - OAuth signed or unauthenticated requests
                  Search API - unauthenticated requests (query keyword)
                  Stream API - OAuth signed or HTTP Basic authenticated requests (realtime firehose)

                  2 basic methods




REST API
        Tweets                                Saved searches
        Timelines (set of tweets)             Places & Geo
        Direct Messages                       Trends
        Friends&Followers                     Block
        Users                                 Spam
        Suggested Users                       OAuth
        Favorites                             Help
        Lists                                 Legal
        Accounts                              Deprecated
        Notifications




OAuth API
        POST oauth/request_token            Server gets a request token (oauth_callback)

        GET oauth/authenticate              Client redirect “Sign in with Twitter” (oauth_token)

        GET oauth/authorize                 Client redirect “3-legged authentication” (oauth_token)

        POST oauth/access_token             Server gets an access token (oauth_verifier)




OAuth
     Want to offer a "Sign in with Twitter" button on your website...                      Sign in with Twitter   (authenticates)
     Want to read or post Twitter data on behalf of visitors to your website...            3-legged OAuth         (authorize)
     Have a mobile, desktop, or embedded app which can't access a browser...               PIN-based OAuth        (no redirect URL)
     Just want to access the API from your own account...                                  dev.twitter.com        (N/A)
     NEED to use usernames/passwords AND have been approved for xAuth...                   xAuth                  (authenticates)
     Offer an API where clients send you data on behalf of Twitter users...                OAuth Echo             (API delegate)
     Have an iOS5-based integration and need access tokens for server-side integrations... Using Reverse Auth     (local iOS account)
Mobility
      Native application

      Secure way
      Redirect to browser, authorize/authenticate (NB! Not an embedded UI View!)
      Redirect back to app
      Possible without multitasking?

      Not so secure way
      xAuth
      works if there is trust between app and api (internal enterprise solution)

      Alternative?
      for 3rd party app that absolutely does not want to use external browser
      Use Twitter app?




Mobility
      HTML5 application

      Redirect to auth-site
      Redirect to app-site




Case 2




        Facebook Graph API - OAuth v2 draft 14 (January 2011)




OAuth

          (authenticate / authorize)

          • Authentication in native Android apps (facebook app)
          • Authentication in native iOS apps (facebook app)

          • Authentication within a Page Tab on www.facebook.com (facebook spec)
          • Authentication within a Canvas Page on apps.facebook.com (facebook spec)

          • Authentication for Websites & Mobile Web apps using Javascript (client-side flow)
          • Authentication for Websites & Mobile Web apps using a Server (server-side flow)

          • Authentication for devices without access to a browser (PIN)




Mobility

        Native application

        Standard is using the Facebook app
                  if not logged in - log in (app)
                  if logged in but not authorized - pop authorization question (app)
        If no Facebook app
                  Redirect to web

        HTML5 application

        Redirect to auth-site
        Redirect to app-site




                                                                                       Reflection
Case 3




        Home brew oauth-style authentication




Anonymous TVM




Identity TVM




Mobility

        Native application - identity TVM
                  Login towards TVM to collect token
                  Use token towards API
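The two-step "login towards TVM to collect token, use token towards API" can be shown with a minimal token format: the TVM checks the login once, then vends a short-lived token whose claims are bound by an HMAC the API can verify without talking to the TVM or ever seeing the password. This Python is an added example and not code from the talk or from any TVM implementation; the signing key, the login check, the scope name and the claim layout are all constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the TVM and the API; a real deployment keeps it server-side only.
TVM_KEY = b"constructed-tvm-signing-key"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


class IdentityTVM:
    """Identity TVM: the only place the user's credentials are ever presented."""

    def __init__(self, key, verify_login, ttl=900):
        self.key = key
        self.verify_login = verify_login   # callable(user, password) -> bool, supplied by the deployer
        self.ttl = ttl                     # token lifetime in seconds

    def login(self, user, password, scope, now=None):
        """Return a signed token for the caller, or None if the login is wrong."""
        if not self.verify_login(user, password):
            return None
        now = int(now if now is not None else time.time())
        claims = {"sub": user, "scope": list(scope), "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return f"{b64url_encode(payload)}.{b64url_encode(token_mac(payload, self.key))}"


def verify_token(token, key, now=None):
    """API side: return the claims if the token is authentic and unexpired, else None."""
    now = int(now if now is not None else time.time())
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = b64url_decode(payload_b64), b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(token_mac(payload, key), mac):
        return None                        # forged or tampered claims
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None                        # expired: the client must log in again
    return claims


def api_private_photos(token, key, now=None):
    """An API call that needs the constructed 'photos:read' scope; never sees a password."""
    claims = verify_token(token, key, now)
    if claims is None or "photos:read" not in claims["scope"]:
        return None
    return f"private photos of {claims['sub']}"


if __name__ == "__main__":
    # Constructed login check standing in for the enterprise directory.
    tvm = IdentityTVM(TVM_KEY, lambda u, p: (u, p) == ("lisa", "h4pp1n3ss"))
    token = tvm.login("lisa", "h4pp1n3ss", ["photos:read"])
    print(token)
    print(api_private_photos(token, TVM_KEY))   # private photos of lisa
```

Because the token carries an expiry and a scope, the deck's "granularity" and "revocation" benefits of tokens come for free here: the API can limit what a token is good for, and a lost device holds a token that dies on its own rather than a password that does not.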




OAuth 2.0




                                                        rev 31

RFC 5849
        6 Flows
         • User-Agent Flow – for clients running inside a user-agent (typically a web browser).
         • Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests.
           This is a simpler version of the flow provided by OAuth 1.0.
         • Device Flow – suitable for clients executing on limited devices, but where the end-user has separate
           access to a browser on another computer or device.
         • Username and Password Flow – used in cases where the user trusts the client to handle its credentials
           but it is still undesirable for the client to store the user’s username and password. This flow is
           only suitable when there is a high degree of trust between the user and the client.
         • Client Credentials Flow – the client uses its credentials to obtain an access token. This flow
           supports what is known as the 2-legged scenario.
         • Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization
           server in exchange for an access token.




Conclusion

        Tokens are great!
        Authentication is hard.


        switch (scenario) {                                                                  How2 enforce?
                  case 3rd party native client consumes your enterprise API:
                               Make sure the 3rd party uses an external browser for authentication;
                               Alternative is to create own enterprise app on mobile device;
                  case own app consumes service api to access resource owner’s stuff:
                               Pop an external browser - because it’s the good thing to do;
                  case you are the resource owner:
                               Do not hand out your user & pass to untrusted parties;
                  case your app consumes your api:
                               see 3rd party options;
                               add xauth, Identity TVM, Username and Password flow;
        }


        In comparison - Web is easy!
Thank You



                                                                    ?   @mjidhage

    @weeUnquietMind - GLUE Conference - ‘Is that a token in your phone in your pocket or are you just glad to see me?’
    @webtonull - JavaZone - ‘RESTful Security’
    @rickardoberg - JFokus - ‘Road to REST’
    @bebb00 - OPKoKo 2010 - ‘OAuth’
    @jancalmered - OPKoKo 2010 - ‘OAuth’





Who Are You 20120922

  • 1. Who Are You? CSI @mjidhage, 2011-05-06. © Copyright Omegapoint AB 2011
  • 2. Detour
  • 3. Agenda: start → REST → AUTH → OAUTH → CASE → SUM → ? → stop
  • 4. REST. wiki: a style of software architecture for distributed systems. Constraints: client–server, stateless, cacheable, layered system, code on demand (optional), uniform interface. “Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web”
  • 5. REST, Richardson Maturity Model
        Level 0: SOAP, XML-RPC, POX; a single URI
        Level 1: URI tunnelling; many URIs, a single verb
        Level 2: many URIs, many verbs; CRUD services (e.g. Amazon S3)
        Level 3: Level 2 + hypermedia; RESTful service, HATEOAS
  • 6. What’s the problem? “The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.”
  • 7. Authentication? Identification, Authentication, Authorization
  • 8. Authentication + REST
        Basic Authentication: user+pass, base64 encoded, sent in an HTTP header
        Digest Authentication: hashed user+pass+other stuff in an HTTP header
        Client certificates: sign content with the client private key
        NTLM/SPNEGO: didn’t bother, no news since 2005
        Session based: classic form-based login and a session id (cookie, URL, hidden field)
        Token based: OpenID, SAML, OAuth
  • 9. What to choose?
  • 10. Scope cut: internal vs. external; web client vs. smartphone
  • 11. Authentication + REST (the list from slide 8 again, narrowed to the scope above)
  • 12. Basic Authentication
        HTTP header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=   (base64 of Aladin:sesam open, nothing more)
        Benefits: simple; libraries available for every occasion; tested
        Problems:
          Password sharing anti-pattern: users get trained to give the password away
          The app or site stores the password: a stolen device has user/pass locally stored, a hacked site too
          No access granularity: it’s all or nothing
          Access revocation is a manual process, and universal
          A mistake in HTTPS leaks user/pass forever and ever: stored in the browser until the tab or browser is closed; automatic submission of the BA header if MitM?
          Changing the password (which is sometimes necessary...) revokes all access
  • 13. Token based
        Benefits: no user/pass disclosed; granularity; revocation; separation of duties
        Problems: standards under development; no complete solution stack: OAuth delivers authorization, OpenID or an own solution is needed for authentication
  • 14. (image only)
  • 15. What? A simple, open standard for secure API authorization (not authentication). Makes it possible to share private information stored on one website with another website.
  • 16. When?
        2006-11: Blaine Cook, Twitter, started working on Twitter’s OpenID implementation.
        2007-04: A Google group started to write a draft protocol specification.
        2007-06: A first draft was ready and the group was opened for everyone interested in contributing to the specification.
  • 17. When?
        2007-12: Initial version OAuth 1.0 ready, mainly based on the Flickr Auth API and Google AuthSub.
        2009-06: Revised version 1.0a due to a security flaw (the session fixation attack on the authorization step), http://oauth.net/core/1.0a
        2010-04: RFC 5849, IETF Informational RFC “The OAuth 1.0 Protocol”.
        OAuth 2.0: http://tools.ietf.org/html/draft-ietf-oauth-v2-31 . A new protocol, not backward compatible with OAuth 1; simplify and create a better user experience; less secure due to no digital signature?
  • 18. Who? (image only)
  • 19. Why? (image only)
  • 20 to 26. Picture story: Lisa; Lisa’s information; Lisa and the Service Provider (where the information lives); Lisa and the Consumer (who wants to use it).
  • 27. Why? The password anti-pattern, as a dialogue with a fake site:
        Fake site: Hi Lisa, what’s your username?
        Lisa: Hmm, don’t know, could it be lisa@hotmail.com?
        Fake site: Ok, great! What’s your password?
        Lisa: h4pp1n3ss
        Fake site: Perfect! We’ll steal your PayPal and Facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
  • 28. How? Authorization in 5 easy steps: 1. Intent 2. Request Token 3. Authorize Request Token 4. Exchange Token 5. Access Data
  • 29. Step 1: Intent
        Lisa: Hi, Moo! I would like to order printouts of some of my pictures on Flickr, they are marked as private. Could you please print them?
        Moo: Sure, we just need to ask permission from Flickr.
  • 30. Step 2: Request Token
        Moo → Flickr: Hi Flickr! This is Moo speaking! Can I have a Request Token? (request signed with HMAC-SHA1: “Yours Truly, Moo.”)
        Flickr: Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd
        Moo: Thanks!
  • 31. Step 3: Authorize Request Token
        Moo → Lisa: Hi Lisa, could you please go to Flickr to authorize the Request Token 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your pictures.
        Lisa: Sure, just redirect my browser and I will be done in a second!
  • 32. Step 3, continued
        Lisa → Flickr: Flickr, I would like to authorize 9iKot2y5UQTDlS2V
        Flickr: Sure. To be on the safe side: you are allowing Moo to read your private pictures? We trust them, so there are no issues from our side.
        Lisa: Yes, that is correct!
        Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.
  • 33. Step 3, optional notify
        Lisa → Moo: Hi Moo, I just told Flickr that you are allowed to access my private pictures and they told me the pictures are ready for you to access.
        Moo: Perfect, thank you!
  • 34. Step 4: Exchange Token
        Moo → Flickr: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? (signed with HMAC-SHA1: “Yours Truly, Moo.”; in OAuth 1.0a this request also carries the oauth_verifier that Flickr handed out at authorization, which is what closed the 1.0 session fixation hole)
        Flickr: Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your secret is: 4Fc8bwdKNGSM0iNe
        Moo: Perfect, thank you!
  • 35. Step 5: Access Data
        Moo → Flickr: Hi Flickr, I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. (signed with HMAC-SHA1: “Yours Truly, Moo.”)
        Flickr: Here they are, Moo. Anything else?
  • 36. Take away: No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are. API independent: there are lots of different implementations on both the client and the server side.
  • 37. Reality & Creativity. “OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” This is NOT the only way OAuth is used...
  • 38. Case 1: Twitter, OAuth 1.0(a)
  • 39. Authentication & Authorization, two basic methods
        REST API: OAuth-signed or unauthenticated requests
        Search API (query keyword): unauthenticated requests
        Streaming API (realtime firehose): OAuth-signed or HTTP Basic authenticated requests
  • 40. REST API resource groups: Tweets, Timelines (sets of tweets), Direct Messages, Friends & Followers, Users, Suggested Users, Favorites, Lists, Accounts, Notifications, Saved searches, Places & Geo, Trends, Block, Spam, OAuth, Help, Legal, Deprecated
  • 41. OAuth API
        POST oauth/request_token: server gets a request token (oauth_callback)
        GET oauth/authenticate: client redirect, “Sign in with Twitter” (oauth_token)
        GET oauth/authorize: client redirect, 3-legged authentication (oauth_token)
        POST oauth/access_token: server gets an access token (oauth_verifier)
  • 42. Which OAuth flow? (scenario → method, with the talk’s own annotation)
        Want to offer a “Sign in with Twitter” button on your website... → Sign in with Twitter (authenticates)
        Want to read or post Twitter data on behalf of visitors to your website... → 3-legged OAuth (authorize)
        Have a mobile, desktop, or embedded app which can’t access a browser... → PIN-based OAuth (no redirect URL)
        Just want to access the API from your own dev.twitter.com account... → N/A
        NEED to use usernames/passwords AND have been approved for xAuth... → xAuth (authenticates)
        Offer an API where clients send you data on behalf of Twitter users... → OAuth Echo (API delegate)
        Have an iOS5-based integration and need access tokens for server-side integrations... → Reverse Auth (local iOS account)
  • 43. Mobility, native application
        Secure way: redirect to the browser, authorize/authenticate (NB! not an embedded UI view!), redirect back to the app. Possible without multitasking?
        Not so secure way: xAuth works if there is trust between app and API (internal enterprise solution).
        Alternative for a 3rd-party app that absolutely does not want to use an external browser? Use the Twitter app?
  • 44. Mobility, HTML5 application: redirect to the auth site, redirect back to the app site
  • 45. Case 2: Facebook Graph API, OAuth v2 draft 14 (January 2011)
  • 46. OAuth: authenticate / authorize. The Facebook spec lists: authentication in native Android apps and native iOS apps (via the Facebook app); within a Page Tab on www.facebook.com; within a Canvas Page on apps.facebook.com; for websites & mobile web apps using JavaScript (client-side flow); for websites & mobile web apps using a server (server-side flow); for devices without access to a browser (PIN).
  • 47. Mobility, native application: the standard is to use the Facebook app: if not logged in, log in (app); if logged in but not authorized, pop the authorization question (app); if there is no Facebook app, redirect to the web. HTML5 application: redirect to the auth site, redirect back to the app site. Reflection.
  • 48. Case 3: Home brew OAuth-style authentication
  • 49. Anonymous TVM (token vending machine) (image only)
  • 50. Identity TVM (image only)
  • 51. Mobility, native application, identity TVM: log in towards the TVM to collect a token; use the token towards the API.
  • 52. OAuth 2.0 rev 31 (draft-ietf-oauth-v2-31)
  • 53. OAuth 2.0 (image only)
  • 54. The 6 flows of the early OAuth 2.0 drafts (the slide is labelled “RFC 5849”, but that RFC is OAuth 1.0, see slide 17; these flows are from the first OAuth 2.0 drafts)
        User-Agent Flow: for clients running inside a user-agent (typically a web browser).
        Web Server Flow: for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
        Device Flow: suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
        Username and Password Flow: used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
        Client Credentials Flow: the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
        Assertion Flow: the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
  • 55. Conclusion: Tokens are great! Authentication is hard. How to enforce?
        switch (scenario) {
          case 3rd party native client consumes your enterprise API:
            Make sure the 3rd party uses an external browser for authentication; the alternative is to create your own enterprise app on the mobile device;
          case own app consumes a service API to access the resource owner’s stuff:
            Pop an external browser, because it’s the good thing to do;
          case you are the resource owner:
            Do not hand out your user & pass to untrusted parties;
          case your app consumes your API:
            see the 3rd party options; add xAuth, Identity TVM, Username and Password flow;
        }
        In comparison, Web is easy!
  • 56. Thank You. ? @mjidhage. References: @weeUnquietMind, GLUE Conference, ‘Is that a token in your phone in your pocket or are you just glad to see me?’; @webtonull, JavaZone, ‘RESTful Security’; @rickardoberg, JFokus, ‘Road to REST’; @bebb00, OPKoKo 2010, ‘OAuth’; @jancalmered, OPKoKo 2010, ‘OAuth’
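The five-step flow on slides 28 to 35 and the Twitter endpoints on slide 41 both rest on the consumer signing every request with HMAC-SHA1 over a canonical “signature base string” (RFC 5849 section 3.4), which the deck only hints at with “Yours Truly, Moo.”. The following is an added example, not code from the talk, from Twitter, Flickr or Moo: it builds the signature on the consumer side (Moo) and recomputes and checks it on the provider side (Flickr), with the timestamp window and nonce replay check a provider needs on top of the signature. The consumer key and secret, the API host api.provider.example and the 300-second clock-skew window are constructed assumptions; the access token and secret are the deck’s example values.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing and verification.

Added example, not the talk's code.  Consumer = Moo, provider = Flickr as in
the deck; keys, secrets and the API host are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

TIMESTAMP_WINDOW = 300  # seconds of clock skew the provider tolerates (assumption)


def oauth_encode(s: str) -> str:
    """RFC 5849 3.6: only ALPHA / DIGIT / - . _ ~ stay unescaped, uppercase %XX elsewhere."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 3.4.1.2: lowercase scheme and host, no query, default port dropped."""
    u = urlsplit(url)
    host = u.hostname or ""
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    if u.port and u.port != default:
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def collect_params(url: str, body: str, oauth: dict) -> list:
    """RFC 5849 3.4.1.3: query string + form body + oauth_* header params, minus realm/signature."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth.items() if k not in ("realm", "oauth_signature")]
    return params


def signature_base_string(method: str, url: str, params: list) -> str:
    """RFC 5849 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 3.4.2: key is enc(consumer secret) & enc(token secret); result is base64."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body, consumer_key, consumer_secret, token="", token_secret="",
                 nonce=None, timestamp=None) -> str:
    """Consumer side (Moo): build the Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
    }
    if token:
        oauth["oauth_token"] = token  # absent on the request_token call, present from step 3 on
    base = signature_base_string(method, url, collect_params(url, body, oauth))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in oauth.items())


def parse_oauth_header(header: str) -> dict:
    """Split 'OAuth k="v", k="v"' into a dict of percent-decoded values."""
    if not header.startswith("OAuth "):
        return {}
    out = {}
    for part in header[6:].split(","):
        k, _, v = part.strip().partition("=")
        out[k] = unquote(v.strip().strip('"'))
    return out


def verify_request(method, url, body, header, consumer_secrets, token_secrets,
                   now=None, seen_nonces=None) -> bool:
    """Provider side (Flickr): recompute the signature over what was actually received."""
    oauth = parse_oauth_header(header)
    consumer_secret = consumer_secrets.get(oauth.get("oauth_consumer_key"))
    if consumer_secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    token = oauth.get("oauth_token")
    if token is None:
        token_secret = ""            # request_token step: no token yet
    elif token in token_secrets:
        token_secret = token_secrets[token]
    else:
        return False                 # unknown, expired or revoked token
    try:
        ts = int(oauth["oauth_timestamp"])
        nonce = oauth["oauth_nonce"]
    except (KeyError, ValueError):
        return False
    if abs((now if now is not None else int(time.time())) - ts) > TIMESTAMP_WINDOW:
        return False
    base = signature_base_string(method, url, collect_params(url, body, oauth))
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
        return False
    if seen_nonces is not None:      # replay protection; only valid signatures consume a nonce
        key = (oauth["oauth_consumer_key"], ts, nonce)
        if key in seen_nonces:
            return False
        seen_nonces.add(key)
    return True
```

The provider rebuilds the base string from what it actually received (query string, form body and the oauth_* header parameters), so a changed query or body fails verification even though the signature bytes themselves are untouched. Two caveats worth knowing before relying on this: the nonce set must be shared across all provider instances or replays succeed on a different node, and RFC 5849 only folds form-encoded bodies into the base string, so a JSON body travels unsigned under plain OAuth 1.0a.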
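Case 3 (slides 48 to 51) and the token benefits listed on slide 13 describe an identity TVM: the app logs in once, receives a token, and from then on presents only that token to the API. The following is an added example, not the talk’s own code, of the minimum a home-brew TVM should give you to actually earn those benefits: scoped, expiring, revocable tokens; a password check against a salted PBKDF2 hash; and only a hash of the bearer token stored server-side, so a leaked token table is not a leaked set of tokens. The user lisa, the photos:read/photos:write scopes, the iteration count and the integer status codes are constructed for illustration.

```python
"""Identity token vending machine (TVM): log in once, get a scoped, expiring,
revocable token, and present that (never the password) to the API.

Added example for the deck's Case 3, not the talk's code.  The user, scopes,
iteration count and the 'photos' API are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumption; tune to your hardware


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _token_id(token: str) -> str:
    # Only a hash of the bearer token is kept, so a dumped token table yields no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()


class TokenVendingMachine:
    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 hash)
        self._tokens = {}  # sha256(token) -> {"sub", "scopes", "exp", "revoked"}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _password_hash(password, salt))

    def login(self, username: str, password: str, scopes, ttl: int = 3600, now=None):
        """Exchange user+pass for a token limited to `scopes`; None on bad credentials."""
        # Unknown users get a dummy record so a failed login costs the same time either way
        salt, digest = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        if not hmac.compare_digest(digest, _password_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_token_id(token)] = {
            "sub": username,
            "scopes": frozenset(scopes),          # granularity: the token, not the user, is scoped
            "exp": (now if now is not None else time.time()) + ttl,
            "revoked": False,
        }
        return token

    def revoke(self, token: str) -> None:
        """Revocation of one token; the user's password and other tokens are untouched."""
        rec = self._tokens.get(_token_id(token))
        if rec:
            rec["revoked"] = True

    def introspect(self, token: str, now=None):
        """What the API asks the TVM: whose token is this, what may it do, is it still good?"""
        rec = self._tokens.get(_token_id(token))
        if rec is None or rec["revoked"]:
            return None
        if (now if now is not None else time.time()) >= rec["exp"]:
            return None
        return rec


def api_request(tvm: TokenVendingMachine, token: str, required_scope: str, now=None) -> int:
    """Resource side: the HTTP-style status the client would get for this token and scope."""
    rec = tvm.introspect(token, now)
    if rec is None:
        return 401  # unknown, expired or revoked token
    if required_scope not in rec["scopes"]:
        return 403  # authenticated, but this token was never granted that scope
    return 200
```

Contrast this with the Basic Authentication problems on slide 12: the API never sees the password, a stolen device only yields a token that can be revoked or that expires on its own, and a print-only token cannot delete pictures. What this home-brew design does not give you is the third party separation of OAuth: the TVM and the API belong to the same operator, which is exactly the “your app consumes your API” case in the conclusion.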