1. Who Are You?
CSI @mjidhage
2011-05-06
© Copyright Omegapoint AB 2011
Saturday, September 22, 12
2. Detour
3. Agenda (flow diagram): start → REST → AUTH → ? → OAUTH → CASE → SUM → stop
4. REST
• Wikipedia: a style of software architecture for distributed systems
• Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface
“Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web”
5. REST
Richardson Maturity Model
• Level 0: SOAP, XML RPC, POX – Single URI
• Level 1: URI Tunnelling – Many URIs, Single verb
• Level 2: Many URIs, many verbs; CRUD services (e.g. Amazon S3)
• Level 3: Level 2 + Hypermedia – RESTful Service, HATEOAS
6. What’s the problem?
“The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.”
7. Authentication?
• Identification
• Authentication
• Authorization
8. Authentication + REST
• Basic Authentication: send user+pass, base64 enc. in HTTP Header
• Digest Authentication: hashed user+pass+other stuff in HTTP Header
• Client Certificates: sign content with the client private key
• NTLM/SPNEGO: didn’t bother - no news since 2005
• Session based: classic form based login and a session id (cookie, URL, hidden)
• Token based: OpenID, SAML, OAuth
9. What to choose?
10. Scope cut
Matrix: Client (web / smartphone) × scope (internal / external)
11. Authentication + REST
• Basic Authentication: send user+pass, base64 enc. in HTTP Header
• Digest Authentication: hashed user+pass+other stuff in HTTP Header
• Client Certificates: sign with the client private key
• NTLM/SPNEGO: didn’t bother - no news since 2005
• Session based: form based login
• Token based: OpenID, SAML, OAuth
12. Basic Authentication
HTTP Header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
(the value is base64 of Aladin:sesam open, an encoding rather than encryption)
Benefits
• Simple
• Libraries available for every occasion
• Tested
Problems
Password sharing anti-pattern
• Users get trained to give the password away
The app or site stores the password
• A stolen device has user/pass locally stored - a hacked site too
No access granularity
• It’s all or nothing
Access revocation is a manual process
• and universal
A mistake in HTTPS leaks user/pass forever and ever
• Stored in browser until tab or browser closed
• Automatic submission of BA header if MitM?
Changing password (which is sometimes necessary...) revokes all access
13. Token based
Benefits
• No user/pass disclosed
• Granularity
• Revocation
• Separation of duties
Problems
• Standards under development
• No complete solution stack: OAuth delivers authorization; OpenID or own solution for authentication
15. What?
A simple, open standard for secure API authentication, or rather authorization.
Possible to share private information stored on one website with another website.
16. When?
• 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
• 2007-04 A Google group started to write a draft protocol specification
• 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
17. When?
• 2007-12 Initial version OAuth 1.0 ready
• mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
• http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
• New protocol, not backward compatible with OAuth1
• Simplify and create a better user experience
• Less secure due to no digital signature?
18. Who?
19. Why?
20–26. Cast (illustrated): Lisa; her Information; the Service Provider; the Consumer
27. Why?
Fake site: Hi Lisa, what’s your username?
Lisa: Hmm, don’t know - could it be lisa@hotmail.com?
Fake site: Ok, great! What’s your password?
Lisa: h4pp1n3ss
Fake site: Perfect! We’ll steal your paypal and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
28. How?
Authorization in 5 easy steps
1. Intent
2. Request Token
3. Authorize Request Token
4. Exchange Token
5. Access Data
29. Step 1: Intent
Lisa: Hi, Moo! I would like to order printouts of some of my pictures on Flickr, they are marked as private. Could you please print them?
Moo: Sure, we just need to ask permission from Flickr.
30. Step 2: Request Token
Moo: Hi Flickr! This is Moo speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
Moo: Thanks!
31. Step 3: Authorize Request Token
Moo: Hi Lisa, could you please go to Flickr to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your pictures.
Lisa: Sure, just redirect my browser and I will be done in a second!
32. Step 3, Continued
Lisa: Flickr, I would like to authorize 9iKot2y5UQTDlS2V
Flickr: Sure - to be on the safe side; you are allowing Moo to read your private pictures? We trust them, so there are no issues from our side.
Lisa: Yes, that is correct!
Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.
33. Step 3, Optional Notify
Lisa: Hi Moo, I just told Flickr that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
Moo: Perfect, thank you!
34. Step 4: Exchange Token
Moo: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
Moo: Perfect, thank you!
35. Step 5: Access Data
Moo: Hi Flickr, I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Here they are Moo, anything else?
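The “HMAC-SHA1 (Yours Truly, Moo.)” that Steps 2, 4 and 5 wave at is the RFC 5849 request signature; this added example (not from the deck) shows both sides of it: Moo builds the signature base string and signs it with consumer secret & token secret, and Flickr recomputes the signature, compares it in constant time and refuses stale timestamps and replayed nonces. The endpoint URL, consumer key/secret, nonce, timestamp and verifier are constructed sample values; only the token values come from the slides.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    """Lower-case scheme and host, drop default ports, strip query and fragment."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"

def signature_base_string(method, url, params):
    """METHOD&uri&sorted-params; params holds the oauth_* plus any query/form parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Moo's side: the key is consumer_secret&token_secret (token_secret is empty in Step 2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

class ServiceProvider:
    """Flickr's side: recompute the signature, compare in constant time, refuse replays."""
    def __init__(self, consumer_secrets, token_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets  # consumer key -> consumer secret
        self.token_secrets = token_secrets        # request/access token -> token secret
        self.window = window_seconds              # tolerated clock skew
        self.seen_nonces = set()                  # (consumer key, timestamp, nonce) accepted so far

    def verify(self, method, url, params, now):
        """True only for a fresh, not yet seen request whose signature matches."""
        consumer_key = params.get("oauth_consumer_key", "")
        timestamp = int(params.get("oauth_timestamp", "0"))
        replay_key = (consumer_key, timestamp, params.get("oauth_nonce", ""))
        if (consumer_key not in self.consumer_secrets or abs(now - timestamp) > self.window
                or replay_key in self.seen_nonces):
            return False
        token_secret = self.token_secrets.get(params.get("oauth_token", ""), "")
        expected = hmac_sha1_signature(method, url, params, self.consumer_secrets[consumer_key], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(replay_key)  # record the nonce only after a valid signature
        return True
```

Tampering with any parameter, reusing a nonce, or signing with a secret other than the one Flickr handed out in Step 2 makes verify() return False.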
36. Take Away
No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are.
API independent: there are lots of different implementations on both client and server side
37. Reality & Creativity
“OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.”
This is NOT the only way OAuth is used...
38. Case 1
OAuth 1.0(a)
39. Authentication & Authorization
2 basic methods
• REST API - OAuth signed or unauthenticated requests
• Search API - unauthenticated requests (query keyword)
• Stream API - OAuth signed or HTTP Basic authenticated requests (realtime, firehose)
40. REST API
Tweets, Timelines (set of tweets), Direct Messages, Friends&Followers, Users, Suggested Users, Favorites, Lists, Accounts, Notifications, Saved searches, Places & Geo, Trends, Block, Spam, OAuth, Help, Legal, Deprecated
41. OAuth API
• POST oauth/request_token – Server gets a request token (oauth_callback)
• GET oauth/authenticate – Client redirect “Sign in with Twitter” (oauth_token)
• GET oauth/authorize – Client redirect “3-legged authentication” (oauth_token)
• POST oauth/access_token – Server gets an access token (oauth_verifier)
42. OAuth
Scenario → method (what it does)
• Want to offer a "Sign in with Twitter" button on your website... → Sign in with Twitter (authenticates)
• Want to read or post Twitter data on behalf of visitors to your website... → 3-legged OAuth (authorize)
• Have a mobile, desktop, or embedded app which can't access a browser... → PIN-based OAuth (no redirect URL)
• Just want to access the API from your own account... → dev.twitter.com (N/A)
• NEED to use usernames/passwords AND have been approved for xAuth... → xAuth (authenticates)
• Offer an API where clients send you data on behalf of Twitter users... → OAuth Echo (API delegate)
• Have an iOS5-based integration and need access tokens for server-side integrations... → Using Reverse Auth (local iOS account)
43. Mobility
Native application
Secure way
• Redirect to browser, authorize/authenticate (NB! Not an embedded UI View!)
• Redirect back to app
• Possible without multitasking?
Not so secure way
• xAuth: works if there is trust between app and api (internal enterprise solution)
Alternative?
• for 3rd party app that absolutely does not want to use external browser
• Use Twitter app?
44. Mobility
HTML5 application
Redirect to auth-site
Redirect to app-site
45. Case 2
Facebook Graph API - OAuth v2 draft 14 (January 2011)
46. OAuth
(diagram legend: authenticate / authorize)
• Authentication in native Android apps (facebook app)
• Authentication in native iOS apps (facebook app)
• Authentication within a Page Tab on www.facebook.com (facebook spec)
• Authentication within a Canvas Page on apps.facebook.com (facebook spec)
• Authentication for Websites & Mobile Web apps using Javascript (client-side flow)
• Authentication for Websites & Mobile Web apps using a Server (server-side flow)
• Authentication for devices without access to a browser (PIN)
47. Mobility
Native application
Standard is using the Facebook app
if not logged in - log in (app)
if logged in but not authorized - pop authorization question (app)
If no Facebook app
Redirect to web
HTML5 application
Redirect to auth-site
Redirect to app-site
Reflection
48. Case 3
Home brew oauth-style authentication
49. Anonymous TVM (token vending machine)
50. Identity TVM
51. Mobility
Native application - identity TVM
Login towards TVM to collect token
Use token towards API
52. OAuth 2.0
rev 31
53. OAuth 2.0
54. RFC 5849
6 Flows
• User-Agent Flow – for clients running inside a user-agent (typically a web browser).
• Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
• Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
• Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
• Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
• Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
55. Conclusion
Tokens are great!
Authentication is hard.
How2 enforce?
switch (scenario) {
  case 3rd party native client consumes your enterprise API:
    Make sure the 3rd party uses an external browser for authentication;
    Alternative is to create own enterprise app on mobile device;
  case own app consumes service api to access resource owner’s stuff:
    Pop an external browser - because it’s the good thing to do;
  case you are the resource owner:
    Do not hand out your user & pass to untrusted parties;
  case your app consumes your api:
    see 3rd party options;
    add xAuth, Identity TVM, Username and Password flow;
}
In comparison - Web is easy!
56. Thank You
?
@mjidhage
@weeUnquietMind - GLUE Conference - “Is that a token in your phone in your pocket or are you just glad to see me?”
@webtonull - JavaZone - “RESTful Security”
@rickardoberg - JFokus - “Road to REST”
@bebb00 - OPKoKo 2010 - “OAuth”
@jancalmered - OPKoKo 2010 - “OAuth”