SlideShare una empresa de Scribd logo

Incorporating OAuth

Descargar como PPTX, PDF
Twobo Technologies
Twobo Technologies

How to incorporate OAuth 2 into a mobile application with an example of an Android app created with PhoneGap and JQuery Mobile

Tecnología
1 de 21
Incorporating OAuth How to integrate OAuth into your mobile app By Travis Spencer, CEO @travisspencer, @2botech Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda  The security challenge in context  Neo-security stack  OAuth Basics  Overview of other layers Copyright © 2013 Twobo Technologies AB. All rights reserved
Crucial Security Concerns Copyright © 2013 Twobo Technologies AB. All rights reserved Enterprise Security API Security Mobile Security
Identity is Central Copyright © 2013 Twobo Technologies AB. All rights reserved MDM MAM A u t h Z Mobile Security API Security Enterprise Security Identity Venn diagram by Gunnar Peterson
Neo-security Stack  SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack  OAuth 2 is the new meta-protocol defining how tokens are handled  These address old requirements, solves new problems & are composed in useful ways Copyright © 2013 Twobo Technologies AB. All rights reserved Grandpa SAML & junior OpenID Connect
OAuth Actors  Client  Authorization Server (AS)  Resource Server (RS) (i.e., API)  Resource Owner (RO) Copyright © 2013 Twobo Technologies AB. All rights reserved Get a token User a token RS Client AS
OAuth Mobile App Flow Copyright © 2013 Twobo Technologies AB. All rights reserved
Request Authorization Copyright © 2013 Twobo Technologies AB. All rights reserved
Authenticate & Authorize Copyright © 2013 Twobo Technologies AB. All rights reserved
Register Custom Scheme in App <activity android:name=".CallbackActivity“ …> <intent-filter> <data android:scheme="twobo" /> … </intent-filter> </activity> Copyright © 2013 Twobo Technologies AB. All rights reserved
Callback to Custom Scheme In OAuth Server, configure to callback to scheme that was registered Copyright © 2013 Twobo Technologies AB. All rights reserved
Exchange Code for Token Copyright © 2013 Twobo Technologies AB. All rights reserved AC
Calling the Token Endpoint var data = { "client_id" : clientId, "client_secret" : clientSecret, "code" : code, "grant_type" : "authorization_code", "response_type" : "token" }; $.post(tokenEndpoint, data, processAccessToken, "json"); Copyright © 2013 Twobo Technologies AB. All rights reserved AC AT, RT
Tokens are Often JWTs  Pronounced like the English word “jot”  Lightweight tokens passed in HTTP headers & query strings  Akin to SAML tokens  Less expressive  Less security options  More compact  Encoded w/ JSON not XML Copyright © 2013 Twobo Technologies AB. All rights reserved
Calling the API Provide AT to API according to bearer token profile $.ajax({ url: apiEndpoint, dataType: 'json', headers: {"Authorization":"Bearer "+accessToken}, success: processResults }); Copyright © 2013 Twobo Technologies AB. All rights reserved
API May Validate Token def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken): values = { "client_id" : clientId, "client_secret" : clientSecret, "grant_type" : “…", "token" : accessToken, } request = urllib2.Request(tokenEndpoint, urllib.urlencode(values)) return urllib2.urlopen(request) Copyright © 2013 Twobo Technologies AB. All rights reserved
• App should only present AT to API • Never send RT to API • Use RT to get new AT if AT expires • App can’t use AT to determine anything about user App Consumes API Data Copyright © 2013 Twobo Technologies AB. All rights reserved
Overview of OpenID Connect  Builds on OAuth for profile sharing  Uses the flows optimized for user-consent scenarios  Adds identity-based inputs/outputs to core OAuth messages  Tokens are JWTs Copyright © 2013 Twobo Technologies AB. All rights reserved
What OAuth is and is not for Copyright © 2013 Twobo Technologies AB. All rights reserved Not for authentication Not really for authorization For delegation
Questions & Thanks @2botech @travisspencer www.2botech.com travisspencer.com Copyright © 2013 Twobo Technologies AB. All rights reserved
Incorporating OAuth

Recomendados

Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security StackTwobo Technologies
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Designing an API
Designing an APIDesigning an API
Designing an APITwobo Technologies
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldTwobo Technologies
 
Transforming organizations into platforms
Transforming organizations into platformsTransforming organizations into platforms
Transforming organizations into platformsTwobo Technologies
 
The JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteThe JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteTwobo Technologies
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo Technologies
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 

Recomendados

Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security StackTwobo Technologies
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Designing an API
Designing an APIDesigning an API
Designing an APITwobo Technologies
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldTwobo Technologies
 
Transforming organizations into platforms
Transforming organizations into platformsTransforming organizations into platforms
Transforming organizations into platformsTwobo Technologies
 
The JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteThe JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteTwobo Technologies
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo Technologies
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherTwobo Technologies
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesTwobo Technologies
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01Nordic APIs
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open IdConSanFrancisco123
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Web architecture mechanism and threats
Web architecture mechanism and threatsWeb architecture mechanism and threats
Web architecture mechanism and threatsSumedt Jitpukdebodin
 
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to ScopesOAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to ScopesNordic APIs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsNordic APIs
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
Windows azure media services overview
Windows azure media services overviewWindows azure media services overview
Windows azure media services overviewGuada Casuso
 
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...Edureka!
 
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...JoAnna Cheshire
 
Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsNordic APIs
 
Introduction to Comoyo
Introduction to ComoyoIntroduction to Comoyo
Introduction to ComoyoNordic APIs
 

Más contenido relacionado

La actualidad más candente

Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherTwobo Technologies
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesTwobo Technologies
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01Nordic APIs
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
Web architecture mechanism and threats
Web architecture mechanism and threatsWeb architecture mechanism and threats
Web architecture mechanism and threatsSumedt Jitpukdebodin
 
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to ScopesOAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to ScopesNordic APIs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsNordic APIs
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
Windows azure media services overview
Windows azure media services overviewWindows azure media services overview
Windows azure media services overviewGuada Casuso
 
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...Edureka!
 
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...JoAnna Cheshire
 

La actualidad más candente (20)

Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All Together
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile app
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for Microservices
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure API
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID Connect
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashups
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open Id
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Web architecture mechanism and threats
Web architecture mechanism and threatsWeb architecture mechanism and threats
Web architecture mechanism and threats
 
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to ScopesOAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page Applications
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
Windows azure media services overview
Windows azure media services overviewWindows azure media services overview
Windows azure media services overview
 
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...
 
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...
 

Destacado

Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsNordic APIs
 
Introduction to Comoyo
Introduction to ComoyoIntroduction to Comoyo
Introduction to ComoyoNordic APIs
 
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012SCIM presentation from CIS 2012
SCIM presentation from CIS 2012Twobo Technologies
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 

Destacado (7)

Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of Things
 
Introduction to Comoyo
Introduction to ComoyoIntroduction to Comoyo
Introduction to Comoyo
 
Beveiliging en REST services
Beveiliging en REST servicesBeveiliging en REST services
Beveiliging en REST services
 
#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers
 
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 

Similar a Incorporating OAuth

OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
AT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep DiveAT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep DiveMichael Owens
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...CA API Management
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Hitachi, Ltd. OSS Solution Center.
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIISylvain Maret
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud Amazon Web Services
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Rogue Wave Software
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksAmazon Web Services
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCloudIDSummit
 
Reply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT AdvancedReply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT AdvancedAndrea Mercanti
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT ArchitecturesAmazon Web Services
 

Similar a Incorporating OAuth (20)

OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
AT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep DiveAT&T 2012 DevLab Speech API Deep Dive
AT&T 2012 DevLab Speech API Deep Dive
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
 
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
App Security with Keycloak and Quarkus
App Security with Keycloak and QuarkusApp Security with Keycloak and Quarkus
App Security with Keycloak and Quarkus
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Best Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech TalksBest Practices with IoT Security - February Online Tech Talks
Best Practices with IoT Security - February Online Tech Talks
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
 
Reply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT AdvancedReply Webinar Online - Mastering AWS - IoT Advanced
Reply Webinar Online - Mastering AWS - IoT Advanced
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures3 Easy Steps to Building Large-Scale IoT Architectures
3 Easy Steps to Building Large-Scale IoT Architectures
 

Último

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Incorporating OAuth

  • 1. Incorporating OAuth How to integrate OAuth into your mobile app By Travis Spencer, CEO @travisspencer, @2botech Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 2. Agenda  The security challenge in context  Neo-security stack  OAuth Basics  Overview of other layers Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 3. Crucial Security Concerns Copyright © 2013 Twobo Technologies AB. All rights reserved Enterprise Security API Security Mobile Security
  • 4. Identity is Central Copyright © 2013 Twobo Technologies AB. All rights reserved MDM MAM A u t h Z Mobile Security API Security Enterprise Security Identity Venn diagram by Gunnar Peterson
  • 5. Neo-security Stack  SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack  OAuth 2 is the new meta-protocol defining how tokens are handled  These address old requirements, solves new problems & are composed in useful ways Copyright © 2013 Twobo Technologies AB. All rights reserved Grandpa SAML & junior OpenID Connect
  • 6. OAuth Actors  Client  Authorization Server (AS)  Resource Server (RS) (i.e., API)  Resource Owner (RO) Copyright © 2013 Twobo Technologies AB. All rights reserved Get a token User a token RS Client AS
  • 7. OAuth Mobile App Flow Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 8. Request Authorization Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 9. Authenticate & Authorize Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 10. Register Custom Scheme in App <activity android:name=".CallbackActivity“ …> <intent-filter> <data android:scheme="twobo" /> … </intent-filter> </activity> Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 11. Callback to Custom Scheme In OAuth Server, configure to callback to scheme that was registered Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 12. Exchange Code for Token Copyright © 2013 Twobo Technologies AB. All rights reserved AC
  • 13. Calling the Token Endpoint var data = { "client_id" : clientId, "client_secret" : clientSecret, "code" : code, "grant_type" : "authorization_code", "response_type" : "token" }; $.post(tokenEndpoint, data, processAccessToken, "json"); Copyright © 2013 Twobo Technologies AB. All rights reserved AC AT, RT
  • 14. Tokens are Often JWTs  Pronounced like the English word “jot”  Lightweight tokens passed in HTTP headers & query strings  Akin to SAML tokens  Less expressive  Less security options  More compact  Encoded w/ JSON not XML Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 15. Calling the API Provide AT to API according to bearer token profile $.ajax({ url: apiEndpoint, dataType: 'json', headers: {"Authorization":"Bearer "+accessToken}, success: processResults }); Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 16. API May Validate Token def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken): values = { "client_id" : clientId, "client_secret" : clientSecret, "grant_type" : “…", "token" : accessToken, } request = urllib2.Request(tokenEndpoint, urllib.urlencode(values)) return urllib2.urlopen(request) Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 17. • App should only present AT to API • Never send RT to API • Use RT to get new AT if AT expires • App can’t use AT to determine anything about user App Consumes API Data Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 18. Overview of OpenID Connect  Builds on OAuth for profile sharing  Uses the flows optimized for user-consent scenarios  Adds identity-based inputs/outputs to core OAuth messages  Tokens are JWTs Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 19. What OAuth is and is not for Copyright © 2013 Twobo Technologies AB. All rights reserved Not for authentication Not really for authorization For delegation