Securing APIs with OAuth 2.0
Kai Hofstetter
Kai Hofstetter
Senior Software Developer at 1&1
kai.hofstetter@gmx.de
@KaiHofstetter
https://github.com/KaiHofstetter
There is a Need for Securing APIs!
[Chart: Growth in Web APIs since 2005 (y-axis: API Count, 0 to 10.000)]
Source: http://www.slideshare.net/programmableweb/web-api-growthsince2005
Authenticating is a Good Thing
• Make sure you know who is calling you
• Split access rights to the API across different clients:
  Mobile: READ
  Control Panel: FULL
  Operating and Support: SPECIAL BULK
• Be able to cut off or throttle misbehaving clients without affecting all others
Meet the OAuth 2.0 Players
• The Resource Owner
• The Resource Server
• The Client
• The Authorization Server
Client Credentials Grant: Examples
• There is no direct association to a given user
  ...some configuration data
• Information is public
  …tweets on Twitter
• User is already authenticated, e.g. using some kind of session token
• Twitter Search API
Client Credentials Grant
(Players: Client, Authorization Server, Resource Server)
Step 1: The Client requests an AccessToken from the Authorization Server
POST .../token
Authorization: Basic czZCaGRSa3F0...
grant_type=client_credentials
Step 2: The Authorization Server issues an AccessToken
200 OK
{
"access_token":"2YotnFZcMWpAA",
"token_type":"Bearer",
"expires_in":3600
}
Step 3: The Client uses the AccessToken in the API call; the Resource Server validates it
API Call ...
Authorization: Bearer YotnFZFEjr1zCsicMWpAA
Step 4: The Resource Server returns a positive response with the data
The Client Credentials Grant
• Easy to implement as a client
• A trivial HTTP POST with credentials will return an AccessToken in JSON
• Just for confidential clients, which can keep a secret
• Warning about the Bearer token:
  Whoever has that AccessToken is authorized, so don't go about passing it along to other apps!
• No magical signatures, certificates or encryption...
  ...though HTTPS is an absolute MUST
Access Request Scope
• Principle of least privilege:
The less access rights the better!
• Request minimum needed rights
• Permit only minimum needed rights
Access Token Scope
Client Access Token Request:
POST .../token
Authorization: Basic czZCaGRSa3F0...
grant_type=client_credentials&scope=read_calendar
Authorization Server Response:
200 OK
{
"access_token":"2YotnFZcMWpAA",
"token_type":"Bearer",
"expires_in":3600,
"scope":"read_calendar"
}
Access Token Scope
• Defines the access rights of the client
• Scopes are case-sensitive and space-delimited
• The client can optionally add scopes to the access token request
• The Authorization Server determines the actual access token scope
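As an added example (not code from the slides), here is a toy client credentials token endpoint together with the matching resource-server check in Python. The client id, secret, scopes and tokens are constructed values, state lives in memory, and the granted scope is the intersection of what was requested and what the client is registered for, so the authorization server, not the client, decides the scope.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Registered confidential clients and the maximum scope each may be granted
# (constructed sample registrations).
CLIENTS = {
    "s6BhdRkqt3": {
        "secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
        "scope": {"read_calendar", "read_profile"},
    },
}

# Access tokens issued by the toy authorization server: token -> {client_id, scope}.
ISSUED = {}


def basic_header(client_id, client_secret):
    """Build the 'Authorization: Basic ...' header value a client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _authenticate_client(authorization):
    """Return the client_id proven by an HTTP Basic header, or None if authentication fails."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
        client_id, client_secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return None
    return client_id


def token_endpoint(authorization, body):
    """Handle POST .../token for grant_type=client_credentials.

    Returns (status, json) like the slide's '200 OK' response. The granted scope is
    the intersection of what the client requested and what it is registered for.
    """
    client_id = _authenticate_client(authorization)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    allowed = CLIENTS[client_id]["scope"]
    # Scope values are case-sensitive and space-delimited; no scope parameter
    # means "whatever the client is registered for".
    requested = set(params["scope"].split()) if params.get("scope") else allowed
    granted = requested & allowed
    if not granted:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(16)
    ISSUED[token] = {"client_id": client_id, "scope": granted}
    return 200, {
        "access_token": token,
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(granted)),
    }


def resource_server(authorization, required_scope):
    """Resource-server side: validate the Bearer token and check it carries the needed scope."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    info = ISSUED.get(authorization[len("Bearer "):])
    if info is None:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"client_id": info["client_id"], "data": "calendar entries"}


if __name__ == "__main__":
    auth = basic_header("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw")
    status, resp = token_endpoint(auth, "grant_type=client_credentials&scope=read_calendar%20write_calendar")
    print(status, resp)                                   # scope narrowed to read_calendar
    bearer = "Bearer " + resp["access_token"]
    print(resource_server(bearer, "read_calendar"))      # 200
    print(resource_server(bearer, "write_calendar"))     # 403 insufficient_scope
```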
It's Time for a Demo!
Image: https://flic.kr/p/jAZdRp
The Foosball Booking Service
Authenticating the User is a Good Thing
Scenario: A 'Booking Service' wants to add dates to your Google Calendar, as reminders
Icons: https://www.iconfinder.com/iconsets/social-media-8
Booking Service: "Hi Google Calendar! I am Bob with the password "foobar""
…but sharing credentials is the root of all evil
Booking Service: "Hi! I'd like to add an entry to the Calendar of Bob."
Google Calendar: "Bob, should the App be allowed to do that?"
Bob: "Sure!"
Google Calendar: "App, use this token to prove that Bob granted you access"
The Authorization Code Grant
• Application requests an AccessToken
• The user's browser gets redirected to grant access
• An AuthorizationCode is returned
• Application exchanges the AuthorizationCode for a real AccessToken
• Client passes the AccessToken as part of the API call
Authorization Code Grant
(Players: Backend, Authorization Server, Resource Server)
• The application redirects the browser of the user to the Authorization Server.
• The Authorization Server authenticates the user and asks him to approve the request.
• Upon successful approval, the Authorization Server sends an AuthorizationCode as part of the redirect to the app backend.
• The app backend then exchanges the AuthorizationCode for a regular AccessToken.
• The app backend then uses the AccessToken to call the Resource Server.
Looks Complicated? Not Really... 3 Simple Steps for the Client
Step 1: Request a token by redirecting the browser to the Authorization Server
GET /authorize?response_type=code&client_id=s6BhdRkqt3&
state=xyz&redirect_uri=https%3A%2F%2Fclient...
Step 2: The AuthorizationCode is sent to the redirect_uri as query parameter…
https://client...?code=SplxlO...&state=xyz
Step 3: Exchange the AuthorizationCode for an AccessToken
POST .../token
Authorization: Basic czZCaGRSa3F0...
grant_type=authorization_code&code=SplxlO...&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Demo!
The Authorization Code Grant
• The requesting application never sees the credentials
• The application gets access to the user's data without sharing the password
• The browser never has the AccessToken, only a harmless AuthorizationCode
• The application has to provide credentials when exchanging the AuthorizationCode for an AccessToken
  …making a lost AuthorizationCode useless!
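The three client steps above, driven end to end against a toy in-memory authorization server, as an added Python example that is not code from the slides. The client registration, redirect_uri, codes and tokens are constructed values, and the state check, exact redirect_uri matching, single-use codes and mandatory client authentication at the token endpoint are the checks that make a lost AuthorizationCode useless.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example/authorize"   # assumed authorization endpoint

# Constructed registration: a confidential backend client with one allowed redirect_uri.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "redirect_uri": "https://client.example.com/cb"},
}
CODES = {}    # authorization code -> {client_id, redirect_uri, user}
TOKENS = {}   # access token -> {client_id, user}


# Step 1 (client): build the redirect that sends the browser to the authorization server.
def build_authorize_url(client_id, redirect_uri):
    """Return (url, state); state is random, kept in the user's session and
    checked on the callback so a forged callback cannot bind someone else's code."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


# Authorization server: the user has authenticated and approved (or denied) the request.
def authorize(url, user, approved):
    """Return the redirect URL the browser is sent to, or None for a bad request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = CLIENTS.get(params.get("client_id"))
    # redirect_uri must match the registration exactly; otherwise the code could
    # be delivered to a location the client never registered.
    if client is None or params.get("redirect_uri") != client["redirect_uri"]:
        return None
    state = params.get("state", "")
    if not approved:
        return f"{client['redirect_uri']}?{urlencode({'error': 'access_denied', 'state': state})}"
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": params["client_id"], "redirect_uri": client["redirect_uri"], "user": user}
    return f"{client['redirect_uri']}?{urlencode({'code': code, 'state': state})}"


# Step 2 (client backend): receive the callback carrying the code as a query parameter.
def handle_callback(callback_url, expected_state):
    """Return the code, refusing callbacks whose state does not match the session."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError(params.get("error", "missing code"))
    return params["code"]


# Step 3 (token endpoint): exchange the code for an access token.
def exchange_code(client_id, client_secret, code, redirect_uri):
    """Simulate POST .../token with grant_type=authorization_code. The client must
    present its secret, so a code alone (e.g. leaked from a browser log) is useless."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    entry = CODES.pop(code, None)    # single use: a replayed code is rejected
    if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"client_id": client_id, "user": entry["user"]}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def run_flow(user="bob", approved=True):
    """Drive all three steps for one user; returns the token endpoint's (status, json)."""
    client_id = "s6BhdRkqt3"
    redirect_uri = CLIENTS[client_id]["redirect_uri"]
    url, state = build_authorize_url(client_id, redirect_uri)
    code = handle_callback(authorize(url, user, approved), state)
    return exchange_code(client_id, CLIENTS[client_id]["secret"], code, redirect_uri)


if __name__ == "__main__":
    print(run_flow())
```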
The Story of Refresh Tokens
RefreshTokens are issued alongside AccessTokens:
{
"access_token":"2Yotn…AA",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0…"
}
RefreshTokens can be used to request a new AccessToken:
POST .../token
Authorization: Basic czZCaGRSa3F0...
grant_type=refresh_token&refresh_token=tGzv3JOkF0...
Refresh Tokens
• …are used to request new AccessTokens once these have
expired
• …are a MUST for long-living access rights, e.g. when the
user should not be bothered with constant re-authentication
• …are credentials which should just be shared between the
client and the authorization server
Long-Living AccessTokens are a Bad Idea
Security
• The longer the AccessToken lives, the longer it can be misused
• A short-lived AccessToken forces the application to re-authenticate
Performance
• Short-lived AccessTokens are cached by the Authorization Server
• Costly re-authentication is only done when generating a new token, e.g. using the RefreshToken
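An added Python example (not code from the slides) of the refresh-token story and the short-lived access token behind it: the resource server rejects a token once expires_in has elapsed, and the client then uses its refresh token, authenticating with its client secret, to get a new pair. Client id, secret and tokens are constructed, the clock is passed in so expiry can be shown without waiting, and rotating the used refresh token is an added choice the slides do not prescribe.

```python
import hmac
import secrets

ACCESS_TOKEN_TTL = 3600   # seconds, matching the slides' expires_in

CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}   # constructed client registration
ACCESS = {}    # access token -> {client_id, user, expires_at}
REFRESH = {}   # refresh token -> {client_id, user}


def _issue_pair(client_id, user, now):
    """Create a short-lived access token plus a refresh token (the slides' response shape)."""
    access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
    ACCESS[access] = {"client_id": client_id, "user": user, "expires_at": now + ACCESS_TOKEN_TTL}
    REFRESH[refresh] = {"client_id": client_id, "user": user}
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}


def initial_grant(client_id, user, now):
    """Stand-in for the first grant (e.g. the authorization code exchange) that yields the pair."""
    return _issue_pair(client_id, user, now)


def refresh_grant(client_id, client_secret, refresh_token, now):
    """POST .../token with grant_type=refresh_token.

    The refresh token is a credential shared only between client and authorization
    server: the client must authenticate, and the token must have been issued to
    that same client. The used refresh token is rotated out (an added choice)."""
    secret = CLIENTS.get(client_id)
    if secret is None or not hmac.compare_digest(secret.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    entry = REFRESH.pop(refresh_token, None)
    if entry is None or entry["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    return 200, _issue_pair(client_id, entry["user"], now)


def validate_bearer(authorization, now):
    """Resource server: an unknown token or one past expires_at is rejected with 401,
    which is what sends the client back to the authorization server."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    info = ACCESS.get(authorization[len("Bearer "):])
    if info is None:
        return 401, {"error": "invalid_token"}
    if now >= info["expires_at"]:
        return 401, {"error": "invalid_token", "error_description": "access token expired"}
    return 200, {"user": info["user"]}


def call_api_with_refresh(client_id, client_secret, tokens, now):
    """Client side: call the API; on 401 use the refresh token once and retry.
    Returns (status, body, tokens) so the caller keeps the possibly renewed pair.
    If the refresh fails too, the user has to authenticate again."""
    status, body = validate_bearer("Bearer " + tokens["access_token"], now)
    if status == 401:
        r_status, r_body = refresh_grant(client_id, client_secret, tokens["refresh_token"], now)
        if r_status != 200:
            return r_status, r_body, tokens
        tokens = r_body
        status, body = validate_bearer("Bearer " + tokens["access_token"], now)
    return status, body, tokens


if __name__ == "__main__":
    t0 = 1_000_000
    pair = initial_grant("s6BhdRkqt3", "bob", t0)
    print(validate_bearer("Bearer " + pair["access_token"], t0 + 3600))   # 401, expired
    print(call_api_with_refresh("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw", pair, t0 + 3600)[:2])
```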
Implicit Grant
• Clients which cannot keep a secret
• Public client applications, e.g. JavaScript browser applications
Implicit Grant
• Application requests an AccessToken
• The user's browser gets redirected to grant access
• The AccessToken is returned
Implicit Grant
(Players: Authorization Server, Resource Server)
• The application redirects the browser of the user to the Authorization Server.
• The Authorization Server authenticates the user and asks him to approve the request.
• Upon successful approval, the Authorization Server sends an AccessToken as part of the redirect URL.
• The browser uses the AccessToken to call the Resource Server.
Implicit Grant
Request a token by redirecting the browser to the
Authorization Server
GET /authorize?response_type=token&client_id=s6BhdRkqt3&
state=xyz&redirect_uri=https%3A%2F%2Fclient...
The AccessToken is sent to the redirect_uri as
fragment identifier…
https://client...#access_token=2Yotn&state=xyz&token_type=bearer
&expires_in=3600…
Demo!
Implicit Grant
• Client doesn't have a secret and is not authenticated
• Only the user is authenticated
• User has to ensure that the client is trustworthy
• Only short-lived access tokens!
• No refresh tokens!
  User has to re-authenticate if the access token has expired!
Resource Owner Password Credentials Grant
• Clients from the same vendor as the application
• Clients which might not support redirects
• Clients which are highly trusted to receive the user credentials
  e.g. Mobile app of the same vendor
Resource Owner Password Credentials Grant
(Players: Client, Authorization Server)
Step 1: Request an AccessToken
POST .../token
Authorization: Basic czZCaGRSa3F0...
grant_type=password&username=john…&
password=A3…
Step 2: Issue an AccessToken
200 OK
{
"access_token":"2YotnFZcMWpAA",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0X…"
}
Demo!
Resource Owner Password Credentials Grant
• No need to store user credentials
• No redirect for user authentication needed
  No user experience break by opening a browser
• User credentials are shared!
  Client must be highly trustworthy!
Access Token Revocation
• Client access token revocation request:
POST .../revoke
Authorization: Basic czZCaGRSa3F0...
token=45ghiuk…&token_type_hint=refresh_token
• Later added spec
• Rarely implemented in the wild.
Summary
OAuth 2.0 is
• a framework, not a strict protocol
• extensible with own token types, grants…
• easy to implement
• no magic encryption or signatures
• HTTPS is a must
Links
• OAuth 2.0 Spec
https://tools.ietf.org/html/rfc6749
• OAuth 2.0 Bearer Token Spec
https://tools.ietf.org/html/rfc6750
• OAuth 2.0 Token Revocation Spec
https://tools.ietf.org/html/rfc7009
• Spring Security OAuth
http://projects.spring.io/spring-security-oauth/
• Samples
https://github.com/KaiHofstetter

Más contenido relacionado

La actualidad más candente

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 

La actualidad más candente (20)

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 

Similar a Securing APIs with OAuth 2.0

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connectDerek Binkley
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessidsecconf
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 

Similar a Securing APIs with OAuth 2.0 (20)

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 

Último

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Securing APIs with OAuth 2.0

  • 1. Securing APIs with OAuth 2.0 Kai Hofstetter
  • 2. Kai Hofstetter Senior Software Developer at 1&1 kai.hofstetter@gmx.de @KaiHofstetter https://github.com/KaiHofstetter
  • 3.
  • 4. There is a Need for Securing APIs!
    [Chart: Growth in Web APIs since 2005, API count on a 0 to 10,000 axis]
    Source: http://www.slideshare.net/programmableweb/web-api-growthsince2005
  • 5. Authenticating is a Good Thing
    • Make sure you know who is calling you
    • Split access rights to the API across different clients:
        Mobile: READ
        Control Panel: FULL
        Operating and Support: SPECIAL BULK
    • Be able to cut off or throttle misbehaving clients without affecting all others
  • 6. Meet the OAuth 2.0 Players
  • 7. Meet the OAuth 2.0 Players The Resource Owner
  • 8. Meet the OAuth 2.0 Players The Resource Server
  • 9. Meet the OAuth 2.0 Players The Client
  • 10. Meet the OAuth 2.0 Players The Authorization Server
  • 11. Client Credentials Grant: Examples
    • There is no direct association to a given user, e.g. some configuration data
    • The information is public, e.g. tweets on Twitter
    • The user is already authenticated, e.g. using some kind of session token
    • Twitter Search API
  • 12. Client Credentials Grant: the Client requests an AccessToken from the Authorization Server
      POST .../token
      Authorization: Basic czZCaGRSa3F0...

      grant_type=client_credentials
  • 13. Client Credentials Grant: the Authorization Server issues an AccessToken
      200 OK
      {
        "access_token":"2YotnFZcMWpAA",
        "token_type":"Bearer",
        "expires_in":3600
      }
  • 14. Client Credentials Grant: the Client uses the AccessToken in the API call; the Resource Server validates it
      API Call ...
      Authorization: Bearer 2YotnFZcMWpAA
  • 15. Client Credentials Grant: after validating the AccessToken, the Resource Server answers with a positive response and the data
  • 16. The Client Credentials Grant
    • Easy to implement as a client
    • A trivial HTTP POST with credentials will return an AccessToken in JSON
    • Only for confidential clients, which can keep a secret
    • Warning about the Bearer token: whoever has that AccessToken is authorized, so don't go passing it along to other apps!
    • No magical signatures, certificates or encryption ... though HTTPS is an absolute MUST
  • 17. Access Request Scope
    • Principle of least privilege: the fewer access rights the better!
    • Request the minimum needed rights
    • Permit only the minimum needed rights
  • 18. Access Token Scope
    Client Access Token Request:
      POST .../token
      Authorization: Basic czZCaGRSa3F0...

      grant_type=client_credentials&scope=read_calendar
    Authorization Server Response:
      200 OK
      {
        "access_token":"2YotnFZcMWpAA",
        "token_type":"Bearer",
        "expires_in":3600,
        "scope":"read_calendar"
      }
  • 19. Access Token Scope
    • Defines the access rights of the client
    • Scopes are case-sensitive and space-delimited
    • The client can optionally add scopes to the access token request
    • The Authorization Server determines the actual access token scope; if it grants less than was requested, it has to report the granted scope in the response (RFC 6749, section 5.1)
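The client credentials exchange of slides 12 to 16 and the scope narrowing of slides 18 and 19, as an added example that is not part of the talk or the speaker's samples. It simulates all three parties in one process so it runs offline: the client builds the POST from slide 18, the authorization server authenticates the client from the Basic header and intersects the requested scope with what the client is registered for, and the resource server checks expiry and scope on the bearer token. The client id, secret, scope names, token store and endpoint function names are assumptions for illustration.

```python
"""Added example (not from the talk): client credentials grant with scope
narrowing, simulated in-process. Client id, secret and scopes are made up."""
import base64
import secrets
import time

# Constructed registry: the most a given confidential client may ever be granted.
CLIENT_REGISTRY = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "allowed_scopes": {"read_calendar"}},
}
ISSUED_TOKENS = {}   # access_token -> {"client_id", "scope", "expires_at"}


def basic_auth_header(client_id, client_secret):
    """The Authorization header a client sends to the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id, client_secret, scope=None):
    """Client side: the POST from slide 18 as (headers, form body)."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = " ".join(scope)   # scopes are space-delimited
    return ({"Authorization": basic_auth_header(client_id, client_secret),
             "Content-Type": "application/x-www-form-urlencoded"}, body)


def token_endpoint(headers, body, now=None):
    """Authorization server: authenticate the client, then decide the scope."""
    now = time.time() if now is None else now
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client = CLIENT_REGISTRY.get(client_id)
    # Constant-time comparison so the secret check does not leak timing.
    if client is None or not secrets.compare_digest(secret, client["secret"]):
        return 401, {"error": "invalid_client"}
    if body.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    requested = set(body.get("scope", "").split()) or client["allowed_scopes"]
    granted = requested & client["allowed_scopes"]   # the server has the last word
    if not granted:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS[token] = {"client_id": client_id, "scope": granted,
                            "expires_at": now + 3600}
    resp = {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    if granted != requested:   # RFC 6749 5.1: tell the client what it really got
        resp["scope"] = " ".join(sorted(granted))
    return 200, resp


def resource_endpoint(headers, required_scope, now=None):
    """Resource server: validate the bearer token and enforce the scope."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    info = ISSUED_TOKENS.get(token) if scheme == "Bearer" else None
    if info is None or info["expires_at"] <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"data": "calendar entries visible to " + info["client_id"]}


if __name__ == "__main__":
    hdrs, body = build_token_request("s6BhdRkqt3", "gX1fBat3bV",
                                     ["read_calendar", "write_calendar"])
    status, resp = token_endpoint(hdrs, body)
    print(status, resp)   # scope in the answer is narrowed to read_calendar
    bearer = {"Authorization": "Bearer " + resp["access_token"]}
    print(resource_endpoint(bearer, "write_calendar"))   # 403 insufficient_scope
```

The two things worth copying into a real implementation are the constant-time secret comparison and the fact that the server, not the client, decides the final scope and says so in the response when it differs from the request.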
  • 20. It‘s Time for a Demo!
  • 22.-29. Authenticating the User is a Good Thing
    Scenario: a 'Booking Service' wants to add dates to your Google Calendar, as reminders
    The naive way, the Booking Service to Google Calendar: "Hi Google Calendar! I am Bob with the password "foobar""
    ... but sharing credentials is the root of all evil
    The OAuth way:
      App: "Hi! I'd like to add an entry to the Calendar of Bob."
      Google Calendar: "Bob, should the App be allowed to do that?"
      Bob: "Sure!"
      Google Calendar: "App, use this token to prove that Bob granted you access"
    Icons: https://www.iconfinder.com/iconsets/social-media-8
  • 30. The Authorization Code Grant
    • Application requests an AccessToken
    • The user's browser gets redirected to grant access
    • An AuthorizationCode is returned
    • Application exchanges the AuthorizationCode for a real AccessToken
    • Client passes the AccessToken as part of the API call
  • 31. Authorization Code Grant [diagram: Backend, Authorization Server, Resource Server]
    • The application redirects the browser of the user to the Authorization Server.
    • The Authorization Server authenticates the user and asks him to approve the request.
  • 32. Authorization Code Grant
    • Upon successful approval, the Authorization Server sends an AuthorizationCode as part of the redirect to the app backend.
  • 33. Authorization Code Grant
    • The app backend then exchanges the AuthorizationCode for a regular AccessToken.
  • 34. Authorization Code Grant
    • The app backend then uses the AccessToken to call the Resource Server.
  • 35. Looks Complicated? Not Really... 3 Simple Steps for the Client
    Step 1: Request a token by redirecting the browser to the Authorization Server
      GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient...
  • 36. Looks Complicated? Not Really... 3 Simple Steps for the Client
    Step 2: The AuthorizationCode is sent to the redirect_uri as a query parameter...
      https://client...?code=SplxlO...&state=xyz
  • 37. Looks Complicated? Not Really... 3 Simple Steps for the Client
    Step 3: Exchange the AuthorizationCode for an AccessToken
      POST .../token
      Authorization: Basic czZCaGRSa3F0...

      grant_type=authorization_code&code=SplxlO...&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • 38. Demo!
  • 39. The Authorization Code Grant
    • The requesting application never sees the user's credentials
    • The application gets access to the user's data without sharing the password
    • The browser never has the AccessToken, only the AuthorizationCode
    • The application has to provide its own credentials when exchanging the AuthorizationCode for an AccessToken ... making a lost AuthorizationCode useless without the client secret
    • The code is single-use and short-lived (RFC 6749 recommends a lifetime of at most 10 minutes), and the client must check the state parameter on the callback so that a response cannot be injected into another user's session (CSRF)
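The three client steps of slides 35 to 37 together with the authorization server checks that make slide 39 true, as an added example that is not part of the talk or the speaker's samples. Everything runs in one process: the client builds the authorize URL with a random state, verifies that state on the callback, and the server only exchanges a code that is unused, fresh, bound to the registered redirect_uri and presented with the client secret; a replayed code is refused and the access token already issued from it is revoked, as RFC 6749 section 4.1.2 asks. The client id, secret, redirect URI, in-memory code and token stores and the function names are assumptions.

```python
"""Added example (not from the talk): the three client steps of the
authorization code grant plus the server-side checks that make a leaked
AuthorizationCode useless. Client id, secret and URLs are made up."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration: the AS knows the secret and the redirect URI.
CLIENTS = {"s6BhdRkqt3": {"secret": "gX1fBat3bV",
                          "redirect_uri": "https://client.example.com/cb"}}
CODES = {}    # code -> {"client_id", "redirect_uri", "user", "issued_at", "used"}
TOKENS = {}   # access_token -> code it was issued from (for revocation on replay)
CODE_LIFETIME = 600   # seconds; RFC 6749 recommends at most 10 minutes


def _params(url, part):
    """First value of each parameter in the URL's query or fragment."""
    return {k: v[0] for k, v in parse_qs(getattr(urlsplit(url), part)).items()}


def build_authorize_url(auth_base, client_id, redirect_uri, session):
    """Step 1 (client): redirect the browser here. `state` is random and kept
    in the user's session so the callback can be tied to this request."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": session["oauth_state"]})
    return f"{auth_base}/authorize?{query}"


def authorize(url, user, approved, now=None):
    """Authorization server: after login and consent, redirect back with a
    code bound to this client and redirect URI (or with an error)."""
    now = time.time() if now is None else now
    q = _params(url, "query")
    client = CLIENTS.get(q.get("client_id"))
    # Never redirect to an unregistered URI: that would hand the code to an attacker.
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    if not approved:
        return client["redirect_uri"] + "?" + urlencode(
            {"error": "access_denied", "state": q.get("state", "")})
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                   "user": user, "issued_at": now, "used": False}
    return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})


def handle_callback(callback_url, session):
    """Step 2 (client): read the code from the callback. A state that does not
    match the session means this response was not started by this user (CSRF)."""
    q = _params(callback_url, "query")
    expected = session.pop("oauth_state", None)
    if not expected or not secrets.compare_digest(q.get("state", ""), expected):
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    return q["code"]


def exchange_code(client_id, client_secret, code, redirect_uri, now=None):
    """Step 3 (server side of POST /token): the client must authenticate and
    the code must be fresh, unused and bound to this client and URI."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client_secret, client["secret"]):
        return 401, {"error": "invalid_client"}
    entry = CODES.get(code)
    if (entry is None or entry["client_id"] != client_id
            or entry["redirect_uri"] != redirect_uri
            or now - entry["issued_at"] > CODE_LIFETIME):
        return 400, {"error": "invalid_grant"}
    if entry["used"]:
        # Replay: deny, and revoke every token issued from this code (RFC 6749 4.1.2).
        for tok in [t for t, src in TOKENS.items() if src == code]:
            del TOKENS[tok]
        return 400, {"error": "invalid_grant"}
    entry["used"] = True
    access = secrets.token_urlsafe(24)
    TOKENS[access] = code
    return 200, {"access_token": access, "token_type": "Bearer", "expires_in": 3600}


def token_is_valid(access_token):
    """What the resource server would check before serving a request."""
    return access_token in TOKENS
```

Note that the client secret is what turns a stolen code into a dead end; for a public client, which has no secret, the same binding is achieved with PKCE (RFC 7636), which is outside what the slides cover.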
  • 40. The Story of Refresh Tokens
    RefreshTokens are issued alongside AccessTokens:
      {
        "access_token":"2Yotn…AA",
        "token_type":"Bearer",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0…"
      }
    RefreshTokens can be used to request a new AccessToken:
      POST .../token
      Authorization: Basic czZCaGRSa3F0...

      grant_type=refresh_token&refresh_token=tGzv3JOkF0...
  • 41. Refresh Tokens
    • ... are used to request new AccessTokens once these have expired
    • ... are a MUST for long-living access rights, e.g. when the user should not be bothered with constant re-authentication
    • ... are credentials which are only ever exchanged between the client and the Authorization Server, and never sent to a Resource Server
  • 42. Long Living AccessTokens are a Bad Idea
    Security
    • The longer the AccessToken lives, the longer it can be misused
    • A short-lived AccessToken forces the application to re-authenticate regularly (with the RefreshToken, or by going through the grant again)
    Performance
    • Short-lived AccessTokens can be cached by the Authorization Server, so validating them stays cheap
    • Costly re-authentication is only done when generating a new token, e.g. using the RefreshToken
  • 43. Implicit Grant
    • For clients which cannot keep a secret
    • Public client applications, e.g. JavaScript browser applications
  • 44. Implicit Grant
    • Application requests an AccessToken
    • The user's browser gets redirected to grant access
    • The AccessToken is returned directly
  • 45. Implicit Grant [diagram: Authorization Server, Resource Server]
    • The application redirects the browser of the user to the Authorization Server.
    • The Authorization Server authenticates the user and asks him to approve the request.
  • 46. Implicit Grant
    • Upon successful approval, the Authorization Server sends an AccessToken as part of the redirect URL.
  • 47. Implicit Grant
    • The browser uses the AccessToken to call the Resource Server.
  • 48. Implicit Grant
    Request a token by redirecting the browser to the Authorization Server:
      GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient...
    The AccessToken is sent to the redirect_uri as fragment identifier:
      https://client...#access_token=2Yotn&state=xyz&token_type=bearer&expires_in=3600…
  • 49. Demo!
  • 50. Implicit Grant
    • The client doesn't have a secret and is not authenticated
    • Only the user is authenticated
    • The user has to ensure that the client is trustworthy
    • Only short-living access tokens!
    • No refresh tokens! The user has to re-authenticate if the access token has expired!
    • Note: because the token travels through the browser (URL, history, every script on the page), the OAuth 2.0 Security Best Current Practice (RFC 9700) says clients SHOULD NOT use the implicit grant; browser-based and other public clients should use the authorization code grant with PKCE (RFC 7636) instead
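What a browser-based client has to check when the token arrives in the fragment, as shown on slide 48, written as an added example that is not part of the talk. It is a Python parser over a constructed redirect URL (a real JavaScript client would read the same string from window.location.hash); it rejects a token that shows up in the query string instead of the fragment, a state that does not match what the client sent, an error response, and an unexpected token_type. The URL, state value and function name are assumptions.

```python
"""Added example (not from the talk): validating an implicit-grant redirect.
The redirect URL and state below are constructed for the example."""
import secrets
from urllib.parse import parse_qs, urlsplit


def parse_implicit_response(redirect_url, expected_state):
    """Return the token parameters, or raise if the response cannot be trusted."""
    parts = urlsplit(redirect_url)
    # The token belongs in the fragment, which browsers never send to a server
    # and never put in a Referer header; a token in the query string is a
    # misbehaving or spoofed authorization server.
    if parts.query and "access_token" in parse_qs(parts.query):
        raise ValueError("access token delivered in the query string")
    p = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    # state must match what this client put in the authorize request; otherwise
    # someone may be injecting a token obtained elsewhere into this session.
    if not secrets.compare_digest(p.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF / token injection")
    if "error" in p:
        raise ValueError("authorization failed: " + p["error"])
    if p.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type " + repr(p.get("token_type")))
    if "access_token" not in p:
        raise ValueError("no access_token in fragment")
    return {"access_token": p["access_token"],
            "expires_in": int(p.get("expires_in", "0")),
            "scope": p.get("scope", "").split()}


def needs_new_token(token_info, issued_at, now):
    """No refresh token exists in this grant: once expires_in has elapsed the
    only option is to send the user through the authorize redirect again."""
    return token_info["expires_in"] <= 0 or now >= issued_at + token_info["expires_in"]
```

Even with these checks the client cannot tell whether the token was originally issued to it or to some other client, which is one of the reasons the grant is now discouraged in favour of the authorization code grant with PKCE.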
  • 51. Resource Owner Password Credentials Grant
    • Clients from the same vendor as the application
    • Clients which might not support redirects
    • Clients which are highly trusted to receive the user credentials, e.g. the mobile app of the same vendor
  • 52. Resource Owner Password Credentials Grant: the Client requests an AccessToken from the Authorization Server
      POST .../token
      Authorization: Basic czZCaGRSa3F0...

      grant_type=password&username=john…&password=A3…
  • 53. Resource Owner Password Credentials Grant: the Authorization Server issues an AccessToken
      200 OK
      {
        "access_token":"2YotnFZcMWpAA",
        "token_type":"Bearer",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0X…"
      }
  • 54. Demo!
  • 55. Resource Owner Password Credentials Grant
    • No need to store the user credentials (they are exchanged once for an AccessToken and RefreshToken)
    • No redirect for user authentication needed, so no user-experience break by opening a browser
    • User credentials are shared! The client must be highly trustworthy!
    • Note: RFC 9700 (OAuth 2.0 Security Best Current Practice) now says this grant MUST NOT be used: it exposes the user's password to the client and trains users to type their credentials into places other than the Authorization Server
  • 56. Access Token Revocation
    • Client token revocation request (RFC 7009):
        POST .../revoke
        Authorization: Basic czZCaGRSa3F0...

        token=45ghiuk…&token_type_hint=refresh_token
    • A later-added spec
    • Rarely implemented in the wild
    • The endpoint answers 200 even for an unknown token, and revoking a RefreshToken should also invalidate the AccessTokens issued from the same grant (RFC 7009, section 2)
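An in-memory token store that implements the refresh flow of slides 40 to 42 and the revocation endpoint of slide 56 in one place, as an added example that is not part of the talk or the speaker's samples. Access tokens expire after an hour, refresh tokens are rotated on every use and a replay of an already-rotated refresh token is treated as theft and kills the whole grant (the rotation behaviour is a later best practice from RFC 9700, not something the slides describe), and the /revoke handler follows RFC 7009: 200 even for unknown tokens, and revoking a refresh token takes its access tokens with it. The client id, secret, lifetimes, store layout and function names are assumptions.

```python
"""Added example (not from the talk): refresh token rotation plus RFC 7009
revocation over an in-memory token store. Client id, secret, lifetimes and
the store layout are made up for the example."""
import secrets
import time

ACCESS_LIFETIME = 3600
REFRESH_LIFETIME = 30 * 24 * 3600
ACCESS = {}    # access_token -> {"client_id", "grant", "expires_at"}
REFRESH = {}   # refresh_token -> {"client_id", "grant", "expires_at", "rotated_to"}
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}   # constructed confidential client


def _client_ok(client_id, client_secret):
    secret = CLIENTS.get(client_id)
    return secret is not None and secrets.compare_digest(client_secret, secret)


def _issue(client_id, grant, now):
    """Mint an access/refresh pair that both remember the approval they came from."""
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
    ACCESS[access] = {"client_id": client_id, "grant": grant,
                      "expires_at": now + ACCESS_LIFETIME}
    REFRESH[refresh] = {"client_id": client_id, "grant": grant,
                        "expires_at": now + REFRESH_LIFETIME, "rotated_to": None}
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_LIFETIME, "refresh_token": refresh}


def _revoke_grant(grant):
    """Drop every token, access or refresh, that descends from one user approval."""
    for store in (ACCESS, REFRESH):
        for tok in [t for t, e in store.items() if e["grant"] == grant]:
            del store[tok]


def issue_for_grant(client_id, user, now=None):
    """Called once the user has approved, e.g. at the end of the code exchange."""
    now = time.time() if now is None else now
    return _issue(client_id, f"{client_id}:{user}:{secrets.token_hex(4)}", now)


def refresh_grant(client_id, client_secret, refresh_token, now=None):
    """POST /token with grant_type=refresh_token (slide 40). The used refresh
    token is retired; presenting a retired one again is treated as theft."""
    now = time.time() if now is None else now
    if not _client_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    entry = REFRESH.get(refresh_token)
    if entry is None or entry["client_id"] != client_id or entry["expires_at"] <= now:
        return 400, {"error": "invalid_grant"}
    if entry["rotated_to"] is not None:
        _revoke_grant(entry["grant"])   # replay: attacker or victim, kill both
        return 400, {"error": "invalid_grant"}
    new = _issue(client_id, entry["grant"], now)
    entry["rotated_to"] = new["refresh_token"]
    return 200, new


def revoke(client_id, client_secret, token, token_type_hint=None):
    """POST /revoke (RFC 7009). Unknown tokens still get 200, so the endpoint
    cannot be used to probe which tokens exist; a token that belongs to another
    client is refused; revoking a refresh token also removes its access tokens."""
    if not _client_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    # The hint only says where to look first; fall back to the other store.
    stores = [REFRESH, ACCESS] if token_type_hint == "refresh_token" else [ACCESS, REFRESH]
    for store in stores:
        entry = store.get(token)
        if entry is None:
            continue
        if entry["client_id"] != client_id:
            return 400, {"error": "invalid_request"}
        if store is REFRESH:
            _revoke_grant(entry["grant"])
        else:
            del ACCESS[token]
        break
    return 200, {}


def introspect(access_token, now=None):
    """Resource server side: the token is good only if present and not expired."""
    now = time.time() if now is None else now
    entry = ACCESS.get(access_token)
    return entry is not None and entry["expires_at"] > now
```

Keeping the grant identifier on every token is what makes both the replay response and the RFC 7009 cascade a one-line loop; a store that only maps tokens to users cannot do either.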
  • 57. Summary: OAuth 2.0 is
    • a framework, not a strict protocol
    • extensible with own token types, grants, ...
    • easy to implement
    • no magic encryption or signatures
    • HTTPS is a must
  • 58. Links
    • OAuth 2.0 Spec: https://tools.ietf.org/html/rfc6749
    • OAuth 2.0 Bearer Token Spec: https://tools.ietf.org/html/rfc6750
    • OAuth 2.0 Token Revocation Spec: https://tools.ietf.org/html/rfc7009
    • Spring Security OAuth: http://projects.spring.io/spring-security-oauth/
    • Samples: https://github.com/KaiHofstetter