OAuth2 + API Security

Amila Paranawithana, Software Engineer
APIs and managing APIs
• Private APIs and public APIs (Twitter, Facebook)
• Even though these APIs are public, there must be access control (e.g. nobody else can update your Facebook status on your behalf)
Securing APIs (before OAuth)
• Basic auth: sending the user's credentials in the HTTP Authorization header
• Mutual authentication: based on certificates; the server authenticates to the client and the client to the server

Problem?
Only two parties are involved. What happens if a third party (a client/app) wants to call APIs on your behalf?
We need a better method.
Why we need a better method
• Third-party applications cannot store the password as a salted hash; they have to keep it in clear text because they will use the user's credentials later to access resources.
• The resource owner cannot limit how long clients may access his resources, or which resources they may access.
• Resource owners cannot revoke access for an individual third party. To revoke access the resource owner has to change the password, which automatically revokes all other clients as well.
• Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
Pre-OAuth era
• Google oauth
• Flickr oauth
• Yahoo BB-oauth
OAuth 2.0: 4 roles
• Resource Owner
• Client
• Resource Server
• Authorization Server
Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user.
Resource Server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client
An application making protected resource requests on behalf of the resource owner and with its authorization. There are two types:
• Confidential clients: can securely keep the client_id and client_secret (e.g. a web application)
• Public clients (e.g. browser-based clients, mobile apps)
Authorization Server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
OAuth 2: abstract protocol flow (diagram)
(A) Client -> Resource Owner: Authorization Request
(B) Resource Owner -> Client: Authorization Grant
(C) Client -> Authorization Server: Authorization Grant
(D) Authorization Server -> Client: Access Token
(E) Client -> Resource Server: Access Token
(F) Resource Server -> Client: Protected Resource
OAuth 2: the car-key analogy (diagram; Car owner = resource owner, Mechanic = client, Key holder = authorization server, Car park = resource server)
(A) Mechanic -> Car owner: Give me the key of your car.
(B) Car owner -> Mechanic: It's with the key holder. I will give you a chit; show this to the key holder and ask for the key. You can't open my private stuff box with this key.
(C) Mechanic -> Key holder: Give me the car key. Here is the chit of approval from the owner.
(D) Key holder -> Mechanic: OK, this is accepted; here is the key.
(E) Mechanic -> Car park: Give me the car to repair; this is the key.
(F) Car park -> Mechanic: OK, have the car.
OAuth 2: the same flow with the four authorization grant types (diagram)
(A) Client -> Resource Owner: Authorization Request
(B) Resource Owner -> Client: Authorization Grant, which is one of: Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials
(C) Client -> Authorization Server: Authorization Grant
(D) Authorization Server -> Client: Access Token
(E) Client -> Resource Server: Access Token
(F) Resource Server -> Client: Protected Resource
Authorization Code (diagram)
(A) Client -> User Agent -> Authorization Server: client identifier, redirect URI and scope
(B) Resource owner authenticates to the Authorization Server through the User Agent
(C) Authorization Server -> User Agent -> Client: Authorization Code
(D) Client -> Authorization Server: Authorization Code & Redirect URI
(E) Authorization Server -> Client: Access Token
Scope
• Scope indicates which resources the client wants to access and which actions it wants to perform on them.
• The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server.
• The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.
Authorization Code (diagram repeated, annotated: the client is of the confidential client type, here a web application)
Authorization Code (diagram repeated, annotated: at step (D) the client authenticates to the authorization server with its client_id and client_secret, e.g. via HTTP Basic Auth)
Authorization Code - Benefits
• Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client.
• The access token is given directly to the client without passing through the resource owner's user-agent.
Authorization Code
Authorization Grant Request
• response_type: REQUIRED. Value MUST be set to "code".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the Authorization Server redirects the user agent back to.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback.
Authorization Code
Authorization Grant Request (example)
https://oauth2server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
Authorization Code
Authorization Grant Response
• code: REQUIRED. The authorization code generated by the authorization server.
• state: REQUIRED if the "state" parameter was present in the client authorization request.

https://oauth2client.com/cb?code=AUTH_CODE_HERE
Authorization Code
Access Token Request
• grant_type: REQUIRED. Value MUST be set to "authorization_code".
• code: REQUIRED. The authorization code received from the Authorization Server.
• redirect_uri: REQUIRED if the "redirect_uri" parameter was included in the authorization request.

POST https://api.oauth2server.com/token
grant_type=authorization_code&code=AUTH_CODE_HERE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Authorization Code
Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
Access Token
• Credentials used to access protected resources.
• A string representing an authorization issued to the client.
• Tokens represent specific scopes and durations of access.

Refresh Token
• Used to obtain a new access token when the current access token becomes invalid or expires.
• Can be used to obtain additional access tokens with identical or narrower scope.
Authorization Code
Access Token Response
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia"
}
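The authorization code exchange described above, together with the scope narrowing from the Scope slide, as an added in-memory model written for this page (it is not code from the slides or from any real authorization server). The hostnames and the CLIENT_ID/CLIENT_SECRET values mirror the slides' placeholders; the client registration, allowed scopes, error strings and single-use code store are assumptions of the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://oauth2server.com/auth"  # constructed, mirrors the slides' hostnames
REDIRECT_URI = "https://oauth2client.com/cb"
CLIENT_ID, CLIENT_SECRET = "CLIENT_ID", "CLIENT_SECRET"


def parse_redirect(url):
    """Return (code, state) from the authorization response redirect URL."""
    q = parse_qs(urlsplit(url).query)
    return q.get("code", [None])[0], q.get("state", [None])[0]


def fails(fn, *args):
    """True if fn(*args) raises ValueError; used to check that bad requests are rejected."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


class AuthorizationServer:
    """Toy authorization server: one registered confidential client, a scope policy,
    single-use authorization codes and redirect_uri binding."""
    def __init__(self):
        # client_id -> (client_secret, registered redirect_uri, allowed scopes)
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI, {"photos", "profile"})}
        self.codes = {}   # code -> (client_id, redirect_uri, granted scope set)
        self.tokens = {}  # access_token -> granted scope set

    def authorize(self, params):
        """Authorization grant request (steps A-C); returns the redirect URL carrying the code."""
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("unauthorized_client")
        _, registered_uri, allowed = client
        redirect_uri = params.get("redirect_uri", registered_uri)
        if redirect_uri != registered_uri:
            raise ValueError("invalid_request: redirect_uri does not match the registration")
        # scope is a space-delimited, case-sensitive list; the server MAY narrow it
        granted = set(params.get("scope", "").split()) & allowed
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], redirect_uri, granted)
        query = {"code": code}
        if "state" in params:  # state is echoed back unchanged whenever the client sent one
            query["state"] = params["state"]
        return f"{redirect_uri}?{urlencode(query)}"

    def token(self, form):
        """Access token request (step D); returns the token response dict."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = self.clients.get(form.get("client_id"))
        if client is None or client[0] != form.get("client_secret"):
            raise ValueError("invalid_client")  # a confidential client must authenticate
        entry = self.codes.pop(form.get("code"), None)  # pop(): a code can be used once
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        code_client, code_redirect, scope = entry
        if code_client != form["client_id"] or code_redirect != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code was issued to another client/redirect_uri")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = scope
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(scope))}


class Client:
    """Toy confidential client (web application)."""
    def __init__(self, server):
        self.server, self.pending_state = server, None

    def start(self, scope):
        """Step A: build the authorization request URL with a fresh random state."""
        self.pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": scope, "state": self.pending_state}
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def callback(self, redirect_url):
        """Steps C-E: check state before touching the code, then exchange the code."""
        code, state = parse_redirect(redirect_url)
        if state is None or state != self.pending_state:
            raise ValueError("state mismatch: callback was not started by this session")
        self.pending_state = None
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
        return self.server.token(form)  # in practice an HTTPS POST to the token endpoint


def run_flow(scope="photos profile admin"):
    """Drive one complete flow in memory; returns (token response, server)."""
    server = AuthorizationServer()
    client = Client(server)
    auth_url = client.start(scope)
    # the user agent carries the request to the server (A, B) and the code back to the client (C)
    params = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    return client.callback(server.authorize(params)), server
```

Running run_flow() shows the requested "admin" scope being dropped by server policy, and the checks reject a replayed code, a mismatched redirect_uri, a wrong client_secret and a callback whose state was not issued by the client.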
Implicit
The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.
Implicit (diagram)
(A) Client -> User Agent -> Authorization Server: client identifier, redirect URI and scope
(B) Resource owner authenticates to the Authorization Server through the User Agent
(C) Authorization Server -> User Agent: redirection URI with the access token in the fragment
(D) User Agent -> Web-hosted client resource: request to the redirection URI without the fragment
(E) Web-hosted client resource -> User Agent: script (which runs in the user agent and hands the token to the client)
Implicit
• The authorization server does not authenticate the client.
• Improves the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
Implicit (diagram repeated, annotated: the client is of the public client type, a script-based application running in the user agent)
Implicit
Authorization Grant Request
• response_type: REQUIRED. Value MUST be set to "token".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the Authorization Server redirects the user agent back to.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and the callback.
https://oauth2server.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
Implicit
Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
• scope: OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED.
• state: REQUIRED if the "state" parameter was present in the client authorization request.
https://oauth2client.com/cb#access_token=ACCESS_TOKEN
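How a script-based client should consume the fragment response above, as an added example written for this page (not code from the slides). It uses the parameter names from the Access Token Response list, treats the state value as mandatory, and rejects a token that arrived in the query string instead of the fragment; the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs


def parse_implicit_response(redirect_url, expected_state):
    """Validate an implicit-grant redirect and return the token response fields.

    The access token travels in the URL fragment (after '#'). The user agent keeps
    the fragment local: it is not sent with the request to the server behind the
    redirect URI, so only script running in the browser can read it. Raises
    ValueError for any malformed, erroneous or unexpected response.
    """
    parts = urlsplit(redirect_url)
    if "access_token" in parse_qs(parts.query):
        # a token in the query string would reach the web server and its logs
        raise ValueError("access_token must be in the fragment, not the query string")
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in frag:
        raise ValueError(f"authorization server returned error: {frag['error']}")
    if not expected_state or frag.get("state") != expected_state:
        raise ValueError("state missing or mismatched: response does not belong to this request")
    if not frag.get("access_token"):
        raise ValueError("missing access_token")
    if frag.get("token_type", "").lower() != "bearer":  # token_type is case insensitive
        raise ValueError(f"unsupported token_type: {frag.get('token_type')!r}")
    return {
        "access_token": frag["access_token"],
        "token_type": "Bearer",
        "expires_in": int(frag["expires_in"]) if "expires_in" in frag else None,
        "scope": frag.get("scope"),  # REQUIRED when narrower than requested, else optional
    }


def implicit_response_error(redirect_url, expected_state):
    """Return the validation error message for a redirect, or None if it is accepted."""
    try:
        parse_implicit_response(redirect_url, expected_state)
        return None
    except ValueError as exc:
        return str(exc)
```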
Client Credentials
Client credentials are used as an authorization grant when the client is also the resource owner, or when the client is requesting access to protected resources based on an authorization previously arranged with the authorization server.
Client Credentials (diagram; the client is of the confidential client type)
(A) Client -> Authorization Server: Client Authentication
(B) Authorization Server -> Client: Access Token
Access Token Request
• grant_type: REQUIRED. Value MUST be set to "client_credentials".
• scope: OPTIONAL. The scope of the access request.

POST https://api.oauth2server.com/token
grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Access Token Response
• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
Resource owner password credentials (diagram)
(A) Resource owner -> Client: resource owner password credentials
(B) Client -> Authorization Server: resource owner password credentials
(C) Authorization Server -> Client: access token
When to use
• In mobile applications
▫ The app exchanges your username and password for an access token and stores only that access token on the device.
▫ It should only be used by apps created by the service itself (e.g. the native Twitter app).
Resource owner password credentials
Token Request
POST https://api.oauth2server.com/token
grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID
References
• The OAuth 2.0 Authorization Framework (RFC 6749), specification
• OAuth 2 Simplified, Aaron Parecki
• OAuth 2.0 with pet care house, Prabath Siriwardena
1 de 43

Recomendados

OAuth 2.0 and OpenId Connect por
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
3K vistas39 diapositivas
OAuth 2 por
OAuth 2OAuth 2
OAuth 2ChrisWood262
364 vistas20 diapositivas
Demystifying OAuth 2.0 por
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
7.5K vistas57 diapositivas
OAuth 2.0 por
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
4.8K vistas44 diapositivas
An Introduction to OAuth2 por
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
14.7K vistas78 diapositivas
Intro to OAuth2 and OpenID Connect por
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
141 vistas15 diapositivas

Más contenido relacionado

La actualidad más candente

An introduction to OAuth 2 por
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
733 vistas31 diapositivas
Implementing OAuth por
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
28.2K vistas72 diapositivas
Rest API Security - A quick understanding of Rest API Security por
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
1.2K vistas21 diapositivas
OAuth - Open API Authentication por
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
22.3K vistas23 diapositivas
OpenID Connect Explained por
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
11.3K vistas31 diapositivas
OAuth - Don’t Throw the Baby Out with the Bathwater por
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
13.4K vistas33 diapositivas

La actualidad más candente(20)

Implementing OAuth por leahculver
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver28.2K vistas
Rest API Security - A quick understanding of Rest API Security por Mohammed Fazuluddin
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin1.2K vistas
OAuth - Open API Authentication por leahculver
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver22.3K vistas
OAuth - Don’t Throw the Baby Out with the Bathwater por Apigee | Google Cloud
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud13.4K vistas
REST API Design & Development por Ashok Pundit
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
Ashok Pundit1.2K vistas
Stateless authentication with OAuth 2 and JWT - JavaZone 2015 por Alvaro Sanchez-Mariscal
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Applications secure by default por SecuRing
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing1.9K vistas
Stateless Auth using OAuth2 & JWT por Gaurav Roy
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy11.5K vistas
Introduction to REST - API por Chetan Gadodia
Introduction to REST - APIIntroduction to REST - API
Introduction to REST - API
Chetan Gadodia1.1K vistas
OpenID Connect: An Overview por Pat Patterson
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson13.2K vistas
An Introduction to OAuth 2 por Aaron Parecki
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki108.2K vistas
Building layers of defense for your application por VMware Tanzu
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu1.4K vistas
OAuth 2.0 and OpenID Connect por Jacob Combs
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs244 vistas
Modern API Security with JSON Web Tokens por Jonathan LeBlanc
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc3.7K vistas

Similar a OAuth2 + API Security

Learn with WSO2 - API Security por
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
1.4K vistas59 diapositivas
The OAuth 2.0 Authorization Framework por
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
984 vistas25 diapositivas
Best Practices in Building an API Security Ecosystem por
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
1.4K vistas73 diapositivas
Securing APIs with OAuth 2.0 por
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
784 vistas58 diapositivas
(4) OAuth 2.0 Obtaining Authorization por
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
295 vistas33 diapositivas
Microservice security with spring security 5.1,Oauth 2.0 and open id connect por
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
75 vistas61 diapositivas

Similar a OAuth2 + API Security(20)

Learn with WSO2 - API Security por WSO2
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO21.4K vistas
The OAuth 2.0 Authorization Framework por Samuele Cozzi
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
Samuele Cozzi984 vistas
Best Practices in Building an API Security Ecosystem por Prabath Siriwardena
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena1.4K vistas
Securing APIs with OAuth 2.0 por Kai Hofstetter
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
Kai Hofstetter784 vistas
(4) OAuth 2.0 Obtaining Authorization por anikristo
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
anikristo295 vistas
Microservice security with spring security 5.1,Oauth 2.0 and open id connect por Nilanjan Roy
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy75 vistas
Oauth2 and OWSM OAuth2 support por Gaurav Sharma
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma4K vistas
O Auth 2.0 The Path to Heaven from Hell por WSO2
O Auth 2.0   The Path to Heaven from HellO Auth 2.0   The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
WSO21.9K vistas
A Survey on SSO Authentication protocols: Security and Performance por Amin Saqi
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
Amin Saqi524 vistas
Protecting your APIs with Doorkeeper and OAuth 2.0 por Mads Toustrup-Lønne
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne1.9K vistas
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020 por Matt Raible
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible177 vistas
oauth-for-credentials-security-in-rest-api-access por idsecconf
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
idsecconf491 vistas
(1) OAuth 2.0 Overview por anikristo
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo560 vistas
Spring security oauth2 por axykim00
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00342 vistas
.NET Core, ASP.NET Core Course, Session 19 por aminmesbahi
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
aminmesbahi475 vistas

Último

Network Source of Truth and Infrastructure as Code revisited por
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisitedNetwork Automation Forum
42 vistas45 diapositivas
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... por
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...ShapeBlue
57 vistas25 diapositivas
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue por
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueShapeBlue
96 vistas7 diapositivas
The Research Portal of Catalonia: Growing more (information) & more (services) por
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)CSUC - Consorci de Serveis Universitaris de Catalunya
136 vistas25 diapositivas
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... por
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...ShapeBlue
54 vistas15 diapositivas
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates por
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesShapeBlue
119 vistas15 diapositivas

Último(20)

Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... por ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue57 vistas
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue por ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue96 vistas
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... por ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue54 vistas
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates por ShapeBlue
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates
ShapeBlue119 vistas
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue por ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue85 vistas
Igniting Next Level Productivity with AI-Infused Data Integration Workflows por Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software344 vistas
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... por ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue46 vistas
DRBD Deep Dive - Philipp Reisner - LINBIT por ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue62 vistas
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive por Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... por ShapeBlue
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
ShapeBlue48 vistas
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online por ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue102 vistas
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... por James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson133 vistas
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... por ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue83 vistas
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue por ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue46 vistas
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue por ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue46 vistas

OAuth2 + API Security

  • 1. OAuth 2+ API Security
  • 2. API and Managing API • Private APIs , Public APIs(twitter, facebook) • Even though these APIs are public there must be a access control (e.g.: any one else can’t update your FB status on behalf of you)
  • 3. Securing APIs(before OAuth) •Basic auth – Sending user credentials in http authentication header •Mutual Authentication - based on certificates, server authenticate to client , client to server Problem ..? ONLY 2 Parties What Happens if a 3rd party (client/app) wants to call APIs on behalf of you
  • 4. Need A Better method
  • 5. Why we need a better method • Third party applications can not save password as a salted hash but in clear text as they will use user credentials later to access resources. • Resource owner can not limit the time of access or what resources to access by clients to his resources.
  • 6. Why we need a better method • Resource owners cannot revoke access to an individual third party. To revoke access resource owner has to change password which will automatically revoke all other clients. • Compromise of any third‐party application results in compromise of the end-user's password and all of the data protected by that password.
  • 7. Pre OAuth Era •Google oauth •Flicker oauth •Yahoo BB-oauth
  • 9. 4 Roles Resource Owner Client Resource Server Authorization Server
  • 10. Resource Owner • An entity capable of granting access to a protected resource • When the resource owner is a person, it is referred to as an end‐user.
  • 11. Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • 12. Client An application making protected resource requests on behalf of the resource owner and with its authorization 2 types, • Confidential clients- can securely keep client_secret and client_id(eg:Web application) • Public clients(eg: Browser based clients, mobile apps)
  • 13. Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • 14. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner (C) Authorization Grant (D) Access Token Authorization Server Client (E) Access Token (F) Protected Resource Resource Server
  • 15. OAuth 2 (A) Give me the key of your car (B) It’s with key holder, I will give you a chit, show this to key holder and ask for key. You can’t open my private stuff box with this key (C) Give me car key. Here is the chit of approve from owner Car owner (D) Ok, This is accepted, here is the key Key Holder Mechanic (E) Give me car to repair, this is the key (F) Ok, have the car Car park
  • 16. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner Client Credentials Implicit (C) Authorization Grant Authorization Code (D) Access Token Client Resource Owner Authorization Server Password Credentials (E) Access Token (F) Protected Resource Resource Server
  • 17. Authorization Code Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) (D) Authorization Code & Redirect URI (E) Access Token Client
  • 18. Scope • Scope indicates what resource client wants access and which actions he wants to perform on that. • The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings which are defined by authorization server. • The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.
  • 19. Authorization Code Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) Confidential Client Type (D) Authorization Code & Redirect URI (E) Access Token Web application Client
  • 20. Authorization Code Scope Resource Basic Auth owner (B) User Agent Client_ID/Client_secret (A) Client Identifier & redirect URL (B) User Authenticates (C) Authorization Code Client Authenticates to authorization server (A) (C) Authorization Server (D) Authorization Code & Redirect URI (E) Access Token Client
  • 21. Authorization Code - Benefits • Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client. • Access token is given directly to the client without passing it through the resource owner's user-agent
  • 22. Authorization Code Authorization Grant Request •response_type:REQUIRED.Value MUST be set to "code". • client_id: REQUIRED. The client identifier. • redirect_url: OPTIONAL. Where to be redirected by the Authorization Server • scope: OPTIONAL. The scope of the access request. • state : RCOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 23. Authorization Code Authorization Grant Request https://oauth2server.com/auth?response_type=code& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 24. Authorization Code Authorization Grant Response • code :REQUIRED. The authorization code generated by the authorization server • state : REQUIRED .if the "state" parameter was present in the client authorization request. https://oauth2client.com/cb?code=AUTH_CODE_HERE
  • 25. Authorization Code Access Token Request • grant_type :REQUIRED. Value MUST be set to "authorization_code" • code : REQUIRED . The authorization code received from the Authorization Server. • redirect_uri: REQUIRED,if the "redirect_uri" parameter was inclued in the authoization POST https://api.oauth2server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRET_URI&client_id=CLIENT_ID& client_secret=CLIENT_SECRET
  • 26. Authorization Code Access Token Response
    • access_token: REQUIRED. The access token issued by the authorization server.
    • token_type: REQUIRED. The type of the token. Value is case insensitive.
    • expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  • 27. Access Token
    • Credentials used to access protected resources.
    • A string representing an authorization issued to the client.
    • Tokens represent specific scopes and durations of access.
    Refresh Token
    • Used to obtain a new access token when the current access token becomes invalid or expires.
    • Can be used to obtain additional access tokens with identical or narrower scope.
  • 28. Authorization Code Access Token Response { "access_token":"RsT5OjbzRn430zqMLgV3Ia" }
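Added example, not from the slides: a toy authorization server and client in Python that walk through slides 22 to 28 end to end, with the checks the grant implies on each side: exact redirect_uri match, client authentication with client_secret, single-use short-lived codes, and the client verifying the echoed state. Host names, client ids, secrets and the 60-second code lifetime are constructed values.

```python
import secrets, time
from urllib.parse import urlencode, urlsplit, parse_qs

class ToyAuthorizationServer:
    """Issues single-use, short-lived codes (slide 24) and exchanges them for tokens (slide 26)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}, registered out of band
        self.codes = {}         # code -> (client_id, redirect_uri, expiry time)

    def authorize(self, query):
        # Steps (A)-(C): validate the grant request; after the user authenticates,
        # redirect the user agent back to the client with code and state.
        p = parse_qs(query)
        client = self.clients.get(p.get("client_id", [None])[0])
        if p.get("response_type") != ["code"] or client is None:
            raise ValueError("invalid authorization request")
        redirect_uri = p.get("redirect_uri", [client["redirect_uri"]])[0]
        if redirect_uri != client["redirect_uri"]:  # exact match against the registered value
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (p["client_id"][0], redirect_uri, time.time() + 60)
        cb = {"code": code}
        if "state" in p:  # echoed back unchanged so the client can verify it
            cb["state"] = p["state"][0]
        return redirect_uri + "?" + urlencode(cb)

    def token(self, form):
        # Steps (D)-(E): authenticate the confidential client, consume the code, issue the token.
        p = parse_qs(form)
        client = self.clients.get(p.get("client_id", [None])[0])
        if client is None or not secrets.compare_digest(client["secret"], p.get("client_secret", [""])[0]):
            return {"error": "invalid_client"}
        entry = self.codes.pop(p.get("code", [""])[0], None)  # pop: a code can be redeemed only once
        if (p.get("grant_type") != ["authorization_code"] or entry is None
                or entry[0] != p["client_id"][0] or entry[1] != p.get("redirect_uri", [""])[0]
                or entry[2] < time.time()):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

def run_authorization_code_flow(server, client_id, client_secret, redirect_uri):
    # Client side: send a random state, check it on the callback, then exchange the code.
    state = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "photos", "state": state})
    cb = parse_qs(urlsplit(server.authorize(query)).query)
    if cb.get("state") != [state]:  # a callback without our state is rejected (CSRF protection)
        raise ValueError("state mismatch")
    form = urlencode({"grant_type": "authorization_code", "code": cb["code"][0], "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": client_secret})
    return server.token(form)
```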
  • 29. Implicit The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.
  • 30. Implicit [flow diagram: Resource owner, User Agent, Script-based Client, Web-hosted client resource, Authorization Server; (A) Client Identifier & redirect URL, (B) User Authenticates, (C) Redirection URI with access token in fragment, (D) Redirection URI without fragment, (E) Script]
  • 31. Implicit
    • The authorization server does not authenticate the client.
    • Improves the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
  • 32. Implicit [flow diagram as slide 30, with the client marked as public client type: a user-agent based (script) application]
  • 33. Implicit Authorization Grant Request
    • response_type: REQUIRED. Value MUST be set to "token".
    • client_id: REQUIRED. The client identifier.
    • redirect_uri: OPTIONAL. Where to be redirected by the Authorization Server.
    • scope: OPTIONAL. The scope of the access request.
    • state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
    https://oauth2server.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 34. Implicit Access Token Response
    • access_token: REQUIRED. The access token issued by the authorization server.
    • token_type: REQUIRED. The type of the token. Value is case insensitive.
    • expires_in: RECOMMENDED. The lifetime in seconds of the access token.
    • scope: OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
    • state: REQUIRED if the "state" parameter was present in the client authorization request.
    https://oauth2client.com/cb#token=ACCESS_TOKEN
  • 35. Client Credentials Client credentials are used as an authorization grant when the client is also the resource owner, or is requesting access to protected resources based on an authorization previously arranged with the authorization server.
  • 36. Client Credentials [flow diagram: Client, Authorization Server; (A) Client Authentication, (B) Access Token]
  • 37. Client Credentials [flow diagram as slide 36, with the client marked as confidential client type]
  • 38. Access Token Request
    • grant_type: REQUIRED. Value MUST be set to "client_credentials".
    • scope: OPTIONAL. The scope of the access request.
    POST https://api.oauth2server.com/token
    grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
  • 39. Access Token Response
    • access_token: REQUIRED. The access token issued by the authorization server.
    • token_type: REQUIRED. The type of the token. Value is case insensitive.
    • expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  • 40. Resource owner password credentials [flow diagram: Resource owner, Client, Authorization Server; (A) Resource owner password credentials (to the client), (B) Resource owner password credentials (to the authorization server), (C) Access token]
  • 41. When to use
    • In mobile applications
      ▫ Will exchange your user name and password for an access token and only store this access token in the mobile app.
      ▫ It should only be used by apps created by the service itself (e.g. the native Twitter app).
  • 42. Resource owner password credentials Token Request
    POST https://api.oauth2server.com/token
    grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID
  • 43. References
    • OAuth 2.0 Authorization Framework, specification
    • OAuth 2 Simplified, Aaron Parecki
    • OAuth 2.0 with Pet Care House, Prabath Siriwardena