OAuth Dance with Mule
Yuan Meng – Sr. Solutions Architect, Perficient Inc. Email: [email protected]
https://blogs.perficient.com/author/ymeng/
Robin Walsh – Sr. Technical Architect, Ameren Corp.Email: [email protected]
All contents © MuleSoft Inc.
Security in the New Age
• Challenges of Security in the New Cyber Age
– Ubiquitous – SaaS, mobile apps, APIs
– Anonymous – callers are not pre-provisioned domain users
– Multi-party – user, client application and API are often owned by different organizations
– Fluid and Dynamic – access is granted and revoked on demand
• Traditional Security
– Closed, inflexible, hard to maintain
– Pre-configured domain users, SSO
– Fixed service account (e.g. basic authentication) whose password is shared with every caller
• OAuth Promises
– Grant access on demand without sharing the resource owner's credential with the client
– Short-lived, scoped, revocable access tokens instead of a long-lived shared secret
OAuth2 & Grant Types
• OAuth2 - https://tools.ietf.org/html/rfc6749
– An authorization framework, not a single wire protocol: the RFC leaves endpoints, token format and client registration to each implementation
– Replaces and obsoletes the OAuth 1.0 protocol (RFC 5849)
– Allows on-demand access
– Grants permissions without sharing the resource owner's credential with the client
– Short-lived bearer access tokens (expires_in), optionally renewable with a refresh token; they are not one-time-use
– Accommodates traditional access paradigms (client credentials, username & password)
– Hailed as the "valet parking key" of Internet security: delegation of limited access
– Four Grant Types (RFC 6749 Section 1.3):
• Client credentials
• Authorization code
• Implicit
• Resource owner password credentials (username & password)
Notes:
• 2 assertion extensions: SAML 2.0 bearer assertion (RFC 7522) and JWT bearer assertion (RFC 7523)
• Refresh token is not one of the four authorization grants, despite some informally calling it a sub-grant type; it is a credential presented with grant_type=refresh_token at the token endpoint (RFC 6749 Section 6)
• Caveat: the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the implicit and password grants; public clients should use authorization code with PKCE (RFC 7636)
OAuth2 Roles
Four Roles in OAuth2 and Their Relationships
• Resource Owner – grants permissions (e.g. the end user)
• Client / Client application – requests a token from the AS, then calls the service with the token
• Authorization Server (AS) – authenticates the resource owner and issues tokens
• Resource Server (RS) – hosts the resources (e.g. APIs) and accepts access tokens
This diagram reflects the static relationship; it does not reflect the dynamic sequence of interactions, which is defined by the grant types.
Mule & OAuth2
Anypoint Platform OAuth Support
– OpenAM
– PingFederate
– MuleSoft External OAuth2 Provider (https://github.com/mulesoft/template-gw-external-oauth2-provider)
– Okta
– OpenID Connect
Since OAuth2 is a framework rather than a wire protocol, each product has its own implementation variations; the configuration parameters are conceptually similar but differ in detail from product to product.
Presentation Approach:
Live curl scripts against the Mule External Provider and PingFederate.
Let’s Dance – The Two Steps
These OAuth grants take two steps to call the service:
• Client Credentials Grant
• Username & Password Grant
• Implicit Grant
Step 1 – Client requests an Access Token from the AS
Step 2 – Client calls the service with the newly acquired Access Token
There is no redirect dance between client, resource owner and AS: with client credentials no resource owner is involved at all; with username & password the client collects the owner's credentials itself; with implicit the owner authenticates at the AS and the token comes straight back in the redirect.
(Diagram: Client application → 1. Request for token → Authorization Server (AS); Client application → 2. Call Service with Token → Resource Server (RS) / Resources (e.g. APIs))
Client Credentials Grant
Client Credentials (get token in 1 step, then call service)
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic QTQXXX=" -d "grant_type=client_credentials&scope=" "https://perficient-oauth2-provider.cloudhub.io/external/access_token" -k
HTTP/1.1 200
Content-Type: application/json; charset=UTF-8
Date: Sun, 06 May 2018 13:49:33 GMT
MULE_ENCODING: UTF-8
Server: nginx
Content-Length: 145
Connection: keep-alive
{"access_token":"PGjT0pXtIc1W41uLo0jT1d9QYl-6K2mPAIjBqCLHERdMeYUySNupZuV41Lin5gopyoM2vEEfErHzJgPXBmSK2Q","token_type":"bearer","expires_in":1800}
The Basic value is base64(client_id:client_secret) per RFC 6749 Section 2.3.1; the secret never appears in the body. -k disables TLS certificate verification and is for the demo only: the client secret and the issued token both travel over this connection.
Calling the Service (with the Authorization header; RFC 6750 also allows an access_token query parameter, but that leaks the token into access logs and Referer headers and is discouraged)
curl -i -X GET -H "Authorization: Bearer Your-token-DO-NOT-Base64-ENCODE" http://perficient-hello-api.cloudhub.io/hello/foo
Bearer tokens must be sent over TLS in production; the plain http:// demo endpoint exposes the token in transit.
Username & Password Grant
Username & Password (get token in 1 step, then call the service)
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic OTQXXX=" -d "grant_type=password&username=max&password=mule" "https://perficient-oauth2-provider.cloudhub.io/external/access_token" -k
HTTP/1.1 200
Content-Type: application/json; charset=UTF-8
Date: Sun, 06 May 2018 13:50:22 GMT
MULE_ENCODING: UTF-8
Server: nginx
Content-Length: 250
Connection: keep-alive
{"access_token":"pp-uo3-K7Gr9jb2qfm9_C9YtlTHAB44e13_EBtYl884RfGXu1I56NuIGU5_kzsNjNbUdKZYjdA9stP5TQh5UVw","refresh_token":"frDAKhmJAjgFh-EWZT1IhzGAbvM-gPibTm0hEGgIhVQtRDP7OrxncwY-NH0DN8axly5rNUDJyioxjcweBsOJ9g","token_type":"bearer","expires_in":1800}
The client still authenticates itself with its own Basic credential; the resource owner's username and password go in the body. Because the client handles the owner's password directly, this grant is only for highly trusted first-party clients and is discouraged by current best practice. The refresh_token lets the client obtain new access tokens without re-sending the password.
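The two token-endpoint calls above (client credentials and username & password) share the same mechanics: HTTP Basic client authentication, a form-encoded body, and a JSON token response that the client must parse and track for expiry. The following is an added example, not code from the slides or from the Mule provider, that builds those requests without sending them and parses the response the way a client should; the endpoint URL is the one shown on the slides, and the credentials are placeholders.

```python
"""Build and parse OAuth2 token-endpoint exchanges for the client_credentials
and password grants (RFC 6749 Sections 4.3 and 4.4), mirroring the curl calls.
Added example: not code from the slides or the Mule provider. Endpoint URL is
from the slides; client and user credentials below are placeholders."""
import base64
import json
import time
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

TOKEN_ENDPOINT = "https://perficient-oauth2-provider.cloudhub.io/external/access_token"


def client_basic_auth(client_id: str, client_secret: str) -> str:
    """RFC 6749 Section 2.3.1: form-urlencode id and secret, join with ':',
    base64 the result. This is the 'Basic QTQXXX=' value in the curl calls;
    the secret never goes in the request body."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(grant_type: str, client_id: str, client_secret: str,
                  scope: str = "", **extra: str) -> Request:
    """Assemble the POST for the token endpoint (not sent here)."""
    if grant_type not in ("client_credentials", "password"):
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if grant_type == "password" and not ("username" in extra and "password" in extra):
        raise ValueError("password grant needs username and password")
    body = {"grant_type": grant_type, "scope": scope, **extra}
    return Request(
        TOKEN_ENDPOINT,
        data=urlencode(body).encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": client_basic_auth(client_id, client_secret),
        },
        method="POST",
    )


def parse_token_response(raw: str, now: float = None) -> dict:
    """Validate the JSON token response (RFC 6749 Section 5.1) and record an
    absolute expiry so the caller can refresh before the token dies."""
    now = time.time() if now is None else now
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"token endpoint error: {doc['error']}")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {doc.get('token_type')}")
    if not doc.get("access_token"):
        raise ValueError("no access_token in response")
    return {
        "access_token": doc["access_token"],
        "refresh_token": doc.get("refresh_token"),   # only the password grant returned one
        "expires_at": now + int(doc.get("expires_in", 0)),
    }


def bearer_header(token: dict, now: float = None) -> str:
    """Header for the resource call. The token is sent as-is: do NOT base64 it."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise PermissionError("access token expired; refresh or re-request it")
    return f"Bearer {token['access_token']}"


if __name__ == "__main__":
    req = token_request("client_credentials", "max", "mule")   # placeholder credentials
    print(req.get_header("Authorization"), req.data)
```

Sending the Request with urllib.request.urlopen over HTTPS (certificate verification left on) and feeding the body to parse_token_response gives the same result as the curl calls, with the expiry tracked so the client refreshes instead of getting a 401 mid-session.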
Implicit Grant
Implicit Grant – similar to Authorization Code, but the access token is returned directly in the fragment of the redirect URI, with no authorization code and no client secret. It was designed for public clients that cannot keep a secret (browser-based JavaScript apps, originally also native/mobile apps), not for "secure and trusted" devices; because the token is exposed in the URL and cannot be bound to the client, current best practice replaces it with Authorization Code plus PKCE (RFC 7636; RFC 8252 for native apps).
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=max&password=mule&client_id=94699509eeaa45b3b08ebe0f1a49249a&response_type=token&redirect_uri=http://localhost:8080/oauth/handler&scope=" "https://prft-oauth2-provider.cloudhub.io/external/authorize" -k
HTTP/1.1 302
Content-Type: application/x-www-form-urlencoded
Date: Sun, 06 May 2018 14:05:06 GMT
Location: http://localhost:8080/oauth/handler#access_token=1iXbhu3XUsk2FPSsbIxBIFn6qk63QnfYmERtiWd1BrUQFgpIz8RXa8ik_YxdLIhPobW6fVCMnUddNUsm4Y7K7w&token_type=bearer&expires_in=1800
The token sits in the URI fragment (#), which the browser keeps client-side and never sends to the redirect_uri server, so client-side script has to extract it. The request above also omits state, so the redirect cannot be tied to a request the client actually started.
The True Dance – Authorization Code Grant
Authorization Code Grant needs multiple steps to get the token. This is often referred to as the "three-legged" flow.
(Diagram: the Resource Owner authenticates at the Authorization Server (AS); the AS redirects an Authorization Code back to the Client application; the Client application exchanges the code for a token at the AS, then calls the service with the token at the Resource Server (RS) / Resources (e.g. APIs))
Side note: Postman hides the underlying steps.
The True Dance – Authorization Code Grant - I
Authorization Code Grant needs multiple steps to get the token
Step 1 (optional) – Results in the login form for username & password
curl -i "https://perficient-oauth2-provider.cloudhub.io/external/authorize?client_id=946xx&scope=&state=5675388&redirect_uri=http://localhost:8080/oauth/handler&response_type=code"
HTTP/1.1 200...
<form id="login-form" method="post" class="form-horizontal">
<div class="control-group">
<label for="username" class="control-label">Username</label>
<div class="controls"><input id="username" name="username" type="text"></div>
</div>
<div class="control-group">
<label for="password" class="control-label">Password</label>
<div class="controls"><input id="password" name="password" type="password"></div>
</div>
The True Dance – Authorization Code Grant - II
Authorization Code Grant needs multiple steps to get the token
Step 2 - Get the "Authorization code"
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=max&password=mule&client_id=94699509eeaa45b3b08ebe0f1a49249a&response_type=code&redirect_uri=http://localhost:8080/oauth/handler&scope=" "https://prft-oauth2-provider.cloudhub.io/external/authorize" -k
HTTP/1.1 302
Content-Type: application/x-www-form-urlencoded
Date: Fri, 16 Mar 2018 01:05:55 GMT
Location: http://localhost:8080/oauth/handler?code=I7qTexTnQ_fS_3GgzCjmdr_5tzWXxv30dn7r1kNqhPjXRJpzRBUT0odg9ndfGe9RmpHpdeWoz9r4cCAtOqmc_A
MULE_ENCODING: UTF-8
Server: nginx
Content-Length: 0
Connection: keep-alive
Step 3 – Exchange the code for an access token at the token endpoint with grant_type=authorization_code, the same redirect_uri and the client credentials (RFC 6749 Section 4.1.3); the PingFederate scripts later in this deck show that call. The code is short-lived and single-use. The request in step 2 sends no state; a real client sends a random state and verifies it on the redirect so an attacker cannot inject their own code into the client's session.
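The implicit and authorization code slides both end at the 302 from the authorize endpoint, and neither request carries state or PKCE. The following added example, not code from the slides or from the Mule or PingFederate providers, shows the client side of both redirect-based grants done properly: generating the PKCE pair (RFC 7636), building the authorize URL with state, parsing the Location header (code in the query for authorization_code, token in the fragment for implicit), checking state and the redirect target, and assembling the step-3 code exchange. Endpoint URLs are taken from the slides; the client_id and state values are placeholders.

```python
"""Client side of the redirect-based grants. Added example: not code from the
slides, Mule or PingFederate. Endpoint URLs are from the slides; client_id and
the sample redirects are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://perficient-oauth2-provider.cloudhub.io/external/authorize"
TOKEN_ENDPOINT = "https://perficient-oauth2-provider.cloudhub.io/external/access_token"


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair(verifier: str = None) -> tuple:
    """code_verifier (43..128 chars, kept secret by the client) and its S256
    code_challenge (sent in the authorize request). The AS later checks that
    sha256(verifier) matches, so a stolen code is useless without the verifier."""
    verifier = verifier or _b64url(secrets.token_bytes(32))   # 43 chars
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorize_url(client_id: str, redirect_uri: str, response_type: str = "code",
                        scope: str = "", code_challenge: str = None,
                        state: str = None) -> tuple:
    """Returns (url, state). The client stores state so the redirect can be
    matched to this request (CSRF protection)."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if code_challenge:
        params.update(code_challenge=code_challenge, code_challenge_method="S256")
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def parse_redirect(location: str, expected_state: str, redirect_uri: str) -> dict:
    """Parse the Location header of the AS's 302. Refuses a redirect to any
    other URI, a state that does not match, or an error response."""
    parts = urlsplit(location)
    if parts._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError("redirect to an unexpected URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    params = {**query, **fragment}
    if "error" in params:
        raise PermissionError(params["error"])
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: not a response to a request we started")
    if "access_token" in fragment:          # implicit grant: token in the fragment
        return {"grant": "implicit", "access_token": fragment["access_token"]}
    if "code" in query:                     # authorization code grant: code in the query
        return {"grant": "authorization_code", "code": query["code"]}
    raise ValueError("redirect carries neither code nor access_token")


def code_exchange_body(code: str, client_id: str, redirect_uri: str,
                       code_verifier: str) -> bytes:
    """Step 3: body of the POST to TOKEN_ENDPOINT (RFC 6749 Section 4.1.3).
    redirect_uri must repeat the one used in the authorize request; a
    confidential client's secret goes in the HTTP Basic Authorization header,
    not in this body."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "code_verifier": code_verifier}).encode()


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url, state = build_authorize_url("946xx", "http://localhost:8080/oauth/handler",
                                     code_challenge=challenge)
    print(url)   # open in the browser; then feed the 302 Location to parse_redirect
```

With the Mule provider this replaces the step-2 curl: the browser (or the curl login POST) is sent to the URL from build_authorize_url, the Location of the 302 goes through parse_redirect, and the returned code plus the stored verifier go into code_exchange_body for the POST to the token endpoint.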
Mule External OAuth Provider Configuration
One single URL, that's it! Scope is for extra authorization control, not discussed here.
Sample Okta Configuration Page with Mule
Sample endpoints and parameters for Okta OAuth server configuration.
As is shown, the configuration blocks and the endpoints are neither the same as PingFederate's nor as the Mule external provider's.
Sample PingFederate Configuration Page with Mule
Sample endpoints and parameters for PingFederate server configuration:
• Same endpoint
• Client with validate-token permission
• Standard formatted strings
• User with permission to create clients in PingFederate
Complex PingFederate and Mule Configuration
(Diagram: a 4-node PingFederate cluster with Ext-1 Ping and Ext-2 Ping in the DMZ and Int-1 Ping and Int-2 Ping internal; Ext-API on CloudHub and Int-API on premises, each called by an API caller; gray IPs are only accessible externally, green IPs only internally; hatched lines are VPN)
The 4-Node Ping Cluster
• 2 public-facing nodes in the DMZ, 2 (green) internal nodes
• The firewall must permit the cluster's DB traffic (yellow lines)
• The internal firewall must permit the connections drawn as black lines
• The green arrows allow Int-API to validate tokens
Ext-API Validates Access Token
• Token validation is initiated from the server where the API is deployed (the CloudHub worker for Ext-API, or the VM for an on-prem server).
• The firewall must allow either the cyan or the red dashed-line traffic.
• The VPC DNS determines how Ext-API resolves ping.acme.com.
• Ideally the VPC DNS should resolve ping.acme.com to Ext-Ping (cyan dashed line); however, when DNS 8.8.8.8 was added, an unexpected side effect caused the VPN to fail.
• The final solution was to let the VPC DNS resolve to Int-Ping, with the firewall allowing the red dashed line through, so Ext-API now validates tokens with Int-Ping (green boxes).
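The diagram above is about getting Ext-API and Int-API network reach to a Ping node so they can validate the access tokens callers present. What the resource server does once it has that reach is the other half: pull the bearer token out of the request and make an allow/deny decision from the authorization server's answer. The following added example, not code from the slides, Mule or PingFederate, shows that resource-server logic with the token extraction per RFC 6750 and the decision taken from an RFC 7662 token-introspection response; the introspection answers are constructed for the example, and the required scope name is a placeholder.

```python
"""Resource-server side of token validation. Added example: not code from the
slides, Mule or PingFederate. SAMPLE_INTROSPECTION is constructed data standing
in for the answers a Ping-style introspection endpoint would return; a real
deployment fetches them over the network path the diagram describes."""
import json
import time

REQUIRED_SCOPE = "hello:read"   # placeholder scope for the demo API


def extract_bearer(headers: dict, query: dict) -> str:
    """Accept only 'Authorization: Bearer <token>' (RFC 6750 Section 2.1).
    A token in the URL query (access_token=...) is rejected on purpose: it
    ends up in access logs, proxies and Referer headers."""
    if "access_token" in query:
        raise PermissionError("token in query string is not accepted; use the Authorization header")
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise PermissionError("missing or malformed Authorization: Bearer header")
    return token.strip()


def authorize(introspection_json: str, required_scope: str = REQUIRED_SCOPE,
              now: float = None) -> dict:
    """Decide from an RFC 7662 introspection response. 'active' alone is not
    enough: also check expiry and that the token carries the scope this API
    needs, so a token minted for another API is not honoured here."""
    now = time.time() if now is None else now
    info = json.loads(introspection_json)
    if info.get("active") is not True:
        raise PermissionError("token is not active (revoked, expired or unknown)")
    if "exp" in info and now >= info["exp"]:
        raise PermissionError("token expired")
    granted = set(info.get("scope", "").split())
    if required_scope and required_scope not in granted:
        raise PermissionError(f"token lacks scope {required_scope}")
    return {"client_id": info.get("client_id"), "subject": info.get("sub"),
            "scope": sorted(granted)}


def handle_request(headers: dict, query: dict, introspect) -> dict:
    """introspect(token) -> JSON string from the AS; injected so the decision
    logic can be exercised without a network."""
    token = extract_bearer(headers, query)
    return authorize(introspect(token))


# Constructed sample tokens and the introspection answers for them (not real data).
SAMPLE_INTROSPECTION = {
    "good-token": '{"active": true, "scope": "hello:read", "client_id": "946xx", "sub": "max", "exp": 4102444800}',
    "revoked": '{"active": false}',
    "noscope": '{"active": true, "scope": "other:read", "client_id": "946xx", "exp": 4102444800}',
}


def demo_introspect(token: str) -> str:
    """Stand-in for the POST to the AS introspection endpoint; unknown tokens
    come back inactive, exactly as a real endpoint answers (RFC 7662 Section 2.2)."""
    return SAMPLE_INTROSPECTION.get(token, '{"active": false}')


if __name__ == "__main__":
    print(handle_request({"Authorization": "Bearer good-token"}, {}, demo_introspect))
```

In the deployment on the slide, demo_introspect is replaced by an HTTPS POST from the CloudHub worker to the Ping node that the VPC DNS resolves for ping.acme.com, authenticated with the "client with validate-token permission" from the PingFederate configuration page.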
PingFederate Scripts
1. Get the login page (needs a cookie jar):
curl -c cookie.txt -i -X GET "https://ping.acme.com/as/authorization.oauth2?response_type=code&state=&client_id=57xx&scope=&redirect_uri=http://localhost:8080/oauth/handler"
2. Get the authorization code (needs the cookie, and the nonce "8cqEI" taken from the resume path in the previous response):
curl -b cookie.txt -c cookie.txt -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "pf.username=joe&pf.pass=xxx&pf.ok=&pf.cancel=&pf.adapterId=HTMLFormIdPAdapter" "https://ping.acme.com/as/8cqEI/resume/as/authorization.ping" -k -L
3. Get the access token by exchanging the code:
curl -i -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=X1xxx&client_id=570xxx&client_secret=xxx&redirect_uri=http://localhost:8080/oauth/handler" "https://ping.acme.com/as/token.oauth2"
Endpoints and parameters are all product specific! Note that state is left empty in step 1; a real client sends a random state and checks it on the redirect. Passing client_secret on the command line also leaves it in shell history; prefer the HTTP Basic Authorization header read from a secret store.
Discussion
• OAuth2
– Fresh approach to address practical problems in the Internet age
– No panacea - it is not the "be-all & end-all" for security
– Only as secure as its deployment: TLS everywhere, exact redirect_uri matching, state and PKCE, short token lifetimes
– Interoperability concern – mentioned even in the RFC (Section 1.8) https://tools.ietf.org/html/rfc6749
– General discussions: https://en.wikipedia.org/wiki/OAuth
Take Away
• Four Grant Types
• Authorization Code is the "valet parking key"
• Machine-to-machine API calls commonly use the Client Credentials Grant
• Interoperability is a challenge
References
20
• https://docs.mulesoft.com/api-manager/v/2.x/building-an-external-oauth-2.0-provider-application
• https://blogs.mulesoft.com/dev/api-dev/secure-api/
• https://blogs.perficient.com/2017/03/19/oauth-dance-with-mule-external-provider/
• https://blogs.perficient.com/2017/07/03/applying-mule-api-oauth2-security-policy/
Q & A
Thank you!