Date posted: 06-May-2015
Category: Education
Uploaded by: nu-the-open-security-community
OAuth Tokens
By Vindhya N
Contents
Understanding REST
A Web service is a software system designed to support interoperable,
machine-to-machine interaction over a network. In layman's terms, web
services are the calls an application makes to a service on the web to
perform specified actions.
Two major kinds of web services:
1. REST-compliant Web services, in which the primary purpose of the
service is to manipulate XML representations of Web resources using a
uniform set of stateless operations
2. Arbitrary Web services, in which the service may expose an arbitrary
set of operations
REST Web Service
REST is a stateless architecture that uses HTTP, a client-server,
cacheable communication protocol. It is an Application Programming
Interface (API) that performs all its functions using HTTP methods.
Why is OAuth Required?
Consider a 3rd party application, like a gaming app in Facebook.
To log in to the app, you don't want to give it your Facebook password.
Nor can you access the application directly.
So in this case, there needs to be an authorisation process by which
Facebook authorises the 3rd party app.
This authorisation is done by OAuth.
Types of authorisation
1. OpenID:
Decentralised Single Sign-on for the Web
2. Basic Authentication
3. Session based
4. OAuth
What is OAuth?
OAuth is a simple and secure delegation protocol to
access resources on behalf of a user without requiring
them to share passwords.
It is an authorization mechanism
Provides a single point of authentication for multiple
services
Helps in integrating an application with an existing
authentication service.
OAuth Jargon
Client -> 3rd Party Application
Resource Owner -> User (You)
Authorisation Server -> Application you have
logged in to (Facebook, Twitter)
Resource Server -> Server that holds the data
OAuth Mechanisms (Grant Types)
1. Authorisation Code Grant
2. Implicit Grant
3. Resource Owner Password
Credentials Grant
4. Client Credentials Grant
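The first of these mechanisms, the authorisation code grant, is the one the gaming-app scenario above relies on. The following is an added example, not code from the original slides: an in-process simulation of the three parties (resource owner, client, authorisation server) exchanging the messages of that grant as Python calls instead of HTTP requests. The names GamingApp, game.example and the user "alice" are constructed placeholders. It shows the checks a defender expects at each step: the `state` value binds the callback to the client's own login attempt, the code is one-time use, short lived, and bound to the client and redirect URI that requested it, and the token endpoint requires the client secret.

```python
"""Authorisation code grant, simulated in-process (added example)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Role of the site the user is already logged in to (e.g. Facebook)."""

    CODE_TTL = 60  # authorisation codes expire after 60 s (constructed value)

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}   # access_token -> (client_id, user)

    def register_client(self, redirect_uri):
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, state, user):
        """Step 1: the resource owner approves the client; a one-time code is issued."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + self.CODE_TTL)
        # The browser is redirected back to the client carrying code and state.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2: the client trades the code plus its secret for an access token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, code_uri, user, expiry = entry
        if code_client != client_id or code_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user)
        return {"access_token": access_token, "token_type": "bearer"}


class Client:
    """Role of the 3rd party application (the hypothetical GamingApp)."""

    def __init__(self, auth_server, redirect_uri):
        self.auth = auth_server
        self.redirect_uri = redirect_uri
        self.client_id, self.client_secret = auth_server.register_client(redirect_uri)
        self.pending_state = None

    def start_login(self):
        # state ties the later callback to this login attempt (CSRF protection)
        self.pending_state = secrets.token_urlsafe(16)
        return self.pending_state

    def handle_callback(self, redirect_url):
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch: callback is not from our login attempt")
        self.pending_state = None
        return self.auth.token(self.client_id, self.client_secret,
                               params["code"][0], self.redirect_uri)


def run_flow():
    """Runs the complete exchange; returns the token response and the user it maps to."""
    server = AuthorizationServer()
    app = Client(server, "https://game.example/callback")
    state = app.start_login()
    redirect = server.authorize(app.client_id, app.redirect_uri, state, user="alice")
    token_response = app.handle_callback(redirect)
    user = server.tokens[token_response["access_token"]][1]
    return token_response, user


def replay_is_rejected():
    """True when a second redemption of the same code is refused by the server."""
    server = AuthorizationServer()
    app = Client(server, "https://game.example/callback")
    redirect = server.authorize(app.client_id, app.redirect_uri, app.start_login(), user="alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    app.handle_callback(redirect)  # first redemption succeeds
    try:
        server.token(app.client_id, app.client_secret, code, app.redirect_uri)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), replay_is_rejected())
```

Everything the user's password would have protected is reached through the access token, so the token never leaves the server-to-server leg of the exchange and the password is never shown to the client at all.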
Securing OAuth
1. Patch the implementation against all common web application
security vulnerabilities
2. Encrypt all OAuth credentials in transit and at rest
3. OAuth tokens should be random (unguessable)
4. Tokens should be signed with an HMAC
5. Tokens should be short lived
6. Generate verifiable consumer keys
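Points 3 to 6 of this list can be shown together in one piece of code. The following is an added example and not code from the original slides: an access token made of a random identifier plus claims, authenticated with HMAC-SHA256 and carrying an expiry, together with a consumer key that embeds an HMAC tag so the server can reject malformed or forged keys before touching its database. The signing key, the five-minute lifetime and the claim names are constructed placeholders; reading "verifiable consumer keys" as keys with an embedded authentication tag is this example's interpretation of the slide.

```python
"""Random, HMAC-signed, short-lived tokens and self-verifying consumer keys (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)  # kept server-side only (constructed here)
TOKEN_TTL = 300                        # five minutes: short lived (constructed value)


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding; never contains '.', which we use as separator
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, user: str, now: Optional[float] = None) -> str:
    """Random token id plus claims, authenticated with HMAC-SHA256."""
    now = time.time() if now is None else now
    claims = {
        "jti": secrets.token_urlsafe(16),   # random, unguessable token id (point 3)
        "client": client_id,
        "sub": user,
        "exp": int(now + TOKEN_TTL),        # short lived (point 5)
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()  # point 4
    return body + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Returns the claims if the HMAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # constant-time comparison; differing lengths compare unequal
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad split, bad base64, bad JSON
        return None
    if now > claims["exp"]:
        return None
    return claims


def issue_consumer_key() -> str:
    """Consumer (client) key = random part + truncated HMAC tag (point 6)."""
    raw = secrets.token_bytes(12)
    tag = hmac.new(SIGNING_KEY, b"consumer-key:" + raw, hashlib.sha256).digest()[:8]
    return _b64(raw) + "." + _b64(tag)


def consumer_key_is_well_formed(key: str) -> bool:
    """Cheap pre-check: a key whose tag does not verify needs no database lookup."""
    try:
        raw_part, tag_part = key.split(".")
        raw, tag = _unb64(raw_part), _unb64(tag_part)
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, b"consumer-key:" + raw, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    t = issue_token("client-1", "alice")
    print(t, verify_token(t))
    k = issue_consumer_key()
    print(k, consumer_key_is_well_formed(k))
```

The HMAC makes a token self-authenticating, so a resource server holding the key can reject a forged or tampered token without a round trip to the authorisation server; the expiry bounds how long a leaked token stays useful, and the random `jti` keeps tokens unpredictable even though the claims are public.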