
Who Are You 20120922

Date post: 20-Aug-2015
Category:
Upload: mattias-jidhage
Transcript
Page 1: Who Are You 20120922

© Copyright Omegapoint AB 2011

2011-05-06

Who Are You?

CSI @mjidhage

Saturday, September 22, 12

Page 2: Who Are You 20120922


Detour


Page 3: Who Are You 20120922


Agenda (slide diagram, start to stop): REST, OAUTH, SUMAUTH, CASE?

Page 4: Who Are You 20120922


REST

• wiki: a style of software architecture for distributed systems
• Client–server, Stateless, Cacheable, Layered system, Code on demand (optional), Uniform interface

“Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web”

Page 5: Who Are You 20120922


REST

Richardson Maturity Model

• Level 0: SOAP, XML-RPC, POX – single URI
• Level 1: URI Tunnelling – many URIs, single verb
• Level 2: many URIs, many verbs – CRUD services (e.g. Amazon S3)
• Level 3: Level 2 + Hypermedia – RESTful service, HATEOAS

Page 6: Who Are You 20120922


What’s the problem?


“The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.”


Page 7: Who Are You 20120922


Authentication?

• Identification
• Authentication
• Authorization


Page 8: Who Are You 20120922


Authentication + REST

Basic Authentication – send user+pass, base64 encoded, in the HTTP Authorization header

Digest Authentication – a hash of user+pass+other stuff (server nonce, request URI, ...) in the HTTP header

Client Certificates – the client proves possession of its private key (TLS client authentication), or signs content with it

NTLM/SPNEGO – didn’t bother - no news since 2005

Session based – classic form based login and a session id (cookie, URL, hidden field)

Token based – OpenID, SAML, OAuth


Page 9: Who Are You 20120922


What to choose?


Page 10: Who Are You 20120922


Scope cut

(Slide diagram: a matrix of client type - web, smartphone - against deployment - internal, external.)

Page 11: Who Are You 20120922


Authentication + REST

Basic Authentication – send user+pass, base64 encoded, in the HTTP header

Digest Authentication – hashed user+pass+other stuff in the HTTP header

Client Certificates – sign with the client private key

NTLM/SPNEGO – didn’t bother - no news since 2005

Session based – form based login

Token based – OpenID, SAML, OAuth


Page 12: Who Are You 20120922


Basic Authentication

Benefits: simple; libraries available for every occasion; tested

Problems:

Password sharing anti-pattern • users get trained to give the password away

The app or site stores the password • a stolen device has user/pass locally stored - a hacked site too

No access granularity • it’s all or nothing

Access revocation is a manual process • and universal

A mistake in HTTPS leaks user/pass forever and ever • stored in the browser until the tab or browser is closed • automatic submission of the BA header if MitM?

Changing the password (which is sometimes necessary...) revokes all access

HTTP header: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
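The header above decodes with any base64 tool, which is what the “leaks user/pass” bullets are about. The Python below is an added example, not code from the slides or from Omegapoint: it builds and parses the Basic credential, recovering the slide’s own user and password from that header value, and shows the minimum a server should do with it on every request, since every request carries the password: reject malformed values and compare in constant time. The USERS table and the dummy comparison for unknown users are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed user table for the example: a real service stores a salted
# password hash here, never the clear-text password.
USERS = {"Aladin": "sesam open"}


def make_basic_header(user, password):
    """Client side: the value a browser or HTTP library puts in the Authorization header."""
    if ":" in user:
        raise ValueError("RFC 7617: the user-id must not contain ':'")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: a proxy log, a browser cache or a
    TLS-stripping man-in-the-middle that sees this header has the password.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")   # first ':' splits user-id from password
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def check_basic(header_value):
    """Server side: return the authenticated user name, or None.

    There is no session and no token, so this runs on every call and must not
    leak timing about how much of the password matched.
    """
    try:
        user, password = decode_basic_header(header_value)
    except ValueError:
        return None
    supplied = password.encode()
    expected = USERS.get(user)
    if expected is None:
        # Burn the same comparison time for unknown users as for known ones.
        hmac.compare_digest(supplied, b"\0" * len(supplied))
        return None
    return user if hmac.compare_digest(supplied, expected.encode()) else None


if __name__ == "__main__":
    header = "Basic QWxhZGluOnNlc2FtIG9wZW4="   # the value from the slide
    print(decode_basic_header(header))
    print(check_basic(header), check_basic(make_basic_header("Aladin", "wrong")))
```

The decode function is the attacker’s view of the header and the check function is the server’s; nothing in between hides the credential, which is why the slide’s revocation and granularity problems follow directly from the scheme.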


Page 13: Who Are You 20120922


Token based

Benefits: no user/pass disclosed; granularity; revocation; separation of duties

Problems: standards under development; no complete solution stack

OAuth delivers authorization; OpenID or an own solution for authentication


Page 14: Who Are You 20120922


Page 15: Who Are You 20120922

What?

A simple, open standard for secure API authorization (not authentication).

Makes it possible to share private information stored on one website with another website


Page 16: Who Are You 20120922


When?

• 2006-11 Blaine Cook, Twitter, started working on Twitter’s OpenID implementation.

• 2007-04 A Google group started to write a draft protocol specification

• 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification

Page 17: Who Are You 20120922


When?

• 2007-12 Initial version OAuth 1.0 ready, mainly based on the Flickr Auth API and Google AuthSub

• 2009-06 Revised version 1.0a due to a security flaw (a session fixation attack on the authorization step; 1.0a adds the oauth_verifier), http://oauth.net/core/1.0a

• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”

• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31: a new protocol, not backward compatible with OAuth 1; simplify and create a better user experience; less secure due to no digital signature? (bearer tokens rely entirely on TLS)

Page 18: Who Are You 20120922


Who?


Page 19: Who Are You 20120922


Why?


Page 20: Who Are You 20120922


Lisa


Page 21: Who Are You 20120922


Lisa

Information


Page 22: Who Are You 20120922


Lisa


Page 23: Who Are You 20120922


Lisa

Service Provider


Page 24: Who Are You 20120922


Lisa


Page 25: Who Are You 20120922


Lisa

Consumer


Page 26: Who Are You 20120922


Lisa


Page 27: Who Are You 20120922


Why?

(The speaker icons were lost in extraction; the lines marked “fake” on the slide belong to the fake print service.)

Fake print service: Hi Lisa, what’s your username?

Lisa: Hmm, don’t know - could it be, [email protected]?

Fake print service: Ok, great! What’s your password?

Lisa: h4pp1n3ss

Fake print service: Perfect! We’ll steal your paypal and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.

Page 28: Who Are You 20120922


How?

Authorization in 5 easy steps

1. Intent
2. Request Token
3. Authorize Request Token
4. Exchange Token
5. Access Data

Page 29: Who Are You 20120922


Step 1: Intent

(Speaker names below are the ones the Take Away slide gives: Lisa, Moo the print shop, Flickr the service provider.)

Lisa: Hi, Moo! I would like to order printouts of some of my photos on Flickr, they are marked as private. Could you please print them?

Moo: Sure, we just need to ask permission from Flickr.

Page 30: Who Are You 20120922


Step 2: Request Token

Moo: Hi Flickr! This is Moo speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)

Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”

Moo: Thanks!

Page 31: Who Are You 20120922


Step 3: Authorize Request Token

Moo: Hi Lisa, could you please go to Flickr to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your pictures.

Lisa: Sure, just redirect my browser and I will be done in a second!

Page 32: Who Are You 20120922


Step 3, Continued

Lisa: Flickr, I would like to authorize 9iKot2y5UQTDlS2V

Flickr: Sure - to be on the safe side; you are allowing Moo to read your private pictures? We trust them, so there are no issues from our side.

Lisa: Yes, that is correct!

Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.

Page 33: Who Are You 20120922


Step 3, Optional Notify

Lisa: Hi Moo, I just told Flickr that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.

Moo: Perfect, thank you!

Page 34: Who Are You 20120922


Step 4: Exchange Token

Moo: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)

Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”

Moo: Perfect, thank you!

Page 35: Who Are You 20120922


Step 5: Access Data

Moo: Hi Flickr, I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)

Flickr: Here they are Moo, anything else?
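Each of Moo’s messages to Flickr in steps 2, 4 and 5 carries the tag “HMAC-SHA1 (Yours Truly, Moo.)”: the request is signed with a key built from the consumer secret and the current token secret, so a request token or access token alone is useless without its secret, and Flickr never sees Lisa’s password. The Python below is an added example, not the slides’ or Omegapoint’s code, and follows RFC 5849: it builds the signature base string, signs it with HMAC-SHA1, and verifies it on the service-provider side with a timestamp window and a nonce replay check. The consumer key and secret, the endpoint URL and the fixed demo timestamp are made up; the access token and its secret are the values Flickr hands out in step 4. One caveat the dialogue leaves out: since 1.0a, step 4 must also carry the oauth_verifier that the service provider hands back at the end of step 3, which is the fix for the 2009 session fixation flaw.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials: the access token and its secret are the values Flickr
# hands out in step 4 of the slides; the consumer key and secret are made up.
CONSUMER_KEY = "moo-consumer-key"
CONSUMER_SECRET = "moo-consumer-secret"
ACCESS_TOKEN = "94S3sJVmuuxSPiZz"
ACCESS_TOKEN_SECRET = "4Fc8bwdKNGSM0iNe"


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay raw."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base-string-URI & normalized parameters.

    `params` carries the oauth_* protocol parameters and any form-body parameters
    (dict or list of pairs); query parameters come from `url`. oauth_signature and
    realm are never part of the base string.
    """
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    base_uri = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    items = params.items() if isinstance(params, dict) else params
    pairs += [(k, v) for k, v in items if k not in ("oauth_signature", "realm")]
    # Encode each name and value first, then sort by encoded name, then encoded value.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key = pct(consumer secret) '&' pct(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, oauth_token, token_secret, body_params=None, now=None, nonce=None):
    """Consumer side (Moo): add the oauth_* parameters and sign the request."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": oauth_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params.update(body_params or {})
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), CONSUMER_SECRET, token_secret)
    return params


class ServiceProvider:
    """Service-provider side (Flickr): recompute the signature, reject stale and replayed requests."""

    def __init__(self, consumer_secret, token_secrets, window_seconds=300):
        self.consumer_secret = consumer_secret
        self.token_secrets = token_secrets   # oauth_token -> token secret
        self.window = window_seconds
        self.seen = set()                    # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        token_secret = self.token_secrets.get(params.get("oauth_token", ""))
        try:
            timestamp = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if token_secret is None or abs(now - timestamp) > self.window:
            return False
        replay_key = (params.get("oauth_consumer_key", ""), timestamp, params.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False
        expected = hmac_sha1_signature(
            signature_base_string(method, url, params), self.consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True


def demo(now=1348300800):
    """Step 5 round trip: a signed fetch, a replay of it, and a re-signed copy with an altered URL."""
    flickr = ServiceProvider(CONSUMER_SECRET, {ACCESS_TOKEN: ACCESS_TOKEN_SECRET})
    url = "https://api.example.test/photos?privacy=private"    # hypothetical endpoint
    signed = sign_request("GET", url, ACCESS_TOKEN, ACCESS_TOKEN_SECRET, now=now, nonce="7d8f3e4a")
    accepted = flickr.verify("GET", url, signed, now=now)
    replayed = flickr.verify("GET", url, signed, now=now)               # same nonce and timestamp
    fresh = sign_request("GET", url, ACCESS_TOKEN, ACCESS_TOKEN_SECRET, now=now, nonce="9c1e5b2f")
    tampered = flickr.verify("GET", url.replace("private", "public"), fresh, now=now)
    return accepted, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

The signature covers the method, the URL and every parameter, so an intercepted request cannot be re-pointed at another resource, and the nonce set plus timestamp window stops it from being replayed inside the window; the same functions, with an empty token secret, sign the step 2 request-token call.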


Page 36: Who Are You 20120922


Take Away

No information about Lisa’s identity is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are.

API independent: there are lots of different implementations on both the client and the server side


Page 37: Who Are You 20120922


Reality & Creativity

“OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.”

This is NOT the only way OAuth is used...

Page 38: Who Are You 20120922


Case 1: Twitter, OAuth 1.0(a)

Page 39: Who Are You 20120922


Authentication & Authorization

2 basic methods:

REST API - OAuth signed or unauthenticated requests
Search API (query keyword) - unauthenticated requests
Stream API (realtime firehose) - OAuth signed or HTTP Basic authenticated requests

Page 40: Who Are You 20120922


REST API: Tweets, Timelines (set of tweets), Direct Messages, Friends & Followers, Users, Suggested Users, Favorites, Lists, Accounts, Notifications, Saved searches, Places & Geo, Trends, Block, Spam, OAuth, Help, Legal, Deprecated

Page 41: Who Are You 20120922


OAuth API

POST oauth/request_token – server gets a request token (oauth_callback)

GET oauth/authenticate – client redirect, “Sign in with Twitter” (oauth_token)

GET oauth/authorize – client redirect, “3-legged authentication” (oauth_token)

POST oauth/access_token – server gets an access token (oauth_verifier)

Page 42: Who Are You 20120922


OAuth (the dev.twitter.com decision table)

Want to offer a "Sign in with Twitter" button on your website... → Sign in with Twitter (authenticates)

Want to read or post Twitter data on behalf of visitors to your website... → 3-legged OAuth (authorize)

Have a mobile, desktop, or embedded app which can't access a browser... → PIN-based OAuth (no redirect URL)

Just want to access the API from your own account... → dev.twitter.com (N/A)

NEED to use usernames/passwords AND have been approved for xAuth... → xAuth (authenticates)

Offer an API where clients send you data on behalf of Twitter users... → OAuth Echo (API delegate)

Have an iOS5-based integration and need access tokens for server-side integrations... → Using Reverse Auth (local iOS account)

Page 43: Who Are You 20120922


Mobility: Native application

Secure way: redirect to the browser, authorize/authenticate (NB! Not an embedded UI View!), redirect back to the app. Possible without multitasking?

Not so secure way: xAuth. Works if there is trust between app and API (internal enterprise solution)

Alternative? For a 3rd party app that absolutely does not want to use an external browser: use the Twitter app?

Page 44: Who Are You 20120922


Mobility: HTML5 application

Redirect to auth-site, redirect to app-site

Page 45: Who Are You 20120922


Case 2: Facebook Graph API - OAuth v2 draft 14 (January 2011)

Page 46: Who Are You 20120922


OAuth

• Authentication in native Android apps
• Authentication in native iOS apps
• Authentication within a Page Tab on www.facebook.com
• Authentication within a Canvas Page on apps.facebook.com
• Authentication for Websites & Mobile Web apps using Javascript (client-side flow)
• Authentication for Websites & Mobile Web apps using a Server (server-side flow)
• Authentication for devices without access to a browser

(Slide annotations next to the list: authenticate/authorize, facebook app, facebook spec, PIN.)

Page 47: Who Are You 20120922


Mobility

Native application

Standard is using the Facebook app: if not logged in - log in (app); if logged in but not authorized - pop the authorization question (app). If there is no Facebook app: redirect to web.

HTML5 application

Redirect to auth-site, redirect to app-site

Reflection

Page 48: Who Are You 20120922


Case 3: Home brew OAuth-style authentication, built around a TVM (token vending machine)

Page 49: Who Are You 20120922


Anonymous TVM (token vending machine, no user identity)

Page 50: Who Are You 20120922


Identity TVM (token vending machine that authenticates the user first)

Page 51: Who Are You 20120922


Mobility

Native application - identity TVM: log in towards the TVM to collect a token, then use the token towards the API

Page 52: Who Are You 20120922


OAuth 2.0, rev 31 (draft-ietf-oauth-v2-31)

Page 53: Who Are You 20120922


OAuth 2.0


Page 54: Who Are You 20120922


6 Flows (the slide titles this “RFC 5849”, but RFC 5849 is OAuth 1.0; these six flows come from the early OAuth 2.0 drafts. Draft 31 consolidates them into four grant types, authorization code, implicit, resource owner password credentials and client credentials, plus extension grants such as assertions, and the device flow was moved to a separate specification.)

• User-Agent Flow – for clients running inside a user-agent (typically a web browser).

• Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.

• Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.

• Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.

• Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.

• Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
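The Web Server Flow is what draft 31 calls the authorization code grant, and it is the flow behind most “Log in with …” buttons. The Python below is an added example, not Facebook’s, Twitter’s or Omegapoint’s code, that runs both sides of that grant in one process: the client redirects with a state value, the authorization server validates client_id and an exact-match redirect_uri, issues a short-lived one-time code, and the token endpoint authenticates the client before redeeming the code. The client registration, the client name moo-web, the redirect URI and the scope name are constructed. The three failure cases at the end are the checks that make the flow hold up without OAuth 1’s request signatures: a callback with an unknown state is rejected (CSRF), a code can be redeemed only once, and an unregistered redirect_uri is refused before any redirect happens.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration for the example (not any real provider's data).
REGISTERED_CLIENTS = {
    "moo-web": {"secret": "moo-client-secret",
                "redirect_uris": {"https://moo.example/cb"}},
}


def first_values(query):
    """Flatten a query string into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


class AuthorizationServer:
    """Authorization code grant (draft-ietf-oauth-v2-31 section 4.1), reduced to the checks that matter."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients
        self.code_ttl = code_ttl
        self.codes = {}      # code -> (client_id, redirect_uri, scope, expires_at)
        self.tokens = {}     # access_token -> (client_id, scope)

    def authorize(self, query, approved=True, now=None):
        """Authorization endpoint. Returns the redirect URL the browser is sent to."""
        q = first_values(query)
        client = self.clients.get(q.get("client_id", ""))
        # redirect_uri must match a registered value exactly (section 3.1.2.2); otherwise an
        # attacker-chosen URI would receive the code. On failure, show an error, never redirect.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        params = {"state": q.get("state", "")}     # state is echoed back untouched
        if q.get("response_type") != "code":
            params["error"] = "unsupported_response_type"
        elif not approved:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            expires_at = (time.time() if now is None else now) + self.code_ttl
            self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""), expires_at)
            params["code"] = code
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint. Authenticates the client, then redeems the code at most once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)     # pop: a second redemption finds nothing
        now = time.time() if now is None else now
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri or now > entry[3]:
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[2])
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600, "scope": entry[2]}


class WebClient:
    """Confidential client running on a web server (the draft's Web Server Flow)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()    # one entry per user session that started a login

    def start(self, scope):
        state = secrets.token_urlsafe(16)      # binds the callback to this session (section 10.12)
        self.pending_states.add(state)
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url, auth_server):
        q = first_values(urlsplit(redirect_url).query)
        if q.get("state") not in self.pending_states:
            return {"error": "state mismatch, possible CSRF"}
        self.pending_states.discard(q["state"])
        if "error" in q:
            return {"error": q["error"]}
        return auth_server.token(self.client_id, self.client_secret, q.get("code", ""), self.redirect_uri)


def demo():
    """Happy path plus three failure cases: code reuse, forged state, unregistered redirect_uri."""
    auth = AuthorizationServer(REGISTERED_CLIENTS)
    moo = WebClient("moo-web", "moo-client-secret", "https://moo.example/cb")
    redirect = auth.authorize(moo.start("photos.read"))      # the user approves at the provider
    code = first_values(urlsplit(redirect).query)["code"]
    good = moo.callback(redirect, auth)                       # bearer token issued
    reused = auth.token("moo-web", "moo-client-secret", code, "https://moo.example/cb")
    forged = moo.callback("https://moo.example/cb?code=x&state=guess", auth)
    try:
        auth.authorize(urlencode({"response_type": "code", "client_id": "moo-web",
                                  "redirect_uri": "https://evil.example/cb", "state": "s"}))
        bad_redirect_refused = False
    except ValueError:
        bad_redirect_refused = True
    return good, reused, forged, bad_redirect_refused


if __name__ == "__main__":
    print(demo())
```

Everything the access token protects then rests on TLS between the three parties, which is the trade the “less secure due to no digital signature?” question on the earlier slide is pointing at.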


Page 55: Who Are You 20120922


Conclusion

Tokens are great! Authentication is hard.

switch (scenario) {
  case 3rd party native client consumes your enterprise API:
    Make sure the 3rd party uses an external browser for authentication;
    Alternative is to create your own enterprise app on the mobile device;
  case own app consumes a service API to access the resource owner’s stuff:
    Pop an external browser - because it’s the good thing to do;
  case you are the resource owner:
    Do not hand out your user & pass to untrusted parties;
  case your app consumes your API:
    see the 3rd party options; add xAuth, Identity TVM, Username and Password flow;
}

In comparison - Web is easy!

How2 enforce?

Page 56: Who Are You 20120922


Thank You

@mjidhage

Related talks:

@weeUnquietMind - GLUE Conference - ‘Is that a token in your phone in your pocket or are you just glad to see me?’

@webtonull - JavaZone - ‘RESTful Security’

@rickardoberg - JFokus - ‘Road to REST’

@bebb00 - OPKoKo 2010 - ‘OAuth’

@jancalmered - OPKoKo 2010 - ‘OAuth’

?