Protecting web APIs with OAuth 2.0

Post on 04-Jul-2015


DESCRIPTION

How to control access to web APIs and other protected resources with OAuth 2.0, and how to identify users with OpenID Connect. The lecture is intended for web architects and programmers, as well as for all developers who want to learn more about the new web protocols for authorisation and authentication.

TRANSCRIPT

Protecting web APIs with

OAuth 2.0

Vladimir Dzhuvinov

Your cool web API

Bearer Token

HTTPS request with a bearer token

GET /client-reg HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

(the Authorization header carries the token type, "Bearer", followed by the token value)

Successful HTTP response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{ … }

On missing token

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

On invalid / expired token

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token"

On token with insufficient privileges

HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope"

See RFC 6750

[ http://tools.ietf.org/html/rfc6750 ]

To learn more about bearer token usage

Your Web API

How does your web API decode the access tokens?

Typical authorisation attributes associated with an access token

● Scope: e.g. read, write, admin...

● Expiration time
● User ID
● Client ID
● Issuer

The 2 possible token encodings

● Self-contained:

– Require RSA signature verification, < 1 ms

– Scale extremely well

● Identifier-based:

– Require web API lookup, ~100+ ms

– Don't scale well, avoid

JSON Web Tokens (JWT)

eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2lkIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hope7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU

Syntax:

BASE64URL(header) + "." + BASE64URL(JSON-claims) + "." + BASE64URL(RSA-signature)

JSON Web Tokens (JWT)

Header

{ "alg": "RS256", "kid": "1" }

Claims

{
  "sub": "alice",
  "cid": "000123",
  "iss": "https://connect2id.com",
  "exp": 1414065134,
  "iat": 1414064534,
  "scp": [ "read", "write", "admin" ]
}

Signature (RSA)

fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Cc

See draft-ietf-oauth-json-web-token-29

[ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]

To learn more about JWT
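The bearer-token responses above and the JWT layout in this section, as an added example that is not from the talk or from the Nimbus library: a Go program that mints an RS256-signed access token the way an authorisation server would, then has the web API verify the signature, issuer, expiry and scope and map the outcome to the RFC 6750 status codes (401 for a missing or invalid token, 403 for insufficient scope). It assumes a single signing key with kid "1"; the Mint and Authorize functions and the issuer URL are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding
// The one JOSE header this API issues and accepts (a single RS256 key, kid "1");
// matching it verbatim pins the algorithm before any signature work happens.
var header = b64.EncodeToString([]byte(`{"alg":"RS256","kid":"1"}`))

// Mint signs claims as BASE64URL(header) "." BASE64URL(claims) "." BASE64URL(RSA-signature).
func Mint(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, _ := json.Marshal(claims)
	in := header + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), err
}

// Authorize maps a bearer token to the RFC 6750 status a web API should send: 401 for a missing,
// malformed, badly signed, foreign-issuer or expired token (error="invalid_token"), 403 when the
// required scope is absent (error="insufficient_scope"), 200 otherwise.
func Authorize(pub *rsa.PublicKey, token, issuer, scope string, now int64) int {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return 401
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return 401 // claims are not even decoded until the signature checks out
	}
	var c struct{ Iss string; Exp int64; Scp []string } // encoding/json matches iss/exp/scp case-insensitively
	cb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || c.Iss != issuer || now >= c.Exp {
		return 401
	}
	for _, s := range c.Scp {
		if s == scope {
			return 200
		}
	}
	return 403
}
```

The signature check takes one RSA verification and no network round trip, which is the "self-contained" scaling argument from the previous slide.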

http://connect2id.com/products/nimbus-jose-jwt

Thousands of deployments, tens of reviewers and contributors

Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical Schools, unnamed banks, etc.

The ultimate Java library for JWT

Who issues the access tokens?

Your authorisation server

[Diagram] OAuth 2.0 server: authenticates users and clients, issues tokens. Clients (mobile app, web app, native app) obtain tokens from it and present them to the web APIs. Web APIs service requests and need only understand access tokens.

The OAuth 2.0 grants

● Authorisation code – require browser for end-user interaction

● Implicit – for browser (JS) based apps
● Password – for native apps
● Client credentials – for clients acting on their own behalf
● Assertions:

– SAML 2.0 Bearer

– JWT Bearer

See RFC 6749

[ http://tools.ietf.org/html/rfc6749 ]

To learn more about OAuth 2.0

OpenID Connect

● Identity layer on top of the OAuth 2.0 framework
● The server issues an ID token in addition to the access token:
  – The ID token is a signed JWT with claims:
    ● Subject – the end-user ID
    ● Issuer – the authority
    ● Issue and expiration date
    ● Audience – the intended recipients
    ● Authentication strength and methods

ID token claims

{
  "sub"        : "alice",
  "iss"        : "https://connect2id.com",
  "iat"        : 1414076589,
  "exp"        : 1414077489,
  "aud"        : [ "000123" ],
  "ip_address" : "10.20.30.40",
  "acr"        : "1",
  "amr"        : [ "ldap" ]
}

See OpenID Connect 1.0 Core

OpenID Connect 1.0 Discovery
OpenID Connect 1.0 Dynamic Registration
OpenID Connect 1.0 Session Management

[ http://openid.net/connect/ ]

To learn more about OpenID Connect
