Introduction to API security with OAuth 2.0
TRANSCRIPT
Kevin Johnson
Basics
Authentication -> ID card
Authorization -> Driver's Licence
Delegated Authorization
OAuth Flows: Four Primary Grant Types
Authorization Code Grant
Implicit Grant for Browser-Based Client-Side Applications
Resource Owner Password-Based Grant
Client Credentials Grant
Registration of Client App
App-specific info: Redirect URI, client_id, client_secret
Authorization server-specific info: Authorization Endpoint, Token Endpoint
Authorization Code Grant
Authorization Code Grant: Actors
[Diagram: consent form, credentials]
Authorization Code Grant: Moving Parts
[Diagram: consent form, credentials]
Authorization Code Grant: Step 1
[Diagram: consent form, credentials]
Authorization Server: 3 Components
1. Authentication Component
   • Identity Provider (LDAP, Active Directory)
2. Consent Component
   • Consent Server
3. Token Infrastructure Provider
   • Token Values: Access Token, Refresh Token
   • Token Attributes: when created? valid? revoked?
Authorization Code Grant: Step 2
[Diagram: consent form, credentials]
Authorization Code: Auth Endpoint
HTTP GET Request
GET /authorize?response_type=code&
    client_id=123456789&
    redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    scope=followers%20tweet_feed&
    state=aFodshfj(klMN HTTP/1.1
Host: server.oauth_provider.com
Authorization Code: Redirect Endpoint
HTTP Response
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxrhJY654090l&state=aFodshfj(klMN
Authorization Code: Token Endpoint
HTTP POST Request
POST /token HTTP/1.1
Host: server.oauth_provider.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxrhJY654090l&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Authorization Code: Token Endpoint
NOT RECOMMENDED (client_secret sent in the request body instead of the Authorization header):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Authorization Code: Token Endpoint
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
Authorization Code Grant: Step 2
[Diagram: consent form, credentials]
Authorization Code Grant: Step 3
Authorization Code: Resource Server API Call
HTTP GET Request: Bearer Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization Code: Resource Server API Call
HTTP GET Request: MAC Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",
               nonce="274312:dj83hs9s",
               mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
Basics: Implicit Grant Type
[Diagram: consent form, credentials]
Implicit Grant: GET Request for access token
GET /authorize?response_type=token&
    client_id=s6BhdRkqt3&state=xyz&
    redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Implicit Grant: Redirect Response (access token returned in the URL fragment)
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600
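The implicit-grant redirect above delivers the access token in the URL fragment, which a browser never sends to the server that hosts `/cb`; only script on that page can read it. The following is an added example (not code from the slides) showing both views of the same redirect with the WHATWG URL API, which exists in browsers and in Node.js: what the server receives, and how the page script extracts and validates the token. The redirect URL is the constructed one from the slide.

```javascript
// What the server hosting /cb sees when the browser follows the redirect:
// path and query only; the fragment stays in the browser.
function serverVisiblePart(redirectUrl) {
  const url = new URL(redirectUrl);
  return url.pathname + url.search;
}

// What script running on /cb can read: the parameters in the fragment.
function parseImplicitRedirect(redirectUrl, expectedState, now = Date.now()) {
  const url = new URL(redirectUrl);
  const params = new URLSearchParams(url.hash.slice(1)); // drop the leading '#'
  const err = params.get('error');
  if (err) throw new Error('authorization failed: ' + err);
  // Same CSRF defence as the code grant: the response must carry the state
  // this page generated before sending the user to the authorization server.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: ignoring token');
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType) throw new Error('no access token in fragment');
  const expiresIn = Number(params.get('expires_in'));
  // In a real page, clear the fragment once it has been read
  // (history.replaceState) so the token does not linger in browser history;
  // omitted here so the example also runs outside a browser.
  return {
    accessToken,
    tokenType,
    expiresAt: params.has('expires_in') && Number.isFinite(expiresIn) ? now + expiresIn * 1000 : null,
  };
}

// Constructed sample: the redirect from the slide.
const sampleRedirect = 'http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600';
console.log(serverVisiblePart(sampleRedirect));          // "/cb"
console.log(parseImplicitRedirect(sampleRedirect, 'xyz'));
```

Because the token lives only in the page, it is exposed to any script that runs there and cannot be protected by a client secret, which is why this grant is limited to browser-based clients that cannot keep a secret.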
Criticism
Criticism: Lack of Interoperability
Many optional components
Partially/fully undefined components: client registration, authorization server capabilities, endpoint discovery
"Future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability."
Framework <-> Protocol
Criticism: Outdated
Designed for 2006: hosted-application centric (mobile, native, JS)
Criticism: Bearer Tokens
Don't put your eggs in one basket
Defense in Depth is the humble realization that, of all the security measures you implement, a few will fail because of your own stupidity. It's good to have a few backups, just in case.
Alternative: Oz
Three JS modules:
Iron: takes a JavaScript object and turns it into a verifiable encoded blob.
Hawk: a client-server authentication protocol providing a rich set of features for a wide range of security needs.
Oz: leverages the other two.
Oz:
Builds on top of the experience of OAuth 1.0/2.0
Highly opinionated decisions
Client-side cryptography: Hawk
Functional Imperative
functionalimperative.com | (647) 405-8994 | @func_i