Mobile authentication and authorisation: OpenID and OAuth
A project presentation about the use of OpenID and OAuth with mobile devices.

Transcript

1
Mobile authentication and authorisation: OpenID and OAuth
SecureApps user group meeting
27/05/2014
2
Overview
• Motivation
• OpenID
• OAuth
• On the mobile
o OpenID
o OAuth
o Getting the user name and password
• Conclusion: the difference
3
Motivation
• Knowing your user
o Attribute-based access control (e.g. age verification)
o Personalisation (e.g. location-based services)
• Modern services and mobile apps:
o … blend different resources (pictures, social network posts, documents, geographical data,…)
o … which are spread across providers
• Can our app access the user’s resources
o … on his behalf?
o … without asking for his credentials!
o … with fine-grained permissions?
4
OpenID: what is it?
• Authentication and single sign-on protocol
• 2009: > 1 billion OpenID-enabled accounts
• Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress,…
• Alternative: SAML-based setups
o Belgian eGov Login
o Shibboleth
[Figure: identity provider, service providers and user]
5
OpenID: how does it work?
Actors: User, User’s browser, Identity provider (IdP), Service provider
1. Request service
2. Prompt for IdP URI (IdP discovery step)
3. Provide IdP URI (IdP discovery step)
4. Redirect to IdP
5. Prompt for authentication
6. Authenticate
7. Assert attributes and redirect
8. Grant access
6
OpenID: trust establishment
• Why?
o IdP: who may request user data?
o SP: which IdP’s info can I rely on?
• SAML
o Offline mutual trust agreement
o Digitally signed assertions
• OpenID
o Initially: none (full user control)
o Now: unilateral trust of SPs in major IdPs
https://www.google.com/account
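The two slides above describe the browser SSO flow and the trust question (which IdP may an SP rely on, and how does the SP know an assertion really came from that IdP). The following is an added example, not code from the presentation: a small Python simulation of the flow in which the IdP signs its assertion with a MAC key shared during an association (as OpenID 2.0 does) and the SP applies the "unilateral trust" decision from slide 6 as an allow-list of IdP endpoints. All endpoints, user names, passwords and the age attribute are constructed; the association key exchange itself is omitted.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def sign(key, fields, signed):
    """MAC over the listed fields, in the order named by the 'signed' list."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in signed.split(",")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates the user (step 6) and asserts attributes (step 7)."""

    def __init__(self, endpoint, users):
        self.endpoint = endpoint
        self.users = users            # username -> (password, attributes); constructed
        self.associations = {}        # association handle -> shared MAC key

    def associate(self):
        # Association: SP and IdP agree a shared MAC key up front, so the SP can
        # verify assertions locally (OpenID 2.0 style; the key exchange is omitted).
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def authenticate_and_assert(self, handle, username, password, return_to):
        if username not in self.users or self.users[username][0] != password:
            return None               # step 6 failed: no assertion is issued
        fields = {
            "op_endpoint": self.endpoint,
            "return_to": return_to,
            "claimed_id": f"{self.endpoint}/{username}",
            "assoc_handle": handle,
            "age": self.users[username][1]["age"],
            "nonce": f"{int(time.time())}-{secrets.token_hex(4)}",
        }
        fields["signed"] = ",".join(sorted(fields))
        fields["sig"] = sign(self.associations[handle], fields, fields["signed"])
        return return_to + "?" + urlencode(fields)     # step 7: redirect with assertion


class ServiceProvider:
    """Relies on asserted attributes, but only from IdPs it has chosen to trust."""

    REQUIRED = {"assoc_handle", "op_endpoint", "return_to", "nonce",
                "signed", "sig", "claimed_id", "age"}

    def __init__(self, return_to, trusted_idps):
        self.return_to = return_to
        self.trusted_idps = set(trusted_idps)
        self.assocs = {}              # handle -> (IdP endpoint, shared key)
        self.seen_nonces = set()

    def start_login(self, idp):
        # Steps 2-4: the user named an IdP; apply the SP's unilateral trust
        # decision before redirecting the browser there.
        if idp.endpoint not in self.trusted_idps:
            raise PermissionError("IdP not trusted by this service provider")
        handle, key = idp.associate()
        self.assocs[handle] = (idp.endpoint, key)
        return handle

    def verify_assertion(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if not self.REQUIRED <= set(q):
            return None               # incomplete assertion
        assoc = self.assocs.get(q["assoc_handle"])
        if assoc is None or assoc[0] != q["op_endpoint"]:
            return None               # unknown association or IdP mismatch
        if q["return_to"] != self.return_to:
            return None               # assertion was meant for another site
        if q["nonce"] in self.seen_nonces:
            return None               # replayed assertion
        try:
            expected = sign(assoc[1], q, q["signed"])
        except KeyError:
            return None               # a field named as signed is missing
        if not hmac.compare_digest(expected, q["sig"]):
            return None               # tampered or forged assertion
        self.seen_nonces.add(q["nonce"])
        return {"claimed_id": q["claimed_id"], "age": int(q["age"])}


def demo():
    """Runs the happy path plus tampering, replay, bad password and untrusted IdP."""
    idp = IdentityProvider("https://idp.example", {"alice": ("pw", {"age": 25})})
    rogue = IdentityProvider("https://rogue.example", {"alice": ("x", {"age": 99})})
    sp = ServiceProvider("https://sp.example/login", ["https://idp.example"])
    out = {}
    handle = sp.start_login(idp)
    url = idp.authenticate_and_assert(handle, "alice", "pw", sp.return_to)
    out["tampered"] = sp.verify_assertion(url.replace("age=25", "age=40"))
    out["ok"] = sp.verify_assertion(url)
    out["replay"] = sp.verify_assertion(url)
    out["bad_password"] = idp.authenticate_and_assert(sp.start_login(idp), "alice", "nope", sp.return_to)
    try:
        sp.start_login(rogue)
        out["rogue"] = "accepted"
    except PermissionError:
        out["rogue"] = "rejected"
    return out
```

The SP checks four things the slides' flow relies on: that it started the login with this IdP (association handle and endpoint match), that the assertion was addressed to it (return_to), that it has not seen the assertion before (nonce), and that the attributes were not altered in transit (MAC). Changing the asserted age in the redirect URL, or presenting the same assertion twice, makes the SP reject it.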
7
OAuth 2.0: what is it?
• Authorisation protocol
• IETF RFC 6749
• Resource access
o on behalf of the user
o with consent of the user
o limited in time and scope
• Widely supported: Amazon, Dropbox, Facebook, Flickr, Google, LinkedIn, Netflix, PayPal,…
• Plain HTTP requests
8
OAuth: protocol flow
Actors: Resource owner, Client, Resource provider (Authorisation server, Resource server)
5: Authorisation code grant
6: Access token
7: Access token
8: Protected resource
9
OAuth: protocol flow
• Client never sees user name and password
• Access token
o transferred and stored securely
o limited in time and scope
10
OAuth: protocol flow
4 grant types
• Authorisation code grant
• Resource owner password credentials
• Implicit grant
• Client credentials grant
11
OpenID in a mobile app
• Only few mobile uses:
o Browser-based single sign-on, same as non-mobile
o Can be used to authenticate within OAuth, but most logins proprietary
• How to integrate (same flow as browser SSO):
o as in-app library
o as in-app Web View
o in a centralised account repository
• Android: Account Management API
• iOS: Accounts Framework
Protocol deployment and implementation differences
14
OAuth in a mobile app
Mobile device: Resource owner, Client app, Authentication component
Resource provider: Authorisation server, Resource server
5: Authorisation code grant
6: Access token
7: Access token
8: Protected resource
15
OAuth in a mobile app
• Use cases:
o Resource retrieval at own service
o Resource retrieval at 3rd party service
o Authentication to Client
• No proof of identity or account ownership!
• No standardised mechanism for attribute provisioning
• How to integrate:
o centralised account repository
o libs by resource providers
o 3rd-party libs
o own implementation
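The protocol-flow slides (steps 5 to 8, the authorisation code grant, and the access token "limited in time and scope") and the warning on this slide that using OAuth to authenticate to the client gives "no proof of identity or account ownership" can both be shown in one simulation. The following is an added example, not code from the presentation: an in-memory authorisation server, a resource server that enforces scope and expiry, and two versions of a client-side "log in with OAuth" check, a naive one and one that refuses tokens the authorisation server issued to a different client. Client ids, secrets, redirect URIs, the `photos.read` scope, the lifetimes and the photo data are all constructed; the `introspect` lookup plays the role of a token introspection endpoint.

```python
import secrets
import time

CODE_TTL = 60      # lifetime of an authorisation code, seconds (constructed value)
TOKEN_TTL = 3600   # lifetime of an access token, seconds (constructed value)


def _clock(now):
    return time.time() if now is None else now


class AuthorisationServer:
    """Authenticates the resource owner, records consent, issues codes and tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect URI)
        self.codes = {}     # authorisation code -> pending grant
        self.tokens = {}    # access token -> metadata (client, user, scope, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorise(self, client_id, redirect_uri, scope, user, now=None):
        # The user logs in and consents here; the client only receives the code
        # carried back on the redirect (step 5), never the password.
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            return None                   # unknown client or unregistered redirect URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope), "user": user,
                            "expires": _clock(now) + CODE_TTL}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        # Step 6: the client exchanges the code for an access token over a direct
        # request, authenticating with its client secret. A code is single use.
        now = _clock(now)
        grant = self.codes.pop(code, None)
        secret = self.clients.get(client_id, (None, None))[0]
        if (grant is None or now > grant["expires"] or secret != client_secret
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client_id": client_id, "user": grant["user"],
                            "scope": grant["scope"], "expires": now + TOKEN_TTL}
        return {"access_token": tok, "token_type": "bearer", "expires_in": TOKEN_TTL,
                "scope": " ".join(sorted(grant["scope"]))}

    def introspect(self, token, now=None):
        # Token metadata lookup for resource servers and clients (compare RFC 7662);
        # None for unknown or expired tokens.
        meta = self.tokens.get(token)
        if meta is None or _clock(now) > meta["expires"]:
            return None
        return meta


class ResourceServer:
    """Steps 7 and 8: returns the protected resource only if the token allows it."""

    def __init__(self, auth_server, photos):
        self.auth_server = auth_server
        self.photos = photos              # user -> photo names (constructed data)

    def get_photos(self, token, now=None):
        meta = self.auth_server.introspect(token, now)
        if meta is None:
            return 401, None              # missing, unknown or expired token
        if "photos.read" not in meta["scope"]:
            return 403, None              # valid token, but not scoped for photos
        return 200, self.photos.get(meta["user"], [])


def login_naive(auth_server, token, now=None):
    """Pitfall: treats any valid access token as proof of who the user is."""
    meta = auth_server.introspect(token, now)
    return meta["user"] if meta else None


def login_checked(auth_server, own_client_id, token, now=None):
    """Accepts only tokens the authorisation server issued to this very client."""
    meta = auth_server.introspect(token, now)
    if meta is None or meta["client_id"] != own_client_id:
        return None
    return meta["user"]


def demo():
    az = AuthorisationServer()
    az.register_client("photo-app", "s3cret", "photoapp://callback")
    az.register_client("other-app", "0ther", "otherapp://callback")
    rs = ResourceServer(az, {"alice": ["beach.jpg", "cat.jpg"]})
    t0 = 1_400_000_000.0                  # fixed clock so expiry is reproducible
    cb = "photoapp://callback"
    code = az.authorise("photo-app", cb, ["photos.read"], "alice", t0)
    tok = az.token("photo-app", "s3cret", code, cb, t0 + 5)["access_token"]
    replay = az.token("photo-app", "s3cret", code, cb, t0 + 6)
    status, photos = rs.get_photos(tok, t0 + 10)
    expired, _ = rs.get_photos(tok, t0 + TOKEN_TTL + 60)
    narrow = az.authorise("photo-app", cb, ["profile"], "alice", t0)
    narrow_tok = az.token("photo-app", "s3cret", narrow, cb, t0 + 5)["access_token"]
    wrong_scope, _ = rs.get_photos(narrow_tok, t0 + 10)
    # A token alice granted to some other app is presented to photo-app as a "login".
    foreign = az.authorise("other-app", "otherapp://callback", ["profile"], "alice", t0)
    foreign_tok = az.token("other-app", "0ther", foreign, "otherapp://callback", t0 + 5)["access_token"]
    return {"status": status, "photos": photos, "replay": replay, "expired": expired,
            "wrong_scope": wrong_scope,
            "naive_login": login_naive(az, foreign_tok, t0 + 10),
            "checked_login": login_checked(az, "photo-app", foreign_tok, t0 + 10)}
```

`demo()` exercises the properties the slides name: the client obtains photos without ever handling alice's password, a replayed code and an expired token are refused, and a token scoped to `profile` cannot read photos. The last two entries show the pitfall: a token alice granted to a different app is accepted by `login_naive` as if alice had logged in to photo-app, while `login_checked` refuses it because the token was not issued to photo-app. Access delegation alone does not prove who is holding the device; a client that wants authentication needs an assertion bound to itself.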
16
Getting the user name and password
Authentication component | Browser invocation | Web View | In-app credential input | Centralised account repo
Minimises typing? | Yes, if used with password manager | No | Yes, if used with secure storage | Yes, if used with secure storage
Centralised, reusable component? | Yes | No | No | Yes
Trust in client app for credential input? | No | Yes | Yes | No
Eavesdropping by malware/greyware? | Yes (Android) | No | No | No
TLS indicators (address bar, padlock)? | Yes | No | No | No, but component assumed trusted
17
Conclusion: the difference
 | OpenID | OAuth
Involved actors | User; Identity provider; Service provider | User (resource owner); Client; Resource provider
What happens? | User authentication to identity provider; Identity provider asserts user info to service provider | User authentication to resource provider; Client retrieves resource from resource provider on behalf of user
Used for | Authentication; Personalisation | Delegation of resource access
Result | Assertion of user info | Access token, limited in time and scope (accessible resource)
Example scenarios | Gambling site with age verification; Localised news | Post on Facebook from other website; Access Google+ Photos from mobile app
18
Q&A
19
References
• OpenID and OAuth
o http://www.slideshare.net/rohitsghatol/oauth-20-in-depth
o http://openid.net/specs/openid-authentication-2_0.html
o http://tools.ietf.org/html/draft-ietf-oauth-v2-31
o http://prezi.com/2uxj3_30cts1/oauth-20-2014/
o http://www.slideshare.net/jcleblanc/securing-restful-apis-using-oauth-2-and-openid-connect
o http://www.slideshare.net/jreffell/oauth-openid-facebook-connect-authentication-design-best-practices
• Android Account Management APIs
o http://udinic.wordpress.com/2013/04/24/write-your-own-android-authenticator/
o http://nelenkov.blogspot.be/2012/11/android-online-account-management.html
o http://developer.android.com/reference/android/accounts/AccountManager.html
o http://developer.android.com/reference/android/accounts/AbstractAccountAuthenticator.html
• iOS accounts framework
o https://developer.apple.com/library/ios/documentation/Accounts/Reference/AccountsFrameworkRef/_index.html
• OAuth and OpenID on the mobile
o http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
o http://stuff.mit.edu/afs/sipb/project/android/docs/training/id-auth/authenticate.html
• Criticism
o http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
o http://www.tetraph.com/blog/2014/05/covert-redirect-vulnerability-related-oauth-2-0-openid-covert-redirect-vulnerability-related-oauth-2-0-openid-%E4%B8%8E-oauth-2-0-openid-%E6%9C%89%E5%85%B3%E7%9A%84-covert-redirect/