OAuth - Don’t Throw the Baby Out with the Bathwater
TRANSCRIPT
Page 1: OAuth 2.0 - Don’t Throw the Baby Out with the Bathwater
Apigee, @apigee
Greg Brail, @gbrail
Ed Anuff, @edanuff
Page 2: groups.google.com/group/api-craft
Page 3: youtube.com/apigee
Page 4: slideshare.net/apigee
Page 5
Ed Anuff, @edanuff
Greg Brail, @gbrail
Page 6: Overview
What happened?
OAuth 2.0 refresher course
OAuth in the world
Next steps and recommendations
Page 7: WHAT HAPPENED?
Page 8: What happened?
Eran Hammer-Lahav, one of the spec leads, quit
He blogged about how screwed up OAuth 2.0 is
He got a lot of attention
Some other people blogged about his blog
Page 9: Why does it matter?
One of the primary authors of OAuth 2.0 disowned it.
So is this an excuse to give up on OAuth?
We don’t think so
Page 10: OAUTH 1.0 & 2.0 RECAP
Page 11: OAuth 1.0a recap
Start with:
Application credentials (ID and secret)
Authenticate the user
Web browser redirect
Get a token and secret
Sign with it on every request
Page 12: What was wrong with OAuth 1.0?
Signatures are hard
This may seem minor, but ask the “developer on the street” about OAuth and you will get some version of this response
Page 13: What is OAuth 2.0?
A family of specs
The “authorization framework”
Bearer token spec
SAML, JWT, and other token specs
More specs
Page 14: What does it really do?
Start with “client credentials”
These identify the application requesting the token
Optionally authenticate the user
There are many “grant types” that define this
Get an “access token”
Uniquely identifies the user / application / device
Send the access token on every request
Page 15: OAuth 2.0 grant types

In OAuth 2.0, “app credentials” are essentially a username / password that identifies a single application

| Grant Type | What You Need | How You Authenticate the User |
| --- | --- | --- |
| Authorization Code | App credentials, end-user credentials | Web browser redirect; the web app determines what is required |
| Implicit Grant | App credentials, end-user credentials | Web browser redirect, optimized for script-heavy web apps |
| Resource Owner (password) | App credentials, end-user username / password | Send username / password in the API call |
| Client Credentials | App credentials | You don’t |
| Extensions | SAML token, JSON Web Token | Depends on the extension spec |
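The two grants in the table that need no browser redirect (Client Credentials and Resource Owner password) are small enough to show end to end. The following is an added example written for this transcript, not code from the talk or from Apigee: a toy token endpoint that authenticates the app credentials, optionally authenticates the user, restricts the requested scope to what the app is registered for, and issues a random bearer token; and the resource-server check that reads `Authorization: Bearer ...` on every request. The client `app-123`, user `alice`, their secrets and the salt are constructed for the example. Client secrets and passwords are stored as PBKDF2 hashes because they are low-entropy; the issued tokens are stored only as SHA-256 hashes, which is enough for a high-entropy random token and matches the “hash it just like a password” advice later in the deck.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample registrations for this example only.
_SALT = b"constructed-demo-salt"


def _hash_secret(secret: str) -> bytes:
    # Slow, salted hash for reusable low-entropy secrets (client secret, password).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 50_000)


CLIENTS = {
    "app-123": {
        "secret_hash": _hash_secret("app-secret"),
        "grants": {"client_credentials", "password"},  # grant types this app may use
        "scopes": {"READ", "WRITE"},                    # scopes this app may ask for
    },
}
USERS = {"alice": _hash_secret("correct horse")}

# Issued bearer tokens keyed by SHA-256 of the token: a stolen copy of this
# table cannot be replayed, but a presented token can still be looked up.
TOKENS: dict = {}
ACCESS_TTL = 3600


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _check(stored_hash, presented: str) -> bool:
    # Always run the hash, even for an unknown principal, so timing is uniform.
    candidate = _hash_secret(presented)
    return stored_hash is not None and hmac.compare_digest(stored_hash, candidate)


def token_endpoint(form: dict, now=None) -> dict:
    """POST /token for the client_credentials and password grants."""
    now = time.time() if now is None else now
    client_id = form.get("client_id", "")
    client = CLIENTS.get(client_id)
    if not _check(client["secret_hash"] if client else None, form.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = form.get("grant_type", "")
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}
    user = None
    if grant == "password":
        username = form.get("username", "")
        if not _check(USERS.get(username), form.get("password", "")):
            return {"error": "invalid_grant"}
        user = username
    scope = set(form.get("scope", "").split())
    if not scope <= client["scopes"]:
        return {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {"client": client_id, "user": user, "scope": scope, "exp": now + ACCESS_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": ACCESS_TTL,
            "scope": " ".join(sorted(scope))}


def authorize_request(headers: dict, required_scope: str, now=None):
    """Resource server side: validate the Authorization: Bearer header.
    Returns the token record on success, None on any failure."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    rec = TOKENS.get(_token_key(token.strip()))
    if rec is None or rec["exp"] <= now or required_scope not in rec["scope"]:
        return None
    return rec
```

Note that the resource server never sees the client secret or the user’s password; it only needs the token table (or, in a larger deployment, an introspection call to whoever holds it), which is the whole point of exchanging credentials for a token.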
Page 16: OAuth 2.0 token types

| Token Type | What It Is | Signed? | Spec Status |
| --- | --- | --- | --- |
| Bearer | A big random number | N | Proposed Standard |
| HTTP-MAC | Signed request | Y | Very old |

For reference: OAuth 1.0 only supported a “MAC” style of token
Page 17: Security considerations

| Token Type | On the Wire | On the Disk |
| --- | --- | --- |
| Bearer | Totally open: requires SSL to prevent token theft or misuse | Hash it just like a password |
| “MAC” | Secure: the secret cannot be recovered from the signature, and the “nonce” prevents replay. No SSL required to protect the token itself (though without it the request and response bodies are still readable in transit) | Server must access it in clear text |
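The MAC row above, and the OAuth 1.0a “sign with it on every request” step earlier, are easiest to see in code. The following is an added example, not the talk’s code and not the HTTP MAC draft’s exact byte layout (the normalized-request format, the credential id `h480djs93hd8` and its key are assumptions constructed for this example): the client signs the timestamp, nonce, method, URI, host and port with the shared key, and the server recomputes the signature with the clear-text key it must keep, rejects stale timestamps and repeated nonces, and records a nonce only after the signature has verified so that unauthenticated traffic cannot poison the replay store.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed MAC credential. Unlike a hashed bearer-token table, the server
# needs this key in clear text to recompute signatures.
MAC_KEYS = {"h480djs93hd8": b"constructed-shared-mac-key"}  # mac id -> key
SEEN_NONCES: dict = {}   # (mac id, nonce) -> timestamp, for replay detection
MAX_SKEW = 300           # seconds of clock drift tolerated


def _normalized(ts: int, nonce: str, method: str, uri: str, host: str, port: int) -> bytes:
    # Assumed normalized request string; binds the signature to the request.
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""]).encode()


def _mac(key: bytes, ts, nonce, method, uri, host, port) -> str:
    digest = hmac.new(key, _normalized(ts, nonce, method, uri, host, port), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(mac_id, key, method, uri, host, port, now=None, nonce=None) -> str:
    """Client side: build the Authorization header for one request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(8)
    mac = _mac(key, ts, nonce, method, uri, host, port)
    return f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def verify_request(auth_header, method, uri, host, port, now=None):
    """Server side: returns (ok, reason) for the request actually received."""
    now = time.time() if now is None else now
    scheme, _, params = auth_header.partition(" ")
    if scheme != "MAC":
        return False, "not a MAC header"
    p = dict(re.findall(r'(\w+)="([^"]*)"', params))
    key = MAC_KEYS.get(p.get("id", ""))
    if key is None:
        return False, "unknown id"
    try:
        ts = int(p["ts"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    nonce = p.get("nonce", "")
    expected = _mac(key, ts, nonce, method, uri, host, port)
    if not hmac.compare_digest(expected, p.get("mac", "")):
        return False, "bad signature"
    if (p["id"], nonce) in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES[(p["id"], nonce)] = ts
    # A nonce older than the skew window can never verify again, so drop it.
    for stale in [k for k, t in SEEN_NONCES.items() if now - t > MAX_SKEW]:
        del SEEN_NONCES[stale]
    return True, "ok"
```

The signature covers only what is in the normalized string; a body or query parameter left out of it can be altered in transit without failing verification, which is one reason the deck’s “no SSL required” applies to the token, not to the rest of the request.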
Page 18: What about “legs”?
Three grant types require user authentication
Many people call these “three-legged”
They involve the app, the API, and the user
One does not; it just uses the app credentials
Many people call this “two-legged”
Minor fact: the words “leg” and “legged” are not present in the spec
Page 19: Scopes
Every OAuth 2.0 token can have “scopes”
Identify what the token can do
For instance: READ, WRITE, DELETE
or: SEND_SMS, SEND_MMS, GET_LOCATION, PAY
Page 20: Refresh tokens
APIs may return two tokens
Access token with an expiration time
Refresh token with no expiration time (or a much longer one)
Refresh token used to get a new access token
No additional user authentication is required
Page 21: Why refresh tokens?
What if the access token is compromised?
An expiration time limits how long a guessed or stolen token stays usable
Harder to use a stolen token from a device
So why is the refresh token harder to steal?
It isn’t
It’s still stored on the device or web server
Page 22: Why refresh tokens, really?
It supports a two-tier architecture:
Authorization grants, token generation, and all that on a complex, slow server
Access tokens in a scalable caching layer
No need for complex cache invalidation: entries simply expire
What if the main OAuth system already scales?
Then there is no reason to use refresh tokens
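The two-tier split on this slide, together with the previous slide’s point that a refresh token is no harder to steal than an access token, can be shown in a few dozen lines. This is an added example written for this transcript, not the talk’s or Apigee’s code: a fast `TokenCache` tier that knows only access tokens and their expiry, and a slow `AuthorizationServer` tier that holds refresh tokens and serves `grant_type=refresh_token` without re-authenticating the user. Because the refresh token sits on the device just like the access token, the example goes one step beyond the slide and rotates the refresh token on every use, revoking the whole token family if an already-rotated refresh token is presented again (a sign that two parties hold it). The client id `app-123`, users and lifetimes are constructed values.

```python
import hashlib
import secrets

ACCESS_TTL = 600            # access tokens: short-lived, live in the cache tier
REFRESH_TTL = 30 * 86400    # refresh tokens: long-lived, live only in the slow tier


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class TokenCache:
    """Fast tier (think distributed cache): only access tokens and their
    expiry, so nothing ever needs to be explicitly invalidated."""

    def __init__(self):
        self.entries = {}

    def put(self, key: str, rec: dict):
        self.entries[key] = rec

    def validate(self, access_token: str, now: float):
        key = _h(access_token)
        rec = self.entries.get(key)
        if rec is None or rec["exp"] <= now:
            self.entries.pop(key, None)   # expired entries just fall out
            return None
        return rec


class AuthorizationServer:
    """Slow tier: grants, refresh tokens, and the policy around them."""

    def __init__(self, cache: TokenCache):
        self.cache = cache
        self.refresh = {}              # sha256(refresh token) -> record
        self.revoked_families = set()  # families killed after a reuse was seen

    def issue(self, user, client, scope, now, family=None):
        access = secrets.token_urlsafe(32)
        self.cache.put(_h(access), {"user": user, "client": client, "scope": scope,
                                    "exp": now + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        self.refresh[_h(refresh)] = {
            "user": user, "client": client, "scope": scope,
            "family": family or secrets.token_hex(8),
            "exp": now + REFRESH_TTL, "used": False,
        }
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def refresh_grant(self, refresh_token, client, now):
        """grant_type=refresh_token: no user interaction; the caller is assumed
        to have already authenticated the app credentials of `client`."""
        rec = self.refresh.get(_h(refresh_token))
        if rec is None or rec["client"] != client or rec["exp"] <= now:
            return {"error": "invalid_grant"}
        if rec["family"] in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Rotated token presented twice: the legitimate app and a thief
            # both hold it. Kill the family so the thief's copy dies too.
            self.revoked_families.add(rec["family"])
            return {"error": "invalid_grant"}
        rec["used"] = True
        return self.issue(rec["user"], rec["client"], rec["scope"], now, family=rec["family"])
```

With this split, revoking a user’s grant is a write to the slow tier only; the cache never needs a purge, because the worst case is that an already-issued access token lives out its remaining `ACCESS_TTL`, which is the trade the slide describes.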
Page 23: OAUTH IN THE WORLD
Page 24: Status of key specs

| Spec | Revision | Status |
| --- | --- | --- |
| Authorization Framework | 31 | Proposed Standard |
| Bearer Token | 23 | Proposed Standard |
| JWT Token | 3 | Draft |
| JWT Bearer Token | 1 | Draft |
| SAML 2 Token | 13 | Draft |
| HTTP MAC Token | 1 | Draft; last update February |

How a spec grows up to become a “law”:
1. Draft
2. Proposed Standard
3. Draft Standard
4. Internet Standard

There are many more specs; check the IETF process: http://tools.ietf.org/wg/oauth/
Page 25: Status of big APIs

| Provider | Spec Revision | Reference |
| --- | --- | --- |
| Foursquare | 10 | http://aaron.pk/2YS |
| Google | 10 | https://developers.google.com/accounts/docs/OAuth2 |
| Facebook | 10* | https://developers.facebook.com/docs/authentication/ |
| Windows Live | 10 | http://aaron.pk/2YV |
| Salesforce | 10 | http://aaron.pk/2YW |
| GitHub | 7 | http://developer.github.com/v3/oauth/ |
| Geoloqi | 10 | https://developers.geoloqi.com/api |

Thanks to Aaron Parecki from Geoloqi for this table
Page 26: OAuth in production - versions
31 Apigee Enterprise customers use OAuth 2.0
20 have “two-legged OAuth” aka “client credentials”
19 have “three-legged OAuth”
8 have both
6 customers have OAuth 1.0a
Many customers have neither:
“API key” authentication only
Username / password
SSL, many other options
Thanks to Amit Chakraborty from Apigee for this data
Page 27: Two more steps to OAuth
It’s not just about tokens
How is the user authenticated?
All but two Apigee customers use existing web pages or directory servers for user authentication
How is consent granted to issue the token?
Usually done through the browser
Many different ways to implement it
Page 28: NEXT STEPS AND RECOMMENDATIONS
Page 29: Why use OAuth?
For web apps that use APIs
OAuth is the most standard, secure choice
For mobile / native apps that use APIs
OAuth has advantages over alternatives
Uniquely identifies the end user, device, and app
Credentials may be revoked at any time
For server-to-server APIs
Use OAuth if you use it for other things too
Page 30: Keeping OAuth under control
Stick with the basics:
Bearer tokens
No refresh tokens
No extensions
Page 31: Questions
Page 32: groups.google.com/group/api-craft
Page 33: THANK YOU
Questions and ideas to:
@gbrail, @edanuff
groups.google.com/group/api-craft