1. Incorporating OAuth
How to integrate OAuth into your mobile app
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
2. Agenda
The security challenge in context
Neo-security stack
OAuth Basics
Overview of other layers
4. Identity is Central
[Venn diagram by Gunnar Peterson: Mobile Security, API Security and Enterprise Security overlap, with Identity at the centre; labels MDM, MAM and AuthZ]
5. Neo-security Stack
SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
OAuth 2 is the new meta-protocol defining how tokens are handled
These address old requirements, solve new problems & can be composed in useful ways
[Figure: Grandpa SAML & junior OpenID Connect]
6. OAuth Actors
Client
Authorization Server (AS)
Resource Server (RS) (i.e., API)
Resource Owner (RO)
[Diagram: the Client gets a token from the AS, then uses that token at the RS]
7. OAuth Mobile App Flow
10. Register Custom Scheme in App
<activity android:name=".CallbackActivity" …>
    <intent-filter>
        <data android:scheme="twobo" />
        …
    </intent-filter>
</activity>
11. Callback to Custom Scheme
In the OAuth server, configure the client's redirect URI to call back to the custom scheme that was registered in the app
12. Exchange Code for Token
[Diagram: the client sends the authorization code (AC) to the token endpoint]
13. Calling the Token Endpoint
// Form fields for the token endpoint (jQuery). clientId, clientSecret, code and
// tokenEndpoint are set elsewhere in the app.
var data = {
    "client_id"     : clientId,
    "client_secret" : clientSecret,   // a native app binary cannot keep this confidential
    "code"          : code,           // the authorization code received on the callback
    "grant_type"    : "authorization_code",
    "response_type" : "token" };      // an authorization-endpoint parameter; the token endpoint ignores it
// POST the form; the parsed JSON response (access_token, refresh_token, ...) goes to processAccessToken
$.post(tokenEndpoint, data, processAccessToken, "json");
[Diagram: AC goes to the token endpoint; AT and RT come back]
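The client side of the flow on slides 10 to 13, as an added example that is not code from the slides: build the authorization request, receive the callback on the custom scheme from the manifest, and assemble the token request. The redirect URI "twobo://callback" (the scheme from the manifest plus a path chosen here), the endpoint URLs and the client id are assumptions. It adds a state parameter and checks it on the callback, which the slides do not show; RFC 6749 requires that check so a code injected by a third party is dropped.

```python
# Added example (not from the slides): native-app authorization code flow, client side.
# Assumptions: REDIRECT_URI, endpoint URLs and client_id are placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "twobo://callback"  # scheme matches <data android:scheme="twobo" />


def new_state():
    """Unguessable per-request value; the callback must echo it back (RFC 6749 s.10.12)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(authorize_endpoint, client_id, scope, state):
    """Step 1: the app opens this URL in the browser for the resource owner."""
    params = {
        "response_type": "code",   # ask for an authorization code, not a token
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(callback_uri, expected_state):
    """Step 2: the AS redirects to twobo://callback?code=...&state=...; the
    CallbackActivity hands that URI here.  Returns the code, or raises on
    anything that must not be trusted."""
    parsed = urlparse(callback_uri)
    if parsed.scheme != urlparse(REDIRECT_URI).scheme:
        raise ValueError("callback arrived on an unexpected scheme: %r" % parsed.scheme)
    query = parse_qs(parsed.query)
    if "error" in query:
        # The AS declined (e.g. access_denied); surface it instead of retrying blindly.
        raise PermissionError(query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        # Missing or mismatching state: discard the response (CSRF / injected code).
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id, code, client_secret=None):
    """Step 3: form body for the POST to the token endpoint.  Mirrors the $.post()
    data on the slide; client_secret is optional here because an app binary cannot
    keep it confidential, and response_type is omitted (not a token-endpoint field)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must match the one used in step 1
        "client_id": client_id,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form
```

The form returned by build_token_request is what the jQuery $.post() on slide 13 sends; the part the slides leave implicit is that the app must refuse the callback unless the state it generated in step 1 comes back unchanged.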
14. Tokens are Often JWTs
Pronounced like the English word "jot"
Lightweight tokens passed in HTTP headers & query strings
Akin to SAML tokens
Less expressive
Fewer security options
More compact
Encoded w/ JSON not XML
15. Calling the API
Provide the AT to the API according to the bearer token profile
// Call the API with the access token as a bearer credential: the AT travels in the
// Authorization header (the preferred transport), apiEndpoint and accessToken are set elsewhere.
$.ajax({
    url: apiEndpoint,
    dataType: 'json',
    headers: {"Authorization": "Bearer " + accessToken},
    success: processResults });
16. API May Validate Token
import urllib
import urllib2

def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
    # The API asks the authorization server whether the presented AT is still
    # valid (token introspection). The grant_type value was elided on the slide.
    values = { "client_id"     : clientId,
               "client_secret" : clientSecret,
               "grant_type"    : "…",
               "token"         : accessToken, }
    request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
    return urllib2.urlopen(request)   # Python 2; the response body carries the AS's verdict
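Slide 14 says tokens are often JWTs and slide 16 says the API may validate the token; this added example (not code from the slides) serves both: it mints a compact HS256 JWT, shows how an API checks the signature, algorithm, expiry and audience locally before trusting any claim, and extracts the bearer token from the Authorization header that slide 15 sends. The shared key, claims and issuer are constructed for the example; a real deployment gets the key from the authorization server's configuration and may verify an asymmetric signature instead.

```python
# Added example (not from the slides): JWS-compact JWT issue/verify with HS256,
# plus bearer-header parsing for the API side. Key and claims are constructed.
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"example-shared-key-between-AS-and-API"  # constructed; use a random managed key


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, key=SHARED_KEY):
    """Mint base64url(header).base64url(payload).base64url(HMAC-SHA256 signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key=SHARED_KEY, audience=None, now=None):
    """Return the claims only if alg, signature, exp and aud all check out."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWT")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        # The verifier picks the algorithm, never the token ("none", key confusion).
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))   # decoded only after the signature passed
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("token not meant for this API")
    return claims


def bearer_token_from_header(authorization):
    """Pull the AT out of 'Authorization: Bearer <token>' (scheme is case-insensitive)."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()
```

Local verification like this is the alternative to the introspection call on slide 16: it avoids a round trip per request, at the cost of the API holding verification key material and not learning about revocation until the token expires.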
17. App Consumes API Data
• App should only present AT to API
• Never send RT to API
• Use RT to get new AT if AT expires
• App can't use AT to determine anything about user
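The four rules above, enforced in code, as an added example that is not from the slides: a small token holder for the app that hands the API only an Authorization header with the AT, sends the RT only to the token endpoint, and refreshes before an expired AT is used. The token endpoint is injected as a callable so the example runs offline; the response field names (access_token, refresh_token, expires_in) are the ones RFC 6749 defines, and the 30-second safety margin is a choice made here.

```python
# Added example (not from the slides): token lifecycle in the app.
# post_to_token_endpoint is an injected callable (assumption) that POSTs a form
# to the token endpoint and returns the parsed JSON token response.
import time


class TokenStore:
    def __init__(self, token_response, post_to_token_endpoint, client_id, clock=time.time):
        self._post = post_to_token_endpoint
        self._client_id = client_id
        self._clock = clock
        self._access_token = None
        self._refresh_token = None
        self._expires_at = float("inf")
        self._absorb(token_response)

    def _absorb(self, resp):
        """Store a token response (initial or refresh)."""
        self._access_token = resp["access_token"]
        # A refresh response may omit refresh_token; then the old one stays valid.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        expires_in = resp.get("expires_in")
        # Treat the AT as expired 30 s early to absorb clock skew and latency.
        self._expires_at = (self._clock() + expires_in - 30) if expires_in is not None else float("inf")

    def _refresh(self):
        """Use the RT to get a new AT; this is the only place the RT leaves the store."""
        if not self._refresh_token:
            raise RuntimeError("access token expired and no refresh token; re-authorize the user")
        self._absorb(self._post({
            "grant_type": "refresh_token",
            "refresh_token": self._refresh_token,   # RT goes only to the token endpoint
            "client_id": self._client_id,
        }))

    def authorization_header(self):
        """What every API call carries: the AT as a bearer credential, never the RT."""
        if self._clock() >= self._expires_at:
            self._refresh()
        return {"Authorization": "Bearer " + self._access_token}
```

The app never reads inside the access token: it is opaque to the client by contract, so anything the app needs to know about the user comes from a separate identity layer (the OpenID Connect ID token or userinfo endpoint), not from the AT.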
18. Overview of OpenID Connect
Builds on OAuth for profile sharing
Uses the flows optimized for user-consent scenarios
Adds identity-based inputs/outputs to core OAuth messages
Tokens are JWTs
19. What OAuth is and is not for
Not for authentication
Not really for authorization
For delegation