SlideShare ist ein Scribd-Unternehmen logo

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

Als PPTX, PDF herunterladen
Brian Campbell
Brian Campbell

This document provides an overview of OAuth 2.0 and how it can be used to securely authorize access to APIs from mobile applications. It begins with an introduction to OAuth and discusses how it addresses issues with directly sharing passwords between applications. The document then outlines the basic OAuth flow, including key concepts like access tokens, authorization codes, and refresh tokens. It provides code snippets demonstrating an example OAuth flow for both Android and iOS, showing the HTTP requests and responses at each step.

Technologie
1 von 26
Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping‟s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Disclaimer & Credits  I primarily do server side development  Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen  Because “plagiarism” is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something‟s dumb and/or you‟re offended by it, it‟s Paul‟s  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password. •What could possibly go wrong?
Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a „key‟ to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You‟re at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you‟re relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
Aside: Mobile Application Continuum Web Applications Native Applications Web Server Web Server Web App HTML/JS/CSS Hybrid Approaches JSON/XML Mobile Device Mobile Device Mobile Web Page Native App Browser
Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
Basic Abstract Flow  client: An application Authorization obtaining authorization and Server making protected resource Client requests. Resource  Native app on mobile device Server  resource server (RS): A server capable of accepting and responding to protected A few other protocol terms resource requests. • Access token (AT) – Presented by client when accessed protected resources at the RS  Protected APIs • Refresh token (RT) - Allows clients to obtain a fresh  authorization server (AS): A access token without re-obtaining authorization • Scope – A permission (or set of permissions) defined server capable of issuing by the AS/RS tokens after successfully • Authorization endpoint – used by the client to obtain authenticating the resource authorization from the resource owner via user-agent owner and obtaining redirection • Token endpoint – used for direct client to AS authorization. communication • Authorization Code – One time code issued by an AS to be exchanged for an AT.
Concrete Flow ① Client app initiates Cloud! authorization request Authorization ② End-user authenticates Token Endpoint Endpoint and approves the requested access ③ Server returns control to the app and includes an authorization code 3 ④ The authorization code is 1 2 traded for access token 4 (and refresh token) 5 Device ⑤ Protected APIs invoked using the access token Browser Native 1 App 3
Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and 1 sends user to the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native App
Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native App
Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP Browser redirection and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > <intent-filter> Browser Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");
Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...
Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Browser Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }
Cloud! Using an Access Token Token Endpoint Authorization Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);
If All Goes well, HTTP/1.1 200 OK
And If not,  HTTP 401/403  Use refresh token to get a new access token POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8 HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":”G8RTS98dQ9CpLoaH7P3V41MzW1q0”, }  And if that doesn‟t work, initiate the authorization request flow again
Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I‟m tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind

Empfohlen

puk
pukpuk
puk
petraognjenovic
 
Uspješna komunikacija
Uspješna komunikacija Uspješna komunikacija
Uspješna komunikacija
petraognjenovic
 
Komunikacijski lanac
Komunikacijski lanacKomunikacijski lanac
Komunikacijski lanac
petraognjenovic
 
Banka pitanja windows- za 5 razred test
Banka pitanja windows- za 5 razred testBanka pitanja windows- za 5 razred test
Banka pitanja windows- za 5 razred test
Ivana Grujovic
 
Uvod u psihologiju
Uvod u psihologijuUvod u psihologiju
Uvod u psihologiju
petraognjenovic
 
Tolerancija-Mihael
Tolerancija-MihaelTolerancija-Mihael
Tolerancija-Mihael
Suzana Delic
 
у туђим ципелама, чос
у туђим ципелама, чосу туђим ципелама, чос
у туђим ципелама, чос
Основна школа "Миливоје Боровић" Мачкат
 
Komunikacija
KomunikacijaKomunikacija
Komunikacija
Obrazovno kreativni centar
 

Empfohlen

puk
pukpuk
puk
petraognjenovic
 
Uspješna komunikacija
Uspješna komunikacija Uspješna komunikacija
Uspješna komunikacija
petraognjenovic
 
Komunikacijski lanac
Komunikacijski lanacKomunikacijski lanac
Komunikacijski lanac
petraognjenovic
 
Banka pitanja windows- za 5 razred test
Banka pitanja windows- za 5 razred testBanka pitanja windows- za 5 razred test
Banka pitanja windows- za 5 razred test
Ivana Grujovic
 
Uvod u psihologiju
Uvod u psihologijuUvod u psihologiju
Uvod u psihologiju
petraognjenovic
 
Tolerancija-Mihael
Tolerancija-MihaelTolerancija-Mihael
Tolerancija-Mihael
Suzana Delic
 
у туђим ципелама, чос
у туђим ципелама, чосу туђим ципелама, чос
у туђим ципелама, чос
Основна школа "Миливоје Боровић" Мачкат
 
Komunikacija
KomunikacijaKomunikacija
Komunikacija
Obrazovno kreativni centar
 
Microbit prezentacija
Microbit prezentacijaMicrobit prezentacija
Microbit prezentacija
Mersiha Sahman
 
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
Eunseok Yi
 
Postanite uspešniji roditelj
Postanite uspešniji roditeljPostanite uspešniji roditelj
Postanite uspešniji roditelj
Suzana Kulja
 
Komunikacija
KomunikacijaKomunikacija
Komunikacija
AzBuki
 
vrste
vrstevrste
vrste
petraognjenovic
 
perceptivne varke
perceptivne varkeperceptivne varke
perceptivne varke
petraognjenovic
 
Nenasilna komunikacija 2
Nenasilna komunikacija 2Nenasilna komunikacija 2
Nenasilna komunikacija 2
Svetlana Čeko
 
Empatija
EmpatijaEmpatija
Empatija
Agencija za odgoj i obrazovanje - Education and Teacher Training Agency
 
sukobi
sukobisukobi
sukobi
petraognjenovic
 
Ortogonalno projiciranje
Ortogonalno projiciranjeOrtogonalno projiciranje
Ortogonalno projiciranje
psh-skola
 
Roditeljski sastanak Podrška učenicima prezentacija
Roditeljski sastanak Podrška učenicima prezentacijaRoditeljski sastanak Podrška učenicima prezentacija
Roditeljski sastanak Podrška učenicima prezentacija
Osnovna škola "Sveti Sava"
 
Preduvjeti uspješne komunikacije
Preduvjeti uspješne komunikacijePreduvjeti uspješne komunikacije
Preduvjeti uspješne komunikacije
petraognjenovic
 
Јединице мере за површину
Јединице мере за површинуЈединице мере за површину
Јединице мере за површину
Ивана Ћуковић
 
Predmet i grane psihologije
Predmet i grane psihologije Predmet i grane psihologije
Predmet i grane psihologije
snezanadjeric1
 
Празници
ПразнициПразници
Празници
Srpska škola u inostranstvu
 
prepreke u komunikaciji
prepreke u komunikaciji prepreke u komunikaciji
prepreke u komunikaciji
petraognjenovic
 
Operativni sistemi
Operativni sistemiOperativni sistemi
Operativni sistemi
majapts
 
Shizofrenija
ShizofrenijaShizofrenija
Shizofrenija
Katarina Čamber
 
Intervju za posao
Intervju za posaoIntervju za posao
Intervju za posao
Pogled kroz prozor
 
Neverbalna komunikacija.pptx
Neverbalna komunikacija.pptxNeverbalna komunikacija.pptx
Neverbalna komunikacija.pptx
petraognjenovic
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
Paul Madsen
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra
 

Weitere ähnliche Inhalte

Was ist angesagt?

Postanite uspešniji roditelj
Postanite uspešniji roditeljPostanite uspešniji roditelj
Postanite uspešniji roditelj
Suzana Kulja
 
Nenasilna komunikacija 2
Nenasilna komunikacija 2Nenasilna komunikacija 2
Nenasilna komunikacija 2
Svetlana Čeko
 
Operativni sistemi
Operativni sistemiOperativni sistemi
Operativni sistemi
majapts
 

Was ist angesagt? (20)

Microbit prezentacija
Microbit prezentacijaMicrobit prezentacija
Microbit prezentacija
 
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
NDC 2012 이은석 - 게임회사 취업특강 (커리어세션)
 
Postanite uspešniji roditelj
Postanite uspešniji roditeljPostanite uspešniji roditelj
Postanite uspešniji roditelj
 
Komunikacija
KomunikacijaKomunikacija
Komunikacija
 
vrste
vrstevrste
vrste
 
perceptivne varke
perceptivne varkeperceptivne varke
perceptivne varke
 
Nenasilna komunikacija 2
Nenasilna komunikacija 2Nenasilna komunikacija 2
Nenasilna komunikacija 2
 
Empatija
EmpatijaEmpatija
Empatija
 
sukobi
sukobisukobi
sukobi
 
Ortogonalno projiciranje
Ortogonalno projiciranjeOrtogonalno projiciranje
Ortogonalno projiciranje
 
Roditeljski sastanak Podrška učenicima prezentacija
Roditeljski sastanak Podrška učenicima prezentacijaRoditeljski sastanak Podrška učenicima prezentacija
Roditeljski sastanak Podrška učenicima prezentacija
 
Preduvjeti uspješne komunikacije
Preduvjeti uspješne komunikacijePreduvjeti uspješne komunikacije
Preduvjeti uspješne komunikacije
 
Јединице мере за површину
Јединице мере за површинуЈединице мере за површину
Јединице мере за површину
 
Predmet i grane psihologije
Predmet i grane psihologije Predmet i grane psihologije
Predmet i grane psihologije
 
Празници
ПразнициПразници
Празници
 
prepreke u komunikaciji
prepreke u komunikaciji prepreke u komunikaciji
prepreke u komunikaciji
 
Operativni sistemi
Operativni sistemiOperativni sistemi
Operativni sistemi
 
Shizofrenija
ShizofrenijaShizofrenija
Shizofrenija
 
Intervju za posao
Intervju za posaoIntervju za posao
Intervju za posao
 
Neverbalna komunikacija.pptx
Neverbalna komunikacija.pptxNeverbalna komunikacija.pptx
Neverbalna komunikacija.pptx
 

Ähnlich wie OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
Paul Madsen
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 

Ähnlich wie OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me? (20)

Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App Enablement
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderShoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 Provider
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Api security
Api security Api security
Api security
 

Mehr von Brian Campbell

Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Brian Campbell
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
Brian Campbell
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
Brian Campbell
 

Mehr von Brian Campbell (17)

The Burden of Proof
The Burden of ProofThe Burden of Proof
The Burden of Proof
 
Token Binding Identiverse 2018
Token Binding Identiverse 2018 Token Binding Identiverse 2018
Token Binding Identiverse 2018
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of Us
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSE
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Kürzlich hochgeladen

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

  • 1. Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
  • 2. Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
  • 3. Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping‟s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
  • 4. Disclaimer & Credits  I primarily do server side development  Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen  Because “plagiarism” is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something‟s dumb and/or you‟re offended by it, it‟s Paul‟s  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
  • 5. Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password. •What could possibly go wrong?
  • 6. Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
  • 7. Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a „key‟ to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
  • 8. Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
  • 9. Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You‟re at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
  • 10. Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you‟re relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
  • 11. OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
  • 12. Aside: Mobile Application Continuum Web Applications Native Applications Web Server Web Server Web App HTML/JS/CSS Hybrid Approaches JSON/XML Mobile Device Mobile Device Mobile Web Page Native App Browser
  • 13. Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
  • 14. Basic Abstract Flow  client: An application Authorization obtaining authorization and Server making protected resource Client requests. Resource  Native app on mobile device Server  resource server (RS): A server capable of accepting and responding to protected A few other protocol terms resource requests. • Access token (AT) – Presented by client when accessed protected resources at the RS  Protected APIs • Refresh token (RT) - Allows clients to obtain a fresh  authorization server (AS): A access token without re-obtaining authorization • Scope – A permission (or set of permissions) defined server capable of issuing by the AS/RS tokens after successfully • Authorization endpoint – used by the client to obtain authenticating the resource authorization from the resource owner via user-agent owner and obtaining redirection • Token endpoint – used for direct client to AS authorization. communication • Authorization Code – One time code issued by an AS to be exchanged for an AT.
  • 15. Concrete Flow ① Client app initiates Cloud! authorization request Authorization ② End-user authenticates Token Endpoint Endpoint and approves the requested access ③ Server returns control to the app and includes an authorization code 3 ④ The authorization code is 1 2 traded for access token 4 (and refresh token) 5 Device ⑤ Protected APIs invoked using the access token Browser Native 1 App 3
  • 16. Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and 1 sends user to the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
  • 17. Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native App
  • 18. Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native App
  • 19. Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP Browser redirection and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  • 20. Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > <intent-filter> Browser Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");
  • 21. Cloud! Handle Callback (cont‟d) Token Authorization Endpoint Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...
  • 22. Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Browser Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }
  • 23. Cloud! Using an Access Token Token Endpoint Authorization Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);
  • 24. If All Goes well, HTTP/1.1 200 OK
  • 25. And If not,  HTTP 401/403  Use refresh token to get a new access token POST /as/token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8 HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":”G8RTS98dQ9CpLoaH7P3V41MzW1q0”, }  And if that doesn‟t work, initiate the authorization request flow again
  • 26. Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I‟m tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind