SlideShare ist ein Scribd-Unternehmen logo

O auth2.0 guide

Dilip Mohapatra
Dilip Mohapatra

API Security and OAuth introducion

Technologie
1 von 19
Downloaden Sie, um offline zu lesen
1 * E-mails: sales@nexright.com
OAuthisanopenprotocolstandardforWebAPIauthorization.OAuthprovidesamethodforuserstograntthird-partyaccesstotheirresourceswithoutsharingtheirpasswords. What is OAuth? OAuth is an open protocol standard for Web API authorization 2 Nasrin Sohrabi
Why using OAuth2.0 ? one way to address REST security issues is with the open source protocol OAuth 1) Lack of standards and support of RESTfulAPI Askingauserfortheirpasswordhasanumberofside-effectsuchas: Trust:ausermaynottrustprovidingtheirpasswordtoyourapplication. Expandedaccessandrisks:Whentheuserprovidestheirpasswordtoyourapplication,yougetaccesstonotonlythedatayourapplicationneeds,butallotherdataintheuser’saccount.Theapplicationhasanobligationtoitsuserstosecurelystorethesepasswordsandpreventthemfromleaking.Manydevelopersdonotwanttheriskexposureofhavingthisadditionalresponsibility. Decreasedusersensitivitytophishing:Eveniftheuseriscomfortableprovidingtheirpasswordtoyourapplication,makingtheusercomfortabledoingthisaroundtheWebcanhavenegativelong-termeffects,suchasmakingphishingscamsmoreeffective. Limitedreliability:Whenauserchangestheirpassword,yourapplicationnolongerhasaccesstotheirdata. Revocationchallenges:Theonlywayausercanrevokeaccesstoyourapplicationisbychangingtheirpassword,whichalsorevokesaccesstoallotherapps. Passwordsbecomerequired:WhenanAPIprovidersupportsfederatedauthenticationmechanismssuchasOpenIDorSAML,usersmaynothavepasswordsontheiraccounts.ThismakesitimpossibleforthoseuserstouseapplicationspoweredbytheAPI. Difficultyimplementingstrongerauthentication:IfanAPIproviderrequirespasswordsforAPIauthentication,itbecomeschallengingtoimproveaccountsecuritywithtechnologieslikeCAPTCHAsormultifactorauthentication(suchasone-timepasswordtokens). 2)PasswordAnti-Pattern Within move towards SaaS–trend towards API access to data/services to supplement/replace browser access. Clear trend for these APIs is towards REST. 3) Cloud APIs 4) Native Mobile Applications 3 Nasrin Sohrabi
Client Application User Agent How does OAuth2.0 work? OAuth 2.0 protocol uses a number of actors to achieve the main tasks of getting, validating, and using an access token 4 Nasrin Sohrabi Authorization Server Resource Server Resource Owner
The main Actors are: User or Resource Owner Theactualenduser,responsibleforauthenticationandtoprovideconsenttosharetheirresourceswiththerequestingclient User Agent Theuser’sbrowser.usedforredirect‐basedflowswheretheusermustauthenticateandoptionallyprovideconsenttosharetheirresources. Client Authorization Server (AS) Resource Server (RS) The Client Application that is requesting an access token on behalf of the end user. A server capable of issuing tokens, obtaining authorization, and authenticating resource owners. The target application or API that provides the requested resources. This actor will validate an access token to provide authorization for theaction. (The server hosting protected resources) 5 Nasrin Sohrabi
Oauth2.0 provides four standard grant typesandan extension grant type that can beusedto customize the authentication and authorization process depending on the application requirements: Server Side Web Application Flow (Authorization Code Flow) Client Side Web Application Flow (Implicit Grant Flow) Resource Owner Password Flow Client Credentials Extension Grant 6 Nasrin Sohrabi OAuth2.0 Grant Types
Authorization Code Resource Owner Cridential Implicit Client Credentials Used for most Web and mobile application scenarios that want to call REST Web services. uses the user agent to transport an intermediate code, which is then exchanged for the OAuth2 tokens. Scenariowhereclientisnotabletosafelyhidetheclientsecret(e.g. clientsideJavaScriptapplication).UsestheuseragenttotransportTheOAuth2tokens. Whenapplicationneedstocontroltheloginform(e.g.NativeMobileapp). Exchangesausername/passwordcombinationfortheOAuth2tokens. Whenauserisnotinvolved.AccesstokenonlyrequiredforaservicetocallaRESTwebservice.ExchangestheclientcredentialsforanOAuth2Accesstoken. Extension Grant Type Used To Extend The Oauth2.0 Grant Types For specific Scenarios (e.g. the SAML bearer extension grant). 7 Nasrin Sohrabi
Some of the important terminologies that use during work with OAuth: Client key: Client Secret: Authorization Code: Access Token: Refresh Token: AvalueusedbytheconsumertoidentifyitselftotheServiceProvider. A secret used by the consumer to establish ownership of the consumer key. Avalueusedbytheconsumertoobtainauthorizationfromtheuser,andexchangedforanAccessToken Atokenusedbytheclienttomakeauthenticatedrequestsonbehalfoftheresourceowner. Atokenusedbytheclienttoobtainanewaccesstokenwithouthavingtoinvolvetheresourceowner. 8 Nasrin Sohrabi
9 AS Enpoint Authorization Endpoints: • used, via user-agent redirection, to authenticate and obtain authorization from the resource owner. • End user on the front channel. Token Endpoints • Used to exchange an authorization grant for an access token. • Client on the back channel. Client Endpoint Redirection URI • After completing its interaction with the resource owner, the AS directs the resource owner's user-agent back to the client at the client’s redirection URI. • Front channel callback. Nasrin Sohrabi Endpoints
The application developer will be responsible for the user-facing Elements Of theprocess. They will needto authenticate the user and interface with the back-end APIs. There are three main actions an application developer needs to handle to implement OAuth2: 1) Get an access token. 2) Use an access token. 3) Refresh an access token(optional). 10 Nasrin Sohrabi In the following slides, I will explained how to get an OAuth access token from PingFederate infrastructure, based on Authorization code grant type.
Authorizationgrantisaclientredirectbasedflow.Inthisscenario,theuserwillberedirectedtothePingFederateauthorizationendpointviatheuseragent(i.e.webbrowser).ThisuseragentwillbeUsedtoauthenticatetheenduserandallowthemtograntaccesstotheclient.Oncetheuserhasbeenauthorized,anintermediatecodewillbegrantedbytheauthorizationserverandreturnedTotheclientapplicationviatheuseragent.Lastly,theclientwillswapthiscodeforanOauthaccesstoken. 11 Nasrin Sohrabi
Authorization code grant process Request Authorization Obtain User Authorization Exchange Code for Access Token Validate and Perform Actions There are 4 main steps to the authorization code grant type process: The client redirects the user to the Authorization Endpoint (Ping Federate)to request an authorization code. The Resource Owner (User) grants permissions for the client to access resource data. The authorization code is given to the client (callback from auth. server). The authorization code is exchanged for an access token given to the client by the Token Endpoint (Ping Federate) . The Resource Server validates the Access Token and gives access to the client if validation is successful 12 Nasrin Sohrabi
Client Authorization EndPoint (PingFederate) Token EndPoint (PingFederate) Resource Server Grant Authorization Code Direct user To Resource Provider User Authentication Grant permissions Request Authorization Code Request Access Token Grant Access Token Direct users To the client with authcode 1 Obtain Authorization code 2 Obtain Authorization to use code Access Protected Resources Validate Token Use Access Token 3 Exchange Code for Access Token 4 Client Uses Resources 13 Nasrin Sohrabi
Phases in detail: Theclientrequestsresourcedata,whichredirectstheuserthroughanauthorizationprocessinordertoobtainanauthorizationcode.AftertheuserauthenticatesandauthorizesaccessatPingFederate,acallback(viaanHTTP redirect)willbemadebacktotheclientapplicationwiththeauthorizationcodeinthequeryStringlike(https://localhost:9031/OAuthPlayground/case1callback.jsp?state=&code=5qJvl5hWL20KS6ZKzQ- eZAYBjF0coxe3YhPaAhM2).Now,theclientsitesendsanhttprequesttoexchangetheauthorizationcodeobtainedinthecallbackforthedesiredtokens(typicallyanaccesstokenandarefreshtoken).TheprocessofexchangingrequirestheclienttocommunicatewiththePingFederateTokenEndpoint(https://<pf>/as/token.oauth2)withthefollowingparameters:client_id,granttype=authorizationcodeandtheauthorizationcodereceivedinthepreviousstep.Forsecurityreasonsthecodecanonlybeusedonce.TheresultisanHTTP200responsetotheclientindicatingsuccessfromtheTokenendpoint.TheresponseisreturnedformattedinJSON(JavaScriptObjectotation) containingtheOAuthAccessToken.Theclientcannowusetheaccesstokentoperformactionsusingthedataitrequiresontheresourceserverbeforethetokenisexpired.TheresourceserverreceivestheaccesstokenandperformsavalidationcheckwiththeTokenendpointtomakesurethetokenisvalidbeforeperformingtherequiredaction. 14 Nasrin Sohrabi
Authorization Endpoint Web Client (Our application) Browser Token Endpoint 1 4 3 2 1 Request query string includes the OAuth client ID, response type and requested scopes and redirect uri. Request Redirect to Authorization Server 3 5 15 Nasrin Sohrabi PingFederate Server
WebapplicationredirectsusertoAuthorizationServer(AS),whichisPingFederate,atitsauthorizationendpoint(https://<pf>/as/authorization.oauth2).RequestquerystringincludestheOAuthclientID,responsetype(inthiscaseauthorizationcode)andrequestedscopesandstate. UserauthenticatestoASviaIdPadapterorIdPconnection.Afterauthentication,userseesconfirmationpagewithrequestedscopesfromtheOAuthclientredirect,andclicks"Approve” ASredirectsuserbacktoclientsitewithAuthorizationCodeinquerystring. WebsiteresolvesAuthorizationCodetoanOAuthtoken(AccessToken[andRefreshToken])viaAPIcalltotheASTokenEndpoint(https://<pf>/as/token.oauth2) TheresultisanHTTP200responsetotheclientindicatingsuccessfromtheTokenEndpoint.TheresponseisreturnedformattedinJSON(JavaScriptObjectNotation) containingtheOAuthAccessToken 2 4 5 1 3 16 Nasrin Sohrabi
An example of authorization request from user and retrieve authorization code https://localhost:9031/as/authorization.oauth2? client_id=ac_client& response_type=code& scope=edit& redirect_uri=sample%3A%2F%2Foauth2%2Fcode%2Fcb 17 Nasrin Sohrabi
18 References: 1. Ryan Boyd, Getting Started with OAuth2.0, published by O’REILLY, February 2012. 2. OAuth2 Developers Guide, PingIdentity, 07/09/2014. 3. PingFederate Administrator’s Manual, June 27, 2014 . 4. Ryan Boyd, OAuth2 Identity and Data Access, 2012. 5. John DaSilva, Ping Identity and OAuth and OpenIDConnect In Action with PingFederate Hands-On, 7/8/2013. 6. OAuth2 Tutorial, Ping Identity, July 2014. Nasrin Sohrabi
19 Nasrin Sohrabi

Empfohlen

An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 

Empfohlen

An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API 안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API Gosu Ok
 
Open api개발을 위한 자료1
Open api개발을 위한 자료1Open api개발을 위한 자료1
Open api개발을 위한 자료1도성 김
 

Weitere ähnliche Inhalte

Was ist angesagt?

Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 

Was ist angesagt? (20)

Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 

Andere mochten auch

안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API 안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API Gosu Ok
 
Open api개발을 위한 자료1
Open api개발을 위한 자료1Open api개발을 위한 자료1
Open api개발을 위한 자료1도성 김
 
Daum OAuth 2.0
Daum OAuth 2.0Daum OAuth 2.0
Daum OAuth 2.0Daum DNA
 
기획자를 위한 OAuth
기획자를 위한 OAuth기획자를 위한 OAuth
기획자를 위한 OAuthMinwoo Park
 
OAuth2 - API 인증을 위한 만능도구상자
OAuth2 - API 인증을 위한 만능도구상자OAuth2 - API 인증을 위한 만능도구상자
OAuth2 - API 인증을 위한 만능도구상자Minwoo Park
 

Andere mochten auch (6)

안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API 안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
안드로이드 OAuth 1.0a, 2.0 구현 - Naver, Google API
 
Open api개발을 위한 자료1
Open api개발을 위한 자료1Open api개발을 위한 자료1
Open api개발을 위한 자료1
 
Daum OAuth 2.0
Daum OAuth 2.0Daum OAuth 2.0
Daum OAuth 2.0
 
기획자를 위한 OAuth
기획자를 위한 OAuth기획자를 위한 OAuth
기획자를 위한 OAuth
 
OAuth2 - API 인증을 위한 만능도구상자
OAuth2 - API 인증을 위한 만능도구상자OAuth2 - API 인증을 위한 만능도구상자
OAuth2 - API 인증을 위한 만능도구상자
 
OAuth2.0
OAuth2.0OAuth2.0
OAuth2.0
 

Ähnlich wie O auth2.0 guide

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessidsecconf
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356IOSR Journals
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 

Ähnlich wie O auth2.0 guide (20)

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Kürzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

O auth2.0 guide

  • 1. 1 * E-mails: sales@nexright.com
  • 3. Why using OAuth2.0 ? one way to address REST security issues is with the open source protocol OAuth 1) Lack of standards and support of RESTfulAPI Askingauserfortheirpasswordhasanumberofside-effectsuchas: Trust:ausermaynottrustprovidingtheirpasswordtoyourapplication. Expandedaccessandrisks:Whentheuserprovidestheirpasswordtoyourapplication,yougetaccesstonotonlythedatayourapplicationneeds,butallotherdataintheuser’saccount.Theapplicationhasanobligationtoitsuserstosecurelystorethesepasswordsandpreventthemfromleaking.Manydevelopersdonotwanttheriskexposureofhavingthisadditionalresponsibility. Decreasedusersensitivitytophishing:Eveniftheuseriscomfortableprovidingtheirpasswordtoyourapplication,makingtheusercomfortabledoingthisaroundtheWebcanhavenegativelong-termeffects,suchasmakingphishingscamsmoreeffective. Limitedreliability:Whenauserchangestheirpassword,yourapplicationnolongerhasaccesstotheirdata. Revocationchallenges:Theonlywayausercanrevokeaccesstoyourapplicationisbychangingtheirpassword,whichalsorevokesaccesstoallotherapps. Passwordsbecomerequired:WhenanAPIprovidersupportsfederatedauthenticationmechanismssuchasOpenIDorSAML,usersmaynothavepasswordsontheiraccounts.ThismakesitimpossibleforthoseuserstouseapplicationspoweredbytheAPI. Difficultyimplementingstrongerauthentication:IfanAPIproviderrequirespasswordsforAPIauthentication,itbecomeschallengingtoimproveaccountsecuritywithtechnologieslikeCAPTCHAsormultifactorauthentication(suchasone-timepasswordtokens). 2)PasswordAnti-Pattern Within move towards SaaS–trend towards API access to data/services to supplement/replace browser access. Clear trend for these APIs is towards REST. 3) Cloud APIs 4) Native Mobile Applications 3 Nasrin Sohrabi
  • 4. Client Application User Agent How does OAuth2.0 work? OAuth 2.0 protocol uses a number of actors to achieve the main tasks of getting, validating, and using an access token 4 Nasrin Sohrabi Authorization Server Resource Server Resource Owner
  • 5. The main Actors are: User or Resource Owner Theactualenduser,responsibleforauthenticationandtoprovideconsenttosharetheirresourceswiththerequestingclient User Agent Theuser’sbrowser.usedforredirect‐basedflowswheretheusermustauthenticateandoptionallyprovideconsenttosharetheirresources. Client Authorization Server (AS) Resource Server (RS) The Client Application that is requesting an access token on behalf of the end user. A server capable of issuing tokens, obtaining authorization, and authenticating resource owners. The target application or API that provides the requested resources. This actor will validate an access token to provide authorization for theaction. (The server hosting protected resources) 5 Nasrin Sohrabi
  • 6. Oauth2.0 provides four standard grant typesandan extension grant type that can beusedto customize the authentication and authorization process depending on the application requirements: Server Side Web Application Flow (Authorization Code Flow) Client Side Web Application Flow (Implicit Grant Flow) Resource Owner Password Flow Client Credentials Extension Grant 6 Nasrin Sohrabi OAuth2.0 Grant Types
  • 7. Authorization Code Resource Owner Cridential Implicit Client Credentials Used for most Web and mobile application scenarios that want to call REST Web services. uses the user agent to transport an intermediate code, which is then exchanged for the OAuth2 tokens. Scenariowhereclientisnotabletosafelyhidetheclientsecret(e.g. clientsideJavaScriptapplication).UsestheuseragenttotransportTheOAuth2tokens. Whenapplicationneedstocontroltheloginform(e.g.NativeMobileapp). Exchangesausername/passwordcombinationfortheOAuth2tokens. Whenauserisnotinvolved.AccesstokenonlyrequiredforaservicetocallaRESTwebservice.ExchangestheclientcredentialsforanOAuth2Accesstoken. Extension Grant Type Used To Extend The Oauth2.0 Grant Types For specific Scenarios (e.g. the SAML bearer extension grant). 7 Nasrin Sohrabi
  • 8. Some of the important terminologies that use during work with OAuth: Client key: Client Secret: Authorization Code: Access Token: Refresh Token: AvalueusedbytheconsumertoidentifyitselftotheServiceProvider. A secret used by the consumer to establish ownership of the consumer key. Avalueusedbytheconsumertoobtainauthorizationfromtheuser,andexchangedforanAccessToken Atokenusedbytheclienttomakeauthenticatedrequestsonbehalfoftheresourceowner. Atokenusedbytheclienttoobtainanewaccesstokenwithouthavingtoinvolvetheresourceowner. 8 Nasrin Sohrabi
  • 9. 9 AS Enpoint Authorization Endpoints: • used, via user-agent redirection, to authenticate and obtain authorization from the resource owner. • End user on the front channel. Token Endpoints • Used to exchange an authorization grant for an access token. • Client on the back channel. Client Endpoint Redirection URI • After completing its interaction with the resource owner, the AS directs the resource owner's user-agent back to the client at the client’s redirection URI. • Front channel callback. Nasrin Sohrabi Endpoints
  • 10. The application developer will be responsible for the user-facing Elements Of theprocess. They will needto authenticate the user and interface with the back-end APIs. There are three main actions an application developer needs to handle to implement OAuth2: 1) Get an access token. 2) Use an access token. 3) Refresh an access token(optional). 10 Nasrin Sohrabi In the following slides, I will explained how to get an OAuth access token from PingFederate infrastructure, based on Authorization code grant type.
  • 12. Authorization code grant process Request Authorization Obtain User Authorization Exchange Code for Access Token Validate and Perform Actions There are 4 main steps to the authorization code grant type process: The client redirects the user to the Authorization Endpoint (Ping Federate)to request an authorization code. The Resource Owner (User) grants permissions for the client to access resource data. The authorization code is given to the client (callback from auth. server). The authorization code is exchanged for an access token given to the client by the Token Endpoint (Ping Federate) . The Resource Server validates the Access Token and gives access to the client if validation is successful 12 Nasrin Sohrabi
  • 13. Client Authorization EndPoint (PingFederate) Token EndPoint (PingFederate) Resource Server Grant Authorization Code Direct user To Resource Provider User Authentication Grant permissions Request Authorization Code Request Access Token Grant Access Token Direct users To the client with authcode 1 Obtain Authorization code 2 Obtain Authorization to use code Access Protected Resources Validate Token Use Access Token 3 Exchange Code for Access Token 4 Client Uses Resources 13 Nasrin Sohrabi
  • 14. Phases in detail: Theclientrequestsresourcedata,whichredirectstheuserthroughanauthorizationprocessinordertoobtainanauthorizationcode.AftertheuserauthenticatesandauthorizesaccessatPingFederate,acallback(viaanHTTP redirect)willbemadebacktotheclientapplicationwiththeauthorizationcodeinthequeryStringlike(https://localhost:9031/OAuthPlayground/case1callback.jsp?state=&code=5qJvl5hWL20KS6ZKzQ- eZAYBjF0coxe3YhPaAhM2).Now,theclientsitesendsanhttprequesttoexchangetheauthorizationcodeobtainedinthecallbackforthedesiredtokens(typicallyanaccesstokenandarefreshtoken).TheprocessofexchangingrequirestheclienttocommunicatewiththePingFederateTokenEndpoint(https://<pf>/as/token.oauth2)withthefollowingparameters:client_id,granttype=authorizationcodeandtheauthorizationcodereceivedinthepreviousstep.Forsecurityreasonsthecodecanonlybeusedonce.TheresultisanHTTP200responsetotheclientindicatingsuccessfromtheTokenendpoint.TheresponseisreturnedformattedinJSON(JavaScriptObjectotation) containingtheOAuthAccessToken.Theclientcannowusetheaccesstokentoperformactionsusingthedataitrequiresontheresourceserverbeforethetokenisexpired.TheresourceserverreceivestheaccesstokenandperformsavalidationcheckwiththeTokenendpointtomakesurethetokenisvalidbeforeperformingtherequiredaction. 14 Nasrin Sohrabi
  • 15. Authorization Endpoint Web Client (Our application) Browser Token Endpoint 1 4 3 2 1 Request query string includes the OAuth client ID, response type and requested scopes and redirect uri. Request Redirect to Authorization Server 3 5 15 Nasrin Sohrabi PingFederate Server
  • 16. WebapplicationredirectsusertoAuthorizationServer(AS),whichisPingFederate,atitsauthorizationendpoint(https://<pf>/as/authorization.oauth2).RequestquerystringincludestheOAuthclientID,responsetype(inthiscaseauthorizationcode)andrequestedscopesandstate. UserauthenticatestoASviaIdPadapterorIdPconnection.Afterauthentication,userseesconfirmationpagewithrequestedscopesfromtheOAuthclientredirect,andclicks"Approve” ASredirectsuserbacktoclientsitewithAuthorizationCodeinquerystring. WebsiteresolvesAuthorizationCodetoanOAuthtoken(AccessToken[andRefreshToken])viaAPIcalltotheASTokenEndpoint(https://<pf>/as/token.oauth2) TheresultisanHTTP200responsetotheclientindicatingsuccessfromtheTokenEndpoint.TheresponseisreturnedformattedinJSON(JavaScriptObjectNotation) containingtheOAuthAccessToken 2 4 5 1 3 16 Nasrin Sohrabi
  • 17. An example of authorization request from user and retrieve authorization code https://localhost:9031/as/authorization.oauth2? client_id=ac_client& response_type=code& scope=edit& redirect_uri=sample%3A%2F%2Foauth2%2Fcode%2Fcb 17 Nasrin Sohrabi
  • 18. 18 References: 1. Ryan Boyd, Getting Started with OAuth2.0, published by O’REILLY, February 2012. 2. OAuth2 Developers Guide, PingIdentity, 07/09/2014. 3. PingFederate Administrator’s Manual, June 27, 2014 . 4. Ryan Boyd, OAuth2 Identity and Data Access, 2012. 5. John DaSilva, Ping Identity and OAuth and OpenIDConnect In Action with PingFederate Hands-On, 7/8/2013. 6. OAuth2 Tutorial, Ping Identity, July 2014. Nasrin Sohrabi