Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

18
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps Hermann Burgmeier Matthias Miltz JavaOne September 2013

Transcript of Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Page 1: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps

Hermann Burgmeier Matthias Miltz

JavaOne September 2013

Page 2: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Building an Ecosystem

● Co-Innovation with the community

Mobile platform support

SaaS model (Chaining of services)

● Provide (REST-)API for your service

● Ease of consumption for 3rd party developers

○ Many OAuth2 client libraries available

● Don’t worry about things that don’t deliver value:

○ Authentication

○ Authorization

Page 3: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Password Anti-Pattern

● Share your user/password directly

o Can you trust the site?

o Do you know if they store it?

o How to revoke access?

● Users get careless about sharing their

password

● No authorization of the requesting site

● No fine grained permissions

● Changing the password

frequently cuts off all sites

Page 4: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

OAuth 2.0

● Protocol for authorization - not authentication

● Delegated model

o Fix the password anti-pattern!

o Trust relationship between resource, identity server

and client app

● Official IETF standard since Oct-2012 (http://oauth.net/2/)

● Goal was simplicity:

o Nounces / Signing of requests, anyone?

o No verification code

● Relies heavily on TLS/SSL

Page 5: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

OAuth 2.0 - Implementations

● Early implementations by Google, Facebook, Github, etc.

● Java Open Source Server Implementations:

○ OAuth for Spring

○ Apis Authorization Server

○ Apache Oltu

○ Apache CXF

○ Restlet Framework

○ Jersey-OAuth2

■ Available on Github (github/hburgmeier/jerseyoauth2)

■ Based on dependency injection (Guice)

■ Variants for Jersey 1.x and 2.x

■ MIT License

Page 6: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

OAuth 2 – Supported Flows

● Authorization Code

○ Strong authentication of the client

○ Trade authorization code for token

● Implicit

○ For clients that can’t keep a secret

● Resource Owner Password Credentials

○ If you and your users trust the client app...

● Client Credentials

○ To replace the common API key / API secret pattern

○ Used by Twitter

Page 7: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

OAuth 2 for Mobile Native Apps

● Mobile applications can’t really keep a client secret

● Only two possible flows:

o Authorization Code

No client secret possible

o Implicit Grant

No refresh token

Based on “phony” Redirect-URL

● Standard proposes use of an internal/external browser

Page 8: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Our Demo

● Service to provide last coffee bean price

REST service returning JSON object

Implemented using JAX-RS 2.0 and Jersey 2.0

● What we want to do:

Enable OAuth 2.0 on the service

Javascript-based client as pure HTML application

• OAuth 2 Implicit Grant

Integrate external identity provider (Lenovo ID)

Hosted on OpenShift

Page 9: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Protocol Flow Implicit Grant

HTTP/1.1 302 Found Location: http://client.example.com/cb# access_token=mF_9.B5f-4.1JqM& expires_in=3600

GET /authorize? response_type=token& client_id=jsOnlyClientID& redirect_uri=https://client.example.com/cb

GET /resource/1 Authorization: Bearer mF_9.B5f-4.1JqM

Page 10: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Implementing Implicit Grant in

JavaScript

● Can’t keep a OAuth secret because JavaScript is

visible/debuggable in the browser

● Redirect URI is used for client authentication

● Access Token is transported as URL fragment

● Cross domain HTTP request to access

REST service

o Only works in modern browsers

o Requires a CORS enabled resource server

Page 11: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

How to Enable Your Service

@Path("/coffee")

public class CoffeePriceService {

@GET

@Produces({ MediaType.APPLICATION_JSON })

public CoffeePrice get() {

}

Page 12: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

How to Enable Your Service

@OAuth20

@AllowedScopes(scopes = {"espresso"})

@Path("/coffee")

public class CoffeePriceService {

@GET

@Produces({ MediaType.APPLICATION_JSON })

public CoffeePrice get() {

}

Page 13: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

JAX-RS / Jersey 2.0 in our Example public class RestApplication extends Application {

@Inject

public RestApplication(ServiceLocator serviceLocator) {

DynamicConfiguration dc = Injections.getConfiguration(serviceLocator);

Injections.addBinding(Injections.newBinder(DefaultConfiguration.class).to(IRSConfiguration.class), dc);

Injections.addBinding(Injections.newBinder(AccessTokenVerifier.class).to(IAccessTokenVerifier.class), dc);

Injections.addBinding(Injections.newBinder(RequestFactory.class).to(IRequestFactory.class), dc);

dc.commit();

}

@Override

public Set<Class<?>> getClasses() {

Set<Class<?>> clazzes = new HashSet<Class<?>>();

clazzes.add(CoffeePriceService.class);

clazzes.add(JacksonFeature.class);

clazzes.add(OAuth2FilterFeature.class);

return clazzes;

}

}

Page 14: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

JerseyOAuth2

DEMO

Page 15: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Authorization Server

● Web Application based on Guice / Dependency Injection

(Almost) everything is a service:

UserService, TokenService, ClientService, etc.

Use default or implement your own!

● Identity Provider:

Built-in (e.g. Container)

External (e.g. Lenovo ID)

● Contains user interface for approval/denial of

permissions (bring your own UI technology)

● Implements the authorization and token endpoint

Page 16: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Now It’s Your Turn...

Go enable your Jersey services:

● Maven:

○ <groupId> com.github.hburgmeier.jerseyoauth2 </groupId>

<artifactId> jersey-oauth2 </artifactId>

<version> 0.7 </version>

● GitHub:

○ https://github.com/hburgmeier/jerseyoauth2

● Sample Code:

○ https://github.com/hburgmeier/JavaOne2013

● Fork me!

Page 17: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Questions?

We are hiring in Freiburg, Germany!

[email protected]

We are hiring in Morrisville, NC!

[email protected]

Page 18: Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne 2013

Image Credits

Slide 2: By McKay Savage from London, UK [CC-BY-2.0], via Wikimedia Commons

Slide 4: By Hubert DENIES (Own work) [CC-BY-SA-3.0], via Wikimedia Commons

Slide 5: By Kweniston (Own work) [CC-BY-3.0], via Wikimedia Commons

Slide 6: By Ibonzer (Own work) [CC-BY-SA-3.0], via Wikimedia Commons

Slide 7: 2004 by Tomasz Sienicki [CC BY 2.5]

Slide 8: by Joe Shlabotnik [CC-BY 2.0] via Flickr

Slide 9: By Demilune [CC-BY-SA-2.5], via Wikimedia Commons

Slide 10: By David Bacon (Flickr: IMG_5126) [CC-BY-2.0], via Wikimedia Commons

Slide 11: By Andrés Nieto Porras from Palma de Mallorca, España ([C] Café Uploaded by russavia) [CC-BY-SA-2.0], via Wikimedia Commons

Slide 15: By Scott Schiller (Flickr: Master lock, "r00t" password) [CC-BY-2.0], via Wikimedia Commons

Slide 16: https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png