OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Uploaded by codemotion (category: Technology)
![Page 2: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/2.jpg)
Uwe Friedrichsen
@ufried
![Page 3: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/3.jpg)
<session>
  <no-code>
    <motivation />
    <history />
    <solution />
    <extensions />
    <criticism />
    <tips />
  </no-code>
  <code>
    <authorization />
    <token />
    <resource />
  </code>
  <wrap-up />
</session>
![Page 4: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/4.jpg)
{ "session" : {
    "no-code" : [ "motivation", "history", "solution", "extensions", "criticism", "tips" ],
    "code" : [ "authorization", "token", "resource" ],
    "wrap-up" : true
  }
}
![Page 5: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/5.jpg)
Players
You
Application with protected resources
Another application
![Page 6: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/6.jpg)
Assignment
You
Application with protected resources
Another application
Access your resources
![Page 7: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/7.jpg)
Problem
You
Application with protected resources
Another application
Access your resources
![Page 8: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/8.jpg)
Challenge
You
Application with protected resources
Another application
Access your resources
Secure? Easy to use?
![Page 9: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/9.jpg)
OAuth 1.0
• Started by Twitter in 2006
• 1st Draft Standard in 10/2007
• IETF RFC 5849 in 4/2010
• Widespread
• Complex Client Security Handling
• Limited Scope
• Not extendable
• Not "Enterprise-ready"
![Page 10: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/10.jpg)
OAuth 2.0
• Working Group started 4/2010
• 31 Draft Versions
• Eran Hammer-Lahav left 7/2012 *
• IETF RFC 6749 in 10/2012
* http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
![Page 11: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/11.jpg)
Players revisited
You
Application with protected resources
Another application
![Page 12: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/12.jpg)
Players revisited
You
Authorization Server
Client Application
Resource Server
![Page 13: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/13.jpg)
Solution (Step 1)
Players: You, Authorization Server, Client Application, Resource Server
1. I want an authorization code
2. Client XYZ wants an authorization code
3. User: "Yes, it's okay"
4. Here is an authorization code for client XYZ
5. Here you are
![Page 14: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/14.jpg)
Solution (Step 2)
Players: You, Authorization Server, Client Application, Resource Server
6. I want to trade my authorization code for an access token
7. Here you are
![Page 15: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/15.jpg)
Solution (Step 3)
Players: You, Authorization Server, Client Application, Resource Server
Give me some resources. Here is my access token, btw.
…
![Page 16: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/16.jpg)
A few more Details
• TLS/SSL
• Endpoints
• Client Types
• Client Identifier
• Client Authentication
• Redirect URI
• Access Token Scope
• Refresh Token
• Client State
![Page 17: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/17.jpg)
Players: You, Authorization Server, Client Application, Resource Server
1. I want an authorization code
2. Client XYZ wants an authorization code
3. User: "Yes, it's okay"
4. Here is an authorization code for client XYZ
5. Here you are

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
![Page 18: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/18.jpg)
Players: You, Authorization Server, Client Application, Resource Server
1. I want an authorization code
2. Client XYZ wants an authorization code
3. User: "Yes, it's okay"
4. Here is an authorization code for client XYZ
5. Here you are

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
![Page 19: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/19.jpg)
Players: You, Authorization Server, Client Application, Resource Server
6. I want to trade my authorization code for an access token
7. Here you are

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
![Page 20: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/20.jpg)
Players: You, Authorization Server, Client Application, Resource Server
6. I want to trade my authorization code for an access token
7. Here you are

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
![Page 21: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/21.jpg)
Players: You, Authorization Server, Client Application, Resource Server
Give me some resources. Here is my access token, btw.
…

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
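The authorization code exchange from the preceding slides, as an added example in Python that is not part of the deck and not Apache Amber code: a minimal in-memory authorization server and the client side of the flow, using the RFC 6749 example identifiers quoted on the slides. It carries out the checks the later code slides depend on: an exact redirect URI match, a state value the client verifies on the callback, HTTP Basic client authentication at the token endpoint, and single-use authorization codes. The registration table and the in-memory code store are constructed for the example.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data: the client id, secret and redirect URI are the
# RFC 6749 example values quoted on the slides.
CLIENTS = {"s6BhdRkqt3": {"secret": "gX1fBat3bV",
                          "redirect_uri": "https://client.example.com/cb"}}

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, redirect_uri)

    def authorize(self, query, user_consents):
        """GET /authorize (steps 2-4). Returns the Location of the 302 response."""
        p = {k: v[0] for k, v in parse_qs(query).items()}
        client = CLIENTS.get(p.get("client_id"))
        # Exact string comparison with the registered redirect URI (RFC 6749 3.1.2.3);
        # an unregistered URI gets no redirect at all, not even an error redirect.
        if client is None or client["redirect_uri"] != p.get("redirect_uri"):
            raise ValueError("invalid client_id or redirect_uri")
        reply = {"state": p.get("state", "")}   # state goes back unchanged
        if p.get("response_type") != "code" or not user_consents:
            reply["error"] = "access_denied"
        else:
            reply["code"] = secrets.token_urlsafe(16)
            self.codes[reply["code"]] = (p["client_id"], p["redirect_uri"])
        return client["redirect_uri"] + "?" + urlencode(reply)

    def token(self, auth_header, form):
        """POST /token (steps 6-7): authenticate the client, then redeem the code once."""
        scheme, _, cred = auth_header.partition(" ")
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        client = CLIENTS.get(client_id)
        if scheme != "Basic" or client is None or not hmac.compare_digest(client["secret"], secret):
            return 401, {"error": "invalid_client"}
        issued_to = self.codes.pop(form.get("code"), None)   # pop: a code is single-use
        if (form.get("grant_type") != "authorization_code"
                or issued_to != (client_id, form.get("redirect_uri"))):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(16), "token_type": "bearer",
                     "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}

def run_client(server, user_consents=True):
    """Client side: send the user to /authorize, verify the callback, redeem the code."""
    state = secrets.token_urlsafe(8)   # binds the callback to this request (CSRF protection)
    redirect_uri = CLIENTS["s6BhdRkqt3"]["redirect_uri"]
    query = urlencode({"response_type": "code", "client_id": "s6BhdRkqt3",
                       "state": state, "redirect_uri": redirect_uri})
    cb = {k: v[0] for k, v in parse_qs(urlparse(server.authorize(query, user_consents)).query).items()}
    if cb.get("state") != state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "error" in cb:
        return 0, cb
    # Same Basic credential as on the slide: base64("s6BhdRkqt3:gX1fBat3bV")
    return server.token("Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW",
                        {"grant_type": "authorization_code", "code": cb["code"],
                         "redirect_uri": redirect_uri})
```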
![Page 22: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/22.jpg)
More flows & Extensions
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
• Refresh Token Grant
• Standard & custom Extensions
• Standards based on OAuth 2.0
![Page 23: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/23.jpg)
Criticism
• Too many compromises
• No built-in security
• Relies solely on SSL
• Bearer Token
• Self-encrypted token
![Page 24: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/24.jpg)
Tips
• Turn MAY into MUST
• Use HMAC Tokens
• Use HMAC to sign Content
• No self-encrypted token
• Always check the SSL Certificate
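An added example in Python (not from the deck) of the "Use HMAC Tokens" and "Use HMAC to sign Content" tips: instead of presenting a bare bearer token, the client signs each request with a MAC key issued together with the token, and the resource server checks the signature, the timestamp and the nonce, so a token value captured in transit is useless without the key. The token id is the access token from the slides; the key, the header format, the 300-second skew window and the token table are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed data: the token id is the access token from the slides; the MAC key is
# issued with it and known to the token endpoint and the resource server only.
TOKENS = {"2YotnFZFEjr1zCsicMWpAA": {"mac_key": b"constructed-mac-key",
                                     "expires": time.time() + 3600}}
MAX_SKEW = 300   # seconds a request timestamp may deviate from server time

def _canonical(method, host, path, body, timestamp, nonce):
    # Canonical string covering everything the signature protects, body included
    return "\n".join([method.upper(), host.lower(), path, hashlib.sha256(body).hexdigest(),
                      str(timestamp), nonce]).encode()

def sign_request(token_id, mac_key, method, host, path, body=b"", now=None):
    """Client side: an Authorization header that binds the token to this one request."""
    timestamp, nonce = int(now if now is not None else time.time()), secrets.token_hex(8)
    tag = hmac.new(mac_key, _canonical(method, host, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return f'MAC id="{token_id}", ts="{timestamp}", nonce="{nonce}", mac="{tag}"'

class ResourceServer:
    def __init__(self):
        self.seen = set()   # (token id, nonce) pairs already accepted, for replay detection

    def verify(self, auth_header, method, host, path, body=b""):
        now = time.time()
        scheme, _, rest = auth_header.partition(" ")
        if scheme != "MAC":
            return False, "unsupported_scheme"
        params = {k.strip(): v.strip().strip('"') for k, _, v in (p.partition("=") for p in rest.split(","))}
        token = TOKENS.get(params.get("id"))
        if token is None or token["expires"] < now:
            return False, "unknown_or_expired_token"
        ts, nonce = int(params.get("ts", "0")), params.get("nonce", "")
        if abs(now - ts) > MAX_SKEW:
            return False, "stale_timestamp"
        expected = hmac.new(token["mac_key"], _canonical(method, host, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; a plain == would leak how many leading bytes matched.
        if not hmac.compare_digest(expected, params.get("mac", "")):
            return False, "bad_signature"
        if (params["id"], nonce) in self.seen:
            return False, "replay"
        self.seen.add((params["id"], nonce))
        return True, "ok"

def demo():
    """GET /resource/1 as on the slides, followed by the failure modes the server must catch."""
    tid = "2YotnFZFEjr1zCsicMWpAA"
    rs, key = ResourceServer(), TOKENS[tid]["mac_key"]
    good = sign_request(tid, key, "GET", "example.com", "/resource/1")
    stale = sign_request(tid, key, "GET", "example.com", "/resource/1", now=time.time() - 1000)
    return [rs.verify(good, "GET", "example.com", "/resource/1")[1],    # ok
            rs.verify(good, "GET", "example.com", "/resource/1")[1],    # replay of a valid header
            rs.verify(good, "GET", "example.com", "/resource/2")[1],    # same header, other path
            rs.verify("Bearer " + tid, "GET", "example.com", "/resource/1")[1],  # token alone
            rs.verify(stale, "GET", "example.com", "/resource/1")[1]]   # old timestamp
```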
![Page 25: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/25.jpg)
What does the code feel like?
using Apache Amber 0.22
![Page 26: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/26.jpg)
Players: You, Authorization Server, Client Application, Resource Server
1. I want an authorization code
2. Client XYZ wants an authorization code
3. User: "Yes, it's okay"
4. Here is an authorization code for client XYZ
5. Here you are

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
![Page 27: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/27.jpg)
Authorization Endpoint (1)
@Path("/authorize")
public class AuthorizationEndpoint {
    @Context
    private SecurityDataStore securityDataStore;

    @GET
    @Consumes(OAuth.ContentType.URL_ENCODED)
    public Response authorize(@Context HttpServletRequest request)
            throws OAuthSystemException, OAuthProblemException, URISyntaxException {
        // Do the required validations
        OAuthAuthzRequest oauthRequest = wrapAndValidate(request);
        validateRedirectionURI(oauthRequest);
        // Actual authentication not defined by OAuth 2.0
        // Here a forward to a login page is used
        String loginURI = buildLoginURI(oauthRequest);
        return Response.status(HttpServletResponse.SC_FOUND)
                .location(new URI(loginURI)).build();
    }
...
![Page 28: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/28.jpg)
Authorization Endpoint (2)
...
    private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req)
            throws OAuthSystemException, OAuthProblemException {
        // Implicitly validates the request locally (required parameters,
        // response type); throws OAuthProblemException on a malformed request
        return new OAuthAuthzRequest(req);
    }
...
![Page 29: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/29.jpg)
Authorization Endpoint (3)
...
    private void validateRedirectionURI(OAuthAuthzRequest oauthReq) {
        String redirectionURISent = oauthReq.getRedirectURI();
        String redirectionURIStored = securityDataStore
                .getRedirectUriForClient(oauthReq.getClientId());
        if (!redirectionURIStored
                .equalsIgnoreCase(redirectionURISent)) {
            OAuthProblemException oAuthProblem =
                    OAuthProblemException
                            .error(OAuthError.CodeResponse.ACCESS_DENIED,
                                    "Invalid Redirection URI");
            oAuthProblem.setRedirectUri(redirectionURISent);
            throw oAuthProblem;
        }
    }
...
![Page 30: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/30.jpg)
Authorization Endpoint (4)
...
    private String buildLoginURI(OAuthAuthzRequest oauthRequest) {
        String loginURI = getBaseLoginURI(); // As an example
        // First parameter starts the query string, the rest are appended
        loginURI += "?" + OAuth.OAUTH_RESPONSE_TYPE + "="
                + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);
        loginURI += "&" + OAuth.OAUTH_CLIENT_ID + "="
                + oauthRequest.getClientId();
        // The redirect URI contains reserved characters and must be encoded
        loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "="
                + URLEncoder.encode(oauthRequest.getRedirectURI(), StandardCharsets.UTF_8);
        loginURI += "&" + OAuth.OAUTH_SCOPE + "="
                + oauthRequest.getParam(OAuth.OAUTH_SCOPE);
        loginURI += "&" + OAuth.OAUTH_STATE + "="
                + oauthRequest.getParam(OAuth.OAUTH_STATE);
        return loginURI;
    }
}
![Page 31: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/31.jpg)
Players: You, Authorization Server, Client Application, Resource Server
1. I want an authorization code
2. Client XYZ wants an authorization code
3. User: "Yes, it's okay"
4. Here is an authorization code for client XYZ
5. Here you are

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
![Page 32: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/32.jpg)
Login page handler
private void getAndSendAuthorizationCode(HttpServletRequest req,
        HttpServletResponse resp) throws IOException {
    // Assuming login was successful and forwarded
    // parameters can be found in the request
    String userId = (String) req.getAttribute("userId");
    String clientId =
            (String) req.getAttribute(OAuth.OAUTH_CLIENT_ID);
    // Create a new authorization code and store it in the database
    String authzCode =
            securityDataStore.getAuthorizationCode(userId, clientId);
    // Redirect back to client, echoing the client's state unchanged
    String redirectUri =
            (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI);
    redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode;
    redirectUri += "&" + OAuth.OAUTH_STATE + "="
            + req.getAttribute(OAuth.OAUTH_STATE);
    resp.sendRedirect(redirectUri);
}
![Page 33: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/33.jpg)
Players: You, Authorization Server, Client Application, Resource Server
6. I want to trade my authorization code for an access token
7. Here you are

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
![Page 34: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/34.jpg)
Token Endpoint (1)
@Path("/token")
public class TokenEndpoint {
...
    @POST
    public Response token(@Context HttpServletRequest request,
            @HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader)
            throws OAuthSystemException, OAuthProblemException {
        // Do the required validations
        validateClient(authorizationHeader);
        OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request);
        validateRedirectionURI(oauthRequest);
        OAuthToken token = securityDataStore
                .exchangeAuthorizationCodeForAccessToken(oauthRequest);
        OAuthResponse oauthResponse = buildOAuthResponse(token);
        return Response.status(oauthResponse.getResponseStatus())
                .entity(oauthResponse.getBody()).build();
    }
...
![Page 35: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/35.jpg)
Token Endpoint (2)
...
    private void validateClient(String authorizationHeader) {
        // Expected form: "Basic base64(clientId:clientSecret)"
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            ... // Missing or non-Basic credentials: create and throw an OAuthProblemException
        }
        Pattern headerPattern = Pattern.compile("\\s+");
        String[] headerParts = headerPattern.split(authorizationHeader);
        byte[] encoded = headerParts[1].getBytes();
        String decoded = new String(Base64.decode(encoded),
                Charset.forName("UTF-8"));
        // Split on the first ':' only; the secret itself may contain colons
        String[] clientParts = StringUtils.split(decoded, ":", 2);
        String clientId = clientParts[0];
        String clientSecret = clientParts[1];
        if (!securityDataStore.isValidClient(clientId, clientSecret)) {
            ... // Create and throw an OAuthProblemException
        }
    }
...
![Page 36: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/36.jpg)
Players: You, Authorization Server, Client Application, Resource Server
6. I want to trade my authorization code for an access token
7. Here you are

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
![Page 37: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/37.jpg)
Token Endpoint (3)
...
    private OAuthResponse buildOAuthResponse(OAuthToken token)
            throws OAuthSystemException {
        return OAuthASResponse
                .tokenResponse(HttpServletResponse.SC_OK)
                .setAccessToken(token.getAccessToken())
                .setTokenType(TokenType.BEARER.toString())
                .setExpiresIn(token.getExpiresIn())
                .setRefreshToken(token.getRefreshToken())
                .setScope(token.getScope())
                .buildJSONMessage();
    }
}
![Page 38: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/38.jpg)
Players: You, Authorization Server, Client Application, Resource Server
Give me some resources. Here is my access token, btw.
…

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
![Page 39: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/39.jpg)
Resource Filter (1)
public class AuthorizationFilter implements ContainerRequestFilter {
    @Context
    private SecurityDataStore securityDataStore;
    @Context
    private HttpServletRequest httpServletRequest;

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        // Every request to a protected resource passes through here
        String accessToken = extractAccessToken();
        validateAccessToken(accessToken);
        return request;
    }
...
![Page 40: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/40.jpg)
Resource Filter (2)
...
    private String extractAccessToken()
            throws OAuthSystemException, OAuthProblemException {
        // Amber parses the "Authorization: Bearer ..." header for us
        OAuthAccessResourceRequest oauthRequest =
                new OAuthAccessResourceRequest(httpServletRequest);
        return oauthRequest.getAccessToken();
    }
...
![Page 41: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/41.jpg)
Resource Filter (3)
...
    private void validateAccessToken(String accessToken) {
        if (!securityDataStore.isValidAccessToken(accessToken)) {
            throw new AuthorizationFailedException(
                    "Unknown or expired token!");
        }
    }
}
![Page 42: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/42.jpg)
Summary
• OAuth 2.0 is ready for use
• Quite easy to use
• Don't go for least security
![Page 43: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/43.jpg)
Uwe Friedrichsen
@ufried
http://www.slideshare.net/ufried/
http://blog.codecentric.de/author/ufr
![Page 44: OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen](https://reader034.fdocuments.us/reader034/viewer/2022052321/54b4ee404a79598f728b461f/html5/thumbnails/44.jpg)