© 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Antonio Sanso | Software Engineer

OAuth and third party authentication in Granite



Presentation "OAuth and third party authentication in Granite" by Antonio Sanso at CQCON2013 in Basel on 19 and 20 June 2013.


Page 1: OAuth and third party authentication in Granite


Antonio Sanso | Software Engineer

OAuth and third party authentication in Granite

Page 2: OAuth and third party authentication in Granite


Agenda


Page 3: OAuth and third party authentication in Granite


Who is this guy, BTW?


• Software Engineer – Adobe Basel
• VP (Chair) of Apache Oltu (OAuth protocol implementation in Java)
• Committer for Apache Sling

Page 4: OAuth and third party authentication in Granite


Why OAuth?


Several web sites offer to import your list of contacts from another service.

All it requires is that you hand over your username and password for that other service. How nice.

Page 5: OAuth and third party authentication in Granite


A bit of history – OAuth 1.0a


Page 6: OAuth and third party authentication in Granite


A bit of history – OAuth 2.0


Page 7: OAuth and third party authentication in Granite


The good


• OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
• Widespread and still growing
• Short-lived tokens
• Encapsulated tokens

* Image taken from the movie ‘The Good, the Bad and the Ugly’

Page 8: OAuth and third party authentication in Granite


The bad


• No signature (relies solely on SSL/TLS): bearer tokens, so whoever holds the token can use it
• No built-in security beyond the transport
• Can be dangerous in the hands of inexperienced implementers
• Burden on the client

* Image taken from the movie ‘The Good, the Bad and the Ugly’

Page 9: OAuth and third party authentication in Granite


The ugly


• Too many compromises: the working group did not take clear decisions
• The OAuth 2.0 spec is not a protocol, it is rather a framework - RFC 6749: The OAuth 2.0 Authorization Framework
• Not interoperable - from the spec: "…this specification is likely to produce a wide range of non-interoperable implementations." !!
• Mobile integration (web views)
• A lot of FUD

* Image taken from the movie ‘The Good, the Bad and the Ugly’

Page 10: OAuth and third party authentication in Granite


So what should I use?


• Not many alternatives
• OAuth 1.0 does not scale (and it is complicated)

Page 11: OAuth and third party authentication in Granite


OAuth Actors


• Resource Owner (Alice)
• Client (Bob, worker at www.printondemand.biz)
• Server (Carol Mark, from Facebook); in RFC 6749 terms this role is split into the authorization server, which issues the tokens, and the resource server, which accepts them

Page 12: OAuth and third party authentication in Granite


OAuth flows


• Authorization Code Grant (aka server-side flow) ✓
• Implicit Grant (aka client-side flow)
• Resource Owner Password Credentials Grant
• Client Credentials Grant

Page 13: OAuth and third party authentication in Granite


Traditional OAuth “dance” #1 - server side flow


Client: www.printondemand.biz; server: Facebook; resource owner: Alice. The arrows of the diagram are reconstructed from the authorization code grant (RFC 6749, section 4.1):

1. Client to Alice's browser: "I want an Authz Code" (redirect to the server's authorization endpoint)
2. Server to Alice: "Printondemand wants an Authz Code"
3. Alice to server: "Login and authorize"
4. Server to client (redirect back through Alice's browser): "Here the Authz Code"
5. Client to server (back channel, authenticated with its client secret): the code is exchanged for an access token. "Here we go"

Page 14: OAuth and third party authentication in Granite


OAuth-entication or OAuth-orization?

• OAuth is NOT an authentication protocol. It is an access delegation protocol.
• It is, and can be, used as an authentication protocol
• BUT HANDLE WITH CARE: an access token proves that its holder was granted access to the resource owner's data by some client, not that the holder is the resource owner. A client that treats a token as a login must first check that the token was issued to that very client; otherwise a token obtained by a malicious app for the victim logs the attacker in as the victim.
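The dance on slide 13 and the "handle with care" point on slide 14, as one added example in plain Java. This is not Granite or Apache Oltu code: the authorization server, client, endpoint URLs, client ids and secrets are all illustrative, and the model is in-memory rather than HTTP. It shows the checks each side has to make (registered redirect_uri, unguessable single-use state and code, client secret at the token endpoint) and, for slide 14, why a client must verify that a bearer token was issued to itself before accepting it as a login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Added example, not Granite or Oltu code: in-memory model of the server-side flow and of why
 *  a bearer token is not a proof of identity. All names, endpoints and values are illustrative. */
public class OAuthDance {
    private static final SecureRandom RNG = new SecureRandom();
    /** 192 unguessable bits, URL-safe: used for codes, tokens and the state value. */
    static String random() {
        byte[] b = new byte[24]; RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    /** Constant-time comparison for secrets (client secret, state). */
    static boolean sameSecret(String a, String b) {
        return a != null && b != null
            && MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    /** An authorization code and everything it is bound to. */
    static final class Code {
        final String clientId, redirectUri, user; final long expiresAt; boolean used;
        Code(String c, String r, String u, long e) { clientId = c; redirectUri = r; user = u; expiresAt = e; }
    }
    /** A bearer token: the user it speaks for and the client it was issued to (its audience). */
    static final class Token {
        final String value, user, clientId;
        Token(String v, String u, String c) { value = v; user = u; clientId = c; }
    }

    /** Carol's side, the authorization server (Facebook on the slides). */
    static final class AuthorizationServer {
        private final Map<String, String> secrets = new HashMap<>();   // client_id -> client_secret
        private final Map<String, String> redirects = new HashMap<>(); // client_id -> registered redirect_uri
        private final Map<String, Code> codes = new HashMap<>();
        private final Map<String, Token> tokens = new HashMap<>();
        void register(String clientId, String secret, String redirectUri) {
            secrets.put(clientId, secret); redirects.put(clientId, redirectUri);
        }
        /** Steps 2-4: Alice has logged in and clicked "authorize"; redirect her back with a code. */
        String authorize(String clientId, String redirectUri, String state, String user) {
            // The code is sent wherever redirect_uri points, so it must be exactly the registered one.
            if (!redirectUri.equals(redirects.get(clientId))) throw new IllegalArgumentException("redirect_uri mismatch");
            String code = random();
            codes.put(code, new Code(clientId, redirectUri, user, System.currentTimeMillis() + 60_000L));
            return redirectUri + "?code=" + code + "&state=" + state;  // state is echoed back untouched
        }
        /** Step 5: back-channel exchange of the code for a token; the client authenticates with its secret. */
        Optional<Token> token(String clientId, String secret, String code, String redirectUri) {
            if (!sameSecret(secret, secrets.get(clientId))) return Optional.empty();
            Code c = codes.get(code);
            if (c == null || c.used || c.expiresAt < System.currentTimeMillis()) return Optional.empty();
            if (!c.clientId.equals(clientId) || !c.redirectUri.equals(redirectUri)) return Optional.empty();
            c.used = true;                                     // single use: a replayed code must fail
            Token t = new Token(random(), c.user, clientId);
            tokens.put(t.value, t);
            return Optional.of(t);
        }
        /** Introspection: which user, and which client, does this token belong to? */
        Optional<Token> introspect(String value) { return Optional.ofNullable(tokens.get(value)); }
    }

    /** Bob's side, the client (www.printondemand.biz on the slides). */
    static final class Client {
        final String clientId, secret, redirectUri;
        private String pendingState;                           // per browser session in a real client
        Client(String c, String s, String r) { clientId = c; secret = s; redirectUri = r; }
        /** Step 1: send Alice to the authorization endpoint with a fresh, unguessable state. */
        String startDance(String authorizeEndpoint) {
            pendingState = random();
            return authorizeEndpoint + "?response_type=code&client_id=" + clientId
                + "&redirect_uri=" + redirectUri + "&state=" + pendingState;
        }
        /** Steps 4-5: the callback. Without the state check an attacker can log Alice into HIS account. */
        Optional<Token> callback(String code, String state, AuthorizationServer as) {
            if (!sameSecret(pendingState, state)) return Optional.empty();
            pendingState = null;                               // state is single use too
            return as.token(clientId, secret, code, redirectUri);
        }
        /** Slide 14: a token handed to us proves a grant to SOME client, not that the bearer is Alice.
         *  It counts as a login here only if it was issued to this client. */
        Optional<String> loginWithToken(String value, AuthorizationServer as) {
            Optional<Token> t = as.introspect(value);
            if (!t.isPresent() || !t.get().clientId.equals(clientId)) return Optional.empty();
            return Optional.of(t.get().user);
        }
    }

    public static void main(String[] args) {
        AuthorizationServer facebook = new AuthorizationServer();
        facebook.register("pod", "pod-secret", "https://www.printondemand.biz/callback");
        facebook.register("evil", "evil-secret", "https://evil.example/callback");
        Client pod = new Client("pod", "pod-secret", "https://www.printondemand.biz/callback");
        String url = pod.startDance("https://facebook.example/oauth/authorize");               // step 1
        String state = url.substring(url.indexOf("state=") + 6);
        String back = facebook.authorize("pod", pod.redirectUri, state, "alice");              // steps 2-4
        String code = back.substring(back.indexOf("code=") + 5, back.indexOf("&state="));
        Token t = pod.callback(code, state, facebook).get();                                   // step 5
        System.out.println("token for " + t.user + " issued to " + t.clientId);
        System.out.println("replayed code accepted: " + facebook.token("pod", "pod-secret", code, pod.redirectUri).isPresent());
        // Slide 14: Alice also authorized "evil"; evil's token must not log its holder into printondemand as Alice.
        String evilBack = facebook.authorize("evil", "https://evil.example/callback", "x", "alice");
        String evilCode = evilBack.substring(evilBack.indexOf("code=") + 5, evilBack.indexOf("&state="));
        Token evilToken = facebook.token("evil", "evil-secret", evilCode, "https://evil.example/callback").get();
        System.out.println("foreign token accepted as login: " + pod.loginWithToken(evilToken.value, facebook).isPresent());
    }
}
```

Running it prints the token for alice issued to pod, then false for both the replayed code and the foreign token. In a real client the pending state lives in the browser session (cookie) rather than in a field, and a library such as Apache Oltu takes care of the request and response encoding; the checks themselves stay the same.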


Page 15: OAuth and third party authentication in Granite


Authentication in Granite

1. The client sends a request with username and password.
2. SlingAuthenticator calls the AuthenticationHandler (the CQ default is TokenAuthenticationHandler).
3. The AuthenticationHandler returns an AuthenticationInfo carrying the username and password.
4. SlingAuthenticator calls the RepositoryFactory with the AuthenticationInfo to get a resource resolver; this is where the credentials are validated (Jackrabbit LoginModule).
5. SlingAuthenticator calls AuthenticationFeedbackHandler#authenticationSucceeded, which may set cookies.
6. The request continues to be processed (or is redirected).


Page 16: OAuth and third party authentication in Granite


Third party Authentication in Granite – OAuth


Page 17: OAuth and third party authentication in Granite


Third party Authentication in Granite - LDAP, SAML, OAuth

• The client sends a request with username and password
• In the case of OAuth no username and password are sent: step 1 of the dance was "Login to Facebook", so Granite never sees a password for this user
• SlingAuthenticator calls RepositoryFactory with the AuthenticationInfo to get a resource resolver and validate the credentials (Jackrabbit LoginModule)
• Which credentials?

Page 18: OAuth and third party authentication in Granite


Third party authentication in Granite

• Trusted Credentials
• Custom (companion) LoginModule
• com.day.crx.security.token.TokenUtil#createCredentials

DEPRECATED

```java
// Fragment of the deprecated TokenUtil#createCredentials approach, as on the slide:
// an admin session impersonates the user; the empty TOKEN_ATTRIBUTE asks the repository
// to mint a login token during impersonation, which is read back and set as the login cookie.
. . .
SimpleCredentials sc = new SimpleCredentials(userId, new char[0]);
sc.setAttribute(TOKEN_ATTRIBUTE, "");
userSession = adminSession.impersonate(sc);
TokenCredentials tc = new TokenCredentials((String) sc.getAttribute(TOKEN_ATTRIBUTE));
. . .
TokenCookie.update(request, response, repositoryId, tc.getToken(),
    adminSession.getWorkspace().getName(), httpOnly);
```

Page 19: OAuth and third party authentication in Granite


Third party authentication in Granite


```java
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

public AuthenticationInfo extractCredentials(final HttpServletRequest request, final HttpServletResponse response) {
    . . .
    // Trusted credentials: the password is irrelevant. The "TrustedInfo" attribute tells the
    // companion LoginModule that this handler has already verified the identity (customerEmail
    // comes from the OAuth provider, not from the request).
    final SimpleCredentials credentials =
        new SimpleCredentials(customerEmail, "no_password_needed".toCharArray());
    credentials.setAttribute("TrustedInfo", "SSO");
    authInfo = new AuthenticationInfo("SSO", customerEmail);
    authInfo.put("user.jcr.credentials", credentials);   // AuthenticationInfo.CREDENTIALS
    . . .
    // Create the repository user on first login, using the verified e-mail as user id.
    final User cqUser = userManager.createUser(authInfo.getUser(), StringUtils.EMPTY,
        authInfo.getUser());
    . . .
}
```
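The six steps on slide 15, the "which credentials?" question on slide 17 and the trusted-credentials snippet above, pulled together in one added example of a Sling AuthenticationHandler for the OAuth callback. This is not Granite's own OAuth module (referenced on slide 20): the ProviderTokenExchange interface, the cookie and path names, the client id and the assumption that the handler is registered for path "/" with the companion LoginModule honouring the "TrustedInfo" attribute are all mine. What it adds to the slide's snippet is the part that makes trusted credentials safe to hand out: the state cookie check against a forged callback and the rule that the only proof of identity accepted is the back-channel exchange of the code.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Added example, not Granite's OAuth handler: a Sling AuthenticationHandler for the OAuth callback
 *  that turns a verified provider identity into trusted credentials for a companion LoginModule.
 *  ProviderTokenExchange, the cookie/path names and the client id are assumptions. */
public class OAuthCallbackAuthenticationHandler implements AuthenticationHandler, AuthenticationFeedbackHandler {
    /** Assumed collaborator: back-channel code-for-token exchange, returning the provider-verified user id. */
    public interface ProviderTokenExchange {
        Optional<String> exchangeCodeForUserId(String code, String redirectUri);
    }
    static final String AUTH_TYPE = "OAuth";               // value of AuthenticationInfo.AUTH_TYPE
    static final String CALLBACK_PATH = "/oauth/callback"; // path part of the redirect_uri registered at the provider
    static final String STATE_COOKIE = "oauth_state";
    private static final SecureRandom RNG = new SecureRandom();
    private final ProviderTokenExchange provider;
    private final String clientId, authorizeUrl, redirectUri;

    public OAuthCallbackAuthenticationHandler(ProviderTokenExchange provider, String clientId,
                                              String authorizeUrl, String redirectUri) {
        this.provider = provider; this.clientId = clientId; this.authorizeUrl = authorizeUrl; this.redirectUri = redirectUri;
    }

    /** Step 2 on slide 15: SlingAuthenticator asks us for credentials. We act on the callback request only. */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        if (!(request.getContextPath() + CALLBACK_PATH).equals(request.getRequestURI())) return null; // not ours
        String code = request.getParameter("code"), state = request.getParameter("state");
        // Missing or mismatched state means a forged callback (CSRF) or a replay: fail the login,
        // never return null here, since null would let the request continue as anonymous.
        if (code == null || !sameSecret(state, cookie(request, STATE_COOKIE))) return AuthenticationInfo.FAIL_AUTH;
        setStateCookie(response, "", 0);                                                  // state is single use
        Optional<String> userId = provider.exchangeCodeForUserId(code, redirectUri);      // the only proof accepted
        if (!userId.isPresent()) return AuthenticationInfo.FAIL_AUTH;
        // Slide 17's "which credentials?": there is no password, so the credentials are marked as trusted
        // (slide 19). Only server-side code can set this attribute; nothing in the HTTP request can inject it.
        SimpleCredentials credentials = new SimpleCredentials(userId.get(), new char[0]);
        credentials.setAttribute("TrustedInfo", AUTH_TYPE);
        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, userId.get());
        info.put(AuthenticationInfo.CREDENTIALS, credentials);                            // "user.jcr.credentials"
        return info;
    }

    /** Step 1 of the dance: redirect to the provider with a fresh state, bound to this browser by a cookie. */
    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        byte[] raw = new byte[24]; RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        setStateCookie(response, state, 300);
        response.sendRedirect(authorizeUrl + "?response_type=code&client_id=" + URLEncoder.encode(clientId, "UTF-8")
            + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8") + "&state=" + state);
        return true;   // we have written the response
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        setStateCookie(response, "", 0);   // the provider's session is not ours to end
    }

    /** Step 5 on slide 15: the LoginModule accepted the trusted credentials. They are good for this request
     *  only, so a real handler sets its persistent login cookie here; returning false lets Sling carry on. */
    @Override
    public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        return false;
    }

    @Override
    public void authenticationFailed(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        setStateCookie(response, "", 0);
    }

    private static void setStateCookie(HttpServletResponse response, String value, int maxAge) {
        // Raw header so that HttpOnly is honoured on pre-Servlet-3.0 containers as well.
        response.addHeader("Set-Cookie", STATE_COOKIE + "=" + value + "; Path=" + CALLBACK_PATH
            + "; Max-Age=" + maxAge + "; Secure; HttpOnly");
    }
    private static String cookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
    private static boolean sameSecret(String a, String b) {
        return a != null && b != null
            && MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two things to check before wiring such a handler in: the companion LoginModule must accept the "TrustedInfo" attribute only from SimpleCredentials built by server-side code (it never comes from the request, so that holds by construction), and the user id written into the repository should be namespaced to the provider (for example provider plus subject) rather than a bare e-mail, so that an identity asserted by the provider cannot collide with an existing local account of the same name when the user is auto-created as on slide 19.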

Page 20: OAuth and third party authentication in Granite


References

• OAuth 2 web site - http://oauth.net/2/
• Granite OAuth API - http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/auth/oauth/package-summary.html
• Social Login - http://dev.day.com/docs/en/cq/current/administering/social_communities/social_connect.html
• Some OAuth 2 attacks - http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html
• Apache Oltu - http://oltu.apache.org/
