Demystifying OAuth: A standard for authorization


Page 1: Demystifying OAuth

Demystifying OAuth: A standard for authorization

Page 2: Demystifying OAuth

24-3-2019 Demystifying OAuth

MENNO HOOGENDIJK

APEX Consultant

mennooo

mennooo

menn.ooo

Page 3: Demystifying OAuth

OAuth in APEX

Page 5: Demystifying OAuth

https://www.slideshare.net/msewtz/oracle-apex-social-login

https://asktom.oracle.com/pls/apex/f?p=100:551:::NO:RP,551:P551_CLASS_ID:5861

Page 9: Demystifying OAuth

https://asktom.oracle.com/pls/apex/f?p=100:551:::NO:RP,551:P551_CLASS_ID:4824

Page 10: Demystifying OAuth

APEX Packages for OAuth

Package: OAuth functionality

APEX_AUTHENTICATION: Social sign-in

APEX_CREDENTIAL: Manage OAuth client credentials

APEX_EXEC: Work with remote data sources via OAuth

APEX_JWT: Work with OAuth tokens

APEX_WEB_SERVICE: Work with OAuth protected web services


Page 11: Demystifying OAuth

What is OAuth?

Page 12: Demystifying OAuth

Scenario: a person stores pictures in the cloud

Page 13: Demystifying OAuth


[Diagram: User, Pictures in the cloud]

User has access to pictures. Username & password, two-factor authentication or fingerprint?

No reason for OAuth

Page 14: Demystifying OAuth


[Diagram: User, Application, Pictures in the cloud]

Third-party application to edit the pictures

How to give this application access to the pictures?

Page 15: Demystifying OAuth


[Diagram: User, Application, Pictures in the cloud]

Option 1: Ask user for credentials

Application impersonates the user

User credentials exposed to application

Same credentials might be used elsewhere

Full access for application

Page 16: Demystifying OAuth


[Diagram: User, Application, Pictures in the cloud]

Option 2: Developer key

User creates a key in the cloud and adds it in the application

Cloud won't know who's using the key

Extra tasks for the user

Full access for application

Page 17: Demystifying OAuth


[Diagram: User, Application, Authorization server, Pictures in the cloud]

The solution is OAuth 2.0

To delegate authority over user resources to an application

Page 18: Demystifying OAuth


[Diagram: the four OAuth roles: Resource owner, Client, Authorization server, Protected resource. Interactions: Grant access, Issue token, Access service, Access data, Validate token]

Page 19: Demystifying OAuth

OAuth 2 is about tokens

How to get a token

How to use a token

Page 20: Demystifying OAuth

What is an authorization server?

Page 21: Demystifying OAuth

Authorization Server

• Owner: the organization where the protected resource resides

• The central security authority

• Most complex component in OAuth ecosystem


Each organization with a REST API protected by OAuth has its own Authorization Server


Page 22: Demystifying OAuth

Authorization Server implementations

• Proprietary solutions

• Open source solutions

• Hosted solutions

Oracle REST Data Services is also an Authorization Server


Page 23: Demystifying OAuth

Tasks for an Authorization Server

• Managing OAuth client registrations

• Authenticating users

• Authorizing clients

• Issuing tokens

• Validating tokens


Page 24: Demystifying OAuth

Authorization Server: Register clients

The Authorization Server needs the following information to register a client:

• Grant type (flow type) which will be used

• A redirect URL to return to the client after the grant by the resource owner

• Scopes (rights on the protected resource)


Page 25: Demystifying OAuth

The client gets its credentials from the authorization server

The client is assigned the following:

Attribute: Purpose; Security remarks

client_id: Like a username; The client may expose this

client_secret: Like a password; A secret must not be exposed. Only issued if the client has a back-end


Page 26: Demystifying OAuth

Authorization Server: authenticate users

How users are authenticated is not part of OAuth. It could be:

• Username / password

• Two-factor

• HTTP Header

• Biometric

• LDAP

• …


Page 27: Demystifying OAuth

Authorization Server: authorize clients

Fine-grained rights via scopes

• Create, read, update and delete pictures

• Accessible scopes defined on client creation

• Client may ask the resource owner to grant a subset of those scopes

• Resource owner can revoke rights


Page 28: Demystifying OAuth

Authorization Server: issuing tokens

• Format is not part of OAuth 2.0 specification

• Represents the requested client access, resource owner & scope

• A weak spot of OAuth 2.0


Page 29: Demystifying OAuth

Authorization Server: validating tokens

• Correct scope to access resource?

• Token not expired?

• No check if the token belongs to the client

[Diagram: Protected resource validates the token with the Authorization server]

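The checks on this slide as a Python example added here, not code from the presentation or from ORDS: a protected resource parses the Bearer header and validates scope and expiry against a constructed, in-memory token store, and, as the slide notes, nothing ties the token to the client presenting it. The token values, scope names and expiry times are made up for the example.

```python
import time

# Constructed sample token store (opaque tokens; the token format itself is
# not part of the OAuth 2.0 specification). Values are made up.
TOKENS = {
    "tok-live":    {"scope": {"pictures.read", "pictures.update"}, "exp": 2_000_000_000},
    "tok-expired": {"scope": {"pictures.read"}, "exp": 1_000_000_000},
}


def parse_bearer(authorization_header):
    """Extract the token from 'Authorization: Bearer <token>'; None if malformed."""
    parts = authorization_header.split(None, 1) if authorization_header else []
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def validate_token(token, required_scope, now=None):
    """The two checks from the slide: correct scope and token not expired.
    Returns (ok, reason). Nothing here ties the token to the client that
    presents it, which is exactly the gap the slide points out."""
    now = time.time() if now is None else now
    record = TOKENS.get(token)
    if record is None:
        return False, "unknown_token"
    if record["exp"] <= now:
        return False, "expired"
    if required_scope not in record["scope"]:
        return False, "insufficient_scope"
    return True, "ok"


def authorize_request(headers, required_scope, now=None):
    """Protected resource entry point: 401 when the token is missing, unknown
    or expired, 403 when it lacks the required scope, 200 otherwise."""
    token = parse_bearer(headers.get("Authorization", ""))
    if token is None:
        return 401
    ok, reason = validate_token(token, required_scope, now)
    if ok:
        return 200
    return 403 if reason == "insufficient_scope" else 401
```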

Page 30: Demystifying OAuth

OAuth 2.0 is designed to work in different situations

Page 31: Demystifying OAuth


Client - Server

[Diagram: Resource owner, Client, Protected resource; Access service, Access data]

Page 32: Demystifying OAuth


Server - Server

[Diagram: System A, System B; Access data]

Page 33: Demystifying OAuth

The client chooses the OAuth flow it wants to use

Am I requesting an access token for the protected resource:

• On behalf of a user? (client – server)

• On behalf of myself as application? (server – server)


Page 34: Demystifying OAuth

How the user and client communicate with the authorization server

Page 35: Demystifying OAuth

[Diagram: Resource owner, Authorization server]

Front channel communication: via the user agent (browser) of the resource owner

Page 36: Demystifying OAuth

[Diagram: Client, Authorization server]

Back channel communication: via the back-end of the client

All requests are authenticated using the client_id and client_secret

Page 37: Demystifying OAuth

Flow 1: Authorization Code

Page 38: Demystifying OAuth

Authorization code flow

The client wants to access protected resources on behalf of the user


Page 39: Demystifying OAuth

Authorization code flow

• Most complex flow

• Requires a client back-end

• Variable scope

• Three-legged process: authenticate user (front channel), obtain authorization code (front channel), obtain access token (back channel)


Page 40: Demystifying OAuth

Front channel: Resource owner -> Client: starts application

Page 41: Demystifying OAuth

Client (back channel): do I have an unexpired access token for the user?

Page 42: Demystifying OAuth

Yes, I have a valid access token

Back channel: Client -> Protected resource: access data

The access token is sent as a Bearer Authorization header

Page 43: Demystifying OAuth

No, I don't have an access token

Client (back channel): do I have a refresh token for the user?

A refresh token can be used to get a new access token when the old one has expired

Page 44: Demystifying OAuth

Yes, I have a valid refresh token

Back channel: Client -> Authorization server: refresh token

client_id + client_secret are sent as a Basic authentication header

Page 45: Demystifying OAuth

The authorization server validates the refresh token and returns an access token

Back channel: Authorization server -> Client: access token

Page 46: Demystifying OAuth

The client uses the valid access token

Back channel: Client -> Protected resource: access data

The access token is sent as a Bearer Authorization header

Page 47: Demystifying OAuth

No, I don't have a refresh token

Front channel: Client -> Authorization server: redirect resource owner

The client_id and scopes are part of the redirect URL

Page 48: Demystifying OAuth

Front channel: Resource owner -> Authorization server: provide credentials

The resource owner authenticates


Page 50: Demystifying OAuth

Front channel: Resource owner -> Authorization server: approval for client

The resource owner grants permission to the protected resource


Page 52: Demystifying OAuth

Front channel: Authorization server -> Client: authorization code

The authorization server redirects back to the client with the authorization code

Page 53: Demystifying OAuth

The client uses the authorization code to request an access token

Back channel: Client -> Authorization server: authorization code

client_id + client_secret are sent as a Basic authentication header

Page 54: Demystifying OAuth

The authorization server validates the authorization code and returns an access token

Back channel: Authorization server -> Client: access token + refresh token

Page 55: Demystifying OAuth

The client uses the valid access token

Back channel: Client -> Protected resource: access data

The access token is sent as a Bearer Authorization header

Page 56: Demystifying OAuth

Flow 2: Client credentials

Page 57: Demystifying OAuth

Client credentials flow

The client uses its own credentials to authenticate on the authorization server.

[Diagram: System A, System B; Access data]


Page 58: Demystifying OAuth

Client credentials flow

• Simplest flow

• Requires a client back-end

• Only back channel communication

• Predefined scope

• Two-legged process: authenticate client, obtain access token


Page 59: Demystifying OAuth

System A (back channel): do I have an unexpired access token for myself?

Page 60: Demystifying OAuth

Yes, I have a valid access token

Back channel: System A -> System B: access data

The access token is sent as a Bearer Authorization header

Page 61: Demystifying OAuth

No, I don't have an access token

Back channel: System A -> Authorization server: credentials

client_id + client_secret are sent as a Basic authentication header

Page 62: Demystifying OAuth

The authorization server validates the credentials and returns an access token

Back channel: Authorization server -> System A: access token

Page 63: Demystifying OAuth

The client uses the valid access token

Back channel: System A -> System B: access data

The access token is sent as a Bearer Authorization header

Page 64: Demystifying OAuth

Why use the client credentials flow instead of basic authentication?

Because OAuth adds these benefits:

• Access tokens are short-lived

• Central security authority

• Standardization


Page 65: Demystifying OAuth

Flow 3: implicit

Page 66: Demystifying OAuth

Implicit flow

The client wants to access protected resources on behalf of the user


Page 67: Demystifying OAuth

Implicit flow

• Specific flow for front-end only apps (like Oracle JET)

• Client doesn't get a client_secret

• Only front channel communication

• Variable scope

• Two-legged process: authenticate user, obtain access token


Page 68: Demystifying OAuth

Front channel: Resource owner -> Client: starts application

Page 69: Demystifying OAuth

Client (front channel): do I have an unexpired access token for the user?

Page 70: Demystifying OAuth

Yes, I have a valid access token

Front channel: Client -> Protected resource: access data

The access token is sent as a Bearer Authorization header

Page 71: Demystifying OAuth

No, I don't have an access token

Front channel: Client -> Authorization server: redirect resource owner

The client_id and scopes are part of the redirect URL

Page 72: Demystifying OAuth

Front channel: Resource owner -> Authorization server: provide credentials

The resource owner authenticates

Page 73: Demystifying OAuth

Front channel: Resource owner -> Authorization server: approval for client

The resource owner grants permission to the protected resource

Page 74: Demystifying OAuth

Front channel: Authorization server -> Client: access token

The authorization server redirects back to the client with the access token

Page 75: Demystifying OAuth

The client uses the valid access token

Front channel: Client -> Protected resource: access data

The access token is sent as a Bearer Authorization header
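The three flows above (authorization code, client credentials, implicit) share the same building blocks, shown here in a Python example added by the editor, not code from the presentation or from APEX/ORDS: the Basic header for back-channel requests, the Bearer header for the protected resource, the front-channel redirect URL carrying client_id and scopes, and the "do I have a valid access token / refresh token?" decision tree. The client registration values are constructed placeholders, and the response_type, redirect_uri and state parameters are the standard OAuth 2.0 names rather than anything shown on the slides.

```python
import base64
from urllib.parse import urlencode

# Constructed sample client registration (hypothetical values, not real credentials).
CLIENT_ID = "pictures-editor"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "https://editor.example/callback"


def basic_auth_header(client_id, client_secret):
    """Back channel: every request carries client_id + client_secret as Basic auth."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def bearer_header(access_token):
    """Client -> protected resource: the access token is sent as a Bearer header."""
    return "Bearer " + access_token


def authorize_redirect_url(auth_endpoint, scopes, state, response_type="code"):
    """Front channel: the resource owner is redirected to the authorization server;
    client_id and the requested scopes are part of the URL. response_type is
    'code' for the authorization code flow and 'token' for the implicit flow."""
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    return auth_endpoint + "?" + urlencode(params)


def next_step(tokens, now, flow):
    """Decision tree shared by the three flows: an unexpired access token is used;
    otherwise the authorization code flow may try a refresh token; otherwise the
    flow starts from scratch (redirect the user, or a client-credentials request)."""
    if tokens.get("access_token") and tokens.get("expires_at", 0) > now:
        return "use_access_token"
    if flow == "authorization_code" and tokens.get("refresh_token"):
        return "refresh"
    return "token_request" if flow == "client_credentials" else "redirect_user"


def token_request(grant_type, **params):
    """Back-channel POST to the token endpoint for the authorization_code,
    refresh_token and client_credentials grants; returns (headers, form body).
    The implicit flow never calls this: it has no back channel and no secret."""
    headers = {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": grant_type, **params}
    if grant_type == "authorization_code":
        body["redirect_uri"] = REDIRECT_URI  # must match the registered redirect URL
    return headers, body
```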

Page 76: Demystifying OAuth

OAuth 2.0 is demystified

Page 77: Demystifying OAuth

If you want to know more


Page 78: Demystifying OAuth

Thank you

Page 79: Demystifying OAuth

Using an external authorization server with ORDS

Page 80: Demystifying OAuth


[Diagram: Resource owner, Client, Authorization server, Protected resource; Grant access, Issue token, Access service, Access data, Validate token. The Validate token link is marked "Missing link"]

Page 81: Demystifying OAuth

[Diagram: Resource owner, Client, Authorization server, Protected resource; Grant access, Issue token, Access service, Access data, Validate token. A separate Authorization server box is shown next to the protected resource]