© 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Antonio Sanso | Software Engineer
OAuth and third party authentication in Granite
Agenda
Who is this guy, BTW?
- Software Engineer, Adobe Basel
- VP (Chair) of Apache Oltu (OAuth protocol implementation in Java)
- Committer for Apache Sling
Why OAuth?
Several web sites offer you the chance to import the list of your contacts.
It ONLY requires you to give them your username and password. HOW NICE.
A bit of history – OAuth 1.0a
A bit of history – OAuth 2.0
The good
- OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
- Widespread and still growing
- Short-lived tokens
- Encapsulated tokens
* Image taken from the movie ‘The Good, the Bad and the Ugly’
The bad
- No signature (relies solely on SSL), bearer tokens
- No built-in security
- Can be dangerous in the hands of inexperienced people
- Burden on the client
* Image taken from the movie ‘The Good, the Bad and the Ugly’
The ugly
- Too many compromises. The working group did not take clear decisions
- The OAuth 2.0 spec is not a protocol, it is rather a framework: RFC 6749, The OAuth 2.0 Authorization Framework
- Not interoperable. From the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !!
- Mobile integration (web views)
- A lot of FUD
* Image taken from the movie ‘The Good, the Bad and the Ugly’
So what should I use?
- Not many alternatives
- OAuth 1.0 does not scale (and it is complicated)
OAuth Actors
- Resource Owner (Alice)
- Client (Bob, worker at www.printondemand.biz)
- Server (Carol Mark, from Facebook)
OAuth flows
- Authorization Code Grant (aka server side flow) ✓
- Implicit Grant (aka client side flow)
- Resource Owner Password Credentials Grant
- Client Credentials Grant
Traditional OAuth “dance” #1 - server side flow
[Diagram: Alice, the client www.printondemand.biz and the server exchange the following messages]
1. I want an Authz Code
2. Printondemand wants an Authz Code
3. Login and authorize
4. Here the Authz Code
5. Here we go
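The same dance written out with Apache Oltu as an added example (not code from the slides or from Granite): the client builds the redirect of steps 1-2 with a session-bound state, then on the callback of steps 4-5 checks that state before swapping the code for a bearer token. The endpoints and client credentials are placeholders, and a servlet container is assumed to call the two methods.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.http.*;
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAuthzResponse;
import org.apache.oltu.oauth2.client.response.OAuthJSONAccessTokenResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;
/** Authorization Code Grant (server side flow) as the client www.printondemand.biz would run it. */
public class AuthzCodeDance {
    // Placeholder endpoints and client registration; replace with the real server's values.
    static final String AUTHZ_ENDPOINT = "https://server.example/oauth/authorize";
    static final String TOKEN_ENDPOINT = "https://server.example/oauth/token";
    static final String CLIENT_ID = "printondemand-client-id";
    static final String CLIENT_SECRET = "printondemand-client-secret";
    static final String REDIRECT_URI = "https://www.printondemand.biz/oauth/callback";
    // Steps 1-2: send Alice to the server, carrying a fresh session-bound state (anti-CSRF).
    public static void startDance(HttpServletRequest req, HttpServletResponse res)
            throws OAuthSystemException, IOException {
        String state = new BigInteger(130, new SecureRandom()).toString(32);
        req.getSession(true).setAttribute("oauth_state", state);
        OAuthClientRequest authz = OAuthClientRequest.authorizationLocation(AUTHZ_ENDPOINT)
                .setClientId(CLIENT_ID).setRedirectURI(REDIRECT_URI).setResponseType("code")
                .setScope("email").setState(state).buildQueryMessage();
        res.sendRedirect(authz.getLocationUri());
    }
    // Steps 4-5: the server redirects Alice back with ?code=...&state=...; check state, then swap the code.
    public static String finishDance(HttpServletRequest req)
            throws OAuthSystemException, OAuthProblemException {
        OAuthAuthzResponse cb = OAuthAuthzResponse.oauthCodeAuthzResponse(req);
        HttpSession session = req.getSession(false);
        Object expected = session == null ? null : session.getAttribute("oauth_state");
        if (expected == null || !expected.equals(cb.getState())) {
            throw OAuthProblemException.error("invalid_state", "state mismatch, possible CSRF");
        }
        session.removeAttribute("oauth_state"); // single use
        OAuthClientRequest tokenReq = OAuthClientRequest.tokenLocation(TOKEN_ENDPOINT)
                .setGrantType(GrantType.AUTHORIZATION_CODE).setClientId(CLIENT_ID)
                .setClientSecret(CLIENT_SECRET).setRedirectURI(REDIRECT_URI).setCode(cb.getCode())
                .buildBodyMessage();
        OAuthClient client = new OAuthClient(new URLConnectionClient());
        OAuthJSONAccessTokenResponse token = client.accessToken(tokenReq, OAuthJSONAccessTokenResponse.class);
        return token.getAccessToken(); // a bearer token: no signature, so it is only as safe as the TLS channel
    }
}
```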
OAuthentication or OAuthorization?
- OAuth is NOT an authentication protocol. It is an access delegation protocol.
- It is (or can be) used as an authentication protocol
- BUT HANDLE WITH CARE
Authentication in Granite
1. The client sends a request with username and password
2. SlingAuthenticator calls the AuthenticationHandler (the CQ default is TokenAuthenticationHandler)
3. The AuthenticationHandler returns AuthenticationInfo with username and password
4. SlingAuthenticator calls RepositoryFactory with the AuthenticationInfo to get a resource resolver and validate the credentials (Jackrabbit LoginModule)
5. SlingAuthenticator calls AuthenticationFeedbackHandler#authenticationSucceeded, which may set cookies
6. The request continues to be processed (or is redirected)
Third party Authentication in Granite – OAuth
Third party Authentication in Granite - LDAP, SAML, OAuth
- The client sends a request with username and password
- In the case of OAuth no username and password are sent
- SlingAuthenticator calls RepositoryFactory with the AuthenticationInfo to get a resource resolver and validate the credentials (Jackrabbit LoginModule)
- Which credentials?
Third party authentication in Granite
- Trusted Credentials
- Custom (companion) LoginModule
- com.day.crx.security.token.TokenUtil#createCredentials
DEPRECATED
. . .
// Impersonate the externally authenticated user; no password is known for it
SimpleCredentials sc = new SimpleCredentials(userId, new char[0]);
// An empty TOKEN_ATTRIBUTE asks the token login module to issue a new login token
sc.setAttribute(TOKEN_ATTRIBUTE, "");
userSession = adminSession.impersonate(sc);
// The issued token is handed back through the same attribute
TokenCredentials tc = new TokenCredentials((String) sc.getAttribute(TOKEN_ATTRIBUTE));
. . .
// Set the CQ login-token cookie so the following requests are authenticated
TokenCookie.update(request, response, repositoryId, tc.getToken(),
        adminSession.getWorkspace().getName(), httpOnly);
Third party authentication in Granite
public AuthenticationInfo extractCredentials(final HttpServletRequest request,
        final HttpServletResponse response) {
    . . .
    // Trusted credentials: the OAuth provider already authenticated the user, so no password is needed
    final SimpleCredentials credentials =
            new SimpleCredentials(customerEmail, "no_password_needed".toCharArray());
    // The "TrustedInfo" attribute is what the companion LoginModule checks
    credentials.setAttribute("TrustedInfo", "SSO");
    authInfo = new AuthenticationInfo("SSO", customerEmail);
    authInfo.put("user.jcr.credentials", credentials);
    . . .
    // Create the repository user on first login (no repository password)
    final User cqUser = userManager.createUser(authInfo.getUser(), StringUtils.EMPTY,
            authInfo.getUser());
    . . .
}
References
- OAuth 2 web site - http://oauth.net/2/
- Granite OAuth API - http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/auth/oauth/package-summary.html
- Social Login - http://dev.day.com/docs/en/cq/current/administering/social_communities/social_connect.html
- Some OAuth 2 attacks - http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html
- Apache Oltu - http://oltu.apache.org/