Securing APIs using OAuth 2.0
Adam Lewis – Motorola Solutions – Chief Technology Office


Source: ProgrammableWeb.com, http://www.programmableweb.com/news/which-apis-are-handling-billions-requests-day/2012/05/23


Growth of APIs (Source: ProgrammableWeb.com)


Most of these APIs will need to know some very fundamental things: who is the user of the API, and what are they authorized to do?


In the Beginning …

[API provider] I have an API.

[webapp] I would like to use your API to get access to my user’s protected resources.

[API provider] I cannot just give you that information. To prove that the user really wants you to access their information, I need their username & password.

[webapp, to the user] Please give me your username & password so that I can access your resources on your behalf.

[User] Here is my username & password. (Please be good with it.)


And that was bad. Bad. BAD.

(very bad!)


The Password “anti-pattern”

• Users became promiscuous with their passwords, handing them over directly to any API client that asked for them.
• The client might not be trustworthy.
• Even if the client is trustworthy, it might not be secure and might inadvertently leak the user’s password or be otherwise prone to attack.
• If a password is compromised, or if the client was rogue to begin with, then the only way to revoke that client’s ability to access the user’s resources is for the user to change their password.
• And because many other clients have also stored the user’s password to access other resources on behalf of the user, those clients also lose their ability to access resources.
• Finally, giving a third-party client access to primary credentials enables the client to access ALL of the user’s information, rather than just a scope of it. For example, a user might wish to allow a third-party client to access their Facebook photos, but not to access their Facebook posts. Or they might allow the client to read their posts, but not make posts on their behalf.


• Defined by the IETF
• There was a version 1.0 before it
 – But it required client-side crypto, and developers didn’t like it
 – 2.0 takes community feedback into account (more on that later)


OAuth gives the user the ability to delegate an authorization decision to an API client, so that the client can access their protected resources without the user divulging their credentials to that API client.

Upon granting the API client authorization, the API client is issued an access token representing the scope of that authorization.

Both API clients and API servers are abstracted from requiring a password (really BIG deal!).


OAuth 2.0 roles (diagram): Client; Resource Server; Authorization Server, exposing an Authorization Endpoint and a Token Endpoint; User Agent (UA); End User (possibly the Resource Owner, RO).


Web application flow (authorization code):

1. User logs into web page.
2. Redirect user’s browser to authorization endpoint: OAuth Authorization Request (response_type=code, with the requested scope of authorization).
3. User authentication happens here. The user is asked: “webapp” is requesting access to the following resources within your account: do you wish to grant this access? Yes!
4. Redirect user’s browser back to web app (API client) with authorization code.
5. Token Request (authorization_code).
6. Token Response (access_token).
7. API call: https://server.com?photos (access token).


The same flow as HTTP messages:

GET https://server.example.com/authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https://client.example.com/cb&scope=calendar.read_only

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
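The client side of the authorization code exchange above, as an added example (not the presenter's code): it builds the front-channel authorization request, checks the returned state before trusting the code, and assembles the back-channel token request. The endpoint, client_id, redirect_uri and code are the sample values from the slides; the client secret gX1fBat3bV is simply what the slide's Basic header decodes to.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Added example, not the presenter's code. Endpoint, client_id, redirect_uri
# and code are the sample values from the slides; the client secret
# gX1fBat3bV is what the slide's Basic header decodes to.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"


def new_state():
    """Unguessable per-request value that ties the callback to this client."""
    return secrets.token_urlsafe(16)


def build_authorization_url(scope, state):
    """Step 2: URL the client redirects the user's browser to (front channel)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Step 4: the browser returns to redirect_uri carrying code and state.
    A code whose state does not match what this client sent is not used."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    return query["code"][0]


def build_token_request(code):
    """Step 5: back-channel POST to the token endpoint. The client proves its
    own identity with HTTP Basic over client_id:client_secret; the user's
    password is never handled by the client."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body
```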

DEMO


About that Token

• Bearer – whoever holds it may use it
 – Original OAuth utilized client-side crypto, but developers didn’t exactly flock to it
 – Bearer tokens were a compromise: better than giving passwords to API clients, less secure than client-side signing
• Structure undefined, but in practice:
 – Opaque (requires introspection)
 – JWT (kid, x5t)
• Can be embedded in other protocols besides HTTP (SIP, RTSP, etc.)


JSON Web Tokens

Header:
{
  "alg": "RS256",
  "x5t": "eZsobkgyfNGOyVpjEHgS2i8QhKQ"
}
.
Payload:
{
  "Username": "[email protected]",
  "exp": 1432744471,
  "scope": [
    "calendar_api.read_only",
    "contacts.read_only",
    "email.all"
  ],
  "client_id": "s6BhdRkqt3"
}
.
Signature:
U4cL9RFKu_CwdqlpGReAVGA5sxw8d8tLXM4_1Cx7l49KQxeHYkV2ARlv6Qo7sdUSv7k50yhNPR80wFx0WqqtoLYAKSJ2sXhfqbVTEZrUdDFZUVVYeKOWEyZzZD1w3NCqRm6xhLWmOu05A4gLDUuC7jWagMYquZPywW06SFXFTa5MN0Nyol3V-QfrFf-XdXTBBUko00ooQf6SsyTcAP08kLuWIl9M2oRLPF_N_f5j1I4oAk5LUMFhdNyGeQ32K-aU_kLoGxzb20eUlsZVO82zm-94tEdeKZWtp6BtwLICc9wvR1DnMJje7O_dOql1L1DYXNrJ0s7rWRlLwAxthbytww
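What a resource server does with a JWT bearer token like the one above, as an added example (not from the slides): split header.payload.signature, refuse any alg it does not expect, verify the signature before trusting a single claim, then check exp and the requested scope. The slide's token is RS256-signed; because the Python standard library has no RSA, this substitutes HS256 with a constructed shared secret so it runs stand-alone, and it also covers the "too broad a scope" point by enforcing one scope per API call.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not from the slides. The slide's token is RS256-signed; the
# Python standard library has no RSA, so this substitutes HS256 (a shared
# secret) to stay self-contained. The resource-server checks are the same.
ALLOWED_ALGS = {"HS256"}                  # the token's own "alg" is never trusted blindly
SHARED_SECRET = b"constructed-demo-key"   # constructed sample key, not a real one

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Issuer side (constructed): compact JWS header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token, required_scope, now=None):
    """Resource-server side: signature, then expiry, then scope.
    Returns (claims, "ok") or (None, reason); payload is untrusted until signed."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") not in ALLOWED_ALGS:
            return None, "alg not allowed"
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:            # bad base64, bad JSON, wrong number of segments
        return None, "malformed token"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if required_scope not in claims.get("scope", []):
        return None, "insufficient scope"
    return claims, "ok"
```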


Native app flow (authorization code):

1. User launches Native App.
2. Redirect user’s browser to authorization endpoint: OAuth Authorization Request (response_type=code).
3. User authentication happens here.
4. Redirect user’s browser back to the API client (native app) with authorization code.
5. Token Request (authorization_code).
6. Token Response (access_token).
7. API call: https://server.com?photos (access token).


The same native-app flow, with the user authentication step shown as a SAML exchange in the diagram: SAML request, SAML response, SAML assertion.


Other WG efforts

• Proof of Possession
• New grant types (SAML, JWT)
• Usage beyond REST
• Building block for OpenID Connect, NAPPS


But the grass isn’t all green

• 1.0 was a protocol, 2.0 is a “Framework”
• Flexibility == Complicated
• Interoperability issues
• No standardized access token format
• Not well understood
• It’s NOT for authentication
• Clients often ask for too broad a scope


But it’s still really good

• Clients never see user credentials

• Resource owners can approve only a limited scope

• Very developer friendly

• Options underway for even higher security


And in Closing …

• Questions?
• Comments?
• Scrutiny?

• Thank you! :-) [email protected]