Mobile authentication and authorisation: OpenID and OAuth

Published on 20-Jun-2015

DESCRIPTION

A project presentation about the use of OpenID and OAuth with mobile devices.

Transcript

1. Mobile authentication and authorisation: OpenID and OAuth
   SecureApps user group meeting, 27/05/2014

2. Overview
   • Motivation
   • OpenID
   • OAuth
   • On the mobile
     o OpenID
     o OAuth
     o Getting the user name and password
   • Conclusion: the difference

3. Motivation
   • Knowing your user
     o Attribute-based access control (e.g. age verification)
     o Personalisation (e.g. location-based services)
   • Modern services and mobile apps:
     o blend different resources (pictures, social network posts, documents, geographical data, ...)
     o which are spread across providers
   • Can our app access the user's resources
     o on his behalf?
     o without asking for his credentials!
     o with fine-grained permissions?

4. OpenID: what is it?
   • Authentication and single sign-on protocol
   • 2009: > 1 billion OpenID-enabled accounts
   • Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress, ...
   • Alternative: SAML-based setups
     o Belgian eGov Login
     o Shibboleth
   [Diagram: identity provider, service providers, user]

5. OpenID: how does it work?
   [Diagram: actors are the user, the user's browser, the identity provider (IdP) and the service provider]
   1. Request service
   2. Prompt for IdP URI
   3. Provide IdP URI (IdP discovery step)
   4. Redirect to IdP
   5. Prompt for authentication
   6. Authenticate
   7. Assert attributes and redirect
   8. Grant access

6. OpenID: trust establishment
   • Why?
     o IdP: who may request user data?
     o SP: which IdP's info can I rely on?
   • SAML
     o Offline mutual trust agreement
     o Digitally signed assertions
   • OpenID
     o Initially: none (full user control)
     o Now: unilateral trust of SPs in major IdPs
   [Screenshot: https://www.google.com/account]

7. OAuth 2.0: what is it?
   • Authorisation protocol
   • IETF RFC 6749
   • Resource access
     o on behalf of the user
     o with consent of the user
     o limited in time and scope
   • Widely supported: Amazon, Dropbox, Facebook, Flickr, Google, LinkedIn, Netflix, PayPal, ...
   • Plain HTTP requests

8. OAuth: protocol flow
   [Diagram: resource owner, client, and the resource provider consisting of an authorisation server and a resource server.
   Labelled steps: 5: Authorisation code grant; 6: Access token; 7: Access token; 8: Protected resource]

9. OAuth: protocol flow (continued)
   [Same diagram as slide 8]
   • Client never sees user name and password
   • Access token
     o transferred and stored securely
     o limited in time and scope

10. OAuth: protocol flow (continued)
   [Same diagram as slide 8]
   • 4 grant types
     o Authorisation code grant
     o Resource owner password credentials
     o Implicit grant
     o Client credentials grant

11. OpenID in a mobile app
   • Only few mobile uses:
     o Browser-based single sign-on, same as non-mobile
     o Can be used to authenticate within OAuth, but most logins proprietary
   • How to integrate (same flow as browser SSO):
     o as in-app library
     o as in-app Web View
     o in a centralised account repository
       Android: Account Management API
       iOS: Accounts Framework
   • Protocol deployment and implementation differences

14. OAuth in a mobile app
   [Diagram: the mobile device holds the resource owner, the client app and an authentication component; the resource provider consists of an authorisation server and a resource server.
   Labelled steps: 5: Authorisation code grant; 6: Access token; 7: Access token; 8: Protected resource]

15. OAuth in a mobile app
   • Use cases:
     o Resource retrieval at own service
     o Resource retrieval at 3rd party service
     o Authentication to Client
       No proof of identity or account ownership!
       No standardised mechanism for attribute provisioning
   • How to integrate:
     o centralised account repository
     o libs by resource providers
     o 3rd-party libs
     o own implementation

16. Getting the user name and password
   Comparison of authentication components: browser invocation, Web View, in-app credential input, centralised account repo.
   • Minimises typing?
     o Browser invocation: Yes, if used with password manager
     o Web View: No
     o In-app credential input: Yes, if used with secure storage
     o Centralised account repo: Yes, if used with secure storage
   • Centralised, reusable component?
     o Browser invocation: Yes
     o Web View: No
     o In-app credential input: No
     o Centralised account repo: Yes
   • Trust in client app for credential input?
     o Browser invocation: No
     o Web View: Yes
     o In-app credential input: Yes
     o Centralised account repo: No
   • Eavesdropping by malware/greyware?
     o Browser invocation: Yes (Android)
     o Web View: No
     o In-app credential input: No
     o Centralised account repo: No
   • TLS indicators (address bar, padlock)?
     o Browser invocation: Yes
     o Web View: No
     o In-app credential input: No
     o Centralised account repo: No, but component assumed trusted

17. Conclusion: the difference
   • Involved actors
     o OpenID: User; Identity provider; Service provider
     o OAuth: User (resource owner); Client; Resource provider
   • What happens?
     o OpenID: User authentication to identity provider; identity provider asserts user info to service provider
     o OAuth: User authentication to resource provider; client retrieves resource from resource provider on behalf of user
   • Used for
     o OpenID: Authentication; Personalisation
     o OAuth: Delegation of resource access
   • Result
     o OpenID: Assertion of user info
     o OAuth: Access token, limited in time and scope (accessible resource)
   • Example scenarios
     o OpenID: Gambling site with age verification; Localised news
     o OAuth: Post on Facebook from other website; Access Google+ Photos from mobile app

18. Q&A

19. References
   • OpenID and OAuth
     o http://www.slideshare.net/rohitsghatol/oauth-20-in-depth
     o http://openid.net/specs/openid-authentication-2_0.html
     o http://tools.ietf.org/html/draft-ietf-oauth-v2-31
     o http://prezi.com/2uxj3_30cts1/oauth-20-2014/
     o http://www.slideshare.net/jcleblanc/securing-restful-apis-using-oauth-2-and-openid-connect
     o http://www.slideshare.net/jreffell/oauth-openid-facebook-connect-authentication-design-best-practices

20. References
   • Android Account Management APIs
     o http://udinic.wordpress.com/2013/04/24/write-your-own-android-authenticator/
     o http://nelenkov.blogspot.be/2012/11/android-online-account-management.html
     o http://developer.android.com/reference/android/accounts/AccountManager.html
     o http://developer.android.com/reference/android/accounts/AbstractAccountAuthenticator.html

21. References
   • iOS accounts framework
     o https://developer.apple.com/library/ios/documentation/Accounts/Reference/AccountsFrameworkRef/_index.html
   • OAuth and OpenID on the mobile
     o http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
     o http://stuff.mit.edu/afs/sipb/project/android/docs/training/id-auth/authenticate.html

22. References
   • Criticism
     o http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
     o http://www.tetraph.com/blog/2014/05/covert-redirect-vulnerability-related-oauth-2-0-openid-covert-redirect-vulnerability-related-oauth-2-0-openid-%E4%B8%8E-oauth-2-0-openid-%E6%9C%89%E5%85%B3%E7%9A%84-covert-redirect/
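Slides 5 and 6 describe the OpenID flow and the trust question behind it (which IdP's assertion may the service provider rely on, and is a signed assertion really meant for this site?). The following Python simulation is an added example, not code from the presentation or from any OpenID library: an identity provider signs the user's identity and an attribute (age) under an association shared with one service provider, and the service provider accepts the assertion only if the signature verifies, the return_to address is its own and the nonce has not been seen before, then applies the age-verification scenario from slides 3 and 17. The field names, the example URLs and the in-memory association (real OpenID 2.0 protects the association exchange with Diffie-Hellman or TLS) are simplifications chosen for this example.

```python
"""Simulation of the OpenID flow on slide 5 (steps 5-8) with the assertion checked
by the service provider as slide 6 describes. Added example, not from the
presentation; field names, URLs and the in-memory association are simplifications."""
import hashlib
import hmac
import secrets

SIGNED_FIELDS = ("identity", "return_to", "age", "nonce", "assoc_handle")


def sign(key, fields):
    """MAC over the signed fields in a fixed order (OpenID 2.0 signs a key-value
    form with HMAC in the same spirit)."""
    message = "\n".join(f"{name}:{fields[name]}" for name in SIGNED_FIELDS).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates users and asserts their attributes to service providers."""

    def __init__(self):
        # Constructed sample accounts; an attribute (age) is asserted with the identity.
        self.users = {"alice": {"password": "hunter2", "age": 34},
                      "bob": {"password": "swordfish", "age": 16}}
        self.associations = {}      # handle -> shared MAC key

    def associate(self):
        """Trust establishment: hand the SP a handle and a MAC key for later assertions.
        (Simplified: the real exchange is Diffie-Hellman protected or runs over TLS.)"""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def authenticate(self, assoc_handle, return_to, user, password):
        """Steps 5-7: prompt for and check credentials, then sign the attributes
        and send the user back to the SP's return_to URL."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            raise PermissionError("authentication failed")
        assertion = {"identity": f"https://idp.example/id/{user}", "return_to": return_to,
                     "age": str(record["age"]), "nonce": secrets.token_hex(8),
                     "assoc_handle": assoc_handle}
        assertion["sig"] = sign(self.associations[assoc_handle], assertion)
        return assertion


class ServiceProvider:
    """Relies on one trusted IdP and applies attribute-based access control."""

    def __init__(self, idp, return_to="https://sp.example/openid/return", min_age=18):
        self.return_to, self.min_age = return_to, min_age
        self.handle, self.key = idp.associate()     # unilateral trust in this IdP
        self.seen_nonces = set()

    def verify(self, assertion):
        """Step 8 precondition: signed under our association, addressed to us, and fresh."""
        if assertion.get("assoc_handle") != self.handle:
            raise PermissionError("assertion not under our association")
        if not hmac.compare_digest(sign(self.key, assertion), assertion["sig"]):
            raise PermissionError("bad signature: attributes may have been altered")
        if assertion["return_to"] != self.return_to:
            raise PermissionError("assertion was issued for a different site")
        if assertion["nonce"] in self.seen_nonces:
            raise PermissionError("replayed assertion")
        self.seen_nonces.add(assertion["nonce"])
        return assertion["identity"], int(assertion["age"])

    def grant_access(self, assertion):
        """Step 8: the age-verification scenario from the slides (e.g. a gambling site)."""
        identity, age = self.verify(assertion)
        if age < self.min_age:
            raise PermissionError("attribute check failed: minimum age not met")
        return identity
```

The checks in `verify` are the ones the SP side of the slide-6 question reduces to: the MAC proves the assertion came from the IdP the SP chose to trust, the return_to comparison stops an assertion issued to another site from being presented here, and the nonce set stops a captured assertion from being replayed.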
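Slides 8 to 10 and 14 to 15 show the authorisation code grant and state the two properties that matter for a mobile client: the client never sees the user name and password, and the access token is limited in time and scope. The Python simulation below is an added example, not code from the presentation or from any OAuth library; it plays the three parties of the slide-8 diagram in one process. The resource owner authenticates at the authorisation server, the client receives only a one-time code on its registered redirect URI, exchanges it for a bearer token, and the resource server serves the protected resource only while the token is unexpired and carries the required scope. The client id, secret, `app://callback` URI, the `photos.read` scope and the sample user and photos are constructed for the example.

```python
"""Simulation of the OAuth 2.0 authorisation code grant (steps 5-8 on slides
8-10) with the access token limited in time and scope. Added example, not from
the presentation; client, user and resource names are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class AccessToken:
    value: str
    owner: str
    scope: frozenset
    expires_at: float


def extract_code(callback_url):
    """Client-side parsing of the redirect back from the authorisation server."""
    params = parse_qs(urlsplit(callback_url).query)
    return params["code"][0], params["state"][0]


class AuthorisationServer:
    """Authenticates the resource owner, records consent, issues codes and tokens."""

    def __init__(self, clock):
        self.clock = clock          # injected so expiry can be exercised deterministically
        # Registered clients: id -> (secret, exact redirect URI). Constructed data.
        self.clients = {"photo-app": ("client-secret-123", "app://callback")}
        self.users = {"alice": "correct horse battery staple"}   # constructed data
        self._codes = {}            # code -> (client_id, user, scope); single use
        self._tokens = {}           # token value -> AccessToken

    def authorise(self, client_id, redirect_uri, scope, state, user, password):
        """Step 5: the owner logs in *here* and grants the requested scope. The
        client never handles the password; it only receives a one-time code."""
        _, registered_uri = self.clients[client_id]
        # Exact match, not prefix match: a loose comparison can send the code to
        # a page the client does not control (the 'covert redirect' issue in the
        # references on slide 22).
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri not registered for this client")
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, frozenset(scope.split()))
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, ttl=600):
        """Step 6: the client swaps the code for a bearer token on a back channel."""
        secret, registered_uri = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret) or redirect_uri != registered_uri:
            raise PermissionError("client authentication failed")
        issued_to, user, scope = self._codes.pop(code)   # KeyError if the code is replayed
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        tok = AccessToken(secrets.token_urlsafe(32), user, scope, self.clock() + ttl)
        self._tokens[tok.value] = tok
        return {"access_token": tok.value, "token_type": "bearer",
                "expires_in": ttl, "scope": " ".join(sorted(scope))}

    def introspect(self, value):
        """Returns the token while it is unexpired, None otherwise."""
        tok = self._tokens.get(value)
        if tok is None or tok.expires_at <= self.clock():
            return None
        return tok


class ResourceServer:
    """Steps 7-8: serves the protected resource against a valid, correctly scoped token."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}   # constructed data

    def get_photos(self, bearer_token):
        tok = self.auth_server.introspect(bearer_token)
        if tok is None:
            raise PermissionError("401: invalid or expired token")
        if "photos.read" not in tok.scope:
            raise PermissionError("403: token lacks the photos.read scope")
        return list(self.photos.get(tok.owner, []))


def run_client_flow(auth_server, scope="photos.read"):
    """The client app's side of the flow; returns the token response and the photos."""
    client_id, secret, redirect_uri = "photo-app", "client-secret-123", "app://callback"
    state = secrets.token_urlsafe(8)    # binds the callback to this request (CSRF check)
    # The owner authenticates at the authorisation server; the client only sees
    # the redirect back to its registered URI.
    callback = auth_server.authorise(client_id, redirect_uri, scope, state,
                                     "alice", "correct horse battery staple")
    code, returned_state = extract_code(callback)
    if returned_state != state:
        raise PermissionError("state mismatch: callback not bound to our request")
    token_response = auth_server.token(client_id, secret, code, redirect_uri)
    photos = ResourceServer(auth_server).get_photos(token_response["access_token"])
    return token_response, photos
```

Two points the simulation makes visible that the diagram cannot: the code is single use and bound to the client that requested it, so a leaked code is worth little once exchanged; and the resource server consults the token's expiry and scope on every request, so a token for `photos.read` cannot be stretched to anything else. One caveat beyond the slides: a client secret in an installed mobile app is not a real secret, which is why the PKCE extension (RFC 7636) is the usual way to protect the code exchange for such public clients.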
