Incorporating OAuth: How to integrate OAuth into your mobile app

Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013

Page 1: Incorporating OAuth: How to integrate OAuth into your mobile app

Incorporating OAuth

How to integrate OAuth into your mobile app

By Travis Spencer, CEO

@travisspencer, @2botech

Copyright © 2013 Twobo Technologies AB. All rights reserved

Page 2

Agenda

The security challenge in context

Neo-security stack

OAuth Basics

Overview of other layers

Page 3

Crucial Security Concerns

Diagram labels: Enterprise Security, API Security, Mobile Security

Page 4

Identity is Central

Venn diagram by Gunnar Peterson: Mobile Security, API Security and Enterprise Security, with Identity at the centre; further labels: MDM, MAM, AuthZ

Page 5

Neo-security Stack

SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack

OAuth 2 is the new meta-protocol defining how tokens are handled

These address old requirements, solve new problems & are composed in useful ways

(Callout: Grandpa SAML & junior OpenID Connect)

Page 6

OAuth Actors

Client

Authorization Server (AS)

Resource Server (RS) (i.e., API)

Resource Owner (RO)

Diagram: the Client gets a token from the AS, then uses the token at the RS

Page 7

OAuth Mobile App Flow

Page 8

Request Authorization

Page 9

Authenticate & Authorize

Page 10

Register Custom Scheme in App

<activity android:name=".CallbackActivity" …>
    <intent-filter>
        <!-- Lets the browser hand twobo:// URIs (the OAuth redirect) to this activity -->
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="twobo" />
    </intent-filter>
</activity>

Page 11

Callback to Custom Scheme

In the OAuth server, configure the client's callback to the scheme that was registered

Page 12

Exchange Code for Token

Diagram label: AC (authorization code)

Page 13

Calling the Token Endpoint

// Token request: exchange the authorization code received on the callback for tokens
var data = {
    "client_id" : clientId,
    "client_secret" : clientSecret,
    "code" : code,
    "grant_type" : "authorization_code"
    // response_type is an authorization-endpoint parameter and is not sent to the token endpoint
};
$.post(tokenEndpoint, data, processAccessToken, "json");

Diagram: the client sends the AC and receives an AT and RT

Page 14

Tokens are Often JWTs

Pronounced like the English word "jot"

Lightweight tokens passed in HTTP headers & query strings

Akin to SAML tokens: less expressive, fewer security options, more compact, encoded w/ JSON not XML

Page 15

Calling the API

Provide AT to API according to the bearer token profile

$.ajax({
    url: apiEndpoint,
    dataType: 'json',
    // Bearer token profile (RFC 6750): the access token travels in the Authorization header
    headers: {"Authorization": "Bearer " + accessToken},
    success: processResults
});

Page 16

API May Validate Token

import urllib
import urllib2

def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
    # Ask the authorization server whether the presented access token is valid
    # (Python 2; the grant_type value is elided on the slide)
    values = { "client_id" : clientId,
               "client_secret" : clientSecret,
               "grant_type" : "…",
               "token" : accessToken }
    request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
    return urllib2.urlopen(request)

Page 17

App Consumes API Data

• App should only present AT to API

• Never send RT to API

• Use RT to get new AT if AT expires

• App can't use AT to determine anything about user

Page 18

Overview of OpenID Connect

Builds on OAuth for profile sharing

Uses the flows optimized for user-consent scenarios

Adds identity-based inputs/outputs to core OAuth messages

Tokens are JWTs

Page 19

What OAuth is and is not for

Not for authentication

Not really for authorization

For delegation

Page 20

Questions & Thanks

@2botech

@travisspencer

www.2botech.com

travisspencer.com