Is that a token in your phone in your pocket or are you just glad to see

me?(the presentation formerly known as Securing Your Pocket to the Cloud)

OAuth 2.0 and Mobile Devices

Brian Campbell

@weeUnquietMind

Agenda Intro Quick overview of OAuth Social logins, mobile apps, the problem and how OAuth can

help An abstract OAuth exchange and some terminology A detailed OAuth flow with a mobile client

HTTP exchanges Code and configuration snippets for Android and iOS

Q&A

Who the hell is this guy anyway?

As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping’s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF.  He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.

@weeUnquietMind

Disclaimer & Credits I primarily do server side development Some content and jokes were “borrowed” from my esteemed

colleague, Dr. Paul Madsen Because “plagiarism” is such a nasty word

Quick Reference Any content you find humorous or insightful is mine If you think something’s dumb and/or you’re offended by it, it’s Paul’s

Hate mail to @paulmadsen

Also thanks to Scott Tomilson for many examples He needs more followers @scotttomilson As do I…

Bad Idea Jeans ESPN and Facebook are offering to import your friends' email addresses

from your web email provider. How nice! And all you have to give them is your username and password.

•What could possibly go wrong?

Why so bad? (The Password Sharing Anti-Pattern)

Requesting sites and apps store the passwords Hosting sites get locked into password authentication Users get trained to be indiscriminate with their passwords The hosting site is not involved in the authorization step No support for granular permissions No easy way to revoke access Changing password (good security hygiene) revokes access

to all

Enter OAuth Delegated authorization protocol

Mitigates password anti-pattern Web and Native

OAuth is your valet key to the Interwebs (Anyone actually drive a car with a valet key?)

Standard way to provide a ‘key’ to a third-party which allows only limited access to perform specific functions Without divulging credentials to the third-party Access grant is revocable Scope of the access grant can be constrained

An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.

An authorization & authentication framework for RESTful APIs (& more)

Some Historical Context Proprietary Solutions

Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more

OAuth 1.0 in late 2007 Informational RFC 5849 in mid 2010 OAuth WRAP (Web Resource Authorization Profiles) also in 2010 OAuth 2.0 in the final stages of IETF standardization

Premise: All the Cool Sites are Doing It

• Social Logins • Less friction • Better conversion rates• Outsources authentication

and (some) security• Starting to become a user

expectation

• Mobile Apps• You’re at Gluecon so you

may have already gotten the memo that mobility is a thing

• Anyone heard of this Instagram thing?

• Damn kids today!• No distinction: computing

is mobile• BYMODD

Social & Mobile - So What? Back in the day, your mobile app could collect a username

and password and then access protected APIs using HTTP Basic Authentication

But what if you’re relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?

You could… or not…

OAuth Can Help OAuth offers a standard way to use social logins with mobile

applications Leverage existing (and future) investment in browser based

authentication for use with mobile applications

Aside: Mobile Application Continuum

Web ServerWeb Server

Web App

Mobile Device

Browser

Mobile WebPage

Web Applications

Mobile Device

Native Applications

Native App

HTML/JS/CSS JSON/XMLHybrid Approaches

Skinning the Cat Open source libraries Commercial solutions Android Account Manager Do It Yourself

Examples herein are DIY and native Completeness, timeliness, neutrality One stated design goal for OAuth v2.0 was simplification of the

client

Basic Abstract Flow

client: An application obtaining authorization and making protected resource requests. Native app on mobile device

resource server (RS): A server capable of accepting and responding to protected resource requests. Protected APIs

authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

Client

ResourceServer

Get a token

Use a tokenA few other protocol terms

• Access token (AT) – Presented by client when accessed protected resources at the RS

• Refresh token (RT) - Allows clients to obtain a fresh access token without re-obtaining authorization

• Scope – A permission (or set of permissions) defined by the AS/RS

• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection

• Token endpoint – used for direct client to AS communication

• Authorization Code – One time code issued by an AS to be exchanged for an AT.

AuthorizationServer

Concrete Flow

Device

NativeApp

Browser

1

Cloud!

12

3

Authorization Endpoint

Token Endpoint

3

45

① Client app initiates authorization request

② End-user authenticates and approves the requested access

③ Server returns control to the app and includes an authorization code

④ The authorization code is traded for access token (and refresh token)

⑤ Protected APIs invoked using the access token

Request Authorization

When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint

Device

NativeApp

Browser

1

Cloud!

1

Authorization Endpoint

Token Endpoint

Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");

Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);

startActivity(launchBrowser);

NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";

[[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];

https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status

http://

Authenticate and Approve The AS authenticates the user

Directly Indirectly via Facebook, Twitter, Google, Yahoo, etc.

Device

NativeApp

Browser

Cloud!

2

Authorization Endpoint

Token Endpoint

Approve

Device

NativeApp

Browser

Cloud!

2

Authorization Endpoint

Token Endpoint

User approves the requested access

Handle Callback

Server returns control to the app via HTTP redirection and includes an authorization code

HTTP/1.1 302 Found

Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAhttp://

Device

NativeApp

Browser

Cloud!

3

Authorization Endpoint

Token Endpoint

<activity android:name=".MyAppCallback” … >

<intent-filter>

<action android:name="android.intent.action.VIEW"/>

<category android:name="android.intent.category.DEFAULT"/>

<category android:name="android.intent.category.BROWSABLE"/>

<data android:scheme="x-com.mycorp.myapp" />

</intent-filter>

</activity>

Handle Callback (cont’d)Registering a custom URI scheme

String authzCode = getIntent().getData().getQueryParameter("code");

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

3

In AndroidManifest.xml file:

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url

{

NSString *queryString = [url query];

NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];

for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {

NSArray *elts = [param componentsSeparatedByString:@"="];

if([elts count] < 2) continue;

[qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];

};

NSString *code = [qsParms objectForKey:@"code"];

...

Handle Callback (cont’d)Registering a custom URI scheme

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

3

In app info plist file:

POST /as/token.oauth2 HTTP/1.1

Host: as.example.com

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

Trade Code for Token(s)

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

4

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"token_type":"Bearer",

"expires_in":3600,

"access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”,

"refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8”

}

http://

http://

Token Endpoint Request

Token Endpoint Response

POST /api/update-status HTTP/1.1

Host: rs.example.com

Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

status=Almost%20done.

Using an Access Token

http://

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

5

NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];

NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];

[request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];

[request setValue:authzHeader forHTTPHeaderField:@"Authorization"];

DefaultHttpClient httpClient = new DefaultHttpClient();

HttpPost post = new HttpPost("https://rs.example.com/api/update-status");

post.setHeader("Authorization", "Bearer " + accessToken);

Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header

HTTP/1.1 200 OKhttp://

If All Goes well,

And If not, HTTP 401/403 Use refresh token to get a new access token

POST /as/token.oauth2 HTTP/1.1

Host: as.example.com

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"token_type":"Bearer",

"expires_in":3600,

"access_token":”G8RTS98dQ9CpLoaH7P3V41MzW1q0”,

}

http://

http://

And if that doesn’t work, initiate the authorization request flow again

Thanks!(and time permitting)

Questions? (there are no stupid questions, only stupid answers and I’m

tremendously qualified to deliver such answers)

Brian Campbell@weeUnquietMind