OAuth and why you should use it

Page 1: OAuth and why you should use it

OAuth and why you should use it?

Presented to you by Sergey Podgornyy

1

Page 2: OAuth and why you should use it

About me

Sergey Podgornyy

Full-Stack Web Developer

2

Page 3: OAuth and why you should use it

Agenda

1. Authentication

2. Introduction to OAuth 2.0

3. OAuth roles

4. OAuth protocol flow

5. Grant types

6. Achieving statelessness with JWT

7. Stored token vs JWT vs OAuth

8. DEMO - Token Authentication With OAuth & JWT

9. OAuth/JWT Cookbook

3

Page 4: OAuth and why you should use it

Authentication

Authentication: verify the identity of the user given the credentials received

Authorization: determine if the user should be granted access to a particular resource

4

Page 5: OAuth and why you should use it

Are our applications secure?

5

Page 6: OAuth and why you should use it

However, time went

6

Page 7: OAuth and why you should use it

Introduction to OAuth 2.0

An open protocol to allow secure authentication in a simple and standard method from web, mobile and desktop applications

7

Page 8: OAuth and why you should use it

OAuth 2.0: roles

Resource owner: the person or the application that holds the data to be shared

Resource server: the application that holds the protected resource

Authorization server: the application that verifies the identity of the users

Client: the application that makes requests to the RS on behalf of the RO

8

Page 9: OAuth and why you should use it

OAuth 2.0: protocol flow

I want to get the Death Star plans

9

Page 10: OAuth and why you should use it

OAuth 2.0: protocol flow

Hey, backend, could you please give me the Death Star plans?

10

Page 11: OAuth and why you should use it

OAuth 2.0: protocol flow

Sorry mate, this is a protected resource. You will need to present me an access token

11

Page 12: OAuth and why you should use it

OAuth 2.0: protocol flow

Hi, can I get an access token please? Backend is asking

12

Page 13: OAuth and why you should use it

OAuth 2.0: protocol flow

Sure thing sir! I just need to ask a few details of the user first

13

Page 14: OAuth and why you should use it

OAuth 2.0: protocol flow

Hi, could you please provide me your credentials? I need to verify your identity

14

Page 15: OAuth and why you should use it

OAuth 2.0: protocol flow

That's no problem at all. I am [email protected] and my password is deathToJedi

15

Page 16: OAuth and why you should use it

OAuth 2.0: protocol flow

The user is who they claim to be. Here is your access token:

qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa

16

Page 17: OAuth and why you should use it

OAuth 2.0: protocol flow

Hey, backend, this is my token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa

17

Page 18: OAuth and why you should use it

OAuth 2.0: protocol flow

Hi, I've been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. Could you please tell me who it belongs to?

18

Page 19: OAuth and why you should use it

OAuth 2.0: protocol flow

Of course. That token is still valid and it belongs to [email protected]

19

Page 20: OAuth and why you should use it

OAuth 2.0: protocol flow

Everything is all right. These are the Death Star plans. Enjoy!

20

Page 21: OAuth and why you should use it

OAuth 2.0: protocol flow

Here you are, the Death Star plans! Thank you for your business and have a good day!

21

Page 22: OAuth and why you should use it

OAuth 2.0: protocol flow

OAuth 2.0 is a delegation protocol, as the backend (the client) has no idea about the credentials of the user (the resource owner)

22

Page 23: OAuth and why you should use it

OAuth 2.0: grant types

1. Authorization code: for web server applications

2. Implicit: for JS front-end and mobile apps

3. Resource owner password credentials: for trusted clients

4. Client credentials: for service authentication

23

Page 24: OAuth and why you should use it

Authorization code grant

Involves the user granting the client an authorization code, which can be exchanged for an Access Token

24

Page 25: OAuth and why you should use it

Implicit grant

25

Page 26: OAuth and why you should use it

Password credentials grant

26

Page 27: OAuth and why you should use it

Client credentials grant

This grant is suitable for machine-to-machine authentication where a specific user’s permission to access data is not required

27

Page 28: OAuth and why you should use it

Response example

{
  "access_token": "RsT5OjbzRn430zqMLgV3Ia",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "e1qoXg7Ik2RRua48lXIV"
}

Except for the Implicit grant, where the authorization server returns only an access token

28

Page 29: OAuth and why you should use it

Which OAuth 2.0 grant should I use?

Start: Access token owner?
  Machine: Client Credentials Grant
  User: Client type?
    Web app: First party or third party client?
      First party: Password Grant
      Third party: Authorization Code Grant
    User-agent-based app: Implicit Grant
    Native app: First party or third party client?
      First party: Password Grant
      Third party: Authorization Code Grant

29

Page 30: OAuth and why you should use it

Tips for a front-end application

• Use the implicit grant

• Use HTML5's localStorage for access and refresh tokens

30

Page 31: OAuth and why you should use it

Accessing the protected resource

Once the client has an access token, it can request a protected resource

GET /death-star/plans HTTP/1.1
Host: api.example.org
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia

31

Page 32: OAuth and why you should use it

More grants???

Token expiration and refresh

• If the Authorization server issues expiring tokens, they can be paired with refresh tokens

• When the access token has expired, the refresh token can be used to get a new access token

32

Page 33: OAuth and why you should use it

Stateful vs Stateless

• Authorization Servers are often stateful services

• They store issued access tokens for future checking

• How can we achieve statelessness?

• Using JWT tokens as access tokens

33

Page 34: OAuth and why you should use it

JWT and when can it be useful?

JWT (JSON Web Token) is a secure way to encapsulate arbitrary data that can be sent over insecure URLs

POST /transfer HTTP/1.1

from=acc1&to=acc2&amount=1000

vs

POST /transfer HTTP/1.1

{ "from": "acc1", "to": "acc2", "amount": 1000 }

34

Page 35: OAuth and why you should use it

What does a JWT look like?

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfVVNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUtYmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0aC1zZWNyZXQifQ.
AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY

Header . Claims . Signature

35

Page 36: OAuth and why you should use it

JWT Header

{
  "alg": "HS256",
  "typ": "JWT"
}

36

Page 37: OAuth and why you should use it

JWT Claims

{
  "exp": 1416471934,
  "user_name": "user",
  "scope": [ "read", "write" ],
  "authorities": [ "ROLE_ADMIN", "ROLE_USER" ],
  "jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84",
  "client_id": "my-client-with-secret"
}

37

Page 38: OAuth and why you should use it

JWT Signature

HMACSHA256(
  base64(header) + "." + base64(payload),
  "secret"
)

38

Page 39: OAuth and why you should use it

Sample access token response

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYTdjZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0aC1zZWNyZXQifQ.Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM",
  "token_type": "bearer",
  "expires_in": 43199,
  "scope": "read write",
  "jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a"
}

39

Page 40: OAuth and why you should use it

Achieving statelessness

• Instead of storing the access token / principal relationship in a stateful way, do it in a JWT

• Access tokens with the JWT-encoded principal can be securely stored on the client's browser

• That way you are achieving one of the basic principles of REST: State Transfer

40

Page 41: OAuth and why you should use it

So why should I use OAuth?

41

Page 42: OAuth and why you should use it

Session IDs / Cookies

Pros

• Easy to code both the client and server

• Easy to destroy a session when someone logs out

Cons

• The server side periodically needs to delete expired sessions where the client didn't log out

• Every HTTP request requires a lookup to the data store

• Storage requirements grow as more users have active sessions

• Sometimes you need to have multiple servers, and session data needs to be accessible by all of them

42

Page 43: OAuth and why you should use it

JSON Web Tokens (JWT)

Pros

• The server side storage issues are gone

• The client side code is easy

Cons

• The JWT size could be larger than a session ID. It could affect network performance

• The data stored in the JWT is readable by the client

• The server side needs code to generate, validate, and read JWTs

• Anyone who gets a copy of the signing key can create JWTs. You might not know when this happens

• There was (is?) a bug in some libraries that accepted any JWT signed with the "none" algorithm

• In order to revoke a JWT before it expires you need to use a revocation list. This gets you back to the server side storage issues you were trying to avoid

43

Page 44: OAuth and why you should use it

OAuth

Pros

• No code for users to sign up or reset their password

• No code to send an email with a validation link

• Users do not need to learn/write down another username and password

Cons

• If the third party service goes down or they discontinue it, then you need to figure something else out: how do you migrate the user's account data if their identity changes from "[email protected]" to "[email protected]"?

• Usually you have to write code for each provider

• You or your users might have privacy concerns on your system. The providers know which of their users use your service

• You are trusting the provider. It is possible for a provider to issue tokens that are valid for one user to someone else

44

Page 45: OAuth and why you should use it

DEMO

45

Page 47: OAuth and why you should use it

Cookbook

47

Page 48: OAuth and why you should use it

Node.js Cookbook

Passport.js

npm install passport

Supported by

48

Page 49: OAuth and why you should use it

PHP Cookbook

composer require league/oauth2-client

composer require league/oauth2-server

49

Page 50: OAuth and why you should use it

Useful links

• The OAuth 2.0 Authorization Framework

• OAuth 2.0 Threat Model and Security Considerations

• JSON Web Token (JWT)

• Alex Bilbie blog

• OAuthLib documentation (.py lib)

50

Page 51: OAuth and why you should use it

End of presentation this is! Any question do you have?

51