Upload
wso2
View
1.241
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Senior Architect, WSO2 API Manager Team
Sumedha Rubasinghe
OAuth 2.0 Reference Model for
API Management
* *
About WSO2 ๏ Global enterprise, founded in
2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source pla:orm-‐as-‐a-‐service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an AcIve Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID FoundaIon and W3C.
๏ Driven by InnovaIon
๏ Launched first open source API Management soluIon in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile soluIon in 4Q 2013
* *
What we Deliver
* *
What we will cover...
● Main concepts in OAuth 2.0 model ● How WSO2 supports OAuth 2.0 based API Management? ● OAuth 2.0 based extensions in WSO2 API Management soluIon
* *
Web (based) APIs
● hXps://www.facebook.com/sam.jason/photos ● hXp://api-‐public.ne:lix.com/catalog/Itles/movies/60021896 ● many more..
* *
Pre OAuth Era ..
How do I know for sure?
* *
Pre OAuth Era ..
* *
Pre OAuth Era .. No Control over password storage.
Complete access to user account.
Requires password reset to revoke.
ApplicaIons can be compromised.
Changing password can break many apps.
* *
OAuth 2.0 -‐ in a nutshell..
“The OAuth 2.0 authorizaIon framework enables a third-‐party applica2on to obtain limited access to an HTTP service…” -‐OAuth 2.0 SpecificaKon, hLp://tools.ieO.org/html/rfc6749
* *
WSO2 API Manager
● Complete API Management Pla:orm ○ API Publishing ○ API Store ○ SubscripIon Mgt ○ Token Management ○ ThroXling ○ StaIsIcs ○ Scalable Deployment ○ OAuth 2.0 based
● Apache v2 Licensed ● Build on top of proven WSO2 components
○ Enterprise Service Bus ○ IdenIty Server ○ Governance Registry
● hXp://docs.wso2.org/display/AM160/WSO2+API+Manager+DocumentaIon
* *
OAuth 2.0 -‐ DefiniKons
● Resource Owner ○ EnIty(end user) capable of granIng access to a resource ○ FB user (enIty) -‐> hXps://www.facebook.com/search/me/friends (resource)
● Resource Server (hXps://www.facebook.com) ○ Server hosIng protected resources ○ Capable of accepIng and responding to resource requests
● Client (FB applicaIon) ○ ApplicaIon making requests to access protected resources
● Authoriza2on Server (can be same as Resource Server) ○ Server issuing access tokens to the client
* *
OAuth 2.0 Protocol Flow
hLp://tools.ieO.org/html/rfc6749
* *
AuthorizaKon Grants
* *
AuthorizaKon Code
● End user visits auth page ○ response_type=code
● End user is redirected to your site with auth code ○ http://yoursite.com/?code=xxxxxx
● Web Server exchanges Auth Code for an Access Token ○ POST /token code=xxxxxx&grant_type=authorization_code
Web Server Apps
* *
AuthorizaKon Code
* *
AuthorizaKon Code
* *
Access Token from Auth Code
hLp://docs.wso2.org/display/AM160/Token+API
* *
Access Token Response
* *
Implicit Grant
● Browser based apps ■ no server side code ■ browser makes API requests directly
● User visits a page ○ response_type=token
● User is redirected to your site with access token ○ http://yoursite.com/#token=xxxxxx
● Token is only available to browser (only in fragment)
Browser based Apps
* *
Implicit Grant -‐ Syntax Browser based Apps
hLp://docs.wso2.org/display/AM160/Token+API
* *
Password Grant
● Only by trusted clients ○ Apps & APIs -‐ by same enterprise /First party Apps
Trusted ApplicaKons
hLp://docs.wso2.org/display/AM160/Token+API
* *
Client CredenKals
● ApplicaIon level access ● ApplicaIon has ○ client_id (consumer key) ○ client_secret (consumer secret)
● Server uses client_id & client_secret to obtain access token ○ POST /token grant_type=client_credenIals&client_id=XXXX&client_secret=YYYY
ApplicaKons
* *
Client CredenKals
hLp://docs.wso2.org/display/AM160/Token+API
* *
Mobile ApplicaKons
● Use ‘implicit’ grant type ○ (similar to browser based apps)
● Mobile App directly does API calls ● No client (mobile app) secret ● NaIve App -‐> Browser based call
Mobile Apps
* *
Facebook Login hXps://developers.facebook.com/docs/facebook-‐login/
* *
Grant Type Summary
● authorizaKon_code ○ Web Server based applicaIons
● implicit ○ Browser based applicaIons, Mobile Apps
● password ○ username/password based access
● client _credenKals ○ ApplicaIons (with no need of user level authorizaIon)
* *
Extensions to Grant Types
● SAML2 Bearer Tokens -‐> OAuth2
* *
Accessing APIs
Access token in HTTP Header
Query Parameter
* *
Access Token Lifecycle
● AcIve ● Revoked ● Expired ● In-‐AcIve
* *
Refreshing an expired token
hLp://docs.wso2.org/display/AM160/Token+API
* *
Bearer Tokens
● Security ConsideraIons ○ Replies on transport level security (HTTPS) ○ No cryptographic verificaIon
● Security RecommendaIons ○ Use HTTPs (always) & verify SSL CerIficates ○ Protect Bearer tokens ○ Choose token lifeIme wisely ○ Do not persist tokens unnecessarily
* *
MAC Tokens
● Provides cryptographic verificaIon of request
* *
LimiKng Access through ‘scope'
● ‘scope’ -‐> specifies what needs be done with the access token ● Specified @ the point of obtaining access token ● space delimited, comma delimited string ● eg: Facebook Extended Permissions ○ hXps://developers.facebook.com/docs/reference/login/extended-‐permissions/
* *
“scope” -‐ Facebook Example hXps://developers.facebook.com/docs/reference/login/extended-‐permissions/
* *
“scope” -‐ Facebook Example
* *
“scope” -‐ Facebook Example
* *
“scope” -‐ Token Request Syntax hXps://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=APP_URL&scope=read_friendlists,read_mailbox
* *
Extensions based on OAuth Model
● API InvocaIon StaIsIcs CollecIon ● Access ThroXling
* *
WSO2 API Manager
* *
SubscripKon Management
* *
Token Management
* *
Resource Level AuthorizaKon
* *
Tier based ThroLling
* *
StaKsKcs
* *
Business Model
Contact us !