intro to api security with oauth 2.0

Post on 24-Jan-2017


TRANSCRIPT

Introduction to API security with OAUTH 2.0

Kevin Johnson

Basics

Authentication -> ID card

Authorization -> Driver's Licence

Delegated Authorization

OAUTH Flows: Four Primary Grant Types

Authorization Code Grant

Implicit Grant For Browser-Based Client-Side Applications

Resource Owner Password-Based Grant

Client Credentials Grant

Registration Of Client App

App Specific Info: Redirect URI, client_id, client_secret

Authorization Server Specific Info: Authorization Endpoint, Token Endpoint

Authorization Code Grant

[Diagram: Consent Form, Credentials]

Authorization Code Grant: Actors

Authorization Code Grant: Moving Parts


Authorization Code Grant: Step 1

Authorization Server: 3 Components

1. Authentication Component
   • Identity Provider (LDAP, Active Directory)

2. Consent Component
   • Consent Server

3. Token Infrastructure Provider
   • Token Values: Access Token, Refresh Token
   • Token Attributes: when created? valid? revoked?


Authorization Code Grant: Step 1


Authorization Code Grant: Step 2

Authorization Code: Auth Endpoint

HTTP GET Request

GET /authorize?response_type=code&client_id=123456789
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &scope=followers%20tweet_feed&state=aFodshfj(klMN HTTP/1.1
Host: server.oauth_provider.com

Authorization Code: Redirect Endpoint

HTTP Response

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxrhJY654090l&state=aFodshfj(klMN

Authorization Code: Token Endpoint

HTTP POST Request

POST /token HTTP/1.1
Host: server.oauth_provider.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxrhJY654090l&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Authorization Code: Token Endpoint

NOT RECOMMENDED (client credentials sent in the request body instead of the Authorization header)

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw

Authorization Code: Token Endpoint

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}
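The full client side of Steps 1 and 2 above, as an added example in Python (not code from the talk or from Functional Imperative): it builds the /authorize URL with a fresh state value, checks that the redirect came back to the registered redirect URI with a matching state before accepting the code, and puts the client credentials in an HTTP Basic header on the token request rather than in the body (the "NOT RECOMMENDED" form). The endpoint URLs, client secret and the token response body are constructed sample values; nothing is sent over the network.

```python
"""Authorization code grant, client side (added example, not from the talk)."""
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values registered for the client app. Constructed sample values, not real credentials;
# the client_id and hostnames follow the slides, the secret is made up.
AUTHORIZE_ENDPOINT = "https://server.oauth_provider.com/authorize"
TOKEN_ENDPOINT = "https://server.oauth_provider.com/token"
CLIENT_ID = "123456789"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example.com/cb"

# Constructed sample of a token response; the talk's example uses token_type "example",
# this one uses "Bearer" so that the client below knows how to use it.
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer","expires_in":3600,'
    '"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}'
)


def new_state() -> str:
    """Unguessable per-request state; bind it to the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def build_authorize_url(state: str, scope: str = "followers tweet_feed") -> str:
    """Step 1: the URL the client redirects the resource owner to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    # quote_via=quote encodes the space in scope as %20, as on the slide
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params, quote_via=quote)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2a: validate the redirect back to /cb and return the authorization code.

    The state check ties the code to the session that started the flow; without it
    the client would accept any code delivered to its redirect URI (CSRF).
    """
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str) -> tuple:
    """Step 2b: (headers, body) for POST /token; credentials go in the Basic header."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must repeat the URI used in Step 1
    })
    return headers, body


def parse_token_response(body: str) -> dict:
    """Accept only a well-formed token response of a token type the client can use."""
    data = json.loads(body)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    return data


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(st))
    code = parse_callback(f"{REDIRECT_URI}?code=SplxrhJY654090l&state={st}", st)
    print(build_token_request(code))
    print(parse_token_response(SAMPLE_TOKEN_RESPONSE)["access_token"])
```

The state value is generated per request and compared with a constant-time comparison; in a web application it would be stored in the user's session between Step 1 and Step 2 so that only the browser that started the flow can complete it.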

Authorization Code Grant: Step 2


Authorization Code Grant: Step 3

Authorization Code: Resource Server API Call

HTTP GET Request: Bearer Token

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer mF_9.B5f-4.1JqM

HTTP GET Request: MAC Token

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
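The resource server side of Step 3 for the bearer request above, as an added example in Python (not code from the talk): it parses the Authorization header, accepts only the Bearer scheme, and then checks the token attributes listed earlier under the authorization server's token infrastructure (when created, still valid, revoked) together with the granted scope. The token store is an in-memory dict of constructed sample tokens standing in for a lookup or introspection call to the authorization server; the current time is passed in so that the expiry check is deterministic.

```python
"""Bearer token validation at the resource server (added example, not from the talk)."""
import re
from dataclasses import dataclass
from typing import Optional

# Bearer credential syntax from RFC 6750: a b64token after a single SP
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$")


@dataclass
class TokenRecord:
    subject: str          # resource owner the token was issued for
    scopes: frozenset     # scopes granted on the consent form
    created_at: int       # Unix time when issued
    expires_in: int       # lifetime in seconds (3600 in the token response)
    revoked: bool = False


# Constructed sample token store; the first token string is the one on the slide.
# A real resource server would ask the authorization server's token store instead.
TOKEN_STORE = {
    "mF_9.B5f-4.1JqM": TokenRecord("alice", frozenset({"followers", "tweet_feed"}), 1_000_000, 3600),
    "expiredTok": TokenRecord("bob", frozenset({"followers"}), 900_000, 3600),
    "revokedTok": TokenRecord("carol", frozenset({"followers", "tweet_feed"}), 1_000_000, 3600, revoked=True),
}


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the token from the Authorization header, or None for any other scheme/shape."""
    match = BEARER_RE.match(headers.get("Authorization", ""))
    return match.group(1) if match else None


def authorize_request(headers: dict, required_scope: str, now: int) -> tuple:
    """Return (status, reason): 200 only for a known, unrevoked, unexpired, suitably scoped token."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    record = TOKEN_STORE.get(token)
    if record is None:
        return 401, "unknown token"
    if record.revoked:
        return 401, "token revoked"
    if now >= record.created_at + record.expires_in:
        return 401, "token expired"
    if required_scope not in record.scopes:
        return 403, "insufficient scope"
    return 200, f"ok for {record.subject}"


if __name__ == "__main__":
    request_headers = {"Host": "example.com", "Authorization": "Bearer mF_9.B5f-4.1JqM"}
    print(authorize_request(request_headers, "tweet_feed", now=1_000_100))
    print(authorize_request(request_headers, "tweet_feed", now=1_003_600))
```

A bearer token is all the resource server sees, so these attribute checks are the only thing standing between a leaked token and the API; that is the point the talk returns to under "Criticism: Bearer Tokens".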


Basics: Implicit Grant Type


Implicit Grant: Get Request for auth token

GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Implicit Grant: Redirect response with the access token in the fragment

HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
          &state=xyz&token_type=example&expires_in=3600
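Client-side handling of the implicit grant redirect above, as an added example in Python (not code from the talk): the token arrives in the URL fragment, which the browser keeps and never sends to a server, so the client has to read it from the fragment, check state, and refuse a response that carried the token in the query string instead (where it would end up in server and proxy logs). The redirect URL used as input is the one from the slide, constructed here.

```python
"""Implicit grant: reading the token out of the redirect fragment (added example, not from the talk)."""
from urllib.parse import parse_qs, urlsplit

# The redirect from the slide, as constructed input
SAMPLE_REDIRECT = (
    "http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA"
    "&state=xyz&token_type=example&expires_in=3600"
)


def parse_implicit_redirect(redirect_url: str, expected_state: str) -> dict:
    """Extract and sanity-check the token parameters from the fragment."""
    parts = urlsplit(redirect_url)
    if "access_token" in parse_qs(parts.query):
        # A token in the query string was sent to the server (and logged) already
        raise ValueError("token in query string instead of fragment: reject")
    if not parts.fragment:
        raise ValueError("no fragment: not an implicit grant response")
    params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "access_token" not in params or "token_type" not in params:
        raise ValueError("incomplete token response in fragment")
    return {
        "access_token": params["access_token"],
        "token_type": params["token_type"],
        "expires_in": int(params.get("expires_in", "0")),
    }


if __name__ == "__main__":
    print(parse_implicit_redirect(SAMPLE_REDIRECT, expected_state="xyz"))
```

Because there is no token endpoint step, the client secret never comes into play in this grant; the state check and the fragment handling are the only client-side controls, which is why the talk classes it as suitable only for browser-based, client-side applications.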

Criticism

Criticism: Lack Of Interoperability

Many Optional Components

Partially/Fully Undefined Components: Client Registration, Authorization Server Capabilities, Endpoint Discovery

"Future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability."

Framework <-> Protocol

Criticism: Outdated

Designed for 2006: Hosted Applications Centric

mobile, native, js

Bearer Tokens

Don’t put your eggs in one basket

Defense in Depth is the humble realization that, of all the security measures you implement, a few will fail because of your own stupidity. It's good to have a few backups, just in case.

Alternative: Oz

Three JS Modules:

Iron: takes a JavaScript object and turns it into a verifiable encoded blob.

Hawk: a client-server authentication protocol providing a rich set of features for a wide range of security needs.

Oz: leverages the other two.

Oz

Builds on top of the experience of OAuth 1.0/2.0

Highly Opinionated Decisions

Client Side Cryptography: Hawk

Functional Imperative

functionalimperative.com | (647) 405-8994 | @func_i
