introduction to oauth 2.0 - part 1
Post on 13-Apr-2017
111 Views
Preview:
TRANSCRIPT
@nabeelxy
10/26/2014
Wouldn’t it be cool when I tweet, it automatically gets
posted in my FB wall?
Tweet
Bob Twitter App
Automatically post in Bob’s FB wall
How does the Twitter App writes in Bob’s FB wall? I mean how does it get
write access to Bob’s FB wall?
Tom, Twitter App Manager Jim, Twitter App Dev
Let’s store Bob’s FB username and password in his Twitter App account. Then the app can login and post in his FB wall. The problem solved!
It works. But it is not a good idea to store username and password
as it involves a lot of risks. Besides, Bob won’t like to give his username/password to our app
considering the fact that it takes a while for users to trust our app.
Jill, App Dev
I totally agree. This is actually called Password Anti-Pattern! At all cost, we should avoid it.
Sam, App Dev
We get more access than we want with username/password as well. Users will not like it. Further, this is bad from the point of view of liability when things go wrong.
Sam, App Dev
Further, if users change their FB password, it
breaks our app.
If users want to stop cross posting in FB, they will always
have to come to our app or change their FB password.
Alright, asking for username and password is not good for Bob as well as
us. So, what can we do about it?
Tom, Twitter App Manager
Basically the problem is that we need a way for our users to give us write authorization to their FB walls?
Ali, App Dev
I was thinking that this problem is strikingly similar to the valet parking
situation. I want to get my new car valet parked but I am at the same time hesitant
to give my car key to them.
The car industry came with this idea of valet keys that has limited capabilities. For example, that valet key allows to drive a car only a short distance and most of the add-on functions in
the car are disabled for that special key.
So, now I can give my valet key (instead of the original key) to valet park without
worrying too much about it.
So, this sounds like a valet key
would map to a short-lived token just like those in Kerberos
protocol, even though Kerberos is for authentication?
Jim, Twitter App Dev
Yes, indeed. There is in fact a token based delegated
authorization mechanism called OAuth.
Good news is that FB is actually supporting
OAuth for such access.
Sam, App Dev
OAuth sounds great. Sam, could you give us some details of it?
Tom, Twitter App Manager Sam, App Dev
Sure.
Password Anti-Pattern Give resource owner’s (Bob’s) username and password to
client (Twitter App) in order to access the resource server (FB account) on behalf of the resource owner
Dangers of using this pattern Expanded access and risk (exposure of
username/password to third-party client) Limited reliability when passwords are changed Revocation challenges
First Solutions Google’s AuthSub Yahoo’s BBAuth
A delegated authorization protocol
Provides the ability for these applications to access a user’s data securely, without requiring the user to take the scary step of handing over an account password
Introduced in 2007
Increased developer experience and increased confidence in security due to a common protocol for handling API authorization
Not backward compatible with OAuth 1.0
New flows
Signatures are replaced by HTTPS (bearer tokens)
Simplified signatures
Short-lived tokens
Separation of roles for authorization server and resource server
Resource server The server that hosts user owned resources protected by
OAuth An API provider such as Google, Facebook, etc.
Resource owner An application user Has the ability to grant access to their own data hosted on a
resource server
Client An application making API calls to perform certain action on
protected resources on behalf of the resource owner with resource owner’s authorization
Authentication server Often, it is same as the resource server
Tweet
Bob Twitter App
Automatically post in Bob’s FB wall
CLIENT
RESOURCE SERVER
RESOURCE OWNER
AUTHORIZATION SERVER
Server-side web application
Client side web application running in the web browser
Native application
Most OAuth 2.0 APIs uses bearer tokens to let clients make authorized requests
Access Token lets a client access a protected resource
How to send your access token with an API request? Preferred method is to use HTTP Authorization header GET /tasks/v1/lists/@default/tasks HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer ya29.AHES6ZSzX
Authorization code For apps with backend servers
Implicit grant for browser based client side applications (no backend server)
Resource owner password based grants Only for very trusted applications (usually for first-party
applications only)
Client credentials For application access (i.e. client is an application)
Implementing authorization code flow for service
Authorization flow diagrams
OAuth 2.0 Authorization Framework (RFC 6749)
Getting Started with OAuth 2.0
top related