Authentication & API access for native/mobile applications
Brock Allen
http://brockallen.com
@BrockLAllen
Slide 2
tl;dr
• Implementing authentication and API access for native/mobile applications
– applications that have access to native platform APIs
– desktop or mobile
• Following the guidance of "OAuth 2.0 for Native Apps"
– https://tools.ietf.org/html/draft-ietf-oauth-native-apps-04
– the draft has since been published as RFC 8252
Slide 3
The big picture
[figure: a Browser, a Native App and a Server App ("Thing") call a Web App and several Web APIs; a single Security Token Service sits in the middle and issues the tokens all of them use]
Slide 4
Security protocols (I)
[figure: the same picture; the Browser, the Native App and the Web App each authenticate users against the Security Token Service with OpenID Connect]
Slide 5
Security protocols (II)
[figure: the same picture; every call from the Browser, Native App, Server App or Web App into a Web API carries an OAuth 2.0 access token issued by the Security Token Service, while OpenID Connect is used for the user authentication]
Slide 6
So many options…
• Low hanging fruit
– OAuth 2.0 resource owner password credential flow
• Better, but misses out on some advanced features
– OAuth 2.0 implicit flow
• Recommended
– OAuth 2.0 authorization code flow (with PKCE)
– this is also what RFC 8252 requires for native apps; the OAuth 2.0 Security Best Current Practice (RFC 9700) has since deprecated both the password and the implicit grant
• …and my favourite
– OpenID Connect hybrid flow (with PKCE)
Slide 7
Native login dialogs
[figure: the native app draws its own Username/Password dialog, posts the username/password to the token service, receives a token and sends that token to the API; the API trusts the token service]
Slide 8
OAuth 2.0 Resource Owner Password Flow
• Pros
– client app has full control over login UI
– support for long lived API access without having to store a password
• Cons
– user is encouraged to type their master secret into "external" applications
• especially problematic once applications also come from 3rd parties
– no cross application single sign-on or shared logon sessions
– no federation with external identity providers/business partners
– every change in logon workflow requires versioning the application
Slide 9
Using a browser for driving the authentication workflow
[figure: the native app hands the authentication request to a browser; the token service renders the login UI & workflow there and redirects back to the app]
Slide 10
Using a browser for driving the authentication workflow
• Centralize authentication logic
– consistent look and feel
– implement once, all applications get it for free
– allows changing the workflow without having to update the applications
• e.g. consent, updated EULA, 2FA
• Enable external identity providers and federation
– federation protocols are browser based only
• Depending on browser, authentication sessions can be shared between apps and OS
Slide 11
Browser types
• Embedded web view
– private browser & private cookie container
– e.g. WinForms or WPF browser control
– the hosting app can read everything typed into it and there is no shared session, which is why RFC 8252 says native apps must not use one for the authorization request
• Authentication broker
– "special" browsers (look private but share some cookies)
– e.g. Win8 & UWP WebAuthenticationBroker
• In-app browser tab
– full blown system browser (including address bar & add-ins)
– shared cookie container
– e.g. SafariViewController (iOS9) & Chrome Custom Tabs (Android 5)
Slide 12
How to implement?
• Implicit flow
– really designed for JS apps
– access tokens transmitted over browser (and potentially cross process)
– no refresh tokens
• Authorization code-based flows
– access tokens only over back-channel communication
– slightly more secure due to client secret (only where the secret can actually be kept; a native app is a public client, a secret compiled into it is not a secret, and PKCE is what protects the code)
– allows long lived API access via refresh tokens
– authorization code itself needs to be protected though
• cut'n paste attack
• man in the middle
Slide 13
Starting the authentication request
GET /authorize
  ?client_id=nativeapp
  &scope=openid profile api1 api2 offline_access
  &redirect_uri=com.mycompany.nativeapp://cb
  &response_type=code id_token
  &nonce=j1y…a23
  &code_challenge=x929..1921
  &code_challenge_method=S256

nonce = random_number
code_verifier = random_number
code_challenge = hash(code_verifier)

(code_challenge_method=S256 is not on the slide but is needed for a hashed challenge: without it the server assumes "plain" per RFC 7636. Values are shown unencoded; on the wire the spaces in scope and the custom-scheme redirect URI are percent-encoded.)
Slide 14
Receiving the response (callback)
GET com.mycompany.nativeapp://cb#id_token=x12f…zsz&code=818…1299
– response_type=code id_token defaults to the fragment response mode, so id_token and code arrive after the '#'; the OS routes the custom scheme to the app, which validates both before using either
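The request on slide 13 and the callback on slide 14, as an added example in Python (this is not code from the deck or from OidcClient): it generates the PKCE verifier/challenge and the nonce, builds the authorize URL with the parameters shown, and parses the fragment the OS hands back to the app. The authority URL https://idsrv, the added state parameter and the error handling are assumptions; client id, scopes and redirect URI are the slide's placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values from the slide; the authority URL is assumed.
AUTHORITY = "https://idsrv"
CLIENT_ID = "nativeapp"
REDIRECT_URI = "com.mycompany.nativeapp://cb"
SCOPE = "openid profile api1 api2 offline_access"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 and the JOSE specs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved characters; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_request():
    """Return (authorize URL, pending request state).

    The pending dict is what the app keeps in memory until the callback
    arrives: the code_verifier never leaves the app, nonce and state are
    compared against the response."""
    pending = {
        "nonce": b64url(secrets.token_bytes(16)),
        "state": b64url(secrets.token_bytes(16)),
        "code_verifier": new_code_verifier(),
    }
    params = {
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code id_token",   # OpenID Connect hybrid flow
        "nonce": pending["nonce"],
        "state": pending["state"],          # assumed addition, not on the slide
        "code_challenge": code_challenge_s256(pending["code_verifier"]),
        "code_challenge_method": "S256",    # leave it out and the server assumes "plain"
    }
    # urlencode percent-encodes the scheme URI and turns the spaces in scope into '+'
    return AUTHORITY + "/authorize?" + urlencode(params), pending


def parse_callback(callback_url: str, pending: dict) -> dict:
    """Parse the redirect the OS hands to the app for its custom scheme.

    response_type=code id_token uses the fragment response mode by default,
    so the parameters live after '#'. Anything that does not match the
    pending request is rejected before the tokens are looked at."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("response arrived on an unexpected redirect URI")
    response = {k: v[0] for k, v in parse_qs(parts.fragment, strict_parsing=True).items()}
    if "error" in response:
        raise ValueError("authorization failed: " + response["error"])
    if response.get("state") != pending["state"]:
        raise ValueError("state mismatch: response does not belong to this request")
    for name in ("code", "id_token"):
        if name not in response:
            raise ValueError("response is missing " + name)
    return response
```

The verifier and nonce are generated per request and thrown away once the flow completes; nothing on the page suggests reusing them, and reuse would let one intercepted callback be replayed against a later request.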
Slide 15
Identity token

Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "mj399j…"
}

Payload:
{
  "iss": "https://idsrv",
  "exp": 1340819380,
  "aud": "nativeapp",
  "nonce": "j1y…a23",
  "amr": [ "password", "sms" ],
  "auth_time": 1340819300,
  "sub": "182jmm199"
}

Serialized as base64url(header).base64url(payload).base64url(signature), e.g.
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
(the slide reuses the illustrative string from the JWT RFC, which does not decode to the header above; in the hybrid flow the payload also carries a c_hash claim, used on the next slide)
Slide 16
Validating the response
• Identity token validation (OpenID Connect Core section 3.1.3.7)
– validate signature
• key material available via discovery endpoint (jwks_uri); select the key by kid and check that alg is the one you expect
– validate iss claim
– validate exp (and nbf)
– validate aud claim (and azp if the token has more than one audience)
– validate that nonce equals the value sent in the request
• Authorization code validation (section 3.3.2.10)
– hash authorization code and compare with c_hash claim
– only then send the code to the token endpoint
https://openid.net/specs/openid-connect-core-1_0.html
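The checklist above as an added, runnable example (not the deck's code and not any library's). To run offline it signs with HS256 and a constructed shared key; a real ID token is RS256 and `verify_signature` would instead use the JWK whose kid matches the header, fetched from the discovery document's jwks_uri. The sample claims are the slide's; the code value, key and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """c_hash / at_hash per OpenID Connect Core 3.3.2.11: base64url of the
    left-most half of the hash named by alg (SHA-256 for RS256 and HS256)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


# --- demo STS side: mints a token so the example runs offline -----------------
def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    header = b64url(json.dumps({"typ": "JWT", "alg": alg, "kid": "demo"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"


def hs256_verifier(key: bytes):
    """Stand-in for the RS256 check; a real client verifies with the jwks_uri key."""
    def verify(signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


# --- client side -----------------------------------------------------------------
def validate_id_token(id_token, *, issuer, client_id, nonce, code, verify_signature,
                      expected_alg="HS256", now=None, leeway=60) -> dict:
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = id_token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    header = json.loads(b64url_decode(h64))
    # pin the algorithm before touching the signature: the token must not choose it
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(f"{h64}.{p64}".encode("ascii"), b64url_decode(s64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token is not for this client (aud)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("token not yet valid")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: not the response to our request")
    # hybrid flow: the code that arrived next to this token must be the one it hashes
    if claims.get("c_hash") != half_hash(code):
        raise ValueError("c_hash mismatch: authorization code was swapped")
    return claims


def sample_claims(code: str, nonce: str, now: int) -> dict:
    """The slide's payload with a c_hash for the given code (constructed values)."""
    return {"iss": "https://idsrv", "sub": "182jmm199", "aud": "nativeapp",
            "exp": now + 300, "auth_time": now - 80, "nonce": nonce,
            "amr": ["password", "sms"], "c_hash": half_hash(code)}


def demo() -> dict:
    key = b"demo-shared-secret"          # constructed; never ship a shared key in an app
    code, nonce, now = "818abc1299", "j1yabca23", 1340819000
    token = mint_id_token(sample_claims(code, nonce, now), key)
    return validate_id_token(token, issuer="https://idsrv", client_id="nativeapp",
                             nonce=nonce, code=code,
                             verify_signature=hs256_verifier(key), now=now)
```

The order matters: algorithm and signature first, then the claims. Reading claims out of an unverified token and acting on them is how "alg: none" and key-confusion bugs become account takeovers.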
Slide 17
Requesting the access token
• Exchange code for access token
– POST to the token endpoint with the code and the code verifier
– using client id and secret (where the client can keep one; for a public native client the code verifier takes the secret's place)
Request: code & code verifier, authenticated as (client_id:client_secret)
Response:
{
  "access_token": "xyz…123",
  "refresh_token": "dxy…103",
  "expires_in": 3600,
  "token_type": "Bearer"
}
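The server side of this exchange, as an added example (not IdentityServer's code and not from the deck): a minimal token endpoint that does what PKCE asks of the STS, plus the request body the native client sends. It assumes the authorize endpoint recorded the challenge when it issued the code, that the exchange happens over HTTPS, and that a public native client authenticates with nothing but the code verifier; token values are random placeholders.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class OAuthError(Exception):
    """Token endpoint failure; args[0] is the RFC 6749 error code returned."""


def build_token_request(code, code_verifier, client_id, redirect_uri) -> str:
    """Body of the POST to the token endpoint. A public native client sends no
    client_secret; the code_verifier is what proves it started this flow."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "code_verifier": code_verifier, "redirect_uri": redirect_uri,
                      "client_id": client_id})


class DemoTokenEndpoint:
    """Just enough of an STS to show what the token endpoint must check."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}   # code -> what the authorize endpoint recorded with it

    def issue_code(self, *, client_id, redirect_uri, code_challenge,
                   code_challenge_method, sub, scope) -> str:
        """Called by the authorize endpoint after login: store the challenge with the code."""
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                 challenge=code_challenge, method=code_challenge_method,
                                 sub=sub, scope=scope, expires=self._now() + 600)
        return code

    def exchange(self, body: str) -> dict:
        req = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
        if req.get("grant_type") != "authorization_code":
            raise OAuthError("unsupported_grant_type")
        # pop, not get: a code is single-use even when the exchange fails
        record = self._codes.pop(req.get("code", ""), None)
        if record is None or record["expires"] < self._now():
            raise OAuthError("invalid_grant")
        if (record["client_id"], record["redirect_uri"]) != (req.get("client_id"), req.get("redirect_uri")):
            raise OAuthError("invalid_grant")
        verifier = req.get("code_verifier", "")
        if not re.fullmatch(r"[A-Za-z0-9._~-]{43,128}", verifier):   # RFC 7636 4.1
            raise OAuthError("invalid_grant")
        if record["method"] == "S256":
            ok = hmac.compare_digest(code_challenge_s256(verifier), record["challenge"])
        elif record["method"] == "plain":
            ok = hmac.compare_digest(verifier, record["challenge"])
        else:
            ok = False
        if not ok:
            raise OAuthError("invalid_grant")
        tokens = {"access_token": b64url(secrets.token_bytes(32)), "expires_in": 3600,
                  "token_type": "Bearer", "scope": record["scope"]}
        if "offline_access" in record["scope"].split():
            tokens["refresh_token"] = b64url(secrets.token_bytes(32))
        return tokens


def demo() -> dict:
    """Constructed run: the app's own verifier succeeds, replaying the same code
    fails, and a code captured by another app (the cut'n paste case) fails
    because the thief cannot produce the verifier behind the challenge."""
    sts = DemoTokenEndpoint()
    client, redirect = "nativeapp", "com.mycompany.nativeapp://cb"

    def login(verifier):   # what the authorize endpoint does once the user logged in
        return sts.issue_code(client_id=client, redirect_uri=redirect,
                              code_challenge=code_challenge_s256(verifier),
                              code_challenge_method="S256", sub="182jmm199",
                              scope="openid profile api1 api2 offline_access")

    def attempt(code, verifier):
        try:
            tokens = sts.exchange(build_token_request(code, verifier, client, redirect))
            return tokens["token_type"] + ("+refresh" if "refresh_token" in tokens else "")
        except OAuthError as err:
            return err.args[0]

    verifier = b64url(secrets.token_bytes(32))
    code = login(verifier)
    return {"own_verifier": attempt(code, verifier),
            "replay": attempt(code, verifier),
            "stolen_code": attempt(login(verifier), b64url(secrets.token_bytes(32)))}
```

Two details carry the security: the code is consumed on first use whether or not the exchange succeeds, and the challenge is compared against a hash of what the client sends, so a code observed in the redirect is worthless without the verifier that never left the app.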
Slide 18
Optional: download more claims
• OpenID Connect UserInfo endpoint provides claims as JSON object
– called with the access token
{
  "given_name": "Kendall",
  "preferred_username": "FluffyBunnySlippers",
  "profile_picture": " "
}
Slide 19
Next steps
• Persist the data in protected storage
– claims
– access token
– refresh token
– i.e. the platform keychain/keystore (or DPAPI on Windows), not plain app settings
• Use access token to communicate with APIs
• Use refresh token to get new access tokens when necessary
Slide 20
That's a lot of work!
• Native libraries
– https://github.com/openid/AppAuth-iOS
– https://github.com/openid/AppAuth-Android
• C# portable class library (desktop .NET, UWP, mobile, iOS, Android)
– https://github.com/IdentityModel/IdentityModel.OidcClient
– https://github.com/IdentityModel/IdentityModel.OidcClient.Samples
Slide 21
OSS FTW!
IdentityModel.OidcClient
- OidcClient
- Browser coordination
- Discovery document support
IdentityModel
- OpenID Connect & OAuth 2.0 protocol
- Refresh token handling
Jose-Pcl
- JWT validation
- JWK handling
PCLCrypto
- voodoo
Slide 22
Setup
```csharp
var options = new OidcClientOptions(
    authority: authority,
    clientId: "native",
    clientSecret: "secret",
    scope: "openid profile api offline_access",
    redirectUri: "com.mycompany.myapp://callback",
    webView: webView);

var client = new OidcClient(options);
```
Slide 23
Authentication & requesting tokens
```csharp
var result = await client.LoginAsync();

var claims = result.Claims;
var accessToken = result.AccessToken;
var refreshToken = result.RefreshToken;
```
Slide 24
Calling APIs and keeping tokens fresh
```csharp
// handler that attaches the access token and refreshes it when it expires
var apiClient = new HttpClient(result.Handler);
apiClient.BaseAddress = new Uri("https://www.mycompany.com/api/");
```
or…
```csharp
var tokenClient = new TokenClient(
    address: "https://demo.identityserver.io/connect/token",
    clientId: "client",
    clientSecret: "secret");

var handler = new RefreshTokenHandler(tokenClient, refreshToken);
var apiClient = new HttpClient(handler);
```
Slide 25
Stepping up security: bearer vs PoP tokens
[figure: the <bearer token> issued by the STS is forwarded as-is by the app to the API; possession of the token is all the API ever checks, so whoever holds a copy can use it]
Slide 26
Adding a proof key & signature
1) client generates pub/priv key pair
2) sends public key to STS during token request
3) STS embeds pub key in access token
4) client uses private key to sign HTTP request
5) API validates access token
6) extracts proof key & validates the HTTP signature
[figure: pubkey goes to the STS; the token incl. pub key comes back to the client; the client sends the token incl. pub key plus a signature to the API]
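Steps 1 to 6 above as an added example (not from IdentityModel.HttpSigning or from the drafts): the proof key travels in the access token's cnf claim as RFC 7800 defines, the proof is a JWS over the access token and the request line in the spirit of draft-ietf-oauth-signed-http-request, and the API checks both. The RSA here is textbook RSA on fixed Mersenne primes so that it runs without a crypto library; it is a stand-in for RS256/ES256 and must not be used in production. The issuer, audience, host, path and claim names are assumptions.

```python
import base64
import hashlib
import json

# Toy RSA on fixed Mersenne primes so the demo needs no crypto library.
# Textbook RSA over a bare SHA-256 digest (no padding): illustration only.
MERSENNE = {k: (1 << k) - 1 for k in (89, 107, 127, 521, 607, 1279)}


def rsa_keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def rsa_sign(priv, data: bytes) -> bytes:
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    size = (priv["n"].bit_length() + 7) // 8
    return pow(m, priv["d"], priv["n"]).to_bytes(size, "big")


def rsa_verify(pub, data: bytes, sig: bytes) -> bool:
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == m


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(priv, payload: dict) -> str:
    header = b64url(b'{"alg":"RS256-toy"}')
    body = b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    return f"{header}.{body}.{b64url(rsa_sign(priv, signing_input))}"


def jws_verify(pub, token: str) -> dict:
    header, body, sig = token.split(".")
    if not rsa_verify(pub, f"{header}.{body}".encode("ascii"), b64url_decode(sig)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(body))


def jwk_from_pub(pub) -> dict:
    """RFC 7517 RSA public key: what the client sends the STS in step 2."""
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": enc(pub["n"]), "e": enc(pub["e"])}


def pub_from_jwk(jwk) -> dict:
    dec = lambda s: int.from_bytes(b64url_decode(s), "big")
    return {"n": dec(jwk["n"]), "e": dec(jwk["e"])}


def sts_issue_pop_token(sts_priv, client_jwk, sub, aud, now) -> str:
    """Step 3: the STS binds the token to the client's key with the RFC 7800 cnf claim."""
    claims = {"iss": "https://idsrv", "sub": sub, "aud": aud, "exp": now + 3600,
              "cnf": {"jwk": client_jwk}}
    return jws_sign(sts_priv, claims)


def sign_request(client_priv, access_token, method, host, path, now) -> dict:
    """Step 4: the proof is a JWS over the token and the request line, replacing the bearer header."""
    proof = {"at": access_token, "m": method, "u": host, "p": path, "ts": now}
    return {"Authorization": "PoP " + jws_sign(client_priv, proof)}


def api_authorize(sts_pub, headers, method, host, path, now, max_skew=300) -> dict:
    """Steps 5 and 6 as the API sees them: returns the token claims or raises."""
    scheme, _, proof = headers.get("Authorization", "").partition(" ")
    if scheme != "PoP":
        raise ValueError("not a PoP request")
    unverified = json.loads(b64url_decode(proof.split(".")[1]))   # only to find the token
    token = jws_verify(sts_pub, unverified["at"])                  # 5) STS signature
    if token["aud"] != host or token["exp"] <= now:
        raise ValueError("access token not valid for this API")
    proof_key = pub_from_jwk(token["cnf"]["jwk"])                   # 6) key from the token...
    claims = jws_verify(proof_key, proof)                          #    ...verifies the proof
    if (claims["m"], claims["u"], claims["p"]) != (method, host, path):
        raise ValueError("proof was made for a different request")
    if abs(now - claims["ts"]) > max_skew:
        raise ValueError("stale proof")
    return token


def demo() -> dict:
    """Constructed run: the real client gets through, a replay and a thief do not."""
    now, host = 1340819000, "api.mycompany.com"
    sts_pub, sts_priv = rsa_keypair(MERSENNE[107], MERSENNE[607])
    client_pub, client_priv = rsa_keypair(MERSENNE[127], MERSENNE[521])   # 1)
    at = sts_issue_pop_token(sts_priv, jwk_from_pub(client_pub), "182jmm199", host, now)
    headers = sign_request(client_priv, at, "GET", host, "/orders", now)
    out = {"sub": api_authorize(sts_pub, headers, "GET", host, "/orders", now)["sub"]}
    thief_priv = rsa_keypair(MERSENNE[89], MERSENNE[1279])[1]              # has the token, not the key
    for label, hdrs in (("replay", headers),
                        ("forged", sign_request(thief_priv, at, "DELETE", host, "/orders", now))):
        try:
            api_authorize(sts_pub, hdrs, "DELETE", host, "/orders", now)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

What changes compared with a bearer token is visible in `api_authorize`: a captured Authorization header only works for the exact request it was made for, and a copied token is useless to anyone who cannot sign with the key the STS put into it.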
Slide 27
That's even more work!!!
• Helper libraries
– https://github.com/IdentityModel/IdentityModel.Owin.PopAuthentication
– https://github.com/IdentityModel/IdentityModel.HttpSigning
• The specs (not done yet at the time of the talk)
– https://tools.ietf.org/wg/oauth/draft-ietf-oauth-pop-architecture/ (expired; the key-binding claim itself was published as the cnf claim in RFC 7800)
– https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-exchange/ (published as RFC 8693)
– https://tools.ietf.org/wg/oauth/draft-ietf-oauth-signed-http-request/ (expired; the standardized sender-constrained tokens today are DPoP, RFC 9449, and mutual-TLS binding, RFC 8705)