© 2014. Allen I. Holub
Allen I. Holub Holub Associates
www.holub.com [email protected] @allenholub
Why?
Give an app access to a resource managed by someone else, without giving the app your password.
A valet key for the web
Access the ignition, but not the trunk.
Access for a short time.
The four roles: Resource Owner, Client, Authorization Server, Resource Server.
The Resource Owner tells the Authorization Server to allow the Client to access data on the Resource Server; the Client does so by presenting an Access token.
Oauth2.key - March 28, 2014
Normal Flow (preserved in OAuth 2)
Digitally signed (by you)
Access tokens have a limited lifetime
Access Token: good for 1
Client gets a replacement by presenting a Refresh Token to the Authorization Server
OAuth 2 ≈ OAuth 1 + TLS
No digital signing required
Not backwards compatible
But, similar architecture
Houston, We have a problem.
Insecure: IETF Draft "OAuth 2.0 Threat model and Security Considerations" (http://goo.gl/y0BVLN); 52 threats documented
Diffuse: many parts deliberately open to interpretation; enterprise (not web) focused
Interoperability is impossible: all vendors have proprietary variants.
Google requires it!
Eran Hammer-Lahav (invented OAuth):
He withdrew his name from the standard after 31 drafts got nowhere.
http://goo.gl/f5g9U
Use a vendor-supplied implementation
Flows
Web Server (next slide)
User-Agent: clients inside a web browser/JavaScript
Username/Password: really defeats the purpose!
Assertion: via SAML assertion
Client Credentials: when client owns the resource
Web-server flow
1. Client: op that needs resource
2. Client to Auth Server: Request access (authorization)
3. Auth Server (with the Resource Owner): Authenticate & authorize client
4. Auth Server to Client: authorization code
5. Client to Auth Server: Exchange code for tokens
6. Client to Resource Server: Request resource (presenting the access token)
7. Resource Server to Client: {dataType: contents}
8. Client to Auth Server: Refresh Access Token (when the access token expires)
Typical authenticate/authorize request: [request URL shown as an image; its callouts:]
Client ID
Go here after permission from Resource Owner granted.
On success, the auth server responds to the redirect URI with an authorization code.
Use the auth code to request tokens: the token request carries the auth code from the previous step, and the response returns the tokens.
Request data from the Resource Server

```shell
$ curl https://www.googleapis.com/blogger/v3/blogs/5223788876950011016 \
  -H 'Authorization: OAuth ya29.AHES6ZRTj1GNxAby81Es-p_YPWWNBAFRvBYVsYj2HZJfJHU'
```

The value after OAuth is the access token.
Resource Server returns data
If request refused, refresh access token
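The web-server flow of slides 15 through 21, written out as one added Python example (this is not code from the slides or from Google's library); the endpoint URLs, client id and the resource server used to drive it are hypothetical and constructed here. The state parameter is RFC 6749's CSRF check, which the slides' request and curl examples do not show.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints (constructed for this example).
AUTH_ENDPOINT = "https://auth.example/authorize"
TOKEN_ENDPOINT = "https://auth.example/token"


def build_authorization_request(client_id, redirect_uri, scope):
    """Slide 16: send the browser to the auth server. 'state' is a nonce the
    client stores and checks on return (RFC 6749 sec. 10.12, anti-CSRF)."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Slide 17: the auth server redirects to redirect_uri with ?code=...&state=...
    Discard the code unless the state is the one this client issued."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not our request, discarding code")
    if "error" in q:
        raise ValueError("authorization refused: " + q["error"][0])
    return q["code"][0]


def token_request(client_id, client_secret, grant_type, **extra):
    """Slides 18 and 21: form body for the token endpoint. grant_type is
    'authorization_code' (extra: code, redirect_uri) or 'refresh_token'
    (extra: refresh_token). Carries the client secret, so TLS only."""
    body = {"grant_type": grant_type, "client_id": client_id,
            "client_secret": client_secret, **extra}
    return TOKEN_ENDPOINT, urlencode(body)


def resource_request(url, access_token):
    """Slide 19: present the access token. RFC 6750 bearer header; the slide's
    curl line uses Google's older 'Authorization: OAuth <token>' form."""
    return {"url": url, "headers": {"Authorization": "Bearer " + access_token}}


def fetch_with_refresh(call, tokens, refresh):
    """Slide 21: call(access_token) -> (status, data). A 401 means the
    short-lived access token has expired; trade the refresh token for a new
    one and retry once. Returns (status, data, current tokens)."""
    status, data = call(tokens["access_token"])
    if status == 401:
        tokens = refresh(tokens["refresh_token"])
        status, data = call(tokens["access_token"])
    return status, data, tokens
```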
NONE OF THIS IS SECURE IF YOU DON'T USE TLS (HTTPS).
https://developers.google.com/oauthplayground/
Installed-app flow (same as web application)
Client-side (JavaScript) app
Limited-input device
Service accounts (owned by client app)
Set up to test
Static IP required!
Set up to test (2)
https://developers.google.com/accounts/docs/OAuth2
JavaScript
Cocoa
Developer's Console
https://console.developers.google.com
Google's servlet sample (the three slides overlap; shown here once, as two source files):

```java
// Imports are not on the slides; package names are those of the
// google-api-java-client of the time.
import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.AuthorizationCodeResponseUrl;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.extensions.jdo.auth.oauth2.JdoCredentialStore;
import com.google.api.client.extensions.servlet.auth.oauth2.AbstractAuthorizationCodeCallbackServlet;
import com.google.api.client.extensions.servlet.auth.oauth2.AbstractAuthorizationCodeServlet;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.calendar.CalendarScopes;

import java.io.IOException;
import java.util.Collections;
import javax.jdo.JDOHelper;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// File 1: CalendarServletSample.java
// The protected servlet: if no credential is stored for the user, the base
// class redirects to the auth server before doGet() runs.
public class CalendarServletSample extends AbstractAuthorizationCodeServlet {

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // do stuff
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req)
      throws ServletException, IOException {
    // Same host as this request, path /oauth2callback (the callback servlet).
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    // Client id and secret come from the Developer's Console; the JDO store
    // persists the tokens per user.
    return new GoogleAuthorizationCodeFlow.Builder(new NetHttpTransport(),
        new JacksonFactory(),
        "[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
        Collections.singleton(CalendarScopes.CALENDAR)).setCredentialStore(
            new JdoCredentialStore(
                JDOHelper.getPersistenceManagerFactory("transactions-optional")))
        .build();
  }

  @Override
  protected String getUserId(HttpServletRequest req) throws ServletException,
      IOException {
    // return user ID: a stable identifier for the logged-in user; it is the
    // key under which the credential store saves that user's tokens.
  }
}

// File 2: CalendarServletCallbackSample.java
// The /oauth2callback servlet: the base class exchanges the code for tokens,
// stores them under getUserId(), then calls onSuccess() or onError().
public class CalendarServletCallbackSample extends
    AbstractAuthorizationCodeCallbackServlet {

  @Override
  protected void onSuccess(HttpServletRequest req, HttpServletResponse resp,
      Credential credential)
      throws ServletException, IOException {
    resp.sendRedirect("/");
  }

  @Override
  protected void onError(
      HttpServletRequest req, HttpServletResponse resp,
      AuthorizationCodeResponseUrl errorResponse)
      throws ServletException, IOException {
    // handle error
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req)
      throws ServletException, IOException {
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    // Must match the flow in CalendarServletSample exactly.
    return new GoogleAuthorizationCodeFlow.Builder(
        new NetHttpTransport(), new JacksonFactory(),
        "[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
        Collections.singleton(CalendarScopes.CALENDAR)).setCredentialStore(
            new JdoCredentialStore(
                JDOHelper.getPersistenceManagerFactory("transactions-optional")))
        .build();
  }

  @Override
  protected String getUserId(HttpServletRequest req)
      throws ServletException, IOException {
    // return user ID (same identifier as in CalendarServletSample)
  }
}
```
https://www.dropbox.com/developers/core/start/java
get from: https://dropbox.com/developers/apps/create
OAUTH 1.0 (RFC 5849): http://tools.ietf.org/html/rfc5849
OAUTH 2.0 (RFC 6749): http://tools.ietf.org/html/rfc6749
OAUTH 2.0 Threat Model: http://goo.gl/y0BVLN
Various implementations: http://oauth.net/2/
Allen Holub www.holub.com [email protected] @allenholub