Protecting web APIs with OAuth 2.0
Description
How to control access to web APIs and other protected resources using OAuth 2.0, and how to identify users with OpenID Connect. The lecture is intended for web architects and programmers, as well as for all developers who want to learn more about the new web protocols for authorisation and authentication.
Transcript
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
Your cool web API
Bearer Token
HTTPS request with a bearer token
GET /client-reg HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
(In the Authorization header, "Bearer" is the token type and the string after it is the token value.)
Successful HTTP response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{ … }
On missing token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
On invalid / expired token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token"
On token with insufficient privileges
HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope"
See RFC 6750 [ http://tools.ietf.org/html/rfc6750 ] to learn more about bearer token usage
Your Web API
How does your web API decode the access tokens?
Typical authorisation attributes associated with an access token
● Scope: e.g. read, write, admin...
● Expiration time
● User ID
● Client ID
● Issuer
The 2 possible token encodings
● Self-contained:
– Require RSA signature verification, < 1 ms
– Scale extremely well
● Identifier-based:
– Require web API lookup, ~100+ ms
– Don't scale well, avoid
JSON Web Tokens (JWT)
eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2lkIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hope7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU
Syntax:
BASE64URL(header) + "." + BASE64URL(JSON-claims) + "." + BASE64URL(RSA-signature)
JSON Web Tokens (JWT)
Header
{ "alg": "RS256", "kid": "1" }
Claims
{ "sub": "alice", "cid": "000123", "iss": "https://connect2id.com", "exp": 1414065134, "iat": 1414064534, "scp": [ "read", "write", "admin" ] }
Signature (RSA)
fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Cc
See draft-ietf-oauth-json-web-token-29 [ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ] to learn more about JWT
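As an added example (not from the slides or from the Nimbus library), here are both sides of the picture in Go: MintToken stands in for the authorisation server and produces the BASE64URL(header).BASE64URL(claims).BASE64URL(signature) form just described, and Authorize is the web API check that pins the algorithm, verifies the RS256 signature before trusting any claim, checks issuer and expiry, and answers with the RFC 6750 status codes and WWW-Authenticate values from the bearer token slides. The key pair, issuer, scope names and timestamps are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding

// dec turns bad base64url into nil, which every check in Authorize then rejects.
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b }

// sum is the SHA-256 digest that RS256 signs over BASE64URL(header) "." BASE64URL(claims).
func sum(signingInput string) []byte { d := sha256.Sum256([]byte(signingInput)); return d[:] }

// MintToken stands in for the authorisation server and builds header.claims.signature as on the slides.
func MintToken(key *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "1"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum(input))
	return input + "." + b64.EncodeToString(sig)
}

// Authorize is the web API side: it returns the HTTP status and WWW-Authenticate value that
// RFC 6750 prescribes for a missing, invalid/expired, or under-privileged bearer token.
func Authorize(authz string, pub *rsa.PublicKey, issuer, needScope string, now int64) (int, string) {
	if !strings.HasPrefix(authz, "Bearer ") {
		return 401, "Bearer"
	}
	hdrB64, rest, _ := strings.Cut(strings.TrimPrefix(authz, "Bearer "), ".")
	claimsB64, sigB64, _ := strings.Cut(rest, ".")
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the expected algorithm and verify the signature before trusting a single claim.
	if json.Unmarshal(dec(hdrB64), &hdr) != nil || hdr.Alg != "RS256" ||
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(hdrB64+"."+claimsB64), dec(sigB64)) != nil {
		return 401, `Bearer error="invalid_token"`
	}
	var c struct{ Iss string `json:"iss"`; Exp int64 `json:"exp"`; Scp []string `json:"scp"` }
	if json.Unmarshal(dec(claimsB64), &c) != nil || c.Iss != issuer || now >= c.Exp {
		return 401, `Bearer error="invalid_token"` // wrong issuer or already expired
	}
	for _, s := range c.Scp {
		if s == needScope {
			return 200, ""
		}
	}
	return 403, `Bearer error="insufficient_scope"`
}
```

Drive it from a test or a small main: generate a throwaway key with rsa.GenerateKey, mint a token with the claims from the slides, and call Authorize with the public key, the expected issuer, the scope the endpoint requires and the current Unix time.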
http://connect2id.com/products/nimbus-jose-jwt
Thousands of deployments, tens of reviewers and contributors
Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical Schools, unnamed banks, etc.
The ultimate Java library for JWT
Who issues the access tokens?
Your authorisation server (the OAuth 2.0 server) authenticates users and clients and issues tokens.
Clients (mobile app, web app, native app) obtain tokens from it and present them to your web APIs.
Web APIs service requests and need only understand access tokens.
The OAuth 2.0 grants
● Authorisation code – requires a browser for end-user interaction
● Implicit – for browser (JS) based apps
● Password – for native apps
● Client credentials – for clients acting on their own behalf
● Assertions:
– SAML 2.0 Bearer
– JWT Bearer
See RFC 6749 [ http://tools.ietf.org/html/rfc6749 ] to learn more about OAuth 2.0
OpenID Connect
● Identity layer on top of the OAuth 2.0 framework
● The server issues an ID token in addition to the access token:
– The ID token is a signed JWT with claims:
● Subject – the end-user ID
● Issuer – the authority
● Issue and expiration date
● Audience – the intended recipients
● Authentication strength and methods
ID token claims
{ "sub" : "alice", "iss" : "https://connect2id.com", "iat" : 1414076589, "exp" : 1414077489, "aud" : [ "000123" ], "ip_address" : "10.20.30.40", "acr" : "1", "amr" : [ "ldap" ] }
See OpenID Connect 1.0 Core, OpenID Connect 1.0 Discovery, OpenID Connect 1.0 Dynamic Registration and OpenID Connect 1.0 Session Management [ http://openid.net/connect/ ] to learn more about OpenID Connect