Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Paris 2023 - I Have an OAuth2 Access To...

apidays
December 18, 2023

Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it, Matthew Auburn, Morgan Stanley

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

I Have an OAuth2 Access Token, Now what do I do with it
Matthew Auburn, VP and Tech Lead at Morgan Stanley | Co-author of Mastering API Architecture

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

December 18, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. I have an Access token, Now what! apidays Paris 2023

    - December 06, 07 & 08, 2023 Matthew Auburn, VP and Tech Lead at Morgan Stanley | Co-author of Mastering API Architecture Handling Access Tokens in your architecture
  2. • Work at Morgan Stanley • Working in Security Design

    • Previously API Platform Tech Lead • A Masters focused on Security • Co-Author of Mastering API Architecture Who am I
  3. Agenda • Why give this talk • What is an

    Access Token…. • How do you introspect them • Where should you introspect them in your architecture
  4. • Resource Owner - An entity capable of granting access

    to a protected resource (typically a human) • Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization • Client - An application making protected resource requests on behalf of the resource owner and with its authorization. • Resource server - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access token OAuth2 Abstract Protocol An OAuth2 refresher
  5. https://www.rfc-editor.org/rfc/rfc6749#section-1.4 “Access tokens are credentials used to access protected resources.

    An access token is a string representing an authorization issued to the client”
  6. Access Tokens and usage • When OAuth2 was released there

    was no RFC explicitly de fi ning what an access token should look like • Di ff erent Auth servers (IDPs ), made their own choices for their Access Tokens…. • There is no single pattern how a Access Tokens should be used in an architecture
  7. JWT • JWT spec - https://datatracker.ietf.org/doc/html/rfc7519 • Has registered claims

    (de fi nitions are set) • Simple for processing and compact • Signed JWTs • Encrypted JWTs • NOTE: When someone says JWT what they typically mean is a Signed JWT
  8. • eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYS1p4MH lsb2U4bXFkTHJiX3VPaHI0M2FLNWxha3p6RXkyYTRpb0FoVXNNIn0.eyJl eHAiOjE3MDAyMzk4OTEsImlhdCI6MTcwMDIzOTU5MSwiYXV0aF90aW1lIj oxNzAwMjM5NTkxLCJqdGkiOiI0ZWYwOTZhNC1hYjkzLTQwMTctODkxNi00 OTUwZmY3OTU5YTQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcm VhbG1zL29hdXRoMi13b3Jrc2hvcCIsImF1ZCI6ImFjY291bnQiLCJzdWIi OiIyMDQ2MDJkNS04YjAzLTRkMTYtOGFhYi0zMTZjY2YyM2ZjNTEiLCJ0eX AiOiJCZWFyZXIiLCJhenAiOiJNb2JpbGVDbGllbnRBcHBsaWNhdGlvbiIs Im5vbmNlIjoidVNvTWVjdVkzT1B6TmpsZmE3bTE1aDF2U1UwdGtDa2FMVD

    BCNTQ3dkhBQSIsInNlc3Npb25fc3RhdGUiOiI2ODZlMDA5Mi04Y2U0LTRm ZjktOGM4NC0wNjJkMmI5MzEwMTciLCJhY3IiOiIxIiwiYWxsb3dlZC1vcm lnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NzA3MCJdLCJyZWFsbV9hY2Nl c3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1vYXV0aDItd29ya3Nob3 AiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJy ZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2 UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9m aWxlIl19fSwic2NvcGUiOiJvcGVuaWQgQ29uZmVyZW5jZS1BUEkgcHJvZm lsZSBlbWFpbCIsInNpZCI6IjY4NmUwMDkyLThjZTQtNGZmOS04Yzg0LTA2 MmQyYjkzMTAxNyIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycm VkX3VzZXJuYW1lIjoibWF0dHlhIn0.W4e-2EqmWrU7Mj0aAxFxksOlfbM4 vUumGAdpYWjjfwVnDOul5bTwOEX4YlIFE_HcjaUngmtzfdha_4WW025m8c h036sHISbzKZkvj7lorq1Qg5KmVMClfCxb-7J9enrDxky6usU4ETvIpBpo 1bcUL8ejscgivPAxWRXbr1rXwv_jAIknseUgGP572BrM3EwCmUv3aX0Ha5 7DlGHOxkRvxbbOIuzcfhfFcw8seq4zOATvypqmzfY1QcRl9uQVR3cphJ6H ROitta1ullpHGS6Yb3F3farU0r0hZIglgmjq6ehNj3AVBGOUkLW2HhIC- syJeJFAD5IjjuAWe3fJPpaO8g Signed JWT Example
  9. Opaque tokens • A long random value • No identi

    fi able information in the token - must be looked up • atfqI-QW3HXqF1hkot1e6hJDIj4qHnwTEUXiGJFf09k.SRHhlx6wlDz5GZncAr99HfM7FUbDQlUg73MapL0TJ2I Example token taken from Cloudentity https://cloudentity.com/developers/basics/tokens/opaque-token/
  10. ADR - Access Token Format • Context - As an

    organisation we are using OAuth2 for our API Access and need to process Access Tokens. The IDP we use o ff ers Access Tokens in various formats and we need to pick one. • Decision - The format of the Access Tokens issued will be to use X • Consequences - Using Access Tokens in the format of X will
  11. Inspecting an Access Token • JWTs are typically inspected in-process

    • An opaque token needs to be checked, You can also inspect a JWT. • JWTs can be introspected to see if they are are revoked, though not all Auth Servers provide this. • Token Introspection endpoint - RFC 7662 - https://www.rfc-editor.org/rfc/ rfc7662.html
  12. Inspecting - Access Tokens at the edge • Scope (scope)

    - what is the Client Application authorized to access • Audiance (aud) - Where the token should be used • Authentication Context Class Reference (acr) - Authentication strength • GET /conferences • scope: conference:READ • aud: api.conferences.com • acr: 1 (password) • POST /conferences • scope: conference:WRITE • aud: api.conferences.com • acr: 2 (MFA)