
Integrating Services with OAuth2.0

Brent Shaffer
February 01, 2013


Presentation at the Adobe Tech Summit, San Jose 2013.


Transcript

  1. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Integrating Services with OAuth2.0. Brent Shaffer | Web Services. Thursday, January 31, 13
  2. Why am I here? § What is OAuth? § Why does OAuth exist? § What is so great about the 2.0 version? § What does it look like?
  3. The moral of the story: Don't require your users to authenticate with 3rd parties using plaintext passwords!
  4. OAuth
  5-9. Three Legs (one leg added per slide): USER, SERVICE, 3RD PARTY
  10. Tokens
  11. § tokens are a representation of credentials § no trusting 3rd parties with passwords § can authorize only certain types of access (scope) § user can revoke access on client level § the user is driving this train
  12. OAuth 1.0 - Pain Points
  13. Signatures
  14. Busted Libraries
  15. Solution?
  16. Refresh Tokens § Replaces encryption with expiration § Retrieves new tokens without requesting authorization § Relies on SSL for everything else
  17. Extensibility § Grant Types § Return Types § Token Types § Assertion Types
  18. Deep Dive
  19. Roles: User ("Resource Owner"), Client ("3rd Party"), Server ("Resource and Authorization Provider")
  20. Three Endpoints: Authorize (the user authorizes the client), Token (the server returns a token to the client), Resource (the server provides the resource)
  21. Choose Your Grant Type
  22-31. Authorization Code (one step added per slide): the Client sends an Authorization Request to the Authorize endpoint; the user authorizes; the server returns an Authorization Code to the Client; the Client presents the Authorization Code to the Token endpoint; the server returns an Access Token; the Client presents the Access Token to the Resource endpoint; the server returns the Protected Resource
  32. Authorization Code, Client -> Authorize endpoint:
      GET /authorize?response_type=code&client_id=s6BhdRkqt3 HTTP/1.1
      Host: server.example.com
  33. Authorization Code, Authorize endpoint -> Client:
      HTTP/1.1 302 Found
      Location: http://example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
  34. Authorization Code, Client -> Token endpoint:
      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0Mzp
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
  35. Authorization Code, Token endpoint -> Client:
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "token_type":"bearer",
        "expires_in":3600
      }
  36. Authorization Code, Client -> Resource endpoint:
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  37. Authorization Code, Resource endpoint -> Client:
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8

      { "resource":"foo", "value":"bar", "success":true }
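The three endpoints and the authorization code exchange above, as an added worked example that is not part of the deck: a toy in-memory authorization server (the class, its method names and the client secret are constructed for this example; the secret is the sample value used in RFC 6749, not a real credential). It shows the two checks the slides leave implicit: the client must authenticate at the token endpoint, and a code is single use and bound to the client it was issued to.

```python
import base64
import secrets
import time
# Constructed registration: client_id from the slides, secret is RFC 6749's sample value.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}

class AuthorizationServer:  # toy in-memory server with the deck's three endpoints
    def __init__(self, clock=time.time):  # clock is injectable so expiry can be simulated
        self.clock, self.codes, self.tokens = clock, {}, {}  # code -> client_id; token -> (client_id, expiry)

    def authorize(self, response_type, client_id):
        # Authorize endpoint: the user has approved, so issue a code bound to this client.
        if response_type != "code" or client_id not in CLIENTS:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return code

    def token(self, authorization_header, form):
        # Token endpoint: authenticate the client with HTTP Basic, then redeem the code.
        client_id = self._authenticate_client(authorization_header)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        # Pop the code before comparing, so neither a replay nor another client can redeem it.
        if self.codes.pop(form.get("code"), None) != client_id:
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = (client_id, self.clock() + 3600)
        return 200, {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def resource(self, authorization_header):
        # Resource endpoint: only a known, unexpired bearer token gets the resource.
        scheme, _, value = authorization_header.partition(" ")
        entry = self.tokens.get(value) if scheme == "Bearer" else None
        if entry is None or entry[1] <= self.clock():
            return 401, {"error": "invalid_token"}
        return 200, {"resource": "foo", "value": "bar", "success": True}

    def _authenticate_client(self, header):
        scheme, _, encoded = header.partition(" ")
        try:
            client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        expected = CLIENTS.get(client_id)
        if scheme != "Basic" or expected is None:
            return None
        return client_id if secrets.compare_digest(expected.encode(), secret.encode()) else None
```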
  38. Resource Owner Password Credentials (flow): the Client sends the Resource Owner's Username / Password to the Token endpoint; the server returns an Access Token; the Client presents the Access Token to the Resource endpoint; the server returns the Protected Resource
  39. Resource Owner Password Credentials, Client -> Token endpoint:
      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0Mzp
      Content-Type: application/x-www-form-urlencoded

      grant_type=password&username=foo&password=bar
  40. Client Credentials (flow): the Client sends its Client Credentials to the Token endpoint; the server returns an Access Token; the Client presents the Access Token to the Resource endpoint; the server returns the Protected Resource
  41. Client Credentials, Client -> Token endpoint:
      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0Mzp
      Content-Type: application/x-www-form-urlencoded

      grant_type=client_credentials
  42. Refresh Token § When your Access Token expires, get another one! § When your Refresh Token expires, start over
  43. Refresh Token, Token endpoint -> Client (the token response now carries a refresh token):
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "token_type":"bearer",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
      }
  44. Refresh Token (flow): the Client sends the Refresh Token to the Token endpoint; the server returns an Access Token; the Client presents the Access Token to the Resource endpoint; the server returns the Protected Resource
  45. Refresh Token, Client -> Token endpoint:
      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0Mzp
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
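The client-side logic behind slide 42 ("access token expires: get another one; refresh token expires: start over"), as an added example that is not from the deck. `TokenClient`, `AuthorizationRequired` and the fake token endpoint are constructed for this example; `post_token` stands in for the HTTP POST to `/token` and the clock is injectable so expiry can be simulated.

```python
import time

class AuthorizationRequired(Exception):
    """The refresh token is gone too: the user has to go through the grant again."""

class TokenClient:
    """Constructed example: keeps one token response and refreshes it transparently.
    post_token(form) stands in for POST /token and returns (status, json_body)."""

    def __init__(self, post_token, token_response, clock=time.time, leeway=30):
        self.post_token, self.clock, self.leeway = post_token, clock, leeway
        self.refresh_token = None
        self._store(token_response)

    def _store(self, body):
        self.access_token = body["access_token"]
        self.expires_at = self.clock() + body["expires_in"]
        # A refresh response may omit refresh_token, in which case the old one stays valid.
        self.refresh_token = body.get("refresh_token", self.refresh_token)

    def get_access_token(self):
        """Return a bearer token, refreshing `leeway` seconds before the current one expires."""
        if self.clock() + self.leeway < self.expires_at:
            return self.access_token
        if self.refresh_token is None:
            raise AuthorizationRequired("no refresh token: start over")
        status, body = self.post_token(
            {"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        if status != 200:
            self.refresh_token = None  # expired or revoked server side: start over
            raise AuthorizationRequired(body.get("error", "invalid_grant"))
        self._store(body)
        return self.access_token

def make_fake_token_endpoint(valid_refresh_tokens):
    """Constructed stand-in for the token endpoint: each refresh token is single use
    and rotated, as many authorization servers do."""
    def post_token(form):
        rt = form.get("refresh_token")
        if form.get("grant_type") != "refresh_token" or rt not in valid_refresh_tokens:
            return 400, {"error": "invalid_grant"}
        valid_refresh_tokens.remove(rt)
        valid_refresh_tokens.add(rt + "-rotated")
        return 200, {"access_token": "at-" + rt, "token_type": "bearer",
                     "expires_in": 3600, "refresh_token": rt + "-rotated"}
    return post_token
```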
  46. Redirects. A redirect URI is... a. registered by the client b. provided by the client in the redirect_uri querystring parameter to the authorize endpoint c. both* (*Server validates the querystring redirect URI against the registered redirect URI)
  47. Redirects, Client -> Authorize endpoint:
      GET /authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https://example.com/cb HTTP/1.1
      Host: server.example.com
  48. Redirects: If sent in the querystring, the redirect_uri must also be supplied to the token endpoint
  49. Redirects, Client -> Token endpoint:
      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0Mzp
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://example.com/cb
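The server-side redirect checks from slides 46 to 49 (validate the querystring redirect_uri against the registered one, and require the same value again at the token endpoint), as an added example that is not from the deck. `REGISTERED`, `ISSUED` and the function names are constructed; the example only accepts cases a and c from slide 46, since an unregistered client-supplied URI (case b) gives the server nothing to validate against. `naive_matches` is included only to show the prefix-match shortcut the exact comparison avoids.

```python
import secrets

# Constructed registration: the client from the slides and its registered redirect URI.
REGISTERED = {"s6BhdRkqt3": ["https://example.com/cb"]}
ISSUED = {}  # authorization code -> (client_id, redirect_uri sent to /authorize, or None)

class InvalidRedirect(Exception):
    pass

def naive_matches(requested, registered):
    # The shortcut to avoid: a prefix match accepts any path or query string appended
    # to the registered value. Kept here only to contrast with resolve_redirect_uri.
    return any(requested.startswith(r) for r in registered)

def resolve_redirect_uri(client_id, requested):
    """Authorize endpoint: pick the redirect URI the code may be sent to, or refuse.
    Refusing is safer than redirecting to an unregistered location with the code."""
    registered = REGISTERED.get(client_id, [])
    if requested is None:
        # Case a: nothing in the querystring, so the registration must be unambiguous.
        if len(registered) != 1:
            raise InvalidRedirect("redirect_uri is required for this client")
        return registered[0]
    # Case c: compare the whole string; scheme, host, path and query must all match.
    if requested not in registered:
        raise InvalidRedirect("redirect_uri does not match a registered value")
    return requested

def issue_code(client_id, requested_redirect):
    """Authorize endpoint: issue a code and remember which redirect_uri (if any) was used."""
    target = resolve_redirect_uri(client_id, requested_redirect)
    code = secrets.token_urlsafe(16)
    ISSUED[code] = (client_id, requested_redirect)
    return code, target

def redeem_code(client_id, code, supplied_redirect):
    """Token endpoint: if the authorize request carried redirect_uri, the token request
    must carry the identical value (slide 48); the code is single use either way."""
    entry = ISSUED.pop(code, None)
    if entry is None or entry[0] != client_id:
        return False
    used_redirect = entry[1]
    return used_redirect is None or used_redirect == supplied_redirect
```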
  50. Scope § scope is what the user has authorized the client to do § sent as part of the authorize request § granted as part of the token request § validated as part of the resource request
  51. Scope, Client -> Authorize endpoint:
      GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://example.com/cb&scope=somescope HTTP/1.1
      Host: server.example.com
  52. State § Q: What happens if UserA grants an authorization code to ClientA, and tricks UserB to follow the redirection? § A: UserB would be associated with UserA's resources! § state is a querystring parameter consisting of a CSRF token, which is passed back to the client for validation
  53. State, Client -> Authorize endpoint:
      GET /authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https://example.com/cb&state=xyz HTTP/1.1
      Host: server.example.com
  54. State, Authorize endpoint -> Client:
      HTTP/1.1 302 Found
      Location: http://example.com/cb?code=2YotnFZFEjr1zCsicMWpAA&state=xyz
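The client side of slides 51 to 54, as an added example that is not from the deck: mint `state` as a per-user CSRF token, carry it (with `scope`) in the authorize request, and on the callback accept the code only if `state` matches the value stored in that user's own session. `AUTHORIZE_URL`, the function names and the `session` dict are constructed; the test replays the UserA/UserB scenario from slide 52.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://server.example.com/authorize"  # host taken from the slides

class StateMismatch(Exception):
    pass

def begin_authorization(session, client_id, redirect_uri, scope=None):
    """Client: mint a fresh CSRF token, keep it in this user's server-side session,
    and send it as `state` in the authorize request."""
    state = secrets.token_urlsafe(24)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(session, callback_url):
    """Client: on the redirect back, return the code only if `state` equals the
    value in *this* user's session. A code delivered into another user's session
    (the UserA/UserB trick) fails here instead of linking the wrong account."""
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails too
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None or \
            not secrets.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("state missing or does not match the session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code
```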
  55. Criticism
  56. OAuth2.0 Protocol Framework
  57. Interoperability: "this specification is likely to produce a wide range of non-interoperable implementations."
  58. Refresh Tokens § Requires extra round trip to authorization server § Additional client-side implementation logic
  59. Security § Depends on SSL for encryption § Outsources security to the Client § Less Secure than OAuth 1.0
  60. Security: "Every security expert will tell you to layer your security" (Eran Hammer)
  61-62. Defense
  63. Defense, "It's a Framework, not a Protocol! It's Too Complicated!" § Built for the Enterprise § Implement only the Grant Types needed § Complicated for server, simple for client
  64. Defense, "It's not secure!" § Framework is extensible § We can implement MAC Tokens, JWT tokens, etc