Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating Services with OAuth2.0

Brent Shaffer
February 01, 2013
Technology
4
160

Integrating Services with OAuth2.0

Presentation at the Adobe Tech Summit, San Jose 2013.

Brent Shaffer

February 01, 2013
Tweet

More Decks by Brent Shaffer

See All by Brent Shaffer
If You Give a Developer a Computer
bshaffer
5
250
OAuth 2.0 (as a comic strip)
bshaffer
6
3.1k
Why OpenSource Is Better Than Your Homerolled Garbage (in a comic strip)
bshaffer
3
9.1k

Other Decks in Technology

See All in Technology
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
190
いざ、BSC討伐の旅
nikinusu
2
780
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
750
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
990
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
310
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Building Your Own Lightsaber
phodgson
103
6.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Invisible Side of Design
smashingmag
298
50k
Six Lessons from altMBA
skipperchong
27
3.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Writing Fast Ruby
sferik
627
61k
Navigating Team Friction
lara
183
14k
The Pragmatic Product Professional
lauravandoore
31
6.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k

Transcript

  1. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. © 2011 Adobe Systems Incorporated. All Rights Reserved. Adobe Con dential. Integrating Services with OAuth2.0 Brent Shaffer | Web Services Thursday, January 31, 13

  2. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. § What is OAuth? § Why does OAuth exist? § What is so great about the 2.0 version? § What does it look like? 2 Why am I here? Thursday, January 31, 13

  3. Thursday, January 31, 13

  4. Thursday, January 31, 13

  5. Thursday, January 31, 13

  6. Thursday, January 31, 13

  7. Thursday, January 31, 13

  8. Thursday, January 31, 13

  9. Thursday, January 31, 13

  10. Thursday, January 31, 13

  11. Thursday, January 31, 13

  12. Thursday, January 31, 13

  13. Thursday, January 31, 13

  14. Thursday, January 31, 13

  15. Thursday, January 31, 13

  16. Thursday, January 31, 13

  17. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 17 Don’t require your users to authenticate with 3rd parties using plaintext passwords! e moral of the story Thursday, January 31, 13

  18. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 18 OAuth Thursday, January 31, 13

  19. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 19 ree Legs Thursday, January 31, 13

  20. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 19 ree Legs Thursday, January 31, 13

  21. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 19 ree Legs USER Thursday, January 31, 13

  22. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 19 ree Legs USER SERVICE Thursday, January 31, 13

  23. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 19 ree Legs USER 3RD PARTY SERVICE Thursday, January 31, 13

  24. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 20 Tokens Thursday, January 31, 13

  25. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 21 § tokens are a representation of credentials § no trusting 3rd parties with passwords § can authorize only certain types of access (scope) § user can revoke access on client level § the user is driving this train Thursday, January 31, 13

  26. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 22 OAuth 1.0 - Pain Points Thursday, January 31, 13

  27. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 23 Signatures Thursday, January 31, 13

  28. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 24 Busted Libraries Thursday, January 31, 13

  29. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 25 Solution? Thursday, January 31, 13

  30. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 26 Refresh Tokens § Replaces encryption with expiration § Retrieves new tokens without requesting authorization § Relies on SSL for everything else Thursday, January 31, 13

  31. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 27 Extensibility § Grant Types § Return Types § Token Types § Assertion Types Thursday, January 31, 13

  32. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 28 Deep Dive Thursday, January 31, 13

  33. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 29 User Client Server Roles “3rd Party” “Resource and Authorization Provider” “Resource Owner” Thursday, January 31, 13

  34. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 30 Authorize Token Resource ree Endpoints e user authorizes the client e server returns a token to the client e server provides the resource Thursday, January 31, 13

  35. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 31 Choose Your Grant Type Thursday, January 31, 13

  36. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 32 Thursday, January 31, 13

  37. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Code Thursday, January 31, 13

  38. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Thursday, January 31, 13

  39. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorize Authorization Code Thursday, January 31, 13

  40. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorize Authorization Code Thursday, January 31, 13

  41. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Authorize Authorization Code Thursday, January 31, 13

  42. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Authorize Token Authorization Code Thursday, January 31, 13

  43. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Access Token Authorize Token Authorization Code Thursday, January 31, 13

  44. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Access Token Access Token Authorize Token Authorization Code Thursday, January 31, 13

  45. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Access Token Access Token Authorize Token Resource Authorization Code Thursday, January 31, 13

  46. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 33 Client Authorization Request Authorization Code Authorization Code Access Token Access Token Protected Resource Authorize Token Resource Authorization Code Thursday, January 31, 13

  47. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 34 Client Authorize Authorization Code GET /authorize ?response_type=code &client_id=s6BhdRkqt3 HTTP/1.1 Host: server.example.com Thursday, January 31, 13

  48. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 35 Client Authorize Authorization Code HTTP/1.1 302 Found Location: http://example.com/cb ?code=SplxlOBeZQQYbYS6WxSbIA Thursday, January 31, 13

  49. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 36 Client Token Authorization Code POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzp Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA Thursday, January 31, 13

  50. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 37 Client Token Authorization Code HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600 } Thursday, January 31, 13

  51. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 38 Client Resource Authorization Code GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA Thursday, January 31, 13

  52. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 39 Client Resource Authorization Code HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "resource":"foo", "value":"bar", "success":true } Thursday, January 31, 13

  53. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 40 Thursday, January 31, 13

  54. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 41 Thursday, January 31, 13

  55. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 42 Client Resource Owner Username / Password Access Token Access Token Protected Resource Token Resource Resource Owner Password Credentials Thursday, January 31, 13

  56. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 43 Client Resource Owner Username / Password Token Authorization Code POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzp Content-Type: application/x-www-form-urlencoded grant_type=password &username=foo &password=bar Thursday, January 31, 13

  57. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 44 Thursday, January 31, 13

  58. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 45 Client Client Credentials Access Token Access Token Protected Resource Token Resource Client Credentials Thursday, January 31, 13

  59. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 46 Client Token Client Credentials POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzp Content-Type: application/x-www-form-urlencoded grant_type=client_credentials Client Credentials Thursday, January 31, 13

  60. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 47 Thursday, January 31, 13

  61. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 48 § When your Access Token expires, get another one! § When your Refresh Token expires, start over Refresh Token Thursday, January 31, 13

  62. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 49 Client Token Authorization Code HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, “refresh_token”: “tGzv3JOkF0XG5Qx2TlKWIA“ } Thursday, January 31, 13

  63. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 50 Client Refresh Token Access Token Access Token Protected Resource Token Resource Refresh Token Thursday, January 31, 13

  64. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 51 Client Token Refresh Token POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzp Content-Type: application/x-www-form-urlencoded grant_type=refresh_token &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA Refresh Token Thursday, January 31, 13

  65. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 52 Thursday, January 31, 13

  66. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 53 Redirects a. registered by the client b. provided by the client in the redirect_uri querystring parameter to the authorize endpoint c. both* *Server validates the querystring redirect URI against the registered redirect URI A redirect URI is... Thursday, January 31, 13

  67. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 54 Client Authorize Redirects GET /authorize ?response_type=token &client_id=s6BhdRkqt3 &redirect_uri=https://example.com/cb HTTP/1.1 Host: server.example.com Thursday, January 31, 13

  68. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 55 Redirects If sent in the querystring, the redirect_uri must also be supplied to the token endpoint Thursday, January 31, 13

  69. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 56 Client Token Redirects POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzp Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https://example.com/cb Thursday, January 31, 13

  70. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 57 Thursday, January 31, 13

  71. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 58 Scope § scope is what the user has authorized the client to do § sent as part of the authorize request § granted as part of the token request § validated as part of the resource request Thursday, January 31, 13

  72. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 59 Client Authorize Scope GET /authorize ?response_type=token &client_id=s6BhdRkqt3&state=xyz &redirect_uri=https://example.com/cb &scope=somescope HTTP/1.1 Host: server.example.com Thursday, January 31, 13

  73. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 60 Thursday, January 31, 13

  74. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 61 State § Q: What happens if UserA grants an authorization code to ClientA, and tricks UserB to follow the redirection? § A: UserB would be associated with UserA’s resources! § state is a querystring parameter consisting of a CSRF token, which is passed back to the client for validation Thursday, January 31, 13

  75. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 62 Client Authorize State GET /authorize ?response_type=token &client_id=s6BhdRkqt3&state=xyz &redirect_uri=https://example.com/cb &state=xyz HTTP/1.1 Host: server.example.com Thursday, January 31, 13

  76. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 63 Client Authorize State HTTP/1.1 302 Found Location: http://example.com/cb ?code=2YotnFZFEjr1zCsicMWpAA &state=xyz Thursday, January 31, 13

  77. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 64 Criticism Thursday, January 31, 13

  78. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 65 OAuth2.0 Protocol Framework Thursday, January 31, 13

  79. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 66 Interoperability “this speci cation is likely to produce a wide range of non-interoperable implementations.” Thursday, January 31, 13

  80. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 67 Refresh Tokens § Requires extra round trip to authorization server § Additional client-side implementation logic Thursday, January 31, 13

  81. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 68 Security § Depends on SSL for encryption § Outsources security to the Client § Less Secure than OAuth 1.0 Thursday, January 31, 13

  82. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 69 Security “Every security expert will tell you to layer your security” Eran Hammer Thursday, January 31, 13

  83. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 70 Defense Thursday, January 31, 13

  84. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 71 Defense Thursday, January 31, 13

  85. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 72 Defense § Built for the Enterprise § Implement only the Grant Types needed § Complicated for server, simple for client “It’s a Framework, not a Protocol! It’s Too Complicated!” Thursday, January 31, 13

  86. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 73 Defense § Framework is extensible § We can implement MAC Tokens, JWT tokens, etc “It’s not secure!” Thursday, January 31, 13

  87. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. 74 Thursday, January 31, 13

  88. © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Con

    dential. Thursday, January 31, 13