
API authentication with OAuth2 and Apigility

OAuth has become the de facto standard for authenticating web APIs. In this talk we present the OAuth2 framework, showing the different use cases and how to implement it in PHP using Apigility. We cover the following scenarios: web-server applications, browser-based applications, mobile apps, username and password access, and application access. This talk was presented at ZendCon 2014 in Santa Clara (California).

Enrico Zimuel

October 28, 2014

Transcript

  1. Confidential - © All rights reserved. Zend Technologies, Inc.
    API Authentication with OAuth2 and Apigility
    Enrico Zimuel – [email protected]
    Senior Software Engineer
    Zend Technologies Inc.

  2. OAuth2

    Authorization framework (RFC 6749)

    OAuth 2.0 focuses on client developer simplicity

    Provides specific authorization flows for web
    applications, desktop applications, mobile phones,
    and living room devices

    OAuth1 was complicated, from a client perspective

  3. OAuth2 definitions

    Resource Owner: the User

    Resource Server: the API

    Authorization Server: often the same as the API
    server

    Client: the Third-Party Application

  4. OAuth2 access workflow

    The client requests access to the server

    The server checks the client credentials

    If the client is authorized, the server returns an
    access token
    – 907c762e069589c2cd2a229cdae7b8778caa9f07

    The client uses the token to access APIs
    – Authorization: Bearer
    907c762e069589c2cd2a229cdae7b8778caa9f07

    A token can have limited scope

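    The resource-server side of this workflow, as an added example (not code from the deck or from Apigility): the API parses the Authorization: Bearer header, rejects unknown or expired tokens and enforces the token's scope. TOKEN_STORE is constructed sample data standing in for the access-token table; the first token value is the one on the slide, the second is a made-up expired one.

```javascript
// Added example, not code from the deck or from Apigility: what the resource
// server (the API) does with the "Authorization: Bearer <token>" header shown
// on this slide. TOKEN_STORE is constructed sample data standing in for the
// access-token table; the first token value is the one from the slide.
// "expires" is a Unix timestamp (seconds); scopes are space-separated.
const TOKEN_STORE = new Map([
  ['907c762e069589c2cd2a229cdae7b8778caa9f07',
    { client_id: 'testclient', user_id: 'alice', scope: 'read write', expires: 1700000000 }],
  ['0000000000000000000000000000000000000000', // constructed, already expired
    { client_id: 'testclient', user_id: 'bob', scope: 'read', expires: 1600000000 }],
]);

// Extract the token from an Authorization header (RFC 6750 section 2.1):
// the scheme is case-insensitive and the value must be a single b64token.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$/i.exec(headerValue);
  return m ? m[1] : null;
}

// Gate one API request. `headers` is a map with lower-cased names, as Node's
// http module delivers them. Results mirror the RFC 6750 section 3.1 errors:
//   401 invalid_request    no usable Authorization header
//   401 invalid_token      unknown or expired token
//   403 insufficient_scope token valid but lacks the required scope
function authorizeRequest(headers, requiredScope, nowSeconds) {
  const token = parseBearer(headers.authorization);
  if (!token) return { status: 401, error: 'invalid_request' };
  const record = TOKEN_STORE.get(token);
  if (!record || record.expires <= nowSeconds) {
    return { status: 401, error: 'invalid_token' };
  }
  if (requiredScope && !record.scope.split(' ').includes(requiredScope)) {
    return { status: 403, error: 'insufficient_scope' };
  }
  return { status: 200, user_id: record.user_id, client_id: record.client_id };
}
```

    Because the same bearer value is replayed on every call until it expires, this check is only as strong as the transport that carried the token, which is the point slide 6 makes.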
  5. OAuth2 scenarios

    Web-server applications

    Browser-based applications

    Mobile apps

    Username and password access

    Application access

  6. OAuth2 security

    OAuth2 itself sends sensitive data, such as the
    client_secret or the user's password, in plaintext

    Moreover, the access_token stays the same until it
    expires or is revoked (it is not bound to the specific
    HTTP request, so a token captured by eavesdropping
    can be reused)

    For this reason, always use HTTPS with OAuth2!

  7. OAUTH2 IN APIGILITY

  8. OAuth2 in Apigility

    OAuth2 server implementation (using the
    bshaffer/oauth2-server-php project)

    DB as data storage for tokens, users, clients, etc.

    PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL) and
    MongoDB adapters

    Client secret and user's password protected using
    bcrypt

  9. OAuth2 database

  10. WEB-SERVER APPLICATIONS

  11. Web server applications

    Use case: authenticate a web application with a third-
    party service

    Example: social login (e.g. Twitter, Facebook)

    3-step authentication flow:
    1. Request permission to access the application
    (returns an authorization code)
    2. Send the authorization code to the server
    (returns the access token)
    3. Send the access token to consume the API

  12. Diagram

  13. Example using Apigility
    http://localhost:8888/oauth/authorize?response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
    Send the authorization code
    to request the access_token

  14. Request the access_token
    (the slide shows the HTTP request and its response)

  15. BROWSER-BASED APPLICATIONS

  16. Browser-based applications

    Common when using a JavaScript client (e.g., a Single
    Page Application) that requests access to the API of a
    third-party server

    In a browser-based application you cannot store the
    client_secret securely, so the previous scenario
    cannot be used

    Similar to the authorization code, but rather than an
    authorization code being returned from the
    authorization request, a token is returned

  17. Diagram

  18. Browser-based applications

    The access_token is specified using a fragment
    identifier (#hash):
    – redirect_uri#access_token=xxx

    Because it travels in the #hash, the access_token is
    not transmitted to the server behind redirect_uri; it
    can be read only by the client (the browser)

    Access the #hash in Javascript:
    window.location.hash

  19. MOBILE APPS

  20. Mobile apps

    Similar to browser-based applications

    The only difference is the redirect_uri which, in the
    mobile world, can be a custom URI scheme

    This allows native mobile apps to interact with a web
    browser: the app opens a URL in the browser, and the
    browser returns to the app through a custom URI (e.g.
    facebook://)

  21. Diagram

  22. USERNAME AND PASSWORD ACCESS

  23. Username and password access

    Used to authenticate against an API with user-based
    grants (also known as the password grant)

    The typical scenario includes a login web page with
    username and password that is used to
    authenticate against a first-party API

    Password grant is only appropriate for trusted
    clients. If you build your own website as a client of
    your API, then this is a great way to handle logging in

  24. Diagram

  25. Client type

    Confidential
    – Clients capable of maintaining the confidentiality of
    their credentials (e.g. client implemented on a secure
    server with restricted access to the client credentials)

    Public
    – Clients incapable of maintaining the confidentiality of
    their credentials (e.g. clients executing on the device
    used by the resource owner such as an installed native
    application or a web browser-based application)

  26. Sending client info

    With confidential clients you must specify client_id
    and client_secret to request the access_token
    – POST /oauth
    { grant_type:password, username:x, password:y,
    client_id:z, client_secret:w }

    With public clients you omit the client_secret when
    requesting the access_token
    – POST /oauth
    { grant_type:password, username:x, password:y,
    client_id:z }

  27. APPLICATION ACCESS

  28. Application access

    Authenticate against applications, machine to
    machine scenarios

    The OAuth2 grant type for this use case is called
    client_credentials

    The usage is similar to public client password access
    – POST /oauth { grant_type:client_credentials,
    client_id:z, client_secret:w }

    The OAuth2 server replies with the token, if the client
    credentials are valid

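    Assembling the POST /oauth token request for the grants shown on slides 14, 26 and 28, as an added example (not code from the deck or from Apigility), with the confidential/public client rule of slide 25 enforced in code rather than left to the caller. RFC 6749 carries these fields as application/x-www-form-urlencoded; the slides list the same fields in a JSON-like shorthand. Client and user values are constructed.

```javascript
// Added example, not code from the deck or from Apigility: build the body of
// the POST /oauth token request for the grants on slides 14, 26 and 28, and
// enforce the confidential/public distinction from slide 25. Field names are
// the RFC 6749 ones the slides use; all client and user values are constructed.
const REQUIRED_PARAMS = {
  authorization_code: ['code', 'redirect_uri'], // web-server app, step 2
  password: ['username', 'password'],           // first-party login page
  client_credentials: [],                       // machine-to-machine
};

// client = { client_id, client_secret (confidential only), confidential: bool }
// Returns { headers, body } ready for POST /oauth, or throws on a misuse.
function tokenRequest(grantType, params, client) {
  const required = REQUIRED_PARAMS[grantType];
  if (!required) throw new Error('unsupported grant_type: ' + grantType);
  for (const name of required) {
    if (!params[name]) throw new Error('missing parameter: ' + name);
  }
  const body = new URLSearchParams({ grant_type: grantType, ...params });
  body.set('client_id', client.client_id);
  if (client.confidential) {
    // Slide 26: confidential clients prove their identity with client_secret.
    // (RFC 6749 section 2.3.1 also allows sending it as HTTP Basic instead.)
    if (!client.client_secret) throw new Error('confidential client needs client_secret');
    body.set('client_secret', client.client_secret);
  } else {
    // Public clients (browser, mobile) cannot keep a secret, so none is sent;
    // client_credentials exists only to present a secret, so refuse it here.
    if (grantType === 'client_credentials') {
      throw new Error('client_credentials requires a confidential client');
    }
  }
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}
```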
  29. To summarize

    Introduction to OAuth2

    Security considerations: always use HTTPS!

    OAuth2 in Apigility

    Different scenarios:
    – web-server applications (e.g. social login)
    – browser-based applications
    – mobile apps
    – username and password
    – application access

  30. THANKS!
    More information:
    http://apigility.org
    Please rate this talk: https://joind.in/12059