API authentication with OAuth2 and Apigility

OAuth2 has become the de facto standard for authenticating access to web APIs. In this talk we present the OAuth2 framework, show the different use cases, and show how to implement them in PHP using Apigility. We cover the following scenarios: web-server applications, browser-based applications, mobile apps, username and password access, and application access. This talk was presented at ZendCon 2014 in Santa Clara (California).

Enrico Zimuel

October 28, 2014

Transcript

  1. API Authentication with OAuth2 and Apigility

    Confidential - © All rights reserved. Zend Technologies, Inc .

    Enrico Zimuel – enrico@zend.com
    Senior Software Engineer, Zend Technologies Inc.
  2. OAuth2
    • Authorization framework (RFC 6749)
    • OAuth 2.0 focuses on client-developer simplicity
    • Provides specific authorization flows for web applications, desktop applications, mobile phones and living-room devices
    • OAuth1 was complicated from a client perspective (every request had to be signed)
  3. OAuth2 definitions
    • Resource Owner: the user
    • Resource Server: the API (the server that accepts access tokens)
    • Authorization Server: the server that issues access tokens; often the same as the API server
    • Client: the third-party application
  4. OAuth2 access workflow
    • The client requests access to the server
    • The server checks the client credentials (and, depending on the flow, the resource owner's grant)
    • If the client is authorized, the server returns an access token, e.g. 907c762e069589c2cd2a229cdae7b8778caa9f07
    • The client uses the token to access the APIs: Authorization: Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07
    • A token can have a limited scope; the resource server must check the scope on every request
  5. OAuth2 scenarios
    • Web-server applications
    • Browser-based applications
    • Mobile apps
    • Username and password access
    • Application access
  6. OAuth2 security
    • OAuth2 sends sensitive data such as the client_secret or the user's password as plain request parameters (there is no message-level signing or encryption)
    • Moreover, the access_token is a bearer token that stays the same until it expires or is revoked: it is not bound to a specific HTTP request, so anyone who captures it can replay it
    • For these reasons, always use HTTPS with OAuth2!
  8. OAuth2 in Apigility
    • OAuth2 server implementation (using the bshaffer/oauth2-server-php project)
    • DB as data storage for tokens, users, clients, etc.
    • PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL) and MongoDB adapters
    • Client secrets and users' passwords are protected using bcrypt
  11. Web server applications
    • Use case: authenticate a web application with a third-party service
    • Example: social login (e.g. Twitter, Facebook)
    • 3-step flow (the authorization code grant):
      1. Redirect the user to the authorization server to request permission; on consent the server returns an authorization code to the client's redirect_uri
      2. Send the authorization code (together with client_id and client_secret) to the token endpoint, which returns the access token
      3. Send the access token to consume the API
  13. Example using Apigility
    http://localhost:8888/oauth/authorize?response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
    Send the authorization code to request the access_token (the client must first check that the state returned on the callback matches the one it sent)
  14. Request the access_token
    (the slide shows the HTTP REQUEST and RESPONSE of the token exchange)
  16. Browser-based applications
    • Common when using a JavaScript client (e.g. a Single Page Application) that requests access to the API of a third-party server
    • In a browser-based application you cannot store the client_secret securely, so the previous scenario cannot be used
    • Similar to the authorization code flow, but instead of an authorization code the authorization request returns a token directly (the implicit grant)
  18. Browser-based applications
    • The access_token is passed in a fragment identifier (#hash): redirect_uri#access_token=xxx
    • Browsers do not send the #hash part of a URL in the HTTP request, so the access_token never reaches the server behind redirect_uri; it can be read only by the client (browser)
    • Access the #hash in JavaScript: window.location.hash
    • Caveat: the token is still exposed to the browser history and to any script on the page; later guidance (the OAuth 2.0 Security Best Current Practice) recommends the authorization code grant with PKCE (RFC 7636) for browser-based and native clients instead of the implicit grant
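The two flows of slides 11-14 and 16-18 side by side, as an added example that is not Apigility's or bshaffer/oauth2-server-php's code: a minimal in-memory authorization server that serves both the authorization code grant (web-server application, with client_secret) and the implicit grant (browser-based application, token in the fragment), plus the client-side steps with the checks each flow needs (state verification, registered redirect_uri, single-use codes, scope check at the API). The endpoint paths, the client id testclient and its redirect_uri come from the slides; the spa client, the secret testpass, the scopes and the in-memory storage are assumptions made for this example.

```python
# Added example, not Apigility's code. Paths, 'testclient' and its redirect_uri
# follow the slides; 'spa', 'testpass', scopes and in-memory storage are assumed.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthServer:
    def __init__(self):
        # client_id -> (secret, or None for a public client; registered redirect_uri)
        self.clients = {"testclient": ("testpass", "/oauth/receivecode"),
                        "spa": (None, "/app/callback")}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, scope)
        self.tokens = {}  # access_token -> (client_id, scope)

    def _issue(self, client_id, scope):
        tok = secrets.token_hex(20)  # random, unguessable bearer token
        self.tokens[tok] = (client_id, scope)
        return tok

    def authorize(self, params, user_consented=True):
        """GET /oauth/authorize: redirect back to redirect_uri with a code
        (response_type=code) or, implicit flow, with the token in the fragment."""
        client_id, redirect_uri = params.get("client_id"), params.get("redirect_uri")
        response_type = params.get("response_type")
        if client_id not in self.clients or response_type not in ("code", "token"):
            raise ValueError("invalid_request")
        if redirect_uri != self.clients[client_id][1]:
            # never redirect to an unregistered URI: that is how codes and tokens leak
            raise ValueError("invalid redirect_uri")
        state = params.get("state", "")
        if not user_consented:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        scope = params.get("scope", "")
        if response_type == "code":
            code = secrets.token_hex(20)
            self.codes[code] = (client_id, redirect_uri, scope)
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        # implicit grant: token in the #fragment, which the browser does not send to the server
        frag = {"access_token": self._issue(client_id, scope), "token_type": "Bearer", "state": state}
        return redirect_uri + "#" + urlencode(frag)

    def token(self, form):
        """POST /oauth: exchange an authorization code for an access token."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = self.clients.get(form.get("client_id"))
        if (client is None or client[0] is None
                or not secrets.compare_digest(client[0], form.get("client_secret", ""))):
            raise ValueError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)  # a code is single-use
        if entry is None or entry[0] != form["client_id"] or entry[1] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        return {"access_token": self._issue(entry[0], entry[2]), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry[2]}

    def api(self, headers, required_scope):
        """Resource server: accept 'Authorization: Bearer <token>' with a sufficient scope."""
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        entry = self.tokens.get(tok)
        if scheme != "Bearer" or entry is None:
            return 401
        return 200 if required_scope in entry[1].split() else 403


def callback_params(location):
    """Client side: read the query (code flow) or the fragment (implicit flow) of the redirect."""
    parts = urlsplit(location)
    return {k: v[0] for k, v in parse_qs(parts.fragment or parts.query).items()}


def web_server_flow(server, client_secret="testpass", consent=True, scope="read"):
    """Web-server application: the three steps of slide 11, plus the state check."""
    state = secrets.token_urlsafe(16)  # ties the callback to this session (CSRF protection)
    location = server.authorize({"response_type": "code", "client_id": "testclient",
                                 "redirect_uri": "/oauth/receivecode", "scope": scope,
                                 "state": state}, user_consented=consent)
    cb = callback_params(location)
    if cb.get("state") != state:
        raise ValueError("state mismatch")
    if "error" in cb:
        return cb["error"]
    tok = server.token({"grant_type": "authorization_code", "code": cb["code"],
                        "redirect_uri": "/oauth/receivecode", "client_id": "testclient",
                        "client_secret": client_secret})
    return server.api({"Authorization": "Bearer " + tok["access_token"]}, "read")


def browser_flow(server, scope="read"):
    """Browser-based application: no client_secret; the token arrives in the #fragment."""
    state = secrets.token_urlsafe(16)
    location = server.authorize({"response_type": "token", "client_id": "spa",
                                 "redirect_uri": "/app/callback", "scope": scope, "state": state})
    if urlsplit(location).query:  # nothing secret may sit in the part the server would see
        raise ValueError("token leaked into the query string")
    cb = callback_params(location)
    if cb.get("state") != state:
        raise ValueError("state mismatch")
    return server.api({"Authorization": "Bearer " + cb["access_token"]}, "read")
```

Calling web_server_flow(AuthServer()) returns 200; with consent=False it returns "access_denied", with a wrong client_secret it raises invalid_client, and a code presented twice fails with invalid_grant. The redirects are modelled as function calls returning the Location value, so the HTTPS requirement of slide 6 is outside this block; in a real deployment every one of these exchanges must run over TLS.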
  20. Mobile apps
    • Similar to browser-based applications
    • The only difference is the redirect_uri, which in the mobile world can be a custom URI scheme
    • This allows native mobile apps to interact with a web browser: the native app opens a URL in the browser and the browser returns to the app through a custom URI (e.g. facebook://)
    • Caveat: another app on the same device can register the same custom scheme and receive the redirect, so treat the returned code or token as interceptable
  23. Username and password access
    • Used to authenticate against an API with user-based grants (the password grant, grant_type=password)
    • The typical scenario is a login web page with username and password that authenticates against a first-party API
    • The password grant is only appropriate for trusted clients, because the client handles the user's password directly. If you build your own website as a client of your API, this is a great way to handle logging in
  25. Client type
    • Confidential: clients capable of maintaining the confidentiality of their credentials (e.g. a client implemented on a secure server with restricted access to the client credentials)
    • Public: clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application)
  26. Sending client info
    • With confidential clients you must send client_id and client_secret to request the access_token:
      POST /oauth { grant_type:password, username:x, password:y, client_id:z, client_secret:w }
    • With public clients you omit the client_secret when requesting the access_token:
      POST /oauth { grant_type:password, username:x, password:y, client_id:z }
    • RFC 6749 (section 2.3.1) requires the server to accept client_id and client_secret via HTTP Basic authentication as well; passing them in the request body, as above, is the optional alternative
  28. Application access
    • Authenticate applications themselves: machine-to-machine scenarios with no resource owner involved
    • The OAuth2 grant type for this use case is called client_credentials
    • The request is the password grant without the user fields; since the client authenticates with its secret, this grant is for confidential clients only:
      POST /oauth { grant_type:client_credentials, client_id:z, client_secret:w }
    • The OAuth2 server replies with the token if the client credentials are valid
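The token endpoint behind slides 25, 26 and 28, as an added example (not Apigility's or bshaffer/oauth2-server-php's code): one POST /oauth handler that serves the password grant and the client_credentials grant and applies the confidential/public client rules, so a confidential client without its secret, a public client asking for client_credentials, or a wrong user password are each rejected with the RFC 6749 error code. Apigility stores client secrets and passwords with bcrypt; here the standard library's PBKDF2 stands in so the block runs without extra packages, which is an assumption of this example. The client id z, the user x with password y and the secret w are the placeholders used on slide 26; the public client spa is assumed.

```python
# Added example, not Apigility's code. PBKDF2 stands in for Apigility's bcrypt;
# 'z', 'x', 'y' and 'w' are the placeholders from slide 26, 'spa' is assumed.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # kept low so the example runs quickly; raise it in production


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest (a stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS), digest)


class TokenEndpoint:
    def __init__(self):
        # client_id -> (hashed secret, or None for a public client; grant types it may use)
        self.clients = {
            "z":   (hash_secret("w"), {"password", "client_credentials"}),  # confidential
            "spa": (None,             {"password"}),                        # public
        }
        self.users = {"x": hash_secret("y")}
        self.dummy = hash_secret(secrets.token_hex(8))  # equalises timing for unknown usernames
        self.tokens = {}  # access_token -> {"client_id", "sub"}

    def _issue(self, client_id, subject):
        tok = secrets.token_hex(20)
        self.tokens[tok] = {"client_id": client_id, "sub": subject}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def post(self, form):
        """POST /oauth with the form fields of slides 26 and 28; returns (HTTP status, JSON body)."""
        grant, client_id = form.get("grant_type"), form.get("client_id")
        entry = self.clients.get(client_id)
        if entry is None:
            return 401, {"error": "invalid_client"}
        stored_secret, allowed = entry
        if stored_secret is not None:
            # confidential client: client_secret is mandatory and must match
            if not verify_secret(form.get("client_secret", ""), stored_secret):
                return 401, {"error": "invalid_client"}
        elif grant == "client_credentials":
            # a public client has no secret, so it cannot authenticate as an application
            return 401, {"error": "invalid_client"}
        if grant not in allowed:
            return 400, {"error": "unauthorized_client"}
        if grant == "password":
            username = form.get("username", "")
            stored_pw = self.users.get(username, self.dummy)
            # always run the hash so a missing user takes as long as a wrong password
            ok = verify_secret(form.get("password", ""), stored_pw) and username in self.users
            if not ok:
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, username)
        if grant == "client_credentials":
            # no resource owner: the subject of the token is the application itself
            return 200, self._issue(client_id, client_id)
        return 400, {"error": "unsupported_grant_type"}
```

TokenEndpoint().post({"grant_type": "password", "username": "x", "password": "y", "client_id": "z", "client_secret": "w"}) returns status 200 with a Bearer token; the same request without client_secret gets 401 invalid_client, while client spa gets 200 for the password grant and 401 for client_credentials.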
  29. To summarize
    • Introduction to OAuth2
    • Security consideration: always use HTTPS!
    • OAuth2 in Apigility
    • Different scenarios:
      – web-server applications (e.g. social login)
      – browser-based applications
      – mobile apps
      – username and password
      – application access
  30. THANKS!
    More information: http://apigility.org
    Please rate this talk: https://joind.in/12059