2 API authentication • You need to develop a web API and you need authentication to restrict the access • How to proceed? • You have some options: – Basic or Digest HTTP authentication – OAuth1 – OAuth2 – Custom authentication (e.g. Amazon keyed-HMAC)
3 OAuth2 • Authorization framework (RFC 6749) • OAuth 2.0 focuses on client developer simplicity • Provides specific authorization flows for web applications, desktop applications, mobile phones, and living room devices • OAuth1 was complicated, from a client perspective
4 OAuth2 definitions • Resource Owner: the User • Resource Server: the API server • Authorization Server: often the same as the API server • Client: the Third-Party Application
5 OAuth2 access workflow • The client requests access to the server • The server checks the client credentials • If the client is authorized the server returns an access token – 907c762e069589c2cd2a229cdae7b8778caa9f07 • The client uses the token to access APIs – Authorization: Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07 • A token can have limited scope
7 OAuth2 security • In OAuth2 we send sensitive data such as client_secret or user's password in plaintext • Moreover, the access_token is always the same, if not expired or revoked (it's not generated with the specific HTTP request, eavesdropping is possible) • Use always HTTPS with OAuth2!
9 Web server applications • Use case: authenticate a web application with a third- party service • Example: social login (e.g. Twitter, Facebook) • 3-step flow authentication: 1. Request the permission to access the application (return an authorization code) 2. Send the authorization code to the OAuth2 server (return the access token) 3. Send the access token to consume the API
11 Example using Apigility http://localhost:8888/oauth/authorize? response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz Send the authentication_code to request the access_token
14 Browser-based applications • Common when using a Javascript client (e.g., a Single Page Application) that requests access to the API of a third-party server • In a browser-based application, you cannot store the client_secret in a secure way • Similar to the authorization code, but rather than an authorization code being returned from the authorization request, a token is returned
16 Browser-based applications • The access_token is specified using a fragment identifier (#hash): – redirect_uri#access_token=xxx • Using #hash, the access_token is not transmitted to the server pointed by redirect_uri, it can be accessed only by the client (browser) • Access the #hash in Javascript: window.location.hash
18 Mobile apps • Similar to browser-based applications • The only difference is the redirect_uri which, for mibile app, can be a custom URI scheme • This allow native mobile app to interact with a web browser application, opening a URL from the app and going back to the app with a custom URI (e.g. facebook://)
21 Username and password access • Used to authenticate API with user based grants (also known as a password grant) • The typical scenario includes a login web page with username and password that is used to authenticate against a first-party API • Password grant is only appropriate for trusted clients. If you build your own website as a client of your API, then this is a great way to handle logging in
23 Client type • Confidential – Clients capable of maintaining the confidentiality of their credentials (e.g. client implemented on a secure server with restricted access to the client credentials) • Public – Clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner such as an installed native application or a web browser-based application)
24 Sending client info • With confidential clients you must specify client_id and client_secret to request the access_token – POST /oauth { grant_type:password, username:x, password:y, client_id:z, client_secret:w } • With public clients you omit the client_secret to request requesting the access_token – POST /oauth { grant_type:password, username:x, password:y, client_id:z }
26 Application access • Authenticate against applications, machine to machine scenarios • The OAuth2 grant type for this use case is called client_credentials • The usage is similar to public client password access – POST /oauth { grant_type:client_credentials, client_id:z, client_secret:w } • The OAuth2 server replies with the token, if the client credentials are valid
28 Apigility • Apigility is the API builder for PHP applications • Features: REST/RPC, authentication, content negotiation, hypermedia, error handling, filter and validation, versioning, documentation, etc • Written in Zend Framework 2 but can be used in any PHP application • Open source project by Zend Technologies • http://apigility.org
29 OAuth2 in Apigility • OAuth2 Server implementation (using bshaffer/oauth2-server-php project) • DB as data storage for tokens, users, clients, etc • PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL), MongoDB adapters • Client secret and user's password protected using bcrypt
33 To summarize • Introduction to OAuth2 • Security consideration: always use HTTPS! • Different scenarios: – web-server applications (e.g. social login) – browser-based applications – mobile apps – username and password – application access • OAuth2 in Apigility
ezimuel
coe401_
masuda220
manfredsteyer
plaidtech
tomohisa
cyrilmottier
junk0612
markostanimirovic
jbvincey
harukasao
ninikoko
dmnlk
jcasabona
dougneiner
wjessup
hannesfritz
gr2m
lynnandtonic
addyosmani
mclloyd
kastner
caitiem20
sergeychernyshev
garrettdimon
