API authentication with OAuth2 in the cloud

Confidential - © All rights reserved. Zend Technologies, Inc
.
1
.
API Authentication with
OAuth2 in the Cloud
Enrico Zimuel – [email protected]
Senior Software Engineer
Zend Technologies

View Slide

.
2
API authentication
●
You need to develop a web API and you need
authentication to restrict the access
●
How to proceed?
●
You have some options:
– Basic or Digest HTTP authentication
– OAuth1
– OAuth2
– Custom authentication (e.g. Amazon keyed-HMAC)

View Slide

.
3
OAuth2
●
Authorization framework (RFC 6749)
●
OAuth 2.0 focuses on client developer simplicity
●
Provides specific authorization flows for web
applications, desktop applications, mobile phones,
and living room devices
●
OAuth1 was complicated, from a client perspective

View Slide

.
4
OAuth2 definitions
●
Resource Owner: the User
●
Resource Server: the API server
●
Authorization Server: often the same as the API
server
●
Client: the Third-Party Application

View Slide

.
5
OAuth2 access workflow
●
The client requests access to the server
●
The server checks the client credentials
●
If the client is authorized the server returns an
access token
– 907c762e069589c2cd2a229cdae7b8778caa9f07
●
The client uses the token to access APIs
– Authorization: Bearer
907c762e069589c2cd2a229cdae7b8778caa9f07
●
A token can have limited scope

View Slide

.
6
OAuth2 scenarios
●
Web-server applications
●
Browser-based applications
●
Mobile apps
●
Username and password access
●
Application access

View Slide

.
7
OAuth2 security
●
In OAuth2 we send sensitive data such as
client_secret or user's password in plaintext
●
Moreover, the access_token is always the same, if
not expired or revoked (it's not generated with the
specific HTTP request, eavesdropping is possible)
●
Use always HTTPS with OAuth2!

View Slide

.
8
WEB-SERVER APPLICATIONS

View Slide

.
9
Web server applications
●
Use case: authenticate a web application with a third-
party service
●
Example: social login (e.g. Twitter, Facebook)
●
3-step flow authentication:
1. Request the permission to access the application
(return an authorization code)
2. Send the authorization code to the OAuth2 server
(return the access token)
3. Send the access token to consume the API

View Slide

.
10
Diagram

View Slide

.
11
Example using Apigility
http://localhost:8888/oauth/authorize?
response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
Send the authentication_code
to request the access_token

View Slide

.
12
Request the access_token
REQUEST
RESPONSE

View Slide

.
13
BROWSER-BASED APPLICATIONS

View Slide

.
14
●
Common when using a Javascript client (e.g., a Single
Page Application) that requests access to the API of a
third-party server
●
In a browser-based application, you cannot store the
client_secret in a secure way
●
Similar to the authorization code, but rather than an
authorization code being returned from the
authorization request, a token is returned

View Slide

.
15
Diagram

View Slide

.
16
●
The access_token is specified using a fragment
identifier (#hash):
– redirect_uri#access_token=xxx
●
Using #hash, the access_token is not transmitted to
the server pointed by redirect_uri, it can be accessed
only by the client (browser)
●
Access the #hash in Javascript:
window.location.hash

View Slide

.
17
MOBILE APPS

View Slide

.
18
Mobile apps
●
Similar to browser-based applications
●
The only difference is the redirect_uri which, for
mibile app, can be a custom URI scheme
●
This allow native mobile app to interact with a web
browser application, opening a URL from the app and
going back to the app with a custom URI (e.g.
facebook://)

View Slide

.
19
Diagram

View Slide

.
20
USERNAME AND PASSWORD
ACCESS

View Slide

.
21
Username and password access
●
Used to authenticate API with user based grants (also
known as a password grant)
●
The typical scenario includes a login web page with
username and password that is used to
authenticate against a first-party API
●
Password grant is only appropriate for trusted
clients. If you build your own website as a client of
your API, then this is a great way to handle logging in

View Slide

.
22
Diagram

View Slide

.
23
Client type
●
Confidential
– Clients capable of maintaining the confidentiality of
their credentials (e.g. client implemented on a secure
server with restricted access to the client credentials)
●
Public
– Clients incapable of maintaining the confidentiality of
their credentials (e.g. clients executing on the device
used by the resource owner such as an installed native
application or a web browser-based application)

View Slide

.
24
Sending client info
●
With confidential clients you must specify client_id
and client_secret to request the access_token
– POST /oauth
{ grant_type:password, username:x, password:y,
client_id:z, client_secret:w }
●
With public clients you omit the client_secret to
request requesting the access_token
– POST /oauth
{ grant_type:password, username:x, password:y,
client_id:z }

View Slide

.
25
APPLICATION ACCESS

View Slide

.
26
Application access
●
Authenticate against applications, machine to
machine scenarios
●
The OAuth2 grant type for this use case is called
client_credentials
●
The usage is similar to public client password access
– POST /oauth { grant_type:client_credentials,
client_id:z, client_secret:w }
●
The OAuth2 server replies with the token, if the client
credentials are valid

View Slide

.
27
APIGILITY

View Slide

.
28
Apigility
●
Apigility is the API builder for PHP applications
●
Features: REST/RPC, authentication, content
negotiation, hypermedia, error handling, filter and
validation, versioning, documentation, etc
●
Written in Zend Framework 2 but can be used in
any PHP application
●
Open source project by Zend Technologies
●
http://apigility.org

View Slide

.
29
OAuth2 in Apigility
●
OAuth2 Server implementation (using
bshaffer/oauth2-server-php project)
●
DB as data storage for tokens, users, clients, etc
●
PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL),
MongoDB adapters
●
Client secret and user's password protected using
bcrypt

View Slide

.
30
OAuth2 database

View Slide

.
31
OAuth2 configuration

View Slide

.
32
OAuth2 authorization

View Slide

.
33
To summarize
●
Introduction to OAuth2
●
Security consideration: always use HTTPS!
●
Different scenarios:
– web-server applications (e.g. social login)
– browser-based applications
– mobile apps
– username and password
– application access
●
OAuth2 in Apigility

View Slide

.
34
THANKS!
More information:
http://apigility.org

View Slide

API authentication with OAuth2 in the cloud

API authentication with OAuth2 in the cloud

Enrico Zimuel

More Decks by Enrico Zimuel

Other Decks in Programming

Featured

Transcript