API authentication with OAuth2 in the cloud

Slides of the talk "API authentication with OAuth2 in the cloud" presented at CloudConf 2015 - Turin (Italy), http://2015.cloudconf.it/

Enrico Zimuel

March 19, 2015

Transcript

  1. Confidential - © All rights reserved. Zend Technologies, Inc.
    API Authentication with OAuth2 in the Cloud
    Enrico Zimuel – [email protected]
    Senior Software Engineer
    Zend Technologies

  2. API authentication

    You need to develop a web API and you need
    authentication to restrict access to it

    How to proceed?

    You have some options:
    – Basic or Digest HTTP authentication
    – OAuth1
    – OAuth2
    – Custom authentication (e.g. Amazon keyed-HMAC)

  3. OAuth2

    Authorization framework (RFC 6749)

    OAuth 2.0 focuses on client developer simplicity

    Provides specific authorization flows for web
    applications, desktop applications, mobile phones,
    and living room devices

    OAuth1 was complicated, from a client perspective

  4. OAuth2 definitions

    Resource Owner: the User

    Resource Server: the API server

    Authorization Server: often the same as the API
    server

    Client: the Third-Party Application

  5. OAuth2 access workflow

    The client requests access to the server

    The server checks the client credentials

    If the client is authorized the server returns an
    access token
    – 907c762e069589c2cd2a229cdae7b8778caa9f07

    The client uses the token to access APIs
    – Authorization: Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07

    A token can have limited scope

  6. OAuth2 scenarios

    Web-server applications

    Browser-based applications

    Mobile apps

    Username and password access

    Application access

  7. OAuth2 security

    In OAuth2, sensitive data such as the client_secret or the
    user's password is sent in plaintext at the protocol level

    Moreover, the access_token stays the same until it expires or
    is revoked (it is not derived from the specific HTTP request,
    so it can be captured by an eavesdropper and reused)

    Always use HTTPS with OAuth2!
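
As an added example (not from the slides and not Apigility code), the check a resource server makes on the "Authorization: Bearer" header of slide 5, combined with the consequence of slide 7: the token is a static bearer credential, so it is only honoured on a TLS-protected connection, is rejected once expired or revoked, and the scope it was issued with is enforced per endpoint. The token store, its scopes and expiry times, the two extra token values, the req.secure flag and the reason field are assumptions of this example; the first token value is the sample shown on slide 5.

```javascript
// Added example, not code from the deck: resource-server side handling of
// "Authorization: Bearer <token>" (slides 5 and 7). The store and its entries
// are constructed for the demo; the first token is the sample value from slide 5.

// token -> { clientId, scope, expires (unix seconds), revoked }
const TOKEN_STORE = new Map([
  ['907c762e069589c2cd2a229cdae7b8778caa9f07',
    { clientId: 'testclient', scope: ['read', 'write'], expires: 1900000000, revoked: false }],
  ['1111111111111111111111111111111111111111', // constructed: already expired
    { clientId: 'testclient', scope: ['read'], expires: 1000000000, revoked: false }],
  ['2222222222222222222222222222222222222222', // constructed: revoked by the user
    { clientId: 'testclient', scope: ['read'], expires: 1900000000, revoked: true }],
]);

// Pull the token out of the header value. RFC 6750 allows the b64token
// alphabet; anything else (Basic, Digest, malformed, missing) yields null.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Decide whether a request may proceed.
//   req.authorization  the Authorization header value (or undefined)
//   req.secure         true when the request arrived over TLS (assumed flag)
//   requiredScope      the scope this endpoint needs
//   now                current time in unix seconds
// Returns { ok: true, clientId } or { ok: false, error, reason }; `error` is
// the RFC 6750 code the server would echo in the WWW-Authenticate header.
function authorize(req, requiredScope, now) {
  // Slide 7: the token is reused on every request, so anyone who reads it off
  // the wire can reuse it. Refuse to honour tokens on an unencrypted channel.
  if (!req.secure) return { ok: false, error: 'invalid_request', reason: 'tls_required' };

  const token = parseBearer(req.authorization);
  if (!token) return { ok: false, error: 'invalid_request', reason: 'no_bearer_token' };

  const rec = TOKEN_STORE.get(token);
  if (!rec) return { ok: false, error: 'invalid_token', reason: 'unknown' };
  if (rec.revoked) return { ok: false, error: 'invalid_token', reason: 'revoked' };
  if (rec.expires <= now) return { ok: false, error: 'invalid_token', reason: 'expired' };

  // Slide 5: a token can have limited scope; enforce it for this endpoint.
  if (!rec.scope.includes(requiredScope)) {
    return { ok: false, error: 'insufficient_scope', reason: 'needs ' + requiredScope };
  }
  return { ok: true, clientId: rec.clientId };
}
```

The store lookup is what makes expiry and revocation effective: a token that is merely well-formed proves nothing, and a revoked token must be refused even though the bytes are unchanged.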

  8. WEB-SERVER APPLICATIONS

  9. Web server applications

    Use case: authenticate a web application with a third-party service

    Example: social login (e.g. Twitter, Facebook)

    3-step authentication flow:
    1. Request the permission to access the application
    (the server returns an authorization code)
    2. Send the authorization code to the OAuth2 server
    (the server returns the access token)
    3. Send the access token to consume the API

  10. Diagram

  11. Example using Apigility
    http://localhost:8888/oauth/authorize?response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
    Send the authorization code to request the access_token

  12. Request the access_token
    REQUEST
    RESPONSE

  13. BROWSER-BASED APPLICATIONS

  14. Browser-based applications

    Common when using a Javascript client (e.g., a Single
    Page Application) that requests access to the API of a
    third-party server

    In a browser-based application, you cannot store the
    client_secret in a secure way

    Similar to the authorization code, but rather than an
    authorization code being returned from the
    authorization request, a token is returned

  15. Diagram

  16. Browser-based applications

    The access_token is specified using a fragment
    identifier (#hash):
    – redirect_uri#access_token=xxx

    Because it is in the #hash fragment, the access_token is not
    transmitted to the server that redirect_uri points to; it can be
    read only by the client (the browser)

    Access the #hash in Javascript:
    window.location.hash

  17. MOBILE APPS

  18. Mobile apps

    Similar to browser-based applications

    The only difference is the redirect_uri which, for a
    mobile app, can be a custom URI scheme

    This allows a native mobile app to interact with a web
    browser application: the app opens a URL and the browser
    returns to the app via a custom URI (e.g. facebook://)

  19. Diagram

  20. USERNAME AND PASSWORD ACCESS

  21. Username and password access

    Used to authenticate against an API with user-based grants
    (also known as the password grant)

    The typical scenario includes a login web page with
    username and password that is used to
    authenticate against a first-party API

    Password grant is only appropriate for trusted
    clients. If you build your own website as a client of
    your API, then this is a great way to handle logging in

  22. Diagram

  23. Client type

    Confidential
    – Clients capable of maintaining the confidentiality of
    their credentials (e.g. client implemented on a secure
    server with restricted access to the client credentials)

    Public
    – Clients incapable of maintaining the confidentiality of
    their credentials (e.g. clients executing on the device
    used by the resource owner such as an installed native
    application or a web browser-based application)

  24. Sending client info

    With confidential clients you must specify client_id
    and client_secret to request the access_token
    – POST /oauth { grant_type:password, username:x, password:y, client_id:z, client_secret:w }

    With public clients you omit the client_secret when
    requesting the access_token
    – POST /oauth { grant_type:password, username:x, password:y, client_id:z }

  25. APPLICATION ACCESS

  26. Application access

    Authenticate applications rather than users: machine-to-
    machine scenarios

    The OAuth2 grant type for this use case is called
    client_credentials

    The usage is similar to public client password access
    – POST /oauth { grant_type:client_credentials, client_id:z, client_secret:w }

    The OAuth2 server replies with the token, if the client
    credentials are valid

  27. APIGILITY

  28. Apigility

    Apigility is the API builder for PHP applications

    Features: REST/RPC, authentication, content
    negotiation, hypermedia, error handling, filter and
    validation, versioning, documentation, etc

    Written in Zend Framework 2 but can be used in
    any PHP application

    Open source project by Zend Technologies

    http://apigility.org

  29. OAuth2 in Apigility

    OAuth2 Server implementation (using
    bshaffer/oauth2-server-php project)

    DB as data storage for tokens, users, clients, etc

    PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL),
    MongoDB adapters

    Client secret and user's password protected using
    bcrypt

  30. OAuth2 database

  31. OAuth2 configuration

  32. OAuth2 authorization

  33. To summarize

    Introduction to OAuth2

    Security consideration: always use HTTPS!

    Different scenarios:
    – web-server applications (e.g. social login)
    – browser-based applications
    – mobile apps
    – username and password
    – application access

    OAuth2 in Apigility

  34. THANKS!
    More information:
    http://apigility.org