Slides of the talk "API authentication with OAuth2 in the cloud" presented at CloudConf 2015 - Turin (Italy), http://2015.cloudconf.it/
Confidential - © All rights reserved. Zend Technologies, Inc.

API Authentication with OAuth2 in the Cloud
Enrico Zimuel – [email protected]
Senior Software Engineer, Zend Technologies
API authentication
● You need to develop a web API and you need authentication to restrict the access
● How to proceed?
● You have some options:
  – Basic or Digest HTTP authentication
  – OAuth1
  – OAuth2
  – Custom authentication (e.g. Amazon keyed-HMAC)
OAuth2
● Authorization framework (RFC 6749)
● OAuth 2.0 focuses on client developer simplicity
● Provides specific authorization flows for web applications, desktop applications, mobile phones, and living room devices
● OAuth1 was complicated, from a client perspective
OAuth2 definitions
● Resource Owner: the User
● Resource Server: the API server
● Authorization Server: often the same as the API server
● Client: the Third-Party Application
OAuth2 access workflow
● The client requests access to the server
● The server checks the client credentials
● If the client is authorized the server returns an access token
  – 907c762e069589c2cd2a229cdae7b8778caa9f07
● The client uses the token to access APIs
  – Authorization: Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07
● A token can have limited scope
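The resource-server side of this workflow, as an added example that is not part of the slides or of Apigility: the API server parses the Authorization: Bearer header, looks the token up in a token store, rejects expired or revoked tokens, and enforces the token's scope. The token store, the second token, the scopes and the clock value are constructed for the example; in a real deployment they come from the OAuth2 database.

```javascript
// Added example (not from the slides): a resource server's bearer-token check.
// The token store, the expired token and the clock below are constructed.

// Parse "Authorization: Bearer <token>" (RFC 6750 syntax); return the token or null.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Constructed token store; in Apigility this lives in the OAuth2 database.
// `expires` is a Unix timestamp, `scope` the list of scopes granted to the token.
const EXPIRED_TOKEN = 'expiredtoken0000000000000000000000000000';
const TOKEN_STORE = new Map([
  ['907c762e069589c2cd2a229cdae7b8778caa9f07',
    { clientId: 'testclient', userId: 'alice', scope: ['read', 'write'], expires: 1700000000, revoked: false }],
  [EXPIRED_TOKEN,
    { clientId: 'testclient', userId: 'bob', scope: ['read'], expires: 1600000000, revoked: false }],
]);

// Decide whether a request carrying `authorizationHeader` may call an API that
// requires `requiredScope`. Returns the HTTP status and error the API should answer with.
function checkAccess(store, authorizationHeader, requiredScope, now) {
  const token = parseBearer(authorizationHeader);
  if (!token) return { ok: false, status: 401, error: 'invalid_request' };
  const rec = store.get(token);
  // An unknown, revoked or expired token is the same failure from the client's point of view.
  if (!rec || rec.revoked || rec.expires <= now) {
    return { ok: false, status: 401, error: 'invalid_token' };
  }
  // Limited scope: the token is valid but not for this API.
  if (requiredScope && !rec.scope.includes(requiredScope)) {
    return { ok: false, status: 403, error: 'insufficient_scope' };
  }
  return { ok: true, status: 200, userId: rec.userId, clientId: rec.clientId };
}

// Stand-alone demo with a constructed "now".
console.log(checkAccess(TOKEN_STORE,
  'Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07', 'write', 1650000000));
```

The same token passes for the scope it was issued with and fails with 403 for one it was not, which is the point of limiting a token's scope: a leaked read-only token cannot be used to write.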
OAuth2 scenarios
● Web-server applications
● Browser-based applications
● Mobile apps
● Username and password access
● Application access
OAuth2 security
● In OAuth2 we send sensitive data such as the client_secret or the user's password in plaintext (the protocol itself does not encrypt them)
● Moreover, the access_token stays the same until it expires or is revoked (it is not generated per HTTP request, so an eavesdropper who captures it can reuse it)
● Always use HTTPS with OAuth2!
WEB-SERVER APPLICATIONS
Web server applications
● Use case: authenticate a web application with a third-party service
● Example: social login (e.g. Twitter, Facebook)
● 3-step flow authentication:
  1. Request the permission to access the application (returns an authorization code)
  2. Send the authorization code to the OAuth2 server (returns the access token)
  3. Send the access token to consume the API
Diagram
Example using Apigility
http://localhost:8888/oauth/authorize?response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
Send the authorization code to request the access_token
Request the access_token (screenshots of the REQUEST and the RESPONSE)
BROWSER-BASED APPLICATIONS
Browser-based applications
● Common when using a JavaScript client (e.g., a Single Page Application) that requests access to the API of a third-party server
● In a browser-based application, you cannot store the client_secret in a secure way
● Similar to the authorization code flow, but rather than an authorization code being returned from the authorization request, a token is returned
Diagram
Browser-based applications
● The access_token is specified using a fragment identifier (#hash):
  – redirect_uri#access_token=xxx
● Using #hash, the access_token is not transmitted to the server pointed to by redirect_uri; it can be accessed only by the client (browser)
● Access the #hash in JavaScript: window.location.hash
MOBILE APPS
Mobile apps
● Similar to browser-based applications
● The only difference is the redirect_uri which, for a mobile app, can be a custom URI scheme
● This allows a native mobile app to interact with a web browser application, opening a URL from the app and going back to the app with a custom URI (e.g. facebook://)
Diagram
USERNAME AND PASSWORD ACCESS
Username and password access
● Used to authenticate an API with user-based grants (also known as the password grant)
● The typical scenario is a login web page with username and password that is used to authenticate against a first-party API
● The password grant is only appropriate for trusted clients. If you build your own website as a client of your API, then this is a great way to handle logging in
Diagram
Client type
● Confidential
  – Clients capable of maintaining the confidentiality of their credentials (e.g. a client implemented on a secure server with restricted access to the client credentials)
● Public
  – Clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application)
Sending client info
● With confidential clients you must specify client_id and client_secret to request the access_token
  – POST /oauth { grant_type:password, username:x, password:y, client_id:z, client_secret:w }
● With public clients you omit the client_secret when requesting the access_token
  – POST /oauth { grant_type:password, username:x, password:y, client_id:z }
APPLICATION ACCESS
Application access
● Authenticate against applications, machine-to-machine scenarios
● The OAuth2 grant type for this use case is called client_credentials
● The usage is similar to public client password access
  – POST /oauth { grant_type:client_credentials, client_id:z, client_secret:w }
● The OAuth2 server replies with the token, if the client credentials are valid
APIGILITY
Apigility
● Apigility is the API builder for PHP applications
● Features: REST/RPC, authentication, content negotiation, hypermedia, error handling, filter and validation, versioning, documentation, etc.
● Written in Zend Framework 2 but can be used in any PHP application
● Open source project by Zend Technologies
● http://apigility.org
OAuth2 in Apigility
● OAuth2 Server implementation (using the bshaffer/oauth2-server-php project)
● DB as data storage for tokens, users, clients, etc.
● PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL) and MongoDB adapters
● Client secret and user's password protected using bcrypt
OAuth2 database
OAuth2 configuration
OAuth2 authorization
To summarize
● Introduction to OAuth2
● Security consideration: always use HTTPS!
● Different scenarios:
  – web-server applications (e.g. social login)
  – browser-based applications
  – mobile apps
  – username and password
  – application access
● OAuth2 in Apigility
THANKS!
More information: http://apigility.org