
API authentication with OAuth2 in the cloud

Slides of the talk "API authentication with OAuth2 in the cloud" presented at CloudConf 2015 - Turin (Italy), http://2015.cloudconf.it/

Enrico Zimuel

March 19, 2015

Transcript

  1. Confidential - © All rights reserved. Zend Technologies, Inc .

    API Authentication with OAuth2 in the Cloud
    Enrico Zimuel – [email protected], Senior Software Engineer, Zend Technologies
  2. API authentication
    • You need to develop a web API and you need authentication to restrict access
    • How to proceed? You have some options:
      – Basic or Digest HTTP authentication
      – OAuth1
      – OAuth2
      – Custom authentication (e.g. Amazon keyed-HMAC)
  3. OAuth2
    • Authorization framework (RFC 6749)
    • OAuth 2.0 focuses on client developer simplicity
    • Provides specific authorization flows for web applications, desktop applications, mobile phones, and living room devices
    • OAuth1 was complicated from a client perspective
  4. OAuth2 definitions
    • Resource Owner: the user
    • Resource Server: the API server
    • Authorization Server: the server that issues the access tokens; often the same as the API server
    • Client: the third-party application
  5. OAuth2 access workflow
    • The client requests access from the authorization server (what the request contains depends on the grant type, see the scenarios below)
    • The server checks the client credentials (and, for user-based grants, the user's authorization)
    • If the client is authorized the server returns an access token:
      – 907c762e069589c2cd2a229cdae7b8778caa9f07
    • The client uses the token to access APIs; it is a bearer token (RFC 6750), so whoever presents it gets access:
      – Authorization: Bearer 907c762e069589c2cd2a229cdae7b8778caa9f07
    • A token can have limited scope
  6. OAuth2 scenarios
    • Web-server applications
    • Browser-based applications
    • Mobile apps
    • Username and password access
    • Application access
  7. OAuth2 security
    • OAuth2 requests are not signed: client_secret, the user's password (password grant) and the tokens travel in the clear at the HTTP level, so the transport has to protect them
    • Moreover, the access_token is a bearer token: it stays the same until it expires or is revoked and is not bound to the individual HTTP request, so anyone who eavesdrops on it can replay it
    • Always use HTTPS with OAuth2!
  8. Web server applications
    • Use case: authenticate a web application with a third-party service
    • Example: social login (e.g. Twitter, Facebook)
    • Three-step flow (the authorization code grant):
      1. Redirect the user to the authorization server to ask permission; the server redirects the user back to the client with an authorization code
      2. Send the authorization code, together with the client credentials, to the OAuth2 server's token endpoint, which returns the access token
      3. Send the access token with each API request
  9. Example using Apigility
    http://localhost:8888/oauth/authorize?response_type=code&client_id=testclient&redirect_uri=/oauth/receivecode&state=xyz
    The state value is chosen by the client and must be checked when the authorization server redirects back to redirect_uri: it ties the response to the session that started the request (CSRF protection). Then send the authorization code to request the access_token.
  10. Request the access_token (the request and the response were shown as screenshots on the slide and are not part of the transcript)
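The three steps of the web-server flow, as an added example that is not code from the slides or from Apigility: both sides of the exchange are simulated in one process (the AuthServer class stands in for the authorization server and the API), so it runs offline. The endpoint URLs, the client id and secret, the redirect_uri and the scope are made-up sample values. Besides the happy path it shows the checks a practitioner should not skip: redirect_uri matching, state verification on the callback, client authentication at the token endpoint, and single use of the code.

```python
"""Authorization code grant, all three steps simulated in one process.

Added example, not code from the slides or from Apigility: the AuthServer
class stands in for the OAuth2 server and the API, so no network is needed.
The endpoint URLs, client id/secret, redirect_uri and scope are sample values.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example/oauth/authorize"  # assumed
TOKEN_URL = "https://auth.example/oauth"                # assumed


class AuthServer:
    """Authorization server + resource server with in-memory state."""

    def __init__(self):
        # registered clients: client_id -> (client_secret, registered redirect_uri)
        self.clients = {"testclient": ("s3cret", "https://app.example/oauth/receivecode")}
        self.codes = {}    # authorization code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access_token -> (client_id, scope)

    def authorize(self, params, user_consents=True):
        """Step 1: the user's browser arrives here; returns the redirect back to the client."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        if client_id not in self.clients or redirect_uri != self.clients[client_id][1]:
            # Never redirect to an unregistered URI: that would hand the code to an attacker.
            raise ValueError("redirect_uri mismatch")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        response = {"state": params["state"]}  # echoed back unchanged
        if user_consents:
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, redirect_uri, params.get("scope", ""))
            response["code"] = code
        else:
            response["error"] = "access_denied"
        return redirect_uri + "?" + urlencode(response)

    def token(self, form):
        """Step 2: exchange the code for a token; the confidential client must authenticate."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        secret = self.clients.get(form.get("client_id"), (None, None))[0]
        if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
            raise ValueError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)  # pop: a code can be used only once
        if entry is None or entry[0] != form["client_id"] or entry[1] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        access_token = secrets.token_hex(20)  # 40 hex chars, like the token on the slide
        self.tokens[access_token] = (entry[0], entry[2])
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": entry[2]}

    def api(self, headers):
        """Step 3: the resource server checks the bearer token on each request."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            return 401, {"error": "invalid_token"}
        return 200, {"client": self.tokens[token][0], "scope": self.tokens[token][1]}


def run_flow(server, client_id="testclient", client_secret="s3cret",
             redirect_uri="https://app.example/oauth/receivecode", tamper_state=False):
    """Client side of the three steps; returns the API's (status, body)."""
    state = secrets.token_urlsafe(16)  # kept in the user's session until the callback
    auth_request = {"response_type": "code", "client_id": client_id,
                    "redirect_uri": redirect_uri, "scope": "read", "state": state}
    # In reality the browser is sent to AUTHORIZE_URL + "?" + urlencode(auth_request).
    callback = parse_qs(urlsplit(server.authorize(auth_request)).query)
    returned_state = "attacker-chosen" if tamper_state else callback["state"][0]
    if not hmac.compare_digest(returned_state, state):
        raise ValueError("state mismatch: possible CSRF, discard the code")
    if "code" not in callback:
        raise ValueError(callback.get("error", ["unknown_error"])[0])
    tok = server.token({"grant_type": "authorization_code", "code": callback["code"][0],
                        "redirect_uri": redirect_uri, "client_id": client_id,
                        "client_secret": client_secret})
    return server.api({"Authorization": tok["token_type"] + " " + tok["access_token"]})


def try_flow(server, **kwargs):
    """Wrap run_flow so that a failure comes back as ("error", reason)."""
    try:
        return "ok", run_flow(server, **kwargs)[0]
    except ValueError as exc:
        return "error", str(exc)
```

try_flow(AuthServer()) returns ("ok", 200); passing tamper_state=True, a wrong client_secret or an unregistered redirect_uri returns the corresponding error instead of a token.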
  11. Browser-based applications
    • Common when a JavaScript client (e.g. a Single Page Application) requests access to the API of a third-party server
    • In a browser-based application you cannot store the client_secret securely, so the client is a public client
    • The implicit grant (response_type=token) works like the authorization code grant, but the authorization request returns an access token directly instead of an authorization code
  12. Browser-based applications
    • The access_token is returned in the fragment identifier (#hash) of the redirect:
      – redirect_uri#access_token=xxx
    • Using the #hash, the access_token is not transmitted to the server pointed to by redirect_uri; only the client (the browser) can read it
    • Access the #hash in JavaScript: window.location.hash
    • Caveat: the fragment still lands in the browser history and is readable by every script on the page, and the token cannot be bound to the client; RFC 9700 (OAuth 2.0 Security Best Current Practice) recommends the authorization code grant with PKCE (RFC 7636) for browser apps instead of the implicit grant
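What the authorization server puts after the `#` and what the browser-side client has to check before trusting window.location.hash, as an added example (not code from the slides). It uses urllib to do the parsing a browser would do, so it runs offline; the redirect_uri, token and state values are constructed samples. The point it makes beyond the slide: the server behind redirect_uri only ever sees the part before `#`, and a token that arrives in the query string instead of the fragment must be refused.

```python
"""Implicit grant redirect: the token lives in the URL fragment.

Added example, not code from the slides. It builds the redirect the
authorization server would send and then does what the browser-side client
does with window.location.hash, using urllib so the checks run offline.
redirect_uri, token and state values are constructed samples.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_implicit_redirect(redirect_uri, access_token, state, expires_in=3600):
    """Authorization server side: the parameters go after '#', never in the query."""
    fragment = urlencode({"access_token": access_token, "token_type": "Bearer",
                          "expires_in": expires_in, "state": state})
    return redirect_uri + "#" + fragment


def server_visible_part(url):
    """What the HTTP request to redirect_uri carries: everything before '#'.
    Browsers strip the fragment, so it is absent from server logs and Referer."""
    return url.split("#", 1)[0]


def extract_token(url, expected_state):
    """Client side (what the SPA does with window.location.hash).
    Returns the access_token or raises ValueError for anything suspicious."""
    parts = urlsplit(url)
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    if "access_token" in query:
        # A token in the query string has already been sent to the server: refuse it.
        raise ValueError("access_token must be in the fragment, not the query")
    if "error" in fragment:
        raise ValueError(fragment["error"][0])
    if fragment.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if fragment.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    if "access_token" not in fragment:
        raise ValueError("no access_token in fragment")
    return fragment["access_token"][0]


def safe_extract(url, expected_state):
    """extract_token with the failure reported as ("error", reason)."""
    try:
        return "ok", extract_token(url, expected_state)
    except ValueError as exc:
        return "error", str(exc)
```

build_implicit_redirect("https://app.example/cb", "907c762e", "xyz") yields a URL whose server-visible part is just "https://app.example/cb", while extract_token(url, "xyz") returns "907c762e"; the same token placed in the query string is rejected.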
  13. Mobile apps
    • Similar to browser-based applications
    • The only difference is the redirect_uri, which for a mobile app can be a custom URI scheme
    • This allows a native mobile app to interact with a web browser: the app opens a URL in the browser and the browser returns control to the app through the custom URI (e.g. facebook://)
    • Caveat: other apps on the device can register the same custom scheme and intercept the redirect; RFC 8252 (OAuth 2.0 for Native Apps) recommends the authorization code grant with PKCE and the system browser for native apps
  14. Username and password access
    • Used to authenticate against the API with user credentials (the resource owner password credentials grant, also known as the password grant)
    • The typical scenario is a login web page with username and password that authenticates against a first-party API
    • The password grant is only appropriate for trusted clients, because the client handles the user's password. If you build your own website as a client of your API, this is a simple way to handle logging in
  15. Client type
    • Confidential
      – Clients capable of maintaining the confidentiality of their credentials (e.g. a client implemented on a secure server with restricted access to the client credentials)
    • Public
      – Clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application)
  16. Sending client info
    • With confidential clients you must send client_id and client_secret to request the access_token:
      – POST /oauth { grant_type:password, username:x, password:y, client_id:z, client_secret:w }
    • With public clients you omit the client_secret when requesting the access_token:
      – POST /oauth { grant_type:password, username:x, password:y, client_id:z }
    (The bodies are written in shorthand; per RFC 6749 the token endpoint takes these parameters form-encoded in the POST body, and a confidential client may alternatively authenticate with HTTP Basic instead of sending client_secret in the body)
  17. Application access
    • Authenticate an application itself, for machine-to-machine scenarios (no user involved)
    • The OAuth2 grant type for this use case is called client_credentials
    • The request is a password-grant request without username and password; the client authenticates with its own credentials, so this grant is only for confidential clients:
      – POST /oauth { grant_type:client_credentials, client_id:z, client_secret:w }
    • The OAuth2 server replies with the token if the client credentials are valid
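A token endpoint that handles the three request shapes from the last slides (confidential client with the password grant, public client with the password grant, and client_credentials), as an added example; this is not Apigility's or bshaffer/oauth2-server-php's code. Client secrets and user passwords are stored only as salted hashes, as the deck says Apigility does with bcrypt; bcrypt is not in the Python standard library, so hashlib.pbkdf2_hmac stands in for it here. The registered clients and the user are constructed sample data.

```python
"""Token endpoint for the password and client_credentials grants.

Added example; not Apigility's or bshaffer/oauth2-server-php's code. It
handles the request shapes from the slides (confidential client + password,
public client + password, client_credentials) and keeps client secrets and
user passwords only as salted hashes. bcrypt is not in the Python standard
library, so hashlib.pbkdf2_hmac stands in for it. Clients and user are samples.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000
SUPPORTED_GRANTS = ("password", "client_credentials")


def hash_secret(value, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (stand-in for bcrypt); returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


def verify_secret(value, stored):
    """Constant-time comparison against a stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(hash_secret(value, salt)[1], digest)


class TokenEndpoint:
    """POST /oauth handler with in-memory client and user stores."""

    def __init__(self):
        # client_id -> (hashed secret, or None for a public client; allowed grant types)
        self.clients = {
            "webapp":  (hash_secret("w"), {"password", "client_credentials"}),
            "spa":     (None, {"password"}),                 # public client, no secret
            "cronjob": (hash_secret("m2m"), {"client_credentials"}),
        }
        self.users = {"x": hash_secret("y")}  # username -> hashed password
        self.tokens = {}                       # access_token -> (client_id, subject)

    def _authenticate_client(self, form):
        """Returns (client_id, allowed grants, is_confidential) or None."""
        client = self.clients.get(form.get("client_id"))
        if client is None:
            return None
        stored, grants = client
        if stored is None:
            # Public client: it has no secret to keep, so a secret in the request is a
            # misconfiguration; this example rejects it rather than silently ignoring it.
            return None if "client_secret" in form else (form["client_id"], grants, False)
        if not verify_secret(form.get("client_secret", ""), stored):
            return None
        return form["client_id"], grants, True

    def issue(self, form):
        """Returns (http_status, json_body) for a token request."""
        auth = self._authenticate_client(form)
        if auth is None:
            return 401, {"error": "invalid_client"}
        client_id, grants, confidential = auth
        grant = form.get("grant_type")
        if grant not in SUPPORTED_GRANTS:
            return 400, {"error": "unsupported_grant_type"}
        if grant not in grants:
            return 400, {"error": "unauthorized_client"}
        if grant == "password":
            stored = self.users.get(form.get("username"))
            if stored is None or not verify_secret(form.get("password", ""), stored):
                return 400, {"error": "invalid_grant"}  # do not reveal which part was wrong
            subject = form["username"]
        else:  # client_credentials
            if not confidential:  # RFC 6749 section 4.4: confidential clients only
                return 401, {"error": "invalid_client"}
            subject = client_id
        access_token = secrets.token_hex(20)
        self.tokens[access_token] = (client_id, subject)
        return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}
```

TokenEndpoint().issue({...}) returns (200, {"access_token": ..., "token_type": "Bearer", "expires_in": 3600}) for a valid request; a bad password gives (400, {"error": "invalid_grant"}), a bad client secret (401, {"error": "invalid_client"}), and a public client asking for client_credentials is refused.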
  18. Apigility
    • Apigility is the API builder for PHP applications
    • Features: REST/RPC, authentication, content negotiation, hypermedia, error handling, filtering and validation, versioning, documentation, etc.
    • Written in Zend Framework 2 but can be used in any PHP application
    • Open source project by Zend Technologies
    • http://apigility.org
  19. OAuth2 in Apigility
    • OAuth2 server implementation (using the bshaffer/oauth2-server-php project)
    • A database as the data storage for tokens, users, clients, etc.
    • PDO (MySQL, SQLite, PostgreSQL, Oracle, MsSQL) and MongoDB adapters
    • Client secrets and user passwords are protected using bcrypt
  20. To summarize
    • Introduction to OAuth2
    • Security consideration: always use HTTPS!
    • Different scenarios:
      – web-server applications (e.g. social login)
      – browser-based applications
      – mobile apps
      – username and password
      – application access
    • OAuth2 in Apigility
  21. THANKS! More information: http://apigility.org