
O(ops), Authentication!

When it comes to authentication for RESTful web services, every vendor seems to follow a different recipe. Some of the authentication modes in use contradict REST principles, some don't; some are secure, some less so. We will take a tour of commonly found authentication schemes, discuss their pros and cons, and look at how to build secure, RESTful authentication mechanisms for your own API and for various use cases.

Andreas Hucks

January 27, 2014

Transcript

  1. O(ops), Authentication!
    PHPBenelux 2014

  2. Andreas Hucks
    @meandmymonkey
    • Software Architect at SensioLabs Deutschland
    • Symfony Trainer

  3. Authentication

  5. Knock Knock.
    Client Server

  6. Who’s there?
    Client Server

  7. Me.
    Client Server

  8. kthx.
    Client Server

  9. HTTP is stateless.

  10. Knock Knock.
    BTW it's me.
    Client Server

  11. Not that long ago in a project not that far away…

  12. GET /login?user=myname&pwd=secret
    DON'T TRY THIS AT HOME

  13. HTTP/1.1 200 OK
    Content-Type: text/html
    […]
    1a2b3c4e
    DON'T TRY THIS AT HOME

  14. GET /profile?ticket=1a2b3c4e
    DON'T TRY THIS AT HOME

  15. Don’t roll your own.

  16. Tokens in the Query String?
    It happens.

  17. Basic Auth

  18. GET /account/ HTTP/1.1
    Host: api.localhost
    Authorization: Basic aHR0cHdhdGNoOmY=

  21. Oh, and use TLS.

  22. OAuth2

  23. Why?
    • Some API providing data under your control (GitHub, Facebook, Twitter…)
    • Third party wants access
    • Third party should have limited access to the resource and no access to your credentials
    • Centralized sign-on

  24. How?
    • Different flows to grant access
    • Suitable for different types of clients
    • Result is always a short-lived token that is used for authentication

  25. Who?
    • Facebook
    • Twitter
    • GitHub
    • 2567 others
    • You

  26. Timeline
    • RFC expected 2010
    • Published October 2012 (RFCs for framework and bearer token)

  27. [snip]

  28. "the method of which is beyond the scope of this specification" – RFC 6749

  30. Let’s start backwards:

  31. Resource Owner Password Credentials Grant
    * Certain use cases only

  32. MyApp for iDroid™ → MyApi
    POST /token
    client_id=myapp&
    grant_type=password&
    username=meandmymonkey&
    password=supersecret&
    scope=email

  33. MyApi → MyApp for iDroid™
    {
       "access_token":"abcd",
       "token_type":"bearer",
       "expires_in":3600,
       "refresh_token":"1234"
    }

  34. “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can.
    Using a bearer token does not require a bearer to prove possession of cryptographic key material” – RFC 6750

  35. Oh, and use TLS.

  36. MyApp for iDroid™ → MyApi
    GET /account
    Authorization: Bearer abcd

  37. Intermezzo: Token Location
    Query String
    Post Body
    Authorization Header

  38. Intermezzo: Token Location
    Query String          Grmpf.
    Post Body             Why?
    Authorization Header  Yep.

  39. Intermezzo: Token Location
    Auth
    AcmeToken
    X-Auth
    X-AcmeToken
    X-Authorization
    Authorization

  40. Intermezzo: Token Location
    Auth             Nope.
    AcmeToken        Nope.
    X-Auth           Nope.
    X-AcmeToken      Nope.
    X-Authorization  Nope.
    Authorization    Yep.

  41. Implementation

  42. Preconditions
    • Some kind of user management
    • Client registration (possibly)
    • Some resource you want to make accessible (duh)

  43. Don’t roll your own.

  44. oauth2-php
    Composer: friendsofsymfony/oauth2-php

  45. Granting the Token

  46. Protecting a Resource

  47. Authorization Grant

  48. Elements
    • Authorization Provider (let’s say… myapi.com)
    • Client - A third party, (let’s say… thatapp.com)
    • Resource owner - That’s you

  49. You / ThatApp / MyApi
    GET /authorize?
    response_type=code&
    client_id=thatApp&
    redirect_uri=https://thatapp.com/auth&
    state=xyz

  50. You / ThatApp / MyApi
    HTTP/1.1 302
    location: https://thatapp.com/cb?
    code=1234&
    state=xyz

  51. Authorization

  52. You / ThatApp / MyApi
    POST /token?
    grant_type=authorization_code&
    code=1234&
    redirect_uri=https://thatapp.com/auth&
    client_id=thatApp
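    The authorization code exchange on slides 49-52, as an added example that is not the speaker's code: a minimal in-process MyApi and ThatApp pair that shows the checks each side has to make (client and redirect_uri validated before any redirect, the state value round-tripped and verified by the client, the code single-use and bound to the client_id and redirect_uri it was issued for). The registration table, the /cb callback path and the token format are assumptions for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration; the redirect_uri is fixed at registration
# time (the slides use both /auth and /cb for thatapp.com, /cb is used here).
CLIENTS = {"thatApp": {"redirect_uri": "https://thatapp.com/cb"}}

class MyApi:
    """Authorization provider: /authorize (slides 49-50) and /token (slide 52)."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri); consumed on first use

    def authorize(self, params, owner_consents=True):
        client = CLIENTS.get(params.get("client_id"))
        # Validate client and registered redirect_uri BEFORE redirecting anywhere:
        # even an error response must never go to an unregistered URI.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid_client_or_redirect_uri")
        if params.get("response_type") != "code" or not owner_consents:
            raise ValueError("access_denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], params["redirect_uri"])
        # The 302 Location of slide 50: the code plus the client's own state value.
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        entry = self.codes.pop(form.get("code"), None)   # pop, not get: single use
        bound = (form.get("client_id"), form.get("redirect_uri"))
        if form.get("grant_type") != "authorization_code" or entry is None or entry != bound:
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                "expires_in": 3600}

class ThatApp:
    """Third-party client; remembers the state of its pending authorization."""
    def __init__(self, api):
        self.api, self.pending_state = api, None

    def start(self):
        # Fresh unguessable state: the callback is only accepted if it carries it back.
        self.pending_state = secrets.token_urlsafe(16)
        return self.api.authorize({"response_type": "code", "client_id": "thatApp",
                                   "redirect_uri": CLIENTS["thatApp"]["redirect_uri"],
                                   "state": self.pending_state})

    def callback(self, location):
        q = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
        if not self.pending_state or q.get("state") != self.pending_state:
            raise ValueError("state mismatch: callback does not belong to our request")
        self.pending_state = None
        return self.api.token({"grant_type": "authorization_code", "code": q.get("code"),
                               "redirect_uri": CLIENTS["thatApp"]["redirect_uri"],
                               "client_id": "thatApp"})
```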

  53. Granting the Token

  54. Protecting a Resource

  55. Implicit Grant

  56. You / ThatApp / MyApi
    GET /authorize?
    response_type=token&
    client_id=thatapp&
    redirect_uri=https://thatapp.com/auth&
    state=xyz

  57. You / ThatApp / MyApi
    HTTP/1.1 302
    location: https://thatapp.com/cb#
    access_token=1234&
    state=xyz&
    token_type=bearer&
    expires_in=3600

  58. Implementation
    • PHP: Same as the previous authorization steps
    • JS: Using hello.js
      • bower install hello

  59. WebApp

  60. WebApp

  61. Client Credentials Grant

  62. Intermezzo: Shameless Plug

  63. FOSOauthServerBundle

  65. OAuth2: Problems & Gotchas

  66. HashMAC

  67. HMAC

  68. Simple Hash
    fc1de43bebbfaf6e9268fd7974100347884d1b4c574d31f7c17bf2f66d6f95ef
    hash('sha256', 'meandymonkey');

  69. Simple Hash
    2d0aaf9c491869665e98a28b2d3be32be9854271b4d01f2146a59c659a8d2f6f
    hash('sha256', 'meandYmonkey');

  70. HMAC
    a688746a6187b2c82d919c2a88c4fbc036902956ef977835e6d8267b7774f509
    hash_hmac('sha256', 'meandmymonkey', 'secret');

  71. Client Key and Secret
    7d5ae8a791ce21309e596274e6d692815d0d28493bd8bc6c84920200dd88e7d8
    53335e65e0624971917d09d376dfdfc9ae5cf625da962d314515b98753f82193

  72. ThatApp → MyApi
    GET /profile
    Authorization: HMAC-SHA256 Id=7d5ae8a[…],
        Headers=content-type;host;date,
        Nonce=43hd,
        Signature=a688746a[…]
    Date: Tue, 14 Aug 2013 13:32:00 GMT

  73. Advantages
    • Authentication AND protection against tampering with the request
    • Can prevent replay attacks
    • No redirects or other extra requests
    • In certain circumstances can work without SSL
    • RESTful

  74. Now this is more difficult than you would think

  75. Canonicalizing a request
    • Add HTTP method
    • Add URI
    • Add query (needs to be canonicalized itself)
    • Add headers (sorted and filtered)
    • Add nonce
    • Add auth information, like the algorithm

  76. Signing it
    • Derive a key - derivation must be reproducible by the server
    • Create a hash of the canonicalized request
    • Use hash and derived key to create the signature using hash_hmac();

  77. Don’t roll your own?

  79. Hash Collisions In AWS V1
    ?query=yojimbo&limit=5&offset=3
    ?query=yojimbolimit=5&offset=3&

  80. … same result after normalizing:
    yojimbolimit5offset3
    yojimbolimit5offset3
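    Slides 75-76 give the canonicalize-then-sign procedure and slides 79-80 its classic pitfall; the following is an added example (not the speaker's PHP, but the same hash/hash_hmac steps in Python) that builds the canonical request, reproduces the delimiter-stripping collision from slide 80 next to a delimiter-preserving form that keeps the two queries distinct, and verifies the signature in constant time. The key derivation HMAC(secret, Date) and the sample header values are assumptions for the example, not any vendor's scheme.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote

def naive_normalize(query):
    # Delimiter-stripping normalisation of the AWS V1 kind (slide 80):
    # distinct query strings can collapse onto the same text.
    return re.sub(r"[?=&]", "", query)

def canonical_query(query):
    # Sort the pairs, percent-encode every key and value, and keep '=' and '&'
    # as the only unencoded delimiters, so no two queries share a canonical form.
    pairs = sorted(parse_qsl(query.lstrip("?"), keep_blank_values=True))
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)

def canonical_request(method, path, query, headers, signed, nonce, algorithm="HMAC-SHA256"):
    # One line per element of slide 75: method, URI, canonical query, the signed
    # headers (lower-cased, in the listed order), the header list, nonce, algorithm.
    lookup = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper(), path, canonical_query(query)]
    lines += [f"{h}:{lookup[h]}" for h in signed]
    lines += [";".join(signed), nonce, algorithm]
    return "\n".join(lines)

def derive_key(secret, date):
    # Slide 76: a derivation the server can reproduce from the shared secret
    # and the request's Date header (assumed scheme for this example).
    return hmac.new(secret.encode(), date.encode(), hashlib.sha256).digest()

def sign(secret, date, canonical):
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    return hmac.new(derive_key(secret, date), digest.encode(), hashlib.sha256).hexdigest()

def verify(secret, date, canonical, presented):
    # Constant-time comparison: a plain == would leak how many leading
    # characters of the presented signature were right.
    return hmac.compare_digest(sign(secret, date, canonical), presented)

# Constructed sample modelled on slide 72; header values are made up.
HEADERS = {"Content-Type": "application/json", "Host": "myapi.com",
           "Date": "Tue, 14 Aug 2013 13:32:00 GMT"}
SIGNED = ["content-type", "host", "date"]

def demo():
    canon = canonical_request("GET", "/profile", "?query=yojimbo&limit=5&offset=3",
                              HEADERS, SIGNED, "43hd")
    return verify("secret", HEADERS["Date"], canon, sign("secret", HEADERS["Date"], canon))
```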

  81. Vendors
    • AWS V2, V3, V4
    • Windows Azure API

  82. HMAC Problems

  83. X.509 Client Certificates

  84. "the method of which is beyond the scope of this talk" – me

  85. User and Credentials

  86. Wrap up: When to use what?

  87. Sharing Resources with web or mobile apps
    • OAuth2 Authorization Grant
    • OAuth2 HMAC extension would be nice, but
      • probably not there yet
      • ATM, same SDK problems as with pure HMAC

  88. Server to Server
    • Basic Auth
    • HMAC
    • OAuth2 Client Credentials

  89. Other JS apps
    • OAuth2 Implicit Grant

  90. Your own JS app
    • OAuth2 Implicit Grant or Password Grant
    • If you are logged in for the HTML part, re-use the session (there, I said it)
    • Oh yes, SSL

  91. Your own Mobile App
    • OAuth2 Password Grant

  92. Infrastructure or Intranet Level
    • X.509 Client Certificates

  93. Thanks!
    @meandmymonkey
    http://joind.in/10285
