Slide 1

Slide 1 text

O(ops), Authentication! PHPBenelux 2014

Slide 2

Slide 2 text

Andreas Hucks @meandmymonkey • Software Architect at SensioLabs Deutschland • Symfony Trainer

Slide 3

Slide 3 text

Authentication

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Knock Knock. Client Server

Slide 6

Slide 6 text

Who’s there? Client Server

Slide 7

Slide 7 text

Me. Client Server

Slide 8

Slide 8 text

kthx. Client Server

Slide 9

Slide 9 text

HTTP is stateless.

Slide 10

Slide 10 text

Knock Knock. BTW it's me. Client Server

Slide 11

Slide 11 text

Not that long ago in a project not that far away…

Slide 12

Slide 12 text

GET /login?user=myname&pwd=secret

DON'T TRY THIS AT HOME

Slide 13

Slide 13 text

HTTP/1.1 200 OK
Content-Type: text/html
[…]

1a2b3c4e

DON'T TRY THIS AT HOME

Slide 14

Slide 14 text

GET /profile?ticket=1a2b3c4e

DON'T TRY THIS AT HOME

Slide 15

Slide 15 text

Don’t roll your own.

Slide 16

Slide 16 text

Tokens in the Query String? It happens.

Slide 17

Slide 17 text

Basic Auth

Slide 18

Slide 18 text

GET /account/ HTTP/1.1
Host: api.localhost
Authorization: Basic aHR0cHdhdGNoOmY=
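What the server does with that header, as an added example (this is not code from the talk): parse the Basic credentials, verify the password against a stored hash, and keep the response time independent of whether the username exists. The header value is the one on the slide and decodes to httpwatch:f; the user store and the dummy hash are constructed for the example.

```php
<?php
// Added example, not from the talk: server-side handling of HTTP Basic auth.
// The header value is the one on the slide ("httpwatch:f"); the user store
// and the dummy hash are constructed for this example.

declare(strict_types=1);

// Constructed user store: username => hash produced by password_hash().
$users = [
    'httpwatch' => password_hash('f', PASSWORD_DEFAULT),
];
// Hash of an unrelated random value, verified against when the user is unknown.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

/**
 * Split "Basic <base64>" into [user, password]; null if malformed.
 * The password may itself contain ':', so split on the first colon only.
 */
function parseBasicHeader(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);    // strict: reject anything but base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/** Returns the authenticated username, or null (caller answers 401 + WWW-Authenticate). */
function authenticateBasic(string $header, array $users, string $dummyHash): ?string
{
    $creds = parseBasicHeader($header);
    if ($creds === null) {
        return null;
    }
    [$user, $password] = $creds;
    $known = isset($users[$user]);
    // Always run password_verify, so response time does not reveal whether the user exists.
    $ok = password_verify($password, $known ? $users[$user] : $dummyHash);
    return ($ok && $known) ? $user : null;
}

var_dump(authenticateBasic('Basic aHR0cHdhdGNoOmY=', $users, $dummyHash)); // string(9) "httpwatch"
var_dump(authenticateBasic('Basic aHR0cHdhdGNoOmc=', $users, $dummyHash)); // NULL: "httpwatch:g", wrong password
var_dump(authenticateBasic('Basic not base64!', $users, $dummyHash));      // NULL: malformed header
```

Base64 is an encoding, not protection: anyone who sees the header has the password, which is the reason for the "use TLS" slide. On a missing or failed header answer 401 with WWW-Authenticate: Basic realm="…", never a redirect to a login page, or API clients will not know what went wrong.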

Slide 21

Slide 21 text

Oh, and use TLS.

Slide 22

Slide 22 text

OAuth2

Slide 23

Slide 23 text

Why?
• Some API providing data under your control (GitHub, Facebook, Twitter…)
• Third party wants access
• Third party should have limited access to resource and no access to your credentials
• Centralized Signons

Slide 24

Slide 24 text

How?
• Different flows ("grants") to obtain access
• Suitable for different types of clients
• Result is always a short-lived access token that the client then presents on every API request

Slide 25

Slide 25 text

Who?
• Facebook
• Twitter
• GitHub
• 2567 others
• You

Slide 26

Slide 26 text

Timeline
• RFC Expected 2010
• Published October 2012 (RFCs for framework and bearer token)

Slide 27

Slide 27 text

[snip]

Slide 28

Slide 28 text

– RFC 6749: "the method of which is beyond the scope of this specification"

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Let’s start backwards:

Slide 31

Slide 31 text

Resource Owner Password Credentials Grant
* Certain use cases only

Slide 32

Slide 32 text

MyApp for iDroid™ → MyApi

POST /token

client_id=myapp&
grant_type=password&
username=meandmymonkey&
password=supersecret&
scope=email

Slide 33

Slide 33 text

MyApi → MyApp for iDroid™

{
    "access_token": "abcd",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "1234"
}
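The server side of this exchange, as an added example (not code from the talk or from oauth2-php): a token endpoint that checks the client registration, verifies the password, and issues the response shown above with random tokens in place of the placeholders. The client and user records are constructed; a real server would keep them in its OAuth2 library's storage.

```php
<?php
// Added example, not from the talk: a token endpoint handling the password
// grant request and producing the response shown on the slides. Client and
// user records are constructed; a real server would use its OAuth2 library's
// storage instead of these arrays.

declare(strict_types=1);

// Constructed client registration: which grants and scopes a client may use.
$clients = ['myapp' => ['grant_types' => ['password'], 'scopes' => ['email', 'profile']]];
// Constructed user store: username => password hash.
$users = ['meandmymonkey' => password_hash('supersecret', PASSWORD_DEFAULT)];

/** Build an RFC 6749 error response: [status, JSON body]. */
function oauthError(int $status, string $error): array
{
    return [$status, json_encode(['error' => $error])];
}

/** Handle POST /token; returns [status, JSON body] and records issued tokens in $issued. */
function tokenEndpoint(array $post, array $clients, array $users, array &$issued): array
{
    if (($post['grant_type'] ?? '') !== 'password') {
        return oauthError(400, 'unsupported_grant_type');
    }
    $client = $clients[$post['client_id'] ?? ''] ?? null;
    if ($client === null || !in_array('password', $client['grant_types'], true)) {
        return oauthError(401, 'invalid_client');
    }
    $hash = $users[$post['username'] ?? ''] ?? null;
    // One error for "no such user" and "wrong password": no account enumeration.
    if ($hash === null || !password_verify($post['password'] ?? '', $hash)) {
        return oauthError(400, 'invalid_grant');
    }
    $scope = $post['scope'] ?? '';
    if ($scope !== '' && array_diff(explode(' ', $scope), $client['scopes'])) {
        return oauthError(400, 'invalid_scope');
    }
    // Opaque, unguessable tokens: the server only has to recognise them, not decode them.
    $access  = bin2hex(random_bytes(32));
    $refresh = bin2hex(random_bytes(32));
    $issued[$access] = [
        'owner'   => $post['username'],
        'scope'   => $scope,
        'expires' => time() + 3600,
        'refresh' => $refresh,
    ];
    return [200, json_encode([
        'access_token'  => $access,
        'token_type'    => 'bearer',
        'expires_in'    => 3600,
        'refresh_token' => $refresh,
    ])];
}

$issued = [];
[$status, $body] = tokenEndpoint(
    ['client_id' => 'myapp', 'grant_type' => 'password', 'username' => 'meandmymonkey',
     'password' => 'supersecret', 'scope' => 'email'],
    $clients, $users, $issued
);
echo $status, ' ', $body, PHP_EOL;   // 200 {"access_token":"…","token_type":"bearer","expires_in":3600,"refresh_token":"…"}

[$status, $body] = tokenEndpoint(
    ['client_id' => 'myapp', 'grant_type' => 'password', 'username' => 'meandmymonkey', 'password' => 'wrong'],
    $clients, $users, $issued
);
echo $status, ' ', $body, PHP_EOL;   // 400 {"error":"invalid_grant"}
```

Send the JSON with Cache-Control: no-store and Pragma: no-cache as RFC 6749 requires, and only over TLS: this is the one grant in which the user's real password crosses the wire to the token endpoint, which is why the slide restricts it to certain use cases (your own first-party app, not a third party).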

Slide 34

Slide 34 text

– RFC 6750: "A security token with the property that any party in possession of the token (a 'bearer') can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material"

Slide 35

Slide 35 text

Oh, and use TLS.

Slide 36

Slide 36 text

MyApp for iDroid™ → MyApi

GET /account
Authorization: Bearer abcd

Slide 37

Slide 37 text

Intermezzo: Token Location

Query String
Post Body
Authorization Header

Slide 38

Slide 38 text

Intermezzo: Token Location

Query String           Grmpf.
Post Body              Why?
Authorization Header   Yep.

Slide 39

Slide 39 text

Intermezzo: Token Location

Auth
AcmeToken
X-Auth
X-AcmeToken
X-Authorization
Authorization

Slide 40

Slide 40 text

Intermezzo: Token Location

Auth               Nope.
AcmeToken          Nope.
X-Auth             Nope.
X-AcmeToken        Nope.
X-Authorization    Nope.
Authorization      Yep.
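The resource-server side of both intermezzi, as an added example (not code from the talk): take the bearer token from the Authorization header only, refuse it in the query string, and check expiry and scope before serving the resource. The token abcd and the /account request are the ones on the slides; the token store is constructed here.

```php
<?php
// Added example, not from the talk: a resource server that accepts the access
// token only from the Authorization header. The token store is constructed;
// a real server would look tokens up in its OAuth2 library's storage.

declare(strict_types=1);

// Constructed store: token => [owner, scope, expires (unix time)].
$tokens = [
    'abcd'  => ['owner' => 'meandmymonkey', 'scope' => 'email', 'expires' => time() + 3600],
    'stale' => ['owner' => 'meandmymonkey', 'scope' => 'email', 'expires' => time() - 10],
];

/** Return the bearer token from the Authorization header, or null. */
function bearerTokenFromHeaders(array $headers): ?string
{
    // Header names are case-insensitive; normalise before the lookup.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $auth = $headers['authorization'] ?? '';
    // RFC 6750 §2.1: the scheme "Bearer" followed by b64token characters.
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $auth, $m)) {
        return $m[1];
    }
    return null;
}

/** Authorize a request; returns [status code, body or challenge]. */
function authorizeRequest(array $headers, array $query, array $tokens, string $requiredScope): array
{
    // Tokens in the query string end up in server logs, proxies, Referer headers and history.
    if (isset($query['access_token'])) {
        return [400, 'error=invalid_request (send the token in the Authorization header)'];
    }
    $token = bearerTokenFromHeaders($headers);
    if ($token === null) {
        return [401, 'WWW-Authenticate: Bearer realm="myapi"'];
    }
    $record = $tokens[$token] ?? null;
    if ($record === null || $record['expires'] <= time()) {
        return [401, 'WWW-Authenticate: Bearer realm="myapi", error="invalid_token"'];
    }
    if (!in_array($requiredScope, explode(' ', $record['scope']), true)) {
        return [403, 'WWW-Authenticate: Bearer realm="myapi", error="insufficient_scope"'];
    }
    return [200, 'account of ' . $record['owner']];
}

print_r(authorizeRequest(['Authorization' => 'Bearer abcd'], [], $tokens, 'email'));   // 200, account of meandmymonkey
print_r(authorizeRequest(['Authorization' => 'Bearer stale'], [], $tokens, 'email'));  // 401, invalid_token
print_r(authorizeRequest(['X-Auth' => 'abcd'], [], $tokens, 'email'));                 // 401, no token in the right place
print_r(authorizeRequest([], ['access_token' => 'abcd'], $tokens, 'email'));           // 400, token in query string
print_r(authorizeRequest(['Authorization' => 'Bearer abcd'], [], $tokens, 'profile')); // 403, insufficient_scope
```

The three WWW-Authenticate variants (no token, bad token, wrong scope) are the ones RFC 6750 defines; a client that gets invalid_token knows to use its refresh token, a client that gets 403 knows a new token would not help.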

Slide 41

Slide 41 text

Implementation

Slide 42

Slide 42 text

Preconditions
• Some kind of user management
• Client registration (possibly)
• Some resource you want to make accessible (duh)

Slide 43

Slide 43 text

Don’t roll your own.

Slide 44

Slide 44 text

oauth2-php Composer: friendsofsymfony/oauth2-php

Slide 45

Slide 45 text

Granting the Token

Slide 46

Slide 46 text

Protecting a Resource

Slide 47

Slide 47 text

Authorization Grant

Slide 48

Slide 48 text

Elements
• Authorization Provider (let's say… myapi.com)
• Client – a third party (let's say… thatapp.com)
• Resource owner – that's you

Slide 49

Slide 49 text

You · MyApi · ThatApp

GET /authorize?
  response_type=code&
  client_id=thatapp&
  redirect_uri=https://thatapp.com/auth&
  state=xyz

Slide 50

Slide 50 text

You · MyApi · ThatApp

HTTP/1.1 302
Location: https://thatapp.com/auth?
  code=1234&
  state=xyz

Slide 51

Slide 51 text

Authorization

Slide 52

Slide 52 text

You · MyApi · ThatApp

POST /token

grant_type=authorization_code&
code=1234&
redirect_uri=https://thatapp.com/auth&
client_id=thatapp
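The client ("ThatApp") side of the three requests above, as an added example (not code from the talk or from oauth2-php): generate and check the state parameter, fail closed on a mismatch, and send the same redirect_uri in the token request as in the authorization request. Endpoint URLs, client id, code and token values are taken from the slides; the client secret and the HTTP transport are stubbed (a constructed token reply) so the script runs offline.

```php
<?php
// Added example, not from the talk: the client side of the authorization code
// grant. URLs, client id, code and token values follow the slides; the client
// secret is an assumption and the token request is answered with a constructed
// reply instead of a real HTTP call.

declare(strict_types=1);

const AUTHORIZE_ENDPOINT = 'https://myapi.com/authorize';
const TOKEN_ENDPOINT     = 'https://myapi.com/token';
const CLIENT_ID          = 'thatapp';
const CLIENT_SECRET      = 'constructed-client-secret';   // assumption: confidential client
const REDIRECT_URI       = 'https://thatapp.com/auth';

/** Step 1: build the redirect to the authorization server, bound to this browser session. */
function buildAuthorizeUrl(array &$session): string
{
    // state: unguessable, stored in the session, checked on return. Without it an
    // attacker can make the victim's browser complete a flow the attacker started (CSRF).
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'email',
        'state'         => $session['oauth_state'],
    ]);
}

/** Step 2: handle the callback; returns the token request parameters or throws. */
function handleCallback(array $query, array &$session): array
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);                      // state is single use
    if ($expected === null || !isset($query['state']) || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('state mismatch: possible CSRF or replayed callback');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('authorization denied: ' . $query['error']);
    }
    if (empty($query['code'])) {
        throw new RuntimeException('callback without authorization code');
    }
    // Step 3: redirect_uri must be identical to the one used in step 1 (RFC 6749 §4.1.3);
    // the server compares them, which stops a code stolen via another redirect target.
    return [
        'grant_type'   => 'authorization_code',
        'code'         => $query['code'],
        'redirect_uri' => REDIRECT_URI,
        'client_id'    => CLIENT_ID,
    ];
}

/** Step 4: POST the parameters to the token endpoint. Stubbed with a constructed reply. */
function requestToken(array $params): array
{
    // Real code: POST $params as application/x-www-form-urlencoded to TOKEN_ENDPOINT over
    // TLS, authenticating the client with CLIENT_SECRET (e.g. HTTP Basic), using curl.
    $constructedReply = '{"access_token":"abcd","token_type":"bearer","expires_in":3600,"refresh_token":"1234"}';
    $token = json_decode($constructedReply, true);
    if (!is_array($token) || strtolower($token['token_type'] ?? '') !== 'bearer') {
        throw new RuntimeException('unexpected token response');
    }
    return $token;
}

// Walk through the flow with a fake session array.
$session = [];
$url = buildAuthorizeUrl($session);                       // the user agent is sent here
parse_str(parse_url($url, PHP_URL_QUERY), $sent);
$callback = ['code' => '1234', 'state' => $sent['state']];   // what MyApi redirects back with
$token = requestToken(handleCallback($callback, $session));
echo $token['access_token'], PHP_EOL;                     // abcd

try {                                                     // a second callback with the same state
    handleCallback($callback, $session);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                       // state mismatch: possible CSRF or replayed callback
}
```

The code itself is worthless to an attacker who cannot also present the client secret at the token endpoint, which is why this grant is the right one for server-side web apps and why the code, unlike the token, may travel through the browser.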

Slide 53

Slide 53 text

Granting the Token

Slide 54

Slide 54 text

Protecting a Resource

Slide 55

Slide 55 text

Implicit Grant

Slide 56

Slide 56 text

You · MyApi · ThatApp

GET /authorize?
  response_type=token&
  client_id=thatapp&
  redirect_uri=https://thatapp.com/auth&
  state=xyz

Slide 57

Slide 57 text

You · MyApi · ThatApp

HTTP/1.1 302
Location: https://thatapp.com/auth#
  access_token=1234&
  state=xyz&
  token_type=bearer&
  expires_in=3600

Slide 58

Slide 58 text

Implementation
• PHP: Same as the previous authorization steps
• JS: Using hello.js
• bower install hello

Slide 59

Slide 59 text

WebApp

Slide 60

Slide 60 text

WebApp

Slide 61

Slide 61 text

Client Credentials Grant

Slide 62

Slide 62 text

Intermezzo: Shameless Plug

Slide 63

Slide 63 text

FOSOauthServerBundle

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

OAuth2 Problems & Gotchas

Slide 66

Slide 66 text

HashMAC

Slide 67

Slide 67 text

HMAC

Slide 68

Slide 68 text

Simple Hash

hash('sha256', 'meandymonkey');
fc1de43bebbfaf6e9268fd7974100347884d1b4c574d31f7c17bf2f66d6f95ef

Slide 69

Slide 69 text

Simple Hash

hash('sha256', 'meandYmonkey');
2d0aaf9c491869665e98a28b2d3be32be9854271b4d01f2146a59c659a8d2f6f

Slide 70

Slide 70 text

HMAC

hash_hmac('sha256', 'meandmymonkey', 'secret');
a688746a6187b2c82d919c2a88c4fbc036902956ef977835e6d8267b7774f509

Slide 71

Slide 71 text

Client Key and Secret

7d5ae8a791ce21309e596274e6d692815d0d28493bd8bc6c84920200dd88e7d8
53335e65e0624971917d09d376dfdfc9ae5cf625da962d314515b98753f82193

Slide 72

Slide 72 text

ThatApp → MyApi

GET /profile
Authorization: HMAC-SHA256 Id=7d5ae8a[…], Headers=content-type;host;date, Nonce=43hd, Signature=a688746a[…]
Date: Wed, 14 Aug 2013 13:32:00 GMT

Slide 73

Slide 73 text

Advantages
• Authentication AND protection against tampering with the request
• Can prevent replay attacks (nonce plus a signed Date header)
• No redirects or other extra requests
• In certain circumstances can work without SSL: the signature gives integrity and authentication, not confidentiality
• RESTful

Slide 74

Slide 74 text

Now this is more difficult than you would think

Slide 75

Slide 75 text

Canonicalizing a request
• Add HTTP method
• Add URI
• Add query (needs to be canonicalized itself)
• Add headers (sorted and filtered)
• Add nonce
• Add Auth information, like Algorithm

Slide 76

Slide 76 text

Signing it
• Derive a key – derivation must be reproducible by the server
• Create a hash of the canonicalized request
• Use hash and derived key to create signature using hash_hmac();
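Both halves of that procedure, signing on the client and verifying on the server, as one added example (not code from the talk): canonical request, per-day derived key, HMAC-SHA256 signature, constant-time comparison, and replay rejection by Date window and nonce cache. The client id, secret and header layout are the ones on the slides; the exact canonical form, the key derivation and the in-memory nonce cache are choices made for this example, not any vendor's scheme.

```php
<?php
// Added example, not from the talk: signing a request on the client and
// verifying it on the server, following the steps on slides 72 to 76. The
// client id, secret and header layout are from the slides; the canonical
// form (field order, separators), the key derivation and the in-memory
// nonce cache are my own choices, not any vendor's scheme.

declare(strict_types=1);

const CLIENT_ID      = '7d5ae8a791ce21309e596274e6d692815d0d28493bd8bc6c84920200dd88e7d8';
const CLIENT_SECRET  = '53335e65e0624971917d09d376dfdfc9ae5cf625da962d314515b98753f82193';
const SIGNED_HEADERS = ['content-type', 'host', 'date'];   // fixed list, known to both sides
const MAX_CLOCK_SKEW = 300;                                 // seconds

/** Canonical request: method, path, sorted query, signed headers, nonce; one field per line. */
function canonicalRequest(string $method, string $uri, array $headers, string $nonce): string
{
    $parts = parse_url($uri);
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    ksort($query);
    // Re-encode with '=' and '&' kept as delimiters, so two different parameter
    // sets can never collapse into the same canonical string.
    $canonicalQuery = http_build_query($query, '', '&', PHP_QUERY_RFC3986);

    $h = array_change_key_case($headers, CASE_LOWER);
    $headerLines = [];
    foreach (SIGNED_HEADERS as $name) {
        $headerLines[] = $name . ':' . trim($h[$name] ?? '');
    }
    return implode("\n", [
        strtoupper($method),
        $parts['path'] ?? '/',
        $canonicalQuery,
        implode("\n", $headerLines),
        $nonce,
    ]);
}

/** Per-day key derived from the secret; both sides recompute it from the Date header. */
function derivedKey(string $secret, string $date): string
{
    return hash_hmac('sha256', gmdate('Ymd', strtotime($date)), $secret, true);
}

/** Client side: produce the Authorization header value. */
function signRequest(string $method, string $uri, array $headers, string $nonce): string
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $digest    = hash('sha256', canonicalRequest($method, $uri, $headers, $nonce));
    $signature = hash_hmac('sha256', $digest, derivedKey(CLIENT_SECRET, $h['date']));
    return sprintf('HMAC-SHA256 Id=%s, Headers=%s, Nonce=%s, Signature=%s',
        CLIENT_ID, implode(';', SIGNED_HEADERS), $nonce, $signature);
}

/** Server side. $clients maps id => secret; $seenNonces is the replay cache (constructed). */
function verifyRequest(string $method, string $uri, array $headers, array $clients, array &$seenNonces): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $pattern = '/^HMAC-SHA256 Id=([0-9a-f]+), Headers=([a-z;-]+), Nonce=([A-Za-z0-9]+), Signature=([0-9a-f]+)$/';
    if (!preg_match($pattern, $h['authorization'] ?? '', $m)) {
        return false;
    }
    [, $id, $signedHeaders, $nonce, $signature] = $m;
    if (!isset($clients[$id]) || $signedHeaders !== implode(';', SIGNED_HEADERS)) {
        return false;
    }
    // Replay protection: the Date must be recent and the nonce unused.
    $sent = strtotime($h['date'] ?? '');
    if ($sent === false || abs(time() - $sent) > MAX_CLOCK_SKEW || isset($seenNonces[$nonce])) {
        return false;
    }
    $digest   = hash('sha256', canonicalRequest($method, $uri, $headers, $nonce));
    $expected = hash_hmac('sha256', $digest, derivedKey($clients[$id], $h['date']));
    if (!hash_equals($expected, $signature)) {   // constant-time comparison
        return false;
    }
    $seenNonces[$nonce] = $sent;
    return true;
}

// Client signs a request.
$headers = ['Content-Type' => 'application/json', 'Host' => 'myapi.com', 'Date' => gmdate('D, d M Y H:i:s \G\M\T')];
$nonce   = bin2hex(random_bytes(8));
$headers['Authorization'] = signRequest('GET', 'https://myapi.com/profile?b=2&a=1', $headers, $nonce);

// Server verifies it; the query arrives in another order but canonicalizes identically.
$clients = [CLIENT_ID => CLIENT_SECRET];
$seen    = [];
var_dump(verifyRequest('GET', 'https://myapi.com/profile?a=1&b=2', $headers, $clients, $seen)); // bool(true)
var_dump(verifyRequest('GET', 'https://myapi.com/profile?a=1&b=2', $headers, $clients, $seen)); // bool(false): nonce reused
$seen = [];
$headers['Host'] = 'evil.example';
var_dump(verifyRequest('GET', 'https://myapi.com/profile?a=1&b=2', $headers, $clients, $seen)); // bool(false): tampered
```

Two details matter more than they look: hash_equals() instead of === for the signature (a byte-by-byte early exit leaks how many bytes of a forged signature were right), and a nonce cache that is shared by all servers behind the load balancer, or a replayed request just has to land on a different node.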

Slide 77

Slide 77 text

Don’t roll your own?

Slide 78

Slide 78 text

No content

Slide 79

Slide 79 text

Hash Collisions In AWS V1

?query=yojimbo&limit=5&offset=3
?query=yojimbolimit=5&offset=3&

Slide 80

Slide 80 text

… same result after normalizing:

yojimbolimit5offset3
yojimbolimit5offset3
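The slide sketches the idea; the pair below is constructed so that the actual AWS signature version 1 rule (sort parameters by name, then concatenate name and value with no separator) produces the same string for two different parameter sets, and shows the version 2 repair. This is an added example, not code from the talk and not Amazon's code.

```php
<?php
// Added example, not from the talk: reproducing the ambiguity in the AWS
// signature version 1 canonical form, and the repair made in version 2.
// The parameter pair is constructed so that the version 1 rule (sort by
// parameter name, concatenate name and value with no separator) yields
// the same string; the functions are mine, not Amazon's code.

declare(strict_types=1);

/** Version 1 style: case-insensitive sort, then name.value with no delimiters. */
function canonicalizeV1(string $queryString): string
{
    $params = [];
    parse_str($queryString, $params);
    ksort($params, SORT_STRING | SORT_FLAG_CASE);
    $out = '';
    foreach ($params as $name => $value) {
        $out .= $name . $value;           // the boundaries between fields are lost here
    }
    return $out;
}

/** Version 2 style: byte-order sort, percent-encode, keep '=' and '&' as delimiters. */
function canonicalizeV2(string $queryString): string
{
    $params = [];
    parse_str($queryString, $params);
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    return implode('&', $pairs);
}

$secret = 'constructed-secret';
$legit  = 'query=yojimbo&limit=5&offset=3';
$forged = 'limit=5&offset=3&queryyojimbo=';   // different request: "query" is gone, "queryyojimbo" is empty

foreach ([$legit, $forged] as $q) {
    $canonical = canonicalizeV1($q);
    echo $canonical, '  ', hash_hmac('sha256', $canonical, $secret), PHP_EOL;
}
// Both lines read "limit5offset3queryyojimbo" with the same MAC: a signature
// captured for the legitimate request also authenticates the forged one.

foreach ([$legit, $forged] as $q) {
    echo canonicalizeV2($q), PHP_EOL;
}
// limit=5&offset=3&query=yojimbo
// limit=5&offset=3&queryyojimbo=
```

The bug is not in HMAC; it is that the canonical form was not injective, so two requests an application treats differently had one signature. Any home-grown canonicalization needs the same property: every byte that can change the meaning of the request must be recoverable from the canonical string.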

Slide 81

Slide 81 text

Vendors
• AWS V2, V3, V4
• Windows Azure API

Slide 82

Slide 82 text

HMAC Problems

Slide 83

Slide 83 text

X.509 Client Certificates

Slide 84

Slide 84 text

– me: "the method of which is beyond the scope of this talk"

Slide 85

Slide 85 text

User and Credentials

Slide 86

Slide 86 text

Wrap up: When to use what?

Slide 87

Slide 87 text

Sharing Resources with web or mobile apps
• OAuth2 Authorization Grant
• OAuth2 HMAC extension would be nice, but
  • probably not there yet
  • ATM, same SDK problems as with pure HMAC

Slide 88

Slide 88 text

Server to Server
• Basic Auth
• HMAC
• OAuth2 Client Credentials

Slide 89

Slide 89 text

Other JS apps
• OAuth2 Implicit Grant

Slide 90

Slide 90 text

Your own JS app
• OAuth2 Implicit Grant or Password Grant
• If you are logged in for the HTML part, re-use the session (there, I said it)
• Oh yes, SSL

Slide 91

Slide 91 text

Your own Mobile App
• OAuth2 Password Grant

Slide 92

Slide 92 text

Infrastructure or Intranet Level
• X.509 Client Certificates

Slide 93

Slide 93 text

Thanks! @meandmymonkey
http://joind.in/10285

Slide 94

Slide 94 text

No content