Mastering OAuth 2.0 (Day Camp 4 Developers)

Embed

Start on current slide

Slide 1

Slide 1 text

Mastering OAuth 2.0 Ben Ramsey  Day Camp 4 Developers 2 June 2017

Slide 2

Slide 2 text

HI, I’M BEN. I’m a web craftsman, author, and speaker. I build a platform for professional photographers at ShootProof. I enjoy APIs, open source software, organizing user groups, good beer, and spending time with my family. Nashville, TN is my home. ▸ Zend PHP Certiﬁcation Study Guide ▸ Nashville PHP & Atlanta PHP user groups ▸ array_column() ▸ league/oauth2-client ▸ ramsey/uuid

Slide 3

Slide 3 text

OAuth 2.0

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Instagram Demo

Slide 7

Slide 7 text

#1 Click to authorize

Slide 8

Slide 8 text

#2 Log in on site and grant permission

Slide 9

Slide 9 text

#3 Redirect back with auth code #4 Exchange code  for access token

Slide 10

Slide 10 text

#5 Use access token to get data

Slide 11

Slide 11 text

bram.se/dc4d-oauth2-app

Slide 12

Slide 12 text

Preparing for OAuth

Slide 13

Slide 13 text

1. Register your application with the service 2. Let the service know your domains or  redirect URLs 3. Conﬁgure your application to use the  client ID and client secret given to you by  the service ! No two OAuth 2.0 providers are alike!

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Integrating with the Provider

Slide 20

Slide 20 text

composer require league/oauth2-instagram

Slide 21

Slide 21 text

use League\OAuth2\Client\Provider\Instagram; $provider = new Instagram([ 'clientId' => 'CLIENT_ID', 'clientSecret' => 'CLIENT_SECRET', 'redirectUri' => 'https://example.com/redirect', ]);

Slide 22

Slide 22 text

Authorization Request 1. Generate authorization URL 2. Store state to session 3. Prompt user to authorize or redirect them

Slide 23

Slide 23 text

$authUrl = $provider->getAuthorizationUrl(); $request->session()->put( 'instagramState', $provider->getState() ); return redirect()->away($authUrl);

Slide 24

Slide 24 text

Redirection Endpoint 1. Receive authorization code 2. Check state 3. Exchange code for an access token

Slide 25

Slide 25 text

$state = $request->session()->get('instagramState'); if ($request->state !== $state) { abort(400, 'Invalid state'); } if (!$request->has('code')) { abort(400, 'Authorization code not available'); } $token = $provider->getAccessToken( 'authorization_code', [ 'code' => $request->code, ] ); $request->session()->put('instagramToken', $token); return redirect()->action('HomeController@index');

Slide 26

Slide 26 text

Expiring & Refreshing Tokens 1. Check for expiration & refresh token 2. Request access token using refresh token

Slide 27

Slide 27 text

if ($token->hasExpired() && $token->getRefreshToken()) { $newToken = $provider->getAccessToken('refresh_token', [ 'refresh_token' => $token->getRefreshToken(), ]); $request->session()->put('accessToken', $newToken); } ! Instagram does not support refresh tokens

Slide 28

Slide 28 text

Using Access Tokens 1. getAuthenticatedRequest() returns a PSR-7 RequestInterface object 2. Use your favorite HTTP request library to make a request

Slide 29

Slide 29 text

$feedRequest = $provider->getAuthenticatedRequest( 'GET', 'https://api.instagram.com/v1/users/self/media/recent', $instagramToken ); $client = new \GuzzleHttp\Client(); $feedResponse = $client->send($feedRequest); $instagramFeed = json_decode( $feedResponse->getBody()->getContents() );

Slide 30

Slide 30 text

A Brief History of Web Authorization

Slide 31

Slide 31 text

What is OAuth 2.0?

Slide 32

Slide 32 text

“However, as a rich and highly extensible framework with many optional components, on its own, this speciﬁcation is likely to produce a wide range of non-interoperable implementations.” RFC 6749, Section 1.8

Slide 33

Slide 33 text

1. Resource owner 2. Resource server 3. Client 4. Authorization server

Slide 34

Slide 34 text

composer require league/oauth2-client

Slide 35

Slide 35 text

use League\OAuth2\Client\Provider\GenericProvider; $provider = new GenericProvider([ 'clientId' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'clientSecret' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'redirectUri' => 'https://you.example.com/redirect-url', 'urlAuthorize' => 'https://them.example.net/authorize', 'urlAccessToken' => 'https://them.example.net/token', 'urlResourceOwnerDetails' => 'https://them.example.net/api/me' ]);

Slide 36

Slide 36 text

Authorization Code 1. Commonly referred to as three-legged 2. Used in our Instagram example 3. Very common grant type

Slide 37

Slide 37 text

Resource Owner Client Auth Server Resource Server

Slide 38

Slide 38 text

Step 1 Resource Owner Client Auth Server Resource Server

Slide 39

Slide 39 text

Step 2 Step 1 Resource Owner Client Auth Server Resource Server

Slide 40

Slide 40 text

Step 3 Step 2 Step 1 Resource Owner Client Auth Server Resource Server

Slide 41

Slide 41 text

Step 4 Step 3 Step 2 Step 1 Resource Owner Client Auth Server Resource Server

Slide 42

Slide 42 text

1. Gives username and password to client 2. Client exchanges them for access token 3. Use with extreme caution Resource Owner Password Credentials

Slide 43

Slide 43 text

Resource Owner Client Auth Server Resource Server

Slide 44

Slide 44 text

Step 1 Resource Owner Client Auth Server Resource Server

Slide 45

Slide 45 text

Step 2 Step 1 Resource Owner Client Auth Server Resource Server

Slide 46

Slide 46 text

Step 3 Step 2 Step 1 Resource Owner Client Auth Server Resource Server

Slide 47

Slide 47 text

$accessToken = $provider->getAccessToken('password', [ 'username' => 'demouser', 'password' => 'testpass' ]);

Slide 48

Slide 48 text

Client Credentials 1. Client is the resource owner 2. Credentials are stored in the client (usually safely on the server)

Slide 49

Slide 49 text

Client Auth Server Resource Server

Slide 50

Slide 50 text

Step 1 Client Auth Server Resource Server

Slide 51

Slide 51 text

Step 2 Step 1 Client Auth Server Resource Server

Slide 52

Slide 52 text

$accessToken = $provider->getAccessToken( 'client_credentials' );

Slide 53

Slide 53 text

Implicit 1. Relies on client-side redirection using a client ID and a known redirection URL 2. league/oauth2-client cannot support this

Slide 54

Slide 54 text

Toward a More Secure Web

Slide 55

Slide 55 text

Next steps… 1. league/oauth2-client 2. league/oauth2-instagram 3. OAuth 2.0 with Instagram Example App 4. OAuth 2.0 speciﬁcations 5. oauth2-client provider packages 6. “Mastering OAuth 2.0” in Web Security 2016 7. Book: Integrating Web Services with OAuth and PHP

Slide 56

Slide 56 text

Next steps…server league/oauth2-server

Slide 57

Slide 57 text

THANK YOU. ANY QUESTIONS? If you want to talk more, feel free to contact me. benramsey.com @ramsey github.com/ramsey [email protected] Mastering OAuth 2.0 Copyright © 2017 Ben Ramsey This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. Ramsey, Ben. “Mastering OAuth 2.0.” Day Camp 4 Developers. Web conference. 2 Jun. 2017. Conference presentation. This presentation was created using Keynote. The text is set in Chunk Five, Helvetica Neue, and Marker Felt. The source code is set in Menlo. The iconography is provided by Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information.

Slide 58

Slide 58 text

Photo Credits 1. “Untitled” by MICⱵ^ΞL 2. “Master” by Giuditta 3. “Untitled” by MICⱵ^ΞL 4. “Untitled” by MICⱵ^ΞL 5. “Untitled” by MICⱵ^ΞL 6. “master gain” by Chris Blakeley 7. “Mixing board” by Kevin Jaako 1 2 3 4 5 6 7