OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric - - PowerPoint PPT Presentation

oauth 2 0
SMART_READER_LITE
LIVE PREVIEW

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric - - PowerPoint PPT Presentation

Sep 20, 2023 572 likes •1.03k views

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

slide-1
SLIDE 1

OAuth 2.0

Ein Standard wird erwachsen

Uwe Friedrichsen (codecentric AG) – Berlin Expert Days 2013 – 4. April 2013

slide-2
SLIDE 2

Uwe Friedrichsen

@ufried

slide-3
SLIDE 3

<session> <no-code>

<motivation /> <history />

<solution />

<extensions /> <criticism /> <tips />

</no-code> <code>

<authzorization /> <token /> <resource />

</code>

<wrap-up />

</session>

slide-4
SLIDE 4

{ „session“ : { „no-code“ : [

„motivation“, „history“,

„solution“,

„extensions“, „criticism“, „tips“

], „code“ : [

„authorization“, „token“, „resource“

],

„wrap-up“ : true

}

slide-5
SLIDE 5

Players

You Application with protected resources Another application

slide-6
SLIDE 6

Assignment

You Application with protected resources Another application Access your resources

slide-7
SLIDE 7

Problem

You Application with protected resources Another application Access your resources

slide-8
SLIDE 8

Challenge

You Application with protected resources Another application Access your resources Secure

?

Easy to use

slide-9
SLIDE 9

OAuth 1.0

  • Started by Twitter in 2006
  • 1st Draft Standard in 10/2007
  • IETF RFC 5849 in 4/2010
  • Widespread
  • Complex Client Security Handling
  • Limited Scope
  • Not extendable
  • Not „Enterprise-ready“
slide-10
SLIDE 10

OAuth 2.0

  • Working Group started 4/2010
  • 31 Draft Versions
  • Eran Hammer-Laval left 7/2012 *
  • IETF RFC 6749 in 10/2012

* http://hueniverse.com/2012/07/

  • auth-2-0-and-the-road-to-hell/
slide-11
SLIDE 11

You Application with protected resources Another application

Players revisited

slide-12
SLIDE 12

Players revisited

You Authorization Server Client Application Resource Server

slide-13
SLIDE 13

Solution (Step 1)

You Authorization Server Client Application Resource Server

  • 1. I want an

authorization code

  • 4. Here is an authorization code for client XYZ
  • 3. User: „Yes, it‘s okay“

2.Client XYZ wants an authorization code

  • 5. Here you are
slide-14
SLIDE 14

Solution (Step 2)

You Authorization Server Client Application Resource Server

  • 7. Here you are
  • 6. I want to trade my

authorization code for an access token

slide-15
SLIDE 15

Solution (Step 3)

You Authorization Server Client Application Resource Server

Give me some resources. Here is my access token, btw.

slide-16
SLIDE 16

A few more Details

  • TLS/SSL
  • Endpoints
  • Client Types
  • Client Identifier
  • Client Authentication
  • Redirect URI
  • Access T
  • ken Scope
  • Refresh T
  • ken
  • Client State
slide-17
SLIDE 17

You Authorization Server Client Application Resource Server

  • 1. I want an

authorization code

  • 4. Here is an authorization code for client XYZ
  • 3. User: „Yes, it‘s okay“

2.Client XYZ wants an authorization code

  • 5. Here you are

GET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com

slide-18
SLIDE 18

You Authorization Server Client Application Resource Server

  • 1. I want an

authorization code

  • 4. Here is an authorization code for client XYZ
  • 3. User: „Yes, it‘s okay“

2.Client XYZ wants an authorization code

  • 5. Here you are

HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz

slide-19
SLIDE 19

You Authorization Server Client Application Resource Server

  • 7. Here you are
  • 6. I want to trade my

authorization code for an access token

POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

slide-20
SLIDE 20

You Authorization Server Client Application Resource Server

  • 7. Here you are
  • 6. I want to trade my

authorization code for an access token

HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

slide-21
SLIDE 21

You Authorization Server Client Application Resource Server

Give me some resources. Here is my access token, btw.

… GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

slide-22
SLIDE 22

More flows & Extensions

  • Implicit Grant
  • Resource Owner Password

Credentials Grant

  • Client Credentials Grant
  • Refresh T
  • ken Grant
  • Standard & custom Extensions
  • Standards based on OAuth 2.0
slide-23
SLIDE 23

Criticism

  • T
  • o many compromises
  • No built-in security
  • Relies solely on SSL
  • Bearer T
  • ken
  • Self-encrypted token
slide-24
SLIDE 24

Tips

  • Turn MAY into MUST
  • Use HMAC T
  • kens
  • Use HMAC to sign Content
  • No self-encrypted token
  • Always check the SSL Certificate
slide-25
SLIDE 25

How does the code feel like?

using Apache Amber 0.22

slide-26
SLIDE 26

You Authorization Server Client Application Resource Server

  • 1. I want an

authorization code

  • 4. Here is an authorization code for client XYZ
  • 3. User: „Yes, it‘s okay“

2.Client XYZ wants an authorization code

  • 5. Here you are

GET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com

slide-27
SLIDE 27

Authorization Endpoint (1)

@Path("/authorize") public class AuthorizationEndpoint { @Context private SecurityDataStore securityDataStore; @GET @Consumes(OAuth.ContentType.URL_ENCODED) public Response authorize(@Context HttpServletRequest request) { // Do the required validations OAuthAuthzRequest oauthRequest = wrapAndValidate(request); validateRedirectionURI(oauthRequest); // Actual authentication not defined by OAuth 2.0 // Here a forward to a login page is used String loginURI = buildLoginURI(oauthRequest); return Response.status(HttpServletResponse.SC_FOUND) .location(new URI(loginUri)).build(); } ...

slide-28
SLIDE 28

Authorization Endpoint (2)

... private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req) { // Implicitly validates the request locally return new OAuthAuthzRequest(req); } ...

slide-29
SLIDE 29

Authorization Endpoint (3)

... private void validateRedirectionURI(OAuthAuthzRequest oauthReq) { String redirectionURISent = oauthReq.getRedirectURI(); String redirectionURIStored = securityDataStore .getRedirectUriForClient(oauthReq.getClientId()); if (!redirectionURIStored .equalsIgnoreCase(redirectionURISent)) { OAuthProblemException oAuthProblem = OAuthProblemException .error(OAuthError.CodeResponse.ACCESS_DENIED, "Invalid Redirection URI");

  • AuthProblem.setRedirectUri(redirectionURISent);

throw oAuthProblem; } } ...

slide-30
SLIDE 30

Authorization Endpoint (4)

... private String buildLoginURI(OAuthAuthzRequest oauthRequest) { String loginURI = getBaseLoginURI(); // As an example loginURI += "&" + OAuth.OAUTH_RESPONSE_TYPE + "=“ + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE); loginURI += "?" + OAuth.OAUTH_CLIENT_ID + "=“ + oauthRequest.getClientId(); loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "=“ + redirectUri; loginURI += "&" + OAuth.OAUTH_SCOPE + "=“ + getParam(OAuth.OAUTH_SCOPE); loginURI += "&" + OAuth.OAUTH_STATE + "=“ + getParam(OAuth.OAUTH_STATE); return loginURI; } }

slide-31
SLIDE 31

You Authorization Server Client Application Resource Server

  • 1. I want an

authorization code

  • 4. Here is an authorization code for client XYZ
  • 3. User: „Yes, it‘s okay“

2.Client XYZ wants an authorization code

  • 5. Here you are

HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz

slide-32
SLIDE 32

Login page handler

private void getAndSendAuthorizationCode(HttpServletRequest req, HttpServletResponse resp) { // Assuming login was successful and forwarded // parameters can be found in the request String userId = (String) request.getAttribute("userId"); String clientId = (String) request.getAttribute(OAuth.OAUTH_CLIENT_ID); // Create a new authorization code and store it in the database String authzCode = securityDataStore.getAuthorizationCode(userId, clientId); // Redirect back to client String redirectUri = (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI); redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode); redirectUri += "&" + OAuth.OAUTH_STATE + "=“ + request.getAttribute(OAuth.OAUTH_STATE); resp.sendRedirect(redirectUri); }

slide-33
SLIDE 33

You Authorization Server Client Application Resource Server

  • 7. Here you are
  • 6. I want to trade my

authorization code for an access token

POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

slide-34
SLIDE 34

T

  • ken Endpoint (1)

@Path("/token") public class TokenEndpoint { ... @POST public Response authorize(@Context HttpServletRequest request, @HeaderParam(AUTHORIZATION) String authorizationHeader) { // Do the required validations validateClient(authorizationHeader); OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request); validateRedirectionURI(oauthRequest); OAuthToken token = securityDataStore .exchangeAuthorizationCodeForAccessToken(oauthRequest); OAuthResponse oauthResponse = buildOAuthResponse(token); return Response.status(oAuthResponse.getResponseStatus()) .entity(oAuthResponse.getBody()).build(); } ...

slide-35
SLIDE 35

T

  • ken Endpoint (2)

... private void validateClient(String authorizationHeader) { Pattern headerPattern = Pattern.compile("\\s+"); String[] headerParts = headerPattern.split(authorizationHeader); byte[] encoded = headerParts[1].getBytes(); String decoded = new String(Base64.decode(encoded), Charset.forName("UTF-8")); String[] clientParts = StringUtils.split(decoded, ":", 2); String clientId = clientParts[0]; String clientSecret = clientParts[1]; if (!securityDataStore.isValidClient(clientId, clientSecret)) { ... // Create and throw an OAuthProblemException } } ...

slide-36
SLIDE 36

You Authorization Server Client Application Resource Server

  • 7. Here you are
  • 6. I want to trade my

authorization code for an access token

HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

slide-37
SLIDE 37

T

  • ken Endpoint (3)

... private OAuthResponse buildOAuthResponse(OAuthToken token) { return OAuthASResponse .tokenResponse(HttpServletResponse.SC_OK) .setAccessToken(token.getAccessToken()) .setTokenType(TokenType.BEARER) .setExpiresIn(token.getExpiresIn()) .setRefreshToken(token.getRefreshToken()) .setScope(token.getScope()) .buildJSONMessage(); } }

slide-38
SLIDE 38

You Authorization Server Client Application Resource Server

Give me some resources. Here is my access token, btw.

… GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

slide-39
SLIDE 39

Resource Filter (1)

public class AuthorizationFilter implements ContainerRequestFilter { @Context private SecurityDataStore securityDataStore; @Context private HttpServletRequest httpServletRequest; @Override public ContainerRequest filter(ContainerRequest request) { String accessToken = extractAccessToken(); validateAccessToken(accessToken); return request; } ...

slide-40
SLIDE 40

Resource Filter (2)

... private String extractAccessToken() { OAuthAccessResourceRequest oauthRequest = new OAuthAccessResourceRequest(httpServletRequest); return oauthRequest.getAccessToken(); } ...

slide-41
SLIDE 41

Resource Filter (3)

... private void validateAccessToken(String accessToken) { if (!securityDataStore.isValidAccessToken(accessToken)) { throw new AuthorizationFailedException( "Unknown or expired token!"); } } }

slide-42
SLIDE 42

Summary

  • OAuth 2.0 is ready for use
  • Quite easy to use
  • Don‘t go for least security
slide-43
SLIDE 43

Uwe Friedrichsen

@ufried

uwe.friedrichsen@codecentric.de http://www.slideshare.net/ufried/ http://blog.codecentric.de/author/ufr

slide-44
SLIDE 44