Protecting web APIs with OAuth 2.0


Published on October 23, 2014

Author: vladimirdzhuvinov

Source: slideshare.net

Description

How to control access to web APIs and other protected resources with OAuth 2.0, and how to identify users with OpenID Connect. The talk is intended for web architects and programmers, as well as for any developer who wants to learn more about the new web protocols for authorisation and authentication.

1. Protecting web APIs with OAuth 2.0 Vladimir Dzhuvinov

2. Bearer token (diagram: a client presents a bearer token to your cool web API)

3. HTTPS request with a bearer token

GET /client-reg HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

In the Authorization header, "Bearer" is the type (the HTTP authentication scheme) and the string after it is the token value. Whoever holds the token can use it, which is what "bearer" means: the request must travel over TLS (HTTPS), and the token should not be logged or put in a URL query string.

4. Successful HTTP response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{ … }

5. On missing token

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

6. On invalid / expired token

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token"

7. On token with insufficient privileges

HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error="insufficient_scope"

The split matters for clients: 401 (token missing, malformed, expired or otherwise invalid) tells the client to obtain a new token, while 403 with insufficient_scope says the token is valid but was issued with too narrow a scope, so a fresh token must be requested for the scope the endpoint needs (the API may name it in a scope="..." attribute). RFC 6750 also defines error="invalid_request" with status 400 for a malformed request, e.g. one that carries the token in two places at once.

8. To learn more about bearer token usage, see RFC 6750 [ http://tools.ietf.org/html/rfc6750 ]

9. How does your web API decode the access tokens? (diagram: Your Web API)

10. Typical authorisation attributes associated with an access token
● Scope: e.g. read, write, admin...
● Expiration time
● User ID
● Client ID
● Issuer

11. The 2 possible token encodings
● Self-contained (e.g. a signed JWT):
– The web API only needs to verify the signature; an RSA signature verification takes < 1 ms
– Scale extremely well
– Caveat: cannot be revoked before expiry unless the API also checks a revocation list, so keep lifetimes short
● Identifier-based (an opaque random string):
– Require a lookup at the authorisation server (a web API call) on every request, ~100+ ms
– Don't scale well, avoid (unless immediate revocation matters more to you than latency)

12. JSON Web Tokens (JWT)

eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2lkIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hope7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU

Syntax: BASE64URL(header) + "." + BASE64URL(JSON-claims) + "." + BASE64URL(RSA-signature)

The header and claims are only base64url-encoded, not encrypted: anyone holding the token can read them, so do not put secrets in the claims.

13. JSON Web Tokens (JWT)

Header
{ "alg": "RS256", "kid": "1" }

Claims
{
  "sub": "alice",
  "cid": "000123",
  "iss": "https://connect2id.com",
  "exp": 1414065134,
  "iat": 1414064534,
  "scp": [ "read", "write", "admin" ]
}

Signature (RSA, truncated on the slide)
fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Cc

The kid header names the key the web API should use to verify the signature. The API must accept only the algorithm it expects (here RS256) rather than whatever alg value the token itself claims, otherwise a token with "alg": "none" or an HMAC alg computed over the public key would pass.

14. To learn more about JWT, see draft-ietf-oauth-json-web-token-29 [ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ] (later published as RFC 7519)
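The checks from slides 3 to 7 and the token layout from slides 12 and 13, as an added example that is not part of the presentation and not code from the Nimbus library. It is Go using only the standard library: it mints an RS256 access token carrying the slide 13 claims, verifies it, and maps the result to the RFC 6750 responses. The claim names cid and scp follow the slide; the key pair, the token lifetime and the requiredScope parameter are assumptions made here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims mirrors slide 13; "cid" and "scp" are this server's own claim names.
type Claims struct {
	Sub string   `json:"sub"`
	Cid string   `json:"cid"`
	Iss string   `json:"iss"`
	Exp int64    `json:"exp"`
	Iat int64    `json:"iat"`
	Scp []string `json:"scp"`
}

var b64 = base64.RawURLEncoding // JWS uses BASE64URL without padding

// MintRS256 builds BASE64URL(header).BASE64URL(claims).BASE64URL(signature),
// signing the first two parts with RSASSA-PKCS1-v1_5 over SHA-256 (alg RS256).
func MintRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 accepts only alg RS256 (a header saying "none" or an HMAC alg is
// rejected), verifies the signature before reading any claim, then checks the
// issuer and expiry. Choosing the key by kid is left to the caller.
func VerifyRS256(token string, pub *rsa.PublicKey, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Iss != wantIss {
		return nil, errors.New("wrong issuer")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("expired")
	}
	return &c, nil
}

// Outcome is the status and WWW-Authenticate header the web API sends back.
type Outcome struct {
	Status          int
	WWWAuthenticate string // empty on success
}

// Authorize maps the Authorization header of a request to the RFC 6750
// outcomes on slides 4 to 7, given the scope value the endpoint requires.
func Authorize(authz string, pub *rsa.PublicKey, iss, requiredScope string, now time.Time) Outcome {
	fields := strings.SplitN(strings.TrimSpace(authz), " ", 2)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") || strings.TrimSpace(fields[1]) == "" {
		return Outcome{401, "Bearer"} // no token at all
	}
	claims, err := VerifyRS256(strings.TrimSpace(fields[1]), pub, iss, now)
	if err != nil {
		return Outcome{401, `Bearer error="invalid_token"`}
	}
	for _, s := range claims.Scp {
		if s == requiredScope {
			return Outcome{200, ""}
		}
	}
	return Outcome{403, `Bearer error="insufficient_scope", scope="` + requiredScope + `"`}
}
```

A web API would generate the key pair once (or fetch the authorisation server's public keys by kid) and call Authorize on every request; the signature is checked before any claim is parsed, so a tampered claims part or a forged alg never reaches the scope decision.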

15. The ultimate Java library for JWT: Nimbus JOSE+JWT, http://connect2id.com/products/nimbus-jose-jwt. Thousands of deployments, tens of reviewers and contributors: Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical School, unnamed banks, etc.

16. Who issues the access tokens?

17. Your authorisation server authenticates users and clients and issues tokens. (Diagram: a mobile app, a web app and a native app obtain tokens from the OAuth 2.0 server and present them to the Web APIs.) The Web APIs service the requests and need only understand access tokens.

18. The OAuth 2.0 grants
● Authorisation code: requires a browser for end-user interaction; the client receives a short-lived code on its redirect URI and exchanges it for tokens at the token endpoint
● Implicit: for browser (JS) based apps; the access token comes back directly in the redirect URI fragment, so it is exposed to the browser history and to any script on the page
● Password: for native apps; the client handles the user's password itself, so only trusted first-party clients should use it
● Client credentials: for clients acting on their own behalf, with no end user involved
● Assertions: SAML 2.0 Bearer, JWT Bearer (a signed assertion from an existing trust relationship is exchanged for an access token)

19. To learn more about OAuth 2.0 See RFC 6749 [ http://tools.ietf.org/html/rfc6749 ]
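The authorisation code grant from slide 18, as an added client-side example that is not part of the presentation: the three messages of RFC 6749 section 4.1 (the redirect to the authorisation endpoint, the callback carrying the code, and the form body of the token request), plus the client_secret_basic header from section 2.3.1. It is Go using only the standard library. The endpoint URLs, the client ID, the client secret and the callback values used in the comments and tests are constructed for illustration; the state check is the part most often skipped in practice, and it is what stops an attacker from planting their own code in the victim's session.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
)

// NewState returns 32 random bytes, BASE64URL-encoded, for the state parameter.
// The client stores it in the user's session before redirecting the browser.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizationRequest builds the URL the client redirects the browser to
// (RFC 6749 section 4.1.1), e.g. https://c2id.com/login?response_type=code&...
func AuthorizationRequest(authzEndpoint, clientID, redirectURI, scope, state string) (string, error) {
	u, err := url.Parse(authzEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ParseCallback handles the redirect back to the client (section 4.1.2).
// A state that does not match the one stored in the session means this
// session never asked for the code (CSRF / code injection), so the code is
// discarded instead of being exchanged.
func ParseCallback(callbackURL, sessionState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if sessionState == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(sessionState)) != 1 {
		return "", errors.New("state mismatch")
	}
	if e := q.Get("error"); e != "" {
		return "", errors.New("authorisation server returned " + e)
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("missing code")
	}
	return code, nil
}

// TokenRequest is the form body POSTed to the token endpoint (section 4.1.3).
// redirect_uri must repeat the value sent in the authorisation request.
// client_id is omitted because the client authenticates with ClientBasicAuth.
func TokenRequest(code, redirectURI string) url.Values {
	return url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {redirectURI},
	}
}

// ClientBasicAuth builds the Authorization header for client_secret_basic
// (section 2.3.1): id and secret are form-urlencoded before Basic encoding.
func ClientBasicAuth(clientID, secret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(secret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}
```

The token endpoint's reply is the JSON from slide 4 (access_token, token_type "Bearer", expires_in), which the client then presents as in slide 3; if the server also supports OpenID Connect and "openid" was in the scope, the same reply carries the id_token of slide 20.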

20. OpenID Connect
● Identity layer on top of the OAuth 2.0 framework
● The server issues an ID token in addition to the access token. The ID token is a signed JWT with claims:
– Subject (sub): the end-user ID
– Issuer (iss): the authority
– Issue and expiration time (iat, exp)
– Audience (aud): the intended recipients, i.e. the client ID(s)
– Authentication strength and methods (acr, amr)

21. ID token claims

{
  "sub" : "alice",
  "iss" : "https://connect2id.com",
  "iat" : 1414076589,
  "exp" : 1414077489,
  "aud" : [ "000123" ],
  "ip_address" : "10.20.30.40",
  "acr" : "1",
  "amr" : [ "ldap" ]
}

Before trusting an ID token the client verifies the signature with the issuer's published keys, checks that iss is the issuer it expects and that aud contains its own client ID, and rejects the token once exp has passed; if a nonce was sent in the authentication request, the nonce claim must match it. ip_address is not a claim defined by OpenID Connect Core; it is a custom claim of this server.

22. To learn more about OpenID Connect, see [ http://openid.net/connect/ ]:
● OpenID Connect 1.0 Core
● OpenID Connect 1.0 Discovery
● OpenID Connect 1.0 Dynamic Registration
● OpenID Connect 1.0 Session Management
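The relying-party checks for the ID token on slides 20 and 21, as an added example that is not part of the presentation: the claim validation from OpenID Connect Core section 3.1.3.7 that remains after the JWS signature has been verified. It is Go using only the standard library and is fed the slide 21 claims, embedded below as a constant. The Expectations struct, its MaxAge and Nonce fields, and the azp handling for tokens with several audiences are this example's own; the issuer and client ID values come from the slide.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SlideIDToken is the claims set from slide 21, used as sample input.
const SlideIDToken = `{
  "sub" : "alice",
  "iss" : "https://connect2id.com",
  "iat" : 1414076589,
  "exp" : 1414077489,
  "aud" : [ "000123" ],
  "ip_address" : "10.20.30.40",
  "acr" : "1",
  "amr" : [ "ldap" ]
}`

// IDTokenClaims covers the slide 21 claims plus azp and nonce, which the
// Core validation rules refer to. ip_address is custom and simply ignored.
type IDTokenClaims struct {
	Sub   string          `json:"sub"`
	Iss   string          `json:"iss"`
	Iat   int64           `json:"iat"`
	Exp   int64           `json:"exp"`
	Aud   json.RawMessage `json:"aud"` // JWT allows "000123" or ["000123", ...]
	Azp   string          `json:"azp,omitempty"`
	Nonce string          `json:"nonce,omitempty"`
	Acr   string          `json:"acr,omitempty"`
	Amr   []string        `json:"amr,omitempty"`
}

// audiences normalises aud to a slice whether it was a string or an array.
func (c IDTokenClaims) audiences() ([]string, error) {
	var one string
	if err := json.Unmarshal(c.Aud, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Aud, &many); err != nil {
		return nil, errors.New("aud missing or not a string / string array")
	}
	return many, nil
}

// Expectations is what the relying party knows from its configuration and
// from the authentication request it sent (assumed shape for this example).
type Expectations struct {
	Issuer   string
	ClientID string
	Nonce    string        // "" if no nonce was sent
	MaxAge   time.Duration // reject tokens whose iat is older than this; 0 disables
}

// ValidateIDToken applies the checks of OpenID Connect Core 3.1.3.7 to an
// already signature-verified claims set.
func ValidateIDToken(claimsJSON []byte, want Expectations, now time.Time) (*IDTokenClaims, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != want.Issuer {
		return nil, fmt.Errorf("issuer %q, expected %q", c.Iss, want.Issuer)
	}
	auds, err := c.audiences()
	if err != nil {
		return nil, err
	}
	addressedToUs := false
	for _, a := range auds {
		if a == want.ClientID {
			addressedToUs = true
		}
	}
	if !addressedToUs {
		return nil, errors.New("token not addressed to this client")
	}
	// With several audiences azp must be present; whenever present it must name us.
	if (len(auds) > 1 || c.Azp != "") && c.Azp != want.ClientID {
		return nil, errors.New("azp does not name this client")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if want.MaxAge > 0 && now.Sub(time.Unix(c.Iat, 0)) > want.MaxAge {
		return nil, errors.New("token issued too long ago")
	}
	if want.Nonce != "" && c.Nonce != want.Nonce {
		return nil, errors.New("nonce mismatch")
	}
	if c.Sub == "" {
		return nil, errors.New("missing sub")
	}
	return &c, nil
}

func main() {
	c, err := ValidateIDToken([]byte(SlideIDToken),
		Expectations{Issuer: "https://connect2id.com", ClientID: "000123"}, time.Unix(1414076600, 0))
	fmt.Printf("%+v %v\n", c, err)
}
```

Only after these checks pass should the client read sub as the logged-in user and, if its policy needs it, inspect acr and amr to decide whether the authentication was strong enough for the action requested.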
