ìOAuth & OpenID Connect

Fall2017SecureSoftwareSystems

1

OAuth for Sign-In

Fall2017SecureSoftwareSystems

2

OAuth for Sign-In

Fall2017SecureSoftwareSystems

3

Sign-InWith…

OAuth for Sign-In

ì Assume:You’realreadyloggedinwithFacebook(webbrowserhascookie)

ì Facebookwillgivelimitedaccountinformation(Email,publicprofile,…)tonewserviceforaccountcreationpurposes

ì Facebookpasswordisnotshared

ì NewservicecannotposttoyourFacebookaccount

Fall2017SecureSoftwareSystems

4

OAuth for Third Party Access

Fall2017SecureSoftwareSystems

5

OAuth Workflow [Google]

ì Anonymoususervisitsyourwebsite/app

ì UserwantstouseGoogleIdentity

ì Theyclicka “LogIn” buttononyoursite/appandareredirectedtoGoogle’swebsite,andarepromptedtoacceptcertainpermissions

ì Iftheyacceptthesepermissions,Googlewillredirecttheuserbacktoyourwebsitealongwithan authorizationcode.

ì Youcanexchangethiscodeforaccess tokenandrefresh token

ì Youcantheseusethis accesstoken toactuallyretrievetheuser’sinformation viaAPIfromGoogle.Therefresh tokenisusedwhentheaccesstokenexpires.

Fall2017SecureSoftwareSystems

6

https://developers.google.com/identity/protocols/OAuth2

OAuth Workflow [Google]

Fall2017SecureSoftwareSystems

7

(1)UserwantstologinviaGoogle

(2)RedirecttoGoogle’sAuthorizationServer:https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=http%3A%2F%2Foauth2.example.com%2Fcallback&response_type=code&client_id=client_id

redirect_uri isYOURAPP(wheretogoafterauthorization)client_id isYOURAPP(needAPIkeyfromGoogle)

(3)Googlepromptsuserforconsent

(4)Googleredirectsbacktoyourapp(viaredirect_uri)andprovidesauthorizationcodehttps://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7

https://developers.google.com/identity/protocols/OAuth2WebServer

OAuth Workflow [Google]

Fall2017SecureSoftwareSystems

8

(5)Exchangeauthorizationcode forrefreshandaccesstokens viaHTTP/RESTAPI

POST/oauth2/v4/tokenHTTP/1.1Host:www.googleapis.comContent-Type:application/x-www-form-urlencoded

code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&client_id=your_client_id&client_secret=your_client_secret&redirect_uri=https://oauth2.example.com/code&grant_type=authorization_code

(6)ServerreturnsJSON objectwithaccesstoken(shortlived)andrefreshtoken{"access_token":"1/fFAGRNJru1FTz70BzhT3Zg","expires_in":3920,"token_type":"Bearer","refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"}

(7)UseAccesstoken tocallGoogleAPIforspecificdata

https://developers.google.com/identity/protocols/OAuth2WebServer

OAuth

ì OAuthisaframework,notaprotocolì Implementationsvarybyenterpriseì InteroperabilityLì Youcan’tswitchfromGooglesign-intoFacebook

sign-injustbyreplacinggoogle.com withfacebook.com

ì Nosignaturesorcryptography,justplaintokensthatareprotectedbyTLS(web)

Fall2017SecureSoftwareSystems

9

OAuth and OpenID Connect

ì Twowebstandardsbutwithdifferentgoals

ì OAuthisaframeworkthatprovidesauthorizationì AuthorizeotherwebsitestoaccessyourGoogle

Driveì Finegrainpermission– OKtoread/writeDrivefiles,

butnotaccessyourGMailì DoesnothandlehowyouauthenticatewithGoogle

inthefirstplace– that’sGoogle’sproblem

ì OpenIDConnectisalayerbuiltonOAuththatprovidesauthentication

Fall2017SecureSoftwareSystems

10