Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013
Incorporating OAuth
How to integrate OAuth into your mobile app
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
• The security challenge in context
• Neo-security stack
• OAuth basics
• Overview of other layers
Crucial Security Concerns
[Diagram: Enterprise Security, API Security, Mobile Security]
Identity is Central
[Venn diagram by Gunnar Peterson: Mobile Security, API Security and Enterprise Security overlap; MDM, MAM and AuthZ sit in the overlaps, with Identity at the centre]
Neo-security Stack
• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems & are composed in useful ways
Grandpa SAML & junior OpenID Connect
OAuth Actors
• Client
• Authorization Server (AS)
• Resource Server (RS) (i.e., API)
• Resource Owner (RO)
OAuth Mobile App Flow
[Diagram: the Client gets a token from the AS, then uses the token at the RS]
Request Authorization
Authenticate & Authorize
Register Custom Scheme in App
<activity android:name=".CallbackActivity" …>
    <intent-filter>
        <data android:scheme="twobo" />
        …
    </intent-filter>
</activity>
Callback to Custom Scheme
In the OAuth server, configure the client's callback (redirect URI) to use the custom scheme that was registered in the app
Exchange Code for Token
[Diagram: the authorization code (AC) is exchanged at the AS]
Calling the Token Endpoint
// redirectUri is the twobo:// callback registered earlier; it must match
// the redirect_uri sent in the authorization request
var data = {
    "client_id" : clientId,
    "client_secret" : clientSecret,
    "code" : code,
    "redirect_uri" : redirectUri,
    "grant_type" : "authorization_code" };
$.post(tokenEndpoint, data,
       processAccessToken, "json");
[Diagram: AC sent to the AS; AT and RT returned]
Tokens are Often JWTs
• Pronounced like the English word “jot”
• Lightweight tokens passed in HTTP headers & query strings
• Akin to SAML tokens
  – Less expressive
  – Fewer security options
  – More compact
  – Encoded w/ JSON not XML
Calling the API
Provide AT to API according to bearer token profile
$.ajax({
    url: apiEndpoint,
    dataType: 'json',
    headers: {"Authorization":"Bearer "+accessToken},
    success: processResults });
API May Validate Token
import urllib
import urllib2

def validateToken(self, tokenEndpoint, clientId,
                  clientSecret, accessToken):
    # Ask the OAuth server whether the presented access token is valid
    values = { "client_id" : clientId,
               "client_secret" : clientSecret,
               "grant_type" : "…",
               "token" : accessToken, }
    request = urllib2.Request(tokenEndpoint,
                              urllib.urlencode(values))
    return urllib2.urlopen(request)
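The deck's API validates the AT by asking the OAuth server. When the AT is a JWT, as the earlier slide says it often is, the API can instead check the signature and claims locally. The following is an added example, not code from the deck; it signs and validates an HS256 JWT, and the secret, issuer and audience values are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real API uses the key the AS signs its tokens with.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims, secret):
    """Build an HS256-signed JWT, standing in for the AS issuing an AT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_jwt(token, secret, issuer, audience, now=None):
    """Return the claims if the AT is trustworthy for this API, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # reject 'none' and any unexpected algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")  # payload or signature was tampered with
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```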
App Consumes API Data
• App should only present AT to API
• Never send RT to API
• Use RT to get new AT if AT expires
• App can’t use AT to determine anything about user
Overview of OpenID Connect
• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs
What OAuth is and is not for
• Not for authentication
• Not really for authorization
• For delegation
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com