
Upload: ross-cook

Post on 18-Dec-2015


EXACT CONNECT EVENT 2015

More clients with OAuth

How OAuthilicious is your app?

Jurjen Boss & Robin van Loon, April 23rd 2015, Delft

© 2015 EXACT | EXACT CONNECT EVENT 2015 | MORE CLIENTS WITH OAUTH

INTRODUCTION: Presenters

Jurjen Boss

Master degree in Electrical Engineering

15+ years IT experience; broad knowledge of product development life cycles

Started as Product Manager, Connectivity team

Now App Delivery Manager, central Eco-system team

Robin van Loon

Bachelor ICT and Certified Ethical Hacker

Started in 2001 with Exact, background in industrial automation

Started as software engineer, Custom Solutions

Now working full time on application security for Exact Online


INTRODUCTION: App delivery management: relation to product delivery

[Diagram with blocks: Plan, Build, Review; Solution team; Product delivery; App delivery; App Center; API; Exact Online; Dev doc]


INTRODUCTION: App delivery management: what's the plan?

Thought leadership
• Presentations, events, publications
• App Center - app delivery process
• Security - OAuth
• Try now

Onboarding
• App delivery process
• Webinar
• International adoption
• Automate review steps

Must-win apps
• Project management
• Consultancy
• Optimal integration
• Cloud apps
• Try now

App Center Quality
• App fact sheets
• Review apps
• Audit


AGENDA

• Cloud security
˃ Introduction
˃ Web Application Security
˃ Rate control
˃ Access by third party services

• OAuth
˃ History
˃ Why is it needed?
˃ What is it?
˃ How does it work?
˃ When is it required?

• App Center Apps
˃ Offer the ultimate try now UX
˃ Provisioning - Application - Deprovisioning


CLOUD SECURITY


CLOUD SECURITY: Introduction (1/2)

• Development teams
• Customers \ Partners
• Support \ Marketing \ Legal
• Operations \ Infra \ ...

• Balancing act:
˃ Security
˃ Functionality
˃ Ease of use

[Diagram: triangle of Security, Functionality and Ease of use]


CLOUD SECURITY: Introduction (2/2)

[Diagram: SDL phases Training, Requirements, Design, Implementation, Verification, Release, Response; pillars Education, Technology and Process, Accountability]

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.


CLOUD SECURITY: Web Application Security (1/2)

• Traditional approach: protect your perimeter
˃ Obviously you still protect your infrastructure
˃ But you open up to the outside world via the application

• Attacks on the application layer increase
˃ Not only your own application

• OWASP Top 10 https://owasp.org
˃ Development team needs to be aware and capable
˃ Security is not complete when the OWASP Top 10 is covered


CLOUD SECURITY: Web Application Security (2/2)

• Train your developers
˃ Improve their skills
˃ Change their mindset

• Threat model your application \ service
˃ A process to understand security threats to a system, determine risks from those threats, and establish appropriate mitigations

• Always verify:
˃ Automated source scans
˃ Automated penetration tests
˃ Security audits


CLOUD SECURITY: Rate control

• Shared infrastructure that needs to be protected

• Define fair use

• How to act?


CLOUD SECURITY: Access by third party services

• Traditionally credentials are used by third party services
˃ Who is using those credentials?
˃ What can you do with those credentials?

• Protect our users and offer a transparent way of working with third party services

• Offer partners a standardized way of connecting to Exact Online


‘OH-OAUTH’


OAUTH: History

• November 2006
˃ Research started to use OpenID with Twitter API to delegate authentication
˃ No open standard for API access delegation

• December 2007
˃ OAuth Core 1.0 specification released

• April 2010
˃ OAuth 1.0 Protocol published

• October 2012
˃ OAuth 2.0 Framework published

• August 2013
˃ OAuth 2.0 for Exact Online released (ready in April 2013)


OAUTH: Why is it needed?

• Credential storage in 3rd party applications

• Get access to all protected data for an unlimited duration

• Access can only be revoked for all 3rd party applications at once, by changing credentials

• Compromise of a 3rd party application results in compromised credentials and all their protected data

• Multiple or re-used credentials


OAUTH: Introduction

• Open standard for authorization

• Only keep track of one set of credentials for a popular provider

• Provides applications secure delegated access to protected data

• Authenticate users via a trusted provider like Google, Twitter, GitHub, etc.

• Optimize sign-up flows to onboard users faster


OAUTH: Definitions

• Protected resource
˃ Data to be protected by OAuth

• Resource owner = USER
˃ User granting access to a protected resource

• Resource server
˃ Server hosting protected resources, accessible with access tokens

• Client = APP
˃ Application accessing protected resources based on resource owner authorization

• Authorization server
˃ Server issuing access tokens to the client based on the authenticated resource owner and its authorization

• Tokens
˃ Used instead of user credentials to access protected resources


OAUTH: Process


OAUTH: Flow diagram


OAUTH: Authorization grant types

• Authorization grant is a credential representing the user's authorization
˃ To access its protected resources
˃ Used by the app to obtain an access token

• 4 grant types
1. Authorization code
2. Implicit
‐ simplified authorization code flow optimized for script-based browser apps
‐ app is issued access token directly
‐ no authorization code issued (app not authenticated)
3. User credentials
‐ obtain access token based on credentials
‐ high degree of trust between app and user (privileged app)
‐ credentials used for single request to exchange for access token
4. App credentials
‐ protected resources under control of app
‐ authorization previously arranged

[Diagram: the four grant types (1 to 4) positioned on the Security / Functionality / Ease of use triangle]
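As an added example (not code from the slides or from Exact's ClientSDK), the client side of the authorization code grant described above in Python: building the authorization request with a per-login state value, checking that state on the callback, and preparing the back-channel token exchange in which the app authenticates itself. The endpoint URLs, client id and secret are placeholders, not Exact Online's documented values.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints (assumed, not Exact Online's documented URLs).
AUTH_ENDPOINT = "https://authserver.example/oauth2/auth"
TOKEN_ENDPOINT = "https://authserver.example/oauth2/token"


def new_state():
    """Unguessable per-login value; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, state):
    """Step 1: send the resource owner (user) to the authorization server;
    response_type=code selects the authorization code grant."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the server redirects back with ?code=...&state=... (or ?error=...).
    Accept the code only if state matches this session's value; otherwise the
    code may belong to another user's login (CSRF / authorization code injection)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: form body to POST to TOKEN_ENDPOINT over the back channel.
    Unlike the implicit grant the client authenticates itself, so the access
    token is delivered to the app directly and never passes through the browser."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri,  # must equal the step 1 value
            "client_id": client_id, "client_secret": client_secret}
```

The token response (access and refresh token) is what the app stores instead of the user's password, which is the whole point of the "why is it needed?" slide: it can be revoked per app without changing credentials.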


OAUTH: Integration cases

CLOUD
• token management in app
• best OAuth implementation

MOBILE
• token management in app
• embedded webview OR system web browser

ON-PREMISE
• token management in app
• embedded webview OR system web browser

BACKEND
• OAuth service: UI, token management
• link OAuth service with backend service
• customized OAuth implementation


OAUTH: How do we help?

• We offer a client library
˃ Currently only .NET
˃ Source code available on GitHub: https://github.com/exactonline/ClientSDK
˃ Rewrite to the library you require?
‐ initiate a pull request
‐ commit new library
˃ Other client libraries (to be built): PHP, Python, Java, JavaScript, …

• Google is your friend ;-)
˃ OAuth 2.0 Playground
˃ Lots of articles, videos, etc.
˃ Exact Online supports the OAuth 2.0 specification, grant types:
‐ authorization code
‐ implicit

• API support specialists team
˃ web request via Exact Online partner account


OAUTH: Migration

• Deprecated authentication services
˃ Basic
˃ Form-based

• Standard authentication service
˃ OAuth
˃ Deadline: 1st of August 2015

• Migration help
˃ Partner
‐ https://developers.exactonline.com/#migration_oauth.html
˃ Customer
‐ https://developers.exactonline.com/#migration_Oauth_Authentication.html
˃ .NET Client SDK
‐ https://github.com/exactonline/ClientSDK


APP CENTER APPS


APP CENTER APPS: Offer the ultimate try now UX

Step #1, Step #2, Step #3

• make it faster and easier to onboard users
• securely get a unique, stable user identifier (no email address)
• personalize your site


APP CENTER APPS: Provisioning flow

• explain functionality of app

• explain app proposition(s)

• explain trial period / pricing model


APP CENTER APPS: Provisioning flow

• explain why the connection needs to be set up

• create connection with Exact Online

• user authorizes access

• app access is similar to user access in Exact Online (roles & rights)


APP CENTER APPS: Provisioning flow

• explain why an account will be created

• retrieve Exact Online account data: ../api/v1/current/Me

• automatically set up app account

• use e.g. Exact Online UserID as identification key


APP CENTER APPS: Provisioning flow

• explain why company needs to be selected

• explain why settings must be configured

• retrieve Exact Online master data

• select company

• configure settings (G/L Accounts, VAT, …)


APP CENTER APPS: Provisioning flow

• explain the app is connected
• trial period
• commercial model after trial
• confirmation mail
• which data is to be synchronized
• synchronization times of data
• how to get support

• after 'DONE' continue to App Center or Partner App platform


APP CENTER APPS: Application flow

start app in Exact Online App Center *

validate Exact Online User ID with App User ID ** (../api/v1/current/Me)

start app directly as signed-in user

* app can also be started from other platforms

** configured during provisioning flow
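The identifier check shared by the provisioning flow ("use Exact Online UserID as identification key") and the application flow above, as an added Python example that is not code from the slides or from Exact: the app keys its own accounts on the UserID returned by ../api/v1/current/Me, never on the e-mail address, and distinguishes an unknown user (provisioning still needed) from a deprovisioned one whose connection may be restored. The OData-style response shape and the account records are constructed assumptions.

```python
import json

# Constructed account store, as filled during the provisioning flow: the key is
# the Exact Online UserID, not the e-mail address (addresses change hands).
ACCOUNTS = {
    "user-id-0001": {"app_user": "alice", "active": True},
    "user-id-0002": {"app_user": "bob", "active": False},  # deprovisioned
}


def extract_user_id(me_response_json):
    """Pull UserID out of a ../api/v1/current/Me body. The OData-style shape
    {"d": {"results": [{...}]}} is an assumption made for this example."""
    body = json.loads(me_response_json)
    results = body.get("d", {}).get("results", [])
    if len(results) != 1 or not results[0].get("UserID"):
        raise ValueError("Me response does not identify exactly one user")
    return results[0]["UserID"]


def resolve_signed_in_user(me_response_json, accounts=ACCOUNTS):
    """Application flow: validate the Exact Online UserID against the app's
    user store and decide how the app may start for this user."""
    user_id = extract_user_id(me_response_json)
    account = accounts.get(user_id)
    if account is None:
        # Unknown to the app: run the provisioning flow before granting access.
        return {"status": "needs_provisioning", "user_id": user_id}
    if not account["active"]:
        # Deprovisioned: the App Center deactivated the connection; offer restore.
        return {"status": "deactivated", "app_user": account["app_user"]}
    return {"status": "signed_in", "app_user": account["app_user"]}


def restore_connection(user_id, accounts=ACCOUNTS):
    """Deprovisioning flow step 'restore connection with Exact Online user?'"""
    account = accounts.get(user_id)
    if account is None:
        return False
    account["active"] = True
    return True
```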

APP CENTER APPS: Deprovisioning flow

• connection with Exact Online user is directly deactivated *

• explain consequences of contract termination

• restore connection with Exact Online user?

* deactivation directly processed by Exact Online App Center


APP CENTER APPS: Deprovisioning flow

• connection restored

• explain connection restored for Exact Online user

• after 'DONE' continue to App Center or Partner App platform


APP CENTER APPS: Deprovisioning flow

• explain final invoice

• show contract termination invoice

• deactivate app account


APP CENTER APPS: Deprovisioning flow

• explain the app is disconnected and the account deactivated

• ask for feedback: why stop using?

• after 'DONE' continue to App Center

THANK YOU

FOCUS ON WHAT'S NEXT