OAuth 2.0 in Depth

By Rohit GhatolDirector @ Synerzip

Passionate about TechNext

Why study about OAuth?

Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png

Do you care about these or Similar Sites?

Browser

Mashups

Facebook

LinkedInFoursquare

Twitter

Http Access

Api Access

7155 APIs listed on http://ProgrammableWeb.com

390 APIs on http://ProgrammableWeb.com support OAuth

Security

Closed ClosedOpen

Authentication Authorization

OAuth In a Nut ShellCan I have your

Debit Card and ATM Pin?

OAuth In a Nut ShellCan I have your

Credit Card?

OAuth Practical Example

Without OAuth

Without OAuth

Without OAuth

Lets Start Again

With OAuth

With OAuth

With OAuth

With OAuth

Lets get Technical

Why OAuth is required?

• What are limitations with Passwords?– Trust – User not trusting– More Access than required– No Support for Granular permissions– Phishing – Helping Phishing activities– Lower Reliability to API interfaces– Unable to revoke access once provided

Why OAuth is required?

• OAuth is required for Delegating Access– To Certain Party– For Certain Resource– For Limited Time– Which can be selectively be revoked

Understand OAuth Roles

Roles

• Resource Owner – e.g Picasa User• Resource Server – e.g Picasa Hosting• Client – e.g Mashup built for Picasa• Authorization Server – e.g Google Auth Server

Resource Owner

• An entity capable of granting access to a protected resource.

• When the resource owner is a person, it is referred to as an end-user

Resource Server

• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Client

• An application making protected resource requests on behalf of the resource owner and with its authorization.

Authorization Server

• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

Client

Resource Owner

Authorization Server

Resource Server

Authorization Request

Authorization Grant

Authorization Grant

Access Token

Access Token

Protected Resource

Protocol Flow

Pre Requisite for OAuth

• Register Application with OAuth Provider– Facebook

• https://developers.facebook.com/apps

– Google• https://code.google.com/apis/console/b/0/?pli=1#

access

– Twitter• https://dev.twitter.com/apps/new

– LinkedIn• https://www.linkedin.com/secure/developer?newapp=

Pre Requisite for OAuth

• This will give you two essential things– client_id– client_secret– Redirect_uri

Tools used to try OAuth

Different ways to Do OAuth

Grant Types

• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant

Client

Resource Owner

Authorization Server

Resource Server

Authorization Request

Authorization Grant

Authorization Grant

Access Token

Access Token

Protected Resource

Protocol Flow

ClientAuthorization

ServerResource

Server

Access Grant & Client Credentials

Access Token & Refresh Token

Access Token

Protected Resource

Protocol Flow

Access Token

Invalid Token Error

Refresh Token & Client Credentials

Access Token & Optional Refresh Token

Live Example Facebook

Step 1 – Get Authorization Code

Understanding the URL

• client_id – The ID of the Client App• redirect_uri – Where to go back after OAuth• scope – Permissions allowed by User• state – Something to pass back to redirect_uri

State which we sent

Authorization Grant Code which needs to be exchanged for Access

Token

Step 2 – Exchange to get Access Code

Important Note

• This Step is to performed at the Server Side. • Why?• Because you need to use your Client ID and

Client Secret along side the Authorization Code you just received to gain an Access Code

• Access Code is required to gain access to protected resources

Understanding the URL

• client_id – The ID of the Client App• client_secret– The Secret of the Client App• redirect_uri– The Registered redirect_uri• code– Authorization Grant Code

Step 3 – Access Protected Resource

Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies

2. Also position as a Query Parameter

Facebook Protected Resource

Facebook Protected Resource

Live Example Google

Step 1 – Get Authorization Code

Understanding the URL

• client_id – The ID of the Client App• redirect_uri – Where to go back after OAuth• scope – Permissions allowed by User• state – Something to pass back to redirect_uri• response_type = “code” means authorization

code• access_type = “offline” to get access to the

“refresh_token”

State which we sent

Authorization Grant Code which needs to be exchanged for Access

Token

Step 2 – Exchange to get Access Code

Step 3 – Access Protected Resource

Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies

2. Also position as a Query Parameter

Google Protected Resource

What happens when access token expires?

Use Refresh_Token to Issue Access_Token

• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant

Grant Types

Client

Resource Owner

Resource Server

Authorization Request

Access Token

Access Token

Protected Resource

Protocol Flow

Live Example Facebook

Step 1 – Get Access Code

Step 1 – Get Access Code

See you directly got the access code

Step 2 – Access Protected Resource

Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies

2. Also position as a Query Parameter

Facebook Protected Resource

Facebook Protected Resource

Live Example Google

Step 1 – Get Access Code

Step 1 – Get Access Code

Step 1 – Get Access Code

See you directly got the access code

Step 2 – Access Protected Resource

Pass the Access Code to access protected resource1. Recommend – HTTP Headers– So this is not cached by proxies

2. Also position as a Query Parameter

Google Protected Resource

PostMan Import Scripts

• Authorization-Grant – http://www.getpostman.com/collections/

0c31cb5910e6a60896f7 • Implicit-Grant – http://www.getpostman.com/collections/

3085769daec37cc41c1a

• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant

Grant Types

Client

Authorization Server

Resource Server

Username/Password

Access Token with Optional Refresh Token

Access Token

Protected Resource

Protocol Flow

Resource Owner

Resource Owner Credentials & Client Credentials

Use Cases

• Strong Trust between Resource Owner and Client e.g Operating System or Privileged App

• Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided

• Example – Salesforce OAuth has provision for this

• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant

Grant Types

Client

Authorization Server

Resource Server

Access Token with Optional Refresh Token

Access Token

Protected Resource

Protocol Flow

Client Credentials

Use case

• The Data accessed is not owned by Resource Owner, but by the Client

• Say Skype showing statistics of uptime of its services

Use case

• There is contract already set between the Client and the Authorization Server

• E.g Google Apps Marketspace

• An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.

OAuth from Mobile Device

Popular Approaches

• Using User Agent (Stock Browser)• Using Embedded WebView

Disclaimer

• Following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

• I have no claim on the following slides with reference stated in them

• Thank you Brian Campbell for the excellent presentation

Request Authorization

When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint

Device

NativeApp

Browser

1

Cloud!

1

Authorization Endpoint

Token Endpoint

Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");

Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);

startActivity(launchBrowser);

NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";

[[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];

https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status

http://

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

Authenticate and Approve The AS authenticates the user

Directly Indirectly via Facebook, Twitter, Google, Yahoo, etc.

Device

NativeApp

Browser

Cloud!

2

Authorization Endpoint

Token Endpoint

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

Approve

Device

NativeApp

Browser

Cloud!

2

Authorization Endpoint

Token Endpoint

User approves the requested access

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

Handle Callback

Server returns control to the app via HTTP redirection and includes an authorization code

HTTP/1.1 302 Found

Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAhttp://

Device

NativeApp

Browser

Cloud!

3

Authorization Endpoint

Token Endpoint

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

<activity android:name=".MyAppCallback” … >

<intent-filter>

<action android:name="android.intent.action.VIEW"/>

<category android:name="android.intent.category.DEFAULT"/>

<category android:name="android.intent.category.BROWSABLE"/>

<data android:scheme="x-com.mycorp.myapp" />

</intent-filter>

</activity>

Handle Callback (cont’d)Registering a custom URI scheme

String authzCode = getIntent().getData().getQueryParameter("code");

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

3

In AndroidManifest.xml file:

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url

{

NSString *queryString = [url query];

NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];

for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {

NSArray *elts = [param componentsSeparatedByString:@"="];

if([elts count] < 2) continue;

[qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];

};

NSString *code = [qsParms objectForKey:@"code"];

...

Handle Callback (cont’d)Registering a custom URI scheme

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

3

In app info plist file:

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

POST /as/token.oauth2 HTTP/1.1

Host: as.example.com

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

Trade Code for Token(s)

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

4

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"token_type":"Bearer",

"expires_in":3600,

"access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”,

"refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8”

}

http://

http://

Token Endpoint Request

Token Endpoint Response

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

POST /api/update-status HTTP/1.1

Host: rs.example.com

Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

status=Almost%20done.

Using an Access Token

http://

Device

NativeApp

Browser

Cloud!

Authorization Endpoint

Token Endpoint

5

NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];

NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];

[request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];

[request setValue:authzHeader forHTTPHeaderField:@"Authorization"];

DefaultHttpClient httpClient = new DefaultHttpClient();

HttpPost post = new HttpPost("https://rs.example.com/api/update-status");

post.setHeader("Authorization", "Bearer " + accessToken);

Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header

Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices

Pros and Cons

• Pros– User may be already

logged in most cases– User will trust as he/she

sees https and domain name

• Cons– Complicated Custom URI

schema

Popular Approaches

• Using User Agent (Stock Browser)• Using Embedded WebView

Pros and Cons

• Pros– Easier to monitor pages

and extract authorization or access codes

• Cons– May not appeal since

neither https or domain name is visible

– WebView has separate cookie and history leading to client entering credentials each time

Open ID Story

Example of OpenID

What are you doing?

Proving you own http://rohitghatol.myopenid.com

Another Example

Wait!!

It’s http://openid.rohitghatol.com your own page, how does open id work then

Discover who is the Identity provider

Behind the Scene

Reference - http://openid.net/pres/protocolflow-1.1.png

Difference between OpenID and OAuth

Open ID• Know who is coming to your

site .

• Delegated Authentication

OAuth• Give rights to certain APIs

.

• Delegated Authorization

Next Steps : OpenID Connect

Disclaimer

• My Understanding on OpenID Connect is limited.

• Me talking about OpenID Connect is an attempt to understand Why it is born and what is the purpose of it

OpenID Connect

OpenID Connect

OpenID Connect

• Why it came into Picture?– Both OpenID and OAuth rely on redirection to

allow client to grant permissions– Protocol Flow is similar – redirection & verification– Passing Permissions to Gain Authentication

(Identity Information) is same as Passing Permission to Gain authority to some APIs

Let’s see a Dummy Flow

Step 1 – Get Access_Code and ID_Token

Build the OAuth URL for id_token & access_token (implicit grant flow)

Dummy Response

https://oauth2demo.appspot.com/oauthcallback# access_token=ya29.AHES6ZSzX & token_type=Bearer& expires_in=3600& id_token =eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY…

ID_Token

• Is a Json Web Token• It can be decrypted to get details• Or • taken to the Check ID Endpoint to get the

decryption done

Step 2 – Verify the Identity by going to Check ID End Point

Verify with Check ID End Point

{ "iss" : "https://accounts.example.com", "user_id" : "113487456102835830811", "aud" : "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com", "exp" : 1311281970, “nounce”:12345677}

What does the response mean?

• “user_id”: Authenticated User• “aud”: client_id so we know its meant for it• “exp”: Expiry• “nounce”: what we sent to prevent replay

attacks

Step 3 – Get User Info from UserInfo EndPoint

UserInfo EndPoint is a special resource accessed by providing access_token

Reference

• Book – Getting Started with OAuth 2.0• Facebook Documentation• Google Documentation• Brian David Campbell’s Presentation