incorporating oauth: how to integrate oauth into your mobile app

Incorporating OAuth How to integrate OAuth into your mobile app By Travis Spencer, CEO @travisspencer , @2botech Copyright © 2013 Twobo Technologies AB. All rights reserved

Upload: nordic-apis

Post on 11-May-2015


DESCRIPTION

Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013

TRANSCRIPT

Page 1: Incorporating OAuth: How to integrate OAuth into your mobile app

Incorporating OAuth

How to integrate OAuth into your mobile app

By Travis Spencer, CEO

@travisspencer, @2botech

Copyright © 2013 Twobo Technologies AB. All rights reserved

Page 2

Agenda

• The security challenge in context
• Neo-security stack
• OAuth Basics
• Overview of other layers

Page 3

Crucial Security Concerns

• Enterprise Security
• API Security
• Mobile Security

Page 4

Identity is Central

Venn diagram by Gunnar Peterson: circles labelled Mobile Security, API Security and Enterprise Security, with Identity at the centre; further labels MDM, MAM and AuthZ.

Page 5

Neo-security Stack

• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems and are composed in useful ways

Image labels: Grandpa SAML & junior OpenID Connect

Page 6

OAuth Actors

• Client
• Authorization Server (AS)
• Resource Server (RS) (i.e., API)
• Resource Owner (RO)

Diagram: the Client gets a token from the AS, then uses the token at the RS.

Page 7

OAuth Mobile App Flow

Page 8

Request Authorization

Page 9

Authenticate & Authorize

Page 10

Register Custom Scheme in App

    <activity android:name=".CallbackActivity" …>
        <intent-filter>
            <!-- VIEW + DEFAULT + BROWSABLE are what let the browser hand a twobo:// redirect to this activity -->
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="twobo" />
        </intent-filter>
    </activity>

Page 11

Callback to Custom Scheme

In the OAuth server, configure the client's callback (redirect URI) to use the custom scheme that the app registered.

Page 12

Exchange Code for Token

Diagram label: AC (authorization code)

Page 13

Calling the Token Endpoint

    // Exchange the authorization code for tokens at the token endpoint.
    // The slide also sent "response_type": "token"; that parameter belongs to the
    // authorization endpoint, not the token endpoint, so it is dropped here. If a
    // redirect_uri was sent in the authorization request it must be repeated too.
    var data = {
        "client_id"     : clientId,
        "client_secret" : clientSecret,   // a secret shipped inside a mobile app can be extracted
        "code"          : code,
        "grant_type"    : "authorization_code"
    };
    $.post(tokenEndpoint, data, processAccessToken, "json");

Diagram: AC (authorization code) is exchanged for AT, RT (access token, refresh token).
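Handling the custom-scheme callback from pages 10 and 11 and building the token request from page 13, as an added Python example that is not from the slides. It assumes the `twobo` scheme from the manifest and a constructed redirect URI `twobo://callback`, and adds a `state` check that the slides do not show so the app only exchanges a code it asked for.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; a real app generates a fresh state per request.
CUSTOM_SCHEME = "twobo"            # the scheme registered in the Android manifest
REDIRECT_URI = "twobo://callback"  # assumed redirect URI configured at the OAuth server


def new_state() -> str:
    """Unguessable per-request value that binds the callback to this authorization request."""
    return secrets.token_urlsafe(16)


def parse_callback(uri: str, expected_state: str) -> str:
    """Extract the authorization code from the custom-scheme callback URI.

    Rejects callbacks on any other scheme, callbacks carrying an error from the
    authorization server, and callbacks whose state does not match the value this
    app sent (a mismatch means the redirect was not the answer to our request).
    """
    parts = urlsplit(uri)
    if parts.scheme != CUSTOM_SCHEME:
        raise ValueError("callback on unexpected scheme: %r" % parts.scheme)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        raise ValueError("authorization server returned error: %s" % params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch; ignoring callback")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


def token_request_body(code: str, client_id: str, client_secret: str) -> str:
    """Form body for the token endpoint (grant_type=authorization_code).

    response_type is an authorization-endpoint parameter and is deliberately absent;
    redirect_uri repeats the value used in the authorization request.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    })
```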

Page 14

Tokens are Often JWTs

• Pronounced like the English word "jot"
• Lightweight tokens passed in HTTP headers & query strings
• Akin to SAML tokens
  • Less expressive
  • Fewer security options
  • More compact
  • Encoded w/ JSON not XML

Page 15

Calling the API

Provide AT to API according to bearer token profile

    $.ajax({
        url: apiEndpoint,
        dataType: 'json',
        headers: {"Authorization": "Bearer " + accessToken},
        success: processResults
    });

Page 16

API May Validate Token

    import urllib.parse
    import urllib.request

    def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
        # The API asks the OAuth server whether the presented access token is
        # valid, authenticating itself with its own client credentials.
        values = {"client_id": clientId,
                  "client_secret": clientSecret,
                  "grant_type": "…",            # server-specific value, elided on the slide
                  "token": accessToken}
        body = urllib.parse.urlencode(values).encode("ascii")
        request = urllib.request.Request(tokenEndpoint, body)
        return urllib.request.urlopen(request)
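A check the API can make locally, instead of the round trip to the OAuth server shown above, as an added Python example that is not from the slides: verify an HS256 JWT's signature, expiry and issuer with the standard library only, for the JWT-format tokens of page 14. The shared key, issuer and claims are constructed values, and `make_jwt` exists only to mint the sample token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, key: bytes, expected_issuer: str, now: Optional[int] = None) -> dict:
    """Check an HS256 JWT's signature, expiry and issuer and return its claims.

    Nothing is returned unless every check passes, so the API never acts on claims
    it has not authenticated. Only HS256 is accepted: the 'alg' header is never
    trusted to choose the algorithm, which is what lets 'none' tokens slip through.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("JWT must have exactly three segments")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    signed = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or has no exp claim")
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; here only to construct a sample token for verify_jwt."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```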

Page 17

App Consumes API Data

• App should only present AT to API
• Never send RT to API
• Use RT to get new AT if AT expires
• App can't use AT to determine anything about user

Page 18

Overview of OpenID Connect

• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs

Page 19

What OAuth is and is not for

• Not for authentication
• Not really for authorization
• For delegation

Page 20

Questions & Thanks

@2botech
@travisspencer
www.2botech.com
travisspencer.com

Page 21