OAuth 2.0 - Assaf Arkin
DESCRIPTION
Assaf Arkin, Flowtown

You're building an API and the question comes up: how do you let client applications authenticate against it? Giving a username/password to third-party client applications is a security anti-pattern; you don't want to do that. API keys are better, but confusing for the average user. So we're going to look at solving that with OAuth 2.0. If you have used Facebook Connect to allow a non-Facebook application restricted access to your Facebook account, you've used OAuth 2.0. Let's talk about what OAuth 2.0 is, how it works, and how to add support to your application/API. We'll cover authentication flows for Web apps, mobile, desktop and even command-line tools, and talk about access control patterns that are based not on users and roles but on client applications and requested access scopes. This talk will cover rack-oauth2-server, an open source OAuth 2.0 Authorization Server module: https://github.com/flowtown/rack-oauth2-server

TRANSCRIPT
Assaf Arkin
OAuth 2.0
Wednesday, July 27, 11
OWNED!!!
Simple to connect new application
No giving password
Authorize limited permissions
Revoke individual client application
Each access token is tied to an end-user, a client application, a resource and a scope.
OAuth 2.0 draft 10: OAuth scheme
OAuth 2.0 draft 20: two extensions
Bearer Token
MAC Access Authentication
OAuth 1.0, similar to 2.0 + MAC
Authorization code flow between Client Application and Authorization Server:
1. Client redirects user to authorization endpoint (Client ID, Redirect URI, Scope)
2. User authenticates
3. User grants authorization request
4. Authorization server redirects user back to application with Authorization code
5. Client exchanges access grant for access token (Client ID, Redirect URI)
6. Authorization server grants Access token (w/ optional Refresh token)
7. Client stores token in safe place
8. Client accesses Protected resource with Access token
1. Authenticate
2. Verify application
3. Verify scope
4. Authorize
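The authorization code flow and the four authorization-server steps above, as an added Ruby example that is not code from the talk or from rack-oauth2-server; it is a constructed in-memory server, and any client ids, secrets and redirect URIs used with it are made-up sample values.

```ruby
require 'securerandom'
# Constructed example, not rack-oauth2-server: an in-memory OAuth 2.0 authorization server.
class AuthServer
  CODE_TTL = 60 # seconds an authorization code stays valid
  def initialize
    @clients = {} # client_id => { secret:, redirect_uri:, scopes: }
    @codes   = {} # authorization code => grant details, single use
    @tokens  = {} # access token => { user:, client_id:, scope: }
  end
  def register_client(client_id, secret, redirect_uri, scopes)
    @clients[client_id] = { secret: secret, redirect_uri: redirect_uri, scopes: scopes }
  end

  # Authorization endpoint: user has authenticated and granted; verify app and scope.
  def authorize(user, client_id, redirect_uri, scope)
    client = @clients[client_id]
    raise 'unknown client' unless client
    raise 'redirect_uri mismatch' unless client[:redirect_uri] == redirect_uri
    raise 'scope not allowed' unless (scope - client[:scopes]).empty?
    code = SecureRandom.hex(16)
    @codes[code] = { user: user, client_id: client_id, scope: scope,
                     redirect_uri: redirect_uri, expires: Time.now + CODE_TTL }
    code
  end

  # Token endpoint: one-time exchange of the authorization code for an access token.
  def exchange(code, client_id, client_secret, redirect_uri)
    grant = @codes.delete(code) # deleted on first use, so a replayed code fails
    raise 'invalid code' unless grant
    raise 'code expired' if grant[:expires] < Time.now
    client = @clients[client_id]
    raise 'bad client credentials' unless client && client[:secret] == client_secret
    raise 'code issued to another client' unless grant[:client_id] == client_id
    raise 'redirect_uri mismatch' unless grant[:redirect_uri] == redirect_uri
    token = SecureRandom.hex(16)
    @tokens[token] = { user: grant[:user], client_id: client_id, scope: grant[:scope] }
    token
  end

  # Protected resource: token must exist and its scope must cover the request.
  def access(token, required_scope)
    t = @tokens[token]
    t if t && t[:scope].include?(required_scope)
  end

  # Revoking one client application invalidates only that client's tokens.
  def revoke_client(client_id)
    @tokens.delete_if { |_, t| t[:client_id] == client_id }
  end
end
```

Each issued token records the end-user, client application and scope, which is what lets the resource check scope and lets revocation target a single client.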
Desktop/mobile applications open in-app browser (e.g. UIWebView)
Command line can open <url>, final page asks user to copy & paste access token
High trust applications can exchange username/password for access token
Client applications should not ask users for their password
OAuth provides an alternative flow that balances convenience and security
It can support Web applications, desktop and mobile, even command line tools
Not complicated or terribly hard, existing tools help a lot
First time might trip and fall, some new concepts to wrap head around
Almost one year in, ongoing maintenance cost has been zero for us