
Using ArcGIS with OAuth 2.0

Aaron Parecki @aaronpk, CTO, Esri R&D Center Portland


Post on 24-Sep-2020



Page 1: Using ArcGIS with OAuth 2 - Esri · Before OAuth • Services recognized the problems with password authentication • Many services implemented things similar to OAuth 1.0 - Flickr:

Using ArcGIS with OAuth 2.0

Aaron Parecki @aaronpk CTO, Esri R&D Center Portland

Page 2

Before OAuth

• Apps stored the user’s password

• Apps got complete access to a user’s account

• Users couldn’t revoke access to an app except by changing their password

• Compromised apps exposed the user’s password

An Introduction to OAuth 2

Page 3

Before OAuth

• Services recognized the problems with password authentication

• Many services implemented things similar to OAuth 1.0
  - Flickr: “FlickrAuth” frobs and tokens
  - Google: “AuthSub”
  - Facebook: requests signed with MD5 hashes
  - Yahoo: BBAuth (“Browser-Based Auth”)


Page 4

The OAuth 2.0 Spec http://oauth.net/2/

Page 5

Definitions

• Resource Owner: The User

• Resource Server: The API

• Authorization Server: Often the same as the API server

• Client: The Third-Party Application


Page 6

Use Cases

• Web-server apps

• Browser-based apps

• Username/password access

• Application access

• Mobile apps


Page 7

Use Cases – Grant Types

• Web-server apps – authorization_code

• Browser-based apps – implicit

• Application access – client_credentials

• Mobile apps – implicit

Page 8

Creating an App


Page 9

developers.arcgis.com


Page 10

Create an Application


Page 11

Get your app’s client_id


Page 12

Set the redirect_uri


Page 13

Mobile Apps: Implicit Grant

Page 14

Create a Sign-In Button

Page 15

Launch Safari to the ArcGIS Online Authorization Endpoint

github.com/Esri/OAuth2-Demo-iOS

Page 16

The User Signs In

Page 17

Redirect back to your app

oauthdemo://auth#access_token=BAAEEmo2nocQBAFFOeRTd…

ArcGIS Online redirects back to your app using a custom URI scheme.

Access token is included in the redirect, just like browser-based apps.

Page 18

Parse the token from the URL

github.com/Esri/OAuth2-Demo-iOS
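The parsing step above is not shown as code in the deck, so here is an added example (not code from the Esri demo app). It takes the redirect ArcGIS Online sends back after sign-in and extracts what the app needs: for a mobile app the custom-scheme URL with the token in the fragment (page 17), and, because the shape is identical, the browser-based redirect with #token= (page 33) and the web-server redirect with ?code= or ?error= (page 27). Parameter names are the ones on the slides; the default scheme and host come from the slide's oauthdemo://auth example, and the token values in the self-test are constructed. The check that the URL really matches the registered redirect_uri, and the refusal to accept an access token from the query string (the fragment is what keeps it from reaching a server, page 37), are defensive choices of mine rather than steps from the slides. Note also that current OAuth 2.0 guidance (RFC 8252 for native apps and the OAuth 2.0 Security Best Current Practice) steers mobile and browser apps away from the implicit grant toward the authorization code grant with PKCE; the parser handles both redirect forms regardless.

```python
from urllib.parse import parse_qs, urlsplit

# Added example (not code from the Esri demo app). Parses the redirect ArcGIS
# Online sends back after sign-in: the mobile custom-scheme URL with the token
# in the fragment, and the same-shaped browser (#token=) and web-server
# (?code= / ?error=) redirects shown later in the deck.

EXPECTED_SCHEME = "oauthdemo"   # custom URI scheme the app registered as its redirect_uri
EXPECTED_HOST = "auth"


class RedirectError(Exception):
    """The redirect carried an OAuth error or did not match the registered redirect_uri."""


def _single(params, key):
    """Return the one value for key, None if absent; reject duplicated parameters."""
    values = params.get(key)
    if not values:
        return None
    if len(values) != 1:
        raise RedirectError(f"duplicate parameter: {key}")
    return values[0]


def parse_redirect(url, scheme=EXPECTED_SCHEME, host=EXPECTED_HOST):
    """Return {"kind": "token"|"code", "value": ...} for a successful redirect.

    Raises RedirectError for an error redirect (?error= or #error=), for a URL
    whose scheme/host differ from the registered redirect_uri, and for an
    access token that arrived in the query string instead of the fragment.
    """
    parts = urlsplit(url)
    if parts.scheme != scheme or parts.netloc != host:
        raise RedirectError(f"unexpected redirect target: {parts.scheme}://{parts.netloc}")

    query = parse_qs(parts.query, keep_blank_values=True)
    fragment = parse_qs(parts.fragment, keep_blank_values=True)

    # An error wins regardless of where the server put it.
    error = _single(query, "error") or _single(fragment, "error")
    if error:
        raise RedirectError(error)

    # Implicit grant: the token lives in the fragment, which a browser never
    # sends to a server. The deck shows both #access_token= and #token=.
    token = _single(fragment, "access_token") or _single(fragment, "token")
    if token:
        return {"kind": "token", "value": token}
    if _single(query, "access_token") or _single(query, "token"):
        raise RedirectError("access token must arrive in the fragment, not the query string")

    # Authorization code grant: the code comes in the query string.
    code = _single(query, "code")
    if code:
        return {"kind": "code", "value": code}
    raise RedirectError("redirect carried neither a token nor a code")


def redirect_error(url, **kwargs):
    """Convenience for callers and tests: the error text, or None on success."""
    try:
        parse_redirect(url, **kwargs)
    except RedirectError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample redirects (the token value is made up).
    print(parse_redirect("oauthdemo://auth#access_token=CONSTRUCTED_TOKEN_123"))
    print(redirect_error("oauthdemo://auth#error=access_denied"))
```

In the iOS app this would run in the handler that receives the oauthdemo:// URL; for the web-server case pass scheme="https" and the host of your own redirect_uri. Treating an unexpected scheme or host as an error matters because any app that registers the same custom scheme can receive such a URL, so the app should only act on the exact redirect it registered.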

Page 19

The User is Signed In!

Page 20

Mobile Apps

• Use the “Implicit” grant type

• No server-side code needed

• Client secret not used

• Mobile app makes API requests directly

Page 21

Web Server Apps: Authorization Code Grant

Page 22

Create a “Log In” link

Link to: https://www.arcgis.com/sharing/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI



Page 26

User visits the authorization page


https://www.arcgis.com/sharing/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI


Page 27

On success, user is redirected back to your site with auth code

https://example.com/auth?code=AUTH_CODE_HERE

On error, user is redirected back to your site with error code

https://example.com/auth?error=access_denied


Page 28

Server exchanges auth code for an access token

Your server makes the following request

POST https://www.arcgis.com/sharing/oauth2/token

Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Page 29

Server exchanges auth code for an access token

Your server gets a response like the following

{
  "access_token":"RsT5O30zqMLgV3Ia",
  "expires_in":3600,
  "refresh_token":"e1qok2RRua48lXI",
  "username":"aaronpk"
}

or if there was an error:

{
  "error":"invalid_request"
}

Page 30

Browser-Based Apps: Implicit Grant

Page 31

Create a “Log In” link

Link to: https://www.arcgis.com/sharing/oauth2/authorize?response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI


Page 32

User visits the authorization page


https://www.arcgis.com/sharing/oauth2/authorize?response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI


Page 33

On success, user is redirected back to your site with the access token in the fragment

https://example.com/auth#token=ACCESS_TOKEN

On error, user is redirected back to your site with error code

https://example.com/auth#error=access_denied


Page 34

Browser-Based Apps

• Use the “Implicit” grant type

• No server-side code needed

• Client secret not used

• Browser makes API requests directly


Page 35

Grant Type Summary

• authorization_code: Web-server apps

• implicit: Mobile and browser-based apps

• password: Username/password access

• client_credentials: Application access


Page 36

Authorization Code

• User visits auth page
  response_type=code

• User is redirected to your site with auth code
  http://example.com/?code=xxxxxxx

• Your server exchanges auth code for access token
  POST /token
  code=xxxxxxx&grant_type=authorization_code

Page 37

Implicit

• User visits auth page
  response_type=token

• User is redirected to your site with access token
  http://example.com/#token=xxxxxxx

• Token is only available to the browser since it’s in the fragment

Page 38

Client Credentials

• Your server exchanges client ID/secret for access token
  POST /token
  client_id=xxxxxxx&client_secret=yyyyyyy&grant_type=client_credentials

Page 39

Application Access: Client Credentials Grant

Page 40

Client Credentials Grant

POST https://www.arcgis.com/sharing/oauth2/token

Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Response:
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "expires_in":3600
}

Page 41

Accessing Resources

So you have an access token. Now what?

Page 42

Use the access token to make requests

Now you can make requests using the access token.

GET http://www.arcgis.com/sharing/rest/portals/self?token=RsT5OjbzRn430zqMLgV3Ia


Page 43

Eventually the access token may expire

When you make a request with an expired token, you will get this response:

{ "error":"expired_token" }

Now you need to get a new access token!


Page 44

Get a new access token using a refresh token

Your server makes the following request:

POST https://www.arcgis.com/sharing/oauth2/token

grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Your server gets a similar response as the original call to oauth/token, with new tokens:

{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "expires_in":3600,
  "username":"aaronpk"
}
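Pages 28 and 29 (exchanging the code), 42 (calling the API with ?token=) and 43 and 44 (expired_token and the refresh request) describe one server-side loop, so here is an added example that ties them together. It is my code, not Esri's: the endpoint URLs, form fields and the invalid_request / expired_token responses are taken from the slides, while FakeArcGIS, the portals/self response body, the AT1/RT1 token values and the OAuthError messages are constructed so the example runs offline. Two things go beyond the deck and are assumptions: the state parameter on the authorize link is the standard OAuth 2 CSRF check (RFC 6749 §10.12) and I assume the ArcGIS authorize endpoint returns it unchanged alongside ?code=, and the REST call uses https where page 42 shows http, since the token travels in the query string.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not Esri's code. Models the server side of the deck's
# authorization-code flow: build the authorize link, exchange the code, call
# the REST API with ?token=, and refresh when the API answers expired_token.
# HTTP is injected as two callables, so it runs offline against FakeArcGIS.

AUTHORIZE_URL = "https://www.arcgis.com/sharing/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"


class OAuthError(Exception):
    pass


def build_authorize_url(client_id, redirect_uri, state):
    # state (e.g. secrets.token_urlsafe(16), kept in the user's session and compared
    # on return) is the OAuth 2 CSRF check of RFC 6749 §10.12. The slides omit it;
    # assumption: the endpoint returns it unchanged next to ?code=.
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


class TokenClient:
    """Keeps the client secret and tokens server-side; the browser only sees the code."""

    def __init__(self, client_id, client_secret, redirect_uri, http_post, http_get):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.http_post, self.http_get = http_post, http_get  # (url, form) -> body, (url) -> body
        self.access_token = self.refresh_token = None

    def _token_request(self, **fields):
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **fields}
        resp = json.loads(self.http_post(TOKEN_URL, form))
        if "error" in resp:  # e.g. {"error":"invalid_request"} as on page 29
            raise OAuthError(resp["error"])
        self.access_token = resp["access_token"]
        if "refresh_token" in resp:  # on the slides only the code exchange returns one
            self.refresh_token = resp["refresh_token"]
        return resp

    def exchange_code(self, code):
        return self._token_request(grant_type="authorization_code", code=code,
                                   redirect_uri=self.redirect_uri)

    def refresh(self):
        if not self.refresh_token:
            raise OAuthError("no refresh token; the user must sign in again")
        return self._token_request(grant_type="refresh_token", refresh_token=self.refresh_token)

    def get(self, url):
        """GET a REST resource with ?token=...; on expired_token refresh once and retry."""
        for attempt in (1, 2):
            resp = json.loads(self.http_get(url + "?" + urlencode({"token": self.access_token})))
            if resp.get("error") == "expired_token" and attempt == 1:
                self.refresh()
                continue
            if "error" in resp:
                raise OAuthError(resp["error"])
            return resp


def token_error(call):
    """The OAuth error string raised by call(), or None if it succeeded."""
    try:
        call()
    except OAuthError as exc:
        return str(exc)
    return None


class FakeArcGIS:
    """Constructed stand-in for the token and REST endpoints (not the real service).
    Only the newest token is accepted, so bumping `generation` simulates expiry."""

    def __init__(self):
        self.generation = 0

    def _issue(self, extra):
        self.generation += 1
        return json.dumps({"access_token": f"AT{self.generation}", "expires_in": 3600, **extra})

    def post(self, url, form):
        grant = form.get("grant_type")
        if grant == "authorization_code" and form.get("code") == "AUTH_CODE_HERE":
            return self._issue({"refresh_token": "RT1", "username": "aaronpk"})
        if grant == "refresh_token" and form.get("refresh_token") == "RT1":
            return self._issue({"username": "aaronpk"})
        return json.dumps({"error": "invalid_request"})

    def get(self, url):
        token = parse_qs(urlsplit(url).query).get("token", [None])[0]
        if token != f"AT{self.generation}":
            return json.dumps({"error": "expired_token"})
        return json.dumps({"user": {"username": "aaronpk"}})  # constructed portals/self body


def demo():
    """Sign in, let the token expire server-side, and show the transparent refresh."""
    fake = FakeArcGIS()
    client = TokenClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "https://example.com/auth",
                         fake.post, fake.get)
    client.exchange_code("AUTH_CODE_HERE")
    first = client.access_token  # AT1
    fake.generation += 1         # AT1 is no longer accepted by the fake service
    body = client.get("https://www.arcgis.com/sharing/rest/portals/self")
    return first, client.access_token, body
```

To run against the real service, replace fake.post and fake.get with functions that perform the HTTPS request and return the response body; the control flow does not change. The refresh is retried exactly once so that a token the server keeps rejecting surfaces as an OAuthError instead of an endless loop, and the refresh token and client secret never leave the server process.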

Page 45

Other

Page 46


developers.arcgis.com/en/authentication/

Page 47

oauth.net/2


Page 48

Links

github.com/Esri/OAuth2-Demo-iOS

developers.arcgis.com

Page 49

Thanks.

@aaronpk

[email protected]

github.com/aaronpk