
OAuth 2.0 for API Security

Use Cases from Real World
Diagram: ABC Social Network ("Welcome John !") shows John's Yahoo contacts: sam@yahoo.com, alice@yahoo.com, bob@yahoo.com. The contacts come from John's Yahoo address book (john@yahoo.com, bob@yahoo.com, tom@gmail.com, harry@yahoo.com).
Pre-Auth Era

Source: https://www.slideshare.net/wso2.org/oauth-based-reference-architecture-for-api-management
Online Movie Tickets Website

Diagram: ABC Movie Tickets, as built by the developer, offers:

● View showtimes
● View theaters
● Reserve seats
● Make payments

* User should be logged-in to perform above operations

Diagram: to support login, the developer must build the identity features alongside the site's own functionality:

● Userstores (LDAP/AD/DB)
● Login
● Password Recovery
● Change Password
● Profile Management
● Store Passwords
● Multi-Factor Authentication


Social Login

Diagram: "Login with Facebook". The user logs in at Facebook, which hands ABC Movie Tickets the details of the logged-in user john@yahoo.com:

Email: john@yahoo.com
First Name: John
Last Name: Doe

Diagram: with social login, the user john (john@yahoo.com) is known to ABC Movie Tickets, which keeps only its own features (view showtimes, view theaters, reserve seats, make payments); the identity features (userstores (LDAP/AD/DB), login, password recovery, change password, profile management, store passwords, multi-factor authentication) are now drawn on the Facebook side.
OAuth 2.0 Framework
https://tools.ietf.org/html/rfc6749

Roles

Roles in OAuth Framework

Diagram: the four roles: User, Client App, Authorization Server and Resource Server.
Roles in OAuth Framework
Resource Owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred
to as an end-user.

Resource Server
The server hosting the protected resources, capable of accepting and responding to protected resource
requests using access tokens.

Client
An application making protected resource requests on behalf of the resource owner and with its authorization.
The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes
on a server, a desktop, or other devices).

Authorization Server
The server issuing access tokens to the client after successfully authenticating the resource owner and
obtaining authorization.
Roles in OAuth Framework

Diagram: the roles in the contacts example. User: the Yahoo user. Client App: Hi5 Social Network. Authorization Server: Yahoo. Resource Server: Yahoo.
Protocol Endpoints

Protocol Endpoints in OAuth
Authorization endpoint
Used by the client to obtain authorization from the resource owner via user-agent redirection.

Token endpoint
Used by the client to exchange an authorization grant for an access token, typically with client
authentication.

Redirection endpoint
Used by the authorization server to return responses containing authorization credentials to the
client via the resource owner user-agent.

Roles in OAuth Framework

Diagram: the protocol endpoints placed on the roles. Redirection Endpoint: at the Client App (Hi5 Social Network). Authorization Endpoint and Token Endpoint: at the Authorization Server (Yahoo). Resource Server: Yahoo. User.
Grant Types

Authorization Code

Diagram: Client App, User Agent, Authorization Server (Authorize endpoint and Token endpoint) and Resource Server.

1. Authz request (Client App → User Agent)
2. Authz request (User Agent → Authorize endpoint)
3. Authz response (code) (Authorization Server → User Agent)
4. Authz response (code) (User Agent → Client App)
5. Token request (code) (Client App → Token endpoint)
6. Token response (access token) (Token endpoint → Client App)
7. access token (Client App → Resource Server)
Implicit

Diagram: Client App, User Agent and Authorization Server (Authorize endpoint).

1. Authz request (Client App → User Agent)
2. Authz request (User Agent → Authorize endpoint)
3. Authz response (access token) (Authorization Server → User Agent)
4. Authz response (access token) (User Agent → Client App)
Resource Owner Password Credentials (password)

Diagram: User, Client App and Authorization Server (Token endpoint).

1. User credentials (User → Client App)
2. Token request (user credentials) (Client App → Token endpoint)
3. Token response (access token) (Token endpoint → Client App)

Password Grant: Example
Client Credentials

Diagram: Client App and Authorization Server (Token Endpoint).

1. Token request (client credentials) (Client App → Token Endpoint)
2. Token response (access token) (Token Endpoint → Client App)
Refresh Tokens

Use of Refresh Tokens

Diagram: the Client App (Ebay) does "Login with Facebook" and sends a Token Request to the Token endpoint of the Facebook Authorization Server; the Token Response carries access_token and refresh_token. When the user purchases an item, the Client App presents the access_token to the Facebook Resource Server (Email, Shipping address) to Request User's Address.

Diagram: the same request later fails: the Facebook Resource Server answers "ERROR: Token Expired".

Diagram: the Client App (Ebay) sends a Refresh Token Request to the Token endpoint and receives a Refresh Token Response with a new access_token and a new refresh_token. It retries Request User's Address with the new access_token and the Resource Server returns Address: XXXXXXXX.

Refresh Token Grant

Diagram: the Client App sends a Refresh Token Request to the Token endpoint of the Facebook Authorization Server; the Refresh Token Response carries a new access_token and a new refresh_token.
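The authorization code steps 2 to 6 and the refresh token grant above, as an added Python example (not code from the slides or from any product): a toy in-memory authorization server. The client registration table, the one-minute code lifetime and the rotation of the refresh token on every refresh are assumptions of this example.

```python
import secrets
import time

class ToyAuthorizationServer:
    """In-memory authorization server (constructed example, not the deck's code)."""

    def __init__(self, clients, token_ttl=3600):
        self.clients = clients      # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes, self.access, self.refresh = {}, {}, {}
        self.token_ttl = token_ttl

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        return client

    def authorize(self, client_id, redirect_uri, scope, user):
        """Step 3: after the user has logged in and consented, issue a one-minute code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request")   # redirect_uri must match the registration
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5 and 6: the token endpoint swaps a code for tokens, with client authentication."""
        self._authenticate_client(client_id, client_secret)
        grant = self.codes.pop(code, None)        # pop: a code can be redeemed once only
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise ValueError("invalid_grant")     # unknown, reused, foreign or stale code
        return self._issue(client_id, grant["user"], grant["scope"])

    def refresh_grant(self, client_id, client_secret, refresh_token):
        """Refresh token grant: a new access token; the refresh token is rotated."""
        self._authenticate_client(client_id, client_secret)
        grant = self.refresh.pop(refresh_token, None)   # the old refresh token dies here
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("invalid_grant")
        return self._issue(client_id, grant["user"], grant["scope"])

    def _issue(self, client_id, user, scope):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "user": user, "scope": scope,
                           "exp": time.time() + self.token_ttl}
        self.refresh[rt] = {"client_id": client_id, "user": user, "scope": scope}
        return {"access_token": at, "token_type": "Bearer", "refresh_token": rt, "scope": scope}
```

A resource server in this toy looks the presented access_token up in `srv.access` and compares its `exp` with the current time, which is the "ERROR: Token Expired" case on the slides.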
OAuth 2.0 Token Introspection
https://tools.ietf.org/html/rfc7662
Token Introspection

Diagram: the Client App obtains an access_token from the Facebook Authorization Server (Token Request, Token Response) and presents it to the Resource Server to Request User Resource (Email, Profile, Photos, Statuses).

Diagram: the same flow with introspection. On receiving the access_token, the Resource Server sends an Introspection Request carrying the access_token to the Token Introspection Endpoint of the Authorization Server and receives an Introspection Response before serving the resource.
Token Introspection Request

POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=mF_9.B5f-4.1JqM&token_type_hint=access_token
Token Introspection Response

Valid Token:

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "read write dolphin",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}

Invalid Token:

{
  "active": false
}
Token Introspection

Diagram: the Client App sends a Token Request with scope=Profile and receives an access_token in the Token Response. It then asks the Resource Server "Give me photos". The Resource Server sends an Introspection Request with the access_token to the Token Introspection Endpoint; the Introspection Response says Active: true, Scope: Profile. The Resource Server (Email, Profile, Photos, Statuses) now has to decide ("?") whether a token scoped to Profile may fetch Photos.
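One way the Resource Server can answer the "?" above, as an added Python example (not from the slides or from any product): build the RFC 7662 introspection request shown earlier, then enforce active, expiry, audience and scope from the parsed introspection response. The resource-to-scope table and the function names are assumptions of this example.

```python
import base64
import time
from urllib.parse import urlencode


def introspection_request(token, rs_client_id, rs_secret, hint="access_token"):
    """Headers and form body of the POST /introspect request shown on the slide;
    the resource server authenticates to the introspection endpoint with HTTP Basic."""
    creds = base64.b64encode(f"{rs_client_id}:{rs_secret}".encode()).decode()
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    return headers, urlencode({"token": token, "token_type_hint": hint})


# Which scope each resource on the slide requires: the resource server's own
# policy, assumed for this example.
RESOURCE_SCOPES = {"email": "Email", "profile": "Profile",
                   "photos": "Photos", "statuses": "Statuses"}


def authorize_access(intro, resource, expected_aud, now=None):
    """Decide from an introspection response `intro` (parsed JSON) whether the token
    may read `resource`. Returns (allowed, reason); every check fails closed."""
    now = time.time() if now is None else now
    if intro.get("active") is not True:      # "active" is the only required field
        return False, "token inactive"
    exp = intro.get("exp")
    if exp is not None and exp <= now:       # re-check expiry even though active is true
        return False, "token expired"
    aud = intro.get("aud")                   # aud may be a string or a list
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued for this resource server"
    granted = set(intro.get("scope", "").split())   # space-separated scope string
    needed = RESOURCE_SCOPES.get(resource)
    if needed is None or needed not in granted:
        return False, f"scope {needed!r} not granted (token has {sorted(granted)})"
    return True, f"ok for {intro.get('username', intro.get('sub'))}"
```

With the slide's Scope: Profile response, "Give me photos" is refused and a request for the profile is served.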
OAuth 2.0 Token Revocation
https://tools.ietf.org/html/rfc7009
Token Revocation Request

Diagram: the Client App sends a Token Revocation Request to the Token Endpoint of the Facebook Authorization Server and receives a Token Revocation Response.

POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
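The server side of the revocation request above, as an added Python example (not code from the slides or from any product): a toy endpoint that parses the form body, treats token_type_hint only as a lookup hint (RFC 7009 section 2.1), cascades a refresh-token revocation to the access tokens issued from it, and answers 200 for unknown tokens. The two in-memory tables and the choice to keep a refresh token alive when one of its access tokens is revoked are assumptions of this example.

```python
from urllib.parse import parse_qs


class ToyRevocationEndpoint:
    """In-memory revocation endpoint (constructed example, not the deck's code).
    Each refresh token remembers the access tokens issued from it."""

    def __init__(self):
        self.access = {}    # access_token -> refresh_token that issued it (or None)
        self.refresh = {}   # refresh_token -> set of access tokens issued from it

    def issue(self, access_token, refresh_token=None):
        self.access[access_token] = refresh_token
        if refresh_token is not None:
            self.refresh.setdefault(refresh_token, set()).add(access_token)

    def revoke(self, form_body):
        """Handle the form body of POST /revoke; return the HTTP status code."""
        form = parse_qs(form_body)
        token = form.get("token", [None])[0]
        hint = form.get("token_type_hint", ["access_token"])[0]
        if token is None:
            return 400                       # error=invalid_request
        if hint not in ("access_token", "refresh_token"):
            return 400                       # error=unsupported_token_type
        # RFC 7009 2.1: the hint only orders the lookup; if the token is not found
        # under the hinted type the server must search the other types too.
        other = "refresh_token" if hint == "access_token" else "access_token"
        for kind in (hint, other):
            if kind == "refresh_token" and token in self.refresh:
                # revoking a refresh token also invalidates the access tokens it issued
                for at in self.refresh.pop(token):
                    self.access.pop(at, None)
                return 200
            if kind == "access_token" and token in self.access:
                rt = self.access.pop(token)
                if rt is not None:           # this example leaves the refresh token alive
                    self.refresh.get(rt, set()).discard(token)
                return 200
        # Unknown or already-revoked token: still 200, so the answer does not
        # reveal whether the token ever existed.
        return 200

    def is_active(self, token):
        return token in self.access or token in self.refresh
```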
Thank You !
