Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Transcription

1 Agenda Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

2 Enter OAuth 2.0 Defines authorization & authentication framework for RESTful APIs An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications. Applied to delegated authorization mitigates password anti-pattern - archetypical use case Provides a standard way to give a key to a third-party which allows only limited access to perform specific functions against REST APIs

3 An Overused Analogy OAuth is your valet key to the Interwebs

4 OAuth Timeline WRAP JWT IETF OAuth 2.0 Info RFC 5849 Community 2007 OAuth 1.0a OAuth

5 OAuth 2.0 Terminology: Roles resource owner: an entity (usually an enduser/person)capable of granting access to a protected resource. client: an application obtaining authorization and making protected resource requests (on behalf of the resource owner). resource server (RS): the server hosting protected resources authorization server (AS): a server capable of issuing tokens, obtaining authorization, and authenticating resource owners.

6 Tokens Access Token creden+al used by client to access protected resources at the RS structure is undefined by the spec(s) usually opaque to the client generally short lived Refresh Token used by client to obtain a new access token when the old one expires client only sends to AS, never to RS generally long lived

7 OAuth 2.0 adop+on Growing number of OAuth 2.0 implementa=ons Salesforce, for authen+ca+ng REST API calls Web server redirect flow Trading SAML asser+on for OAuth access token MicrosoM Azure ACS Evolu+on of OAuth WRAP support Facebook authen+ca+on & authoriza+on for Graph API Mul=ple IdM vendors Ping, Layer7, Apigee, etc. Lots of SaaS vendors - Box, WebEx etc

8 Agenda Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

9 Walk through Identity Provider Ping Service Provider WebEx 1 Device Password SAML 2 3 Token 4 5 OAuth JSON/XML Browser Native App

10

11 SSO Request ----WebEx--- Ping

12 SSO Request <samlp:authnrequest xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" ID="aaf a-fe114412ab72" Version="2.0" IssueInstant=" T09:21:59Z > <saml:issuer> <samlp:nameidpolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid:format:persistent"/> </samlp:authnrequest>

13 User authentication ----WebEx--- Ping

14 User authentication

15 SSO response ----WebEx--- Ping

16 SSO Response <saml:assertion> <saml:issuer> <ds:signature xmlns:ds=" <saml:subject> <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameidformat:persistent"> 3f7b3dcf ecd-92c8-1544f346baf8 </saml:nameid></ saml:subject> <saml:attributestatement> <saml:attribute Name= > <saml:attributevalue </saml:attribute> </saml:attributestatement> </saml:assertion>

17 Response with code ----WebEx--- Ping

18 Response with authz code HTTP/ Found Location: mobileapp://redirect_here? state=hoser&code=wizjmastpaf0wqseb3vmdx2mns ZK6g

19 Trade code for token ----WebEx--- Ping

20 Trade code for token POST /as/token.oauth2 Host: as.com client_id=a&redirect_uri=mobileapp:// redirecthere&grant_type=authorization_code&code=wizjmastpaf0wqs eb3vmdx2mnszk6g HTTP/1.1 HTTP/ OK Content-Type: application/json; charset=utf-8 {"token_type":"bearer","expires_in":"600","refresh_token":"oqwqwmuil2ndemhs WEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSq ZLBrzEXgd4mKUNhOkyF"}

21 Client calls API ----WebEx--- Ping

22 Return Data ----WebEx--- Ping

23

24 Summary What SAML is for web SSO, OAuth 2.0 is for APIs Mobile native applications, as key consumers of APIs, are important use case for OAuth 2.0 OAuth 2.0 allows native applications to be authenticated without requiring apps themselves collect & store passwords

25 Thank