Agenda
- Federation architectures for mobile applications
- OAuth 2.0 Drivers
- OAuth 2.0 Overview
- Mobile walkthrough
Enter OAuth 2.0
- Defines an authorization framework for RESTful APIs (OAuth 2.0 itself specifies delegated authorization; authenticating the end user is left to the authorization server, which in the walkthrough below does it over SAML)
- An open protocol to allow secure API authorization in a simple and standard way from desktop, mobile and web applications
- Applied to delegated authorization, it mitigates the password anti-pattern (the archetypal use case): the third party never has to hold the user's password
- Provides a standard way to give a third party a key that allows only limited access to perform specific functions against REST APIs
An Overused Analogy OAuth is your valet key to the Interwebs
OAuth Timeline (figure, 2007 to 2011): OAuth 1.0 community spec (2007); OAuth 1.0a (2009); RFC 5849, Informational (2010); OAuth WRAP; IETF OAuth 2.0; JWT
OAuth 2.0 Terminology: Roles
- resource owner: an entity (usually an end user/person) capable of granting access to a protected resource
- client: an application obtaining authorization and making protected resource requests (on behalf of the resource owner)
- resource server (RS): the server hosting protected resources
- authorization server (AS): a server capable of issuing tokens, obtaining authorization, and authenticating resource owners
Tokens
Access Token
- credential used by the client to access protected resources at the RS
- structure is undefined by the spec(s); usually opaque to the client
- generally short lived
Refresh Token
- used by the client to obtain a new access token when the old one expires
- the client only sends it to the AS, never to the RS
- generally long lived
OAuth 2.0 adoption
Growing number of OAuth 2.0 implementations:
- Salesforce, for authenticating REST API calls: web server redirect flow; trading a SAML assertion for an OAuth access token
- Microsoft Azure ACS: evolution of its OAuth WRAP support
- Facebook: authentication & authorization for the Graph API
- Multiple IdM vendors: Ping, Layer7, Apigee, etc.
- Lots of SaaS vendors: Box, WebEx, etc.
Agenda
- Federation architectures for mobile applications
- OAuth 2.0 Drivers
- OAuth 2.0 Overview
- Mobile walkthrough
Walk through (figure): Identity Provider = Ping, Service Provider = WebEx, Device running a Browser and a Native App; numbered arrows 1 Password, 2 SAML, 3 Token, 4 OAuth, 5 JSON/XML
SSO Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z">
  <saml:Issuer>https://sp.webex.com/saml2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>
User authentication: the user authenticates to Ping (arrow 1, Password, in the walkthrough figure); the native app itself never sees the password.
SSO Response

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Issuer>https://idp.pingidentity.com/saml2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue xsi:type="xs:string">pmadsen@pingidentity.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

The SP (WebEx) verifies ds:Signature against the IdP's certificate before trusting the NameID or the email attribute.
Response with authz code

HTTP/1.1 302 Found
Location: mobileapp://redirect_here?state=hoser&code=wizjmastpaf0wqseb3vmdx2mnszk6g

The custom scheme hands the redirect to the native app. The app checks that state matches the value it sent on the authorization request before using the code; the code is short lived and single use.
Trade code for token

POST /as/token.oauth2 HTTP/1.1
Host: as.com
Content-Type: application/x-www-form-urlencoded

client_id=a&redirect_uri=mobileapp%3A%2F%2Fredirect_here&grant_type=authorization_code&code=wizjmastpaf0wqseb3vmdx2mnszk6g

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{"token_type":"bearer","expires_in":600,"refresh_token":"oqwqwmuil2ndemhsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}

The request carries no client secret: a native app is a public client, so the AS relies on the code being bound to client_id and redirect_uri, single use and short lived, rather than on authenticating the client.
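The exchange on the last two slides, together with the token rules from the Tokens slide and the API call that follows, as an added example that is not part of the deck or of Ping's or WebEx's software. It is an offline, in-memory model with both sides of each message: AuthzServer stands in for Ping once the SAML leg has identified the user (and, for brevity, also plays the WebEx API as resource server), and client_handle_redirect is the native app's side. The client_id "a", the redirect URI mobileapp://redirect_here, the 600 second lifetime and the NameID come from the slides; the class and function names, the token store and the timestamps are assumptions for illustration.

```python
"""Added example (not part of the deck): an offline model of the walkthrough's OAuth
leg with both sides of each message. client_id "a", mobileapp://redirect_here, the
600 s lifetime and the NameID come from the slides; all other names are assumed."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ACCESS_TOKEN_TTL = 600   # seconds; expires_in in the slide's token response
CODE_TTL = 60            # authorization codes are short-lived and single use
SUBJECT = "3f7b3dcf-1674-4ecd-92c8-1544f346baf8"   # NameID from the SAML assertion
CLIENT_ID, REDIRECT_URI = "a", "mobileapp://redirect_here"   # from the slides


class AuthzServer:
    """Issues codes, trades them for tokens, and checks bearer tokens on API calls."""

    def __init__(self):
        self.codes = {}            # code -> {client_id, redirect_uri, subject, exp, used}
        self.refresh_tokens = {}   # refresh_token -> subject (only ever sent to the AS)
        self.access_tokens = {}    # access_token -> (subject, expiry)

    def authorize(self, client_id, redirect_uri, state, subject, now):
        """'Response with authz code': the Location of the 302 the app receives.
        The code is bound to the client_id and redirect_uri it was issued for."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "subject": subject, "exp": now + CODE_TTL, "used": False}
        return redirect_uri + "?" + urlencode({"state": state, "code": code})

    def token(self, form, now):
        """'Trade code for token': the token endpoint, given the POSTed form fields."""
        grant, refresh = form.get("grant_type"), None
        if grant == "authorization_code":
            c = self.codes.get(form.get("code"))
            # Reject unknown, expired or replayed codes and codes issued to another
            # client_id or redirect_uri (the checks RFC 6749 section 4.1.3 requires).
            if (c is None or c["used"] or now > c["exp"] or c["client_id"] != form.get("client_id")
                    or c["redirect_uri"] != form.get("redirect_uri")):
                return {"error": "invalid_grant"}
            c["used"], subject, refresh = True, c["subject"], secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = subject
        elif grant == "refresh_token":
            subject = self.refresh_tokens.get(form.get("refresh_token"))
            if subject is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (subject, now + ACCESS_TOKEN_TTL)
        resp = {"token_type": "bearer", "expires_in": ACCESS_TOKEN_TTL, "access_token": access}
        if refresh is not None:
            resp["refresh_token"] = refresh      # issued only on the code exchange
        return resp

    def api_call(self, authorization, now):
        """'Client calls API' / 'Return data': the RS checks the bearer token."""
        scheme, _, token = authorization.partition(" ")
        entry = self.access_tokens.get(token)
        if scheme.lower() != "bearer" or entry is None or now > entry[1]:
            return 401, None
        return 200, {"user": entry[0]}


def client_handle_redirect(authz, expected_state, location, now):
    """Native app side: parse the 302 Location, check state, trade the code for tokens.
    The app is a public client: it sends no secret and never saw the user's password."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: redirect is not one this app started")
    resp = authz.token({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                        "grant_type": "authorization_code",
                        "code": query.get("code", [""])[0]}, now)
    if "error" in resp:
        raise ValueError(resp["error"])
    return resp


def run_walkthrough(start=1000.0):
    """Runs the exchange plus replay, expiry and refresh; returns each step's result."""
    authz, state = AuthzServer(), secrets.token_urlsafe(16)   # the app generates state first
    location = authz.authorize(CLIENT_ID, REDIRECT_URI, state, SUBJECT, start)
    tokens = client_handle_redirect(authz, state, location, start + 1)
    code = parse_qs(urlsplit(location).query)["code"][0]
    replay = authz.token({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                          "grant_type": "authorization_code", "code": code}, start + 2)
    header, later = "Bearer " + tokens["access_token"], start + ACCESS_TOKEN_TTL + 100
    # After expiry the app sends the refresh token to the AS (never to the RS) for a new access token.
    renewed = authz.token({"grant_type": "refresh_token",
                           "refresh_token": tokens["refresh_token"]}, later)
    return {"tokens": tokens, "replay": replay, "fresh": authz.api_call(header, start + 5),
            "stale": authz.api_call(header, later), "renewed": renewed,
            "again": authz.api_call("Bearer " + renewed["access_token"], later + 1)}
```

run_walkthrough() returns the first token response, the invalid_grant error for a replayed code, a 200 for the fresh access token, a 401 once it has expired, the refresh response (which carries no new refresh token) and a 200 with the renewed token; a redirect whose state the app did not generate raises before any code is exchanged.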
Client calls API: the native app presents the access token on its API calls
Return Data: the API returns JSON/XML to the native app
Summary
- What SAML is for web SSO, OAuth 2.0 is for APIs
- Mobile native applications, as key consumers of APIs, are an important use case for OAuth 2.0
- OAuth 2.0 lets native applications obtain authorized access to APIs without the apps themselves having to collect & store passwords
Thank you @paulmadsen