Demystifying OAuth
Transcript of Demystifying OAuth
![Page 1: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/1.jpg)
Demystifying OAuth: A standard for authorization
![Page 2: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/2.jpg)
24-3-2019 Demystifying OAuth 2
MENNO HOOGENDIJK
APEX Consultant
mennooo
mennooo
menn.ooo
![Page 3: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/3.jpg)
OAuth in APEX
![Page 4: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/4.jpg)
![Page 5: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/5.jpg)
https://www.slideshare.net/msewtz/oracle-apex-social-login
https://asktom.oracle.com/pls/apex/f?p=100:551:::NO:RP,551:P551_CLASS_ID:5861
![Page 6: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/6.jpg)
![Page 7: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/7.jpg)
![Page 8: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/8.jpg)
![Page 9: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/9.jpg)
https://asktom.oracle.com/pls/apex/f?p=100:551:::NO:RP,551:P551_CLASS_ID:4824
![Page 10: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/10.jpg)
APEX Packages for OAuth

| Package | OAuth functionality |
| --- | --- |
| APEX_AUTHENTICATION | Social sign-in |
| APEX_CREDENTIAL | Manage OAuth client credentials |
| APEX_EXEC | Work with remote data sources via OAuth |
| APEX_JWT | Work with OAuth tokens |
| APEX_WEB_SERVICES | Work with OAuth-protected web services |
![Page 11: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/11.jpg)
What is OAuth
![Page 12: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/12.jpg)
Scenario: A person stores pictures in the cloud
![Page 13: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/13.jpg)
Pictures in the cloud
User
User has access to pictures
Username & password, two-factor authentication or fingerprint?
No reason for OAuth
![Page 14: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/14.jpg)
Application Pictures in the cloud
User
Third-party application
To edit the pictures
How to give this application access to the pictures?
![Page 15: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/15.jpg)
Application Pictures in the cloud
User
Option 1: Ask user for credentials
Application impersonates the user
User credentials exposed to application
Same credentials might be used elsewhere
Full access for application
![Page 16: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/16.jpg)
Application Pictures in the cloud
User
Option 2: Developer key
User creates a key in the cloud and adds it in the application
Cloud won't know who's using the key
Extra tasks for the user
Full access for application
![Page 17: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/17.jpg)
Application Pictures in the cloud
User Authorization server
The solution is OAuth 2.0
To delegate authority over user resources to an application
![Page 18: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/18.jpg)
Client Protected resource
Resource owner Authorization server
Access service
Access data
Issue token
Grant access
Validate token
![Page 19: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/19.jpg)
OAuth 2 is about tokens
How to get a token
How to use a token
![Page 20: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/20.jpg)
What is an authorization server
![Page 21: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/21.jpg)
Authorization Server
• Owner: the organization where the protected resource resides
• The central security authority
• Most complex component in OAuth ecosystem
Authorization server
Each organization with a REST API protected by OAuth has its own Authorization Server
![Page 22: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/22.jpg)
Authorization Server implementations
• Proprietary solutions
• Open source solutions
• Hosted solutions
Authorization server
Oracle REST Data Services is also an Authorization Server
![Page 23: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/23.jpg)
Tasks for an Authorization Server
• Managing OAuth client registrations
• Authenticate users
• Authorizing clients
• Issuing Tokens
• Validating Tokens
Authorization server
![Page 24: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/24.jpg)
Authorization Server: Register clients
The Authorization Server needs the following information to register a client:
• Grant type (flow type) which will be used
• A redirect URL to return to the client after the grant by the resource owner
• Scopes (rights on the protected resource)
Authorization server
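As an added example (not from the slides), the three registration items above are what an authorization server compares an incoming front-channel /authorize request against: the grant type the client was registered for, an exact match on the redirect URL, and a subset check on the scopes. The registry contents, the client name and the function names are constructed for the example.

```python
# Added example (not from the slides): an authorization server checking a
# front-channel /authorize request against the client's registration record.
# ClientRegistration, REGISTRY and check_authorize_request are assumed names.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class ClientRegistration:
    client_id: str
    grant_types: frozenset      # flows this client was registered for
    redirect_uris: frozenset    # exact strings registered by the client
    scopes: frozenset           # scopes the client may ever ask for


# Constructed registry: one client registered for the authorization code flow only.
REGISTRY = {
    "picture-editor": ClientRegistration(
        client_id="picture-editor",
        grant_types=frozenset({"authorization_code"}),
        redirect_uris=frozenset({"https://editor.example/callback"}),
        scopes=frozenset({"pictures:read", "pictures:update"}),
    )
}

# response_type as sent on the front channel, mapped to the grant type it needs.
RESPONSE_TYPE_TO_GRANT = {"code": "authorization_code", "token": "implicit"}


def check_authorize_request(url, registry=REGISTRY):
    """Return (ok, reason, granted_scopes) for a front-channel /authorize URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = registry.get(params.get("client_id", ""))
    if client is None:
        return False, "unknown client_id", frozenset()
    grant = RESPONSE_TYPE_TO_GRANT.get(params.get("response_type", ""))
    if grant not in client.grant_types:
        return False, "response_type not allowed for this client", frozenset()
    # Exact string comparison: no prefix or pattern matching on the redirect URI,
    # otherwise the authorization code could be sent to a URL the client never registered.
    if params.get("redirect_uri") not in client.redirect_uris:
        return False, "redirect_uri is not registered", frozenset()
    requested = frozenset(params.get("scope", "").split())
    if not requested or not requested <= client.scopes:
        return False, "scope not registered for this client", frozenset()
    return True, "ok", requested
```

The scope check only decides what the client may ask for; the resource owner still has to approve (a subset of) those scopes on the consent screen, as the later slides describe.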
![Page 25: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/25.jpg)
The client gets its credentials from the authorization server
The client is assigned the following:

| Attribute | Purpose | Security remarks |
| --- | --- | --- |
| client_id | Like a username | Client may expose this |
| client_secret | Like a password | A secret must not be exposed; only issued if the client has a back-end |
![Page 26: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/26.jpg)
Authorization Server: authenticate users
How to authenticate is not part of OAuth. Could be:
• Username / password
• Two factor
• HTTP Header
• Biometric
• LDAP
• …
Authorization server
![Page 27: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/27.jpg)
Authorization Server: authorize clients
Fine-grained rights via scopes
• Create, read, update and delete pictures
• Accessible scopes defined on client creation
• Client may ask resource owner to grant on subset
• Resource owner can revoke rights
Authorization server
![Page 28: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/28.jpg)
Authorization Server: issuing tokens
• Format is not part of OAuth 2.0 specification
• Represents requested client access, resource owner & scope
• A weak spot of OAuth 2.0
Authorization server
![Page 29: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/29.jpg)
Authorization Server: validating tokens
• Correct scope to access resource?
• Token not expired?
• No check if token belongs to client
Authorization server
Protected resource
Validate token
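As an added example (not from the slides), here is what the two checks on this slide look like on the resource-server side for a signed token: verify the signature, reject an expired token, and require the scope the resource needs. The token format is an HS256 JWT built inside the block for the demo (the slides note the format is not fixed by OAuth 2.0); the shared key, claim names and function names are assumptions. The comment at the end marks the gap the slide points out: nothing ties a bearer token to the client presenting it.

```python
# Added example (not from the slides): resource-server validation of a bearer token.
# mint_token is a constructed issuer used only to build sample tokens for the demo.
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"   # shared between AS and resource server (demo only)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Constructed issuer: sign header.claims with HMAC-SHA256 (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = KEY) -> dict:
    """Return the claims if the signature is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm: the token must not be allowed to choose how it is verified.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def check_access(token: str, required_scope: str, now=None):
    """The two checks from the slide: correct scope, and token not expired."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(token)
    except ValueError as e:
        return False, str(e)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    # Nothing above ties the token to the client that presented it: a bearer
    # token is accepted from whoever holds it. That is the slide's "no check
    # if token belongs to client".
    return True, "ok"
```

Expiry is compared against a caller-supplied clock so the checks can be exercised deterministically; in production the default `time.time()` is used.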
![Page 30: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/30.jpg)
OAuth 2.0 is designed to work in different situations
![Page 31: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/31.jpg)
Client Protected resource
Resource owner
Access service
Access data
Client - Server
![Page 32: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/32.jpg)
System B
Access data
Server - Server
System A
![Page 33: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/33.jpg)
The client chooses the OAuth flow it wants to use
Am I requesting an access token for the protected resource:
• On behalf of a user? (client – server)
• On behalf of myself as application? (server – server)
Client
![Page 34: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/34.jpg)
How the user and client communicate with the authorization server
![Page 35: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/35.jpg)
Resource owner Authorization server
Front channel communication
via user agent (browser) of resource owner
![Page 36: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/36.jpg)
Client Authorization server
Back channel communication
via back-end of the client
All requests are authenticated using the client_id and client_secret
![Page 37: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/37.jpg)
Flow 1: Authorization Code
![Page 38: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/38.jpg)
Authorization code flow
The client wants to access protected resources on behalf of the user
![Page 39: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/39.jpg)
Authorization code flow
• Most complex flow
• Requires a client back-end
• Variable scope
• Three-legged process
Authenticate user (front channel) → Obtain authorization code (front channel) → Obtain access token (back channel)
![Page 40: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/40.jpg)
Resource owner
Starts application
Client
Front channel
![Page 41: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/41.jpg)
Do I have an unexpired access token for the user?
Client
Back channel
![Page 42: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/42.jpg)
Yes, I have a valid access token
Back channel
Client Protected resource
Access data
Access token is sent as a Bearer Authorization header
![Page 43: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/43.jpg)
Do I have refresh token for the user?
Client
Back channel
No, I don't have a token
A refresh token can be used to get a new access token when the old one is expired
![Page 44: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/44.jpg)
Yes, I have a valid refresh token
Back channel
Client Authorization server
Refresh token
client_id + client_secret are sent as a Basic authentication header
![Page 45: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/45.jpg)
The authorization server validates the refresh token and returns an access token
Back channel
Access token
Authorization server Client
![Page 46: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/46.jpg)
Client uses the valid access token
Back channel
Client Protected resource
Access data
Access token is sent as a Bearer Authorization header
![Page 47: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/47.jpg)
Redirect resource owner
Client
Front channel
No, I don't have a refresh token
Authorization server
The client_id and scopes are part of the redirect URL
![Page 48: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/48.jpg)
Provide credentials
Front channel
Resource owner authenticates
Authorization server
Resource owner
![Page 49: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/49.jpg)
Front channel
Resource owner authenticates
![Page 50: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/50.jpg)
Approval for client
Front channel
Resource owner grants permission to protected resource
Authorization server
Resource owner
![Page 51: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/51.jpg)
Front channel
Resource owner grants permission to protected resource
![Page 52: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/52.jpg)
Authorization code
Front channel
Authorization server redirects back to client with authorization code
Authorization server Client
![Page 53: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/53.jpg)
Client uses authorization code to request access token
Back channel
Client
Authorization code
Authorization server
client_id + client_secret are sent as a Basic authentication header
![Page 54: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/54.jpg)
Authorization server validates authorization code and returns access token
Back channel
Client
Access token + refresh token
Authorization server
![Page 55: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/55.jpg)
Client uses the valid access token
Back channel
Client Protected resource
Access data
Access token is sent as a Bearer Authorization header
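As an added example (not from the slides), the sequence just walked through, expressed as the messages the client back-end builds: the front-channel redirect carrying client_id and scopes, the callback carrying the authorization code, the back-channel code exchange and refresh requests authenticated with client_id + client_secret in a Basic header, and the Bearer header towards the protected resource. Nothing is sent over the network; each function returns the request so it can be inspected. The endpoints, client_id, client_secret, redirect URI and function names are constructed for the example; the `state` parameter is not on the slides and is included so the callback can be tied to the redirect the client itself started.

```python
# Added example (not from the slides): the client side of the authorization code flow.
# All URLs and credentials below are constructed placeholders.
import base64
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://auth.example/authorize"   # constructed
TOKEN_URL = "https://auth.example/token"           # constructed
CLIENT_ID = "picture-editor"                       # constructed
CLIENT_SECRET = "constructed-demo-secret"          # lives only on the back-end
REDIRECT_URI = "https://editor.example/callback"   # must equal the registered value


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_id:client_secret, base64 encoded, for every back-channel request."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def bearer_header(access_token: str) -> str:
    return "Bearer " + access_token


def new_state() -> str:
    """Unguessable value stored in the user's session before the redirect."""
    return secrets.token_urlsafe(16)


def build_redirect(scopes, state: str) -> str:
    """Front channel: the URL the resource owner's browser is sent to."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def parse_callback(url: str, expected_state: str) -> str:
    """Front channel: read the authorization code from the redirect back to the client."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"])
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: this callback was not started by this session")
    return params["code"]


def _token_request(form: dict) -> dict:
    return {
        "method": "POST", "url": TOKEN_URL,
        "headers": {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def code_exchange_request(code: str) -> dict:
    """Back channel: trade the authorization code for an access (+ refresh) token."""
    return _token_request({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI})


def refresh_request(refresh_token: str) -> dict:
    """Back channel: get a new access token once the old one has expired."""
    return _token_request({"grant_type": "refresh_token", "refresh_token": refresh_token})


def resource_request(access_token: str) -> dict:
    """Back channel: call the protected resource with the access token as Bearer."""
    return {"method": "GET", "url": "https://pictures.example/api/pictures",   # constructed
            "headers": {"Authorization": bearer_header(access_token)}}
```

The redirect URI is repeated in the code exchange so the authorization server can confirm the code is being redeemed by the same client, at the same registered URL, that it was issued for.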
![Page 56: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/56.jpg)
Flow 2: Client credentials
![Page 57: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/57.jpg)
Client credentials flow
The client uses its own credentials to authenticate on the authorization server.
System B
Access data
System A
![Page 58: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/58.jpg)
Client credentials flow
• Simplest flow
• Requires a client back-end
• Only back channel communication
• Predefined scope
• Two-legged process
Authenticate client → Obtain access token
![Page 59: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/59.jpg)
Do I have an unexpired access token for myself?
Back channel
System A
![Page 60: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/60.jpg)
Yes, I have a valid access token
Back channel
System B
Access data
System A
Access token is sent as a Bearer Authorization header
![Page 61: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/61.jpg)
No, I don't have an access token
Back channel
credentials
Authorization server
System A
client_id + client_secret are sent as a Basic authentication header
![Page 62: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/62.jpg)
Authorization server validates credentials and returns access token
Back channel
Access token
Authorization server System A
![Page 63: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/63.jpg)
Client uses the valid access token
Back channel
System B
Access data
System A
Access token is sent as a Bearer Authorization header
![Page 64: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/64.jpg)
Why use the client credentials flow instead of basic authentication?
Because OAuth adds these benefits:
• Access tokens are short-lived
• Central security authority
• Standardization
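As an added example (not from the slides), the client credentials flow from the previous slides and the "short-lived tokens" benefit above, in one piece: System A keeps a single access token for itself, answers "do I have an unexpired access token for myself?" before every call to System B, and only then goes to the token endpoint with its client_id + client_secret in a Basic header. The authorization server is a constructed stand-in so the block runs offline; the client name, secret, lifetime and class names are assumptions.

```python
# Added example (not from the slides): System A caching a client-credentials token.
# FakeAuthorizationServer stands in for the real token endpoint; all values are constructed.
import base64
import time
from urllib.parse import urlencode, parse_qs

CLIENT_ID = "system-a"                  # constructed
CLIENT_SECRET = "constructed-secret"    # back-end only
LEEWAY = 30                             # renew this many seconds before expiry


class FakeAuthorizationServer:
    """Validates client credentials and issues short-lived bearer tokens."""

    def __init__(self, clients: dict, lifetime: int = 300):
        self.clients = clients          # client_id -> client_secret
        self.lifetime = lifetime        # expires_in returned with every token
        self.issued = 0

    def token(self, authorization: str, body: str) -> dict:
        scheme, _, encoded = authorization.partition(" ")
        client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
        if scheme != "Basic" or self.clients.get(client_id) != secret:
            raise PermissionError("invalid_client")
        if parse_qs(body).get("grant_type") != ["client_credentials"]:
            raise PermissionError("unsupported_grant_type")
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "token_type": "Bearer",
                "expires_in": self.lifetime}


class SystemA:
    """Client that calls System B on its own behalf."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self._access_token = None
        self._expires_at = 0.0

    def _have_unexpired_token(self, now: float) -> bool:
        """'Do I have an unexpired access token for myself?' (with a small safety margin)"""
        return self._access_token is not None and now + LEEWAY < self._expires_at

    def _fetch_token(self, now: float) -> None:
        """Back channel: client_id + client_secret as Basic header, grant_type=client_credentials."""
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        header = "Basic " + base64.b64encode(raw).decode()
        body = urlencode({"grant_type": "client_credentials"})
        resp = self.auth_server.token(header, body)
        self._access_token = resp["access_token"]
        self._expires_at = now + resp["expires_in"]

    def authorization_header(self, now=None) -> str:
        """Header System A puts on its call to System B; fetches a token only when needed."""
        now = time.time() if now is None else now
        if not self._have_unexpired_token(now):
            self._fetch_token(now)
        return "Bearer " + self._access_token
```

With a 300-second lifetime, a token minted at t=1000 is reused at t=1100 and replaced at t=1280, so a token that leaks from System B's logs is usable for minutes rather than indefinitely, which is the difference from sending the static credentials themselves on every request.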
![Page 65: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/65.jpg)
Flow 3: Implicit
![Page 66: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/66.jpg)
Implicit flow
The client wants to access protected resources on behalf of the user
![Page 67: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/67.jpg)
Implicit flow
• Specific flow for front-end only apps (like Oracle JET)
• Client doesn't get a client_secret
• Only front channel communication
• Variable scope
• Two-legged process
Authenticate user → Obtain access token
![Page 68: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/68.jpg)
Resource owner
Starts application
Client
Front channel
![Page 69: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/69.jpg)
Do I have an unexpired access token for the user?
Client
Front channel
![Page 70: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/70.jpg)
Yes, I have a valid access token
Front channel
Client Protected resource
Access data
Access token is sent as a Bearer Authorization header
![Page 71: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/71.jpg)
Redirect resource owner
Client
Front channel
No, I don't have an access token
Authorization server
The client_id and scopes are part of the redirect URL
![Page 72: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/72.jpg)
Provide credentials
Front channel
Resource owner authenticates
Authorization server
Resource owner
![Page 73: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/73.jpg)
Approval for client
Front channel
Resource owner grants permission to protected resource
Authorization server
Resource owner
![Page 74: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/74.jpg)
Access token
Front channel
Authorization server redirects back to client with access token
Authorization server Client
![Page 75: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/75.jpg)
Client uses the valid access token
Front channel
Client Protected resource
Access data
Access token is sent as a Bearer Authorization header
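As an added example (not from the slides), the front-end-only client's side of the implicit flow just shown: the redirect asks for `response_type=token`, there is no client_secret and no back channel, and the access token comes back in the URL fragment of the redirect, which the browser keeps local and does not send to the client's web server. The function refuses a token delivered in the query string, because that part of the URL does end up in server and proxy logs. Endpoints, client_id and function names are constructed; `state` is not on the slides and is included so the client can tie the response to the redirect it started.

```python
# Added example (not from the slides): a public (front-end-only) client in the implicit flow.
# URLs and client_id are constructed; there is deliberately no client_secret.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://auth.example/authorize"   # constructed
CLIENT_ID = "jet-picture-viewer"                   # constructed; public identifier
REDIRECT_URI = "https://viewer.example/app"        # must equal the registered value


def build_redirect(scopes, state: str) -> str:
    """Front channel: response_type=token asks for an access token directly."""
    query = {"response_type": "token", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def parse_token_fragment(url: str, expected_state: str) -> dict:
    """Front channel: read the access token out of the #fragment of the redirect back."""
    parts = urlsplit(url)
    if "access_token" in parse_qs(parts.query):
        # The query string reaches the web server and its logs; the fragment does not.
        raise ValueError("access token must be in the fragment, not the query string")
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in frag:
        raise ValueError("authorization server returned error: " + frag["error"])
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch: this response was not started by this page")
    if frag.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    # No refresh_token in this flow: when the token expires the user is redirected again.
    return {"access_token": frag["access_token"],
            "expires_in": int(frag.get("expires_in", "0")),
            "scope": frag.get("scope", "")}


def bearer_header(access_token: str) -> str:
    """Front channel: the header the browser app sends to the protected resource."""
    return "Bearer " + access_token
```

Because the token is handed to the browser, anything that can read the page's URL or JavaScript state can read the token; that, and the missing refresh token, is why this flow is reserved for clients that have no back-end to hold a secret.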
![Page 76: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/76.jpg)
OAuth 2.0 is demystified
![Page 77: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/77.jpg)
If you want to know more
![Page 78: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/78.jpg)
Thank you
![Page 79: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/79.jpg)
Using an external authorization server with ORDS..
![Page 80: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/80.jpg)
Client Protected resource
Resource owner Authorization server
Access service
Access data
Issue token
Grant access
Validate token
Missing link
![Page 81: Demystifying OAuth](https://reader033.fdocuments.net/reader033/viewer/2022053120/62924f74b330e233731d6315/html5/thumbnails/81.jpg)
Client Protected resource
Resource owner Authorization server
Access service
Access data
Issue token
Grant access
Validate token
Authorization server