Incorporating OAuth
How to integrate OAuth into your mobile app
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
The security challenge in context
Neo-security stack
OAuth Basics
Overview of other layers
Copyright © 2013 Twobo Technologies AB. All rights reserved
Crucial Security Concerns
Copyright © 2013 Twobo Technologies AB. All rights reserved
Enterprise
Security
API
Security
Mobile
Security
Identity is Central
Copyright © 2013 Twobo Technologies AB. All rights reserved
MDM MAM
AuthZ
Mobile
Security
API
Security
Enterprise
Security
Identity
Venn diagram by Gunnar Peterson
Neo-security Stack
SCIM, SAML, OAuth, and JWT are the new
standards-based cloud security stack
OAuth 2 is the new meta-protocol defining how
tokens are handled
These address old requirements, solves new
problems & are composed
in useful ways
Copyright © 2013 Twobo Technologies AB. All rights reserved
Grandpa SAML
& junior
OpenID Connect
OAuth Actors
Client
Authorization Server (AS)
Resource Server (RS) (i.e., API)
Resource Owner (RO)
Copyright © 2013 Twobo Technologies AB. All rights reserved
Get
a t
oken
User a token
RS Client
AS
OAuth Mobile App Flow
Copyright © 2013 Twobo Technologies AB. All rights reserved
Request Authorization
Copyright © 2013 Twobo Technologies AB. All rights reserved
Authenticate & Authorize
Copyright © 2013 Twobo Technologies AB. All rights reserved
Register Custom Scheme in App
<activity android:name=".CallbackActivity“ …>
<intent-filter>
<data android:scheme="twobo" />
…
</intent-filter>
</activity>
Copyright © 2013 Twobo Technologies AB. All rights reserved
Callback to Custom Scheme
In OAuth Server, configure to callback to scheme
that was registered
Copyright © 2013 Twobo Technologies AB. All rights reserved
Exchange Code for Token
Copyright © 2013 Twobo Technologies AB. All rights reserved
AC
Calling the Token Endpoint
var data = {
"client_id" : clientId,
"client_secret" : clientSecret,
"code" : code,
"grant_type" : "authorization_code",
"response_type" : "token" };
$.post(tokenEndpoint, data,
processAccessToken, "json");
Copyright © 2013 Twobo Technologies AB. All rights reserved
AC AT, RT
Tokens are Often JWTs
Pronounced like the English word “jot”
Lightweight tokens passed in HTTP headers &
query strings
Akin to SAML tokens
Less expressive
Less security options
More compact
Encoded w/ JSON not XML
Copyright © 2013 Twobo Technologies AB. All rights reserved
Calling the API
Provide AT to API according to bearer token profile
$.ajax({
url: apiEndpoint,
dataType: 'json',
headers: {"Authorization":"Bearer "+accessToken},
success: processResults });
Copyright © 2013 Twobo Technologies AB. All rights reserved
API May Validate Token
def validateToken(self, tokenEndpoint, clientId,
clientSecret, accessToken):
values = { "client_id" : clientId,
"client_secret" : clientSecret,
"grant_type" : “…",
"token" : accessToken, }
request = urllib2.Request(tokenEndpoint,
urllib.urlencode(values))
return urllib2.urlopen(request) Copyright © 2013 Twobo Technologies AB. All rights reserved
• App should only present
AT to API
• Never send RT to API
• Use RT to get new AT if
AT expires
• App can’t use AT to
determine anything about
user
App Consumes API Data
Copyright © 2013 Twobo Technologies AB. All rights reserved
Overview of OpenID Connect
Builds on OAuth for profile sharing
Uses the flows optimized for user-consent
scenarios
Adds identity-based inputs/outputs to core OAuth
messages
Tokens are JWTs
Copyright © 2013 Twobo Technologies AB. All rights reserved
What OAuth is and is not for
Copyright © 2013 Twobo Technologies AB. All rights reserved
Not for authentication
Not really for authorization
For delegation
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com Copyright © 2013 Twobo Technologies AB. All rights reserved
Top Related