SlideShare une entreprise Scribd logo

OAuth - Don’t Throw the Baby Out with the Bathwater

Télécharger en tant que PPTX, PDF
Apigee | Google Cloud
Apigee | Google Cloud
Technologie
1  sur  33
OAuth 2.0 - Don’t Throw the Baby Out with the Bathwater Greg Brail @gbrail Ed Anuff Apigee @edanuff @apigee
groups.google.com/group/api-craft
youtube.com/apigee
slideshare.net/apigee
@edanuff @gbrail Ed Anuff Greg Brail
Overview What happened? OAuth 2.0 refresher course OAuth in the world Next steps and recommendations
WHAT HAPPENED?
What happened? Eran Hammer-Lahav, one of the spec leads, quit He blogged about how screwed up OAuth 2.0 is He got a lot of attention Some other people blogged about his blog
Why does it matter? One of the primary authors of OAuth 2.0 disowned it. So is this an excuse to give up on OAuth? We don’t think so
OAUTH 1.0 & 2.0 RECAP
OAuth 1.0a recap Start with: Application credentials (ID and secret) Authenticate the user Web browser redirect Get a token and secret Sign with it on every request
What was wrong with OAuth 1.0? Signatures are hard This may seem minor but ask the “developer on the street” about OAuth and you will get some version of this response
What is OAuth 2.0? A family of specs The “authorization framework” Bearer token spec SAML, JWT, and other token specs More specs
What does it really do? Start with “client credentials” These identify the application requesting authentication Optionally authenticate the user There are many “grant types” that define this Get an “access token” Uniquely identifies the user / application / device Send the access token on every request
OAuth 2.0 grant types Grant Type What You Need How You Authenticate User Authorization Code App Credentials Web browser redirect. Web End-user credentials app determines what is required Implicit Grant App Credentials Web browser redirect End-user credentials optimized for script-heavy web apps Resource Owner App Credentials Send username / password in End-user username / password API call Client Credentials App Credentials You don’t Extensions SAML token, JSON web token Depends on the extension spec In OAuth 2.0, “app credentials” are essentially a username / password that identifies a single application
OAuth 2.0 token types Token Type What it Is Signed? Spec Status Bearer A big random N Proposed Standard number HTTP-MAC Signed request Y Very old For reference: OAuth 1.0 only supported a “Mac” style of token
Security considerations Token Type On the Wire On the Disk Bearer Totally open – requires SSL to Hash it just like a password prevent token theft or misuse “Mac” Secure – secret cannot be reverse Server must access it in clear engineered and “nonce” prevents text replay. No SSL required.
What about “legs?” Three grant types require user authentication Many people call these “three-legged” They involve the app, the API, and the user One does not – it just uses the app credentials Many people call this “two-legged” Minor fact – the words “leg” and “legged” are not present in the spec
Scopes Every OAuth 2.0 token can have “scopes” Identify what the token can do For instance: READ, WRITE, DELETE or SEND_SMS, SEND_MMS, GET_LOCATION, PAY
Refresh tokens APIs may return two tokens Access token with an expiration time Refresh token with no expiration time Refresh token used to get a new access token No additional user authentication is required
Why refresh tokens? What if the access token is compromised? Harder to guess if it has an expiration time Harder to use a stolen token from a device So why is the refresh token harder to steal? It isn’t It’s still stored on the device or web server
Why refresh tokens, really? It supports a two-tier architecture: Authorization grants, token generation, and all that on a complex, slow server Access tokens in a scalable caching layer No need for complex cache invalidation What if the main OAuth system already scales? Then there is no reason to use refresh tokens
OAUTH IN THE WORLD
Status of key specs Spec Revision Status Authorization Framework 31 Proposed Standard Bearer Token 23 Proposed Standard JWT Token 3 Draft JWT Bearer Token 1 Draft SAML 2 Token 13 Draft HTTP MAC Token 1 Draft; Last update February How a spec grows up to become a “law:” 1. Draft 2. Proposed Standard 3. Draft Standard 4. Internet Standard There are many more specs – check the IETF process: http://tools.ietf.org/wg/oauth/
Status of big APIs Provider Spec Revision Reference Foursquare 10 http://aaron.pk/2YS Google 10 https://developers.google.com/acco unts/docs/ OAuth2 Facebook 10* https://developers.facebook.com/d ocs/ authentication/ Windows Live 10 http://aaron.pk/2YV Salesforce 10 http://aaron.pk/2YW GitHub 7 http://developer.github.com/v3/oa uth/ Geoloqi 10 https://developers.geoloqi.com/api Thanks to Aaron Parecki from Geoloqi for this table
OAuth in production - versions 31 Apigee Enterprise customers use OAuth 2.0 20 have “two-legged OAuth” aka “client credentials” 19 have “three-legged OAuth” 8 have both 6 Customers have OAuth 1.0a Many customers have neither “API Key” authentication only Username / password SSL, many other options Thanks to Amit Chakraborty from Apigee for this data
Two more steps to OAuth It’s not just about tokens How is the user authenticated? All but two Apigee customers use existing web pages or directory servers for user authentication How is consent granted to issue the token? Usually done through the browser Many different ways to implement it
NEXT STEPS AND RECOMMENDATIONS
Why use OAuth? For web apps that use APIs OAuth is the most standard, secure choice For mobile / native apps that use APIs OAuth has advantages over alternatives Uniquely identifies the end user, device, and app Credentials may be revoked at any time For server-to-server APIs Use OAuth if you use it for other things too
Keeping OAuth under control Stick with the basics: Bearer tokens No refresh tokens No extensions
Questions
groups.google.com/group/api-craft
THANK YOU Questions and ideas to: @gbrail @ edanuff groups.google.com/group/api-craft

Recommandé

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0Manish Kumar Singh
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 

Recommandé

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0Manish Kumar Singh
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Postman
PostmanPostman
PostmanIgor Shubovych
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web ServicesHalil Burak Cetinkaya
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
Test Design and Automation for REST API
Test Design and Automation for REST APITest Design and Automation for REST API
Test Design and Automation for REST APIIvan Katunou
 
RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best PracticesTricode (part of Dept)
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products OverviewApigee | Google Cloud
 
REST API
REST APIREST API
REST APITofazzal Ahmed
 
Modernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsModernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsApigee | Google Cloud
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?Akana
 

Contenu connexe

Tendances

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practicesAnkita Mahajan
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
Test Design and Automation for REST API
Test Design and Automation for REST APITest Design and Automation for REST API
Test Design and Automation for REST APIIvan Katunou
 

Tendances (20)

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Postman
PostmanPostman
Postman
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Rest api standards and best practices
Rest api standards and best practicesRest api standards and best practices
Rest api standards and best practices
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Test Design and Automation for REST API
Test Design and Automation for REST APITest Design and Automation for REST API
Test Design and Automation for REST API
 
RESTful API - Best Practices
RESTful API - Best PracticesRESTful API - Best Practices
RESTful API - Best Practices
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products Overview
 
REST API
REST APIREST API
REST API
 

En vedette

Modernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsModernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsApigee | Google Cloud
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?Akana
 
Differentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration …and why it mattersDifferentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration …and why it mattersKim Clark
 
Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Apigee | Google Cloud
 
Becoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyBecoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyApigee | Google Cloud
 
What's Better than Microservices? Serverless Microservices.
What's Better than Microservices? Serverless Microservices.What's Better than Microservices? Serverless Microservices.
What's Better than Microservices? Serverless Microservices.Apigee | Google Cloud
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailApigee | Google Cloud
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessApigee | Google Cloud
 

En vedette (12)

Modernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsModernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIs
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?
 
Differentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration …and why it mattersDifferentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration …and why it matters
 
Is Microservices SOA Done Right?
Is Microservices SOA Done Right?Is Microservices SOA Done Right?
Is Microservices SOA Done Right?
 
Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?
 
Becoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital JourneyBecoming the Uncarrier: T-Mobile's Digital Journey
Becoming the Uncarrier: T-Mobile's Digital Journey
 
What's Better than Microservices? Serverless Microservices.
What's Better than Microservices? Serverless Microservices.What's Better than Microservices? Serverless Microservices.
What's Better than Microservices? Serverless Microservices.
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
API Management and Kubernetes
API Management and KubernetesAPI Management and Kubernetes
API Management and Kubernetes
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices World
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 

Similaire à OAuth - Don’t Throw the Baby Out with the Bathwater

OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationFernando Lopez Aguilar
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Adam Lewis
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentEdin Kapic
 
Spsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentSpsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentBIWUG
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introductionh_marvin
 

Similaire à OAuth - Don’t Throw the Baby Out with the Bathwater (20)

OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Api security
Api security Api security
Api security
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Oauth
OauthOauth
Oauth
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your Application
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises Development
 
Spsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentSpsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises development
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
 

Plus de Apigee | Google Cloud

Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Apigee | Google Cloud
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldApigee | Google Cloud
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketApigee | Google Cloud
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsApigee | Google Cloud
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranApigee | Google Cloud
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!Apigee | Google Cloud
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorApigee | Google Cloud
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 

Plus de Apigee | Google Cloud (20)

How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management Market
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Opening Keynot
London Adapt or Die: Opening KeynotLondon Adapt or Die: Opening Keynot
London Adapt or Die: Opening Keynot
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoor
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 

Dernier

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

OAuth - Don’t Throw the Baby Out with the Bathwater

  • 1. OAuth 2.0 - Don’t Throw the Baby Out with the Bathwater Greg Brail @gbrail Ed Anuff Apigee @edanuff @apigee
  • 5. @edanuff @gbrail Ed Anuff Greg Brail
  • 6. Overview What happened? OAuth 2.0 refresher course OAuth in the world Next steps and recommendations
  • 8. What happened? Eran Hammer-Lahav, one of the spec leads, quit He blogged about how screwed up OAuth 2.0 is He got a lot of attention Some other people blogged about his blog
  • 9. Why does it matter? One of the primary authors of OAuth 2.0 disowned it. So is this an excuse to give up on OAuth? We don’t think so
  • 10. OAUTH 1.0 & 2.0 RECAP
  • 11. OAuth 1.0a recap Start with: Application credentials (ID and secret) Authenticate the user Web browser redirect Get a token and secret Sign with it on every request
  • 12. What was wrong with OAuth 1.0? Signatures are hard This may seem minor but ask the “developer on the street” about OAuth and you will get some version of this response
  • 13. What is OAuth 2.0? A family of specs The “authorization framework” Bearer token spec SAML, JWT, and other token specs More specs
  • 14. What does it really do? Start with “client credentials” These identify the application requesting authentication Optionally authenticate the user There are many “grant types” that define this Get an “access token” Uniquely identifies the user / application / device Send the access token on every request
  • 15. OAuth 2.0 grant types Grant Type What You Need How You Authenticate User Authorization Code App Credentials Web browser redirect. Web End-user credentials app determines what is required Implicit Grant App Credentials Web browser redirect End-user credentials optimized for script-heavy web apps Resource Owner App Credentials Send username / password in End-user username / password API call Client Credentials App Credentials You don’t Extensions SAML token, JSON web token Depends on the extension spec In OAuth 2.0, “app credentials” are essentially a username / password that identifies a single application
  • 16. OAuth 2.0 token types Token Type What it Is Signed? Spec Status Bearer A big random N Proposed Standard number HTTP-MAC Signed request Y Very old For reference: OAuth 1.0 only supported a “Mac” style of token
  • 17. Security considerations Token Type On the Wire On the Disk Bearer Totally open – requires SSL to Hash it just like a password prevent token theft or misuse “Mac” Secure – secret cannot be reverse Server must access it in clear engineered and “nonce” prevents text replay. No SSL required.
  • 18. What about “legs?” Three grant types require user authentication Many people call these “three-legged” They involve the app, the API, and the user One does not – it just uses the app credentials Many people call this “two-legged” Minor fact – the words “leg” and “legged” are not present in the spec
  • 19. Scopes Every OAuth 2.0 token can have “scopes” Identify what the token can do For instance: READ, WRITE, DELETE or SEND_SMS, SEND_MMS, GET_LOCATION, PAY
  • 20. Refresh tokens APIs may return two tokens Access token with an expiration time Refresh token with no expiration time Refresh token used to get a new access token No additional user authentication is required
  • 21. Why refresh tokens? What if the access token is compromised? Harder to guess if it has an expiration time Harder to use a stolen token from a device So why is the refresh token harder to steal? It isn’t It’s still stored on the device or web server
  • 22. Why refresh tokens, really? It supports a two-tier architecture: Authorization grants, token generation, and all that on a complex, slow server Access tokens in a scalable caching layer No need for complex cache invalidation What if the main OAuth system already scales? Then there is no reason to use refresh tokens
  • 23. OAUTH IN THE WORLD
  • 24. Status of key specs Spec Revision Status Authorization Framework 31 Proposed Standard Bearer Token 23 Proposed Standard JWT Token 3 Draft JWT Bearer Token 1 Draft SAML 2 Token 13 Draft HTTP MAC Token 1 Draft; Last update February How a spec grows up to become a “law:” 1. Draft 2. Proposed Standard 3. Draft Standard 4. Internet Standard There are many more specs – check the IETF process: http://tools.ietf.org/wg/oauth/
  • 25. Status of big APIs Provider Spec Revision Reference Foursquare 10 http://aaron.pk/2YS Google 10 https://developers.google.com/acco unts/docs/ OAuth2 Facebook 10* https://developers.facebook.com/d ocs/ authentication/ Windows Live 10 http://aaron.pk/2YV Salesforce 10 http://aaron.pk/2YW GitHub 7 http://developer.github.com/v3/oa uth/ Geoloqi 10 https://developers.geoloqi.com/api Thanks to Aaron Parecki from Geoloqi for this table
  • 26. OAuth in production - versions 31 Apigee Enterprise customers use OAuth 2.0 20 have “two-legged OAuth” aka “client credentials” 19 have “three-legged OAuth” 8 have both 6 Customers have OAuth 1.0a Many customers have neither “API Key” authentication only Username / password SSL, many other options Thanks to Amit Chakraborty from Apigee for this data
  • 27. Two more steps to OAuth It’s not just about tokens How is the user authenticated? All but two Apigee customers use existing web pages or directory servers for user authentication How is consent granted to issue the token? Usually done through the browser Many different ways to implement it
  • 29. Why use OAuth? For web apps that use APIs OAuth is the most standard, secure choice For mobile / native apps that use APIs OAuth has advantages over alternatives Uniquely identifies the end user, device, and app Credentials may be revoked at any time For server-to-server APIs Use OAuth if you use it for other things too
  • 30. Keeping OAuth under control Stick with the basics: Bearer tokens No refresh tokens No extensions
  • 33. THANK YOU Questions and ideas to: @gbrail @ edanuff groups.google.com/group/api-craft

Notes de l'éditeur

  1. Creative Commons Attribution-Share Alike 3.0 United States License