OAuth & OpenID Connect
Fall 2017 Secure Software Systems
OAuth for Sign-In

Sign-In With…
• Assume: you're already logged in with Facebook (the web browser holds a Facebook session cookie)
• Facebook will give limited account information (email, public profile, …) to the new service for account-creation purposes
• Your Facebook password is never shared with the new service
• The new service cannot post to your Facebook account: the only permissions it was granted are the ones needed for sign-in
OAuth for Third Party Access
OAuth Workflow [Google]
• An anonymous user visits your website / app
• The user wants to sign in with their Google identity
• They click a "Log In" button on your site / app, are redirected to Google's website, and are prompted to accept certain permissions (scopes)
• If they accept these permissions, Google redirects the user back to your website along with an authorization code
• Your server exchanges this code (together with your client secret) for an access token and a refresh token
• You then use the access token to actually retrieve the user's information via Google's API. The refresh token is used to obtain a new access token when the access token expires.
https://developers.google.com/identity/protocols/OAuth2
OAuth Workflow [Google]
(1) User wants to log in via Google
(2) Redirect to Google's Authorization Server:
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=https%3A%2F%2Foauth2.example.com%2Fcallback&response_type=code&client_id=client_id
redirect_uri is YOUR APP (where Google sends the user after authorization; it must exactly match a URI registered for your client, and must be HTTPS, with only localhost exempt). client_id is YOUR APP (issued when you register the app with Google, together with a client_secret that stays on your server). state is a random value your app generates for this login attempt; Google echoes it back so the callback can reject redirects it did not initiate. scope lists the permissions requested (here read-only Drive metadata); access_type=offline asks for a refresh token as well.
(3) Google prompts the user for consent
(4) Google redirects back to your app (via redirect_uri) with the authorization code and the echoed state:
https://oauth2.example.com/callback?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&state=state_parameter_passthrough_value
https://developers.google.com/identity/protocols/OAuth2WebServer
OAuth Workflow [Google]
(5) Exchange the authorization code for refresh and access tokens via an HTTP/REST call made from your server, never from the browser, because the request carries client_secret:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&client_id=your_client_id&client_secret=your_client_secret&redirect_uri=https://oauth2.example.com/callback&grant_type=authorization_code

The redirect_uri here must be identical to the one sent in step 2; the authorization server uses the comparison to reject a code that was captured at some other redirect target.
(6) Server returns a JSON object with the access token (short-lived; expires_in is in seconds) and the refresh token (long-lived; store it server-side with the same care as a password):
{
  "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "token_type": "Bearer",
  "refresh_token": "1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
(7) Use the access token to call the Google API for specific data, sending it in an Authorization: Bearer header on each request
https://developers.google.com/identity/protocols/OAuth2WebServer
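The seven steps above, and the bullet summary on the earlier "OAuth Workflow [Google]" slide, as an added Python example that is not code from the slides or from Google: it builds the step-2 redirect, checks the state on the step-4 callback, builds the step-5 token request, parses the step-6 response and forms the step-7 bearer header. The client ID, client secret and redirect URI are placeholders, the session is a plain dict standing in for a server-side session store, and no network call is made: the callback URL and the token JSON are constructed from the values shown on the slides.

```python
import json
import secrets
import urllib.parse

# Google endpoints as shown on the slides.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"

# Assumed registration of a hypothetical app (placeholder values, not real
# credentials). The client secret must only ever exist on the server.
CLIENT_ID = "your_client_id"
CLIENT_SECRET = "your_client_secret"
REDIRECT_URI = "https://oauth2.example.com/callback"


def build_authorization_url(session, scope):
    """Step 2: build the redirect to Google's authorization server.

    A fresh random `state` is stored in the user's server-side session and
    echoed back by Google, so the callback can reject redirects that did not
    originate from this login attempt (login CSRF)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "access_type": "offline",          # also ask for a refresh token
        "include_granted_scopes": "true",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Flatten the query string of a URL into a {name: value} dict."""
    return {k: v[0] for k, v in
            urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def parse_callback(session, callback_url):
    """Step 4: Google redirects to redirect_uri?code=...&state=...

    Returns the authorization code only if `state` matches the value issued
    in step 2. The stored state is consumed so it cannot be reused."""
    q = query_params(callback_url)
    expected = session.pop("oauth_state", None)
    received = q.get("state")
    if "error" in q:                       # user declined, or Google reported an error
        raise PermissionError("authorization failed: " + q["error"])
    if expected is None or received is None or \
            not secrets.compare_digest(expected, received):
        raise PermissionError("state mismatch: redirect not from our login attempt")
    if "code" not in q:
        raise PermissionError("callback carries no authorization code")
    return q["code"]


def build_token_request(code):
    """Step 5: the server-to-server POST to the token endpoint.

    Returns (url, headers, body). redirect_uri must be identical to the one
    used in step 2, and client_secret never reaches the browser."""
    body = urllib.parse.urlencode({
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    })
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(raw_json):
    """Step 6: parse the JSON token response, rejecting anything unexpected."""
    tok = json.loads(raw_json)
    if "error" in tok:
        raise PermissionError("token endpoint error: " + str(tok["error"]))
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(tok.get("token_type")))
    return {
        "access_token": tok["access_token"],
        "expires_in": int(tok["expires_in"]),       # seconds until the access token expires
        "refresh_token": tok.get("refresh_token"),  # absent if Google issued none this time
    }


def api_headers(access_token):
    """Step 7: the access token travels as a bearer token on every API call."""
    return {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    session = {}                          # stand-in for the user's server-side session
    url = build_authorization_url(session, "https://www.googleapis.com/auth/drive.metadata.readonly")
    print("redirect the user to:", url)
    # Constructed callback URL using the code value from the slides.
    callback = REDIRECT_URI + "?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&state=" + session["oauth_state"]
    code = parse_callback(session, callback)
    endpoint, headers, body = build_token_request(code)
    print("POST", endpoint, headers, body)
    # Constructed token response, copied from the slides' example.
    sample = ('{"access_token":"1/fFAGRNJru1FTz70BzhT3Zg","expires_in":3920,'
              '"token_type":"Bearer","refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"}')
    tokens = parse_token_response(sample)
    print(api_headers(tokens["access_token"]))
```

The two checks that matter for security sit in parse_callback (the state comparison, done in constant time and consuming the stored value) and in build_token_request (the client secret and the matching redirect_uri are supplied only from the server); everything else is plumbing.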
OAuth
• OAuth is a framework, not a protocol
• Implementations vary by provider; each enterprise fills in the details differently
• Interoperability: poor
• You can't switch from Google sign-in to Facebook sign-in just by replacing google.com with facebook.com
• No signatures or cryptography in OAuth 2.0 itself: access tokens are plain bearer strings, and their protection in transit relies entirely on TLS (OAuth 1.0a, by contrast, signed each request)
OAuth and OpenID Connect
• Two web standards, but with different goals
• OAuth is a framework that provides authorization
  • Authorize other websites to access your Google Drive
  • Fine-grained permission: OK to read/write Drive files, but not to access your Gmail
  • Does not handle how you authenticate with Google in the first place; that's Google's problem
• OpenID Connect is a layer built on OAuth that provides authentication: alongside the access token, the provider returns an ID token, a signed statement of who the user is, so the relying party can verify the sign-in rather than infer it from the mere possession of an access token
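To make the authorization/authentication split concrete, here is an added example (not from the slides) of what the OpenID Connect layer adds on top of the token exchange shown earlier: an ID token, a signed JWT whose claims the relying party must check before trusting the sign-in. Assumptions: Google signs its ID tokens with RS256 using keys it publishes at a JWKS endpoint; to run offline, this demo substitutes a constructed HS256 shared key and a constructed issuer routine, and the client ID, subject and other claim values are placeholders. The checks themselves (fixed algorithm, signature, issuer, audience, expiry, nonce) are the ones a real validator performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer values Google places in its ID tokens (both forms occur in practice).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Assumed client registration and, for this offline demo only, an HS256
# shared key standing in for Google's RS256 signing keys (not real material).
CLIENT_ID = "your_client_id"
DEMO_KEY = b"constructed-demo-key-not-a-real-google-key"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key=DEMO_KEY):
    """Constructed issuer side: sign the claims as an HS256 JWT so the
    validator below has something to check. Google itself uses RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, client_id, expected_nonce, key=DEMO_KEY, now=None):
    """Relying-party side: verify the signature first, then issuer, audience,
    expiry and nonce. Returns the claims, or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":               # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was not issued to this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    # Constructed claims; "nonce" is the value the app sent in its auth request.
    claims = {"iss": "https://accounts.google.com", "sub": "1234567890",
              "aud": CLIENT_ID, "iat": now, "exp": now + 3600,
              "nonce": "n-0S6_WzA2Mj", "email": "alice@example.com"}
    token = make_id_token(claims)
    print("signed-in user:", validate_id_token(token, CLIENT_ID, "n-0S6_WzA2Mj")["sub"])
    try:
        validate_id_token(make_id_token(dict(claims, aud="someone-else")), CLIENT_ID, "n-0S6_WzA2Mj")
    except ValueError as e:
        print("rejected:", e)
```

The audience check is what separates authentication from mere authorization: an access token proves only that some client was granted some scope, whereas an ID token addressed to your client_id, with a nonce you issued, is a statement from the identity provider that this user signed in to your app.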