Is that a token in your phone in your pocket or are you just glad to see me?
(the presentation formerly known as Securing Your Pocket to the Cloud)
OAuth 2.0 and Mobile Devices

Brian Campbell
@weeUnquietMind
Agenda
• Intro
• Quick overview of OAuth
• Social logins, mobile apps, the problem and how OAuth can help
• An abstract OAuth exchange and some terminology
• A detailed OAuth flow with a mobile client
    • HTTP exchanges
    • Code and configuration snippets for Android and iOS
• Q&A
Who the hell is this guy anyway?
@weeUnquietMind

As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Disclaimer & Credits
• I primarily do server side development
• Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen
    • Because “plagiarism” is such a nasty word
• Quick Reference
    • Any content you find humorous or insightful is mine
    • If you think something's dumb and/or you're offended by it, it's Paul's
        • Hate mail to @paulmadsen
• Also thanks to Scott Tomilson for many examples
    • He needs more followers @scotttomilson
    • As do I…
Bad Idea Jeans
• ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password.
• What could possibly go wrong?
Why so bad? (The Password Sharing Anti-Pattern)
• Requesting sites and apps store the passwords
• Hosting sites get locked into password authentication
• Users get trained to be indiscriminate with their passwords
• The hosting site is not involved in the authorization step
• No support for granular permissions
• No easy way to revoke access
• Changing password (good security hygiene) revokes access to all
Enter OAuth
• Delegated authorization protocol
    • Mitigates password anti-pattern
    • Web and Native
• OAuth is your valet key to the Interwebs
    • (Anyone actually drive a car with a valet key?)
• Standard way to provide a 'key' to a third-party which allows only limited access to perform specific functions
    • Without divulging credentials to the third-party
    • Access grant is revocable
    • Scope of the access grant can be constrained
• An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.
• An authorization & authentication framework for RESTful APIs (& more)
Some Historical Context
• Proprietary Solutions
    • Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more
• OAuth 1.0 in late 2007
• Informational RFC 5849 in mid 2010
• OAuth WRAP (Web Resource Authorization Profiles) also in 2010
• OAuth 2.0 in the final stages of IETF standardization
Premise: All the Cool Sites are Doing It
• Social Logins
    • Less friction
    • Better conversion rates
    • Outsources authentication and (some) security
    • Starting to become a user expectation
• Mobile Apps
    • You're at Gluecon so you may have already gotten the memo that mobility is a thing
    • Anyone heard of this Instagram thing?
    • Damn kids today!
        • No distinction: computing is mobile
        • BYMODD
Social & Mobile - So What?
• Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication
• But what if you're relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?
• You could…
    • or not…
OAuth Can Help
• OAuth offers a standard way to use social logins with mobile applications
• Leverage existing (and future) investment in browser based authentication for use with mobile applications
Aside: Mobile Application Continuum
[Figure: a continuum from Web Applications (a Web Server serving HTML/JS/CSS to a Mobile Web Page in the Browser on the Mobile Device), through Hybrid Approaches, to Native Applications (a Web Server serving JSON/XML to a Native App on the Mobile Device).]
Skinning the Cat
• Open source libraries
• Commercial solutions
• Android Account Manager
• Do It Yourself

• Examples herein are DIY and native
    • Completeness, timeliness, neutrality
    • One stated design goal for OAuth v2.0 was simplification of the client
Basic Abstract Flow
[Figure: the Client exchanges messages with the Authorization Server and the Resource Server.]
• client: An application obtaining authorization and making protected resource requests.
    • Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests.
    • Protected APIs
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

A few other protocol terms
• Access token (AT) – Presented by the client when accessing protected resources at the RS
• Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
• Token endpoint – used for direct client to AS communication
• Authorization Code – One time code issued by an AS to be exchanged for an AT.
Concrete Flow
[Figure: the Native App and the Browser on the Device exchange messages with the Token Endpoint and the Authorization Endpoint in the Cloud; the arrows are numbered 1 to 5 to match the steps below.]
① Client app initiates authorization request
② End-user authenticates and approves the requested access
③ Server returns control to the app and includes an authorization code
④ The authorization code is traded for access token (and refresh token)
⑤ Protected APIs invoked using the access token
Request Authorization
[Figure: step ① of the concrete flow diagram]
• When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint

https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status

Android:
    Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
    Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
    startActivity(launchBrowser);

iOS:
    NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
    [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
Authenticate and Approve
[Figure: step ② of the concrete flow diagram]
• The AS authenticates the user
    • Directly
    • Indirectly via Facebook, Twitter, Google, Yahoo, etc.
Approve
[Figure: step ② of the concrete flow diagram]
• User approves the requested access
Handle Callback
[Figure: step ③ of the concrete flow diagram]
• Server returns control to the app via HTTP redirection and includes an authorization code

HTTP/1.1 302 Found
Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
Handle Callback (cont'd)
[Figure: step ③ of the concrete flow diagram]
• Registering a custom URI scheme

In AndroidManifest.xml file:
    <activity android:name=".MyAppCallback" … >
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="x-com.mycorp.myapp" />
      </intent-filter>
    </activity>

In the callback activity, read the code from the intent's data URI:
    String authzCode = getIntent().getData().getQueryParameter("code");
Handle Callback (cont'd)
[Figure: step ③ of the concrete flow diagram]
• Registering a custom URI scheme

In app info plist file:
[Figure: the URL scheme entry in the app's Info.plist]

    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
    {
        // Split the callback's query string into name=value pairs
        NSString *queryString = [url query];
        NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
        for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
            NSArray *elts = [param componentsSeparatedByString:@"="];
            if ([elts count] < 2) continue;
            [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
        }

        NSString *code = [qsParms objectForKey:@"code"];
    ...
Trade Code for Token(s)
[Figure: step ④ of the concrete flow diagram]

Token Endpoint Request
    POST /as/token.oauth2 HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

Token Endpoint Response
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
     "token_type":"Bearer",
     "expires_in":3600,
     "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
     "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
    }
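Steps ①, ③ and ④ above (Request Authorization, Handle Callback, Trade Code for Token) as one runnable exchange. This is an added example, not code from the deck or from PingFederate: the client side builds the authorization URL, validates the custom-scheme callback and redeems the code, while a constructed in-memory stand-in for as.example.com plays the authorization server. It goes one step beyond the slides by adding the `state` parameter defined in RFC 6749 to the authorization request and checking it on the callback, and by making the fake AS honour each code only once; the token values it issues are random, not the ones on the slides.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the deck's example flow.
AUTHZ_ENDPOINT = "https://as.example.com/as/authorization.oauth2"
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"
CLIENT_ID = "myapp"
CALLBACK_URI = "x-com.mycorp.myapp://oauth.callback"  # the custom-scheme redirect


# ---- client side: steps 1, 3 and 4 ----

def build_authorization_url(scope, state):
    """Step 1: the URL the app hands to the system browser.
    `state` is added here (RFC 6749 section 4.1.1); the slide's URL omits it."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(location, expected_state):
    """Step 3: extract the code from the redirect the browser delivers to the app.
    Any URL the scheme handler receives is untrusted input, so check that it is our
    callback, that it echoes the state we generated, and that a code is present."""
    url = urlparse(location)
    if f"{url.scheme}://{url.netloc}{url.path}" != CALLBACK_URI:
        raise ValueError("callback delivered to an unexpected URI")
    query = parse_qs(url.query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: not the authorization request we started")
    if "error" in query:
        raise ValueError("authorization server returned " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code):
    """Step 4: form body for the token endpoint, as on the slide."""
    return urlencode({"client_id": CLIENT_ID,
                      "grant_type": "authorization_code", "code": code})


def parse_token_response(body):
    """Accept only a bearer token response; anything else is treated as failure."""
    tokens = json.loads(body)
    if "error" in tokens:
        raise ValueError("token endpoint returned " + tokens["error"])
    if tokens.get("token_type", "").lower() != "bearer" or "access_token" not in tokens:
        raise ValueError("unexpected token response")
    return tokens


# ---- constructed stand-in for as.example.com: steps 2 and 4 ----

class FakeAuthorizationServer:
    """Issues one-time authorization codes and trades each for tokens exactly once."""

    def __init__(self):
        self._codes = {}  # code -> client_id it was issued to

    def approve(self, authorization_url):
        """Step 2: pretend the user authenticated and approved; answer with the 302."""
        query = parse_qs(urlparse(authorization_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = query["client_id"][0]
        redirect = CALLBACK_URI + "?" + urlencode(
            {"code": code, "state": query["state"][0]})
        return "HTTP/1.1 302 Found\r\nLocation: " + redirect + "\r\n\r\n"

    def token(self, form_body):
        """Step 4: redeem the code; redeeming the same code twice fails."""
        form = parse_qs(form_body)
        code = form.get("code", [None])[0]
        issued_to = self._codes.pop(code, None)
        if (form.get("grant_type") != ["authorization_code"]
                or issued_to is None or issued_to != form.get("client_id", [None])[0]):
            return json.dumps({"error": "invalid_grant"})
        return json.dumps({"token_type": "Bearer", "expires_in": 3600,
                           "access_token": secrets.token_urlsafe(21),
                           "refresh_token": secrets.token_urlsafe(33)})


def run_code_flow(auth_server, scope="update_status"):
    """Drive steps 1 to 4 end to end and return the parsed token response."""
    state = secrets.token_urlsafe(16)  # fresh per authorization request
    response_302 = auth_server.approve(build_authorization_url(scope, state))
    location = response_302.split("Location: ", 1)[1].split("\r\n", 1)[0]
    code = parse_callback(location, state)
    return parse_token_response(auth_server.token(token_request_body(code)))


if __name__ == "__main__":
    print(json.dumps(run_code_flow(FakeAuthorizationServer()), indent=1))
```

The state check is what stops a callback that some other page steered into the app's scheme handler from being mistaken for the user's own authorization; the one-time code is what the AS side has to enforce so that a code seen in transit cannot be redeemed a second time.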
Using an Access Token
[Figure: step ⑤ of the concrete flow diagram]
• Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header

    POST /api/update-status HTTP/1.1
    Host: rs.example.com
    Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    status=Almost%20done.

iOS:
    NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];

    NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
    [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
    [request setValue:authzHeader forHTTPHeaderField:@"Authorization"];

Android:
    DefaultHttpClient httpClient = new DefaultHttpClient();
    HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
    post.setHeader("Authorization", "Bearer " + accessToken);
If All Goes Well,
    HTTP/1.1 200 OK

And If Not,
• HTTP 401/403
• Use refresh token to get a new access token

    POST /as/token.oauth2 HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
     "token_type":"Bearer",
     "expires_in":3600,
     "access_token":"G8RTS98dQ9CpLoaH7P3V41MzW1q0"
    }

• And if that doesn't work, initiate the authorization request flow again
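Step ⑤ together with the recovery path just described (401/403, refresh, and only then a new authorization request), as an added example that is not part of the deck. The resource server and the token endpoint are constructed in-memory stand-ins for rs.example.com and as.example.com; the token values are the ones from the slides, and the refreshed access token is random. The client retries exactly once after a refresh so a bad token can never put it into a loop, and it keeps a rotated refresh token if the AS sends one, which the slides' response does not.

```python
import json
import secrets
from urllib.parse import urlencode, parse_qs

# Endpoints from the deck's example exchange.
RS_URL = "https://rs.example.com/api/update-status"
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"


class ReauthorizationRequired(Exception):
    """Refresh token rejected: the app has to start the authorization request flow again."""


class FakeResourceServer:
    """Constructed stand-in for rs.example.com: knows which access tokens are live."""

    def __init__(self, live_tokens):
        self.live = set(live_tokens)
        self.statuses = []  # statuses accepted so far

    def update_status(self, headers, form_body):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Only a live bearer token gets through; anything else is 401 with a challenge.
        if scheme != "Bearer" or token not in self.live:
            return 401, {"WWW-Authenticate": 'Bearer realm="rs.example.com"'}, ""
        self.statuses.append(parse_qs(form_body)["status"][0])
        return 200, {}, ""


class FakeTokenEndpoint:
    """Constructed stand-in for the AS token endpoint's refresh_token grant."""

    def __init__(self, resource_server, refresh_tokens):
        self.rs = resource_server
        self.refresh_tokens = set(refresh_tokens)

    def post(self, form_body):
        form = parse_qs(form_body)
        rt = form.get("refresh_token", [None])[0]
        if form.get("grant_type") != ["refresh_token"] or rt not in self.refresh_tokens:
            return 400, json.dumps({"error": "invalid_grant"})
        new_at = secrets.token_urlsafe(21)
        self.rs.live.add(new_at)  # the RS now honours the fresh access token
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3600,
                                "access_token": new_at})


class MobileClient:
    """Holds the AT/RT pair from step 4 and uses it as in step 5."""

    def __init__(self, access_token, refresh_token, rs, token_endpoint):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.rs = rs
        self.token_endpoint = token_endpoint

    def _call(self, status_text):
        headers = {"Authorization": "Bearer " + self.access_token,
                   "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
        return self.rs.update_status(headers, urlencode({"status": status_text}))

    def refresh(self):
        """Trade the RT for a fresh AT; a rejected RT means going back to step 1."""
        body = urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token})
        status, response = self.token_endpoint.post(body)
        if status != 200:
            raise ReauthorizationRequired(json.loads(response).get("error", "refresh failed"))
        tokens = json.loads(response)
        self.access_token = tokens["access_token"]
        # The AS may rotate the RT; keep the new one if it sent one.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        return self.access_token

    def update_status(self, status_text):
        """Call the API; on 401/403 refresh once and retry once, never loop."""
        status, _, _ = self._call(status_text)
        if status in (401, 403):
            self.refresh()
            status, _, _ = self._call(status_text)
        return status


def demo():
    """Happy path, expiry followed by refresh, then a revoked refresh token."""
    rs = FakeResourceServer(["PeRTSD9RQrbiuoaHVPxV41MzW1qS"])
    te = FakeTokenEndpoint(rs, ["uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"])
    client = MobileClient("PeRTSD9RQrbiuoaHVPxV41MzW1qS",
                          "uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8", rs, te)
    first = client.update_status("Almost done.")       # 200 with the original AT
    rs.live.discard("PeRTSD9RQrbiuoaHVPxV41MzW1qS")    # simulate AT expiry at the RS
    second = client.update_status("Done.")              # 401 -> refresh -> 200
    te.refresh_tokens.clear()                           # simulate RT revocation
    rs.live.clear()
    try:
        client.update_status("Still here?")
        third = "unexpected success"
    except ReauthorizationRequired:
        third = "reauthorize"
    return first, second, third


if __name__ == "__main__":
    print(demo())
```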
Thanks! (and time permitting)

Questions?
(there are no stupid questions, only stupid answers and I'm tremendously qualified to deliver such answers)

Brian Campbell
@weeUnquietMind
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSE
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

  • 1. Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
  • 2. Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
  • 3. Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
  • 4. Disclaimer & Credits  I primarily do server side development  Some content and jokes were "borrowed" from my esteemed colleague, Dr. Paul Madsen  Because "plagiarism" is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something's dumb and/or you're offended by it, it's Paul's  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
  • 5. Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password. •What could possibly go wrong?
  • 6. Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
  • 7. Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a 'key' to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
  • 8. Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
  • 9. Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You're at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
  • 10. Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you're relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
  • 11. OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
  • 12. Aside: Mobile Application Continuum [diagram: a continuum from Web Applications (Web Server / Web App delivering HTML/JS/CSS to a Mobile Web Page in the Browser on the Mobile Device), through Hybrid Approaches, to Native Applications (Web Server delivering JSON/XML to a Native App on the Mobile Device)]
  • 13. Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
  • 14. Basic Abstract Flow [diagram: Client exchanging messages with the Authorization Server and with the Resource Server]
      client: An application obtaining authorization and making protected resource requests.  Native app on mobile device
      resource server (RS): A server capable of accepting and responding to protected resource requests.  Protected APIs
      authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
     A few other protocol terms
     • Access token (AT) – Presented by the client when accessing protected resources at the RS
     • Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
     • Scope – A permission (or set of permissions) defined by the AS/RS
     • Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
     • Token endpoint – used for direct client to AS communication
     • Authorization Code – One time code issued by an AS to be exchanged for an AT.
  • 15. Concrete Flow [diagram: Cloud side with Authorization Endpoint and Token Endpoint; Device side with Browser and Native App; arrows numbered 1–5]
     ① Client app initiates authorization request
     ② End-user authenticates and approves the requested access
     ③ Server returns control to the app and includes an authorization code
     ④ The authorization code is traded for access token (and refresh token)
     ⑤ Protected APIs invoked using the access token
  • 16. Request Authorization [diagram: step 1, Native App opens the Browser, which is sent to the Authorization Endpoint]
      When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint
       https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
     Android:
       Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
       Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
       startActivity(launchBrowser);
     iOS:
       NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
       [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
  • 17. Authenticate and Approve [diagram: step 2, Browser at the Authorization Endpoint]  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc.
  • 18. Approve [diagram: step 2, Browser at the Authorization Endpoint]  User approves the requested access
  • 19. Handle Callback [diagram: step 3, Authorization Endpoint redirects the Browser back to the Native App]
     Server returns control to the app via HTTP redirection and includes an authorization code
       HTTP/1.1 302 Found
       Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  • 20. Handle Callback (cont'd) [diagram: step 3]
     Registering a custom URI scheme. In AndroidManifest.xml file:
       <activity android:name=".MyAppCallback" … >
         <intent-filter>
           <action android:name="android.intent.action.VIEW"/>
           <category android:name="android.intent.category.DEFAULT"/>
           <category android:name="android.intent.category.BROWSABLE"/>
           <data android:scheme="x-com.mycorp.myapp" />
         </intent-filter>
       </activity>
     Then in MyAppCallback:
       String authzCode = getIntent().getData().getQueryParameter("code");
  • 21. Handle Callback (cont'd) [diagram: step 3]
     Registering a custom URI scheme. In app info plist file:
       - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
           NSString *queryString = [url query];
           NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
           for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
               NSArray *elts = [param componentsSeparatedByString:@"="];
               if ([elts count] < 2) continue;
               [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
           }
           NSString *code = [qsParms objectForKey:@"code"];
           ...
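The authorization request of slide 16 and the callback handling of slides 19 to 21 as one runnable piece, added here in Python rather than the deck's Java and Objective-C; this is not code from the presentation or from Ping Identity. It reuses the deck's endpoint, client_id, scope, custom scheme and sample code value, and goes beyond the slides in two ways a native client should: it sends and verifies the OAuth 2.0 state parameter (RFC 6749, section 10.12), so a redirect the app did not itself start is dropped instead of having its code exchanged, and it percent-decodes the query with urllib.parse instead of splitting on & and = as the iOS snippet does. The redirect_uri parameter, the function names and the CallbackError class are my additions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the slides; the app's registered custom scheme is the
# one the 302 on slide 19 redirects to.
AUTHZ_ENDPOINT = "https://as.example.com/as/authorization.oauth2"
CALLBACK_URI = "x-com.mycorp.myapp://oauth.callback"


def new_state() -> str:
    """Fresh unguessable value the app stores before opening the browser.
    (state is not in the deck's request; it is my addition.)"""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id: str, scope: str, state: str) -> str:
    """Authorization request of slide 16 plus redirect_uri and state.
    urlencode takes care of escaping whatever the scope or state contains."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": CALLBACK_URI,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class CallbackError(Exception):
    """The redirect must be ignored; the reason is in the message."""


def parse_callback(url: str, expected_state: str) -> str:
    """Handle the custom-scheme redirect (slides 19 to 21) and return the code.
    Rejects redirects to any other URI, redirects whose state does not match
    the value this app generated, and error responses from the AS."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != CALLBACK_URI:
        raise CallbackError("redirect target is not our callback URI")
    qs = parse_qs(parts.query, keep_blank_values=True)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
            state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: not a redirect we initiated")
    if "error" in qs:  # e.g. error=access_denied (RFC 6749, section 4.1.2.1)
        raise CallbackError(f"authorization failed: {qs['error'][0]}")
    codes = qs.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("callback did not carry exactly one code")
    return codes[0]
```

The app keeps the value from new_state() until the callback arrives and passes it to parse_callback; the comparison is constant-time only out of habit, the real protection is that the value is random and single-use. Since any app on the device that registers the same custom scheme can receive this redirect, the later PKCE extension (RFC 7636) is the additional check a native client should send with the request; it is outside what the deck covers and not shown here.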
  • 22. Trade Code for Token(s) [diagram: step 4, Native App talks directly to the Token Endpoint]
     Token Endpoint Request
       POST /as/token.oauth2 HTTP/1.1
       Host: as.example.com
       Content-Type: application/x-www-form-urlencoded;charset=UTF-8

       client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
     Token Endpoint Response
       HTTP/1.1 200 OK
       Content-Type: application/json;charset=UTF-8
       Cache-Control: no-store
       Pragma: no-cache

       {
         "token_type":"Bearer",
         "expires_in":3600,
         "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
         "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
       }
  • 23. Using an Access Token [diagram: step 5, Native App calls the protected API]
      Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header
       POST /api/update-status HTTP/1.1
       Host: rs.example.com
       Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
       Content-Type: application/x-www-form-urlencoded;charset=UTF-8

       status=Almost%20done.
     iOS:
       NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
       NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
       [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
       [request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
     Android:
       DefaultHttpClient httpClient = new DefaultHttpClient();
       HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
       post.setHeader("Authorization", "Bearer " + accessToken);
  • 24. If All Goes well, HTTP/1.1 200 OK
  • 25. And If not,  HTTP 401/403  Use refresh token to get a new access token
       POST /as/token.oauth2 HTTP/1.1
       Host: as.example.com
       Content-Type: application/x-www-form-urlencoded;charset=UTF-8

       grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8

       HTTP/1.1 200 OK
       Content-Type: application/json;charset=UTF-8
       Cache-Control: no-store
       Pragma: no-cache

       {
         "token_type":"Bearer",
         "expires_in":3600,
         "access_token":"G8RTS98dQ9CpLoaH7P3V41MzW1q0"
       }
      And if that doesn't work, initiate the authorization request flow again
  • 26. Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I'm tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind
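Slides 22 through 25 as one runnable exchange, added here in Python and not taken from the deck or from Ping Identity: the client side builds the form bodies the slides show, validates the token endpoint's JSON before trusting it, puts the access token in the Authorization header, and on a 401 tries the refresh token once before falling back to a fresh authorization request. FakeAuthorizationServer is a constructed stand-in for both the AS and the RS so the flow runs offline; it issues random tokens, treats the authorization code as single use, and reports failures as HTTP 400 with a JSON error member as RFC 6749 section 5.2 specifies. The code value is the one from slide 19; all function and class names are mine.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode


class TokenError(Exception):
    """Token endpoint returned an error or an unusable response."""


def code_grant_body(client_id: str, code: str) -> str:
    """Form body of the slide-22 request (application/x-www-form-urlencoded)."""
    return urlencode({"client_id": client_id,
                      "grant_type": "authorization_code",
                      "code": code})


def refresh_grant_body(refresh_token: str) -> str:
    """Form body of the slide-25 refresh request."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})


def parse_token_response(status: int, body: str) -> dict:
    """Validate a token endpoint response before using it. The slides show only
    the 200 case; an AS reports failures as HTTP 400 with a JSON "error" member."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise TokenError(data.get("error", f"HTTP {status}"))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type; this client only handles Bearer")
    if not data.get("access_token"):
        raise TokenError("no access_token in response")
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),  # absent on refresh here
            "expires_in": int(data.get("expires_in", 0))}


def bearer_header(access_token: str) -> dict:
    """Slide 23: the token goes in the Authorization header, not in the URL."""
    return {"Authorization": "Bearer " + access_token}


class FakeAuthorizationServer:
    """Constructed stand-in for the AS and the RS so the exchange runs offline.
    api() accepts only tokens this object issued; codes are single use."""

    def __init__(self):
        self.codes = {"SplxlOBeZQQYbYS6WxSbIA": "myapp"}  # code from slide 19
        self.access, self.refresh = set(), set()

    def _issue(self, with_refresh: bool):
        at = secrets.token_urlsafe(24)
        self.access.add(at)
        rsp = {"token_type": "Bearer", "expires_in": 3600, "access_token": at}
        if with_refresh:
            rt = secrets.token_urlsafe(32)
            self.refresh.add(rt)
            rsp["refresh_token"] = rt
        return 200, json.dumps(rsp)

    def token_endpoint(self, body: str):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            # pop() makes the code one-time: a replayed code is refused
            if self.codes.pop(form.get("code"), None) != form.get("client_id"):
                return 400, json.dumps({"error": "invalid_grant"})
            return self._issue(with_refresh=True)
        if grant == "refresh_token":
            if form.get("refresh_token") not in self.refresh:
                return 400, json.dumps({"error": "invalid_grant"})
            return self._issue(with_refresh=False)
        return 400, json.dumps({"error": "unsupported_grant_type"})

    def api(self, headers: dict) -> int:
        """The protected resource: 200 for a live bearer token, else 401."""
        auth = headers.get("Authorization", "")
        return 200 if auth.startswith("Bearer ") and auth[7:] in self.access else 401


def call_api_with_refresh(server, tokens: dict) -> str:
    """Slides 24 and 25 as code: call the API; on 401 use the refresh token once;
    if that also fails, return "reauthorize" so the app restarts the slide-16 flow."""
    if server.api(bearer_header(tokens["access_token"])) == 200:
        return "ok"
    if not tokens.get("refresh_token"):
        return "reauthorize"
    try:
        fresh = parse_token_response(
            *server.token_endpoint(refresh_grant_body(tokens["refresh_token"])))
    except TokenError:
        return "reauthorize"
    tokens["access_token"] = fresh["access_token"]
    if fresh["refresh_token"]:  # some servers rotate the refresh token as well
        tokens["refresh_token"] = fresh["refresh_token"]
    return "ok" if server.api(bearer_header(tokens["access_token"])) == 200 else "reauthorize"
```

Two details are worth copying into a real client: parse_token_response refuses anything that is not a Bearer token or that carries an error member, so the app never stores garbage from a 400, and call_api_with_refresh retries exactly once, so a revoked grant degrades to one extra round trip and a new browser flow rather than a loop of failing refreshes.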