Upgrade to Pro — share decks privately, control downloads, hide ads and more …

O(ops), Authentication!

Andreas Hucks
January 27, 2014
Programming
4
770

O(ops), Authentication!

When it comes to authentication for Restful Webservices, it seems every vendor is following another recipe. Some modes of authentication in use contradict the restful principle, some don’t. Some are secure, some are less so. We will take a tour of authentication schemes commonly found, discuss their pros and cons, and look at how to build secure, restful authentication mechanisms for your own API and various use cases.

Andreas Hucks

January 27, 2014
Tweet

More Decks by Andreas Hucks

See All by Andreas Hucks
Divide and Conquer (LonghornPHP 2019)
meandmymonkey
0
98
Symfony Internals
meandmymonkey
3
720
Divide and Conquer
meandmymonkey
1
600
Deptrac - Keep Your Architecture Clean
meandmymonkey
0
580
Introduction to Docker at PHPBenelux2015
meandmymonkey
3
770
Best Practices in Symfony2
meandmymonkey
0
320
Introduction to Docker at PHPNW2014
meandmymonkey
4
390
Best Practices in Symfony2
meandmymonkey
15
1.7k
Best Practices in Symfony2
meandmymonkey
28
4.5k

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
PagerDuty を軸にした On-Call 構築と運用課題の解決 / PagerDuty Japan Community Meetup 4
horimislime
1
110
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
役立つログに取り組もう
irof
26
8.7k
go.mod、DockerfileやCI設定に分散しがちなGoのバージョンをまとめて管理する / Go Connect #3
arthur1
10
2.4k
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
130
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
480
Progressive Web Apps für Desktop und Mobile mit Angular (Hands-on)
christianliebel
PRO
0
110
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
150
推し活としてのrails new/oshikatsu_ha_iizo
sakahukamaki
3
1.7k
C#/.NETのこれまでのふりかえり
tomokusaba
1
160

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
GraphQLとの向き合い方2022年版
quramy
43
13k
What's new in Ruby 2.0
geeforr
342
31k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Facilitating Awesome Meetings
lara
49
6k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
GitHub's CSS Performance
jonrohan
1030
460k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Ruby is Unlike a Banana
tanoku
96
11k
Scaling GitHub
holman
458
140k

Transcript

  1. O(ops), Authentication! PHPBenelux 2014

  2. Andreas Hucks @meandmymonkey • Software Architect at
 SensioLabs Deutschland •

    Symfony Trainer

  3. Authentication

  4. None

  5. Knock Knock. Client Server

  6. Who’s there? Client Server

  7. Me. Client Server

  8. kthx. Client Server

  9. HTTP is stateless.

  10. Knock Knock. BTW it's me. Client Server

  11. Not that long ago in a project not that far

    away…

  12. GET  /login?user=myname&pwd=secret DON'T TRY THIS AT HOME

  13. HTTP/1.1  200  OK   Content-­‐Type:  text/html   […]   !

    <ticket>1a2b3c4e</ticket> DON'T TRY THIS AT HOME

  14. GET  /profile?ticket=1a2b3c4e DON'T TRY THIS AT HOME

  15. Don’t roll your own.

  16. Tokens in the Query String? It happens.

  17. Basic Auth

  18. GET  /account/  HTTP/1.1   Host:  api.localhost   Authorization:  Basic  aHR0cHdhdGNoOmY=

  19. GET  /account/  HTTP/1.1   Host:  api.localhost   Authorization:  Basic  aHR0cHdhdGNoOmY=

  20. GET  /account/  HTTP/1.1   Host:  api.localhost   Authorization:  Basic  aHR0cHdhdGNoOmY=

  21. Oh, and use TLS.

  22. OAuth2

  23. Why? • Some API providing data under your control
 (GitHub,

    Facebook, Twitter…) • Third party wants access • Third party should have limited access to resource and no access to your credentials • Centralized Signons

  24. How? • Different flows to grant access • Suitable for

    different types of clients • Result is always a short-lived token that is used for authentication

  25. Who? • Facebook • Twitter • GitHub • 2567 others

    • You

  26. Timeline • RFC Expected 2010 • Published October 2012
 (RFCs

    for framework and bearer token)

  27. [snip]

  28. – RFC6749 „the method of which is beyond the scope

    of this specification"
  29. None

  30. Let’s start backwards:

  31. Resource Owner Password Credentials Grant * Certain use cases only

  32. MyApp for iDroidTM MyApi ! ! POST  /token   !

    client_id=myapp&   grant_type=password&   username=meandmymonkey&   password=supersecret&   scope=email

  33. MyApp for iDroidTM MyApi ! ! {      "access_token":"abcd",

         "token_type":"bearer",      "expires_in":3600,      "refresh_token":"1234"   }

  34. – RFC 6750 „A security token with the property that

    any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. ! Using a bearer token does not require a bearer to prove possession of cryptographic key material““

  35. Oh, and use TLS.

  36. MyApp for iDroidTM MyApi ! ! GET  /account   !

    Authorization:  Bearer   abcd

  37. Query  String               Post

     Body                   Authorization  Header   Intermezzo: Token Location

  38. Query  String               Grmpf.

      Post  Body                   Why?   Authorization  Header     Yep. Intermezzo: Token Location

  39. Auth                  

    AcmeToken             X-­‐Auth                 X-­‐AcmeToken           X-­‐Authorization   Authorization   Intermezzo: Token Location

  40. Auth                 Nope.

        AcmeToken           Nope.   X-­‐Auth               Nope.   X-­‐AcmeToken         Nope.   X-­‐Authorization     Nope.   Authorization       Yep. Intermezzo: Token Location

  41. Implementation

  42. Preconditions • Some kind of user management • Client registration

    (possibly) • Some resource you want to make accessible (duh)

  43. Don’t roll your own.

  44. oauth2-php Composer: friendsofsymfony/oauth2-php

  45. Granting the Token

  46. Protecting a Resource

  47. Authorization Grant

  48. Elements • Authorization Provider (let’s say… myapi.com) • Client -

    A third party, (let’s say… thatapp.com) • Resource owner - That’s you

  49. You MyApi ! ! GET  /authorize?   response_type=code&   client_id=thatApp&

      redirect_uri=https:// thatapp.com/auth&   state=xyz   ThatApp

  50. You MyApi ! HTTP/1.1  302   location:  https:// thatapp.com/cb?  

    code=1234&   state=xyz ThatApp

  51. Authorization

  52. You MyApi POST  /token?   ! grant_type=     authorization_code&

      code=1234&   redirect_uri=https:// thatapp.com/auth&   client_id=thatApp   ! ThatApp

  53. Granting the Token

  54. Protecting a Resource

  55. Implicit Grant

  56. You MyApi ! ! GET  /authorize?   response_type=token&   client_id=thatapp&

      redirect_uri=https:// thatapp.com/auth&   state=xyz   ThatApp

  57. You MyApi ! ! HTTP/1.1  302   location:  https:// thatapp.com/cb#

      access_token=1234&   state=xyz&   token_type=bearer&   expires_in=3600 ThatApp

  58. Implementation • PHP: Same as the previous authorization steps •

    JS: Using hello.js • bower install hello

  59. WebApp

  60. WebApp

  61. Client Credentials Grant

  62. Intermezzo:
 Shameless Plug

  63. FOSOauthServerBundle

  64. None

  65. OAuth2
 Problems & Gotchas

  66. HashMAC

  67. HMAC

  68. Simple Hash fc1de43bebbfaf6e9268fd7974100347
 884d1b4c574d31f7c17bf2f66d6f95ef hash('sha526',  'meandymonkey');

  69. Simple Hash 2d0aaf9c491869665e98a28b2d3be32b
 e9854271b4d01f2146a59c659a8d2f6f hash('sha526',  'meandYmonkey');

  70. HMAC a688746a6187b2c82d919c2a88c4fbc0   36902956ef977835e6d8267b7774f509 hash_hmac('sha256',  'meandmymonkey',  'secret');

  71. Client Key and Secret 7d5ae8a791ce21309e596274e6d69281   5d0d28493bd8bc6c84920200dd88e7d8 53335e65e0624971917d09d376dfdfc9   ae5cf625da962d314515b98753f82193

  72. MyApi ! ! GET  /profile   Authorization:   HMAC-­‐SHA256  

    Id=7d5ae8a[…],   Headers=content-­‐ type;host;date   Nonce=43hd,   Signature=a688746a[…]   Date:  Tue,  14  Aug  2013   13:32:00  GMT ThatApp

  73. Advantages • Authentication AND protection against tampering with the request

    • Can prevent replay attacks • No redirects or other extra requests • In certain circumstances can work without SSL • RESTful

  74. Now this is more difficult than you would think

  75. Canonicalizing a request • Add HTTP method • Add URI

    • Add query (needs to be canonicalized itself) • Add headers (sorted and filtered • Add nonce • Add Auth information, like Algorithm

  76. Signing it • Derive a key - derivation must be

    reproducible by the server • Create a hash of the canonicalized request • Use hash and derived key to create signature using hash_hmac();

  77. Don’t roll your own?

  78. None

  79. Hash Collisions In AWS V1 ?query=yojimbo&limit=5&offset=3 ?query=yojimbolimit=5&offset=3&

  80. … same result after normalizing: yojimbolimit5offset3 yojimbolimit5offset3

  81. Vendors • AWS V2, V3, V4 • Windows Azure API

  82. HMAC Problems

  83. X.509 Client Certificates

  84. – me „the method of which is beyond the
 scope

    of this talk"

  85. User and Credentials

  86. Wrap up: When to use what?

  87. Sharing Resources with web or mobile apps • OAuth2 Authorization

    Grant • OAuth2 HMAC extension would be nice, but • probably not there yet • ATM, same SDK problems as with pure HMAC

  88. Server to Server • Basic Auth • HMAC • OAuth2

    Client Credentials

  89. Other JS apps • OAuth2 Implicit Grant

  90. Your own JS app • OAuth2 Implicit Grant or Password

    Grant • If you are logged in for the HTML part, re-use the session (there, I said it) • Oh yes, SSL

  91. Your own Mobile App • OAuth2 Password Grant

  92. Infrastructure or Intranet Level • X.509 Client Certificates

  93. Thanks! @meandmymonkey ! http://joind.in/10285

  94. None