Upgrade to Pro — share decks privately, control downloads, hide ads and more …

O(ops), Authentication!

O(ops), Authentication!

When it comes to authentication for Restful Webservices, it seems every vendor is following another recipe. Some modes of authentication in use contradict the restful principle, some don’t. Some are secure, some are less so. We will take a tour of authentication schemes commonly found, discuss their pros and cons, and look at how to build secure, restful authentication mechanisms for your own API and various use cases.

Andreas Hucks

January 27, 2014
Tweet

More Decks by Andreas Hucks

Other Decks in Programming

Transcript

  1. HTTP/1.1  200  OK   Content-­‐Type:  text/html   […]   !

    <ticket>1a2b3c4e</ticket> DON'T TRY THIS AT HOME
  2. Why? • Some API providing data under your control
 (GitHub,

    Facebook, Twitter…) • Third party wants access • Third party should have limited access to resource and no access to your credentials • Centralized Signons
  3. How? • Different flows to grant access • Suitable for

    different types of clients • Result is always a short-lived token that is used for authentication
  4. MyApp for iDroidTM MyApi ! ! POST  /token   !

    client_id=myapp&   grant_type=password&   username=meandmymonkey&   password=supersecret&   scope=email
  5. MyApp for iDroidTM MyApi ! ! {      "access_token":"abcd",

         "token_type":"bearer",      "expires_in":3600,      "refresh_token":"1234"   }
  6. – RFC 6750 „A security token with the property that

    any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. ! Using a bearer token does not require a bearer to prove possession of cryptographic key material““
  7. MyApp for iDroidTM MyApi ! ! GET  /account   !

    Authorization:  Bearer   abcd
  8. Query  String               Post

     Body                   Authorization  Header   Intermezzo: Token Location
  9. Query  String               Grmpf.

      Post  Body                   Why?   Authorization  Header     Yep. Intermezzo: Token Location
  10. Auth                  

    AcmeToken             X-­‐Auth                 X-­‐AcmeToken           X-­‐Authorization   Authorization   Intermezzo: Token Location
  11. Auth                 Nope.

        AcmeToken           Nope.   X-­‐Auth               Nope.   X-­‐AcmeToken         Nope.   X-­‐Authorization     Nope.   Authorization       Yep. Intermezzo: Token Location
  12. Preconditions • Some kind of user management • Client registration

    (possibly) • Some resource you want to make accessible (duh)
  13. Elements • Authorization Provider (let’s say… myapi.com) • Client -

    A third party, (let’s say… thatapp.com) • Resource owner - That’s you
  14. You MyApi ! ! GET  /authorize?   response_type=code&   client_id=thatApp&

      redirect_uri=https:// thatapp.com/auth&   state=xyz   ThatApp
  15. You MyApi POST  /token?   ! grant_type=     authorization_code&

      code=1234&   redirect_uri=https:// thatapp.com/auth&   client_id=thatApp   ! ThatApp
  16. You MyApi ! ! GET  /authorize?   response_type=token&   client_id=thatapp&

      redirect_uri=https:// thatapp.com/auth&   state=xyz   ThatApp
  17. You MyApi ! ! HTTP/1.1  302   location:  https:// thatapp.com/cb#

      access_token=1234&   state=xyz&   token_type=bearer&   expires_in=3600 ThatApp
  18. MyApi ! ! GET  /profile   Authorization:   HMAC-­‐SHA256  

    Id=7d5ae8a[…],   Headers=content-­‐ type;host;date   Nonce=43hd,   Signature=a688746a[…]   Date:  Tue,  14  Aug  2013   13:32:00  GMT ThatApp
  19. Advantages • Authentication AND protection against tampering with the request

    • Can prevent replay attacks • No redirects or other extra requests • In certain circumstances can work without SSL • RESTful
  20. Canonicalizing a request • Add HTTP method • Add URI

    • Add query (needs to be canonicalized itself) • Add headers (sorted and filtered • Add nonce • Add Auth information, like Algorithm
  21. Signing it • Derive a key - derivation must be

    reproducible by the server • Create a hash of the canonicalized request • Use hash and derived key to create signature using hash_hmac();
  22. Sharing Resources with web or mobile apps • OAuth2 Authorization

    Grant • OAuth2 HMAC extension would be nice, but • probably not there yet • ATM, same SDK problems as with pure HMAC
  23. Your own JS app • OAuth2 Implicit Grant or Password

    Grant • If you are logged in for the HTML part, re-use the session (there, I said it) • Oh yes, SSL