DPS907 notes – Tue Oct 8

Another security discussion. Using OAuth in our web service.

.

Should I implement HTTP Basic Authentication in my web service?

No.

Why? It requires the requestor to send their credentials with the request. That’s a problem.

Is there a solution?

Yes.

Don’t send credentials with the request. Instead, send an access token.

An access token is a digital asset which represents the right to perform a task. It is generated when a requestor authenticates, and then is used to authorize access to a resource.

Refresh your memory… You do know these definitions already (right?), but here’s a refresher:

Authentication – sometimes abbreviated to AuthN – the process of presenting credentials that prove your identity.

Authorization – sometimes abbreviated to AuthZ – the process of determining whether a resource can be accessed.

.

More about access tokens

An access token does NOT include credentials in any form.

An access token has a limited lifetime (although it can be refreshed).

There is no ‘standard’ format for the content of an access token.

A requestor obtains an access token after authenticating.

A resource server can ask (must ask!) the issuer whether the token is valid.

The access token is the digital asset that’s used to authorize access to a web service resource.

How do we begin using access tokens in our web service? There are (at least) two approaches:

  1. Create your own design and infrastructure
  2. Take advantage of an existing framework or standard

Today, we will look at the second approach, by studying the OAuth Authorization Framework.

.

OAuth, a framework for authorization

OAuth is an open framework for authorization, and is fully described in RFC 6749.

It enables a person to authorize an app to access the person’s resources, without giving the app their credentials. That’s the key benefit.

Criticisms of OAuth

OAuth is not perfect:

It is not an interoperable protocol. So it will never be a ‘standard’.

It is not inherently secure. However, a developer who understands security principles can implement security.

It was designed just before the mobile device and modern web app revolutions. As a result, it’s too browser-centric (but as you’ll see, it can be adapted and used).

However, despite these important criticisms, it’s widely used, and its goals offer promise for the future.

Therefore, we’ll study it. Read and study the web service security principles document before continuing below.

.

OAuth infrastructure for today’s code example

Your professor has created a web app that will help us implement OAuth, and use this infrastructure 1) in our web service and 2) during testing (with, for example, Fiddler).

When you studied the web service security principles, you learned about a number of roles that are performed by software components. This table shows the roles and the software component that handles the role:

  Role                         Software component
  oauth-authorization-server   The professor's web app (implements the authorization server role)
  oauth-resource-server        YOUR web service, with an OAuth handler
  oauth-client-app             Fiddler

.

The authorization server role web app is at this URL: http://warp.senecac.on.ca:81/bti420_121a42/

Here is its start screen:

(Image: oauth-web-app-home)

Before you can use the app, you must create an account. Click the link to do so.

When you create an account, you must select one or more ‘roles’. To help you test your web service later, we suggest that you create accounts that combine your My.Seneca user name with a suffix that reminds you of the account’s role. For example, if the My.Seneca user name is ‘pmcintyr’:

  • pmcintyr_mem is in the Member role
  • pmcintyr_ed is in the Editor role
  • pmcintyr_rev is in the Reviewer role

(Image: oauth-web-app-create-account)

After creating an account, you are returned to the start screen. Notice the ‘client app identifier’. It is hard-coded into the web app. It’s the only client app that has had an account created for it.

Click the Next button to login:

(Image: oauth-web-app-login)

After login, you are taken to the ‘client app redirection’ page. At this point in time, an authorization grant has been successfully created.

(Image: oauth-web-app-client-app-redir)

Click Next to exchange it for an authorization token. You must select a lifetime:

(Image: oauth-web-app-token-lifetime)

After you do so, you will see an authorization token:

(Image: oauth-web-app-token-created)

.

The token’s content/format is opaque. It’s not good enough for real-world use, but it’s good enough to help you learn about the OAuth framework. If you’re interested, the token was created with:

  • a string concatenation of the user name and the app name
  • a comma-separated list of strings, for the role names the user belongs to
  • a cryptographically-strong random number, transformed to a string
  • these three parts were concatenated (with dot separators), and the result transformed to a Base64 string
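The description above is enough to reconstruct the teaching token and see why it is “not good enough for real-world use”. The following Python is an added example, not code from the professor’s web app or from the course repository: it assumes the field order (identity, roles, random number) and the dot separator from the bullets, builds such a token, and decodes it to show that a Base64 token is readable by anyone who holds it and carries nothing that would reveal a change to its role list. That is exactly why the resource server must ask the issuer whether a token is valid. For contrast, the last two functions show what adding an integrity tag (an HMAC, keyed by the issuer) would look like; that part is my addition and is not how the professor’s app works.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Reconstruction of the teaching token described in the notes. The professor's
# web app code is not shown, so the field order (identity, roles, random) and
# the dot separator are assumptions taken from that description.


def build_demo_token(user: str, app: str, roles: List[str], nonce: Optional[str] = None) -> str:
    """user+app, comma-joined role names, a random number; dot-joined, then Base64."""
    if nonce is None:
        nonce = str(secrets.randbits(128))  # cryptographically strong random, as a decimal string
    raw = ".".join([user + app, ",".join(roles), nonce])
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_demo_token(token: str) -> Dict[str, str]:
    """Anyone holding the token can do this: Base64 is an encoding, not encryption."""
    raw = base64.b64decode(token).decode("utf-8")
    # Role names and the decimal nonce contain no dots, so split from the right;
    # this keeps an identity such as 'first.lastapp' intact.
    identity, roles, nonce = raw.rsplit(".", 2)
    return {"identity": identity, "roles": roles, "nonce": nonce}


def roles_of(token: str) -> List[str]:
    """Role list as the resource server would read it if it trusted the token's content."""
    roles = decode_demo_token(token)["roles"]
    return roles.split(",") if roles else []


def rebuild_with_roles(token: str, roles: List[str]) -> str:
    """Defender's test vector: the same identity and nonce with a different role list.
    Nothing in the format distinguishes this from a token the issuer created."""
    parts = decode_demo_token(token)
    return build_demo_token(parts["identity"], "", roles, parts["nonce"])


# Constructed key for this example only; a real issuer keeps its key server-side.
DEMO_ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


def build_signed_token(user: str, app: str, roles: List[str], key: bytes = DEMO_ISSUER_KEY) -> str:
    """Added integrity protection (not part of the professor's app): append an HMAC tag.
    Standard Base64 output never contains '.', so the tag separator is unambiguous."""
    body = build_demo_token(user, app, roles)
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_signed_token(token: str, key: bytes = DEMO_ISSUER_KEY) -> Optional[Dict[str, str]]:
    """Return the decoded fields if the tag verifies, otherwise None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return decode_demo_token(body)


if __name__ == "__main__":
    token = build_demo_token("pmcintyr", "demoapp", ["Member"])
    print("decoded by anyone:", decode_demo_token(token))
    print("altered roles read back as:", roles_of(rebuild_with_roles(token, ["Editor"])))
    signed = build_signed_token("pmcintyr", "demoapp", ["Member"])
    body, _, tag = signed.rpartition(".")
    print("altered signed token verifies:", verify_signed_token(rebuild_with_roles(body, ["Editor"]) + "." + tag))
```

Even the signed variant only proves the token came from the issuer; it still says nothing about whether the token has been revoked or has expired, so the validation call to the issuer remains necessary.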

.

If you are writing your own client app that sends requests to a web service on behalf of users, you will need to add functionality to that client app that lets the user obtain an access token.

.

Today’s web service code example

Today’s web service code example is named SecurityUsingOAuth. Get it from the code example repository.

It implements the resource server role that’s described earlier.

The code is similar to the first security-themed example, but the authorization handler is different.

The handler in the code example calls the professor’s web app, specifically the token validation endpoint.

If the token is valid, a plain text (Content-Type: text/plain) response is generated, with the body message “valid”. However, if the token is invalid, the response body message is “invalid”.

When using Fiddler, you must add this kind of ‘Authorization’ header to your request:

Authorization: Bearer <access_token>
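The handler’s behaviour described above (read the bearer token, ask the issuer, answer “valid” or “invalid” as text/plain) is small enough to show in full. This Python is an added example, not the SecurityUsingOAuth code from the repository, which is a .NET web service. It assumes the Bearer credential syntax from RFC 6750, and because the notes do not give the validation endpoint’s URL or request format, the issuer is an injected callable: a constructed stand-in for offline use where the real handler makes an HTTP call. The HTTP status codes are also an assumption; the notes only specify the response bodies.

```python
import re
from typing import Callable, Dict, Optional, Set, Tuple

# Bearer credential syntax from RFC 6750: the scheme, whitespace, then token68 characters.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")

Response = Tuple[int, str, str]  # (HTTP status, Content-Type, body)


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the access token out of 'Authorization: Bearer <access_token>'.
    Header names are case-insensitive; any other scheme (Basic, for example) is rejected."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            match = _BEARER_RE.match(value.strip())
            return match.group(1) if match else None
    return None


def handle_request(headers: Dict[str, str], ask_issuer: Callable[[str], bool]) -> Response:
    """The handler behaviour the notes describe: consult the issuer, answer 'valid' or 'invalid'.
    Status codes (200 / 401) are an assumption; the notes only specify the bodies."""
    token = extract_bearer_token(headers)
    if token is None:
        return (401, "text/plain", "invalid")
    try:
        is_valid = ask_issuer(token)
    except Exception:
        # Issuer unreachable or misbehaving: fail closed rather than guess.
        is_valid = False
    if is_valid:
        return (200, "text/plain", "valid")
    return (401, "text/plain", "invalid")


def make_constructed_issuer(issued_tokens: Set[str]) -> Callable[[str], bool]:
    """Stand-in for the token validation endpoint (its URL and protocol are not given
    in the notes). Constructed for offline use; the real handler makes an HTTP call here."""
    def ask(token: str) -> bool:
        return token in issued_tokens
    return ask


def make_failing_issuer() -> Callable[[str], bool]:
    """Simulates the issuer being down, to exercise the fail-closed path."""
    def ask(token: str) -> bool:
        raise ConnectionError("issuer unreachable (simulated)")
    return ask


if __name__ == "__main__":
    issuer = make_constructed_issuer({"c2FtcGxlLXRva2Vu"})  # one constructed token the issuer knows
    print(handle_request({"Authorization": "Bearer c2FtcGxlLXRva2Vu"}, issuer))   # valid
    print(handle_request({"Authorization": "Bearer bm90LWlzc3VlZA=="}, issuer))   # invalid
    print(handle_request({"Authorization": "Basic dXNlcjpwYXNz"}, issuer))        # wrong scheme
    print(handle_request({"Authorization": "Bearer c2FtcGxlLXRva2Vu"}, make_failing_issuer()))
```

Two points worth noticing when you compare this with the handler in the code example: a Basic credential is never accepted as a substitute for a bearer token, and an error while contacting the issuer is treated as “invalid”, never as “valid”.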
