34,79 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth.
With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way.
At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book where you will learn the need for and importance of registering your application and types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration.
By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also have a look at special considerations to integrate with OAuth service providers via native mobile applications. In addition, you will also come across support resources for OAuth and credentials grant.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 247
Veröffentlichungsjahr: 2015
Ähnliche
Table of Contents
Mastering OAuth 2.0
Mastering OAuth 2.0
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2015
Production reference: 1081215
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-540-7
www.packtpub.com
Credits
Author
Charles Bihis
Reviewers
Shubham Jindal
Oleg Mikheev
Commissioning Editor
Pramila Balan
Acquisition Editors
Richard Harvey
Aaron Lazar
Content Development Editor
Rohit Singh
Technical Editor
Siddhi Rane
Copy Editors
Janbal Dharmaraj
Kevin McGowan
Project Coordinator
Mary Alex
Proofreader
Safis Editing
Indexer
Priya Sane
Graphics
Kirk D'Penha
Production Coordinator
Komal Ramchandani
Cover Work
Komal Ramchandani
About the Author
Charles Bihis is a scientist and engineer from Vancouver, Canada. Earning his degree in computer science from the University of British Columbia, specializing in software engineering, he enjoys exploring the boundaries of technology. He believes that technology is the key to enriching the lives of everyone around us and strives to solve problems people face every day. Reach out to him on his website, www.whoischarles.com, and let's solve the world's problems together!
This work would not have been possible without the help of my colleagues, friends, and family. A special thanks goes to my teammates on the Identity Platform team at Adobe for the years of guidance and tutelage. I'd also like to thank my friends for their constant support and encouragement. And finally, I'd like to thank my family, especially my wife, for their ceaseless confidence in all that I do.
About the Reviewers
Shubham Jindal has an avid interest in programming and is currently pursuing his degree in computer science and engineering from Indian Institute of Technology, Delhi. Leaning towards JavaScript, he breathes computers and can be easily spotted hacking around with things, scripting or inspecting elements on the Web. Being a clinophile, he believes in doing smart work. Inclined towards music since childhood, you can inevitably find him with his earphones plugged in.
He is always agog for new opportunities and is striving to establish his very own start-up.
I would like to thank Dr. Karthikeyan Bhargavan—my INRIA's internship mentor, parents, friends, and Vartika Garg—my partner in crime, for their help in producing this book.
Oleg Mikheev is a computer science enthusiast with over 17 years background both in industry and academia, holding a PhD from one of the top Russian universities. He has completed numerous projects in industries where security is always a top priority—finance, insurance, government.
The list of clients Oleg has worked for includes names such as UBS, CSFB and NYSE, where he has applied a full stack of technologies, specifically IBM WebSphere. Lately, Oleg is focused on start-up ventures, currently working in a financial start-up, Personal Capital.
He has authored a number of articles for the Java World journal, contributed to open source projects and reviewed a book on Struts 2.
I would like to thank Mary Alex for her exceptional work and would like to wish her the best of luck with her married life.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
To my wife, Stephanie, my mom, Purificacion, and my aunt, Elizabeth, the three most important women in my life. Everything I do is possible because of you.
--CharlesPreface
The Internet is a thriving and dynamic ecosystem. Living and playing within this ecosystem are many world-class services, all offering world-class technologies. Think about the massive social graph that Facebook hosts, the most up-to-date mapping system proudly owned and operated by Google, or the ever-growing professional network that is available from LinkedIn. All of these companies, and more, are presenting their world-class technologies for the world to use!
Until recently, it was very difficult to access these technologies in your own applications. Each company would create their own protocols for how to access and leverage their respective technologies. You may have heard of Yahoo!'s BBAuth, or Google's AuthSub. These are just a couple of examples of proprietary protocols created to allow people to leverage these company's services. Unfortunately, the trend of creating and using proprietary protocols just doesn't scale. Enter OAuth 2.0.
OAuth 2.0 is an open protocol for delegating authorization to such services, and it has become the standard authorization protocol used by companies around the world. It allows developers like you and I to access these world-class technologies and use them in our own applications! It is a fascinating problem space with an equally fascinating and elegant solution.
I've been lucky enough to work in the Identity space for the past 7 years, and during this time, I've been able to witness the evolution and progression of this protocol. Mastering OAuth 2.0 is an attempt at distilling the most important parts of the protocol, including design and usage. With a hard focus on practicality and security, this book focuses on the parts of integration that will give application developers like you and I the most benefit and mileage.
As OAuth 2.0 continues to gain adoption, and more and more services become available for developers to integrate with and leverage, I'm hoping that this book will allow you to be able to comfortably dive in and start building the next generation of world-class applications and technologies!
What this book covers
Chapter 1, Why Should I Care About OAuth 2.0?, introduces the OAuth 2.0 protocol, and discusses its purpose, prevalence, and importance.
Chapter 2, A Bird's Eye View of OAuth 2.0, takes a high-level look at the OAuth 2.0 protocol and the different workflows it describes.
Chapter 3, Four Easy Steps, enumerates the simple steps necessary to integrate with a service provider using the OAuth 2.0 protocol.
Chapter 4, Register Your Application, details the first of these four steps which covers registering your application with the service provider.
Chapter 5, Get an Access Token with the Client-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call an untrusted client.
Chapter 6, Get an Access Token with the Server-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call a trusted client.
Chapter 7, Use Your Access Token, outlines the process for exercising access to a resource once it has been granted to you.
Chapter 8, Refresh Your Access Token, talks about the process of refreshing your access once it expires.
Chapter 9, Security Considerations, discusses the many important security considerations to be made in your application. This is an important topic for any application, but is especially important given the power that this protocol allows.
Chapter 10, What About Mobile?, is a chapter dedicated to the topic of mobile devices, including phones and tablets, and all of the considerations that come with it.
Chapter 11, Tooling and Troubleshooting, talks about how to troubleshoot issues with your integration as well as how to appropriately handle errors so as to minimize user interaction.
Chapter 12, Extensions to OAuth 2.0, looks at the various ways OAuth 2.0 can be extended to satisfy a multitude of use cases.
Appendix A, Resource Owner Password Credentials Grant, takes a look at one of the supplemental supported flows in the book.
Appendix B, Client Credentials Grant, takes a look at another of the supplemental supported flows in the book.
Appendix C, Reference Specifications, enumerates the various open specifications that are referenced throughout the book.
What you need for this book
To create the sample applications described in this book, you will need Java 8, Apache Maven 3, a modern web browser (such as Google Chrome, Microsoft Edge, or Mozilla Firefox), and a text editor of your choice. Several libraries and command-line utilities will be utilized as well, including JQuery, Apache HTTPClient, and cURL. A basic understanding of programming and OAuth is recommended.
Who this book is for
This book is written for application developers, software architects, security engineers, and casual programmers alike, looking to leverage the power of OAuth 2.0 in their own services and applications. It covers basic topics such as registering your application and choosing an appropriate workflow, and advanced topics such as security considerations and extensions to the specification. This book has something for everyone.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
Questions
If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.
Chapter 1. Why Should I Care About OAuth 2.0?
As an application developer, you may have heard the term OAuth 2.0 thrown around a lot. OAuth 2.0 has gained wide adoption by web service and software companies around the world, and is integral to the way these companies interact and share information. But what exactly is it? In a nutshell…
OAuth 2.0 is a protocol that allows distinct parties to share information and resources in a secure and reliable manner.
This is the major tenet of the OAuth 2.0 protocol, which we will spend the rest of the book learning about and utilizing. Also, in this chapter, we will introduce the sample application that we will be building throughout this book, The World's Most Interesting Infographic Generator.
Note
What about OAuth 1.0?
Built with the same motivation, OAuth 1.0 was designed and ratified in 2007. However, it was criticized for being overly complex and also had issues with imprecise specifications, which led to insecure implementations. All of these issues contributed to poor adoption for OAuth 1.0, and eventually led to the design and creation of OAuth 2.0. OAuth 2.0 is the successor to OAuth 1.0.
It is also important to note that OAuth 2.0 is not backwards compatible with OAuth 1.0, and so OAuth 2.0 applications cannot integrate with OAuth 1.0 service providers.
Authentication versus authorization
Before we dive into our discussion of OAuth 2.0, it is important to first define some terms. There are two terms in particular that are pivotal to our understanding of OAuth 2.0 and its uses: authentication and authorization. These terms are often conflated and sometimes interchanged, but they actually represent two distinct concepts, and their distinction is important to understand before continuing our discussion of OAuth 2.0.
Authentication
Authentication is the process of validating whether a person (or system) is actually who they say they are.
An example of this is when you go to the bank to withdraw money, and you provide your bank card and PIN to the teller. In some cases, the teller may ask for additional identification, such as your driver's license, to verify your identity. You may recognize this in other instances when you provide your username and password to a website, say, to view a document.
Authorization
Authorization is the process of determining what actions you are allowed to perform once you have been authenticated.
Referring to our previous bank example, once the teller has verified who you are, they can then proceed to fulfill your request to withdraw money. In order to do this, they must check whether you are allowed to withdraw money from the account that you are requesting (that is, you are actually the owner of the account). Relating to our website example, once you have authenticated by providing your username and password, the website will then check to see whether you are indeed allowed to see the document that you are requesting. This is usually done by looking up your permissions in some access control list.
Now that we have established the distinction between these two important concepts, we can look at what OAuth 2.0 actually is and the problems it solves.
What problems does it solve?
Have you ever logged into a site using your Google account? Have you ever posted to Pinterest and Instagram at the same time? Have you ever shared a link to your wall from any application other than Facebook? These are all examples of OAuth 2.0 in use!
At a high level, the OAuth 2.0 protocol allows two parties to exchange information securely and reliably. In more practical terms, you'll find that the most common uses of OAuth 2.0 involve two things:
Both of these combine to allow the creation of powerful applications that can all integrate with each other.
Tip
Both of the scenarios mentioned in the preceding list are actually really the same scenario. In both, the user is accessing a protected resource on behalf of another party. In the first example, the protected resource is the user's account information, while in the second example the protected resource is the user's Facebook photos. This will become clearer as we explore the details of how the OAuth 2.0 protocol handles these situations.
Federated identity
Federated identity is an important concept in identity management. It refers to the concept that allows one service provider to allow authentication of a user using their identity with another service provider. For instance, imagine a user that logs into Foursquare and Amazon with their Facebook credentials. In this example, the user only needs to maintain a single user account, their Facebook account, which gives them access to several service providers; in this case, Facebook itself, plus Foursquare, and Amazon. They don't need to create individual accounts on Foursquare or Amazon, and therefore, don't need to maintain three separate passwords. In this sense, the user's identities across these sites are federated, as in, they are made to act as one.
Tip
The OAuth 2.0 Authorization Framework
Strictly speaking, the OAuth 2.0 protocol is actually an authorization protocol and not an authentication protocol. Because of this, OAuth 2.0 alone cannot provide federated identity. However, when used in a certain way, and in conjunction with other protocols, OAuth 2.0 can provide federated authentication, which is a key component to federated identity systems.
See the OpenID Connect section in Chapter 12, Extensions to OAuth 2.0, to see how the OAuth 2.0 protocol can be combined with OpenID to provide an authentication layer on top of the authorization framework described by the OAuth 2.0 specification.
Delegated authority
Delegated authority is another important concept in the identity space. It refers to the ability for a service or application to gain access to a user's resources on their behalf. Take, for instance, LinkedIn, which can suggest contacts for you to add by looking at your Google contact list. In this example, LinkedIn will be able to view your Google contact list on your behalf. Permission to access your Google contacts has been delegated to LinkedIn.
Real-life examples of OAuth 2.0 in action
Now that we understand the basic principles of OAuth 2.0, let's take a look at some everyday, real-life examples of OAuth 2.0 in action:
As you can see, if you've ever done any of these things, or anything similar, you have probably already used OAuth 2.0.
How does OAuth 2.0 actually solve the problem?
In order to see how OAuth 2.0 solves this problem of sharing resources, let's look at how this problem was solved before OAuth 2.0 was created.
Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
Imagine that you have just signed up for the service GoodApp. As a new user, you don't have any contacts. GoodApp wants to suggest contacts for you to add by looking at your Facebook friends. If any of your Facebook friends are on GoodApp, it will suggest that you add them.
Before the creation of OAuth 2.0, this was solved in a very insecure way. GoodApp would ask you for your username and password for Facebook. GoodApp would then log into Facebook on your behalf to get your friends. This interaction can be looked at like this:
Here is how it works:
Why is this a bad idea? There are five key reasons:
