Mobile authentication and authorisation: OpenID and OAuth

A project presentation about the use of OpenID and OAuth with mobile devices.

SecureApps user group meeting, 27/05/2014

Overview

• Motivation
• OpenID
• OAuth
• On the mobile
  o OpenID
  o OAuth
  o Getting the user name and password
• Conclusion: the difference

Motivation

• Knowing your user
  o Attribute-based access control (e.g. age verification)
  o Personalisation (e.g. location-based services)
• Modern services and mobile apps:
  o … blend different resources (pictures, social network posts, documents, geographical data, …)
  o … which are spread across providers
• Can our app access the user's resources
  o … on his behalf?
  o … without asking for his credentials!
  o … with fine-grained permissions?

OpenID: what is it?

• Authentication and single sign-on protocol
• 2009: > 1 billion OpenID-enabled accounts
• Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress, …
• Alternative: SAML-based setups
  o Belgian eGov Login
  o Shibboleth

(Diagram: one user, one identity provider, several service providers)

OpenID: how does it work?

Actors: user, user's browser, identity provider (IdP), service provider (SP)

1. Request service
2. Prompt for IdP URI
3. Provide IdP URI (IdP discovery step)
4. Redirect to IdP
5. Prompt for authentication
6. Authenticate
7. Assert attributes and redirect
8. Grant access

OpenID: trust establishment

• Why?
  o IdP: who may request user data?
  o SP: which IdP's info can I rely on?
• SAML
  o Offline mutual trust agreement
  o Digitally signed assertions
• OpenID
  o Initially: none (full user control)
  o Now: unilateral trust of SPs in major IdPs

(Screenshot: https://www.google.com/account)
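The eight-step flow and the trust decision above, as an added simulation that is not part of the presentation: the IdP checks the password and returns a signed attribute assertion, and the SP grants access only when the asserting IdP is on its trust list, the assertion is addressed to its own return URL, and the signature verifies. The IdP and SP URIs, the account, and the association key are constructed values; OpenID 2.0 negotiates the association key itself, here it is a constant.

```python
import hashlib
import hmac

# Constructed sample data: one IdP holding one account with an attribute it can assert.
IDP_ACCOUNTS = {"https://idp.example": {"alice": ("pw", {"age_over_18": "true"})}}
# Assumed pre-established SP/IdP association key (OpenID 2.0 negotiates this; constant here).
ASSOCIATION_KEY = b"constructed-association-secret"
RETURN_TO = "https://sp.example/openid/return"


def sign(fields, key):
    """HMAC-SHA256 over sorted key:value lines, a stand-in for OpenID's signed-field list."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def idp_authenticate(idp_uri, user, password, return_to):
    """Steps 5-7: the IdP prompts for and checks credentials, then asserts attributes
    in a signed message that the browser carries back to the SP's return_to URL."""
    stored = IDP_ACCOUNTS.get(idp_uri, {}).get(user)
    if stored is None or stored[0] != password:
        return None  # authentication failed: nothing is asserted
    fields = {"op_endpoint": idp_uri, "identity": f"{idp_uri}/{user}",
              "return_to": return_to, **stored[1]}
    fields["sig"] = sign(fields, ASSOCIATION_KEY)
    return fields


def sp_verify(assertion, trusted_idps, return_to):
    """Step 8: the SP grants access only for an assertion from an IdP it trusts
    (the unilateral trust on the slide), addressed to its own return_to, with a valid signature."""
    if assertion is None or assertion.get("op_endpoint") not in trusted_idps:
        return None
    if assertion.get("return_to") != return_to:
        return None
    unsigned = {k: v for k, v in assertion.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned, ASSOCIATION_KEY), assertion.get("sig", "")):
        return None  # tampered or unsigned assertion
    return assertion["identity"], assertion.get("age_over_18") == "true"


def login(idp_uri, user, password, trusted=("https://idp.example",)):
    """Steps 1-4 (IdP discovery and redirect) are collapsed into the caller supplying idp_uri.
    Returns (identity, age verified) on success, None otherwise."""
    assertion = idp_authenticate(idp_uri, user, password, RETURN_TO)
    return sp_verify(assertion, set(trusted), RETURN_TO)
```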

OAuth 2.0: what is it?

• Authorisation protocol
• IETF RFC 6749
• Resource access
  o on behalf of the user
  o with consent of the user
  o limited in time and scope
• Widely supported: Amazon, Dropbox, Facebook, Flickr, Google, LinkedIn, Netflix, PayPal, …
• Plain HTTP requests

OAuth: protocol flow

Actors: resource owner, client, and the resource provider (authorisation server and resource server)

Diagram labels:
5: Authorisation code grant
6: Access token
7: Access token
8: Protected resource

• Client never sees user name and password
• Access token
  o transferred and stored securely
  o limited in time and scope

4 grant types
• Authorisation code grant
• Resource owner password credentials
• Implicit grant
• Client credentials grant
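The authorisation code grant of the flow above, as an added simulation that is not from the presentation: the resource owner's password is checked only by the authorisation server (the client never sees it), the code is single-use and bound to the registered client and redirect URI, and the resource server releases the resource only for an unexpired token carrying the needed scope. The client id, secret, redirect URI and user are constructed values.

```python
import hmac, secrets, time
from dataclasses import dataclass, field

# Constructed sample registrations for the simulation (not real credentials).
CLIENTS = {"photo-app": {"secret": "s3cr3t", "redirect_uri": "app://cb"}}
USERS = {"alice": "correct horse"}

@dataclass
class AuthorisationServer:
    codes: dict = field(default_factory=dict)   # code  -> (user, client_id, scope)
    tokens: dict = field(default_factory=dict)  # token -> (user, scope, expiry)

    def authorise(self, user, password, client_id, redirect_uri, scope):
        """Up to step 5: the resource owner authenticates here, never at the client.
        Returns a single-use authorisation code bound to the client and its redirect URI."""
        client = CLIENTS.get(client_id)
        if USERS.get(user) != password or client is None or client["redirect_uri"] != redirect_uri:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, frozenset(scope))
        return code

    def token(self, code, client_id, client_secret, ttl=60):
        """Step 6: the client exchanges the code plus its own credentials for an access token."""
        entry = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or entry[1] != client_id:
            return None
        if not hmac.compare_digest(CLIENTS[client_id]["secret"], client_secret):
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (entry[0], entry[2], time.time() + ttl)  # limited in time and scope
        return tok

def resource_server(auth, token, needed_scope):
    """Steps 7-8: hand out the protected resource only for a live token carrying the scope."""
    entry = auth.tokens.get(token)
    if entry is None or time.time() > entry[2] or needed_scope not in entry[1]:
        return None
    return f"photos of {entry[0]}"

def run_flow(password="correct horse"):
    """Runs the whole grant; returns (resource, result of replaying the used code)."""
    auth = AuthorisationServer()
    code = auth.authorise("alice", password, "photo-app", "app://cb", {"photos.read"})
    if code is None:
        return None, None
    tok = auth.token(code, "photo-app", "s3cr3t")
    return resource_server(auth, tok, "photos.read"), auth.token(code, "photo-app", "s3cr3t")
```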

OpenID in a mobile app
Protocol deployment and implementation differences

• Only few mobile uses:
  o Browser-based single sign-on, same as non-mobile
  o Can be used to authenticate within OAuth, but most logins proprietary
• How to integrate (same flow as browser SSO):
  o as in-app library
  o as in-app Web View
  o in a centralised account repository
    • Android: Account Management API
    • iOS: Accounts Framework

OAuth in a mobile app

Diagram: on the mobile device, the client app and an authentication component; the resource owner; and the resource provider with its authorisation server and resource server. Labelled steps:
5: Authorisation code grant
6: Access token
7: Access token
8: Protected resource

OAuth in a mobile app

• Use cases:
  o Resource retrieval at own service
  o Resource retrieval at 3rd party service
  o Authentication to Client
    • No proof of identity or account ownership!
    • No standardised mechanism for attribute provisioning
• How to integrate:
  o centralised account repository
  o libs by resource providers
  o 3rd-party libs
  o own implementation

Getting the user name and password

Authentication component                  | Browser invocation                 | Web View | In-app credential input          | Centralised account repo
Minimises typing?                         | Yes, if used with password manager | No       | Yes, if used with secure storage | Yes, if used with secure storage
Centralised, reusable component?          | Yes                                | No       | No                               | Yes
Trust in client app for credential input? | No                                 | Yes      | Yes                              | No
Eavesdropping by malware/greyware?        | Yes (Android)                      | No       | No                               | No
TLS indicators (address bar, padlock)?    | Yes                                | No       | No                               | No, but component assumed trusted

Conclusion: the difference

                   | OpenID                                      | OAuth
Involved actors    | • User                                      | • User (resource owner)
                   | • Identity provider                         | • Client
                   | • Service provider                          | • Resource provider
What happens?      | • User authentication to identity provider  | • User authentication to resource provider
                   | • Identity provider asserts user info to    | • Client retrieves resource from resource
                   |   service provider                          |   provider on behalf of user
Used for           | • Authentication                            | Delegation of resource access
                   | • Personalisation                           |
Result             | Assertion of user info                      | Access token, limited in
                   |                                             | • time
                   |                                             | • scope (accessible resource)
Example scenarios  | • Gambling site with age verification       | • Post on Facebook from other website
                   | • Localised news                            | • Access Google+ Photos from mobile app

Q&A
