OAuth 2.0 for developers - the technology you need but never really learned
Mikkel Flindt Heisterberg
OnTime® by IntraVision


Agenda
• The problem we are trying to solve
• Demo (OAuth for users i.e. almost real people)
• The flow…
• OAuth for administrators
• OAuth for developers i.e. real people
• Demo w/ code
• Q&A

Mikkel Flindt Heisterberg

Twitter: @lekkim
E-mail: [email protected]
http://lekkimworld.com
http://slideshare.net/lekkim

The problem we are trying to solve

"Give me your Social site username and password and we can play…"

The user doesn't really trust that shiny new site – or IBM Connections for that matter…

"I support OAuth 2.0 and don't want your credentials – just authorize me to work on your behalf…"

It's about letting a service access user data without knowing the user's credentials... or without the user being there...

demo

Demo safety

it’s not as simple as that but almost...

The flow…

(Diagram: CLIENT, PROVIDER and USER, steps 1 to 9; the steps are spelled out in words below.)

but less cartoony and with real words this time...

1) The User accesses the site and logs in.

2) The site checks whether it already has tokens for the Provider in its credential store.

3) The site sends a redirection to the User's browser telling it to go and authorize the Client at the Provider. The URL contains the Client's redirect_uri and client_id.

4) The User follows the redirect URL to the Provider and logs in if not already logged in. The User then authorizes the Client.

5) The Provider returns a time-limited authorization_code in a redirection URL to the User.

6) The User sends the authorization_code to the Client.

7) Out-of-band, the Client sends the authorization_code, its client_id, redirect_uri and secret to the Provider.

8) The Provider exchanges the authorization_code for a short-lived access_token (yellow in the diagram) and a longer-lived refresh_token (blue).

9) When the User now accesses the site, it can use the access_token to work as the User, even if the User is not there, i.e. not logged into the site…

If not you should ask now…

Application registration

WSADMIN COMING UP

On-premises

OAuth for administrators

• IBM Connections uses the built-in OAuth provider from WebSphere Application Server

• Administrators are responsible for registering the app with the OAuth provider

• You use – you guessed it – wsadmin commands to do it…

On-premises

OAuth for administrators

execfile("oauthAdmin.py")
OAuthApplicationRegistrationService.addApplication("myapp1", "My App1", "https://www.renovations.com/oauth/redirect")
OAuthApplicationRegistrationService.browseApplications()
[{display_name=My App1, client_id=myapp1, client_secret=xxxxxxxxxxxxxxxxxxxxxxxxxx, redirect_uri=https://www.renovations.com/oauth/redirect}]
OAuthApplicationRegistrationService.deleteApplication("myapp1")
The application with the id myapp1 was deleted successfully.

https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/r_admin_common_oauth_manage_list.dita

On-premises

IBM Connections Cloud

I'M A DEVELOPER

OAuth for developers

Generate the authorization redirection URL and have the user visit it. Suggest doing it in a separate window.

Syntax
https://<hostname>/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=<client_id>&callback_uri=<callback_uri>

Example
https://social.example.com/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=myapp1&callback_uri=https://myapp.shinysite.com/oauth20_cb


The callback_uri must match exactly what the Provider has on record…

OAuth for developers

The user logs in to the Provider (if not already) and authorizes your app… Hopefully...

OAuth for developers

The Provider sends back a redirection URL to the User containing an authorization code, causing the User to send it to the Client.

Syntax
https://<client_redirection_uri>?code=<authorization_code>
https://<client_redirection_uri>?oauth_error=<error_code>

Example
https://myapp.shinysite.com/oauth20_cb?code=user_specific_auth_code

OAuth for developers

The Client POSTs the authorization code, client ID, redirection URI and client secret to the Provider out-of-band (server to server, not through the User).

Syntax
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: <hostname>
Content-Length: <length>
Connection: Close

client_secret=<client_secret>&client_id=<client_id>&grant_type=authorization_code&code=<auth_code>&callback_uri=<callback_uri>

Example
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: social.example.com
Content-Length: 161
Connection: Close

client_secret=my_secret_string&client_id=myapp1&grant_type=authorization_code&code=user_specific_auth_code&callback_uri=https://myapp.shinysite.com/oauth20_cb

OAuth for developers

The Provider responds with a JSON response containing the access token, the refresh token and expiry info. The Client should save the tokens…

Example
{
  "access_token": "d86o7UP0gj2c...GVzTPADsFv7",
  "token_type": "Bearer",
  "expires_in": 43200,
  "scope": "",
  "refresh_token": "EWcVt5uaaXC9Pc...pTTgvrLRrs56gR"
}

The response format is Provider-specific; IBM Connections Cloud, for example, returns the tokens in plain text…
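Putting the developer slides above together, here is an added Python example (not code from the deck) of the Client side: it builds the authorize URL, pulls the code or oauth_error out of the callback, assembles the out-of-band token POST with a Content-Length derived from the real body, and turns the JSON reply into the tokens the Client stores. Hostnames, ids, paths and the secret are the slides' sample values; the Content-Type header is an assumption, since the slides omit it.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Sample values from the slides (hostnames and ids are the deck's examples)
PROVIDER_HOST = "social.example.com"
CLIENT_ID = "myapp1"
CLIENT_SECRET = "my_secret_string"
CALLBACK_URI = "https://myapp.shinysite.com/oauth20_cb"
AUTHORIZE_PATH = "/oauth2/endpoint/connectionsProvider/authorize"
TOKEN_PATH = "/oauth2/endpoint/connectionsProvider/token"

def authorize_url():
    """Step 3: the URL the Client sends the User to (callback_uri is URL-encoded)."""
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "callback_uri": CALLBACK_URI})
    return f"https://{PROVIDER_HOST}{AUTHORIZE_PATH}?{query}"

def parse_callback(url):
    """Step 6: the code from the redirect the User brings back, or an error
    if the Provider sent oauth_error instead."""
    params = parse_qs(urlsplit(url).query)
    if "oauth_error" in params:
        raise RuntimeError("provider error: " + params["oauth_error"][0])
    if "code" not in params:
        raise RuntimeError("callback carried neither code nor oauth_error")
    return params["code"][0]

def token_request(grant):
    """Step 7: out-of-band POST to the token endpoint. Returns (head, body) with
    Content-Length derived from the encoded body. Content-Type is an assumption
    (the slides omit it); it is the standard header for a form body."""
    body = urlencode({"client_secret": CLIENT_SECRET, "client_id": CLIENT_ID, **grant})
    head = (f"POST {TOKEN_PATH} HTTP/1.0\r\nHost: {PROVIDER_HOST}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: Close\r\n")
    return head, body

def code_grant(code):
    """authorization_code grant: the code plus the registered callback_uri."""
    return token_request({"grant_type": "authorization_code", "code": code,
                          "callback_uri": CALLBACK_URI})

def parse_token_response(raw, now):
    """Step 8: what the Client stores; expires_in becomes an absolute time."""
    data = json.loads(raw)
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}
```

Note that urlencode percent-encodes the callback_uri, so the query string differs from the slide's literal example while carrying the same value.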

OAuth for developers

To make requests on behalf of the User, the Client sets the access token in an Authorization header.

Example
GET /connections/opensocial/oauth/rest/activitystreams/@me/@all/@all HTTP/1.0
Host: social.example.com
Authorization: Bearer d86o7UP0gj2c...GVzTPADsFv7
Connection: Close

If the Client uses an access token and receives a 401 back from the Provider, it should attempt to refresh the access token.

OAuth for developers

You can refresh the tokens, e.g. if a call using the access token returns a 401 from the Provider, by using the refresh_token. If that also fails, the user has probably revoked your authorization.

Syntax
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: <hostname>
Content-Length: <length>
Connection: Close

client_secret=<client_secret>&client_id=<client_id>&grant_type=refresh_token&refresh_token=<refresh_token>

Example
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: social.example.com
Content-Length: 104
Connection: Close

client_secret=my_secret_string&client_id=myapp1&grant_type=refresh_token&refresh_token=my_refresh_token
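The 401-then-refresh rule from the two slides above, as an added Python example (not from the deck) with a constructed stand-in Provider so it runs offline: refresh once, retry once, and treat a rejected refresh or a second 401 as a revoked authorization. The JSON error body the fake returns on a rejected refresh is made up; the real Provider's is not shown in the slides.

```python
import json
from urllib.parse import urlencode, parse_qs

TOKEN_PATH = "/oauth2/endpoint/connectionsProvider/token"

class RevokedError(Exception):
    """Refresh failed as well: the User has most likely revoked the Client."""

def refresh_body(creds, tokens):
    """The refresh_token grant from the slide, form-encoded."""
    return urlencode({"client_secret": creds["client_secret"],
                      "client_id": creds["client_id"],
                      "grant_type": "refresh_token",
                      "refresh_token": tokens["refresh_token"]})

def call_as_user(send, tokens, creds, path):
    """GET `path` as the User. On 401: refresh once, retry once, then give up.
    `send(method, path, headers, body) -> (status, body)` is an injected
    transport, so the policy can be exercised without a network."""
    bearer = lambda: {"Authorization": "Bearer " + tokens["access_token"]}
    status, body = send("GET", path, bearer(), "")
    if status != 401:
        return status, body
    status, body = send("POST", TOKEN_PATH, {}, refresh_body(creds, tokens))
    if status != 200:
        raise RevokedError("refresh rejected: " + body)
    tokens.update(json.loads(body))  # persist the rotated tokens
    status, body = send("GET", path, bearer(), "")
    if status == 401:
        raise RevokedError("still 401 with a fresh access_token")
    return status, body

class FakeProvider:
    """Constructed stand-in for the Provider (not IBM code): one valid access
    token, one valid refresh token; the error body on refusal is made up."""
    def __init__(self):
        self.access, self.refresh, self.revoked, self.calls = "tok-1", "ref-1", False, []
    def expire_access(self):
        self.access = None  # the bearer the Client stored is now stale
    def __call__(self, method, path, headers, body):
        self.calls.append((method, path))
        if path == TOKEN_PATH:
            if self.revoked or parse_qs(body).get("refresh_token") != [self.refresh]:
                return 400, '{"error": "invalid_grant"}'
            self.access, self.refresh = "tok-2", "ref-2"
            return 200, json.dumps({"access_token": self.access, "token_type": "Bearer",
                                    "expires_in": 43200, "refresh_token": self.refresh})
        if self.access and headers.get("Authorization") == "Bearer " + self.access:
            return 200, '{"items": []}'
        return 401, ""
```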

Demo
