KEMBAR78
O auth2 with angular js | PPTX
Bixlabs , profile picture
Uploaded byBixlabs
PPTX, PDF434 views

O auth2 with angular js

1. The implicit grant type is used for mobile apps and web applications where client secret confidentiality cannot be guaranteed. It returns the access token directly to the client instead of an authorization code. 2. The user is redirected to the authorization server to log in and authorize access. If approved, the access token is encoded in the redirect URI returned to the client. 3. The client extracts the token and can use it to access protected resources, without having to make a separate request to exchange an authorization code for a token. However, the token is exposed in the redirect URI, so it has a short lifetime.

Download to read offline
OAuth2 with AngularJS Bix Labs
Topics Introduction Authorization vs Authentication SSL (Secure Sockets Layer) Authentication Evolution Basic Authentication Form Based Authentication Failed Attempts OAuth2 Introduction What is OAuth 2.0
Introduction
Authorization vs Authentication Authentication verifies who you are In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, or decide to let it log in or not. Authorization verifies what you are authorized to do. In terms of web apps, is when you look up in your access control whether you allow the user to edit, delete or create content or execute specific actions or navigate to specific pages, depending on their current user or role permissions.
Secure Sockets Layer SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook). SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.
Secure Sockets Layer (II) Technically, SSL is a security protocol, it determines variables of the encryption for both the link and the data being transmitted. All browsers have the capability to interact with secured web servers using the SSL protocol. However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection. SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.
Secure Sockets Layer (III) When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an “SSL Handshake”. Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa. Because encrypting and decrypting with private and public key takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.
Secure Sockets Layer (IV) 1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself. 2. Server sends a copy of its SSL Certificate, including the server’s public key. 3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key. 4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
Authentication evolution Over the years
Basic Authentication In the beginning, the web was all about open access. But as time went on, the Web became about "e-commerce," and e-commerce required security. SSL matured to ensure that sensitive traffic was encrypted all the way from the client to the server and back, and various schemes emerged to allow user authentication. The oldest format for web authentication is HTTP Basic Authentication. This is what you get when you visit a web site and a little browser window pops up requesting a username and password.
Basic Authentication (2) From a web design perspective, HTTP Basic Authentication has a big disadvantage in that it's implemented entirely by the browser, and can't be customized for each site. As the quality of graphic design improved on the web, designers soon realized that they didn’t want a generic little grey box on the screen, but a carefully-designed login page. The combination of HTTP Basic and HTML just didn't allow this. :-(
Form Based Authentication The next evolution step, caused by the desire to have beautiful login web pages was the introduction of what is called Form Based Authentication. This is what the vast majority of secure web sites use today. As a user, you visit a web page that prompts you for a username and password. If authentication is successful, then under the covers you are granted a unique cookie, which your web browser sends with each subsequent request. As a user you never see this -- it just looks like you logged in and now the site works. Both Basic and form-based authentication rely on SSL to create an encrypted tunnel between the client and server.
Form Based Authentication (II) Fortunately, SSL protects against this very well. However, developers sometimes neglect to use it, users neglect to ask for it and sometimes the traffic travels over unencrypted links behind the firewall of a large network.
Failed Attempts The web community attempted to counter this using HTTP Digest authentication. It encrypts the password using a one-way hash so it's impossible to reverse-engineer even if SSL is not used -- but it still must be implemented by the browser and can't be designed in to a nice UI. It never became popular enough. For a higher level of security, SSL has long supported two-way authentication. This requires that individual end users, request digital certificates for each site they plan to visit and install those signatures on their browsers. The overhead of issuing PKI credentials to end users was enormous and this never became popular enough either.
What is OAuth 2.0 Authorization framework Next evolution of the OAuth protocol Enables apps to obtain limited access to user accounts in other services Delegates authentication to the service that hosts the user account Authorizes third-party apps to access the user account Focuses on client developer simplicity Provides different approaches and guidelines to use while connecting from
OAuth2 Introduction
Roles Resource Owner User who authorizes an application to access their account Client Application that wants to access the user's account. To access it, it must be authorized by the user. The authorization must be validated by the API. Resource Server Hosts the protected user accounts.
Roles (II)
Registering your App Before using OAuth with your application, you must register your application with the service. Done through a registration form in the Developer or API service Site One must provide: Application Name Application Website Redirect URI or Callback URL After our App is registered, the service will give us Client Credentials
Client Id, Client Secret and Redirect URI Client Id Publicly exposed string that is used by the service API to identify the application. Used to build authorization URLs that are presented to users. Client Secret Used to authenticate the identity of the application to the service API. Must be kept private between the application and the API. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used. Redirect URI The service will only redirect users to a registered URI, which helps prevent some attacks. Any HTTP redirect URIs must be protected with TLS security So the service will only redirect to URIs beginning with "https" This prevents tokens from being intercepted during the authorization process.
Abstract Protocol Flow 1. The application requests authorization to access service resources from the user 2. If the user authorized the request, the application receives an authorization grant 3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant 4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete. 5. The application requests the resource from the resource server (API) and presents the access token for authentication 6. If the access token is valid, the resource server (API) serves the resource to the application
Abstract Protocol - Obtain authorization To request an access token, the client obtains authorization from the resource owner. The authorization is expressed in the form of an authorization grant. The client uses an authorization grant to request the access token. As we will see in the next slide, there are 4 possible authorization grant types.
OAuth2 Grant Types
Authorization Code Used with server-side Applications Implicit Used with Mobile Apps or Web Applications Resource Owner Password Credentials Used with trusted Applications, such as those owned by the service itself Grant Types and their usage
Authorization code grant Used to obtain both access tokens and refresh tokens. Optimized for confidential clients. It’s the most commonly used because it is optimized for server-side apps Server-side, the source code is not publicly exposed (notice the difference with client apps) And so the Client Secret confidentiality can be maintained
Authorization code grant (2) Generic Steps
Authorization code grant (3) Specific Steps
Authorization code grant (4) 1 & 2 - User Authorization Request & User Authorizes Application From the Application Front End to the Auth Server 1. The user clicks the link or presses a button in the web browser. 2. Client constructs the request URI to send to the Auth Server, Server API Uses the following parameters: client_id: the application's client ID redirect_uri: where the service redirects the user-agent after an authorization code is granted response_type: “code” specifies that your application is requesting an authorization code grant scope: specifies the level of access that the application is requesting, for example: read, write, and so on. 3. They are redirected to a special page in the Auth Server, to authenticate them
Authorization code grant (5) 1 & 2 - User Authorization Request & User Authorizes Application Example URI: https://accounts.google.com/o/oauth2/auth?client_id=1046506418225- dgpu1935ji53o196us39t959oknt7s2h.apps.googleusercontent.com&redirect_uri=http://localhost:9000/&response_typ e=code&scope=read 4. Then they must first log in to the service, to authenticate their identity. 5. If they accept, they are prompted by the Auth Server to authorize or deny our Application access request to their accounts
Authorization code grant (6) 3 - Authorization Response (Code Grant) From the Auth Server to the Application Backend Server ● If the user clicked the Authorize Application in the previous step ... ● The Auth Server redirects the user-agent to the application redirect URI ○ This URL was set, when we registered our App, it is called the callback URL ○ The Auth Server also issues an authorization code and delivers it to the client app. ● This HTTP response uses the following parameters ○ code: MUST expire shortly after it is issued to mitigate the risk of leaks ○ state: (Optional) required if the "state" parameter was present in the client auth request ● Example URI: http://localhost:9000/callback?code=SplxlOBeZQQYbYS6WxSbIA
Authorization code grant (7) 4 - Access Token Request From the Application Backend Server, to the Auth Server ● A secure component, such as the Application Server Backend, requests an Access Token to the Auth Server. ○ It sends the authorization code, along with other app credentials against the auth server: ■ Client Id ■ Client Secret ○ Optionally, depending on the OAuth server, we may also receive a Refresh Token.
Authorization code grant (8) 4 (II) - Access Token Request ● This HTTP POST request uses the following parameters: ○ grant_type: Value MUST be set to "authorization_code". ○ code: The authorization code received from the authorization server. ○ client_id: the application's client ID. ○ client_secret: the application's client secret. ○ redirect_uri: where the service redirects the user-agent after an authorization code is granted. Example URI: https://accounts.google.com/o/oauth2/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&cli ent_id=1046506418225-
Authorization code grant (9) 5 - Access Token Grant (Response) From the the Auth Server to the Application Backend Server ● If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token. ● The optional refresh token can be used, to refresh the access token, without having to repeat the whole process to receive a new one. Example of a successful response: { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
Implicit grant Used for mobile apps and web applications, where the client secret confidentiality is not guaranteed. Similar to an authorization code grant, except the access token is returned to the client application already after the user has finished the authorization. The access token is returned when the browser is redirected to the redirect URI. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other apps residing on the same device.
Implicit grant (2) The access token is accessible in the user agent, or native application, which is why this is not secure. This because the access token is not stored securely on a web server. The access token is short lived, because if it is intercepted, the hacker can only use it for a short time. That’s why the protocol itself does not support the issuance of refresh tokens. The client application can only send its Client ID to the authorization server. If the client were to send its Client Secret too, the client secret would have to be stored in the user agent or native application too. That would make it vulnerable to hacking.
Implicit grant (3) Generic Steps ● The user is asked to authorize the application, then the authorization server passes the access token back to the user-agent, which passes it to the application.
Implicit grant (4) Specific Steps
Implicit grant (5) 1 & 2 - User Authorization Request & User Authorizes Application From the Application Front End to the Auth Server 1. The user clicks the link or presses a button in the web browser. 2. Client constructs the request URI to send to the Auth Server, Server API (Just like in the authorization code grant, except it is now requesting a token instead of a code.) Uses the following parameters client_id: the application's client ID. redirect_uri: where the service redirects the user-agent after an access token is granted. response_type: “token” specifies that your application is requesting an access token. scope: specifies the level of access that the application is requesting, for example: read, write, and so on.
Implicit grant (6) 1 & 2 - User Authorization Request & User Authorizes Application From the User Agent (Web Browser) to the Auth Server 3. They are redirected to a special page in the Auth Server, to authenticate them 4. They must first log in to the service, to authenticate their identity. 5. If they accept, they are prompted by the Auth Server to authorize or deny our Application access request to their accounts
Implicit grant (7) 3 - Redirect URI with Access Token From the Auth Server to the User Agent (Web Browser) ● If the user clicked the Authorize Application in the previous step ... ● The Auth Server redirects the user-agent to the application redirect URI ○ This URL was set, when we registered our App, it is called the callback URL ○ The Auth Server also issues an access token and delivers it to the user agent, as a parameter in the callback URI. Example callback URI: http://localhost:9000/callback#token=2YotnFZFEjr1zCsicMWpAA
Implicit grant (8) 3 - Redirect URI with Access Token (II) ● This HTTP response uses the following parameters ○ access_token: The access token issued by the authorization server. ○ token_type: The type of the token issued. Value is case insensitive. ○ expires_in: The lifetime in seconds of the access token. ○ scope: Optional if identical to the scope requested by the client ○ state (Optional): It is required if the "state" parameter was present in the client authorization request.
Implicit grant (9) 4 - Follow Redirect URI (Retain Token) From the User Agent (Web Browser) to the Application Front End ● The user-agent follows the redirect URI but retains the access token.
Implicit grant (10) 5 - Send Token Extract Script From the Application Front End to the User Agent (Web Browser). ● The application returns a webpage that contains a script that can extract the access token from the full redirect URI that the user-agent has retained. ● In AngularJS we can do this in the config function of a module, by adding javascript code in the $routeProvider behavior, when a route of the form of /callback is detected, as we will see afterwards.
Implicit grant (11) 6 - Access Token Passed to Application From the User Agent (Web Browser) to the Application Front End. ● The user-agent executes the provided script and passes the extracted access token to the application. ● Now the application is authorized! It may use the token to access the user's account via the service API.
Using Implicit Grant with AngularJs ● In order to be able to log in to a third party server such as Google or Facebook, we have to first register our App in the Google or Facebook Developer Site and then program two things in different parts of the AngularJs Application: 1. Register the Application name, callback URI and receive a Client Id, that identify our app. 2. In the AngularJs app, we have to implement the user redirection to the OAuth 2 Authentication Server (Facebook, Google) and then retrieve the access token and store it somewhere. 3. Also, in the AngularJs app, we have to implement the way we use the access token, in order to authenticate the logged in user via OAuth2, against a REST Web Api, for example. ● We can find a sample project of how to do this here: https://github.com/bixlabs/oauth-angular-client
Using Implicit Grant with AngularJs (2) Step 1, as discussed previously in the “Registering your App” slide. Done through a registration form in the Developer or API service Site One must provide: Application Name Application Website Redirect URI or Callback URL After our App is registered, the service will give us Client Credentials Client Identifier (Client ID)
Using Implicit Grant with AngularJs (3) ● Step 2: Implement the user redirection to the OAuth 2 Authentication Server (Facebook, Google) and then retrieve the access token and store it somewhere. First, we have to add authentication redirection to the resource owner, in a login function, called from a link or button: angular.module('app') .controller('MainCtrl', function ($scope) { $scope.login=function() { var client_id="your client id"; var scope="email"; var redirect_uri="http://localhost:9000"; var response_type="token"; var url="https://accounts.google.com/o/oauth2/auth?scope="+scope+"&client_id="+client_id+"&redirect_uri="+redirect_uri+"&respons e_type="+response_type window.location.replace(url); };
Using Implicit Grant with AngularJs (4) ● Step 2 (continuation): Then, should the authentication be successful, we have to add route configuration in order to obtain and parse the authentication token: angular.module('app', []) .config(function ($routeProvider) { $routeProvider .when('/access_token=:accessToken', { template: '', controller: function ($location, $rootScope) { /* Obtain, parse and split the Query String */ var hash = $location.path().substr(1); var splitted = hash.split('&'); var params = {}; …. …. /* Get the access token parameter and save it somewhere, like rootscope */ for (var i = 0; i < splitted.length; i++) { var param = splitted[i].split('='); var key = param[0]; var value = param[1]; params[key] = value; $rootScope.accesstoken = params; } // Finally redirect the user to the main view $location.path("/main"); }})});
Using Implicit Grant with AngularJs (5) ● Step 3: We can use the transformRequest property of $http to modify every subsequent request made and append your token automatically. angular.module('myApp',myDependanciesArray) .config(['$routeProvider', function($routeProvider) { $routeProvider.when('/entity/:id', {templateUrl: 'partials/template.html', controller: 'EntityCtrl'}); }) .run(['$rootScope', '$injector', function($rootScope, $injector) { $injector.get("$http").defaults.transformRequest = function(data, headersGetter) { /* Inject Authorization header including access token for each http response */ if ($rootScope.oauth) headersGetter()['Authorization'] = 'Bearer ' +$rootScope.oauth.access_token; if (data) { return angular.toJson(data); } }; } });
Using Implicit Grant with AngularJs (6) ● Step 3 (continuation): In order to deal with Token Expiracy or revokation, we’ll have to intercept those HTTP responses from the Web API that include a 401 Unauthorized - error status, and then do one of both things: 1) Resolution without taking into account that many requests may have failed a) Ask for an access token to the Authorization Server API again b) Re-send the http request that failed with the 401 Error Status again, with the newly acquired access token. 2) Resolution, taking into account that many requests have failed and we want to resend them in order a) Send all the failing http request with 401 error to a queue b) Ask for an access token to the Authorization Server API
References ● https://developers.google.com/identity/protocols/OAuth2 ● https://github.com/bixlabs/oauth-angular-client ● http://tools.ietf.org/html/rfc6749 ● http://apigee.com/about/blog/technology/short-history-api-authentication-and-where-its-going-http-basic-oauth-20 ● https://www.digicert.com/ssl.htm ● http://www.cyberciti.biz/faq/authentication-vs-authorization/ ● https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 ● http://engineering.talis.com/articles/elegant-api-auth-angular-js/

More Related Content

PPTX
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
PDF
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
Deciphering 'Claims-based Identity'
byOliver Pfaff
 
KEY
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
PDF
RESTful Day 5
byAkhil Mittal
 
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
Deciphering 'Claims-based Identity'
byOliver Pfaff
 
LinkedIn OAuth: Zero To Hero
byTaylor Singletary
 
RESTful Day 5
byAkhil Mittal
 

What's hot

PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PPT
Linkedin & OAuth
byUmang Goyal
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
Creating a Sign On with Open id connect
byDerek Binkley
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
PDF
Spring security oauth2
byaxykim00
 
PDF
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
PPTX
How to deploy SharePoint 2010 to external users?
byrlsoft
 
PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PPTX
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
byAaron Parecki
 
PDF
OAuth2 and LinkedIn
byKamyar Mohager
 
PDF
OAuth2 and Spring Security
byOrest Ivasiv
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
byBrian Culver
 
PPTX
Oauth 2.0
byManish Kumar Singh
 
PDF
Authentication through Claims-Based Authentication
byijtsrd
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
Linkedin & OAuth
byUmang Goyal
 
OAuth 2
byChrisWood262
 
Creating a Sign On with Open id connect
byDerek Binkley
 
OAuth 2.0
byUwe Friedrichsen
 
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
Spring security oauth2
byaxykim00
 
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
How to deploy SharePoint 2010 to external users?
byrlsoft
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
byAaron Parecki
 
OAuth2 and LinkedIn
byKamyar Mohager
 
OAuth2 and Spring Security
byOrest Ivasiv
 
Demystifying OAuth 2.0
byKarl McGuinness
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
byBrian Culver
 
Oauth 2.0
byManish Kumar Singh
 
Authentication through Claims-Based Authentication
byijtsrd
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 

Similar to O auth2 with angular js

PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PPTX
Api security
byteodorcotruta
 
PPTX
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PPTX
O auth
byAshok Kumar N
 
PPTX
OAuth
byTom Elrod
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PDF
Spring Security
byKnoldus Inc.
 
PDF
Oauth Behind The Scenes
byThang Tran Duc
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
O auth 2.0 authorization framework
byJohn Temoty Roca
 
KEY
OAuth 2.0
byAlex Bilbie
 
PDF
Securing APIs with OAuth 2.0
byKai Hofstetter
 
PPTX
(1) OAuth 2.0 Overview
byanikristo
 
PDF
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
Api security
byteodorcotruta
 
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
OAuth2
bySPARK MEDIA
 
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
OAuth2 + API Security
byAmila Paranawithana
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
O auth
byAshok Kumar N
 
OAuth
byTom Elrod
 
Single-Page-Application & REST security
byIgor Bossenko
 
Spring Security
byKnoldus Inc.
 
Oauth Behind The Scenes
byThang Tran Duc
 
Securing RESTful API
byMuhammad Zbeedat
 
O auth 2.0 authorization framework
byJohn Temoty Roca
 
OAuth 2.0
byAlex Bilbie
 
Securing APIs with OAuth 2.0
byKai Hofstetter
 
(1) OAuth 2.0 Overview
byanikristo
 
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 

Recently uploaded

DOCX
98.8 Best sites To Buy Twitter Accounts .docx
bymarketing
 
PDF
15 Best Conference Room Cameras of 2025: for Clearer Meetings and Seamless Co...
bySpaceMazing
 
DOCX
Best Websites for Purchasing Aged Buy Telegram accounts (1)..docx
byBEST IT SMM
 
PPTX
原版一样(Tokyo Tech毕业证书)日本东京工业大学毕业证复刻学位证成绩单学历认证
by学位证书昆特兰理工大学学历认证【Q微号:1954 292 140】KPU毕业证成绩单
 
PPTX
一比一原版(SUNY Poly毕业证)美国纽约州立大学理工学院毕业证如何办理学历认证
by办密封成绩单申请学校俄勒冈州立大学学历认证【Q微号:1954 292 140】OSU毕业证成绩单
 
PPTX
在线订购布莱德福德大学毕业证,buy UoB diploma成绩单怎么购买在读证明学历认证
by西澳大利亚大学学历认证【Q微号:1954 292 140】办理学位证(UWA毕业证成绩单)
 
PPTX
加拿大北阿尔伯塔理工学院毕业证书文凭定制NAIT成绩单硕士学位证在读证明学历认证
by南洋理工大学学历认证【Q微号:1954 292 140】英文版NTU毕业证成绩单
 
PPTX
法国塞吉巴黎大学理工学院毕业证成绩单范本{CY Tech offer CY Tech文凭}学历认证
by加拿大卡莫森学院学历认证办理【Q微号:1954 292 140】CC毕业证成绩单
 
PPTX
Inroduction_to_microprocessors_main.pptx
byf3500596
 
PDF
lec 2 Types of the Microscop.pdf Microscopy The science of investigating smal...
byalaaaldoori
 
PDF
REVIEW OF NANO TECHNOLOGY DEVELOPMENT IN TEXTILE INDUSTRY AND THE ROLE OF R &...
byANTJJOURNAL2
 
PDF
LR750 Elevator Battery Backup and Rescue Power Unit by Dynavect LLC
byh79133000
 
PPTX
Arduino_presentation_ For_Beginners.pptx
bymithunloor
 
PPTX
Uusuusysshdgdgdyydgdgdtetetwwiqiqygstssg
byMohamedOsmanMohamud1
 
PPTX
最新版西班牙加泰罗尼亚理工大学毕业证(UPC毕业证书)原版定制文凭学历认证
by皇家山大学学历认证【Q微号:1954 292 140】MRU毕业证成绩单
 
PPTX
Arduino_presentation_Basics_For_Beginners.pptx
bymithunloor
 
PPTX
630896946-Basic-Electronics-PPT-Escorel-v2-pptx.pptx
bysurajmore2368
 
98.8 Best sites To Buy Twitter Accounts .docx
bymarketing
 
15 Best Conference Room Cameras of 2025: for Clearer Meetings and Seamless Co...
bySpaceMazing
 
Best Websites for Purchasing Aged Buy Telegram accounts (1)..docx
byBEST IT SMM
 
原版一样(Tokyo Tech毕业证书)日本东京工业大学毕业证复刻学位证成绩单学历认证
by学位证书昆特兰理工大学学历认证【Q微号:1954 292 140】KPU毕业证成绩单
 
一比一原版(SUNY Poly毕业证)美国纽约州立大学理工学院毕业证如何办理学历认证
by办密封成绩单申请学校俄勒冈州立大学学历认证【Q微号:1954 292 140】OSU毕业证成绩单
 
在线订购布莱德福德大学毕业证,buy UoB diploma成绩单怎么购买在读证明学历认证
by西澳大利亚大学学历认证【Q微号:1954 292 140】办理学位证(UWA毕业证成绩单)
 
加拿大北阿尔伯塔理工学院毕业证书文凭定制NAIT成绩单硕士学位证在读证明学历认证
by南洋理工大学学历认证【Q微号:1954 292 140】英文版NTU毕业证成绩单
 
法国塞吉巴黎大学理工学院毕业证成绩单范本{CY Tech offer CY Tech文凭}学历认证
by加拿大卡莫森学院学历认证办理【Q微号:1954 292 140】CC毕业证成绩单
 
Inroduction_to_microprocessors_main.pptx
byf3500596
 
lec 2 Types of the Microscop.pdf Microscopy The science of investigating smal...
byalaaaldoori
 
REVIEW OF NANO TECHNOLOGY DEVELOPMENT IN TEXTILE INDUSTRY AND THE ROLE OF R &...
byANTJJOURNAL2
 
LR750 Elevator Battery Backup and Rescue Power Unit by Dynavect LLC
byh79133000
 
Arduino_presentation_ For_Beginners.pptx
bymithunloor
 
Uusuusysshdgdgdyydgdgdtetetwwiqiqygstssg
byMohamedOsmanMohamud1
 
最新版西班牙加泰罗尼亚理工大学毕业证(UPC毕业证书)原版定制文凭学历认证
by皇家山大学学历认证【Q微号:1954 292 140】MRU毕业证成绩单
 
Arduino_presentation_Basics_For_Beginners.pptx
bymithunloor
 
630896946-Basic-Electronics-PPT-Escorel-v2-pptx.pptx
bysurajmore2368
 

O auth2 with angular js

  • 1.
  • 2.
    Topics Introduction Authorization vs Authentication SSL(Secure Sockets Layer) Authentication Evolution Basic Authentication Form Based Authentication Failed Attempts OAuth2 Introduction What is OAuth 2.0
  • 3.
  • 4.
    Authorization vs Authentication Authenticationverifies who you are In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, or decide to let it log in or not. Authorization verifies what you are authorized to do. In terms of web apps, is when you look up in your access control whether you allow the user to edit, delete or create content or execute specific actions or navigate to specific pages, depending on their current user or role permissions.
  • 5.
    Secure Sockets Layer SSL(Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook). SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.
  • 6.
    Secure Sockets Layer(II) Technically, SSL is a security protocol, it determines variables of the encryption for both the link and the data being transmitted. All browsers have the capability to interact with secured web servers using the SSL protocol. However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection. SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.
  • 7.
    Secure Sockets Layer(III) When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an “SSL Handshake”. Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa. Because encrypting and decrypting with private and public key takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.
  • 8.
    Secure Sockets Layer(IV) 1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself. 2. Server sends a copy of its SSL Certificate, including the server’s public key. 3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key. 4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
  • 9.
  • 10.
    Basic Authentication In thebeginning, the web was all about open access. But as time went on, the Web became about "e-commerce," and e-commerce required security. SSL matured to ensure that sensitive traffic was encrypted all the way from the client to the server and back, and various schemes emerged to allow user authentication. The oldest format for web authentication is HTTP Basic Authentication. This is what you get when you visit a web site and a little browser window pops up requesting a username and password.
  • 11.
    Basic Authentication (2) Froma web design perspective, HTTP Basic Authentication has a big disadvantage in that it's implemented entirely by the browser, and can't be customized for each site. As the quality of graphic design improved on the web, designers soon realized that they didn’t want a generic little grey box on the screen, but a carefully-designed login page. The combination of HTTP Basic and HTML just didn't allow this. :-(
  • 12.
    Form Based Authentication Thenext evolution step, caused by the desire to have beautiful login web pages was the introduction of what is called Form Based Authentication. This is what the vast majority of secure web sites use today. As a user, you visit a web page that prompts you for a username and password. If authentication is successful, then under the covers you are granted a unique cookie, which your web browser sends with each subsequent request. As a user you never see this -- it just looks like you logged in and now the site works. Both Basic and form-based authentication rely on SSL to create an encrypted tunnel between the client and server.
  • 13.
    Form Based Authentication(II) Fortunately, SSL protects against this very well. However, developers sometimes neglect to use it, users neglect to ask for it and sometimes the traffic travels over unencrypted links behind the firewall of a large network.
  • 14.
    Failed Attempts The webcommunity attempted to counter this using HTTP Digest authentication. It encrypts the password using a one-way hash so it's impossible to reverse-engineer even if SSL is not used -- but it still must be implemented by the browser and can't be designed in to a nice UI. It never became popular enough. For a higher level of security, SSL has long supported two-way authentication. This requires that individual end users, request digital certificates for each site they plan to visit and install those signatures on their browsers. The overhead of issuing PKI credentials to end users was enormous and this never became popular enough either.
  • 15.
    What is OAuth2.0 Authorization framework Next evolution of the OAuth protocol Enables apps to obtain limited access to user accounts in other services Delegates authentication to the service that hosts the user account Authorizes third-party apps to access the user account Focuses on client developer simplicity Provides different approaches and guidelines to use while connecting from
  • 16.
  • 17.
    Roles Resource Owner User whoauthorizes an application to access their account Client Application that wants to access the user's account. To access it, it must be authorized by the user. The authorization must be validated by the API. Resource Server Hosts the protected user accounts.
  • 18.
  • 19.
    Registering your App Beforeusing OAuth with your application, you must register your application with the service. Done through a registration form in the Developer or API service Site One must provide: Application Name Application Website Redirect URI or Callback URL After our App is registered, the service will give us Client Credentials
  • 20.
    Client Id, ClientSecret and Redirect URI Client Id Publicly exposed string that is used by the service API to identify the application. Used to build authorization URLs that are presented to users. Client Secret Used to authenticate the identity of the application to the service API. Must be kept private between the application and the API. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used. Redirect URI The service will only redirect users to a registered URI, which helps prevent some attacks. Any HTTP redirect URIs must be protected with TLS security So the service will only redirect to URIs beginning with "https" This prevents tokens from being intercepted during the authorization process.
  • 21.
    Abstract Protocol Flow1. The application requests authorization to access service resources from the user 2. If the user authorized the request, the application receives an authorization grant 3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant 4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete. 5. The application requests the resource from the resource server (API) and presents the access token for authentication 6. If the access token is valid, the resource server (API) serves the resource to the application
  • 22.
    Abstract Protocol -Obtain authorization To request an access token, the client obtains authorization from the resource owner. The authorization is expressed in the form of an authorization grant. The client uses an authorization grant to request the access token. As we will see in the next slide, there are 4 possible authorization grant types.
  • 23.
  • 24.
    Authorization Code Used withserver-side Applications Implicit Used with Mobile Apps or Web Applications Resource Owner Password Credentials Used with trusted Applications, such as those owned by the service itself Grant Types and their usage
  • 25.
    Authorization code grant Usedto obtain both access tokens and refresh tokens. Optimized for confidential clients. It’s the most commonly used because it is optimized for server-side apps Server-side, the source code is not publicly exposed (notice the difference with client apps) And so the Client Secret confidentiality can be maintained
  • 26.
    Authorization code grant(2) Generic Steps
  • 27.
    Authorization code grant(3) Specific Steps
  • 28.
    Authorization code grant(4) 1 & 2 - User Authorization Request & User Authorizes Application From the Application Front End to the Auth Server 1. The user clicks the link or presses a button in the web browser. 2. Client constructs the request URI to send to the Auth Server, Server API Uses the following parameters: client_id: the application's client ID redirect_uri: where the service redirects the user-agent after an authorization code is granted response_type: “code” specifies that your application is requesting an authorization code grant scope: specifies the level of access that the application is requesting, for example: read, write, and so on. 3. They are redirected to a special page in the Auth Server, to authenticate them
  • 29.
    Authorization code grant(5) 1 & 2 - User Authorization Request & User Authorizes Application Example URI: https://accounts.google.com/o/oauth2/auth?client_id=1046506418225- dgpu1935ji53o196us39t959oknt7s2h.apps.googleusercontent.com&redirect_uri=http://localhost:9000/&response_typ e=code&scope=read 4. Then they must first log in to the service, to authenticate their identity. 5. If they accept, they are prompted by the Auth Server to authorize or deny our Application access request to their accounts
  • 30.
    Authorization code grant(6) 3 - Authorization Response (Code Grant) From the Auth Server to the Application Backend Server ● If the user clicked the Authorize Application in the previous step ... ● The Auth Server redirects the user-agent to the application redirect URI ○ This URL was set, when we registered our App, it is called the callback URL ○ The Auth Server also issues an authorization code and delivers it to the client app. ● This HTTP response uses the following parameters ○ code: MUST expire shortly after it is issued to mitigate the risk of leaks ○ state: (Optional) required if the "state" parameter was present in the client auth request ● Example URI: http://localhost:9000/callback?code=SplxlOBeZQQYbYS6WxSbIA
  • 31.
    Authorization code grant(7) 4 - Access Token Request From the Application Backend Server, to the Auth Server ● A secure component, such as the Application Server Backend, requests an Access Token to the Auth Server. ○ It sends the authorization code, along with other app credentials against the auth server: ■ Client Id ■ Client Secret ○ Optionally, depending on the OAuth server, we may also receive a Refresh Token.
  • 32.
    Authorization code grant(8) 4 (II) - Access Token Request ● This HTTP POST request uses the following parameters: ○ grant_type: Value MUST be set to "authorization_code". ○ code: The authorization code received from the authorization server. ○ client_id: the application's client ID. ○ client_secret: the application's client secret. ○ redirect_uri: where the service redirects the user-agent after an authorization code is granted. Example URI: https://accounts.google.com/o/oauth2/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&cli ent_id=1046506418225-
  • 33.
    Authorization code grant(9) 5 - Access Token Grant (Response) From the the Auth Server to the Application Backend Server ● If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token. ● The optional refresh token can be used, to refresh the access token, without having to repeat the whole process to receive a new one. Example of a successful response: { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
  • 34.
    Implicit grant Used formobile apps and web applications, where the client secret confidentiality is not guaranteed. Similar to an authorization code grant, except the access token is returned to the client application already after the user has finished the authorization. The access token is returned when the browser is redirected to the redirect URI. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other apps residing on the same device.
  • 35.
    Implicit grant (2) Theaccess token is accessible in the user agent, or native application, which is why this is not secure. This because the access token is not stored securely on a web server. The access token is short lived, because if it is intercepted, the hacker can only use it for a short time. That’s why the protocol itself does not support the issuance of refresh tokens. The client application can only send its Client ID to the authorization server. If the client were to send its Client Secret too, the client secret would have to be stored in the user agent or native application too. That would make it vulnerable to hacking.
  • 36.
    Implicit grant (3) GenericSteps ● The user is asked to authorize the application, then the authorization server passes the access token back to the user-agent, which passes it to the application.
  • 37.
  • 38.
    Implicit grant (5) 1& 2 - User Authorization Request & User Authorizes Application From the Application Front End to the Auth Server 1. The user clicks the link or presses a button in the web browser. 2. Client constructs the request URI to send to the Auth Server, Server API (Just like in the authorization code grant, except it is now requesting a token instead of a code.) Uses the following parameters client_id: the application's client ID. redirect_uri: where the service redirects the user-agent after an access token is granted. response_type: “token” specifies that your application is requesting an access token. scope: specifies the level of access that the application is requesting, for example: read, write, and so on.
  • 39.
    Implicit grant (6) 1& 2 - User Authorization Request & User Authorizes Application From the User Agent (Web Browser) to the Auth Server 3. They are redirected to a special page in the Auth Server, to authenticate them 4. They must first log in to the service, to authenticate their identity. 5. If they accept, they are prompted by the Auth Server to authorize or deny our Application access request to their accounts
  • 40.
    Implicit grant (7) 3- Redirect URI with Access Token From the Auth Server to the User Agent (Web Browser) ● If the user clicked the Authorize Application in the previous step ... ● The Auth Server redirects the user-agent to the application redirect URI ○ This URL was set, when we registered our App, it is called the callback URL ○ The Auth Server also issues an access token and delivers it to the user agent, as a parameter in the callback URI. Example callback URI: http://localhost:9000/callback#token=2YotnFZFEjr1zCsicMWpAA
  • 41.
    Implicit grant (8) 3- Redirect URI with Access Token (II) ● This HTTP response uses the following parameters ○ access_token: The access token issued by the authorization server. ○ token_type: The type of the token issued. Value is case insensitive. ○ expires_in: The lifetime in seconds of the access token. ○ scope: Optional if identical to the scope requested by the client ○ state (Optional): It is required if the "state" parameter was present in the client authorization request.
  • 42.
    Implicit grant (9) 4- Follow Redirect URI (Retain Token) From the User Agent (Web Browser) to the Application Front End ● The user-agent follows the redirect URI but retains the access token.
  • 43.
    Implicit grant (10) 5- Send Token Extract Script From the Application Front End to the User Agent (Web Browser). ● The application returns a webpage that contains a script that can extract the access token from the full redirect URI that the user-agent has retained. ● In AngularJS we can do this in the config function of a module, by adding javascript code in the $routeProvider behavior, when a route of the form of /callback is detected, as we will see afterwards.
  • 44.
    Implicit grant (11) 6- Access Token Passed to Application From the User Agent (Web Browser) to the Application Front End. ● The user-agent executes the provided script and passes the extracted access token to the application. ● Now the application is authorized! It may use the token to access the user's account via the service API.
  • 45.
    Using Implicit Grantwith AngularJs ● In order to be able to log in to a third party server such as Google or Facebook, we have to first register our App in the Google or Facebook Developer Site and then program two things in different parts of the AngularJs Application: 1. Register the Application name, callback URI and receive a Client Id, that identify our app. 2. In the AngularJs app, we have to implement the user redirection to the OAuth 2 Authentication Server (Facebook, Google) and then retrieve the access token and store it somewhere. 3. Also, in the AngularJs app, we have to implement the way we use the access token, in order to authenticate the logged in user via OAuth2, against a REST Web Api, for example. ● We can find a sample project of how to do this here: https://github.com/bixlabs/oauth-angular-client
  • 46.
    Using Implicit Grantwith AngularJs (2) Step 1, as discussed previously in the “Registering your App” slide. Done through a registration form in the Developer or API service Site One must provide: Application Name Application Website Redirect URI or Callback URL After our App is registered, the service will give us Client Credentials Client Identifier (Client ID)
  • 47.
    Using Implicit Grantwith AngularJs (3) ● Step 2: Implement the user redirection to the OAuth 2 Authentication Server (Facebook, Google) and then retrieve the access token and store it somewhere. First, we have to add authentication redirection to the resource owner, in a login function, called from a link or button: angular.module('app') .controller('MainCtrl', function ($scope) { $scope.login=function() { var client_id="your client id"; var scope="email"; var redirect_uri="http://localhost:9000"; var response_type="token"; var url="https://accounts.google.com/o/oauth2/auth?scope="+scope+"&client_id="+client_id+"&redirect_uri="+redirect_uri+"&respons e_type="+response_type window.location.replace(url); };
  • 48.
    Using Implicit Grantwith AngularJs (4) ● Step 2 (continuation): Then, should the authentication be successful, we have to add route configuration in order to obtain and parse the authentication token: angular.module('app', []) .config(function ($routeProvider) { $routeProvider .when('/access_token=:accessToken', { template: '', controller: function ($location, $rootScope) { /* Obtain, parse and split the Query String */ var hash = $location.path().substr(1); var splitted = hash.split('&'); var params = {}; …. …. /* Get the access token parameter and save it somewhere, like rootscope */ for (var i = 0; i < splitted.length; i++) { var param = splitted[i].split('='); var key = param[0]; var value = param[1]; params[key] = value; $rootScope.accesstoken = params; } // Finally redirect the user to the main view $location.path("/main"); }})});
  • 49.
    Using Implicit Grantwith AngularJs (5) ● Step 3: We can use the transformRequest property of $http to modify every subsequent request made and append your token automatically. angular.module('myApp',myDependanciesArray) .config(['$routeProvider', function($routeProvider) { $routeProvider.when('/entity/:id', {templateUrl: 'partials/template.html', controller: 'EntityCtrl'}); }) .run(['$rootScope', '$injector', function($rootScope, $injector) { $injector.get("$http").defaults.transformRequest = function(data, headersGetter) { /* Inject Authorization header including access token for each http response */ if ($rootScope.oauth) headersGetter()['Authorization'] = 'Bearer ' +$rootScope.oauth.access_token; if (data) { return angular.toJson(data); } }; } });
  • 50.
    Using Implicit Grantwith AngularJs (6) ● Step 3 (continuation): In order to deal with Token Expiracy or revokation, we’ll have to intercept those HTTP responses from the Web API that include a 401 Unauthorized - error status, and then do one of both things: 1) Resolution without taking into account that many requests may have failed a) Ask for an access token to the Authorization Server API again b) Re-send the http request that failed with the 401 Error Status again, with the newly acquired access token. 2) Resolution, taking into account that many requests have failed and we want to resend them in order a) Send all the failing http request with 401 error to a queue b) Ask for an access token to the Authorization Server API
  • 51.
    References ● https://developers.google.com/identity/protocols/OAuth2 ● https://github.com/bixlabs/oauth-angular-client ●http://tools.ietf.org/html/rfc6749 ● http://apigee.com/about/blog/technology/short-history-api-authentication-and-where-its-going-http-basic-oauth-20 ● https://www.digicert.com/ssl.htm ● http://www.cyberciti.biz/faq/authentication-vs-authorization/ ● https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 ● http://engineering.talis.com/articles/elegant-api-auth-angular-js/

Editor's Notes

  • #11 SSL explicar.
  • #12 Esto se traduce en un header en los http responses.del servidor al browser.
  • #19 Verlo en un diagrama ( digital ocean? )
  • #20 poner screenshot regitro de app en google, porque se hace esto?
  • #27 Mergear pasos 1 y 2.
  • #28 Mergear pasos 1 y 2.
  • #30 Anadir snapshot de login a google o facebook para el paso 3
  • #47 poner screenshot regitro de app en google, porque se hace esto?