OAuth 2.0 Identity and Access Management Patterns A practical hands-on guide to implementing secure API authorization flow scenarios with OAuth 2.0 Martin Spasovski BIRMINGHAM - MUMBAI OAuth 2.0 Identity and Access Management Patterns Copyright © 2013 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: November 2013 Production Reference: 1181113 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.. ISBN 978-1-78328-559-4 www.packtpub.com Cover Image by Abhishek Pandey ([email protected]) Credits Author Project Coordinator Martin Spasovski Amigya Khurana Akash Poojary Reviewers Charles Bihis Proofreader Max Countryman Lawrence A. Herman Acquisition Editor Indexer Vinay Argekar Mehreen Deshmukh Commissioning Editor Graphics Mohammed Fahad Yuvraj Mannari Abhinash Sahu Technical Editors Rosmy George Production Coordinator Arwa Manasawala Melwyn D'sa Cover Work Melwyn D'sa About the Author Martin Spasovski is a software development professional involved in developing JVM-based enterprise solutions. He has been working with various back-end technologies and architectures, and with various front-end technologies (from RCP to modern JavaScript web applications), and knows how to integrate both sides well. He mostly likes to work in the domain of data processing, software optimization, and providing custom solutions. He is a vocal open source and open standards supporter, and a member of the local Java User Group named JUGMK, and likes to research on emerging technologies and give internal presentations at Seavus, the company that he works for. He can be found at http://thisismartin.com, where his blog, contact info, and links to public project repositories can be found. I'd like to thank the team at Packt Publishing for giving me the opportunity to write this book and for their guidance. I'd also like to thank my close ones (Biljana, Stefan, and my parents) for the support given and enthusiasm shared. About the Reviewers Charles Bihis is a technologist and entrepreneur. He earned his degree in computer science from The University of British Columbia, where he specialized in software engineering. He is known for his open source contributions as well as his work in the identity space. His areas of interest include algorithms and data structures, graph theory, and distributed systems. He is currently working as a Computer Scientist at Adobe Systems where he focuses on solving the latest problems in the identity and security space. You can reach him through his website at www.whoischarles.com. Max Countryman is a polyglot, full-stack programmer with extensive experience in building highly-available web server applications. He is an active member of the Python and Clojure communities and spends his free time working on open source projects. www.PacktPub.com Support files, eBooks, discount offers and more You might want to visit www.PacktPub.com for support files and downloads related to your book. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks. http://PacktLib.PacktPub.com Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books. Why Subscribe? • Fully searchable across every book published by Packt • Copy and paste, print and bookmark content • On demand and accessible via web browser Free Access for Packt account holders If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access. Table of Contents Preface 1 Chapter 1: Need for OAuth 2.0 7 Why OAuth 2.0? 8 Benefits of OAuth 2.0 9 API security 9 Internal enterprise applications 10 Service integration and authorization delegation 10 Federated identity 11 Easier service monitoring 11 Summary 11 Chapter 2: Terms You Need To Know 13 Roles 13 Resource owner 13 Authorization server 14 Resource server 14 Client 15 Authorization flow 15 Abstract example 15 OAuth 2.0 grant flows 16 Tokens 17 Access token 17 Refresh token 18 Clients and endpoints 19 Client types and profiles 19 Endpoints 20 Access scope 20 Summary 21 Table of Contents Chapter 3: First Step for Your Application 23 Client registration 23 Summary 28 Chapter 4: OAuth for Web Server Applications 29 Authorization code grant 29 Requesting the authorization code 31 Making the request 31 Successful authorization 33 Authorization error 33 Requesting the access token 34 Making the request 35 Successful response 35 Practical example 36 Summary 43 Chapter 5: OAuth for Client-side Applications 45 Implicit grant 45 Requesting authorization 47 Successful authorization 48 Authorization error 49 Practical example 50 Summary 54 Chapter 6: OAuth for Mobile Applications 55 Custom URL scheme 55 Android 56 iOS 57 Implicit grant example 57 Requesting authorization 58 Successful authorization 58 Authorization error 58 Summary 59 Chapter 7: OAuth for Trusted Applications 61 Resource owner password credentials grant 62 Requesting authorization 63 Successful authorization 64 Authorization error 65 Client credentials grant 66 Requesting authorization 67 Successful authorization 68 Authorization error 68 [ ii ] Table of Contents Practical example 68 Resource owner password credentials grant 72 Client credentials grant 74 Summary 76 Chapter 8: Security Considerations 77 What is there to be protected 77 OAuth 2.0 security features 78 Scope 78 Token lifetime 79 The refresh token 79 Authorization code 80 Redirect URI 80 State 81 Client identifier 82 Security considerations 82 Use TLS 82 Ensure web server application protection 84 Ensure mobile and desktop application protection 85 Utilize the state parameter 86 Use refresh tokens when available 86 Request the needed scope only 87 Summary 87 Chapter 9: Additional Security with SAML 89 SAML (2.0) 89 OAuth 2.0 assertions 90 Other assertion based specifications 91 OAuth 2.0 SAML bearer assertion grant flow 91 Preparing assertion 92 Requesting authorization 94 Successful authorization 94 Authorization error 95 OAuth 2.0 SAML assertions for client authentication 95 Requesting the access token 96 Authentication error 96 Summary 97 Chapter 10: Common Tools and Libraries 99 Tools 99 OAuth 2.0 Playground 99 RESTClient 100 Postman 100 [ iii ]