From 9d619641b3f07b4bd073209acb2650240a536c0b Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 4 Dec 2020 18:19:39 +0200 Subject: add: work talk on oauth2 --- 2020-12-07-oauth2.md | 213 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 2020-12-07-oauth2.md diff --git a/2020-12-07-oauth2.md b/2020-12-07-oauth2.md new file mode 100644 index 0000000..c684da1 --- /dev/null +++ b/2020-12-07-oauth2.md @@ -0,0 +1,213 @@ +# Introduction + +* OAuth 2.0: Something I implemented in a previous job. + +* A common, almost fundamental protocol on the web, especially + for APIs. + + - See: OKAPI + +* Solves a common problem: letting one site act on behalf of an end + user on another site. + +----------------------------------------------------------------------------- + +# Basic concepts + +* Identification "who are you?" + + - all the relevant things others need to know about you + - name, date of birth, contact info, DNS sample, ... + - often just "this user account on this service" + +* Authentication: "how do I know it's really you?" + + - something you know, something you have, something you are + - passwords + - hardware security tokens + - biometrics + - possibly several, depending + +* Authorization: "what should I allow you to do?" + + - who said you can? + +----------------------------------------------------------------------------- + +# What OAuth2 is for? + +* Client authorization by end-user. + +* NOT end-user identification. + +* NOT end-user authentication. + +* NOT end-user authorization. + +* NOT client identification. + +* NOT client authentication. + +----------------------------------------------------------------------------- + +I hereby authorize this specific third party to access these bits of +my data stored on this particular service. The third party has only +specific, limited access, possibly for a limited time. I may withdraw +my authorization at any time. + +----------------------------------------------------------------------------- + +# Example + +* Alice uses an email service, AMail. + +* Alice wants to have a book printed with all her emails. A + beautifully typeset, illustrated, color-printed, leather-bound, hard + cover book. An heirloom. + +* Book printing service, MailBooks, can do this, but needs to access + AMail to download all of Alice's emails. + +* How can this be done securely? + +----------------------------------------------------------------------------- + +# Not this way + +Alice gives MailBooks her username and password at AMail. + +MailBooks solemnly promises to not delete anything and to not send any +mail, and to forget the password after they've got what they need for +producing the book. + +Yeah right. + +----------------------------------------------------------------------------- + +# Not this way either + +MailBooks and AMail have a special agreement. + +AMail will give all the emails MailBooks asks for. MailBooks promises +to only ask for email of people who say they want a book. MailBooks +asks its customers to not lie about who they are. + +There is no way in which this might go badly. + +----------------------------------------------------------------------------- + +# No, just no + +Alice forwards each email to MailBooks. All 1.3 million of them. + +----------------------------------------------------------------------------- + +# OAuth2: Overview + +* Alice asks MailBooks for a book. + +* MailBooks tells her to authorize them on AMail. + +* Alice logs into AMail and clicks a button to authorize MailBooks. + AMail creates an **access token**. + +* Alice gives the access token to MailBooks. + +* MailBooks gives the access token to AMail and says it wants a copy + of every one of Alice's email. + +* AMail checks the token and responds with all a copy of all the emails. + +* MailBooks prints and sends the book to Alice. + +----------------------------------------------------------------------------- + +~~~plantuml +@startuml +actor Alice +entity "Book service" as Booksite +database "Email service" as Email + +Alice -> Booksite: Want book! +Booksite -> Email: May I get emails? +Email -> Alice: OK to give emails to Booksite? +Alice -> Email: Sure! +Email -> Booksite: Have an access token +Booksite -> Email: Emails please +Booksite -> Alice: Your book, bitte +@enduml +~~~ + + +----------------------------------------------------------------------------- + +# Details + +* HTTPS: always when credentials or tokens are transmitted +* access and **refresh tokens**: may be opaque to clients + - but JWT is common +* tokens are for a specific client and service +* tokens specify a **scope**: what operations they allow +* tokens expire → refresh tokens +* endpoint discovery: originally unspecified + +----------------------------------------------------------------------------- + +# Transaction 1: four specified grant variants + +* authorization code: OKish, but security can be improved + + * a lot of HTTP redirects + +* client credentials: bots without end users + +* implicit: don't use, trusts browser too much + +* resource owner password credentials: NO, JUST NO! + +* any of these may of course fail + +----------------------------------------------------------------------------- + +# Transaction 2: use access token + +* send request + token to resource provider (server) + + +----------------------------------------------------------------------------- + +# Transaction 3: get new access token + +* When access token expires. + +* Or when a client wants to give another client an access token, + possibly with less scope. + +----------------------------------------------------------------------------- + +# SEE ALSO + + +* [RFC 6749](https://tools.ietf.org/html/rfc6749) +* [OAuth website](https://oauth.net/) +* [Yuck](https://yuck.liw.fi/) + + +----------------------------------------------------------------------------- + +# Legalese + +Copyright 2020 Wikimedia Foundation + +This content is licensed under the Creative Commons +Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence. + +[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/ + + +--- +title: "The OAuth 2.0 Protocol" +subtitle: "EngProd paper club: RFC 6749" +author: "Lars Wirzenius" +date: "2020-12-07" +... -- cgit v1.2.1