Authentication and authorization in res tful infrastructures
1 like291 views
The document discusses authentication and authorization in RESTful infrastructures, focusing on various methods such as basic authentication, token-based authentication, and OAuth2 for controlling access to resources. It highlights how these systems can be implemented for machine-to-machine communication and the significance of scopes in managing permissions. Additionally, it covers token generation, lifespan, and usage within distributed environments to enhance security and privacy.
![FileSystem as a Service
$fileMetadata = new Google_Service_Drive_DriveFile([
'name' => 'photo.jpg'
]);
$file = $driveService->files->create($fileMetadata, [
'data' => file_get_contents("/tmp/photo.jpg"),
'mimeType' => 'image/jpeg',
'uploadType' => 'multipart',
'fields' => 'id'
]);](https://image.slidesharecdn.com/authenticationandauthorizationinrestfulinfrastructures-170703061522/85/Authentication-and-authorization-in-res-tful-infrastructures-6-320.jpg)
![The most simple way to authenticate is:
Basic Authentication
Example:
BASE64({username}:{password})
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: UTF-8
Content-Length: 2
Connection: close
X-Records-Count: 0
X-Records-Page: 1
X-Records-Total: 0
[]](https://image.slidesharecdn.com/authenticationandauthorizationinrestfulinfrastructures-170703061522/85/Authentication-and-authorization-in-res-tful-infrastructures-12-320.jpg)
![If you allows multiple passwords you have a token
based authentication system
Create a login endpoint [POST /v1/login]
User send username and password
A new password (randomly generated) is created
This randomly generated password is an authentication
token
So the token is used as a validation mechanism
We can integrate JWT to wrap the base token
You can add: expire, refresh, revoke features to complete your auth system
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Bearer 35deb6aab84648dc2423cb61d3fceaa6c869a7aa](https://image.slidesharecdn.com/authenticationandauthorizationinrestfulinfrastructures-170703061522/85/Authentication-and-authorization-in-res-tful-infrastructures-14-320.jpg)
![4 [5] ways to get an authorization token
Authorization code
Implicit (javascript
clients)
Password
Client credentials
Refresh token
A token, access or refresh it doesn't matter, must expires in an amount of time and
those tokens can also be revoked by the resource owner.](https://image.slidesharecdn.com/authenticationandauthorizationinrestfulinfrastructures-170703061522/85/Authentication-and-authorization-in-res-tful-infrastructures-30-320.jpg)
Authentication and authorization in res tful infrastructures
- 1. Authentication & Authorization RESTful infrastructures APIConf 2017 - Turin @_CloudConf_ - #apiconf2017
- 3. corley.it
- 4. APIs immediately creates a new building block for any application
- 5. I want to add lesystem feature to my application? https://developers.google.com/drive/v3/web/about-sdk Manage Files and Folders Enable collaboration Detect changes and revisions Using Google Drive features
- 6. FileSystem as a Service $fileMetadata = new Google_Service_Drive_DriveFile([ 'name' => 'photo.jpg' ]); $file = $driveService->files->create($fileMetadata, [ 'data' => file_get_contents("/tmp/photo.jpg"), 'mimeType' => 'image/jpeg', 'uploadType' => 'multipart', 'fields' => 'id' ]);
- 7. Or think about AWS services: S3 lesystem Lambda code as a service: image cropping etc... ElasticTranscoder video encoding SQS distributed queues SNS distributed noti cations
- 8. Or think about Docker an API wraps completely the Docker Engine Code as a service Background tasks as a service Think how much Docker is di erent thanks to its own API system than other services that you cannot control programmatically
- 9. API to turn ON/OFF a light bulb Now a simple light bulb have a unique address in the world (URI) Continuous Integration - Turn ON on errors Crepuscular relay for home automation ... POST /light/1 {"high": true} POST /light/1 {"high": false} GET /light/1
- 10. So we can decouple our system to di erent and reusable parts (services)
- 11. So now we have a machine-to-machine system, how we can authenticate and authorize actions?
- 12. The most simple way to authenticate is: Basic Authentication Example: BASE64({username}:{password}) GET /user HTTP/1.1 Host: api.walterdalmut.com Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Encoding: UTF-8 Content-Length: 2 Connection: close X-Records-Count: 0 X-Records-Page: 1 X-Records-Total: 0 []
- 13. If i change the password the basic token changes, or if a never change a password the token never change (expire)...
- 14. If you allows multiple passwords you have a token based authentication system Create a login endpoint [POST /v1/login] User send username and password A new password (randomly generated) is created This randomly generated password is an authentication token So the token is used as a validation mechanism We can integrate JWT to wrap the base token You can add: expire, refresh, revoke features to complete your auth system GET /user HTTP/1.1 Host: api.walterdalmut.com Authorization: Bearer 35deb6aab84648dc2423cb61d3fceaa6c869a7aa
- 16. With this authentication scheme, can we handle the authorization? Yes, typically role based (ADMIN, USER, etc)
- 17. This authorization scheme works well with tiny application with a limited API access or reserved API With this scheme we grant authorizations over a given resource per user role and not with a ne grained method $this->denyUnlessAuthorized($user, $resource));
- 18. if i want to grant only limited authorizations to external applications? How to handle the privacy problem and grant only a limited set of privileges?
- 19. Third party applications? With the basic auth i have to pass my credential to that application! With token auth i cannot control the data access because external application use my current role! We join di erent APIs togheter right?
- 21. OAuth2 is related to Authorization and not Authentication User centered (focus on third party application data access) Scope based authorization Di erent token scheme generation Secured via HTTPs (like basic auth, token auth...) Mainly for distributed infrastructures SOA, microservices...
- 23. OAuth2 scheme allows clients (third party application) to access to the user information only after a user grant User (is you) Client (third-party) Resource (information owned by you) Authorization grant (that you give to the client)
- 24. OAuth2 You grant a limited set of privileges (scopes) to a resource (that you own) to an external application (the client)
- 25. With OAuth2, the token is linked with a list of scopes and who have that token can access to resources in a limited way, depening on the scope list.
- 26. Scopes: - GET /user HTTP/1.1 Host: api.walterdalmut.com Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz... HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Encoding: UTF-8 Connection: close { "id": 1 }
- 27. Scopes: email GET /user HTTP/1.1 Host: api.walterdalmut.com Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz... HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Encoding: UTF-8 Connection: close { "id": 1, "username": "walter.dalmut@gmail.com" }
- 28. Scopes: email pro le:read GET /user HTTP/1.1 Host: api.walterdalmut.com Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz... HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Encoding: UTF-8 Connection: close { "id": 1, "username": "walter.dalmut@gmail.com", "firstname": "Walter", "lastname": "Dal Mut", "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro", "jobPosition": "Engineer", "signupDate": "2017-04-05T14:49:26+00:00" }
- 29. Scopes: email pro le:read invoice:read HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Encoding: UTF-8 Connection: close { "id": 1, "username": "walter.dalmut@gmail.com", "firstname": "Walter", "lastname": "Dal Mut", "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro", "jobPosition": "Engineer", "signupDate": "2017-04-05T14:49:26+00:00", "invoiceInfo": { "id": 1, "fiscalName": "Corley SRL", "taxCode": "10669790015", "fiscalCode": "10669790015", "address": "P.za Statuto 10", "zipCode": "10122", "city": "Torino", "country": "Italy", "province": "TO" } }
- 30. 4 [5] ways to get an authorization token Authorization code Implicit (javascript clients) Password Client credentials Refresh token A token, access or refresh it doesn't matter, must expires in an amount of time and those tokens can also be revoked by the resource owner.
- 31. Authorization code exchange AngularJs is not able to keep the OAuth2 credential as a secret so the App Server (Third Party app) will keep it and exchange the authorization code with a token using also the client credentials
- 35. Implicit ow Used by Javascript client that cannot use a backed server for client validation
- 36. Password ow Tipically used by privileged client to simplify the token generation
- 37. It is a privileged application in our network that allows user credentials sharing to simplify the user login procedure (with backend support) academy.corley.it (example of password ow)
- 38. Client credentials ow Tipically only for client related jobs (no user resources but client resources)
- 39. OAuth2 will generate 2 tokens: access_token and refresh_token. The refresh token is not used to access to resources but only to generate a new token without the whole generation handshake. access_token (expires in 1 hour) refresh_token (expires in 1 month)