OAuth and third party authentication in Granite

  • Published on
    10-May-2015


DESCRIPTION

Presentation "OAuth and third party authentication in Granite" by Antonio Sanso at CQCON2013 in Basel on 19 and 20 June 2013.

Transcript

  • 1. OAuth and third party authentication in Granite
    Antonio Sanso | Software Engineer
    2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

  • 2. Agenda

  • 3. Who is this guy, BTW?
    • Software Engineer, Adobe Basel
    • VP (Chair) Apache Oltu (OAuth protocol implementation in Java)
    • Committer for Apache Sling

  • 4. Why OAuth?
    Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE

  • 5. A bit of history: OAuth 1.0a

  • 6. A bit of history: OAuth 2.0 (2 years)

  • 7. The good
    • OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
    • Widespread and continuing to grow
    • Short lived Tokens
    • Encapsulated Tokens
    * Image taken from the movie The Good, the Bad and the Ugly

  • 8. The bad
    • No signature (relies solely on SSL), Bearer Tokens
    • No built-in security
    • Can be dangerous if used by inexperienced people
    • Burden on the client
    * Image taken from the movie The Good, the Bad and the Ugly

  • 9. The ugly
    • Too many compromises. The working group did not take clear decisions
    • The OAuth 2.0 spec is not a protocol, it is rather a framework - RFC 6749: The OAuth 2.0 Authorization Framework
    • Not interoperable - from the spec: "this specification is likely to produce a wide range of non-interoperable implementations." !!
    • Mobile integration (web views)
    • A lot of FUD
    * Image taken from the movie The Good, the Bad and the Ugly

  • 10. So what should I use?
    • Not many alternatives
    • OAuth 1.0 does not scale (and it is complicated)

  • 11. OAuth Actors
    • Resource Owner (Alice)
    • Client (Bob, worker at www.printondemand.biz)
    • Server (Carol Mark, from Facebook)

  • 12. OAuth flows
    • Authorization Code Grant (aka server side flow)
    • Implicit Grant (aka client side flow)
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant

  • 13. Traditional OAuth dance #1 - server side flow
    (sequence diagram between Alice, www.printondemand.biz and the server)
    1. I want an Authz Code
    2. Printondemand wants an Authz Code
    3. Login and authorize
    4. Here the Authz Code
    5. Here we go

  • 14. OAuth-entication / OAuth-orization
    • OAuth is NOT an authentication protocol. It is an access delegation protocol.
    • It is/can be used as an authentication protocol
    • BUT HANDLE WITH CARE

  • 15. Authentication in Granite
    1. The client sends a request with username and password
    2. SlingAuthenticator calls the AuthenticationHandler (the CQ default is TokenAuthenticationHandler)
    3. The AuthenticationHandler returns AuthenticationInfo with username and password
    4. SlingAuthenticator calls RepositoryFactory with the AuthenticationInfo to get a resource resolver and validate the credentials (Jackrabbit LoginModule)
    5. SlingAuthenticator calls AuthenticationFeedbackHandler#authenticationSucceeded, which may set cookies
    6. The request continues to be processed (or is redirected)

  • 16. Third party Authentication in Granite: OAuth

  • 17. Third party Authentication in Granite - LDAP, SAML, OAuth
    • The client sends a request with username and password
    • In the case of OAuth no username and password are sent
    • SlingAuthenticator calls RepositoryFactory with the AuthenticationInfo to get a resource resolver and validate the credentials (Jackrabbit LoginModule)
    • Which credentials?
    (diagram: 1. Login to Facebook?)

  • 18. Third party authentication in Granite
    • Trusted Credentials
    • Custom (companion) LoginModule
    • com.day.crx.security.token.TokenUtil#createCredentials - DEPRECATED

        . . .
        // impersonate the user from an admin session; the empty password is never checked
        SimpleCredentials sc = new SimpleCredentials(userId, new char[0]);
        sc.setAttribute(TOKEN_ATTRIBUTE, "");
        userSession = adminSession.impersonate(sc);
        // the login module fills in the token attribute; wrap it as TokenCredentials
        TokenCredentials tc = new TokenCredentials((String) sc.getAttribute(TOKEN_ATTRIBUTE));
        . . .
        // hand the token to the browser as the login cookie
        TokenCookie.update(request, response, repositoryId, tc.getToken(),
                adminSession.getWorkspace().getName(), httpOnly);

  • 19. Third party authentication in Granite

        public AuthenticationInfo extractCredentials(final HttpServletRequest request,
                final HttpServletResponse response) {
            . . .
            // trusted credentials: no password is verified, the third-party login is trusted
            final SimpleCredentials credentials =
                    new SimpleCredentials(customerEmail, "no_password_needed".toCharArray());
            credentials.setAttribute("TrustedInfo", "SSO");
            authInfo = new AuthenticationInfo("SSO", customerEmail);
            authInfo.put("user.jcr.credentials", credentials);
            . . .
            // create the repository user on first login
            final User cqUser = userManager.createUser(authInfo.getUser(), StringUtils.EMPTY,
                    authInfo.getUser());
            . . .
        }

  • 20. References
    • OAuth 2 web site - http://oauth.net/2/
    • Granite OAuth API - http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/auth/oauth/package-summary.html
    • Social Login - http://dev.day.com/docs/en/cq/current/administering/social_communities/social_connect.html
    • Some OAuth 2 attacks - http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html
    • Apache Oltu - http://oltu.apache.org/
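The server side flow of slide 13, written out as an added Python simulation (not code from the talk, from Granite or from Apache Oltu): both Bob's client side and Carol's server side exchange the five messages, and the token endpoint performs the client authentication, redirect_uri binding and single-use check that RFC 6749 requires, plus the state value that ties the callback to the login the client started, none of which the slide shows. The client registration, secret, URLs and the "owner" field in the token response are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration of the client (Bob, www.printondemand.biz) at the server (Carol).
REDIRECT_URI = "https://www.printondemand.biz/callback"
CLIENTS = {"printondemand": {"secret": "demo-secret", "redirect_uri": REDIRECT_URI}}
CODES = {}  # Carol's issued codes: code -> (client_id, redirect_uri, resource_owner, expires_at)
PENDING = set()  # Bob's in-flight logins, keyed by the state value he generated
def server_authorize(client_id, redirect_uri, state, resource_owner):
    # Steps 2-4: the client must be registered and redirect_uri must equal the registered one.
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    CODES[code] = (client_id, redirect_uri, resource_owner, time.time() + 60)  # short lived
    return redirect_uri + "?" + urlencode({"code": code, "state": state})  # 4. Here the Authz Code

def server_token(client_id, client_secret, code, redirect_uri):
    # Step 5: authenticate the client, then redeem the code exactly once, for that client and URI only.
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid client")
    entry = CODES.pop(code, None)
    if entry is None or entry[:2] != (client_id, redirect_uri) or entry[3] < time.time():
        raise ValueError("invalid or expired grant")
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "owner": entry[2]}  # owner: constructed

def client_start():  # 1. I want an Authz Code
    state = secrets.token_urlsafe(16)  # ties the eventual callback to this browser session
    PENDING.add(state)
    return {"client_id": "printondemand", "redirect_uri": REDIRECT_URI, "state": state}

def client_callback(url):  # 5. Here we go
    q = parse_qs(urlparse(url).query)
    state = q.get("state", [None])[0]
    if state not in PENDING:  # a code for a login Bob never started is refused
        raise ValueError("callback not tied to a login this client started")
    PENDING.discard(state)
    return server_token("printondemand", CLIENTS["printondemand"]["secret"], q["code"][0], REDIRECT_URI)

def run_dance(resource_owner="alice"):  # the whole dance; also reports whether a replayed code fails
    req = client_start()
    url = server_authorize(req["client_id"], req["redirect_uri"], req["state"], resource_owner)
    response = client_callback(url)
    try:
        server_token("printondemand", "demo-secret", parse_qs(urlparse(url).query)["code"][0], REDIRECT_URI)
        return response, False
    except ValueError:
        return response, True
```

The access token that comes back only proves that Alice delegated access to Bob; which user Bob is talking to still has to come from a protected resource, which is the "handle with care" point of slide 14.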
