Secure APIs with OAuth2
TRANSCRIPT

Secure APIs with OAuth2
Maceió Dev Meetup #2

Tony Messias
Web developer for 4+ years
Systems Analysis, CESMAC
@tony0x01

The client accesses resources using an Access Token obtained through an authorization flow

The end :)

OAuth2 > OAuth1(a)

POST /resources HTTP/1.1
Host: api.example.com
Authorization: OAuth oauth_consumer_key="lWsZaXcyujT8ErqdIlbr0Sn9LaFYNlE2eVCczyvsFKnmBHiBnVrY3xo64ByB", oauth_nonce="0Sn9LaFYN", oauth_signature="lWsZaXcyujT8ErqdIlbr0Sn9LaFY", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1418836421", oauth_token="96403f692107210ef11f4a02cdbce4af", oauth_version="1.0"
Content-Type: application/json

{ "lorem" : "ipsum" }

POST /resources HTTP/1.1
Host: api.example.com
Authorization: Bearer vr5HmMkz123aksdmMibiJUusZwZCHueHue
Content-Type: application/json

{ "lorem" : "ipsum" }
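
As an added illustration (not part of the talk), the following Python computes the OAuth 1.0a HMAC-SHA1 signature a client has to produce for a request like the one above, verifies it on the server side, and builds the equivalent OAuth2 bearer header; the consumer key, secrets and token values are constructed placeholders, only the nonce and timestamp are taken from the slide.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

def pct(s):
    return quote(str(s), safe="-._~")               # RFC 5849 percent-encoding: only unreserved chars pass

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the normalized request; every OAuth 1.0a client and server has to get this exactly right."""
    # Form or query parameters would be merged into params too; a JSON body (as on the slide) is not signed.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, consumer_key, consumer_secret, token, token_secret, nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),       # nonce + timestamp are the replay defence
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = oauth1_signature(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

def verify_oauth1_header(header, method, url, consumer_secrets, token_secrets):
    """Resource-server side: re-derive the signature from the same inputs and compare in constant time."""
    params = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        params[k] = unquote(v.strip('"'))
    claimed = params.pop("oauth_signature", "")
    try:
        expected = oauth1_signature(method, url, params, consumer_secrets[params["oauth_consumer_key"]],
                                    token_secrets[params["oauth_token"]])
    except KeyError:                                # unknown consumer key or token
        return False
    return hmac.compare_digest(claimed, expected)

def bearer_header(access_token):
    # OAuth2 bearer: nothing to sign, which is why the channel (TLS) has to do all the protecting
    return f"Bearer {access_token}"
```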

But the (OAuth2) project lead left the project

Insecure if you don't use SSL/TLS

Insecure if you don't use SSL/TLS correctly!

Some terms:

Resource Owner
also known as the "user"

Resource Server
your API

Client
an application using the resource server on behalf of the resource owner

Client
your {web,mobile} application that uses the API

Authorization Server
an application that issues Access Tokens to clients

Authorization Flows

Authorization Code
the most common one, with the whole redirect "dance"

Bob uses a web application

Bob has resources in that web application

Bob wants to use those resources in a third-party application

<a href="https://oauth2server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos">
Login with Facebook</a>

Bob is redirected back to the application with a code
https://oauth2client.com/callback?code=AUTH_CODE_HERE

The application then uses that code to request an Access Token

POST https://api.oauth2server.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

Response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia" }
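
The redirect dance above, as an added Python example that is not from the talk: an in-memory authorization server issues a code bound to CLIENT_ID and REDIRECT_URI, the client's back end exchanges it together with its secret, and the code works only once. The `state` parameter and its check on the callback are an addition taken from RFC 6749, not something the slides show; all ids, secrets and URLs are constructed.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients      # client_id -> {"secret": ..., "redirect_uri": ...} registered in advance
        self.codes = {}             # code -> (client_id, redirect_uri, user, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        # Bob has approved; the code is bound to this client and redirect_uri and lives for 60 s
        if self.clients.get(client_id, {}).get("redirect_uri") != redirect_uri:
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        # The client's back end trades the code for an access token, proving itself with its secret
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)          # single use: a replayed code fails below
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri or entry[4] < time.time():
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "scope": entry[3]}

class Client:
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id, self.client_secret, self.redirect_uri = server, client_id, client_secret, redirect_uri
        self.pending_state = None   # would live in Bob's session in a real web app

    def login_url(self):
        # The "Login with ..." link: response_type=code plus a fresh state value (assumption, see lead-in)
        self.pending_state = secrets.token_urlsafe(16)
        q = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
             "scope": "photos", "state": self.pending_state}
        return "https://oauth2server.com/auth?" + urlencode(q)

    def callback(self, url):
        # https://oauth2client.com/callback?code=...&state=...: check state, then exchange the code
        q = parse_qs(urlparse(url).query)
        if self.pending_state is None or q.get("state", [None])[0] != self.pending_state:
            return {"error": "state_mismatch"}
        self.pending_state = None
        return self.server.token("authorization_code", q.get("code", [""])[0],
                                 self.redirect_uri, self.client_id, self.client_secret)
```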

This flow is not recommended if the client is YOURS

Resource Owner Credentials

But isn't the purpose of OAuth to never use the user's credentials?

More or less…

The purpose, really, is that you don't have to hand your username and password to third parties

But what about when YOU developed the client that consumes YOUR API?

It makes no sense to have a "login with X" button when X is your own application

Alice provides her username and password

The client (web application) uses those credentials to obtain an Access Token

POST https://api.oauth2server.com/token
grant_type=password&
username=USERNAME&
password=PASSWORD&
client_id=CLIENT_ID

Response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia" }

That's it! No more redirects.

Client Credentials
machines need authorization too!

Similar to Resource Owner Credentials, but for applications

Example: microservices
POST https://api.oauth2server.com/token
grant_type=client_credentials&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

Refresh Token
because an Access Token should have a lifetime

You can provide, along with the Access Token, a Refresh Token and a TTL

It adds more complexity to clients

POST https://api.oauth2server.com/token
grant_type=refresh_token&refresh_token=TOKEN

{
  "access_token": "ACCESS_TOKEN",
  "expires_at": TIMESTAMP,
  "refresh_token": "REFRESH_TOKEN"
}
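
To tie the password, client_credentials and refresh_token grants from the slides above together, here is an added Python example (not the talk's code) of a token endpoint that handles all three, hands out an expires_at TTL with every access token and rotates refresh tokens on use; the client ids, the user store, the password hashing and the TTL values are all constructed assumptions.

```python
import hashlib, secrets, time

def hash_password(pw, salt=None):
    salt = salt or secrets.token_bytes(16)          # stored value is salt || PBKDF2 digest, never the password
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
def check_password(pw, stored):
    return secrets.compare_digest(hash_password(pw, stored[:16]), stored)

class TokenEndpoint:
    ACCESS_TTL, REFRESH_TTL = 3600, 30 * 86400      # seconds; access tokens are short-lived on purpose

    def __init__(self, clients, users, now=time.time):
        self.clients, self.users, self.now = clients, users, now   # clients: id -> secret (None = public client)
        self.access, self.refresh = {}, {}          # access: tok -> (subject, exp); refresh: tok -> (subject, exp, client_id)
    def _issue(self, subject, client_id, with_refresh):
        access, exp = secrets.token_urlsafe(32), int(self.now()) + self.ACCESS_TTL
        self.access[access] = (subject, exp)
        resp = {"access_token": access, "token_type": "Bearer", "expires_at": exp}
        if with_refresh:                            # TTL and refresh token travel with the access token
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh[resp["refresh_token"]] = (subject, int(self.now()) + self.REFRESH_TTL, client_id)
        return resp
    def _client_ok(self, client_id, client_secret):
        if client_id not in self.clients:
            return False
        secret = self.clients[client_id]
        return secret is None or (client_secret is not None and secrets.compare_digest(secret, client_secret))

    def token(self, grant_type, client_id, client_secret=None, **p):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "password":                # Alice's credentials go to YOUR client; no redirects
            stored = self.users.get(p.get("username"))
            if stored is None or not check_password(p.get("password", ""), stored):
                return {"error": "invalid_grant"}
            return self._issue(p["username"], client_id, with_refresh=True)
        if grant_type == "client_credentials":      # machine to machine, e.g. one microservice calling another
            if self.clients[client_id] is None:     # a public client cannot prove who it is
                return {"error": "unauthorized_client"}
            return self._issue(client_id, client_id, with_refresh=False)
        if grant_type == "refresh_token":
            entry = self.refresh.pop(p.get("refresh_token"), None)   # rotation: the old refresh token dies here
            if not entry or entry[2] != client_id or entry[1] < self.now():
                return {"error": "invalid_grant"}
            return self._issue(entry[0], client_id, with_refresh=True)
        return {"error": "unsupported_grant_type"}

    def subject_of(self, access_token):             # what a resource server asks: whose token, and still alive?
        entry = self.access.get(access_token)
        return entry[0] if entry and entry[1] > self.now() else None
```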

Suggestions

Send Access Tokens via a header
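
An added Python example (not from the talk) of the resource-server side of this suggestion: the token is taken from the Authorization header only, a token passed in the query string is refused, and expiry is checked before the request is accepted; the token store layout, the hashed-token lookup and the realm name are assumptions.

```python
import hashlib, re, time

BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)  # RFC 6750 b64token syntax

def token_key(token):
    # Store only a hash of each token, so a leaked token table cannot be replayed against the API
    return hashlib.sha256(token.encode()).hexdigest()

def extract_bearer(headers, query):
    """Return (token, error). Tokens are accepted from the Authorization header only."""
    if "access_token" in query:
        # A token in the URL ends up in server logs, browser history and Referer headers: refuse it
        return None, "invalid_request"
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None, None            # anonymous request; the endpoint decides whether that is allowed
    m = BEARER_RE.match(auth)
    return (m.group(1), None) if m else (None, "invalid_request")

def authorize(headers, query, token_store, now=time.time):
    """Resource-server check; token_store maps token_key(token) -> (subject, scope, expires_at)."""
    token, err = extract_bearer(headers, query)
    if err:
        return 400, {"WWW-Authenticate": f'Bearer realm="api", error="{err}"'}, None
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    entry = token_store.get(token_key(token))
    if entry is None or entry[2] <= now():
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    return 200, {}, entry[0]         # status, extra response headers, authenticated subject
```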

Be careful with Single Page Apps

The end!
For real this time!