Secure web service with Oauth

VIETNAM NATIONAL UNIVERSITY, HANOI
UNIVERSITY OF ENGINEERING AND TECHNOLOGY
======

STUDENT SCIENTIFIC RESEARCH CONTEST

Year: 2012
Research name: Secure web service with Oauth
Student name: Pham Cong Quang
Gender: Male
Class: QH-2008-I/CQ-CA
Faculty: Computer Science
Supervisor: Dr. Vo Dinh Hieu

TABLE OF CONTENT

I. Summary
II. Motivation
III. Implementation
  2.1 Web service
    2.1.1 Definition
    2.1.2 Characters and components of web service
      2.1.2.1 Characters
      2.1.2.2 Elements
        A. SOAP
        B. WSDL
        C. XML
        D. Web API
    2.1.3 WS security
  2.2 Open ID
  2.3 Oauth
    Introduction
    End-user benefits: OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password. When using web services, users put themselves at risk by sharing the same private information. OAuth is the rescue.
    Both the valet key and ATM cards are good metaphors for OAuth from a user perspective. Instead of giving your ATM card and PIN code, the card can double as a credit card with a signature authorization. Just like your username and password provide full access to your resources, your ATM card and PIN code provide you with great control over your bank accounts – much more than just charging goods. But when you replace the PIN code with your signature, the card becomes very limited and can only be used for limited access.
    Users don't care about protocols and standards – they care about a better experience with enhanced privacy and security. This is exactly what OAuth sets out to achieve. With web services on the rise, people expect their services to work together in order to accomplish something new. Instead of using a single site for all their online needs, users use one site for their photos, another for videos, another for email, and so on. No one site can do everything better. In order to enable this kind of integration, sites need to access the user's resources on other sites, and these are often protected (private family photos, work documents, bank records). They need a key to get in.
    The key used by users is usually a combination of username and password. This can be an OpenID or any other login credential. But this key is too powerful and unrestricted to share around. It also cannot be unshared once handed out, except by changing it, which will void access for every site, not just the one the user intends to block. OAuth addresses that by allowing users to hand out tokens instead. Each token grants access to a specific site (a video editing site) for specific resources (just videos from last weekend) and for a defined duration (the next 2 hours).
    Unlike OpenID, where users must do something first – get an OpenID identity they can use to sign into sites – OAuth is completely transparent to the users. In many cases (if done right), the end user will not know anything about OAuth, what it is or how it works. The user experience will be specific to the implementation of both the site requesting access and the one storing the resources, and adjusted to the device being used (web browser, mobile phone, PDA, set-top box).
    A typical example offered by the spec is when a user wants to print a photo stored on another site. The interaction goes something like this: the user signs into the printer website and places an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site, which can now access the photos. At no point did the user share her username and password with the printer site.
    Scope
    What is publicly known as 'OAuth' is really the 'OAuth Core 1.0' specification. The Core designation is used to stress that this is the skeleton other extensions and protocols can build upon. OAuth Core 1.0 does NOT by itself provide many desired features such as automated discovery of endpoints, language support, support for XML-RPC and SOAP, standard definition of resource access, OpenID integration, a full range of signing algorithms, and many other great ideas.
    This was intentional and is viewed by the authors as a benefit. As the name implies, Core deals with the most fundamental aspects of the protocol:
      • Establish a mechanism for exchanging a username and password for a token with defined rights
      • Provide tools to protect these tokens
    It is important to understand that security and privacy are not guaranteed by the protocol. In fact, OAuth by itself provides no privacy at all and depends on other protocols to accomplish that (such as SSL). With that said, OAuth can be implemented in a very secure manner, and the specification includes a good amount of security considerations to take into account when working with sensitive resources. Just like using passwords together with usernames to gain access, sites will use tokens together with secrets to access resources. And just like passwords, secrets must be protected.
    Definitions
    Section 3 contains definitions of fundamental protocol concepts referenced throughout the spec. Because understanding OAuth depends on these terms, they deserve some explanation:
      • Service Provider – the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a microblogging site, or any other service where the 'user's private stuff' is kept. OAuth does not mandate that the Service Provider will also be the identity provider, which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
      • User – the user is why OAuth exists, and without users there is no need for OAuth. The users have 'stuff' they don't want to make public on the Service Provider, but they do want to share it with another site. In OAuth, the protocol stops without manual interaction with the user at least once to receive permission to grant access.
      • Consumer – this is a fancy name for an application trying to access the user's resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. The Consumer is the one getting permission to access resources, and the Consumer is where the useful part of OAuth happens. OAuth defines 'Consumer Developer' as the entity writing code to interact with the Service Provider. 'Consumer Key' and 'Consumer Secret' will be explained later.
      • Protected Resources – the 'stuff' OAuth protects and allows access to. This can be data (photos, documents, contacts), activities (posting a blog item, transferring funds) or any URL with a need for access restrictions.
      • Tokens – are used instead of user credentials to access resources. A token is generally a random string of letters and numbers (but not limited to) that is unique, hard to guess, and paired with a secret to protect the token from being abused. OAuth defines two different types of tokens: Request and Access. These are explained later in greater detail.
  2.4 Comparison between Oauth and OpenID
  2.5 Combine OpenID and Oauth for securing web service
Conclusion
References
I. Summary

Today the internet is developing very fast and is becoming popular all over the world, and software engineering has changed a great deal with it. Desktop applications are now being replaced by web applications: with a computer connected to the internet and any browser, you can use a great many applications. For example, we can use Google Docs to create and edit documents, Google Calendar to manage time and events, or Flickr to store, share and edit pictures. We have all heard something about cloud computing and web services. Web services can be understood simply as a way to turn your applications into web applications that are published, found and used through the Web. Web services are now popular, so improving them is important and difficult work, especially where security is concerned. Hence the OAuth (Open Authorization) protocol, developed and first published in 2007, quickly became the standard authorization protocol for web service security. It allows users to use third-party applications without sharing their username and password. In this document we will look at the definition of OAuth and the way to apply it when building a web service.

II. Motivation

Today the internet is developing very fast, and in Viet Nam in particular it has become popular in recent years; the quality of the internet has also increased considerably. Therefore web applications have gradually become familiar to people using the internet. Today, with nothing more than a browser connected to the internet, we can use a huge number of applications that in the old days we could only use in a desktop environment. We do not need to install them on the computer and the hardware requirements are not high, so web applications clearly have many advantages. Certainly we have all used many famous web applications, such as Google Docs, where we can create, edit and store our documents, Flickr, where we can upload and share our pictures, or social network pages such as Facebook and Twitter, which are web applications too. We can call them web services, and with the quick growth of web services, security problems become the most important thing, because almost all security problems come from the internet. We can see that a lot of internet users have lost their accounts and control of them to hackers. Therefore the requirement appeared for a new protocol for web services with advantages for both users and developers: OAuth. This protocol quickly became the standard for authorization of web services. A lot of web services apply OAuth, such as Facebook, Twitter, Google and Yahoo, and it is also important to developers. In Viet Nam, securing web services with OAuth is very important.

III. Implementation

In this part we go through the many things related to solving our problem.

2.1 Web service

2.1.1 Definition

Firstly, we need to know what a web service is. Web services came into being a long time ago and have many applications in many fields. A web service is a place that stores data and operates on it, and a lot of users can use web services to create their own applications. Using web services we save a lot of time and effort, and the applications are better too. According to Wikipedia, a Web service is a method of communication between two electronic devices over the web (internet). In summary, a web service can be understood like this:
• Web services are application components
• Web services communicate using open protocols
• Web services are self-contained and self-describing
• Web services can be discovered using UDDI
• Web services can be used by other applications
• XML is the basis for Web services

How does it work? The basic Web services platform is XML + HTTP. XML provides a language which can be used between different platforms and programming languages and still express complex messages and functions. The HTTP protocol is the most used Internet protocol.
Web services platform elements:
• SOAP (Simple Object Access Protocol)
• UDDI (Universal Description, Discovery and Integration)
• WSDL (Web Services Description Language)

2.1.2 Characters and components of web service

2.1.2.1 Characters

• Interoperability has the highest priority. When all major platforms could access the Web using Web browsers, different platforms could interact. For these platforms to work together, Web applications were developed. Web applications are simply applications that run on the web. They are built around the Web browser standards and can be used by any browser on any platform.
• Web services take Web applications to the next level. By using Web services, your application can publish its function or message to the rest of the world.
• Web services use XML to code and to decode data, and SOAP to transport it (using open protocols).
• Web services have two types of uses:
  – Reusable application components.
  – Connecting existing software. Web services can help to solve the interoperability problem by giving different applications a way to link their data. With Web services you can exchange data between different applications and different platforms.

2.1.2.2 Elements

A. SOAP

SOAP is an XML-based protocol that lets applications exchange information over HTTP. Or, more simply: SOAP is a protocol for accessing a Web service.
• SOAP stands for Simple Object Access Protocol
• SOAP is a communication protocol
• SOAP is a format for sending messages
• SOAP is designed to communicate via the Internet
• SOAP is platform independent
• SOAP is language independent
• SOAP is based on XML
• SOAP is simple and extensible
• SOAP allows you to get around firewalls
• SOAP is a W3C standard

Why SOAP? It is important for application development to allow Internet communication between programs. Today's applications communicate using Remote Procedure Calls (RPC) between objects like DCOM and CORBA, but HTTP was not designed for this. RPC represents a compatibility and security problem; firewalls and proxy servers will normally block this kind of traffic. A better way to communicate between applications is over HTTP, because HTTP is supported by all Internet browsers and servers. SOAP was created to accomplish this. SOAP provides a way to communicate between applications running on different operating systems, with different technologies and programming languages. More about SOAP can be found at http://w3school.com/soap

A SOAP example

In the example below, a GetStockPrice request is sent to a server. The request has a StockName parameter, and a Price parameter that will be returned in the response. The namespace for the function is defined in "http://www.example.org/stock".

A SOAP request:

  POST /InStock HTTP/1.1
  Host: www.example.org
  Content-Type: application/soap+xml; charset=utf-8
  Content-Length: nnn

  <?xml version="1.0"?>
  <soap:Envelope
    xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
    soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
    <soap:Body xmlns:m="http://www.example.org/stock">
      <m:GetStockPrice>
        <m:StockName>IBM</m:StockName>
      </m:GetStockPrice>
    </soap:Body>
  </soap:Envelope>

The SOAP response:

  HTTP/1.1 200 OK
  Content-Type: application/soap+xml; charset=utf-8
  Content-Length: nnn

  <?xml version="1.0"?>
  <soap:Envelope
    xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
    soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
    <soap:Body xmlns:m="http://www.example.org/stock">
      <m:GetStockPriceResponse>
        <m:Price>34.5</m:Price>
      </m:GetStockPriceResponse>
    </soap:Body>
  </soap:Envelope>

B. WSDL

WSDL is an XML-based language for locating and describing Web services.
• WSDL stands for Web Services Description Language
• WSDL is based on XML
• WSDL is used to describe Web services
• WSDL is used to locate Web services
• WSDL is a W3C standard

WSDL is a document written in XML. The document describes a Web service.
It specifies the location of the service and the operations (or methods) the service exposes.

The WSDL document structure

A WSDL document describes a web service using these major elements:

  Element     Defines
  <types>     The data types used by the web service
  <message>   The messages used by the web service
  <portType>  The operations performed by the web service
  <binding>   The communication protocols used by the web service

The main structure of a WSDL document looks like this:

  <definitions>
    <types>
      definition of types
    </types>
    <message>
      definition of a message
    </message>
    [...]

... become so popular. Therefore web services are also increasing quickly; we can list many familiar web services such as Zing Me, go.vn and a lot of other social networks and services. Hence, so that developers can easily develop applications, many web services should provide a web API and also support security protocols such as OpenID and OAuth. Applying OpenID and OAuth in web services is a very good decision ...

... In composite Web services, each sub-service can be considered autonomous. The user has no control over these services. Also, the Web services themselves are not reliable: the service provider may remove, change or update their services without giving notice to users. Reliability and fault tolerance are not well supported, and faults may happen during execution. Exception handling in the context of Web services ...

... understanding OAuth depends on these terms, they deserve some explanation:
• Service Provider – the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a microblogging site, or any other service ...

... based services towards representational state transfer (REST) based communications. REST services do not require XML, SOAP, or WSDL service API definitions. Web APIs allow the combination of multiple Web services into new applications known as mashups. When used in the context of Web development, a Web API is typically a defined set of Hypertext Transfer Protocol (HTTP) request messages along with a ...

... APIs

2.5 Combine OpenID and Oauth for securing web service

As we have seen above, OpenID and OAuth are the secure methods for authentication and authorization in web services. Therefore we will find a way to apply both of them to protect our service, perhaps by combining these protocols into a single extension. This extension describes how to embed an OAuth approval request into ...

... languages are created with XML.

An example XML document

XML documents use a self-describing and simple syntax:

  <note>
    <to>Tove</to>
    <from>Jani</from>
    <heading>Reminder</heading>
    <body>Don't forget me this weekend!</body>
  </note>

D. Web API

Web services in a service oriented architecture

A Web API is a development in Web services (in a movement called Web 2.0) where ...

... paired with a Secret to protect the Token from being abused. OAuth defines two different types of Tokens: Request and Access. These are explained later in greater detail.

2.4 Comparison between Oauth and OpenID

OAuth, OpenID... they sound like the same thing and they do vaguely similar things, but OAuth is not OpenID. They have different purposes. To start with, here's what OAuth does have in common with ...

... code provide you with great control over your bank accounts – much more than just charging goods. But when you replace the PIN code with your signature, the card becomes very limited and can only be used for limited access. Users don't care about protocols and standards – they care about a better experience with enhanced privacy and security. This is exactly what OAuth sets out to achieve. With web services on the ...

... of messages
• Integrity of messages

Each of the challenges in web service security has its own methods, but they are not always all good. Finding the best solution for web service security is still hard work. But for now we do not care about other things: in this document I will show you the OAuth protocol for authorization in web services. It is quite safe and trustworthy.

2.2 Open ID

OpenID ...

... private stuff' is kept. OAuth does not mandate that the Service Provider will also be the identity provider, which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
• User – the user is why OAuth exists, and without users there is no need for OAuth. The users have 'stuff' they don't want to make public on the Service Provider, but ...
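The OAuth Core 1.0 passages above say that sites "use tokens together with secrets to access resources" and that the spec's job is to "provide tools to protect these tokens". The following Python is an added example, not code from the paper: the Consumer signs a request with HMAC-SHA1 using its consumer secret and token secret, and the Service Provider verifies the signature, the timestamp window and the nonce before granting access, so the secrets themselves never travel over the wire. The credentials, URL and nonce are constructed sample values (same shape as the spec's Appendix A example, not a real service); a flat parameter dictionary is assumed, with one value per name and no "realm" parameter.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def pct(value) -> str:
    # OAuth Core 1.0 parameter encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Method, base URL and the sorted, encoded parameters, each encoded again and joined by "&"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret) -> str:
    # Key is the encoded consumer secret and token secret joined by "&"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp) -> dict:
    # Consumer side: add the oauth_* protocol parameters, then sign everything together
    signed = {**params, "oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
              "oauth_nonce": nonce, "oauth_version": "1.0"}
    signed["oauth_signature"] = hmac_sha1_signature(
        method, base_url, signed, consumer_secret, token_secret)
    return signed


class ServiceProvider:
    # Service Provider side: secrets stay here; only signatures are exchanged

    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers = consumers  # consumer key -> consumer secret
        self.tokens = tokens        # access token -> token secret
        self.window = window        # accepted clock skew in seconds
        self.seen = set()           # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, base_url, params, now=None):
        now = time.time() if now is None else now
        p = dict(params)
        presented = p.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        token_secret = self.tokens.get(p.get("oauth_token"))
        if presented is None or consumer_secret is None or token_secret is None:
            return False, "missing signature or unknown consumer/token"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False, "malformed timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside accepted window"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce already used"
        expected = hmac_sha1_signature(method, base_url, p, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):  # constant-time comparison
            return False, "signature mismatch"
        self.seen.add(replay_key)
        return True, "ok"


# Constructed sample values (same shape as the spec's Appendix A example; not a real service)
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
ACCESS_TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
PHOTOS_URL = "http://photos.example.net/photos"
```

A replayed request fails on the nonce check even though its signature is still valid, and changing any parameter or the HTTP method changes the base string and so the signature; a deployment would persist the nonce set and put the whole exchange behind SSL, which the paper notes OAuth itself does not provide.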

Posted: 12/04/2014, 15:40
