Thanks to all that attended last week's webinar: OAuth: The Big Picture (slides and video here).
There were great questions - here are thoughts on those we didn't have time to discuss.
Q: Would you recommend only using oauth for passwords and usernames? What about more confidential items like card numbers? (John G)
I'm not sure I completely understand - but are you asking - if a user can authenticate to OAuth using a credit card number rather than a username/password?
That's theoretically possible but I'm not sure it's a good idea. Also, keep in mind that most credit-card authorization systems use a unique ID to map your transaction to an actual credit card, and for PCI compliance the actual number itself is stored in a PCI-compliant card system. In other words, I'm not sure that OAuth would be solving a new problem here.
Q: Can you talk about the practices around validity periods of tokens, given that their decoupled from password validity? (Eve Maler)
Sure. First, why do OAuth tokens need to be refreshed at all?
For one, when an OAuth 1.0a or 2.0 "mac" signature is used without the benefit of SSL, it could theoretically be cracked given enough time and computing resources. However when SSL is in use, you can't do this by just sniffing the network, although if you can intercept a request some other way then you could theoretically do this. So, one reason to refresh the token is so that it can't be cracked.
Another reason is just because as users pass their computers around, phones, etc, it's possible that they won't realize that they contain OAuth tokens. This is a much more subtle and undefined reason than the first.
Some applications give out tokens that never expire, which leads to the theoretical "cracking" example if you are not using SSL. On the other hand, I've seen applications with tokens that expire in 15 minutes, which is not very user-friendly. I don't have a specific recommendation right now and I'm not sure if I have seen another as well.
I actually think that this is a good area for some new research if there's someone out there looking for a project -- I don't think that we've quantified this well.
Q: If the user is entering the user/pass on the browser, even though it may be a trusted website URL, it is still vulnerable for some client to sniff the credentials as it is on the machine itself!! (Kaushik)
Sure -- nothing on a computer can be completely trusted, and the person operating the machinery can be trusted least of all!
What OAuth does for a web app, is keep the passwords from the server that you are using and prevents your password from being spread around the Internet from server to server. Given the number of security breaches in which servers are compromised and user accounts exposed, this fixes a big problem.
What OAuth does for a mobile app is keep the password from the application that you are running. I think you can trust the browser embedded in your OS more than you can trust the application built by a developer that you don't know, but I know that others here disagree. (And yes, I realize that an app can put up a fake browser screen. I wonder if such an app can get through the Apple App Store? Does anyone have knowledge about how real a threat this is?)
Q: What options does Apigee support for server-to-server API calls where we want to verify the caller is a valid caller? i.e. request signature? (Mark Visosky)
We can support two-way SSL, WS-Security with UserNameToken profile or X.509 profile, SAML, XML encryption / digital signatures, and of course HTTP basic authentication.
Q: if i change my password on twitter, then try to use a previously working app, it makes me reauth (Daniel)
I didn't know that about Twitter and should have tried before the call.
Q: Thanks for the webinar, you've clearly thought a lot about authentication and security issues. However, I cannot grant you the point that opening up a web browser where you enter your password to the service provider keeps the user's password secure. A malicious desktop or mobile application will be able to trick the user into divulging their password by spoofing the oAuth page in some way. oAuth sign in page, I mean (Kevin)
Thanks for the questions. There are certainly other ways to trick a user into divulging their password even beyond what you suggest... That doesn't mean that we have yet abandoned passwords completely.
However, an API provider that DOES want to abandon passwords and replace them with some sort of multi-factor authentication, VPN, SAML, hardware dongle, whatever, can do that by replacing the authentication screen in OAuth with one that requires whatever that API provider wants WITHOUT requiring any change at all on the client. This is a lot harder to do once there are clients out there that have hard-coded username/password authentication.
Q: if it again asks for reauth then does that mean it is using the changed password somehow..? (Kaushik)
An API has the option of revoking the OAuth tokens at any time, and some may choose to revoke them whenever the password is changed. However, OAuth doesn't require or specify that.
Q: Isn't the full OAuth dance only necessary if a user needs to authorize another application to perform actions on their behalf? i.e. giving authorization to bit.ly to submit tweets through my twitter account. What about API's where we just want to validate callers are who they say they are but no end-user is involved. (Mark V)
For server-to-server communications, two-way SSL, or "regular" SSL with HTTP Basic and a long, random password are fine ways to solve this IMHO.
For applications that need to authenticate themselves as "the app" rather than as a particular user, you can assign each app a unique and random "application key" and include that in each request. Use SSL as well if keeping the app key a secret is important to your business.
Q: Do services need to store/control which third-parties can retrieve your OAuth credentials? Or is it generally the rule that if you expose OAuth, any app can use it? (Kenneth)
In order to build an application that uses an API via OAuth, the application needs a set of application credentials -- that's the case for OAuth 1.0 and 2.0.
Q: i want to write an OAuth2 *provider* - what libraries are available to me? (Kevin H)
There is a long list of open-source projects at oauth.net under "Code." It's not something that can usually be just "plugged in" to a server, however, because it depends on how you want to authenticate users, where you want to store credentials, etc. At this point in time I should mention that an API gateway product such as Apigee Enterprise is one great way to get it done quickly.
Q: If oAuth requires SSL in 2.0, the request signing step becomes useless, no? (Kevin W)
When OAuth 2.0 is used with a "bearer token," then there is no secret and no request signing -- you use SSL instead. When OAuth 2.0 is used with a "Mac token" then it is just like 1.0a.
Q: Are the specs for SSL ,SAML assertion available to be used or implemented for my server..? (Kaushik R)
Absolutely. Check ietf.orf and search for "OAuth." There are active groups working on all these specs.
Q: If you're requiring SSL, why not just trade un/pw for a token set and be done with it? This assumes that the oAuth sign in page is security theater, which I maintain that it is. (Kevin)
@Eve but you can use any RSA spec, as long as the client and server know what to do. (Dan)
un/pw/api key or whatever? (Kevin)
Even the father of OAuth, Eran Hammer-Lahav, says using SSL as a means of authentication is broken (ie, OAuth 2.0 is broken) - (Dan)
Yes, he is wary of SSL. That's why he personally ensured that OAuth 2.0 also includes the "mac token" option, which is a way to use OAuth 2.0 with a signature and without SSL, just like 1.0a. This particular spec is newer and changing more quickly but it'll be an important option soon. Given the amount of work he is doing on the spec I don't think he thinks it's broken.
Q: How complex it is to implement OAuth in our own servers..? (Kaushik)
The hard part is integrating the OAuth flow with your existing authentication mechanisms, so that the browser is redirected and all that. There is also a bunch of work involved in implementing the various authentication flows, and there are quite a few of them. I think there are much more complex things to implement but OAuth does have its challenges.
Q: Where is the OAuth token stored? is it Server side in your example Twitter, or client side BIT.LY or BOTH? I think you mentioned in case of mobile apps it is stored on mobile. (Arpit)
It depends who is accessing the API on your behalf. The bit.ly web site, for instance, must store them on the server since it's a web site. The Twitter mobile apps, however, store it on the mobile device itself.
Q: So are they saying that banks shouldn't use OAuth for banking transactions? (Kenneth K)
If a bank has a fiduciary responsibility, for example, to sign every transaction with an RSA key that is stored on a hardware key store and managed by a PKI with tight policies and procedures around key distribution, then OAuth isn't going to be used in such an environment any more than plain old username / password combinations. That's the case for financial applications that deal with individual transactions worth millions or billions of dollars.
Seeing that many of us bank on our mobile phones or web browsers using just a username and password for authentication, I think that OAuth is just fine for a wide variety of other financial apps.
Q: The oAuth login screen is security theater - I can spoof it or otherwise trick the user if I am a malicious mobile or desktop app developer. If you can't force me (the third party app developer) to NOT store the un/pw, why make me goof around with an embedded browser page in my desktop/mobile app? Thoughts? (Kevin)
I think I tried to answer this elsewhere, but in general if you really want to do this then OAuth 2.0 actually includes an authentication flow that lets you get a token by simply sending the username / password to the server.
Q: oAuth gives a false sense that your transactions is secure, but the spec really does not mandate any message level security?? (Praveen)
Well the spec strongly recommends it but the spec can't force it -- it is up to each individual API to require message-level security in the right places.
Q: Advanced talk should have a topic on usage of the "SCOPE" parameter (Vladimir)
I think that the whole "scope" thing would be an interesting seminar, yes. Let's consider it, but we'll need a lot of good examples!
Thanks again to everyone and hope to see you on our next webinar: "Boss, we need an API!"