Secure web service with Oauth
STUDENT SCIENTIFIC RESEARCH CONTEST
Year: 2012
Research name: Secure web service with Oauth
Supervisor: Dr.Vo Dinh Hieu
TABLE OF CONTENTS
I. Summary 4
II. Motivation 5
III. Implementation 6
2.1 Web service 6
2.1.1 Definition 6
2.1.2 Characters and components of web service 7
2.1.2.1 Characters 7
2.1.2.2 Elements 8
A. SOAP 8
B. WSDL 10
C. XML 12
D. Web API 13
2.1.3 WS security 14
End-user benefits: OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password. When using a web service, users put themselves at risk sharing the same private information. OAuth is the rescue. 16
Both the valet key and ATM cards are good metaphors for OAuth from a user perspective. Instead of giving your ATM card and PIN code, the card can double as a credit card with a signature authorization. Just like your username and password provide full access to your resources, your ATM card and PIN code provide you with great control over your bank accounts – much more than just charging goods. But when you replace the PIN code with your signature, the card becomes very limited and can only be used for limited access. 16
Users don't care about protocols and standards – they care about a better experience with enhanced privacy and security. This is exactly what OAuth sets out to achieve. With web services on the rise, people expect their services to work together in order to accomplish something new. Instead of using a single site for all their online needs, users use one site for their photos, another for videos, another for email, and so on. No one site can do everything better. In order to enable this kind of integration, sites need to access the user resources from other sites, and these are often protected (private family photos, work documents, bank records). They need a key to get in. 16
The key used by users is usually a combination of username and password. This can be an OpenID or any other login credential. But this key is too powerful and unrestricted to share around. It also cannot be unshared once handed out except by changing it, which will void access to every site, not just the one the user intends to block. OAuth addresses that by allowing users to hand out tokens instead. Each token grants access to a specific site (a video editing site) for specific resources (just videos from last weekend) and for a defined duration (the next 2 hours). 16
Unlike OpenID, where users must do something first – get an OpenID identity they can use to sign into sites – OAuth is completely transparent to the users. In many cases (if done right), the end-user will not know anything about OAuth, what it is or how it works. The user experience will be specific to the implementation of both the site requesting access and the one storing the resources, and adjusted to the device being used (web browser, mobile
A typical example offered by the spec is when a user wants to print a photo stored on another site. The interaction goes something like this: the user signs into the printer website and places an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site, which can now access the photos. At no point did the user share her username and password with the printer site. 17
What is publicly known as 'OAuth' is really the 'OAuth Core 1.0' specification. The Core designation is used to stress that this is the skeleton other extensions and protocols can build upon. OAuth Core 1.0 does not by itself provide many desired features such as automated discovery of endpoints, language support, support for XML-RPC and SOAP, standard definition of resource access, OpenID integration, a full range of signing algorithms, and
This was intentional and is viewed by the authors as a benefit. As the name implies, Core deals with the most
• Establish a mechanism for exchanging a username and password for a token with defined rights 17
It is important to understand that security and privacy are not guaranteed by the protocol. In fact, OAuth by itself provides no privacy at all and depends on other protocols to accomplish that (such as SSL). With that said, OAuth can be implemented in a very secure manner and the specification includes a good amount of security considerations to take into account when working with sensitive resources. Just like using passwords together with usernames to gain access, sites will use tokens together with secrets to access resources. And just like
'user's private stuff' is kept. OAuth does not mandate that the Service Provider will also be the identity provider, which means the Service Provider can use its own usernames and passwords to authenticate users, or use other
• User – the user is why OAuth exists, and without users there is no need for OAuth. The users have 'stuff' they don't want to make public on the Service Provider, but they do want to share it with another site. In OAuth, the protocol stops without manual interaction with the user at least once to receive permission to grant access. 18
• Consumer – this is a fancy name for an application trying to access the User's resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. The Consumer is the one getting permission to access resources, and the Consumer is where the useful part of OAuth happens. OAuth defines 'Consumer Developer' as the entity writing code to interact with the Service Provider. 'Consumer Key' and 'Consumer Secret' will be explained later. 18
• Protected Resources: the 'stuff' OAuth protects and allows access to. This can be data (photos, documents, contacts), activities (posting a blog item, transferring funds) or any URL with a need for access restrictions. 18
• Tokens – are used instead of User credentials to access resources. A Token is generally a random string of letters and numbers (but not limited to) that is unique, hard to guess, and paired with a Secret to protect the Token from being abused. OAuth defines two different types of Tokens: Request and Access. These are explained later.
2.5 Combine OpenID and OAuth for securing web service 21
Conclusion 26
References 27
I. Summary
Today the internet is developing very fast and is becoming popular all over the world. Therefore, software engineering has changed a lot: desktop applications are now being replaced by web applications. With a computer connected to the internet and any browser, you can use a lot of applications. For example, we can use Google Docs to create and edit documents, Google Calendar to manage time and events, or Flickr to store, share and edit our pictures. We have all heard something about cloud computing and web services. Web services can be understood simply as a way to convert your applications into web applications that are published, found and used through the Web. Web services are now becoming popular, so improving them is important and difficult work, especially with regard to security problems. Hence the OAuth (Open Authorization) protocol was developed; first published in 2007, it quickly became the standard authorization protocol in web service security. It allows users to use third-party applications without sharing their username and password.
In this document we will learn what OAuth is and how to apply it when building a web service.
II. Motivation
Today the internet is developing very fast; in Viet Nam especially, the internet has become popular in recent years, and its quality has also increased considerably. Therefore, web applications have gradually become familiar to people using the internet. Today, with only a browser connected to the internet, we can use a huge number of applications that in the old days we could only use in a desktop environment. We do not need to install anything on the computer and the hardware requirements are not too high, so clearly web applications have a lot of advantages. Certainly we have all used many famous web applications like Google Docs, where we can create, edit and store our documents, or Flickr, where we can upload and share our pictures; many social network pages like Facebook and Twitter are also web applications. We can call them web services, and with the quick growth of web services, security problems have become the most important thing, because almost all security problems come from the internet. We can see that a lot of internet users have lost their accounts and control of them to hackers. Therefore, the requirement for a new protocol for web services with advantages for both users and developers appeared: OAuth. This protocol quickly became the standard for authorization of web services. A lot of web services apply OAuth, like Facebook, Twitter, Google and Yahoo, and it is also important for developers. In Viet Nam, securing web services with OAuth is very important.
III. Implementation
In this part, we will go through the many related things needed to solve our problem.
2.1 Web service
2.1.1 Definition
Firstly, we need to know what a web service is.
Web services came into being a long time ago. They have many applications in many fields. A web service is a place that stores data and processes it. Many users can use web services to create their own applications. Using web services we can save a lot of time and effort, and the applications are also better.
According to Wikipedia, a Web service is a method of communication between two electronic devices over the web (internet).
In summary, a web service can be understood in these terms:
• Web services are application components
• Web services communicate using open protocols
• Web services are self-contained and self-describing
• Web services can be discovered using UDDI
• Web services can be used by other applications
• XML is the basis for Web services
How does it work?
The basic Web services platform is XML + HTTP
XML provides a language which can be used between different platforms and programming languages and still express complex messages and functions.
The HTTP protocol is the most used Internet protocol
Web services platform elements:
• SOAP (Simple Object Access Protocol)
• UDDI (Universal Description, Discovery and Integration)
• WSDL (Web Services Description Language)
2.1.2 Characters and components of web service
2.1.2.1 Characters
• Interoperability has Highest Priority
When all major platforms could access the Web using Web browsers, different platforms could interact. For these platforms to work together, Web applications were developed.
Web applications are simply applications that run on the web. These are built around the Web browser standards and can be used by any browser on any platform.
• Web Services take Web-applications to the Next Level
By using Web services, your application can publish its function or message to the rest of the world.
• Web services use XML to code and to decode data, and SOAP to transport it (using open protocols)
• Web Services have Two Types of Uses
– Reusable application-components
– Connect existing software
Web services can help to solve the interoperability problem by giving different applications a way to link their data.
With Web services you can exchange data between different applications and different platforms
2.1.2.2 Elements
A. SOAP
SOAP is an XML-based protocol to let applications exchange information over HTTP
Or, more simply: SOAP is a protocol for accessing a Web Service.
• SOAP stands for Simple Object Access Protocol
• SOAP is a communication protocol
• SOAP is a format for sending messages
• SOAP is designed to communicate via Internet
• SOAP is platform independent
• SOAP is language independent
• SOAP is based on XML
• SOAP is simple and extensible
• SOAP allows you to get around firewalls
• SOAP is a W3C standard
Why SOAP?
It is important for application development to allow Internet communication between programs. Today's applications communicate using Remote Procedure Calls (RPC) between objects like DCOM and CORBA, but HTTP was not designed for this. RPC represents a compatibility and security problem; firewalls and proxy servers will normally block this kind of traffic.
A better way to communicate between applications is over HTTP, because HTTP is supported by all Internet browsers and servers. SOAP was created to accomplish this.
SOAP provides a way to communicate between applications running on different operating systems, with different technologies and programming languages.
More about SOAP can be found at http://w3school.com/soap
A SOAP Example
In the example below, a GetStockPrice request is sent to a server. The request has a StockName parameter, and a Price parameter that will be returned in the response. The namespace for the function is defined in "http://www.example.org/stock".
</soap:Envelope>
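As an added example (not the paper's own code, and not from W3Schools), here is the GetStockPrice exchange described above worked through with Python's standard library: the client builds the request envelope, the server pulls the StockName parameter out of it, and the client reads the Price back from the response or surfaces a SOAP Fault. The function namespace http://www.example.org/stock comes from the text; the SOAP 1.2 envelope namespace, the sample response and fault, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# The function namespace is the one named in the text. The SOAP 1.2 envelope
# namespace is an assumption: the page does not say which SOAP version it uses.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
STOCK_NS = "http://www.example.org/stock"

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", STOCK_NS)


def _q(ns: str, tag: str) -> str:
    """Clark notation {namespace}tag, the form ElementTree uses for qualified names."""
    return f"{{{ns}}}{tag}"


def build_get_stock_price_request(stock_name: str) -> bytes:
    """Client side: wrap a GetStockPrice call and its StockName parameter in an envelope.

    Building the tree with ElementTree instead of string formatting means the
    parameter value is escaped, so a value such as "<x>" cannot inject elements.
    """
    envelope = ET.Element(_q(SOAP_NS, "Envelope"))
    body = ET.SubElement(envelope, _q(SOAP_NS, "Body"))
    call = ET.SubElement(body, _q(STOCK_NS, "GetStockPrice"))
    ET.SubElement(call, _q(STOCK_NS, "StockName")).text = stock_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def stock_name_from_request(xml_bytes: bytes) -> str:
    """Server side: extract the StockName parameter from an incoming request."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _q(SOAP_NS, "Envelope"):
        raise ValueError("not a SOAP envelope")
    path = "/".join([_q(SOAP_NS, "Body"), _q(STOCK_NS, "GetStockPrice"), _q(STOCK_NS, "StockName")])
    name = root.findtext(path)
    if not name:
        raise ValueError("GetStockPrice request has no StockName")
    return name


def parse_get_stock_price_response(xml_bytes: bytes) -> float:
    """Client side: return the Price from a response, or raise if the body is a Fault."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _q(SOAP_NS, "Envelope"):
        raise ValueError("not a SOAP envelope")
    body = _q(SOAP_NS, "Body")
    fault = root.find(body + "/" + _q(SOAP_NS, "Fault"))
    if fault is not None:
        reason = fault.findtext(_q(SOAP_NS, "Reason") + "/" + _q(SOAP_NS, "Text")) or "unspecified"
        raise RuntimeError(f"SOAP fault: {reason}")
    price = root.findtext("/".join([body, _q(STOCK_NS, "GetStockPriceResponse"), _q(STOCK_NS, "Price")]))
    if price is None:
        raise ValueError("response has no Price element")
    return float(price)


# Constructed sample messages (not captured from any real service).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <m:GetStockPriceResponse xmlns:m="http://www.example.org/stock">
      <m:Price>34.5</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">Unknown stock</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    request = build_get_stock_price_request("IBM")
    print(request.decode())
    print("server saw StockName =", stock_name_from_request(request))
    print("client read Price =", parse_get_stock_price_response(SAMPLE_RESPONSE))
    try:
        parse_get_stock_price_response(SAMPLE_FAULT)
    except RuntimeError as exc:
        print(exc)
```

The two checks on `root.tag` and the explicit Fault branch are what a practitioner would keep: a client that reads `Price` with a bare XPath and no fault handling silently turns a server error into a missing value.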
B WSDL
WSDL is an XML-based language for locating and describing Web services
• WSDL stands for Web Services Description Language
• WSDL is used to describe Web services
• WSDL is used to locate Web services
• WSDL is a W3C standard
WSDL is a document written in XML. The document describes a Web service. It specifies the location of the service and the operations (or methods) the service exposes.
The WSDL Document Structure
A WSDL document describes a web service using these major elements:
• <types>: the data types used by the web service
• <message>: the messages used by the web service
• <portType>: the operations performed by the web service
• <binding>: the communication protocols used by the web service
The main structure of a WSDL document looks like this:
The "getTerm" operation has an input message called "getTermRequest" and an output message called "getTermResponse".
The <message> elements define the parts of each message and the associated data types.
Compared to traditional programming, glossaryTerms is a function library, "getTerm" is a function with "getTermRequest" as the input parameter, and getTermResponse as the return parameter.
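The WSDL element structure above, worked through as an added example (my code, not the paper's and not W3Schools'): a minimal WSDL 1.1 document for the glossaryTerms port type with its getTerm operation, and a parser that resolves each operation to its input and output messages, their parts, the SOAP action from the binding, and the service location. The names glossaryTerms, getTerm, getTermRequest and getTermResponse are from the text; the part names, target namespace, binding, service and endpoint URL are constructed.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BINDING_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL document modelled on the names used in the text.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="Glossary"
             targetNamespace="http://www.example.org/glossary"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="http://www.example.org/glossary">
  <types/>
  <message name="getTermRequest">
    <part name="term" type="xs:string"/>
  </message>
  <message name="getTermResponse">
    <part name="value" type="xs:string"/>
  </message>
  <portType name="glossaryTerms">
    <operation name="getTerm">
      <input message="tns:getTermRequest"/>
      <output message="tns:getTermResponse"/>
    </operation>
  </portType>
  <binding name="glossaryTermsSoap" type="tns:glossaryTerms">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getTerm">
      <soap:operation soapAction="http://www.example.org/glossary/getTerm"/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
    </operation>
  </binding>
  <service name="GlossaryService">
    <port name="glossaryTermsPort" binding="tns:glossaryTermsSoap">
      <soap:address location="http://www.example.org/glossary"/>
    </port>
  </service>
</definitions>"""


def _q(ns: str, tag: str) -> str:
    return f"{{{ns}}}{tag}"


def _local(qname: str) -> str:
    """Drop the 'prefix:' from a QName attribute value such as 'tns:getTermRequest'."""
    return qname.split(":", 1)[-1]


def describe_operations(wsdl_bytes: bytes) -> dict:
    """Map each portType operation to its messages, message parts and SOAP action."""
    root = ET.fromstring(wsdl_bytes)
    if root.tag != _q(WSDL_NS, "definitions"):
        raise ValueError("not a WSDL 1.1 document")

    # <message> name -> [(part name, declared type or element)]
    messages = {
        msg.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                          for p in msg.findall(_q(WSDL_NS, "part"))]
        for msg in root.findall(_q(WSDL_NS, "message"))
    }
    # <binding>/<operation> name -> soapAction, the value a SOAP client sends in its header
    actions = {}
    for binding in root.findall(_q(WSDL_NS, "binding")):
        for op in binding.findall(_q(WSDL_NS, "operation")):
            soap_op = op.find(_q(SOAP_BINDING_NS, "operation"))
            if soap_op is not None:
                actions[op.get("name")] = soap_op.get("soapAction")

    result = {}
    for port_type in root.findall(_q(WSDL_NS, "portType")):
        for op in port_type.findall(_q(WSDL_NS, "operation")):
            name = op.get("name")
            inp = op.find(_q(WSDL_NS, "input"))
            out = op.find(_q(WSDL_NS, "output"))
            in_msg = _local(inp.get("message")) if inp is not None else None
            out_msg = _local(out.get("message")) if out is not None else None
            # A dangling message reference means the contract is broken; fail loudly.
            for ref in (in_msg, out_msg):
                if ref is not None and ref not in messages:
                    raise ValueError(f"operation {name} references undefined message {ref}")
            result[name] = {
                "portType": port_type.get("name"),
                "input": in_msg, "input_parts": messages.get(in_msg, []),
                "output": out_msg, "output_parts": messages.get(out_msg, []),
                "soapAction": actions.get(name),
            }
    return result


def service_locations(wsdl_bytes: bytes) -> list:
    """Return the endpoint URLs the <service> section publishes."""
    root = ET.fromstring(wsdl_bytes)
    return [addr.get("location") for addr in root.iter(_q(SOAP_BINDING_NS, "address"))]


if __name__ == "__main__":
    for op_name, info in describe_operations(SAMPLE_WSDL).items():
        print(op_name, "->", info)
    print("endpoints:", service_locations(SAMPLE_WSDL))
```

Reading the contract this way shows the mapping the text describes: glossaryTerms is the library, getTerm the function, getTermRequest's single part the parameter and getTermResponse's part the return value. A WSDL is also the exact list of operations a service exposes, so whatever is in it is what the service's input validation has to cover.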
C XML
What is XML?
• XML stands for EXtensible Markup Language
• XML is a markup language much like HTML
• XML was designed to carry data, not to display data
• XML tags are not predefined. You must define your own tags
• XML is designed to be self-descriptive
The difference between XML and HTML: XML is not a replacement for HTML; XML and HTML were designed with different goals:
• XML was designed to transport and store data, with focus on what data is
• HTML was designed to display data, with focus on how data looks
HTML is about displaying information, while XML is about carrying information
Maybe it is a little hard to understand, but XML does not DO anything. XML was created to structure, store, and transport information.
Some characteristics of XML we should care about:
• With XML You Invent Your Own Tags
• XML is Not a Replacement for HTML
• XML is a software- and hardware-independent tool for carrying information. XML is now as important for the Web as HTML was to the foundation of the Web
• XML is the most common tool for data transmissions between all sorts of applications
• XML Separates Data from HTML
• XML Simplifies Data Sharing
• XML Simplifies Data Transport
• XML Simplifies Platform Changes
• XML Makes Your Data More Available
• XML is used to Create New Internet Languages
• A lot of new Internet languages are created with XML
Web services in a service oriented architecture
Web API is a development in Web services (in a movement called Web 2.0) where emphasis has been moving away from SOAP based services towards representational