有趣的 oAuth2 OpenID Connect
How to Think About OAuth
I’m not a deep OAuth 2.0 expert yet; at this point that label is reserved for the (substantial number of) people who wrote the specs. But I’ve worked with a few implementations and talked it over with smart people, and I have opinions. Summary: It’s a framework not a protocol, it has irritating problems, and it’s really very useful.
Real Internet Protocols · I mean things like HTTP and SMTP; plug a client and a server into each other and if it doesn’t Just Work, that’s surprising. ¶
OAuth 2.0 isn’t one of those; the language of the spec is full of “Out of scope” and “At the discretion of the implementor”. It’s not that a generic OAuth2 client might not interoperate with a generic server; it’s that there’s really no such thing as a “generic OAuth2 client” or “generic Oauth2 server”.
So, is it really a “Standard” in any useful sense? And should we invest in implementing it? Yes to both. OAuth2 is, for lack of a better word, a frameworkthat you can use to build actual real protocols.
For example, Google has an authorization protocol for accessing its APIsthat’s totally OAuth2. It meets our security needs and it’s been easy for us (and anyone else) to ship libraries for app builders to use, because there are starting to be common bits and pieces of framework implementation to use. And also because OAuth2 just isn’t that hard.
Another example would be OpenID Connect, OIDC for short. It’s trying really hard to be a real actual Internet Protocol; plug a client into a server and feel entitled to anger if it doesn’t Just Work. I’m super-interested in OIDC and starting to become a fan. In fact, it deserves its own space in ongoing, so let’s note that it’s built on OAuth2, push it on the stack, and return to it in another piece.
What OAuth2 Actually Does · Let’s work through it from back to front. The end-game of an OAuth2 invocation is an “Access Token”, just a string of characters. It’s called a “bearer token”, which means that you send it along with an HTTP request, either using the HTTP Authorization
header (which is the right way) or as an ?access_code=<token>
name/value pair tacked onto the end of a URI (which makes me nervous, and I wish people wouldn’t). ¶
Anyhow, the token represents the right for you to make that HTTP request to whatever the URI identifies. The tokens are fairly short-lived (an hour or less is typical) but can be refreshed. They can also be invalidated, in which case they stop working. For example, the string
ya29.AHES6ZQRUz_7TzCdPehdeGeh6g4yFIBZGOwi-nRJTlg3XoQ
was an access token that for an hour sometime last month represented the right for tbray@textuality.com to access the Google+ API.
OAuth2 also specifies how you go about getting a token; it’s a fairly involved HTTP dance involving several distinct servers, notably including:
One hosting the resource you’re trying to access,
one that can authenticate the person logged into the browser making the request, and
one that can issue and refresh the actual tokens.
Yes, it’s possible for some of them to be the same server, but whatever. The way it works is that the first redirects to the second redirects to the third and then you go back with your token to the first and do the actual work you started out trying to do.
The control can flow entirely back and forth through the browser, with simple-enough JavaScript, or through a back-channel between servers; the latter feels more natural and secure to me, but I guess I’m an old fogey who insufficiently worships all-browser-all-the-time logic.
The OAuth2 specs lay out how to build the target and redirect URIs and code the parameters and so on. They also specify that the app launching the dance has to be registered with the server-side logic in advance.
Anyhow, turn all those cranks and your token comes out of the machine and you’re off to the races. That’s about all there is to it; but it takes a whole lot of pages of specification-ware to describe all the pieces.
What’s Wrong With This Picture? · OAuth2 is controversial; the spec editor eventually got mad enough to stomp out of the room, and is now off in his own sandbox writing his own replacement for OAuth2. He (and others) have said these things about it: ¶
The spec suffers from enterprisey bloat; it’s too big and too complicated and can only be implemented by leviathans.
The notion of naked bearer token is insane; anyone who can eavesdrop on your HTTP conversation has the keys to the kingdom. The tokens need to be signed and/or encrypted and thus immune from tinkering.
The OAuth2 dance depends on Web-browser semantics with all those redirects, and thus isn’t really suitable for compiled mobile (as in iOS and Android) apps.
I think they’re all problems, but only one of them really costs me lost sleep. Let’s take them in order.
Is OAuth2 Too Big? · Yes, absolutely. It’s got way more stuff in it than, for example, an Internet company like Google needs; mostly things that are there to meet professed Enterprise requirements. The Working Group clearly needed more irritating loud-voiced minimalists stridently chanting YAGNI! YAGNI! YAGNI! ¶
The critics are right that it would be a big engineering challenge — maybe impossibly big — to build a quality implemention of the whole thing.
That doesn’t bother me as a Googler because I don’t think we’re going to try. We’ve built the parts of the framework we need to implement the protocols that we want to support, and I can’t see us caring much about the rest.
This is a time-honored practice among implementors facing over-ambitious standards (which a majority of standards are).
I’m pretty convinced that there’s a 80/20 point there inside OAuth2 that provides real value and is pretty tractable to implement. It might make sense, with a couple years’ experience, to write that subset down and give it a name.
Are Bearer Tokens Sane? · No, unless you encrypt your transport, in which case they are. I start with a bit of a prejudice here, since I think thatall Internet traffic should be private by default, i.e. be conducted using HTTPS. ¶
It’s like this: If you’re sending data that needs authentication/authorization back and forth over channels that are subject to eavesdropping, stolen bearer tokens are going to be the least of your problems.
I acknowledge my prejudice; but my convictions are reinforced by the fact that Google’s security gorgons, who are an exceptionally paranoid bunch of people, are OK with bearer tokens too.
Also, while I never worked with an OAuth 1 implementation, I sure heard lots of complaints about how hard it was to get the encryption and signing to interoperate. I have worked with several OAuth2 services and it’s no biggie. People I respect say that in principle OAuth 1 shouldn’t be hard. Maybe it’s simply that OAuth 2 has had better libraries ship faster than its predecessor?
At this point, cue whining from people who say they can’t HTTPS because they need to do deep packet inspection for reasons of load balancing or regulatory compliance or whatever. I think they’re mostly just Doing It Wrong, but if the bottom line is those people can’t use OAuth2, well OK.
How About Mobile? · Yeah, it’s a problem. People who use Google apps right now on iOS know all about it; you’re always having a browser pop out at you and you have to type in your password way, way more than you should have to, which on a mobile device is basically never. (Yes, we know that we need to do something about this.) ¶
We’ve worked around it on Android and made it easy for apps to get OAuth2 bearer tokens, but we had to build great gobs of Android and back-end code that bridge across lots of different pieces of Google infrastructure and were a major pain in the butt to debug; I know because I helped.
But what we got provides a pretty decent outcome; you can use Google’s APIs, and authenticate users to your own back-ends, with good performance, good security, and really rather nice user experience. I don’t see any reason why anyone else shouldn’t be able to do the same.
So maybe, even though OAuth2 isn’t a great fit for mobile apps, the cost/benefit analysis is such that we server-side folks should just suck it up and build the back-end code to make it work.
Having said that, I’ll take a good close look at anything that promises to make life easier for mobile-app writers.
Comments on this fragment are closed.
Updated: 2013/01/26
Contributions
Comment feed for ongoing:
From: Dick Hardt (Jan 25 2013, at 09:39)
Great write up Tim! Agreed the final spec is more complicated than it shold be. Part of that was Eran insisting on the Bearer Token aspect be in a separate document.
[link]
From: Adrius42 (Jan 25 2013, at 13:30)
My sense is that any standard that necessarily allows "corporates" to insert their percieved needs will bloat, I watched that happen with X.400. Happily as a result of the bloated discussions some clever folks were able to distil out SMTP.
Perhaps we are simply on a journey (Highland Park, my favourite distilled product), with gallons of wort has to go through a wash back stage that often causes vibrations. It is arguable that there is no other way to achieve the finest distilled product.
Though a master distiller knows that it is the final "Ceremony" that they are aiming for... they have the knowledge and patience to go through the mash tun phase.
My favourite; Highland Park, takes 18 years from barley to lip. While it is possible to create lesser products more quickly from potatoe, they will always be just that ... lesser!
Here's to the journey! My only hope is that the Identity Master Distillers understand that their clients are NOT the corporates, but those that will consume what they produce. Here's to a final product that will have a fine nose and an excellent finish.
[link]
From: jrochkind (Jan 25 2013, at 15:50)
> That doesn’t bother me as a Googler because I don’t think we’re going to try. We’ve built the parts of the framework we need to implement the protocols that we want to support, and I can’t see us caring much about the rest.
Okay, what I'm not sure i see is what the actual _value_ of having a 'framework for building protocols' like this.
It's not a protocol, there's no such thing as a 'generic implementation', it's a framework for building specific protocols. OP isn't bothered by the complexity, even though it would be infeasible to implement 'the whole thing', because they just build their own concrete much simpler protocol out of the framework, and only have to implement that, and their clients only have to implement clients for that.
Fair enough.. but what did the OAuth 'framework' actually _get anyone_ then? What value did it add?
* Would Google have found it much harder to implement the protocol from scratch, without the OAuth framework to guide the?
* Does it matter to anyone that the concrete protocol they devised is 'compliant' with the OAuth framework?
** If when devising their concrete protocol, they had decided it made more sense to do something that actually violated the OAuth framework (if that's even possible, it's so flexible)... would it matter? If so, why?
Unless the answer to any of these questions is 'yes'... or there's some other 'yes' question I'm not thinking of... I don't see what the point of having this generic monstrously flexible OAuth 'framework for building a protocol' is. Sure, it might not get in your way, but what does it help, how does it simplify rather than confuse?
[link]
From: ebenezer (Jan 26 2013, at 11:34)
“access the Gooogle+ API” was probably supposed to have been “access the Google+ API.” :)
[link]
From: Antonio (Jan 27 2013, at 03:17)
Great stuff Tim.
I do agree to any of your points.
I would add couple of new points though.
One more issue with the OAuth 2 framework is the lack of choices made from the editors (as mentioned also from Eran Hammer). You need to really be a security expert in order to make things right.
Another thing that "bothers" me is that a lot of "entities" used OAuth as an Authentication protocol (see also the very detailed article of Vittorio Bertucci from Microsoft [0]) and this can be an issue specially in the client side flow .
Google not surprisingly does it right (using open id connect) and there is a warning on the client side flow doc about the "confused deputy problem" but believe me, not many providers do it.
[0] http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
Antonio
[link]
From: Hannes Tschofenig (Jan 28 2013, at 04:02)
A short remark to a statement made by Adrius42:
"
My sense is that any standard that necessarily allows "corporates" to insert their percieved needs will bloat
"
Most people have to work for someone in order to earn money. Eran, for example, worked for Yahoo when he was working on the specification.
[link]
From: Hannes Tschofenig (Jan 28 2013, at 04:17)
You write: "Real Internet Protocols · I mean things like HTTP and SMTP. plug a client and a server into each other and if it doesn’t Just Work, that’s surprising. OAuth 2.0 isn’t one of those"
First, you have to describe what you call OAuth 2.0. There are various people who refer only the core spec, others use the term to refer to a specific deployment (such as Facebook's OAuth 2.0 implementation).
The comparison with HTTP and SMTP is also a bit challenging since in the case of OAuth you are talking about a multi-party security protocol.
Finally, you have to explain what you mean by "works". Is it that everyone is able to access everything?
Like with many security protocols you have to think about the treats you are concerned with, and what your security requirements are. It turns out that the security concerns that Eran had were quite different to other people and hence it was difficult to up with only one way to do it. Eran, for example, cared a lot about having the OAuth client implementation to actively participate in the cryptographic protocol exchange (via a keyed message digest) but he didn't care much about privacy or protecting the data that was exchanged as a result of a successful OAuth 2.0 authorization. His views were most likely driven by what Yahoo needed and those aspects weren't important to them (as it still seems). But not everyone has the same needs.
[link]
From: Prateek Mishra (Feb 06 2013, at 06:50)
Two comments -
1) I would be interested in learning more about Android utilities/libraries that make it easier to use OAuth 2.0 for applications on mobile devices. We also find this as an area of difficulty.
You mention investments that Google has made in this area. Are there any plans to make these generally available to the Android community?
2) Regarding the various flaws of OAuth 2.0, well, I believe these perceptions may be shaped by (lack of) experience with identity systems.
Use of bearer instruments (e.g., cookies) over TLS is the norm on the internet; application-level signature and encryption is MUCH more complex and error-prone. Finally, a comparison with the SAML 2.0 specifications (another multi-party protocol) would provide a fairer test to assess OAuth 2.0 complexity.
[link]
Truth · Biz · Tech
author · Dad · software ·colophon · rights
· Technology (74 fragments)
· · Identity (39 more)
· · Web (376 more)
By Tim Bray.
I work for Google, but the
opinions expressed here are
my own, and no other party
necessarily agrees with them.
A full disclosure of my
professional interests is
on the author page.
有趣的 oAuth2 OpenID Connect相关推荐
- 手机连接到linux,使用KDE Connect将Android手机连接到Linux
目的 在Linux和Android上安装和配置KDE Connect. 发行版 这几乎适用于所有Linux发行版. 要求 具有Plasma和root特权的有效Linux安装.另外,Android设 ...
- 解决navicat连接阿里云服务器的mysql报错:1130 . Host 16.8 85 isnot alowed to con nect to this MySQL server
解决navicat连接阿里云服务器的mysql报错:1130 . Host 16.8 85 isnot alowed to con nect to this MySQL server 报错效果 报错原 ...
- 认证与授权协议对比:OAuth2、OpenID、SMAL
认证授权是目前大多数系统都必须要实现都功能,认证就是验证用户都身份,授权就是验证身份后对受限资源的访问控制.最开始是单个平台要做,后来在互联网时代到来,一个账户可登陆多个平台,然后是各种开放平台账户共 ...
- 微信网页授权获取用户openid及用户信息
$code = $_GET["code"];//获取code $appid="xxxx";//公众号appid $APPSECRET="xxx&quo ...
- php获取微信小程序用户头像,微信小程序获取用户头像+昵称+openid,小程序登录!附前端后端源码!...
做一款小程序,如果需要判断用户,当然要获取一些基本信息,例如头像,昵称,openid.所以本次案例就直接上代码了. 小程序前端 index.wxml 获取头像昵称 {{userInfo.nickNam ...
- 微信公众号网页授权,获取用户信息以及openid -- PHP后台
微信公众号网页授权,获取用户信息以及openid 这几天做项目,想通过公众号的appid获取用户的openid就,然后在网上查资料,问朋友,最后找到了方法,就是这个网页授权. 起初一直很蒙,这个怎么弄 ...
- php微信获取openid_如何通过PHP获取微信用户的openid和基本信息
本篇讲解通过PHP获取微信用户的openid和基本信息的操作. 基本配置public function getcode(){ //基本配置 $appid=''; $redirect_uri=urlen ...
- 华为epg-sms 多cp_Linux桌面上的SMS,Linux 25岁生日以及更多开源新闻
华为epg-sms 多cp 在本周的开源新闻摘要中,我们介绍了Linux桌面上的SMS,Linux的25岁生日,廉价的生态家园等等. 2016年8月28日至9月3日的开源新闻摘要 KDE Conn ...
- adafruit1306_Adafruit的2015年最佳开源可穿戴设备
adafruit1306 过去一年中,可穿戴电子产品爆炸式增长. 现在市场上有无数的小型设备,不仅用于健身追踪,而且还用于改善姿势,防晒霜提醒,肌肉感应手势控制等等. 随着人体技术的普及比以往任何时候 ...
最新文章
- Python数据挖掘:数据转换-数据规范化
- Openstack组件部署 — Nova_Install and configure a compute node
- java 底层运行_从表面到底层丨Java和JVM的运行原理,现在带给你
- 2.5 matlab稀疏矩阵
- VNC viewer远程连接linux桌面
- 浙江工商大学计算机学院调剂录取,浙江工商大学2017年硕士研究生调剂拟录取名单公布(持续更新)...
- Python 文件读写操作-Python零基础入门教程
- 华为鸿蒙战略布局,继5G与鸿蒙后又一重要布局:华为发布计算战略
- 如何用PHP实现Socket服务器
- JavaScript简单入门教程学习篇
- 2016年计算机辅助设计试题,cad考试题「附答案」
- java为什么用咖啡?
- 制作字幕.html教程,如何制作电影字幕,视频字幕制作软件|免费给视频加字幕
- 9.23 未来的规划 BEC
- 返回结果集Result类
- 独立显卡的电脑找不到独立显卡该怎么办
- 【Vue项目复习笔记】详情页的展示
- UE《空山新雨后》总结笔记
- 初中 昆虫记思维导图_《昆虫记》的思维导图
- 博达网站服务器地址怎么查,路由器博达路由器配置经典教程
热门文章
- 神奇的计算机世界教案,神奇的计算机世界.doc
- 因果推理之霍克斯过程 Hawkes process
- 网络编程——TCP通信
- clickhouse-mysql数据同步
- Java job interview:实习生项目小程序架构研发系统集成技术
- Educational Codeforces Round 101 D. Ceil Divisions(构造)
- 软件版本阶段与语义化版本(SemVer)
- 6-2 综合成绩排名-结构体二 (100分)
- 【漆学军】MT4进阶到MT5速成之路(2)获取持仓
- python同义词替换(jieba分词)