Lecture 10 Flashcards

1
Q

What is OAuth2?

A

An HTTP-based set of protocols that allows resource owners to delegate resource access. It uses a token-based authorisation system; the tokens are similar to Kerberos tickets.

2
Q

What does security capabilities refer to?

A

In the abstract notion of an access control matrix, access control lists collect the users per privilege, whereas security capabilities instead collect the privileges for a user.
The permission to perform some action can be decoupled from identity, with the permission stored in a capability, which is short-lived compared to a user's privilege. One of the primary benefits is the ability to transfer a capability to some other principal.

3
Q

How can security capabilities be provided to OAuth clients?

A

A token could be passed indirectly to the OAuth client through an intermediary authorisation service; this requires transport-level security, as the token is password-equivalent.
It could also be done by encoding data that only the target service can decrypt.

4
Q

How many participants are there in OAuth2 and Kerberos?

A

In Kerberos there are three: a user agent, a target service, and a security service.
OAuth2 has a resource owner;
a client, the software trying to access the resource owner's data; a resource server, where the resource owner's data is stored;
and an authorization server, which authenticates the resource owner, obtains authorisation, and issues access tokens to the client.

5
Q

What are session fixation attacks?

A

Session fixation attacks occur when an attacker sets the victim's session, allowing the attacker to then join that session.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is a CSRF?

A

Cross-Site Request Forgery is an attack which works by skipping cryptography: an attacker embeds data on a.org which sends an HTTP request targeting b.org; if the victim still has a valid session on b.org, the target site may honour the attacker's request.

7
Q

What is a nonce?

A

An arbitrary number that can be used only once in a cryptographic communication.

8
Q

How does a client set up with OAuth 2.0?

A

OAuth 2.0 requires registration of the client application with the authorisation server; the means of registration are not specified, it is done once, and it does not involve the resource owner. Registration involves specifying the client type and providing redirection URIs (uniform resource identifiers).
The authorisation server then provides, as a record of registration, a client ID (which identifies the application) and a client secret. Clients are of two types: confidential, meaning they can keep secrets, or public, meaning they cannot keep secrets.

9
Q

What are the steps for authorisation in OAuth?

A
  1. The client presents a login URL to the resource owner.
  2. The resource owner visits the URL, authenticates, and gives approval to the authorization server.
  3. The authorisation server redirects using the client's redirect URI.
  4. The resource owner provides the client with the authorization code.
  5. The client presents the authorization code to the authorization server.
  6. The client receives an access token from the authorization server.
  7. The client presents the access token to the resource server.
  8. The resource is provided to the client.
10
Q

What is an OAuth 2 grant type? What are the main ones?

A

Grant types provide different ways to acquire access tokens.
The four main ones are:
Authorization code, for apps on a web server. Here the authorization server is an intermediary between the client and the resource owner, which means the RO's credentials and the client's credentials are never shared.
Implicit, for browser-based or mobile apps. Here the authorisation code step is skipped and the token is delivered straight to the client, without requiring a client secret.
RO password credentials, for gaining the RO's login. The client receives the resource owner's username and password, which requires a lot of trust in the client. It still creates tokens from the RO's password, so it can be used as a transition layer.
Client credentials, for application access, when the client is not acting on behalf of the resource owner.

11
Q

What occurs when a request for an access token is valid? What are the two types?

A

The response adds JSON to an HTTP 200 body containing the access_token and a token_type. It may also contain expires_in (the lifetime of the token in seconds),
refresh_token (a renewable ticket), and scope (the client requests some scope, which the resource server can restrict).
The token type can be bearer, meaning that if the client bears the token it is authorised, or MAC, in which case the client must demonstrate that it has the symmetric session key shared with the resource server. The client uses the session key to encrypt data which the resource server can check.
