_________________________________________________
CSC427 Authentication and Authorization Tutorial
By Brian and Arslan
_________________________________________________

1. What is the difference between authentication and authorization?

2. You are trying to implement three-factor authentication (3FA), but you exclude the location factor. Provide three examples of elements that would fulfill this 3FA. Beside each element, write down the associated factor category (knowledge, possession, inherence).

3. Why is SMS two-factor authentication not secure? Provide at least two reasons.

4. What is the difference between TOTP-based authentication and push-based authentication in terms of the network connection between client and server? Why is TOTP-based authentication able to do this?

5. What is the most important aspect of OAuth 2.0 that protects the privacy of user accounts being accessed by third parties?

-------------------------------------------------
************************** PLEASE READ THE FOLLOWING **************************

As an extra precaution for the following exercise, PLEASE USE A GOOGLE ACCOUNT THAT YOU KNOW IS DISPOSABLE, OR SIMPLY CREATE A NEW DISPOSABLE GOOGLE ACCOUNT. This is because you will be granting Google OAuth 2.0 Playground access to data from a variety of APIs associated with the Google account (e.g. Google Docs, Google Calendar, YouTube Data, etc.). IF YOU DO DECIDE TO USE YOUR PERSONAL GOOGLE ACCOUNT, YOU DO SO AT YOUR OWN RISK. Make sure you are logged out of your personal Google account before proceeding.
-------------------------------------------------

In this exercise, you will be looking at the exchanges between an OAuth 2.0 client and an OAuth 2.0 server. Be mindful of which role each of the websites you visit (developers.google.com, accounts.google.com) plays.
Visit the following website: https://developers.google.com/oauthplayground/

**NOTE: If you need to reset everything and start from the beginning, press the x symbol beside the "OAuth 2.0 Playground" heading.

-Under Step 1, select the dropdown for "Calendar API v3".
-In the dropdown, select "https://www.googleapis.com/auth/calendar.readonly" and press the "Authorize APIs" button below.
-When prompted to enter Google account credentials, use your disposable account.
-Press the "Allow" button on the following authorization screen.
-You should be redirected back to OAuth 2.0 Playground with new Requests/Responses displayed on the right.
-The redirect_uri, client_id, and scope should be parameters in the request.

1. Look at the GET response (the redirect back to the redirect_uri). What is the parameter "code" supposed to represent? How will it be used?

-Press the "Exchange" button under Step 2.
-The Request/Response section on the right should be updated with a POST and a 200 OK status.
-Here, the response holds the access_token and refresh_token in a JSON object.

2. In the POST, there is a redirect_uri parameter. What is it used for in this context?

-Open Step 2 again. Notice the red timer indicating access token expiry.

3. How much time was the access token valid for initially? Where was the JSON object sent to: the client or the server?

4. Copy and paste the "access_token" value from the JSON object below.

-Press the "Exchange" button again. Observe that the authorization code is not accepted anymore: an authorization code is single-use, and it was already redeemed in the previous exchange.
-Press the "Refresh access token" button. The Request/Response section will be updated again.

5. Copy and paste the "access_token" value from the JSON object below. Observe the difference from the token in question 4, as well as the resetting of the expiration timer.

-Next, open Step 3. Press "List possible operations". Select an operation and press "Send the request".
-Observe how the access token is sent in the GET request (as a Bearer token in the Authorization header), and how the requested data is returned as a JSON object in the response.

6. Which website (developers.google.com, accounts.google.com) was acting as the OAuth client, and which was acting as the OAuth provider?

-Experiment with different operations and APIs if you would like. Otherwise, you are finished with the tutorial!
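To make the exchange you just traced in the Playground concrete, here is an added example (written for this tutorial, not Google's or the Playground's own code) that replays Steps 1 to 3 against a toy authorization server in Python. The client_id, client_secret and the FakeClock are assumptions constructed for the example; the lifetimes are assumptions too (600 s for the code, following the RFC 6749 recommendation of at most 10 minutes, and 3600 s for the access token, matching the timer the Playground shows). It shows why the second "Exchange" fails (the code is single-use and bound to the redirect_uri it was issued for), why the timer matters (the resource server rejects an expired Bearer token), and what "Refresh access token" actually returns (a new access token, no new refresh token).

```python
import secrets
import time


class FakeClock:
    """Constructed clock so the example can fast-forward past token expiry offline."""

    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Toy stand-in for the provider's authorization endpoint, token endpoint and
    resource server. TTLs are assumptions (RFC 6749 suggests codes live <= 10 min;
    the Playground shows access tokens valid for 3600 s)."""

    CODE_TTL = 600
    ACCESS_TTL = 3600

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}         # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}           # code -> record; marked used after one exchange
        self.access_tokens = {}   # access token -> {"scope", "expires"}
        self.refresh_tokens = {}  # refresh token -> {"client_id", "scope"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope):
        """Authorization endpoint: after login and consent (assumed granted here),
        send the browser back to redirect_uri carrying a short-lived code."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "expires": self.clock() + self.CODE_TTL,
                            "used": False}
        return f"{redirect_uri}?code={code}"

    def token(self, grant_type, client_id, client_secret, code=None,
              redirect_uri=None, refresh_token=None):
        """Token endpoint (the POST in Step 2). Returns the JSON body as a dict."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            rec = self.codes.get(code)
            # Single use, time-limited, and bound to the client and redirect_uri the
            # code was issued for: any mismatch or replay is an invalid_grant.
            if (rec is None or rec["used"] or rec["expires"] < self.clock()
                    or rec["client_id"] != client_id
                    or rec["redirect_uri"] != redirect_uri):
                return {"error": "invalid_grant"}
            rec["used"] = True
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = {"client_id": client_id, "scope": rec["scope"]}
            return self._issue_access(rec["scope"], refresh)
        if grant_type == "refresh_token":
            rec = self.refresh_tokens.get(refresh_token)
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            return self._issue_access(rec["scope"], None)
        return {"error": "unsupported_grant_type"}

    def _issue_access(self, scope, refresh):
        tok = secrets.token_urlsafe(32)
        self.access_tokens[tok] = {"scope": scope, "expires": self.clock() + self.ACCESS_TTL}
        body = {"access_token": tok, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": scope}
        if refresh is not None:  # only the code exchange hands out a refresh token
            body["refresh_token"] = refresh
        return body

    def check_bearer(self, authorization_header, required_scope):
        """Resource server side (e.g. the Calendar API): validate the Bearer token
        on each API request, rejecting unknown, expired or under-scoped tokens."""
        scheme, _, tok = (authorization_header or "").partition(" ")
        rec = self.access_tokens.get(tok)
        if scheme != "Bearer" or rec is None or rec["expires"] <= self.clock():
            return False
        return required_scope in rec["scope"].split()


def run_flow():
    """Replays the tutorial's Steps 1-3 and returns what each stage produced."""
    clock = FakeClock()
    srv = AuthorizationServer(clock)
    client_id, client_secret = "playground-client", "playground-secret"  # assumed values
    redirect_uri = "https://developers.google.com/oauthplayground"
    scope = "https://www.googleapis.com/auth/calendar.readonly"
    srv.register_client(client_id, client_secret, redirect_uri)
    # Step 1: user consents; the browser is sent back to the client with ?code=...
    code = srv.authorize(client_id, redirect_uri, scope).split("code=")[1]
    wrong_uri = srv.token("authorization_code", client_id, client_secret,
                          code=code, redirect_uri="https://attacker.example/cb")
    # Step 2: exchange the code; pressing "Exchange" again replays a consumed code.
    first = srv.token("authorization_code", client_id, client_secret,
                      code=code, redirect_uri=redirect_uri)
    replay = srv.token("authorization_code", client_id, client_secret,
                       code=code, redirect_uri=redirect_uri)
    # Step 3: the API call carries the access token as a Bearer token.
    before_expiry = srv.check_bearer(f"Bearer {first['access_token']}", scope)
    clock.advance(AuthorizationServer.ACCESS_TTL + 1)
    after_expiry = srv.check_bearer(f"Bearer {first['access_token']}", scope)
    refreshed = srv.token("refresh_token", client_id, client_secret,
                          refresh_token=first["refresh_token"])
    after_refresh = srv.check_bearer(f"Bearer {refreshed['access_token']}", scope)
    return {"wrong_uri": wrong_uri, "first": first, "replay": replay,
            "before_expiry": before_expiry, "after_expiry": after_expiry,
            "refreshed": refreshed, "after_refresh": after_refresh}


if __name__ == "__main__":
    for stage, outcome in run_flow().items():
        print(f"{stage}: {outcome}")
```

Note how the client never sees the user's Google password: the browser is sent to the provider for login and consent, and the client only ever receives a code, then tokens limited to the requested scope. That separation is what questions 2, 5 and 6 are probing.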