Security in the OCC layer is a very important aspect. We may have many APIs that we want to secure and expose only to authorized entities. The security layer in OCC is managed by a highly configurable Spring Security mechanism. Our application may be accessed by a real user or by an external system such as a backend, a front-end system or a mobile application. Whoever gains access to our system is known as the principal.
There are two important aspects of security in the OCC layer: Authentication and Authorization.
Authentication: checking the credentials provided by the user or external system. If the credentials are validated successfully, the user is allowed into the application.
Authorization: another important factor, determining access to a resource. After authentication, it is authorization that decides whether a customer or external user can access a particular resource or not. On the basis of authentication, roles get assigned to the user, which in turn authorize them to access resources.
To achieve these two fundamental principles of security, OCC uses the standard OAuth2 protocol.
Spring Security in OCC Layer
Spring Security comes into the picture with the configuration files below:
/ycommercewebservices/web/webroot/WEB-INF/config/common/security-spring.xml
/ycommercewebservices/web/webroot/WEB-INF/config/v2/security-v2-spring.xml - for V2
springSecurityFilterChain – this filter in the OCC filter chain enables Spring Security for OCC RESTful calls.
The @Secured annotation indicates whether a request mapping (API) needs authentication/authorization or not.
Detail about OAuth in Hybris
As per OAuth2 official site
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
To enable the OAuth 2 feature, the core extension oauth2 is included in localextensions.xml. It enables the Authorization Server.
The configuration for OAuth 2 is stored in the platform extension, and its server settings can be managed using the properties mentioned in project.properties.
Role of Authorization Server in OAuth
Once we add the oauth2 extension to our localextensions file, the authorization server gets enabled. It serves two major purposes: token generation and, afterwards, validation of that token. The authorization server exposes two endpoints:
- /oauth/token
- /oauth/authorize
An OAuth token can be generated using the URL below:
Method type: POST
URL: https://localhost:9002/authorizationserver/oauth/token?grant_type=password&scope=extended&username=TEST&password=12341234&client_id=trusted_client&client_secret=1234
More details about the parameters used in the above URL are listed in the OAuth Client Details section below.
The response for the above URL will look like:
{
    "access_token": "2390gft2-60dt-4650-h61b-9hy3563d309d",
    "expires_in": "3600",
    "refresh_token": "g7gc7020-40gb-43b6-g76a-33091c4de3cz",
    "scope": "extended",
    "token_type": "bearer"
}
OAuth Client Details
INSERT_UPDATE OAuthClientDetails;clientId[unique=true] ;resourceIds ;scope ;authorizedGrantTypes ;authorities ;clientSecret ;registeredRedirectUri
;client-side ;hybris ;basic ;implicit,client_credentials ;ROLE_CLIENT ;secret ;http://localhost:9001/authorizationserver/oauth2_implicit_callback;
;mobile_android ;hybris ;basic
- Authorities: sets which authorities are associated with the client, e.g. ROLE_TRUSTED_CLIENT, ROLE_ADMIN or ROLE_CLIENT.
- Authorized Grant Types: the grant types available to the client, for example refresh_token, password (we must pass the username and credentials of the customer whose resources we want to access), authorization_code and client_credentials. It determines which token-acquisition flow this client may use.
- Scopes: the list of scopes to which the client is limited.
- Access Token Validity Seconds: the access token validity, in seconds.
- Refresh Token Validity Seconds: the refresh token validity; its value is stored in seconds.
Refresh Token in OAuth
With a refresh token, the client does not have to remember the user's credentials; it only has to remember the tokens. To exchange a refresh token for a new access token, the grant type must be "refresh_token". The server response would look like the one below:
{
    "access_token": "f60aeeb9-9095-4899-9480-5gth432436hc",
    "token_type": "bearer",
    "refresh_token": "90f0d5te-62hf-423d-8d6d-60a3bfe780d9",
    "expires_in": 43199,
    "scope": "customer"
}
Token Revocation
The /revoke endpoint in the oauth2 extension is used to revoke issued tokens. We can use the curl command below to revoke a token (the caller authenticates with a bearer token and names the token to revoke; --insecure only skips TLS certificate checks against the local development server):
curl -X POST -H "Authorization: Bearer d7689e7c-957e-46ea-949b-c39afb1c9935" https://localhost:9002/authorizationserver/oauth/revoke -d "token=d7689e7c-957e-46ea-949b-c39afb1c9935" --insecure
Important OAuth2 Properties in Hybris
webservicescommons.required.channel
oauthauthorizationserver.tokenServices.reuseRefreshToken
oauth2.supportRefreshToken - indicates whether refresh tokens are supported or not
oauth2.refreshTokenValiditySeconds - the validity of the refresh token, in seconds
oauth2.cleanupAccessToken.maxRows
oauth2.accessTokenValiditySeconds - the validity of the access token, in seconds
oauth2.maxAuthenticationAttempts - used to prevent brute-force attacks; its default value is 10
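The following is an added example, not code from this post or from SAP Commerce: an in-memory model of the behaviour described in the token generation, OAuth Client Details, Refresh Token, Token Revocation and properties sections above, so the rules can be exercised offline. The client registrations, user store, fake clock and property values (other than the stated default of 10 authentication attempts) are constructed for the demo; the real authorization server reads OAuthClientDetails items and the oauth2.* properties instead.

```python
import secrets
import time

# Constructed client registrations, shaped like OAuthClientDetails rows
# (clientId, clientSecret, scope, authorizedGrantTypes); values are sample data.
CLIENTS = {
    "trusted_client": {"secret": "secret", "scopes": {"basic", "extended"},
                       "grants": {"password", "refresh_token"}},
    "client-side": {"secret": "secret", "scopes": {"basic"},
                    "grants": {"implicit", "client_credentials"}},
}
USERS = {"TEST": "12341234"}  # constructed user store; the real server checks Hybris users

# Counterparts of the properties listed in the post (assumed demo values,
# except the attempt limit, whose default the post gives as 10).
ACCESS_TOKEN_VALIDITY = 3600         # oauth2.accessTokenValiditySeconds
REFRESH_TOKEN_VALIDITY = 30 * 86400  # oauth2.refreshTokenValiditySeconds
MAX_AUTH_ATTEMPTS = 10               # oauth2.maxAuthenticationAttempts
REUSE_REFRESH_TOKEN = False          # oauthauthorizationserver.tokenServices.reuseRefreshToken


class AuthorizationServer:
    """In-memory stand-in for /oauth/token and /oauth/revoke (hypothetical, for the demo)."""

    def __init__(self, now=time.time):
        self.now = now
        self.access, self.refresh, self.failed = {}, {}, {}

    def _client(self, client_id, client_secret, grant_type):
        c = CLIENTS.get(client_id)
        if c is None or not secrets.compare_digest(c["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type not in c["grants"]:            # authorizedGrantTypes check
            raise PermissionError("unauthorized_client")
        return c

    def _issue(self, client_id, user, scope, refresh_token=None):
        """Build a response shaped like the /oauth/token JSON shown in the post."""
        access = secrets.token_hex(16)
        self.access[access] = {"user": user, "scope": scope, "client": client_id,
                               "exp": self.now() + ACCESS_TOKEN_VALIDITY}
        if refresh_token is None:                    # fresh refresh token unless reusing
            refresh_token = secrets.token_hex(16)
            self.refresh[refresh_token] = {"user": user, "scope": scope, "client": client_id,
                                           "exp": self.now() + REFRESH_TOKEN_VALIDITY}
        return {"access_token": access, "token_type": "bearer", "refresh_token": refresh_token,
                "expires_in": ACCESS_TOKEN_VALIDITY, "scope": scope}

    def token(self, grant_type, client_id, client_secret, scope="basic", **p):
        """POST /oauth/token for the password and refresh_token grants."""
        client = self._client(client_id, client_secret, grant_type)
        if scope not in client["scopes"]:            # client is limited to its scopes
            raise PermissionError("invalid_scope")
        if grant_type == "password":
            user = p["username"]
            if self.failed.get(user, 0) >= MAX_AUTH_ATTEMPTS:
                raise PermissionError("account_locked")  # brute-force limit reached
            if USERS.get(user) != p["password"]:
                self.failed[user] = self.failed.get(user, 0) + 1
                raise PermissionError("bad_credentials")
            self.failed[user] = 0
            return self._issue(client_id, user, scope)
        if grant_type == "refresh_token":
            old = p["refresh_token"]
            rec = self.refresh.get(old)
            if rec is None or rec["exp"] < self.now() or rec["client"] != client_id:
                raise PermissionError("invalid_grant")
            if REUSE_REFRESH_TOKEN:                  # hand the same refresh token back
                return self._issue(client_id, rec["user"], rec["scope"], refresh_token=old)
            del self.refresh[old]                    # rotate: the old refresh token dies
            return self._issue(client_id, rec["user"], rec["scope"])
        raise PermissionError("unsupported_grant_type")

    def authenticate(self, bearer):
        """What the OCC resource side does per request: bearer token -> principal, or None."""
        rec = self.access.get(bearer)
        if rec is None or rec["exp"] < self.now():
            return None
        return {"principal": rec["user"], "scope": rec["scope"]}

    def revoke(self, bearer, token):
        """POST /oauth/revoke: caller proves possession of a valid token, then names one to revoke."""
        if self.authenticate(bearer) is None:
            raise PermissionError("invalid_token")
        self.access.pop(token, None)
        self.refresh.pop(token, None)


def _fails(call):
    """Return the OAuth error name if the call is refused, else None."""
    try:
        call()
        return None
    except PermissionError as e:
        return str(e)


def run_lifecycle():
    """Drive the flows from the post against a fake clock; returns checkable facts."""
    clock = [1_000_000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    out = {}
    first = srv.token("password", "trusted_client", "secret", scope="extended",
                      username="TEST", password="12341234")
    out["principal"] = srv.authenticate(first["access_token"])["principal"]
    clock[0] += ACCESS_TOKEN_VALIDITY + 1            # access token expires, refresh token does not
    out["expired"] = srv.authenticate(first["access_token"]) is None
    second = srv.token("refresh_token", "trusted_client", "secret", scope="extended",
                       refresh_token=first["refresh_token"])
    out["refreshed"] = srv.authenticate(second["access_token"]) is not None
    out["old_refresh_rejected"] = _fails(lambda: srv.token(
        "refresh_token", "trusted_client", "secret", refresh_token=first["refresh_token"]))
    srv.revoke(second["access_token"], second["access_token"])
    out["revoked"] = srv.authenticate(second["access_token"]) is None
    out["grant_blocked"] = _fails(lambda: srv.token(  # client-side has no password grant
        "password", "client-side", "secret", username="TEST", password="12341234"))
    for _ in range(MAX_AUTH_ATTEMPTS):               # exhaust the attempt budget
        _fails(lambda: srv.token("password", "trusted_client", "secret",
                                 username="TEST", password="wrong"))
    out["locked"] = _fails(lambda: srv.token("password", "trusted_client", "secret",
                                             username="TEST", password="12341234"))
    return out


if __name__ == "__main__":
    print(run_lifecycle())
```

Running the script walks one client through the password grant, access-token expiry, the refresh_token grant with rotation (an already-used refresh token is refused while reuseRefreshToken is false), revocation, a client whose authorizedGrantTypes exclude password, and the lockout that maxAuthenticationAttempts is meant to provide.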