The standard
RFC6749
Checkpoint
The problem
The history
1.1 Roles
resource owner
resource server
authorization server
client
[Diagram label, Java client snippet: @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]
1.2 Flow
[Flow diagram of the abstract protocol flow; message labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as the Java snippet @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]
1.3 Authorization Grant
•  Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)
1.4 Access Token
•  a string representing an authorization
– usually opaque to the client
•  may denote an identifier used to retrieve
the authorization information
•  may self-contain the authorization
information in a verifiable manner
•  details in companion specifications
1.5 Refresh Token
•  credentials used to obtain access tokens
– when access token has expired
– long lived (forever and ever)
– only sent to authorization server
– denotes an identifier used to retrieve the
authorization information
– OPTIONAL
2.0 Client Registration
•  Needs to be done (client type, redirect URI, keys)
•  Details out-of-scope for RFC6749
– Manual
– OAuth 2.0 Dynamic Client Registration Protocol
•  draft-ietf-oauth-dyn-reg-09
– OpenID Connect Dynamic Client Registration 1.0 - draft 08
•  Real world examples
– Google
– Facebook
– Twitter
2.1 Client types
•  Confidential
– web application
•  Public
– user-agent-based application
– native application
2.2/3 Identifier & Auth
•  Client Identifier
– client_id (string, not secret)
•  Client Authentication (confidential client type)
– Basic Authentication (client_id:client_secret)
•  And
– Other Authentication Methods
– Unregistered
3.0 Protocol Endpoints
•  authorization server endpoints (URLs)
– Authorization endpoint
– Token endpoint
•  client endpoint
– Redirection endpoint
•  resource server
– As required…
4.0 Obtaining Authorization
•  Our main target is getting an Access Token
– There are a couple of ways to do it
•  depending on the client type
4.1 Authorization Code Grant
[Flow diagram; labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource, Authentication (the resource owner authenticates at the authorization server); the client is drawn as a code snippet]
4.2 Implicit Grant
[Flow diagram; labels: Authorization Request, Authentication, Access Token, Redirection URI, Script, Access Token, Protected Resource, resource; the client and the web-hosted client resource are drawn as code snippets]
4.3 Resource Owner Password Credentials Grant
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as a code snippet]
4.4 Client Credentials Grant
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as a code snippet]
4.5 Extension Grants
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
(grant_type decoded: urn:ietf:params:oauth:grant-type:saml2-bearer)
------ Example is OAuth-SAML2
5. Issuing an Access Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
5.1 Successful response
•  access_token
–  REQUIRED
•  token_type
–  REQUIRED
•  expires_in
–  RECOMMENDED
•  refresh_token
–  OPTIONAL
•  scope
–  OPTIONAL if identical to the scope the client requested, otherwise REQUIRED
6.0 Refreshing an Access Token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
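Added example, not from the slides: a client-side check of the 5.1 token response shown above and construction of the section 6 refresh request, in Python. It assumes the client_id/client_secret pair s6BhdRkqt3/gX1fBat3bV, the RFC 6749 example pair that the Basic header on the refresh slide encodes, and a constructed requested scope.

```python
import base64
import json
from urllib.parse import quote, urlencode

# The JSON body from the "5. Issuing an Access Token" slide.
TOKEN_RESPONSE_BODY = """{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}"""


def parse_token_response(body: str, requested_scope: str = "") -> dict:
    """Check a section 5.1 success response before trusting it.

    access_token and token_type are REQUIRED, expires_in is RECOMMENDED and
    must be a positive number of seconds, refresh_token is OPTIONAL, and scope
    may be omitted only when it is identical to the scope the client asked for,
    so an absent scope is read as "exactly what we requested".
    """
    data = json.loads(body)
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise ValueError(f"token response lacks required field {field!r}")
    expires_in = data.get("expires_in")
    if expires_in is not None:
        if isinstance(expires_in, str) and expires_in.isdigit():
            expires_in = int(expires_in)  # some servers send it as a string
        if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
            raise ValueError("expires_in must be a positive integer (seconds)")
    granted = data.get("scope", requested_scope).split()
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"].lower(),  # case-insensitive per 5.1
        "expires_in": expires_in,
        "refresh_token": data.get("refresh_token"),
        "scope": granted,
        # scopes asked for but not granted; the server may narrow the request
        "missing_scope": sorted(set(requested_scope.split()) - set(granted)),
    }


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """Section 2.3.1: form-urlencode each part, join with ':', then base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str,
                          scope: str = "") -> dict:
    """Section 6: a confidential client refreshes by POSTing to the token endpoint.

    The refresh token goes only to the authorization server, never to a resource
    server, and a scope, if given, may only narrow the originally granted scope.
    """
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        form["scope"] = scope
    return {
        "method": "POST",
        "path": "/token",
        "headers": {
            "Authorization": basic_client_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }
```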
7. Accessing Protected Resources
•  Present access token
– How depends on token_type
•  Server validates (out of scope)
– Generally interaction with Authorization Server
7.1 Access Token Types
•  What type of token?
– Compare with concept of grant_type
•  Not defined by OAuth2
– A registry is defined
•  Contents
– Bearer (RFC6750)
– MAC (OAuth-HTTP-MAC)
Extensibility
•  Defining Access Token Types
•  Defining New Endpoint Parameters
•  Defining New Authorization Grant Types
•  Defining New Authorization Endpoint Response Type
•  Defining Additional Error Codes
Criticism
•  Not that well specified
•  A consultant's dream
Related Standards
‘oauth’ in ietf.org
Bearer Token Usage
•  RFC6750
– Details on OAuth2 access_token
– Defines token_type bearer (first)
•  “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”
Bearer Token Usage
•  does not specify the encoding or the contents of the token??
•  Methods
– Authorization Request Header Field
– Form-Encoded Body Parameter
– URI Query Parameter
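Added example, not part of the deck: the resource-server side of RFC 6750 in Python, accepting the token by any one of the three methods listed above and answering a bad request with the WWW-Authenticate challenge. The in-memory token table stands in for the "interaction with Authorization Server" and is constructed, as are the scope name and the timestamps; rejecting a request that carries the token by two methods at once is a deliberately strict choice.

```python
import re
from urllib.parse import parse_qs

# RFC 6750 section 2.1: a bearer token is a b64token, i.e. these characters only.
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed stand-in for asking the authorization server about a token:
# the access_token from the "Issuing an Access Token" slide, with a made-up
# scope and expiry (Unix time).
TOKENS = {
    "2YotnFZFEjr1zCsicMWpAA": {"scope": {"photos.read"}, "expires_at": 1367629200},
}


class BearerError(Exception):
    def __init__(self, error: str, status: int):
        super().__init__(error)
        self.error, self.status = error, status


def extract_bearer_token(method: str, headers: dict, body: str = "", query: str = ""):
    """Find the token sent by one of the three methods; None if there is none.

    Header names are assumed lower-cased. A request carrying the token by more
    than one method violates section 2 and is rejected here (strict choice).
    """
    found = []
    scheme, _, token = headers.get("authorization", "").strip().partition(" ")
    if scheme.lower() == "bearer":  # the auth scheme is case-insensitive
        found.append(("header", token.strip()))
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    # section 2.2: body parameter only for form-encoded, non-GET requests
    if body and media == "application/x-www-form-urlencoded" and method.upper() != "GET":
        found += [("body", v) for v in parse_qs(body).get("access_token", [])]
    # section 2.3: query parameter, discouraged but allowed
    found += [("query", v) for v in parse_qs(query).get("access_token", [])]
    if not found:
        return None
    if len(found) > 1:
        raise BearerError("invalid_request", 400)
    where, token = found[0]
    if not B64TOKEN.match(token):
        raise BearerError("invalid_request", 400)
    return where, token


def challenge(error: str = "", scope: str = "", realm: str = "example") -> str:
    """WWW-Authenticate value (section 3); with no credentials at all, no error code."""
    value = f'Bearer realm="{realm}"'
    if error:
        value += f', error="{error}"'
    if scope:
        value += f', scope="{scope}"'
    return value


def check_access(method: str, headers: dict, body: str = "", query: str = "",
                 required_scope: str = "photos.read", now: int = 1367625600):
    """Resource-server decision: (HTTP status, response headers to add)."""
    try:
        found = extract_bearer_token(method, headers, body, query)
    except BearerError as exc:
        return exc.status, {"WWW-Authenticate": challenge(exc.error)}
    if found is None:
        return 401, {"WWW-Authenticate": challenge()}
    where, token = found
    info = TOKENS.get(token)
    if info is None or info["expires_at"] <= now:
        return 401, {"WWW-Authenticate": challenge("invalid_token")}
    if required_scope not in info["scope"]:
        return 403, {"WWW-Authenticate": challenge("insufficient_scope", scope=required_scope)}
    # section 2.3: a token that travelled in the URL must not end up in shared caches
    return 200, ({"Cache-Control": "private"} if where == "query" else {})
```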
Mac Token
•  draft-ietf-oauth-v2-http-mac-03
– access_token
•  token_type = mac (second, not yet approved)
– integrity
OAuth Assertions Framework
•  draft-ietf-oauth-assertions-11
– Framework, needs instances
•  ietf-oauth-saml2-bearer
•  ietf-oauth-jwt-bearer
SAML2 Bearer Assertions
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as a code snippet]
SAML2 Bearer Assertion
•  Note: ‘Bearer’ now used to describe assertion on Authorization Grant – not Access Token
•  SAML2 Assertion – another possible grant_type
JWT Bearer Tokens
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as a code snippet]
JWT Bearer Tokens
•  Similar to SAML2
•  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
JWT Tokens
•  JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
– JWS (JSON Web Signature)
– JWE (JSON Web Encryption)
•  Enables MAC/signed/encrypted
OpenID Connect
•  a simple identity layer on top of the OAuth 2.0 protocol.
•  allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server
OpenID Connect: flow
•  Authorization Code Flow
– response_type = code id_token
•  Implicit Flow (RECOMMENDED)
– response_type = token id_token
OpenID Connect: scope
•  openid - REQUIRED
•  profile - OPTIONAL
•  email - OPTIONAL
•  address - OPTIONAL
•  phone - OPTIONAL
additions
•  response_type: id_token
•  endpoint: /check_id, /userinfo
•  id_token is returned
•  send as access_token to /check_id
•  control info returned
•  send access_token to /userinfo
•  user_info is returned
Recap
[Flow diagram of the abstract protocol flow; labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as the Java snippet @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]
Thank You!
@mjidhage
www.sakerhetspodcasten.se
The actual problem
[Illustrated slides 46 to 52: Lisa, her Information, the Service Provider and the Consumer]
Why – the plot?
Fake site: Hi Lisa, what’s your username?
Lisa: Hmm, don’t know - could it be, lisa@hotmail.com?
Fake site: Ok, great! What’s your password?
Lisa: h4pp1n3ss!
Fake site: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
How?
Authorization in 5 easy steps
• Intent
• Request Token
• Authorize Request Token
• Exchange Token
• Access Data
Step 1: Intent
[names in brackets stand in for the slide's icons]
Lisa: Hi, [Moo]! I would like to order printouts of some of my [pictures] on [Flickr], they are marked as private. Could you please print them?
Moo: Sure, we just need to ask permission from [Flickr].
Step 2: Request Token
Moo: Hi [Flickr]! This is [Moo] speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
Moo: Thanks!
Step 3: Authorize Request Token
Moo: Hi [Lisa], could you please go to [Flickr] to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your [pictures].
Lisa: Sure, just redirect my browser and I will be done in a second!
Step 3, Continued
Lisa: [Flickr], I would like to authorize 9iKot2y5UQTDlS2V
Flickr: Sure - to be on the safe side; you are allowing [Moo] to read your private pictures? We trust them, so there are no issues from our side.
Lisa: Yes, that is correct!
Flickr: Ok, good. Now get back to [Moo] and tell them it is ok to proceed.
Step 3, Optional Notify
Lisa: Hi [Moo], I just told [Flickr] that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
Moo: Perfect, thank you!
Step 4: Exchange Token
Moo: Hi, [Flickr]. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
Moo: Perfect, thank you!
Step 5: Access Data
Moo: Hi [Flickr], I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Here they are [Moo], anything else?
Take Away
•  No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa's credentials on Flickr are.
•  => Not an authentication protocol/standard/technology
•  API independent
–  there are lots of different implementations on both client and server side
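Added example, not from the slides: the HMAC-SHA1 signing that the "Yours Truly, Moo." tag in Steps 2, 4 and 5 stands for, following RFC 5849, together with the recomputation a service provider does to verify it. Consumer key and secret, nonce, timestamp and URL are constructed; the access token and its secret are the ones issued in Step 4 of the walkthrough.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

CONSUMER_KEY = "moo-consumer-key"         # constructed: Moo's registered key
CONSUMER_SECRET = "moo-consumer-secret"   # constructed
ACCESS_TOKEN = "94S3sJVmuuxSPiZz"         # issued in Step 4 of the walkthrough
ACCESS_TOKEN_SECRET = "4Fc8bwdKNGSM0iNe"  # issued in Step 4 of the walkthrough


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def base_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, no query or fragment."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded base URI & encoded, sorted, normalized parameters.

    `params` holds the oauth_* protocol parameters and any form-body parameters;
    query-string parameters are taken from `url`. oauth_signature is never part
    of the string that is signed.
    """
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Consumer secret and token secret joined by '&'. The token secret is empty
    for the request-token call in Step 2, before any token exists."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1(base_string: str, key: str) -> str:
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, token, token_secret, nonce, timestamp, extra=None) -> dict:
    """Client side (Moo): build the oauth_* parameters and attach oauth_signature."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})
    key = signing_key(CONSUMER_SECRET, token_secret)
    params["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params), key)
    return params


def verify_request(method, url, params, consumer_secret, token_secret) -> bool:
    """Server side (Flickr): recompute the signature from the received parameters
    with the secrets on file and compare in constant time. Nonce and timestamp
    replay checks are a separate, stateful concern not shown here."""
    expected = hmac_sha1(signature_base_string(method, url, params),
                         signing_key(consumer_secret, token_secret))
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


def step5_fetch_private_pictures() -> dict:
    """Step 5: Moo fetches Lisa's private pictures, signed with the access token."""
    return sign_request("GET", "https://photos.example.com/private",
                        ACCESS_TOKEN, ACCESS_TOKEN_SECRET,
                        nonce="n0nc3", timestamp=1367625600)
```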
The Standard
History
—  2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
—  2007-04 A Google group started to write a draft protocol specification
—  2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
When? [timeline]
• 2007-12 Initial version OAuth 1.0 ready
  • mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
  • http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
  • New protocol, not backward compatible with OAuth1
  • Simplify and create a better user experience
  • Less secure due to no digital signature?
When? [timeline, continued]
• 2011-05-06
RFC6749 et alia 20130504

  • 5. 1.1 Roles
    resource owner
    resource server
    authorization server
    client
    @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …
  • 7. 1.3 Authorization Grant
    •  Four grant types
       – authorization code
       – implicit
       – resource owner password credentials
       – client credentials
       – (extension grants…)
  • 8. 1.4 Access Token
    •  a string representing an authorization
       – usually opaque to the client
    •  may denote an identifier used to retrieve the authorization information
    •  may self-contain the authorization information in a verifiable manner
    •  details in companion specifications
  • 9. 1.5 Refresh Token
    •  credentials used to obtain access tokens
       – when access token has expired
       – long lived (forever and ever)
       – only sent to authorization server
       – denotes an identifier used to retrieve the authorization information
       – OPTIONAL
  • 10. 2.0 Client Registration
    •  Needs to be done (client type, redirect URI, keys)
    •  Details out-of-scope for RFC6749
       – Manual
       – OAuth 2.0 Dynamic Client Registration Protocol
          •  draft-ietf-oauth-dyn-reg-09
       – OpenID Connect Dynamic Client Registration 1.0 - draft 08
  • 11. 2.0 Client Registration
    •  Real world examples
       – Google
       – Facebook
       – Twitter
  • 12. 2.1 Client types
    •  Confidential
       – web application
    •  Public
       – user-agent-based application
       – native application
  • 13. 2.2/3 Identifier & Auth
    •  Client Identifier
       – client_id (string, not secret)
    •  Client Authentication (confidential client type)
       – Basic Authentication (client_id:client_secret)
    •  And
       – Other Authentication Methods
       – Unregistered
  • 14. 3.0 Protocol Endpoints
    •  authorization server endpoints (URL:s)
       – Authorization endpoint
       – Token endpoint
    •  client endpoint
       – Redirection endpoint
    •  resource server
       – As required…
  • 15. 4.0 Obtaining Authorization
    •  Our main target is getting an Access Token
       – There are a couple of ways to do it
          •  depending on the client type
  • 16. 4.1 Authorization Code Grant (flow diagram; labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource, @override Authentication)
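What the client does at each labelled step of the authorization code grant, written out as an added Python example (not code from the deck, nor from the Java client library its slides show): the Authorization Request URL, the checks on the redirect that carries the Authorization Grant, and the body of the Access Token request. The endpoint, client_id, redirection URI and the sample code value are constructed placeholders.

```python
"""Client side of the RFC 6749 authorization code grant (section 4.1).
Added example; endpoint, client_id, redirect URI and sample code are
constructed placeholders, not values from the deck."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://as.example.com/authorize"   # constructed
CLIENT_ID = "s6BhdRkqt3"                                       # constructed
REGISTERED_REDIRECT_URI = "https://client.example.org/cb"      # constructed


def new_state() -> str:
    """Unguessable per-request value; the client stores it in the user's session."""
    return secrets.token_urlsafe(16)


def build_authorization_request(state: str, scope: str = "photos") -> str:
    """Authorization Request (4.1.1): the user-agent is sent to the
    authorization endpoint with response_type=code."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(callback_url: str, expected_state: str) -> str:
    """Authorization Grant (4.1.2): the redirect back to the client carries
    the code. Returns the code or raises ValueError."""
    parts = urlsplit(callback_url)
    # Only the query may differ from the registered redirection endpoint.
    if parts._replace(query="", fragment="").geturl() != REGISTERED_REDIRECT_URI:
        raise ValueError("not delivered to the registered redirection endpoint")
    query = parse_qs(parts.query)
    if "error" in query:                      # error response (4.1.2.1)
        raise ValueError("authorization error: " + query["error"][0])
    # state ties this response to the request this client made (CSRF check)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    if "code" not in query:
        raise ValueError("no authorization code in response")
    return query["code"][0]


def code_from_redirect(callback_url: str, expected_state: str):
    """Convenience wrapper: the code on success, None when the redirect is rejected."""
    try:
        return parse_authorization_response(callback_url, expected_state)
    except ValueError:
        return None


def build_token_request(code: str) -> dict:
    """Form body of the Access Token Request (4.1.3). redirect_uri repeats
    the value from the authorization request so the server can refuse a
    code that was issued for a different redirection URI."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_request(state))
    # Constructed callback, as the authorization server would redirect to it
    callback = REGISTERED_REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state
    print(build_token_request(parse_authorization_response(callback, state)))
```

The two checks in parse_authorization_response are the ones that matter for the client: the state value defends the redirection endpoint against a code injected by a forged request, and comparing the whole redirection URI (not just the host) keeps the code from being accepted on a path the client never registered.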
  • 17. 4.2 Implicit Grant (flow diagram; labels: Authorization Request, Access Token, Redirection URI, Script, Access Token, Protected Resource, @override Authentication, @override resource)
  • 18. 4.3 Resource Owner Password Credentials Grant (flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource, @override)
  • 19. 4.4 Client Credentials Grant (flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource, @override)
  • 20. 4.5 Extension Grants
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
    ------ Example is OAuth-SAML2
  • 21. 4.5 Extension Grants
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
    ------ Example is OAuth-SAML2
  • 22. 5. Issuing an Access Token
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "example_parameter":"example_value"
    }
  • 23. 5.1 Successful response
    •  access_token – REQUIRED
    •  token_type – REQUIRED
    •  expires_in – RECOMMENDED
    •  refresh_token – OPTIONAL
    •  scope – OPTIONAL/REQUIRED
  • 24. 6.0 Refreshing an Access Token
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
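The refresh request of slide 24 and the 5.1 rules of slide 23, as an added Python example (not code from the deck): building the request with HTTP Basic client authentication, then checking the token response before the client trusts it. The client id and secret are the values the slide's Basic header decodes to (the RFC 6749 example credentials, not a real client); the sample response is constructed in the shape of slide 22.

```python
"""Refreshing an access token (RFC 6749 section 6) and checking the token
response (section 5.1). Added example, not from the slides. CLIENT_ID and
CLIENT_SECRET are what the slide's Authorization header decodes to (the
RFC 6749 example credentials), not real ones."""
import base64
import json
from urllib.parse import quote, urlencode

CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (section 2.3.1): the id and secret
    are form-urlencoded, joined with ':' and base64-encoded."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_refresh_request(refresh_token: str, scope: str = None):
    """Headers and form body of the refresh request. The refresh token is
    only ever sent to the token endpoint (slide 9), over TLS."""
    headers = {
        "Authorization": basic_client_auth(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope is not None:
        params["scope"] = scope   # may only narrow the scope originally granted
    return headers, urlencode(params)


def validate_token_response(body: str, requested_scope: str = None) -> dict:
    """Checks a 200 token response against section 5.1. Returns the token
    data the client should keep, or raises ValueError. Unknown parameters
    (such as example_parameter on slide 22) are ignored."""
    data = json.loads(body)
    for required in ("access_token", "token_type"):
        if not isinstance(data.get(required), str) or not data[required]:
            raise ValueError("token response lacks required parameter " + required)
    if "expires_in" in data and not (isinstance(data["expires_in"], int) and data["expires_in"] > 0):
        raise ValueError("expires_in must be a positive number of seconds")
    # scope: if omitted it is identical to what was requested; if present it
    # may be narrower than the request but never wider.
    granted = set(data.get("scope", requested_scope or "").split())
    requested = set((requested_scope or "").split())
    if requested and not granted <= requested:
        raise ValueError("server granted scope outside the request: " + " ".join(sorted(granted - requested)))
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"].lower(),   # case-insensitive per 5.1
        "expires_in": data.get("expires_in"),        # RECOMMENDED
        "refresh_token": data.get("refresh_token"),  # OPTIONAL; a new one replaces the old
        "scope": " ".join(sorted(granted)),
    }


def token_response_is_valid(body: str, requested_scope: str = None) -> bool:
    """Boolean view of validate_token_response for callers that only branch on it."""
    try:
        validate_token_response(body, requested_scope)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    headers, body = build_refresh_request("tGzv3JOkF0XG5Qx2TlKWIA")
    print(headers["Authorization"])
    print(body)
    # Constructed response in the shape of slide 22
    sample = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example",'
              '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}')
    print(validate_token_response(sample, requested_scope="photos"))
```

If the response carries a refresh_token, the client must store it in place of the one it just used: an authorization server is allowed to rotate refresh tokens on every use, and keeping the old one only helps an attacker who has copied it.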
  • 25. 7. Accessing Protected Resources
    •  Present access token
       – How depends on token_type
    •  Server validates (out of scope)
       – Generally interaction with Authorization Server
  • 26. 7.1 Access Token Types
    •  What type of token?
       – Compare with concept of grant_type
    •  Not defined by OAuth2
       – A registry is defined
    •  Contents
       – Bearer (RFC6750)
       – Mac (OAuth-HTTP-MAC)
  • 27. Extensibility
    •  Defining Access Token Types
    •  Defining New Endpoint Parameters
    •  Defining New Authorization Grant Types
    •  Defining New Authorization Endpoint Response Type
    •  Defining Additional Error Codes
  • 28. Criticism
    •  Not that specified
    •  A consultant's dream
  • 31. Bearer Token Usage
    •  RFC6750
       – Details on OAuth2 access_token
       – Defines token_type bearer (first)
    •  “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”
  • 32. Bearer Token Usage
    •  does not specify the encoding or the contents of the token??
    •  Methods
       – Authorization Request Header Field
       – Form-Encoded Body Parameter
       – URI Query Parameter
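The resource-server side of the three presentation methods on slide 32, as an added Python example (not code from the deck or from RFC 6750 itself): locating the bearer token in a request, rejecting a request that presents it more than once, and answering a failed request with the WWW-Authenticate challenge the RFC defines. The realm, the sample token and the token store are constructed.

```python
"""Resource-server handling of RFC 6750 bearer tokens (the three methods of
slide 32) and the WWW-Authenticate challenge of a failed request. Added
example; realm, sample token and token store are constructed."""
import re
from urllib.parse import parse_qs

REALM = "example"                                   # constructed
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")   # b64token syntax, RFC 6750 2.1

# Constructed stand-in for token validation (in practice an introspection
# call to the authorization server, or a self-contained signed token).
VALID_TOKENS = {"mF_9.B5f-4.1JqM": "photos profile"}   # token -> granted scope


def challenge(error: str = None, description: str = None) -> str:
    """WWW-Authenticate value for the 401/400/403 responses of RFC 6750 section 3."""
    parts = ['realm="%s"' % REALM]
    if error:
        parts.append('error="%s"' % error)
    if description:
        parts.append('error_description="%s"' % description)
    return "Bearer " + ", ".join(parts)


def extract_bearer_token(method: str, headers: dict, content_type: str, body: str, query: str):
    """Returns (token, None) or (None, challenge). A client MUST NOT use more
    than one method per request, so two tokens is an invalid_request."""
    found = []
    auth = headers.get("Authorization", "")
    if auth:
        scheme, _, credentials = auth.partition(" ")
        credentials = credentials.strip()
        if scheme.lower() != "bearer" or not B64TOKEN.match(credentials):
            return None, challenge("invalid_request", "malformed Authorization header")
        found.append(credentials)
    # Form-encoded body parameter (2.2): only for form bodies, never on GET.
    if content_type == "application/x-www-form-urlencoded" and method.upper() != "GET":
        found.extend(parse_qs(body).get("access_token", []))
    # URI query parameter (2.3): ends up in server logs and Referer headers,
    # so it is the least desirable method; still accepted here as the RFC allows.
    found.extend(parse_qs(query).get("access_token", []))
    if not found:
        return None, challenge()   # no token at all: challenge without an error code
    if len(found) > 1:
        return None, challenge("invalid_request", "more than one token presented")
    return found[0], None


def authorize(method: str, headers: dict, content_type: str = "", body: str = "",
              query: str = "", required_scope: str = "photos"):
    """Full check for one request: (HTTP status, WWW-Authenticate value or None)."""
    token, fail = extract_bearer_token(method, headers, content_type, body, query)
    if fail is not None:
        return (400 if "invalid_request" in fail else 401), fail
    granted = VALID_TOKENS.get(token)
    if granted is None:
        return 401, challenge("invalid_token", "token unknown, expired or revoked")
    if required_scope not in granted.split():
        return 403, challenge("insufficient_scope", "scope %s required" % required_scope)
    return 200, None


if __name__ == "__main__":
    print(authorize("GET", {"Authorization": "Bearer mF_9.B5f-4.1JqM"}))
    print(authorize("GET", {}))
    print(authorize("GET", {"Authorization": "Bearer mF_9.B5f-4.1JqM"}, query="access_token=mF_9.B5f-4.1JqM"))
```

The status codes follow section 3.1 of the RFC: a malformed request is a 400 with invalid_request, an unknown or expired token a 401 with invalid_token, and a valid token without the needed scope a 403 with insufficient_scope. A request with no token at all gets a bare challenge and no error code, so the server does not leak whether anything about the request was otherwise acceptable.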
  • 33. Mac Token
    •  draft-ietf-oauth-v2-http-mac-03
       – access_token
    •  token_type = mac (second, not yet approved)
       – integrity
  • 34. OAuth Assertions Framework
    •  draft-ietf-oauth-assertions-11
       – Framework, needs instances
          •  ietf-oauth-saml2-bearer
          •  ietf-oauth-jwt-bearer
  • 35. SAML2 Bearer Assertions (flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource, @override)
  • 36. SAML2 Bearer Assertion
    •  Note: ‘Bearer’ now used to describe assertion on Authorization Grant
       – not Access Token
    •  SAML2 Assertion
       – another possible grant_type
  • 37. JWT Bearer Tokens (flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource, @override)
  • 38. JWT Bearer Tokens
    •  Similar to SAML2
    •  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  • 39. JWT Tokens
    •  JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
       – JWS (JSON Web Signature)
       – JWE (JSON Web Encryption)
    •  Enables MAC/signed/encrypted
  • 40. OpenID Connect
    •  a simple identity layer on top of the OAuth 2.0 protocol.
    •  allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server
  • 41. OpenID Connect: flow
    •  Authorization Code Flow
       – response_type = code id_token
    •  Implicit Flow (RECOMMENDED)
       – response_type = token id_token
  • 42. OpenID Connect: scope
    •  openid - REQUIRED
    •  profile - OPTIONAL
    •  email - OPTIONAL
    •  address - OPTIONAL
    •  phone - OPTIONAL
  • 43. additions
    •  response_type: id_token
    •  endpoint: /check_id, /userinfo
    •  id_token is returned
    •  send as access_token to /check_id
    •  control info returned
    •  send access_token to /userinfo
    •  user_info is returned
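How the JWT of slide 39 becomes the id_token of slides 40-43, as an added Python example (not code from the deck or from any OpenID Connect library): a JWS in compact serialization, signed with HMAC-SHA256, and the checks a client runs on the id_token before it believes the identity it carries. It assumes the HS256 option, where the client secret doubles as the shared MAC key, because that needs no key material beyond the client registration; the issuer, client id, secret, subject and nonce are constructed.

```python
"""A JWT as a JWS (slide 39) used as an OpenID Connect id_token (slides
40-43): compact serialization, HS256 signing with the client secret as the
shared key, and the claim checks the client performs. Added example, not
from the slides; issuer, audience, key and token contents are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"        # constructed
CLIENT_ID = "s6BhdRkqt3"                 # constructed
CLIENT_SECRET = b"constructed-shared-secret-at-least-32-bytes-long!!"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """JWS compact serialization: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jws(token: str, key: bytes) -> dict:
    """Checks the signature and returns the claims, or raises ValueError.
    The algorithm is pinned: the header is never allowed to choose it."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))


def validate_id_token(token: str, expected_nonce: str, now: int = None) -> dict:
    """Client-side checks on an id_token: signature, iss, aud, exp, nonce, sub."""
    now = int(time.time()) if now is None else now
    claims = verify_jws(token, CLIENT_SECRET)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to our request")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def id_token_is_valid(token: str, expected_nonce: str, now: int = None) -> bool:
    try:
        validate_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


def mint_sample_id_token(now: int, nonce: str = "n-0S6_WzA2Mj") -> str:
    """Constructed id_token as the OpenID Provider would issue it."""
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": now + 600, "iat": now, "nonce": nonce}
    return sign_jwt(claims, CLIENT_SECRET)


if __name__ == "__main__":
    now = int(time.time())
    token = mint_sample_id_token(now)
    print(token)
    print(validate_id_token(token, "n-0S6_WzA2Mj", now))
```

The nonce plays the role state plays in plain OAuth: the client generates it per request and the provider echoes it inside the signed token, so an id_token captured from another session fails the check even though its signature is good. Pinning alg in the verifier matters for the same reason the signature does: a verifier that lets the token header pick the algorithm can be handed a token that claims to need no signature at all.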
  • 53. Why – the plot?
    fake : Hi Lisa, what’s your username?
    Lisa : Hmm, don’t know - could it be, lisa@hotmail.com?
    fake : Ok, great! What’s your password?
    Lisa : h4pp1n3ss!
    fake : Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
  • 54. How? Authorization in 5 easy steps
    • Intent
    • Request Token
    • Authorize Request Token
    • Exchange Token
    • Access Data
  • 55. Step 1: Intent
    : Hi, ! I would like to order printouts of some of my on , they are marked as private. Could you please print them?
    : Sure, we just need to ask permission from
  • 56. Step 2: Request Token
    : Hi ! This is speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
    : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
    : Thanks!
  • 57. Step 3: Authorize Request Token
    : Hi , could you please go to to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your .
    : Sure, just redirect my browser and I will be done in a second!
  • 58. Step 3, Continued
    : , I would like to authorize 9iKot2y5UQTDlS2V
    : Sure - to be on the safe side; you are allowing to read your private pictures? We trust them, so there are no issues from our side.
    : Yes, that is correct!
    : Ok, good. Now get back to and tell them it is ok to proceed.
  • 59. Step 3, Optional Notify
    : Hi , I just told that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
    : Perfect, thank you!
  • 60. Step 4: Exchange Token
    : Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
    : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
    : Perfect, thank you!
  • 61. Step 5: Access Data
    : Hi , I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
    : Here they are , anything else?
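The "HMAC-SHA1 (Yours Truly, Moo.)" stamp on the messages of steps 2, 4 and 5, as an added Python example (not code from the deck): the RFC 5849 signature base string, the client-side signature and the server-side check, using the request token and secret that step 2 hands out. The endpoint URL, the consumer secret shared between Moo and Flickr, and the timestamp and nonce are constructed.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849 3.4),
the mechanism behind the "HMAC-SHA1 (Yours Truly, Moo.)" stamp in steps
2, 4 and 5. Added example, not from the slides; URL, consumer secret,
timestamp and nonce are constructed, the token values are from step 2."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

ACCESS_TOKEN_URL = "https://flickr.example/oauth/access_token"   # constructed
CONSUMER_KEY = "Moo"                                              # the print shop of the story
CONSUMER_SECRET = "constructed-consumer-secret"                   # constructed, shared with Flickr
REQUEST_TOKEN = "9iKot2y5UQTDlS2V"                                # from step 2
REQUEST_TOKEN_SECRET = "1Hv0pzNXMXdEfBd"                          # from step 2


def pct(s: str) -> str:
    """RFC 5849 3.6 percent encoding: only unreserved characters are kept."""
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path, lowercased, default port dropped, no query."""
    p = urlsplit(url)
    scheme, netloc = p.scheme.lower(), p.netloc.lower()
    if (scheme, netloc.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        netloc = netloc.rsplit(":", 1)[0]
    return scheme + "://" + netloc + (p.path or "/")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URI) & enc(normalized parameters); oauth_signature
    itself is left out of the parameters it protects."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return method.upper() + "&" + pct(base_string_uri(url)) + "&" + pct(normalized)


def hmac_sha1_signature(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer secret) & enc(token secret); output is base64."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode("ascii")
    text = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")


def sign_request(method: str, url: str, params: dict,
                 consumer_secret: str, token_secret: str = "") -> dict:
    """Client side: returns the parameters with oauth_signature added."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret, token_secret)
    return signed


def verify_request(method: str, url: str, params: dict,
                   consumer_secret: str, token_secret: str = "") -> bool:
    """Server side: recompute and compare in constant time. A real server
    also rejects reused (timestamp, nonce) pairs and stale timestamps."""
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def step4_exchange_request(timestamp: str = "1367625600", nonce: str = "abc123") -> dict:
    """Step 4 (exchange the request token) as a signed parameter set."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": REQUEST_TOKEN,
        "oauth_timestamp": timestamp,   # constructed
        "oauth_nonce": nonce,           # constructed
        "oauth_version": "1.0",
    }
    return sign_request("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, REQUEST_TOKEN_SECRET)


if __name__ == "__main__":
    request = step4_exchange_request()
    print(signature_base_string("POST", ACCESS_TOKEN_URL, request))
    print(request["oauth_signature"])
    print(verify_request("POST", ACCESS_TOKEN_URL, request, CONSUMER_SECRET, REQUEST_TOKEN_SECRET))
```

Because the token secret from step 2 is part of the signing key and never travels with the request, Flickr can tell that the party exchanging 9iKot2y5UQTDlS2V is the one it issued it to, which is what the "Yours Truly" in the deck stands for; this is the signature that OAuth 2.0 later dropped in favour of bearer tokens over TLS (slide 65).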
  • 62. Take Away
    •  No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa's credentials on Flickr are.
    •  => Not an authentication protocol/standard/technology
    •  API independent
       – there are lots of different implementations on both client and server side
    The Standard
  • 64. When?
    —  2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
    —  2007-04 A Google group started to write a draft protocol specification
    —  2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
  • 65. When?
    • 2007-12 Initial version OAuth 1.0 ready
       • mainly based on the Flickr Auth API and Google AuthSub
    • 2009-06 Revised version 1.0a due to a security flaw
       • http://oauth.net/core/1.0a
    • 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
    • OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
       • New protocol, not backward compatible with OAuth1
       • Simplify and create a better user experience
       • Less secure due to no digital signature?