7. 1.3 Authorization Grant
• Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)
8. 1.4 Access Token
• a string representing an authorization
– usually opaque to the client
• may denote an identifier used to retrieve
the authorization information
• may self-contain the authorization
information in a verifiable manner
• details in companion specifications
9. 1.5 Refresh Token
• credentials used to obtain a new access token
– used when the current access token has expired or been invalidated
– typically long lived (may never expire)
– only ever sent to the authorization server (token endpoint), never to a resource server
– denotes an identifier used to retrieve the authorization information
– OPTIONAL (issued at the authorization server's discretion)
24. 6.0 Refreshing an Access Token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
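The request above is the client's side of section 6; the authorization server's side is what has to get the security checks right. The following is an added example, not code from the slides or from any OAuth library: a minimal token-endpoint handler for grant_type=refresh_token in Python. The client_id/secret pair (s6BhdRkqt3 / gX1fBat3bV) is the one encoded in the Basic header above; the refresh token store, the scope values and the lifetime are constructed for the demo. It authenticates the client, checks that the refresh token was issued to that client, allows scope to be narrowed but not widened, and rotates the refresh token so a stolen copy can be used at most once (section 6 permits issuing a new refresh token, in which case the client must discard the old one).

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample state (not from the slides): one registered confidential
# client and one refresh token previously issued to it.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}                      # client_id -> client_secret
REFRESH_TOKENS = {                                          # refresh_token -> record
    "tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3", "scope": "read write", "revoked": False},
}
ACCESS_TOKENS = {}                                          # access_token -> record
ACCESS_TOKEN_LIFETIME = 3600


def authenticate_client(headers):
    """Check HTTP Basic client credentials (RFC 6749 2.3.1); return client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
        client_id, client_secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    # constant-time compare; an unknown client fails the same way as a bad secret
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None
    return client_id


def refresh_access_token(headers, body):
    """Token endpoint handler for grant_type=refresh_token (RFC 6749 section 6).

    Returns (http_status, json_body). The refresh token must exist, must not have
    been used already, and must have been issued to the authenticated client.
    """
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    try:
        form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    except ValueError:
        return 400, {"error": "invalid_request"}
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    rec = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if rec is None or rec["revoked"] or rec["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    # the client may narrow the original scope, never widen it
    scope = form.get("scope", rec["scope"])
    if not set(scope.split()) <= set(rec["scope"].split()):
        return 400, {"error": "invalid_scope"}
    rec["revoked"] = True                                   # rotation: old token is single-use
    access = secrets.token_urlsafe(24)
    new_refresh = secrets.token_urlsafe(24)
    ACCESS_TOKENS[access] = {"client_id": client_id, "scope": scope,
                             "exp": time.time() + ACCESS_TOKEN_LIFETIME}
    REFRESH_TOKENS[new_refresh] = {"client_id": client_id, "scope": scope, "revoked": False}
    return 200, {"access_token": access, "token_type": "Bearer",
                 "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": new_refresh,
                 "scope": scope}


if __name__ == "__main__":
    hdrs = {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW",
            "Content-Type": "application/x-www-form-urlencoded"}
    body = "grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA"
    print(refresh_access_token(hdrs, body))   # 200 with a fresh access and refresh token
    print(refresh_access_token(hdrs, body))   # 400 invalid_grant: the old token was rotated away
```

The client-binding check matters because a refresh token is itself a bearer credential for the token endpoint: without it, any client that obtains a copy (log leak, compromised peer) could mint access tokens under its own client_id.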
25. 7. Accessing Protected Resources
• Present the access token to the resource server
– How depends on token_type
• Resource server validates the token (out of scope of RFC 6749)
– Generally by interacting with the Authorization Server, or locally when the token is self-contained and verifiable
26. 7.1 Access Token Types
• What type of token is this?
– Compare with the concept of grant_type
• Not defined by the core OAuth2 spec
– A registry of token types is defined instead
• Registered types
– Bearer (RFC6750)
– MAC (OAuth-HTTP-MAC draft, never finalized as an RFC)
27. Extensibility
• Defining Access Token Types
• Defining New Endpoint Parameters
• Defining New Authorization Grant Types
• Defining New Authorization Endpoint Response Types
• Defining Additional Error Codes
31. Bearer Token Usage
• RFC6750
– Details how an OAuth2 access_token is presented to the resource server
– Defines token_type Bearer (the first registered type)
• “A security token with the property that any party in
possession of the token (a "bearer") can use the token in
any way that any other party in possession of it can.
Using a bearer token does not require a bearer to prove
possession of cryptographic key material (proof-of-
possession).”
32. Bearer Token Usage
• RFC6750 does not specify the encoding or the contents of the token
– only its syntax on the wire (b64token)
• Methods (a client must use only one of them per request)
– Authorization Request Header Field (the recommended one)
– Form-Encoded Body Parameter
– URI Query Parameter (discouraged: tokens in URLs leak via server logs, browser history and Referer headers)
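Slides 25 and 32 together describe what a resource server has to do with a bearer token: find it, validate it, and answer with the right WWW-Authenticate challenge when it is missing, malformed, expired or under-scoped. The following is an added example in Python, not code from the slides or from any framework; the token store, scopes, realm and URLs are constructed for the demo, and validation is done locally against that store (a real resource server would use introspection or a verifiable self-contained token). It implements the three transmission methods of RFC 6750 section 2, rejects a request that uses more than one of them, keeps the query-parameter method off unless explicitly enabled, and maps failures to the status codes and error codes of section 3.

```python
import re
import time
from urllib.parse import parse_qs, urlsplit

# b64token syntax from RFC 6750 section 2.1 (a literal "+" in a form body must arrive as %2B)
B64TOKEN = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")

# Constructed token store (not from the slides): opaque token -> authorization record
TOKENS = {
    "mF_9.B5f-4.1JqM": {"scope": {"read"}, "exp": 4102444800},   # valid until 2100
    "expired.token":   {"scope": {"read"}, "exp": 1},
}


def extract_bearer(method, url, headers, body="", allow_query=False):
    """Locate the bearer token per RFC 6750 section 2; return (token, error_code).

    The client MUST NOT use more than one method per request, so finding two
    tokens is an invalid_request. The URI query method is off by default
    because tokens in URLs end up in access logs, history and Referer headers.
    """
    found = []
    auth = headers.get("Authorization")
    if auth is not None:
        parts = auth.split(None, 1)
        if parts and parts[0].lower() == "bearer":           # scheme name is case-insensitive
            if len(parts) != 2:
                return None, "invalid_request"                # "Bearer" with no token
            found.append(parts[1].strip())
    ctype = headers.get("Content-Type", "")
    if body and method.upper() != "GET" and ctype.startswith("application/x-www-form-urlencoded"):
        found.extend(parse_qs(body).get("access_token", []))  # section 2.2
    if allow_query:
        found.extend(parse_qs(urlsplit(url).query).get("access_token", []))  # section 2.3
    if not found:
        return None, None                                     # no credentials presented at all
    if len(found) > 1 or not B64TOKEN.match(found[0]):
        return None, "invalid_request"
    return found[0], None


def authorize_request(method, url, headers, body="", required_scope="read",
                      realm="pictures", allow_query=False):
    """Resource-server decision: (status, response_headers) per RFC 6750 section 3."""
    challenge = 'Bearer realm="%s"' % realm
    token, err = extract_bearer(method, url, headers, body, allow_query)
    if err == "invalid_request":
        return 400, {"WWW-Authenticate": challenge + ', error="invalid_request"'}
    if token is None:
        return 401, {"WWW-Authenticate": challenge}           # challenge without an error code
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] <= time.time():
        return 401, {"WWW-Authenticate": challenge + ', error="invalid_token"'}
    if required_scope not in rec["scope"]:
        return 403, {"WWW-Authenticate": challenge + ', error="insufficient_scope", scope="%s"' % required_scope}
    return 200, {}


if __name__ == "__main__":
    print(authorize_request("GET", "https://rs.example/pics", {"Authorization": "Bearer mF_9.B5f-4.1JqM"}))
    print(authorize_request("GET", "https://rs.example/pics?access_token=mF_9.B5f-4.1JqM", {}))
```

Note that an unknown token and an expired token get the same invalid_token answer: the resource server has no reason to tell a caller which of the two it holds.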
36. SAML2 Bearer Assertion
• Note: ‘Bearer’ here describes the assertion used as an Authorization Grant, not the Access Token
• SAML2 Assertion – another possible grant_type
– urn:ietf:params:oauth:grant-type:saml2-bearer
38. JWT Bearer Tokens
• Similar to SAML2: a signed JWT is presented as the authorization grant
• grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
39. JWT Tokens
• JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
– JWS (JSON Web Signature)
– JWE (JSON Web Encryption)
• Claims can be MACed, signed or encrypted
40. OpenID Connect
• a simple identity layer on top of the OAuth
2.0 protocol.
• allows Clients to verify the identity of the
End-User based on the authentication
performed by an Authorization Server
43. additions
• response_type: id_token
• endpoints: /check_id, /userinfo (check_id appeared in early drafts and was dropped from the final spec)
• id_token is returned
• send the id_token (as the access_token parameter) to /check_id
• its claims (control info) are returned
• send the access_token to /userinfo
• user_info (claims about the End-User) is returned
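Slide 39 says a JWT lets claims be MACed or signed, and slide 43 says the Client gets an id_token back; what the slides do not show is the verification a Client must perform before trusting those claims. The following is an added example in Python (standard library only), not code from the slides or from any JWT library. It signs a JWT with HS256 (the HMAC case, which OpenID Connect allows with the client secret as the key; most deployments use RS256, which needs an RSA library) and verifies an ID token the way a Client should: algorithm pinned rather than read from the header, MAC checked in constant time before the payload is parsed, then iss, aud, exp and nonce checked. The issuer, client_id, key and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_hs256_sign(claims: dict, key: bytes) -> str:
    """Compact JWS (JWT) with an HMAC-SHA256 MAC over base64url(header).base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def unsigned_token(claims: dict) -> str:
    """What an attacker can build without the key: alg=none with an empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims)) + "."


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str = None, now: float = None) -> dict:
    """Verify an ID token (HS256 case) and return its claims; raise ValueError on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:                       # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token")
    # pin the expected algorithm; never let the header choose 'none' or another alg
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))      # parse claims only after the MAC checks out
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_is_valid(*args, **kwargs) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need accept/reject."""
    try:
        verify_id_token(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"client-secret-shared-with-the-op"            # constructed demo key
    claims = {"iss": "https://op.example", "sub": "248289761001", "aud": "s6BhdRkqt3",
              "exp": 2000000000, "iat": 1999999000, "nonce": "n-0S6_WzA2Mj"}
    tok = jws_hs256_sign(claims, key)
    print(verify_id_token(tok, key, "https://op.example", "s6BhdRkqt3", nonce="n-0S6_WzA2Mj", now=1999999500))
    print(id_token_is_valid(unsigned_token(claims), key, "https://op.example", "s6BhdRkqt3", now=1999999500))  # False
```

The aud check is the one most often skipped: an ID token issued to another Client of the same provider carries a valid signature and a valid iss, and only the audience tells the two apart.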
53. Why – the plot?
: Hi Lisa, what’s your username?
: Hmm, don’t know - could it be, lisa@hotmail.com?
: Ok, great! What’s your password?
: h4pp1n3ss!
: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
55. Step 1: Intent
: Hi, ! I would like to order printouts of some of my on , they are marked as private. Could you please print them?
: Sure, we just need to ask permission from
56. Step 2: Request Token
: Hi ! This is speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
: Thanks!
57. Step 3: Authorize Request Token
: Hi , could you please go to to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your .
: Sure, just redirect my browser and I will be done in a second!
58. Step 3, Continued
: , I would like to authorize 9iKot2y5UQTDlS2V
: Sure - to be on the safe side; you are allowing to read your private pictures? We trust them, so there are no issues from our side.
: Yes, that is correct!
: Ok, good. Now get back to and tell them it is ok to proceed.
59. Step 3, Optional Notify
: Hi , I just told that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
: Perfect, thank you!
60. Step 4: Exchange Token
: Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
: Perfect, thank you!
61. Step 5: Access Data
: Hi , I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
: Here they are , anything else?
62. Take Away
• No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are.
• => Not an authentication protocol/standard/technology
• API independent
– there are lots of different implementations on both client and server side
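The “HMAC-SHA1 (Yours Truly, Moo.)” that Moo attaches in Steps 2, 4 and 5 is the OAuth 1.0 request signature of RFC 5849 section 3.4: every request is signed with a key derived from the consumer secret and the token secret, which is exactly what the token exchange in Step 4 hands out. The following is an added example in Python, not code from the slides or from any OAuth library: the signature base string construction, the HMAC-SHA1 signing, and the server-side verification with a nonce cache against replay. The consumer key and secrets, the Flickr-like URL and the Moo name are constructed for the demo; the RFC_ request values in the demo are the worked example from RFC 5849 section 3.4.1, so the base string can be checked against the one printed in the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

SEEN_NONCES = set()      # (consumer_key, timestamp, nonce) triples already accepted


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay unencoded."""
    return quote(s, safe="~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed (3.4.1.2)."""
    p = urlsplit(url)
    host = p.hostname
    if p.port and not ((p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)):
        host = "%s:%d" % (host, p.port)
    return "%s://%s%s" % (p.scheme.lower(), host, p.path)


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=()) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))   # query parameters
    pairs += list(body_params)                                             # form body parameters
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    # encode each name and value, sort by name then value, join as name=value with '&'
    normalized = "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is enc(consumer secret) '&' enc(token secret); output is base64."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="", body_params=()):
    """Client side (Moo): build the oauth_* protocol parameters, including the signature."""
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
              "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params, body_params), consumer_secret, token_secret)
    return params


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=(), seen=None):
    """Server side (Flickr): recompute the signature over what was actually received; reject replays."""
    seen = SEEN_NONCES if seen is None else seen
    nonce_key = tuple(oauth_params.get(k) for k in ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
    if nonce_key in seen:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body_params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False
    seen.add(nonce_key)          # only a verified request consumes its nonce
    return True


if __name__ == "__main__":
    # RFC 5849 section 3.4.1 example request (realm and signature are excluded from the base string)
    RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
                 "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
                 "oauth_nonce": "7d8f3e4a", "oauth_signature": "bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"}
    print(signature_base_string("POST", RFC_URL, RFC_OAUTH, parse_qsl("c2&a3=2+q", keep_blank_values=True)))
    # Step 5 of the dance with constructed secrets
    url = "https://api.example/photos?user=lisa"
    p = sign_request("GET", url, "moo-key", "moo-secret", "94S3sJVmuuxSPiZz", "4Fc8bwdKNGSM0iNe")
    print(verify_request("GET", url, p, "moo-secret", "4Fc8bwdKNGSM0iNe"))   # True
    print(verify_request("GET", url, p, "moo-secret", "4Fc8bwdKNGSM0iNe"))   # False: replay
```

Because the signature covers method, URI and every parameter, the token secret never travels on the wire and a captured request cannot be replayed (nonce) or retargeted (different URI or parameters). This is the “digital signature” that OAuth 2.0 dropped in favour of bearer tokens over TLS.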
The Standard
64. When?
— 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
— 2007-04 A Google group started to write a draft protocol specification
— 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
65. When?
• 2007-12 Initial version OAuth 1.0 ready
• mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw (a session fixation attack on the request-token authorization step; 1.0a added the oauth_verifier)
• http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
• New protocol, not backward compatible with OAuth1
• Simplify and create a better user experience
• Less secure due to no digital signature? (bearer tokens make TLS mandatory on every request)