40. Core response_type = token
Participants: Resource Owner, Client, Authorization Server
Initiate: the Client sends the Resource Owner to the Authorization Server with
  client_id=...&response_type=token&redirect_uri=https://...
Require Approval: the Authorization Server asks the Resource Owner for approval
Approve: the Resource Owner approves
Access Token: returned to the Client at the registered redirect_uri
All clients MUST pre-register “redirect_uri”
OpenID TechNight #7
11 9 8
41. Core Notes
For Servers
Do you support public clients?
Do you need iPhone/Android apps support?
Require full redirect URI registration
Narrower scopes / shorter lifetime for public clients
For Clients
Don’t include client secret in your mobile app
42. Core Security Considerations
Don’t issue “client_secret” to public clients
“redirect_uri” verification is important, especially for public clients
Consider security policy per client type
Use “state” param against CSRF / code injection attack
etc.
44. Code injection without “state”
Participants: Attacker, Client, Authorization Server
Initiate: the Attacker starts the flow through the Client
Require Approval / Approve: the Attacker approves with the attacker’s Twitter account
Code: the Authorization Server issues a Code for the attacker’s account
Code: the Attacker injects that Code into the victim’s callback to the Client
Access Token: the Client exchanges the injected Code, which allows login
  with the attacker’s Twitter account
45. Code injection with “state”
Participants: Attacker, Client, Authorization Server
Store “state” in Cookie etc.: the Client generates a State and keeps it per session
Initiate: the request to the Authorization Server carries the State
Require Approval / Approve
Code + State: returned to the Client together
Injected Code: arrives without the State stored for the victim’s session
“state” verification failed!!
46. In draft 21, “state” is RECOMMENDED
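As an added example (not code from the original slides), the two checks the security-considerations slide and the code-injection slides call for, in Python: on the authorization server, exact matching of “redirect_uri” against a pre-registered value with a narrower token lifetime for public clients; on the client, a per-session “state” generated before the redirect and verified on the callback, so an injected code that arrives with a missing, foreign or reused state is discarded. The client registry, endpoint URLs and lifetimes are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry (assumption: the server keeps a table like this).
# Every client registers its full redirect_uri; the client type drives policy.
REGISTERED_CLIENTS = {
    "web-app-1": {"type": "confidential", "redirect_uris": {"https://app.example/cb"}},
    "mobile-app-1": {"type": "public", "redirect_uris": {"https://mobile.example/cb"}},
}

PUBLIC_TOKEN_LIFETIME = 3600          # shorter lifetime for public clients
CONFIDENTIAL_TOKEN_LIFETIME = 86400   # constructed values, not from the slides


def server_validate_authorize_request(params):
    """Authorization server side. Returns (ok, detail): the reason on failure,
    the token lifetime to use on success."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return False, "unknown client_id"
    # Exact string match against the registered set: no prefix, host-only or
    # substring matching, since loose matching is what lets a response be
    # redirected somewhere the client never registered.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return False, "redirect_uri does not match a registered value"
    if params.get("response_type") not in ("code", "token"):
        return False, "unsupported response_type"
    if client["type"] == "public":
        return True, PUBLIC_TOKEN_LIFETIME
    return True, CONFIDENTIAL_TOKEN_LIFETIME


class OAuthClient:
    """Client side. self.session stands in for the cookie/session store that
    keeps 'state' between the redirect out and the callback in."""

    def __init__(self, client_id, redirect_uri, authz_endpoint):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authz_endpoint = authz_endpoint
        self.session = {}

    def start(self, scope="read"):
        # Fresh unguessable state per authorization request, bound to this session.
        state = secrets.token_urlsafe(32)
        self.session["oauth_state"] = state
        return self.authz_endpoint + "?" + urlencode({
            "client_id": self.client_id,
            "response_type": "code",
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
        })

    def handle_callback(self, callback_url):
        """Return the authorization code only if 'state' matches the one stored
        for this session; otherwise None and the code is dropped. The stored
        state is consumed on first use, so a replayed callback also fails."""
        query = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("oauth_state", None)
        received = query.get("state", [None])[0]
        if expected is None or received is None:
            return None
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return None
        return query.get("code", [None])[0]


def query_param(url, name):
    """Helper: read one query parameter from a URL (None if absent)."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]
```

The server check is deliberately a set membership test on the whole string; any normalisation (trailing slash, query string, case) should happen at registration time, not at request time.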
47. Token Type Spec
Participants: Authorization Server, Client, Resource Server, Resource Owner
Authorize: Authorization Server -> Client (Access Token issued)
Access: Client -> Resource Server API, presenting the Access Token
48. Token Type Spec
                Bearer            MAC
Signature       No signature      Signature
Token secret    No token secret   Token secret
Adoption        Mainstream        Similar to OAuth 1.0 + extensions
53. Token Notes
For Servers
Access Token Response
Set “token_type” as “bearer”
Resource Request
Support both “OAuth” and “Bearer” auth header
Support both “oauth_token” and “access_token” query/body params
54. Token Notes
For Clients
Move from “OAuth” to “Bearer”
Move from “oauth_token” to “access_token”
Only for Facebook API developers
Access token response will be JSON
57. OAuth Migration
(by 2011.09.30)
Using legacy FB APIs? (~2010.04)
No more “fb_sig” and “fb_sig_session_key”
Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth)
Your library might not work anymore
58. OAuth Migration
(by 2011.09.30)
Developing canvas or page tab apps?
No more “fb_sig”
Migrate to “signed_request”
Obtain SSL certificate
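For the “migrate to signed_request” step, an added example (not from the slides or from Facebook’s own libraries) of verifying a signed_request in Python. It assumes the format Facebook documented for canvas and page tab apps at the time: base64url(HMAC-SHA256 signature) + "." + base64url(JSON payload), with the signature computed over the encoded payload string using the app secret, and an “algorithm” field of "HMAC-SHA256" in the payload. The app secret, payload values and the `make_signed_request` builder are constructed for the example; in production the signed_request arrives from Facebook.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(text):
    """base64url without padding -> bytes (pad back to a multiple of 4)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_signed_request(payload, app_secret):
    """Constructed helper that builds a signed_request the way the platform
    would, so the parser below can be exercised offline."""
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload_b64


def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if the signature verifies, else None.
    Decode errors, a missing/unknown algorithm and a bad signature all fail
    closed; the signature is compared in constant time."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return payload
```

The HMAC is computed over the still-encoded payload string, not the decoded JSON, so the parser must verify before it trusts any field, including the “algorithm” value it just read, which is why an unexpected algorithm is rejected rather than dispatched on.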
59. OAuth Migration
(by 2011.09.30)
Using FB.login (or <fb:login-button>) and FB cookie?
Now “code” is in the cookie, not “access_token”
Need to exchange the code for an access token
60. OAuth Spec Updates
Using “response_type=code_and_token”?
Use “response_type=code%20token” instead