SlideShare una empresa de Scribd logo

OAuth Base Camp

Oliver Pfaff
Oliver Pfaff

This document provides an overview of OAuth and discusses its use for authorizing third-party access to individually owned web resources. OAuth defines a protocol that allows resource owners to delegate access rights to third parties in a limited, discretionary manner. It addresses the key use case of allowing applications to access user resources, such as contacts or calendar entries, while respecting the user's ownership of those resources. The document covers OAuth concepts like authorization grants, protocol endpoints, and resource request authentication, as well as extensions and adoption examples.

Tecnología
1 de 36
OAuth Base Camp Lecture, Karlsruhe Institute of Technology, 2013-05-22 Dr. Oliver Pfaff © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Preface IT-Security - A Jigsaw Puzzle with Many Pieces © iC Consult GmbH 2013 - Dr. Oliver Pfaff Authorization ▶ Today’s focus: authorization  For individually owned Web resources  Discretionally managed by their resource owners ▶ The discussed mechanism addresses a key use case  It needs to be combined with other security mechanisms to deliver sound solutions - engineered security  It needs to be implemented with care to avoid eventual breaches – secure engineering Single- Sign-On Infrastructure Authenticity Key management Threats/Risks Confidentiality User/entity authentication Coding
Contents ▶ User authorization ▶ OAuth ▶ Demonstration ▶ Key observation ▶ Generalizations  User authentication  App authentication  Grant types  Kinds of tokens  IAM styles ▶ Conclusions © iC Consult GmbH 2013 - Dr. Oliver Pfaff
User Authorization Considered Use Case ▶ Individual, access-protected resources used by third-party providers  In the interest of resource owners, adding value for them  Not: legal entity-owned resources or public resources ▶ Examples:  Post to your feed at Facebook  Get your contacts or calendar from Google  Get your location information from a mobile provider  … © iC Consult GmbH 2013 - Dr. Oliver Pfaff You Application Your resources Web container HTTP HTML HTML Web browser Your user agent Your service provider Application Web container HTML HTTP Third-party provider ,JSON,XML
User Authorization Relevance of this Use Case ▶ Web APIs are a key driver behind current innovation in the Internet  Mindset: others might have cool ideas about what could be done with your assets – facilitate their integration  Examples: Web API directory  Buzzwords: API economy, mash-ups, composite applications, REST… ▶ Ability to work with individual, access-protected resources is a key concern  With public resources only, the potential behind Web APIs would get exhausted quickly  Fundamentally important © iC Consult GmbH 2013 - Dr. Oliver Pfaff
User Authorization Coverage for this Use Case ▶ Chickens – some birds just don’t fly:  IT-security: fiddle with authentication credentials • Assign end-user credentials to clients in a mashup (which authn themselves as end-users) • Assign service provider credentials to them (which authn end-users themselves and call as super-users)  IAM: use enterprise authorization approaches • Utilize long-lived authorization policy objects established a-priori and managed out-of-band (from the browsing sessions of users)  IT-security and IAM mechanisms as known/established until mid of last decade not do the desired trick © iC Consult GmbH 2013 - Dr. Oliver Pfaff
User Authorization How to Fill the Gap? © iC Consult GmbH 2013 - Dr. Oliver Pfaff ▶ Real-world analogy: valet parking keys  Master key: all vehicle features  Valet key: opens doors, starts engine but does not open luggage/glove compartments, limits speed… ▶ Useful when trusting (discretionary powers) an attendant (third-party) to park (limited use) the own car (resource) ▶ A Web-equivalent to valet parking keys would help: means that allow owners of Web resources to delegate resource access to third-parties  in discretionary fashion  and a constrained way (time, functional scope…)
OAuth Overview ▶ OAuth defines a resource authorization protocol that allows resource owners to delegate resource access rights to third-parties in a discretionary fashion with a limited functionality, for a limited time ▶ The OAuth specifications are developed by the IETF User Authorization Protocol (oauth) working group:  The OAuth 2.0 Authorization Framework RFC 6749, 2012  The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750, 2012  An IETF URN Sub-Namespace for OAuth RFC 6755, 2012  OAuth 2.0 Threat Model and Security Considerations RFC 6819, 2013  Plus several draft documents – work-in-progress ▶ The specifications care about simple things:  How to obtain a token to access resources?  How to use such tokens? ▶ Note: in the following OAuth 2.0 is considered. The term ‘OAuth’ refers to version 2.0 by default (predecessor: The OAuth 1.0 Protocol RFC 5849, 2010) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
OAuth (Super)Simplified ▶ With 3 assumptions:  Individual, access-protected resources  Third-party consumers  HTTP ▶ in 1 sentence: 3-party resource authorization protocol allowing resource owners to delegate access rights dynamically and in-band (with their browsing sessions) ▶ and in 1 diagram: © iC Consult GmbH 2013 - Dr. Oliver Pfaff Resource owner Resource provider Resource consumer 3. Present user authz 1. Request user authz 2. Establish user authz
OAuth The First Trick – User-Managed Authorization © iC Consult GmbH 2013 - Dr. Oliver Pfaff OAuth-protected resource endpoint Resource owner Resource consumer Resource providerAuthorization server Post/Get/ Put/Delete with access_token 200 OK with <Resource> Resource client 30x Redirect with code (URL query param) Bold: objects/endpoints specified by OAuth User authn and consent dialogues : exchanges specified by OAuth Authorization endpoint 30x Redirect with scope (URL query param) Redirection endpoint Token endpoint Post with client creds, code (application/ x-www-form-urlencoded) 200 OK with access_token (application/json) Token client
OAuth A User Authentication Protocol? ▶ Resource consumers do not get information about the  Authentication (method, time, authority…) established for the current user  Identity (identifiers, attributes, affiliations…) of the current user ▶ They can not challenge for certain methods of authentication, levels of assurance…  OAuth does not define a protocol for user authentication in distributed systems (attention: this refers to the native authorization code grant shown above; things gets more subtle with OAuth extensions and additional grants) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
OAuth Core Abstractions ▶ Authorization grants: credentials that refer to resource owner’s authorization and that are presented in requests to OAuth token endpoints ▶ Protocol endpoints (RFC 6749):  Authorization endpoint  Token endpoint  Redirection endpoint ▶ Protocol messages (RFC 6749):  Authorization requests and responses - via HTTP redirection • Request parameters: response_type, scope etc. • Response parameters: code etc.  Token requests and responses • Request parameters: grant_type, scope etc. • Response parameters: access_token etc. ▶ Resource request authentication:  Bearer (RFC 6750)  MAC (draft-ietf-oauth-v2-http-mac-03.txt)  OAuth (RFC 5849) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
OAuth Extension Points ▶ Authorization grants: new grants e.g. JWT/SAML 2.0 bearer assertions defined by OAuth (draft-ietf-oauth-jwt-bearer-05.txt, draft-ietf-oauth-saml2-bearer-16.txt) ▶ Protocol endpoints: new endpoints e.g.  TokenRevocation for token revocation purposes defined by OAuth (draft-ietf- oauth-revocation-07.txt)  Introspection for discovering token metadata (draft-richer-oauth- introspection-04.txt)  TokenInfo for token validation and discovery purposes provided by e.g. Google (https://accounts.google.com/o/oauth2/tokeninfo) ▶ Protocol messages:  New messages e.g. revocation request/response defined for token revocation purposes by OAuth (draft-ietf-oauth-revocation-07.txt)  New parameters e.g. request resp. id_token in authorization request resp. authorization/token response messages defined by OIDC for user authentication purposes  New values e.g. id_token resp. profile, offline_access of the OAuth- defined response_type resp. scope parameters defined by OIDC ▶ Resource request authentication: new schemes © iC Consult GmbH 2013 - Dr. Oliver Pfaff
OAuth Revocation ▶ Of OAuth tokens:  Short-lived objects to access resources  Supporting their revocation is based on an additional endpoint and is optional (draft-ietf-oauth-revocation-07.txt implementations should support the revocation of access tokens) ▶ Of OAuth refresh tokens:  Long-lived objects to refresh OAuth tokens  Supporting their revocation is based on an additional endpoint and is optional (draft-ietf-oauth-revocation-07.txt implementations must support the revocation of refresh tokens) ▶ Of objects storing granted authorizations by end users:  Long-lived objects governing OAuth tokens/refresh tokens issuance  Such objects are not specified by OAuth. It is common practice to provide Web UIs for revoking these objects. For instance: • Google: Authorized Access to your Google Account • Facebook: App requests and activity © iC Consult GmbH 2013 - Dr. Oliver Pfaff
OAuth Adoption ▶ AT&T: AT&T APIs use OAuth 2.0 ▶ Facebook: Graph API uses OAuth 2.0 ▶ Flickr: Flickr APIs use OAuth 1.x ▶ Google: Google APIs use OAuth 2.0 ▶ LinkedIn: LinkedIn API supports OAuth 2.0 and 1.x ▶ Microsoft:  Live Connect uses OAuth 2.0,  Windows Azure esp. Windows Azure AD Access Control supports OAuth 2.0 ▶ Salesforce: Force.com and Salesforce.com APIs use OAuth 2.0 ▶ Telefonica: BlueVia APIs use OAuth 2.0 as well as OAuth 1.x ▶ Tumblr: Tumblr API uses OAuth 1.x ▶ Twitter: Twitter API uses OAuth 1.x ▶ Xing: Xing API uses OAuth 1.x ▶ Yahoo: Yahoo APIs use OAuth 1.x ▶ Yammer: Yammer APIs use OAuth 2.0 ▶ …and many others. Note that some do abstain:  Amazon Web Services: "Do you support SAML or OAuth? Not at this time…" © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Demonstration Accessing OAuth-Protected Web APIs at Google ▶ Chosen OAuth-protected resource:  User info endpoint: https://www.googleapis.com/oauth2/v1/userinfo ▶ OAuth authz server:  Token endpoint: https://accounts.google.com/o/oauth2/token  Authz endpoint: https://accounts.google.com/o/oauth2/auth ▶ Resource consumer: DIY clients embedded in an own Web application:  Servlet: GoogleConnectServlet  Embedded clients: UserInfoServiceClient, OAuthTokenServiceClient  Third-party libraries: esp. Apache HttpClient, Google GSON ▶ Demonstration approach:  Common client code prepared upfront  OAuth-specific code evolves stepwise © iC Consult GmbH 2013 - Dr. Oliver Pfaff
302 Found HTTP GetHTTP PostHTTP Get Demonstration Web APIs that Will Be Called © iC Consult GmbH 2013 - Dr. Oliver Pfaff Web browser Google Token endpoint Authorization endpoint OAuth-protected UserInfo endpoint https://accounts.google.com/ o/oauth2/auth https://www.googleapis.com/ oauth2/v1/userinfo https://accounts.google.com/ o/oauth2/token Authorization server GoogleConnectServlet UserInfo ServiceClient OAuthToken ServiceClient Redirection endpoint
Demonstration Implementation Remark ▶ To keep the code compact, the same servlet class is used to implement:  OAuth redirection endpoint: respond to subsequent requests from user agents – triggered by redirects from OAuth authorization endpoints: GET /…/GoogleConnectServlet?code=4VrjQAl…&state=79e26d… HTTP/1.1  OAuth enforcement point: respond to initial requests from user agents – triggered by user action: GET /…/GoogleConnectServlet HTTP/1.1 ▶ This results in following code skeleton: if (needsUserLogin(httpServletRequest, httpServletResponse)) { try { // Provides the OAuth redirection endpoint // Completes OAuth user authorization exchange // Conducts OAuth token and UserInfo exchanges } catch (UserAuthorizationNeededException e1) { // Provides the OAuth enforcement point // Initiates OAuth user authorization exchange } catch (OtherException e2) { // Take care } // Do work for authn user } © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Demonstration Important Links for this Example ▶ User-facing links:  Manage granted authorizations: https://accounts.google.com/b/0/IssuedAuthSubTokens ▶ Developer-facing links:  Manage Google API clients: https://code.google.com/apis/console/  Using OAuth to access Google APIs: http://code.google.com/apis/accounts/docs/OAuth2.html  User info Web API documentation: • For Web applications as callers: https://developers.google.com/accounts/docs/OAuth2Login • For AJAX clients/mobile apps as callers: https://developers.google.com/accounts/docs/OAuth2UserAgent  Cryptographic checksum validation keys (concerns ID Token objects): https://www.googleapis.com/oauth2/v1/certs © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Demonstration Ditto for Facebook ▶ User-facing links:  Manage granted authorizations: http://www.facebook.com/settings?tab=notifications&section=application_not ification ▶ Developer-facing links:  Manage Facebook API clients: https://developers.facebook.com/apps  Using OAuth to access Facebook APIs: http://developers.facebook.com/docs/reference/api/data-access/  User info Web API documentation: • For Web applications as callers: https://developers.facebook.com/docs/howtos/login/server-side-login/ • For AJAX clients/mobile apps as callers: https://developers.facebook.com/docs/howtos/login-with-facebook- using-ios-sdk/ https://developers.facebook.com/docs/getting-started/facebook-sdk-for- android/3.0/#enablesso  Cryptographic checksum validation keys: n.a. © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Key Observation Complexity Is Distributed Unevenly ▶ OAuth client complexity: small - in the example:  Resource exchange: OAuth token sent as URL query parameter  Token exchange: authorization code sent as form-encoded body parameter along with client id/secret (client authentication). OAuth token received in response body (form-factor: JSON)  Authorization exchange: client id and scopes sent and authorization code received in URL query parameters ▶ OAuth server complexity: large  OAuth client run-time: • Web APIs: OAuth-protection of resource endpoints, OAuth endpoints • Web UIs: authenticate and authorize, manage granted authorizations  OAuth client build-time: • Web APIs resp. UIs: register/manage API clients  Unlike most other security and IAM protocols, OAuth distributes complexity unevenly. This is a feature as it helps developers to integrate © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Key Observation Is Client Simplicity a Problem? ▶ No, not all tokens are the same – just as in the real-world: © iC Consult GmbH 2013 - Dr. Oliver Pfaff  Tokens issued by notaries to claim real estate: ▶ Having a variety between low and high-end mechanisms presents a value ▶ IT-security in industry is about managing risks:  One needs to understand the • value/exposure of assets • protection offered by security mechanisms  One needs to create a sound matching, not: • Secure mechanism (e.g. notary tokens) for low-value items (baggage) • Insecure mechanism (e.g. hotel tokens) for high-value items (real estate)  Tokens issued by hotels to reclaim baggage:
Generalizations – User Authentication OpenID Connect Overview ▶ OpenID Connect defines a user authentication protocol on top of OAuth 2.0:  ID token objects: JWT objects that report about authentication events  UserInfo service: RESTful service to query authenticated information about the current user; protected by OAuth ▶ The specifications are developed by the OIDF (work-in-progress):  Basic Client Profile OIDF implementers draft, 2013  Implicit Client Profile OIDF implementers draft, 2013  Messages OIDF implementers draft, 2013  Standard OIDF implementers draft, 2013  Discovery OIDF implementers draft, 2013  Dynamic Client Registration OIDF implementers draft, 2013  Session Management OIDF implementers draft, 2013 ▶ The specifications care about simple things:  How to obtain a token that asserts the authenticated identity of a caller?  How to use such tokens? ▶ False friend: OpenID Connect is no new flavor of the OpenID 2.0 protocol–it is a new protocol for user authentication in distributed systems © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Server-side transfer of state Generalizations – User Authentication The Second Trick: Server-Side SSO © iC Consult GmbH 2013 - Dr. Oliver Pfaff© iC Consult GmbH 2013 - Dr. Oliver Pfaff Web browser Authorization server Get with access_token 200 OK with30x Redirect with code User authn and consent dialogues Authorization endpoint 30x Redirect with scope Redirection endpoint Token endpoint Post with client creds, code 200 OK with access_token Token client Identity consumer Identity provider Get inputs by tokenGet inputs by code Bold: objects/endpoints specified by OIDC : exchanges specified by OIDC , id_token UserInfo (application/json) OAuth-protected UserInfo endpoint UserInfo client and value openid
Generalizations – User Authentication Abstractions Added by OpenID Connect ▶ OAuth authorization request extensions :  Parameter values e.g. id_token  Parameters to instruct on how to conduct user authentication • With a simple value: e.g. display/prompt • With a complex value: Request objects o Based on JWT (draft-ietf-oauth-json-web-token-07.txt) o Matching samlp:AuthnRequest objects with respect to purpose ▶ OAuth authorization resp. token response extensions:  Parameters to report about user authentication • With a complex value: ID token objects o Based on JWT o Matching saml:Assertion objects with respect to purpose ▶ UserInfo service:  RESTful Web service  Standard claims for UserInfo service responses © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Generalizations – User Authentication Classifying OpenID Connect ▶ OIDC is a user authentication protocol based on OAuth – others that inherit from OAuth are also feasible. Common recipe:  Expose a Web API that provides authenticated information about the current user  Protect this Web API by means of OAuth ▶ This creates the problem of telling OIDC apart from other OAuth-based user authentication protocols ▶ A protocol for federated IdM can be called OIDC iff it  utilizes OAuth 2.0 (RFC 6749) with bearer tokens (RFC 6750) according the authorization code or implicit grants  presents the value openid in the OAuth scope parameter of its OAuth authorization request messages  presents OIDC ID Token objects in either the OAuth authorization (implicit grant) or the OAuth token response messages (code grant) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Generalizations – User Authentication Examples ▶ Login with Facebook: OAuth-based user authentication protocol, not OIDC  Authorization exchange: no support of the value openid in the OAuth scope parameter (cf. Permissions for supported scope values)  Token exchange: conducted via HTTP GET, no JSON response, no ID Token objects provided ▶ Login with Google: OIDC © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Client-sidetransferofstate Generalizations – App Authentication The Third Trick: Client-Side SSO © iC Consult GmbH 2013 - Dr. Oliver Pfaff OAuth-protected resource endpoint e.g. GMail Mobile browser Resource providerAuthorization server Authorization endpoint Token endpoint Mobile device Mobile app 200 OK Feed (text/xml) Post/Get/Put/Delete with access_token User authn and consent dialogues 30x Redirects with scope, code Some mechanism to pass OAuth creds
Generalizations – App Authentication Obstacles on the Way… ▶ How to conduct user login/consent dialogues?  Rely on mobile browser  Embed WebView component  Provide own user login/consent UIs in mobile app ▶ Which grants for acquiring OAuth tokens?  Authorization code, implicit, resource owner password credentials  Refresh token  Others ▶ Which OAuth credentials to pass?  Authorization codes  Tokens ▶ How to pass OAuth credentials?  Document titles  Cookie headers  Others ▶ Care is needed - a one-size-fits-all solution for authenticating users of mobile apps and providing SSO experience to them does not yet exist © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Generalizations – Grant Types OAuth Token Acquisition ▶ RFC 6749:  Authorization code: 3-party token acquisition with authorization codes based on explicit user authorization for confidential clients (Web applications)  Implicit: 3-party token acquisition based on explicit user authorization for public clients (AJAX clients, mobile apps)  Resource owner password credentials: 2-party token acquisition based on user credentials without explicit user authorization (for migration purposes)  Client credentials: 2-party token acquisition based on client credentials without explicit user authorization  Refresh token: 2-party token acquisition based on refresh tokens without explicit user authorization ▶ Bearer profiles (IETF oauth WG drafts):  JWT/SAML 2 bearer: 2-party token acquisition based on JWT/SAML 2.0 bearer assertions (‘bearer grants’) without explicit user authorization ▶ Proprietary extension grants e.g.:  Google+ one-time-code: achieves the effects of the authorization code and implicit grants in a single flow  Microsoft ACS bearer types: predecessors of JWT/SAML 2 bearer  … © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Generalizations – Kinds of Tokens Token Zoo ▶ Purposes:  Authz purposes: access tokens, refresh tokens (RFC 6749) - tokens with defined purpose but undefined contents – implementations define contents  Authn purposes: ID tokens (OIDC) - tokens with defined purpose and contents – claims about authentication event ▶ Types:  Opaque: tokens with contents that are opaque to token consumers (resource endpoints) - coupling them to token producers  Self-contained: tokens with contents that can be processed by token consumers - decoupling token producers and consumers ▶ Security:  PoP: tokens that can only be used if accompanied by a PoP e.g. MAC tokens (draft-ietf-oauth-v2-http-mac-03.txt)  Bearer (RFC 6750): tokens that any party in possession can use in any way that other parties in possession can • False friend: bearer tokens (help to integrate by simplifying clients) vs. bearer grants (JWT/SAML 2 bearer, provide STS-style exchanges) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Generalizations – IAM Styles Enterprise vs. Consumer IAM ▶ Main IAM styles:  EIAM – IAM for enterprise users (you@work): • Resources and identity records owned by legal entities • Representatives make decisions for resource pools and groups of users  CIAM – IAM for consumer users (you@Facebook/Google/Twitter...): • Resources and identity records owned by individual users • Individuals make decisions for themselves ▶ Especially authorization is fundamentally different for these IAM styles e.g.  Different responsibilities • Administrator-managed vs. user-managed authorization  Different state engines • First-policy-then-decision-requests vs. first-decision-requests-then-policy  OAuth is rooted in the CIAM camp and is somewhat colonialistic: - 3-party exchanges are CIAM-style - they depend on explicit user consent - 2-party, STS-style exchanges (e.g. JWT/SAML 2 bearer) shift OAuth towards EIAM territory © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Conclusions ▶ The coincidence of Web APIs and consumer users provides use cases that change the game for:  IT-security: new suite of Web security means - OAuth, JOSE…  IAM: new tricks for user authorization and authentication, SSO in the Web ▶ OAuth and OIDC are already in large-scale production use  Meanwhile their development is ongoing ▶ IAM key learning: a continental divide exists between EIAM and CIAM  Mantra: don’t use EIAM hammers for CIAM nails and vice versa ▶ Beware of voodoo discussions:  Phantom pain: adding bearer tokens to OAuth is bad security-wise - there is no ‘standard meter’ in IT-security  not true  Real pain: OAuth extensions e.g. STS-style exchanges, OIDC turn a special- purpose CIAM tool into a Swiss-knife for many things – {authz, authn}, {user, app authn}, {CIAM, EIAM}  confusion is omnipresent ▶ Keys towards mastership:  Learn from implementing rather than reading – fuzzy texts around  Simple things are to be achieved – always keep this in mind © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Author ▶ Dr. Oliver Pfaff, oliver.pfaff@ic-consult.com © iC Consult GmbH 2013 - Dr. Oliver Pfaff
Abbreviations ACS Access Control Service AJAX Asynchronous JavaScript And XML API Application Programming Interface Authn Authentication Authz Authorization CIAM IAM for Consumer users DIY Do It Yourself EIAM IAM for Enterprise users HTML HyperText Markup Language HTTP HyperText Transfer Protocol IAM Identity and Access Management ID IDentity IdM Identity Management IdP Identity Provider JOSE JavaScript Object Signing and Encryption JSON JavaScript Object Notation JWT JSON Web Token OAuth Open Authorization OIDC OpenID Connect OIDF OpenID Foundation PoP Proof-of-Possession REST REpresentational State Transfer © iC Consult GmbH 2013 - Dr. Oliver Pfaff SAML Security Assertion Markup Language saml: SAML assertion syntax namespace prefix samlp: SAML protocol syntax namespace prefix SSO Single-Sign-On STS Security Token Service UI User Interface XML eXtensible Markup Language
Further Information ▶ Bertocci, Vittorio: OAuth 2.0 and Sign-In. Blog 2013 ▶ Bray, Tim: Verifying Back-End Calls from Android Apps. Blog 2013 ▶ Bray, Tim: On ID Tokens. Blog 2013 ▶ Class, Gus: Using the one-time-code flow with Google+ Sign-in. Blog 2013 ▶ Jones, Mike: The Emerging JSON-Based Identity Protocol Suite. Paper - W3C Workshop on Identity in the Browser 2011 ▶ Jones, Mike: OpenID Connect Update. Presentation - OpenID Workshop, European Identity Conference 2013 ▶ Kiani, Khash: OAuth-Securing the Insecure. Presentation 2011 ▶ Madsen, Paul: Mobile Native App-OAuth Decision Framework. Presentation 2011 ▶ N.N.: OAuth 2 for Native Apps. Wiki 2011 ▶ Richer, Justin: Auth* in the Extended Enterprise. Presentation - MIT Legal Hack- A-Thon 2013 ▶ Yegge, Steve: Stevey's Google Platforms Rant. Posting 2011 © iC Consult GmbH 2013 - Dr. Oliver Pfaff

Recomendados

OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 

Recomendados

OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization RequestsTorsten Lodderstedt
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization RequestsTorsten Lodderstedt
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSITorsten Lodderstedt
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
OAuth2
OAuth2OAuth2
OAuth2SPARK MEDIA
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 

Más contenido relacionado

La actualidad más candente

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 

La actualidad más candente (20)

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
OAuth2
OAuth2OAuth2
OAuth2
 

Similar a OAuth Base Camp

Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationChristian Glahn
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)ForgeRock
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fimArchiver
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemInductive Automation
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Cloud Foundry UAA as an Identity Gateway
Cloud Foundry UAA as an Identity GatewayCloud Foundry UAA as an Identity Gateway
Cloud Foundry UAA as an Identity GatewayVMware Tanzu
 
Introduction To Open Web Protocols
Introduction To Open Web ProtocolsIntroduction To Open Web Protocols
Introduction To Open Web ProtocolsMohan Krishnan
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
 
Perth Meetup February 2021
Perth Meetup February 2021Perth Meetup February 2021
Perth Meetup February 2021Michael Price
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit
 

Similar a OAuth Base Camp (20)

Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuth
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and Implementation
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fim
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Cloud Foundry UAA as an Identity Gateway
Cloud Foundry UAA as an Identity GatewayCloud Foundry UAA as an Identity Gateway
Cloud Foundry UAA as an Identity Gateway
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
Introduction To Open Web Protocols
Introduction To Open Web ProtocolsIntroduction To Open Web Protocols
Introduction To Open Web Protocols
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
OAuth
OAuthOAuth
OAuth
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
 
Perth Meetup February 2021
Perth Meetup February 2021Perth Meetup February 2021
Perth Meetup February 2021
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open Standards
 

Más de Oliver Pfaff

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary LifeOliver Pfaff
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Oliver Pfaff
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityOliver Pfaff
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPOliver Pfaff
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Oliver Pfaff
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareOliver Pfaff
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 

Más de Oliver Pfaff (15)

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary Life
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-Security
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAP
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health Care
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

OAuth Base Camp

  • 1. OAuth Base Camp Lecture, Karlsruhe Institute of Technology, 2013-05-22 Dr. Oliver Pfaff © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 2. Preface IT-Security - A Jigsaw Puzzle with Many Pieces © iC Consult GmbH 2013 - Dr. Oliver Pfaff Authorization ▶ Today’s focus: authorization  For individually owned Web resources  Discretionally managed by their resource owners ▶ The discussed mechanism addresses a key use case  It needs to be combined with other security mechanisms to deliver sound solutions - engineered security  It needs to be implemented with care to avoid eventual breaches – secure engineering Single- Sign-On Infrastructure Authenticity Key management Threats/Risks Confidentiality User/entity authentication Coding
  • 3. Contents ▶ User authorization ▶ OAuth ▶ Demonstration ▶ Key observation ▶ Generalizations  User authentication  App authentication  Grant types  Kinds of tokens  IAM styles ▶ Conclusions © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 4. User Authorization Considered Use Case ▶ Individual, access-protected resources used by third-party providers  In the interest of resource owners, adding value for them  Not: legal entity-owned resources or public resources ▶ Examples:  Post to your feed at Facebook  Get your contacts or calendar from Google  Get your location information from a mobile provider  … © iC Consult GmbH 2013 - Dr. Oliver Pfaff You Application Your resources Web container HTTP HTML HTML Web browser Your user agent Your service provider Application Web container HTML HTTP Third-party provider ,JSON,XML
  • 5. User Authorization Relevance of this Use Case ▶ Web APIs are a key driver behind current innovation in the Internet  Mindset: others might have cool ideas about what could be done with your assets – facilitate their integration  Examples: Web API directory  Buzzwords: API economy, mash-ups, composite applications, REST… ▶ Ability to work with individual, access-protected resources is a key concern  With public resources only, the potential behind Web APIs would get exhausted quickly  Fundamentally important © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 6. User Authorization Coverage for this Use Case ▶ Chickens – some birds just don’t fly:  IT-security: fiddle with authentication credentials • Assign end-user credentials to clients in a mashup (which authn themselves as end-users) • Assign service provider credentials to them (which authn end-users themselves and call as super-users)  IAM: use enterprise authorization approaches • Utilize long-lived authorization policy objects established a-priori and managed out-of-band (from the browsing sessions of users)  IT-security and IAM mechanisms as known/established until mid of last decade not do the desired trick © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 7. User Authorization How to Fill the Gap? © iC Consult GmbH 2013 - Dr. Oliver Pfaff ▶ Real-world analogy: valet parking keys  Master key: all vehicle features  Valet key: opens doors, starts engine but does not open luggage/glove compartments, limits speed… ▶ Useful when trusting (discretionary powers) an attendant (third-party) to park (limited use) the own car (resource) ▶ A Web-equivalent to valet parking keys would help: means that allow owners of Web resources to delegate resource access to third-parties  in discretionary fashion  and a constrained way (time, functional scope…)
  • 8. OAuth Overview ▶ OAuth defines a resource authorization protocol that allows resource owners to delegate resource access rights to third-parties in a discretionary fashion with a limited functionality, for a limited time ▶ The OAuth specifications are developed by the IETF User Authorization Protocol (oauth) working group:  The OAuth 2.0 Authorization Framework RFC 6749, 2012  The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750, 2012  An IETF URN Sub-Namespace for OAuth RFC 6755, 2012  OAuth 2.0 Threat Model and Security Considerations RFC 6819, 2013  Plus several draft documents – work-in-progress ▶ The specifications care about simple things:  How to obtain a token to access resources?  How to use such tokens? ▶ Note: in the following OAuth 2.0 is considered. The term ‘OAuth’ refers to version 2.0 by default (predecessor: The OAuth 1.0 Protocol RFC 5849, 2010) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 9. OAuth (Super)Simplified ▶ With 3 assumptions:  Individual, access-protected resources  Third-party consumers  HTTP ▶ in 1 sentence: 3-party resource authorization protocol allowing resource owners to delegate access rights dynamically and in-band (with their browsing sessions) ▶ and in 1 diagram: © iC Consult GmbH 2013 - Dr. Oliver Pfaff Resource owner Resource provider Resource consumer 3. Present user authz 1. Request user authz 2. Establish user authz
  • 10. OAuth The First Trick – User-Managed Authorization © iC Consult GmbH 2013 - Dr. Oliver Pfaff OAuth-protected resource endpoint Resource owner Resource consumer Resource providerAuthorization server Post/Get/ Put/Delete with access_token 200 OK with <Resource> Resource client 30x Redirect with code (URL query param) Bold: objects/endpoints specified by OAuth User authn and consent dialogues : exchanges specified by OAuth Authorization endpoint 30x Redirect with scope (URL query param) Redirection endpoint Token endpoint Post with client creds, code (application/ x-www-form-urlencoded) 200 OK with access_token (application/json) Token client
  • 11. OAuth A User Authentication Protocol? ▶ Resource consumers do not get information about the  Authentication (method, time, authority…) established for the current user  Identity (identifiers, attributes, affiliations…) of the current user ▶ They can not challenge for certain methods of authentication, levels of assurance…  OAuth does not define a protocol for user authentication in distributed systems (attention: this refers to the native authorization code grant shown above; things gets more subtle with OAuth extensions and additional grants) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 12. OAuth Core Abstractions ▶ Authorization grants: credentials that refer to resource owner’s authorization and that are presented in requests to OAuth token endpoints ▶ Protocol endpoints (RFC 6749):  Authorization endpoint  Token endpoint  Redirection endpoint ▶ Protocol messages (RFC 6749):  Authorization requests and responses - via HTTP redirection • Request parameters: response_type, scope etc. • Response parameters: code etc.  Token requests and responses • Request parameters: grant_type, scope etc. • Response parameters: access_token etc. ▶ Resource request authentication:  Bearer (RFC 6750)  MAC (draft-ietf-oauth-v2-http-mac-03.txt)  OAuth (RFC 5849) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 13. OAuth Extension Points ▶ Authorization grants: new grants e.g. JWT/SAML 2.0 bearer assertions defined by OAuth (draft-ietf-oauth-jwt-bearer-05.txt, draft-ietf-oauth-saml2-bearer-16.txt) ▶ Protocol endpoints: new endpoints e.g.  TokenRevocation for token revocation purposes defined by OAuth (draft-ietf- oauth-revocation-07.txt)  Introspection for discovering token metadata (draft-richer-oauth- introspection-04.txt)  TokenInfo for token validation and discovery purposes provided by e.g. Google (https://accounts.google.com/o/oauth2/tokeninfo) ▶ Protocol messages:  New messages e.g. revocation request/response defined for token revocation purposes by OAuth (draft-ietf-oauth-revocation-07.txt)  New parameters e.g. request resp. id_token in authorization request resp. authorization/token response messages defined by OIDC for user authentication purposes  New values e.g. id_token resp. profile, offline_access of the OAuth- defined response_type resp. scope parameters defined by OIDC ▶ Resource request authentication: new schemes © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 14. OAuth Revocation ▶ Of OAuth tokens:  Short-lived objects to access resources  Supporting their revocation is based on an additional endpoint and is optional (draft-ietf-oauth-revocation-07.txt implementations should support the revocation of access tokens) ▶ Of OAuth refresh tokens:  Long-lived objects to refresh OAuth tokens  Supporting their revocation is based on an additional endpoint and is optional (draft-ietf-oauth-revocation-07.txt implementations must support the revocation of refresh tokens) ▶ Of objects storing granted authorizations by end users:  Long-lived objects governing OAuth tokens/refresh tokens issuance  Such objects are not specified by OAuth. It is common practice to provide Web UIs for revoking these objects. For instance: • Google: Authorized Access to your Google Account • Facebook: App requests and activity © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 15. OAuth Adoption ▶ AT&T: AT&T APIs use OAuth 2.0 ▶ Facebook: Graph API uses OAuth 2.0 ▶ Flickr: Flickr APIs use OAuth 1.x ▶ Google: Google APIs use OAuth 2.0 ▶ LinkedIn: LinkedIn API supports OAuth 2.0 and 1.x ▶ Microsoft:  Live Connect uses OAuth 2.0,  Windows Azure esp. Windows Azure AD Access Control supports OAuth 2.0 ▶ Salesforce: Force.com and Salesforce.com APIs use OAuth 2.0 ▶ Telefonica: BlueVia APIs use OAuth 2.0 as well as OAuth 1.x ▶ Tumblr: Tumblr API uses OAuth 1.x ▶ Twitter: Twitter API uses OAuth 1.x ▶ Xing: Xing API uses OAuth 1.x ▶ Yahoo: Yahoo APIs use OAuth 1.x ▶ Yammer: Yammer APIs use OAuth 2.0 ▶ …and many others. Note that some do abstain:  Amazon Web Services: "Do you support SAML or OAuth? Not at this time…" © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 16. Demonstration Accessing OAuth-Protected Web APIs at Google ▶ Chosen OAuth-protected resource:  User info endpoint: https://www.googleapis.com/oauth2/v1/userinfo ▶ OAuth authz server:  Token endpoint: https://accounts.google.com/o/oauth2/token  Authz endpoint: https://accounts.google.com/o/oauth2/auth ▶ Resource consumer: DIY clients embedded in an own Web application:  Servlet: GoogleConnectServlet  Embedded clients: UserInfoServiceClient, OAuthTokenServiceClient  Third-party libraries: esp. Apache HttpClient, Google GSON ▶ Demonstration approach:  Common client code prepared upfront  OAuth-specific code evolves stepwise © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 17. 302 Found HTTP GetHTTP PostHTTP Get Demonstration Web APIs that Will Be Called © iC Consult GmbH 2013 - Dr. Oliver Pfaff Web browser Google Token endpoint Authorization endpoint OAuth-protected UserInfo endpoint https://accounts.google.com/ o/oauth2/auth https://www.googleapis.com/ oauth2/v1/userinfo https://accounts.google.com/ o/oauth2/token Authorization server GoogleConnectServlet UserInfo ServiceClient OAuthToken ServiceClient Redirection endpoint
  • 18. Demonstration Implementation Remark ▶ To keep the code compact, the same servlet class is used to implement:  OAuth redirection endpoint: respond to subsequent requests from user agents – triggered by redirects from OAuth authorization endpoints: GET /…/GoogleConnectServlet?code=4VrjQAl…&state=79e26d… HTTP/1.1  OAuth enforcement point: respond to initial requests from user agents – triggered by user action: GET /…/GoogleConnectServlet HTTP/1.1 ▶ This results in following code skeleton: if (needsUserLogin(httpServletRequest, httpServletResponse)) { try { // Provides the OAuth redirection endpoint // Completes OAuth user authorization exchange // Conducts OAuth token and UserInfo exchanges } catch (UserAuthorizationNeededException e1) { // Provides the OAuth enforcement point // Initiates OAuth user authorization exchange } catch (OtherException e2) { // Take care } // Do work for authn user } © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 19. Demonstration Important Links for this Example ▶ User-facing links:  Manage granted authorizations: https://accounts.google.com/b/0/IssuedAuthSubTokens ▶ Developer-facing links:  Manage Google API clients: https://code.google.com/apis/console/  Using OAuth to access Google APIs: http://code.google.com/apis/accounts/docs/OAuth2.html  User info Web API documentation: • For Web applications as callers: https://developers.google.com/accounts/docs/OAuth2Login • For AJAX clients/mobile apps as callers: https://developers.google.com/accounts/docs/OAuth2UserAgent  Cryptographic checksum validation keys (concerns ID Token objects): https://www.googleapis.com/oauth2/v1/certs © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 20. Demonstration Ditto for Facebook ▶ User-facing links:  Manage granted authorizations: http://www.facebook.com/settings?tab=notifications&section=application_not ification ▶ Developer-facing links:  Manage Facebook API clients: https://developers.facebook.com/apps  Using OAuth to access Facebook APIs: http://developers.facebook.com/docs/reference/api/data-access/  User info Web API documentation: • For Web applications as callers: https://developers.facebook.com/docs/howtos/login/server-side-login/ • For AJAX clients/mobile apps as callers: https://developers.facebook.com/docs/howtos/login-with-facebook- using-ios-sdk/ https://developers.facebook.com/docs/getting-started/facebook-sdk-for- android/3.0/#enablesso  Cryptographic checksum validation keys: n.a. © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 21. Key Observation Complexity Is Distributed Unevenly ▶ OAuth client complexity: small - in the example:  Resource exchange: OAuth token sent as URL query parameter  Token exchange: authorization code sent as form-encoded body parameter along with client id/secret (client authentication). OAuth token received in response body (form-factor: JSON)  Authorization exchange: client id and scopes sent and authorization code received in URL query parameters ▶ OAuth server complexity: large  OAuth client run-time: • Web APIs: OAuth-protection of resource endpoints, OAuth endpoints • Web UIs: authenticate and authorize, manage granted authorizations  OAuth client build-time: • Web APIs resp. UIs: register/manage API clients  Unlike most other security and IAM protocols, OAuth distributes complexity unevenly. This is a feature as it helps developers to integrate © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 22. Key Observation Is Client Simplicity a Problem? ▶ No, not all tokens are the same – just as in the real-world: © iC Consult GmbH 2013 - Dr. Oliver Pfaff  Tokens issued by notaries to claim real estate: ▶ Having a variety between low and high-end mechanisms presents a value ▶ IT-security in industry is about managing risks:  One needs to understand the • value/exposure of assets • protection offered by security mechanisms  One needs to create a sound matching, not: • Secure mechanism (e.g. notary tokens) for low-value items (baggage) • Insecure mechanism (e.g. hotel tokens) for high-value items (real estate)  Tokens issued by hotels to reclaim baggage:
  • 23. Generalizations – User Authentication OpenID Connect Overview ▶ OpenID Connect defines a user authentication protocol on top of OAuth 2.0:  ID token objects: JWT objects that report about authentication events  UserInfo service: RESTful service to query authenticated information about the current user; protected by OAuth ▶ The specifications are developed by the OIDF (work-in-progress):  Basic Client Profile OIDF implementers draft, 2013  Implicit Client Profile OIDF implementers draft, 2013  Messages OIDF implementers draft, 2013  Standard OIDF implementers draft, 2013  Discovery OIDF implementers draft, 2013  Dynamic Client Registration OIDF implementers draft, 2013  Session Management OIDF implementers draft, 2013 ▶ The specifications care about simple things:  How to obtain a token that asserts the authenticated identity of a caller?  How to use such tokens? ▶ False friend: OpenID Connect is no new flavor of the OpenID 2.0 protocol–it is a new protocol for user authentication in distributed systems © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 24. Server-side transfer of state Generalizations – User Authentication The Second Trick: Server-Side SSO © iC Consult GmbH 2013 - Dr. Oliver Pfaff© iC Consult GmbH 2013 - Dr. Oliver Pfaff Web browser Authorization server Get with access_token 200 OK with30x Redirect with code User authn and consent dialogues Authorization endpoint 30x Redirect with scope Redirection endpoint Token endpoint Post with client creds, code 200 OK with access_token Token client Identity consumer Identity provider Get inputs by tokenGet inputs by code Bold: objects/endpoints specified by OIDC : exchanges specified by OIDC , id_token UserInfo (application/json) OAuth-protected UserInfo endpoint UserInfo client and value openid
  • 25. Generalizations – User Authentication Abstractions Added by OpenID Connect ▶ OAuth authorization request extensions :  Parameter values e.g. id_token  Parameters to instruct on how to conduct user authentication • With a simple value: e.g. display/prompt • With a complex value: Request objects o Based on JWT (draft-ietf-oauth-json-web-token-07.txt) o Matching samlp:AuthnRequest objects with respect to purpose ▶ OAuth authorization resp. token response extensions:  Parameters to report about user authentication • With a complex value: ID token objects o Based on JWT o Matching saml:Assertion objects with respect to purpose ▶ UserInfo service:  RESTful Web service  Standard claims for UserInfo service responses © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 26. Generalizations – User Authentication Classifying OpenID Connect ▶ OIDC is a user authentication protocol based on OAuth – others that inherit from OAuth are also feasible. Common recipe:  Expose a Web API that provides authenticated information about the current user  Protect this Web API by means of OAuth ▶ This creates the problem of telling OIDC apart from other OAuth-based user authentication protocols ▶ A protocol for federated IdM can be called OIDC iff it  utilizes OAuth 2.0 (RFC 6749) with bearer tokens (RFC 6750) according the authorization code or implicit grants  presents the value openid in the OAuth scope parameter of its OAuth authorization request messages  presents OIDC ID Token objects in either the OAuth authorization (implicit grant) or the OAuth token response messages (code grant) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 27. Generalizations – User Authentication Examples ▶ Login with Facebook: OAuth-based user authentication protocol, not OIDC  Authorization exchange: no support of the value openid in the OAuth scope parameter (cf. Permissions for supported scope values)  Token exchange: conducted via HTTP GET, no JSON response, no ID Token objects provided ▶ Login with Google: OIDC © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 28. Client-sidetransferofstate Generalizations – App Authentication The Third Trick: Client-Side SSO © iC Consult GmbH 2013 - Dr. Oliver Pfaff OAuth-protected resource endpoint e.g. GMail Mobile browser Resource providerAuthorization server Authorization endpoint Token endpoint Mobile device Mobile app 200 OK Feed (text/xml) Post/Get/Put/Delete with access_token User authn and consent dialogues 30x Redirects with scope, code Some mechanism to pass OAuth creds
  • 29. Generalizations – App Authentication Obstacles on the Way… ▶ How to conduct user login/consent dialogues?  Rely on mobile browser  Embed WebView component  Provide own user login/consent UIs in mobile app ▶ Which grants for acquiring OAuth tokens?  Authorization code, implicit, resource owner password credentials  Refresh token  Others ▶ Which OAuth credentials to pass?  Authorization codes  Tokens ▶ How to pass OAuth credentials?  Document titles  Cookie headers  Others ▶ Care is needed - a one-size-fits-all solution for authenticating users of mobile apps and providing SSO experience to them does not yet exist © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 30. Generalizations – Grant Types OAuth Token Acquisition ▶ RFC 6749:  Authorization code: 3-party token acquisition with authorization codes based on explicit user authorization for confidential clients (Web applications)  Implicit: 3-party token acquisition based on explicit user authorization for public clients (AJAX clients, mobile apps)  Resource owner password credentials: 2-party token acquisition based on user credentials without explicit user authorization (for migration purposes)  Client credentials: 2-party token acquisition based on client credentials without explicit user authorization  Refresh token: 2-party token acquisition based on refresh tokens without explicit user authorization ▶ Bearer profiles (IETF oauth WG drafts):  JWT/SAML 2 bearer: 2-party token acquisition based on JWT/SAML 2.0 bearer assertions (‘bearer grants’) without explicit user authorization ▶ Proprietary extension grants e.g.:  Google+ one-time-code: achieves the effects of the authorization code and implicit grants in a single flow  Microsoft ACS bearer types: predecessors of JWT/SAML 2 bearer  … © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 31. Generalizations – Kinds of Tokens Token Zoo ▶ Purposes:  Authz purposes: access tokens, refresh tokens (RFC 6749) - tokens with defined purpose but undefined contents – implementations define contents  Authn purposes: ID tokens (OIDC) - tokens with defined purpose and contents – claims about authentication event ▶ Types:  Opaque: tokens with contents that are opaque to token consumers (resource endpoints) - coupling them to token producers  Self-contained: tokens with contents that can be processed by token consumers - decoupling token producers and consumers ▶ Security:  PoP: tokens that can only be used if accompanied by a PoP e.g. MAC tokens (draft-ietf-oauth-v2-http-mac-03.txt)  Bearer (RFC 6750): tokens that any party in possession can use in any way that other parties in possession can • False friend: bearer tokens (help to integrate by simplifying clients) vs. bearer grants (JWT/SAML 2 bearer, provide STS-style exchanges) © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 32. Generalizations – IAM Styles Enterprise vs. Consumer IAM ▶ Main IAM styles:  EIAM – IAM for enterprise users (you@work): • Resources and identity records owned by legal entities • Representatives make decisions for resource pools and groups of users  CIAM – IAM for consumer users (you@Facebook/Google/Twitter...): • Resources and identity records owned by individual users • Individuals make decisions for themselves ▶ Especially authorization is fundamentally different for these IAM styles e.g.  Different responsibilities • Administrator-managed vs. user-managed authorization  Different state engines • First-policy-then-decision-requests vs. first-decision-requests-then-policy  OAuth is rooted in the CIAM camp and is somewhat colonialistic: - 3-party exchanges are CIAM-style - they depend on explicit user consent - 2-party, STS-style exchanges (e.g. JWT/SAML 2 bearer) shift OAuth towards EIAM territory © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 33. Conclusions ▶ The coincidence of Web APIs and consumer users provides use cases that change the game for:  IT-security: new suite of Web security means - OAuth, JOSE…  IAM: new tricks for user authorization and authentication, SSO in the Web ▶ OAuth and OIDC are already in large-scale production use  Meanwhile their development is ongoing ▶ IAM key learning: a continental divide exists between EIAM and CIAM  Mantra: don’t use EIAM hammers for CIAM nails and vice versa ▶ Beware of voodoo discussions:  Phantom pain: adding bearer tokens to OAuth is bad security-wise - there is no ‘standard meter’ in IT-security  not true  Real pain: OAuth extensions e.g. STS-style exchanges, OIDC turn a special- purpose CIAM tool into a Swiss-knife for many things – {authz, authn}, {user, app authn}, {CIAM, EIAM}  confusion is omnipresent ▶ Keys towards mastership:  Learn from implementing rather than reading – fuzzy texts around  Simple things are to be achieved – always keep this in mind © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 34. Author ▶ Dr. Oliver Pfaff, oliver.pfaff@ic-consult.com © iC Consult GmbH 2013 - Dr. Oliver Pfaff
  • 35. Abbreviations ACS Access Control Service AJAX Asynchronous JavaScript And XML API Application Programming Interface Authn Authentication Authz Authorization CIAM IAM for Consumer users DIY Do It Yourself EIAM IAM for Enterprise users HTML HyperText Markup Language HTTP HyperText Transfer Protocol IAM Identity and Access Management ID IDentity IdM Identity Management IdP Identity Provider JOSE JavaScript Object Signing and Encryption JSON JavaScript Object Notation JWT JSON Web Token OAuth Open Authorization OIDC OpenID Connect OIDF OpenID Foundation PoP Proof-of-Possession REST REpresentational State Transfer © iC Consult GmbH 2013 - Dr. Oliver Pfaff SAML Security Assertion Markup Language saml: SAML assertion syntax namespace prefix samlp: SAML protocol syntax namespace prefix SSO Single-Sign-On STS Security Token Service UI User Interface XML eXtensible Markup Language
  • 36. Further Information ▶ Bertocci, Vittorio: OAuth 2.0 and Sign-In. Blog 2013 ▶ Bray, Tim: Verifying Back-End Calls from Android Apps. Blog 2013 ▶ Bray, Tim: On ID Tokens. Blog 2013 ▶ Class, Gus: Using the one-time-code flow with Google+ Sign-in. Blog 2013 ▶ Jones, Mike: The Emerging JSON-Based Identity Protocol Suite. Paper - W3C Workshop on Identity in the Browser 2011 ▶ Jones, Mike: OpenID Connect Update. Presentation - OpenID Workshop, European Identity Conference 2013 ▶ Kiani, Khash: OAuth-Securing the Insecure. Presentation 2011 ▶ Madsen, Paul: Mobile Native App-OAuth Decision Framework. Presentation 2011 ▶ N.N.: OAuth 2 for Native Apps. Wiki 2011 ▶ Richer, Justin: Auth* in the Extended Enterprise. Presentation - MIT Legal Hack- A-Thon 2013 ▶ Yegge, Steve: Stevey's Google Platforms Rant. Posting 2011 © iC Consult GmbH 2013 - Dr. Oliver Pfaff