Summary of OAuth 2.0 memo
(based on the draft 8 spec)

2010/06/20
=ritou
Warning!

- This document is a summary of the OAuth 2.0 spec at Draft 8.
Overview

- Client Type and Profile
- Endpoint
- Resource Access
Client Type and Profile

- 4 client types
  - Web Servers
  - User-Agents
  - Native Applications
  - Autonomous Clients
Web Server Profile

[Diagram: characters are User-Agent, AuthZ Server, Web Client, Protected Resource]

- Client Credential
  - Client ID
  - Client Secret
- Facebook
- Difference from OAuth 1.0a
  - No Request Token
User-Agent Profile

[Diagram: characters are User-Agent, AuthZ Server, Client in Browser, Protected Resource]

- Client on User-Agent
  - Twitter: @anywhere
  - Facebook: JavaScript-Based Authentication
- Client Credential
  - Client ID
- Access Token as URI Fragment Identifier
Native Applications

- External User-Agent: UA Profile
  - Use custom URI scheme
  - Polling UA window
- Embedded User-Agent
  - Check URL Redirection
- Prompt for user credential
  - ID/PW to Access Token
    - (Username and Password Flow)
Autonomous Clients

- Clients = Resource Owner
  - (Client Credential Profile)
- Existing Trust Relationship / Framework
  - (Assertion Profile)
Client credential

- Client credential
  - client identifier
  - client secret (optional)
- AuthN schemes
  - Request parameters
  - HTTP Basic authN
Endpoint

- End-user authZ endpoint: Indirect Communication
  - Obtaining End-User Authorization
- Token Endpoint: Direct Communication
  - Authorization Code to Access Token
  - Resource Owner Credentials to Access Token
  - Assertion to Access Token
  - Refresh Token
End-user authZ endpoint

- Request format
  - HTTP GET
- Request params
  - type, client_id, redirect_uri, state, scope
  - Proposal to use request_url parameter
    - Request by Reference ver.1.0 for OAuth 2.0
End-user authZ endpoint

- Response format
  - type = web_server: query parameters
  - type = user_agent: URI fragment identifier
- Response params
  - type = web_server: code, state
  - type = user_agent: access_token, expires_in, state
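The two slides above describe the end-user authorization endpoint from the client's side: a GET with type, client_id, redirect_uri, state and scope, answered by a redirect that carries code and state in the query (type = web_server) or access_token, expires_in and state in the fragment (type = user_agent). The following is an added example, not code from the slides or from ritou: it builds that request and validates the redirect, including the state check that binds the response to the session that started it. The endpoint URL, client_id, redirect_uri, scope and token values are constructed sample values.

```python
"""Added example: client side of the draft-8 end-user authorization endpoint.

Assumptions (not from the slides): endpoint, client_id, redirect_uri and
scope below are constructed sample values; the parameter names are the ones
the slides list for draft 8.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorization_url(endpoint, client_type, client_id, redirect_uri, scope=None):
    """Return (url, state).

    state is a fresh random value the client keeps in its session and later
    compares against the value echoed back in the redirect.
    """
    if client_type not in ("web_server", "user_agent"):
        raise ValueError("unknown type: %r" % client_type)
    state = secrets.token_urlsafe(16)
    params = {
        "type": client_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return endpoint + "?" + urlencode(params), state


def parse_authorization_response(client_type, redirected_url, expected_state):
    """Extract the grant from the URL the user-agent was redirected to.

    type=web_server: code and state arrive in the query string and reach the
    web client's server.
    type=user_agent: access_token, expires_in and state arrive in the
    fragment, which stays in the browser and is read by the client script.
    Raises ValueError when state is absent or does not match the session.
    """
    parts = urlsplit(redirected_url)
    raw = parts.query if client_type == "web_server" else parts.fragment
    # parse_qs yields lists; keep the first value of each parameter
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response is not bound to this session")

    if client_type == "web_server":
        if "code" not in fields:
            raise ValueError("missing code")
        return {"code": fields["code"], "state": fields["state"]}

    if "access_token" not in fields:
        raise ValueError("missing access_token")
    result = {"access_token": fields["access_token"], "state": fields["state"]}
    if "expires_in" in fields:
        result["expires_in"] = int(fields["expires_in"])
    return result


if __name__ == "__main__":
    # constructed sample round trip for the web_server type
    url, state = build_authorization_url(
        "https://as.example/authorize", "web_server",
        "s6BhdRkqt3", "https://client.example/cb", "read")
    print(url)
    back = "https://client.example/cb?code=i1WsRn1uB1&state=" + state
    print(parse_authorization_response("web_server", back, state))
```

The parser reads the query or the fragment depending on the type the client asked for, never both, so a token that was meant to stay in the browser is not accidentally accepted from the query string of a server-side request.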
Token endpoint

- Request format
  - HTTP POST
- Request params
  - Client credential + grant-specific params
  - grant_type, scope
    - code, redirect_uri
    - username, password
    - assertion_type, assertion
  - refresh_token
Token endpoint

- Response format
  - JSON
- Response params
  - access_token, expires_in, refresh_token, scope
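The "Client credential" slide and the two token endpoint slides describe the direct exchange: a POST carrying the client credential (as request parameters or HTTP Basic), grant_type, and the parameters that grant type needs, answered with a JSON object of access_token, expires_in, refresh_token and scope. The following is an added example, not code from the slides or from ritou, showing the authorization server's side: authenticating the client by either scheme (but not both at once, and with a constant-time secret comparison), checking the grant-specific parameters, and redeeming an authorization code exactly once, bound to the client and redirect_uri it was issued for. The client table, the issued-code table and the sample identifiers are constructed; the grant_type values are the draft-era names as this author reads them, and the error strings are this example's own labels, not the draft's error codes.

```python
"""Added example: authorization-server handling of a draft-8 style token request.

Assumptions (not from the slides): CLIENTS and ISSUED_CODES are constructed
sample tables; grant_type values are the draft-era names as read by this
example's author; TokenError labels are this example's own.
"""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs

# constructed registry: client_id -> client_secret (None = no secret issued)
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV", "publicapp01": None}

# constructed store of unredeemed authorization codes, each bound to the
# client and redirect_uri used when it was issued
ISSUED_CODES = {
    "i1WsRn1uB1": {"client_id": "s6BhdRkqt3",
                   "redirect_uri": "https://client.example/cb",
                   "scope": "read"},
}

# grant-specific parameters the slide lists, keyed by grant_type
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "password": ("username", "password"),
    "assertion": ("assertion_type", "assertion"),
    "refresh_token": ("refresh_token",),
    "none": (),
}


class TokenError(Exception):
    """Raised with a short label when the request must be rejected."""


def basic_header(client_id, client_secret):
    """Build the HTTP Basic Authorization header for a client credential."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def authenticate_client(headers, params):
    """Accept the credential as HTTP Basic or as request parameters, never both."""
    auth = headers.get("Authorization", "")
    from_basic = None
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raise TokenError("invalid_client")
        if ":" not in decoded:
            raise TokenError("invalid_client")
        from_basic = tuple(decoded.split(":", 1))
    if from_basic and ("client_id" in params or "client_secret" in params):
        raise TokenError("invalid_request")  # two schemes in one request
    client_id, secret = from_basic or (params.get("client_id"), params.get("client_secret"))
    if client_id not in CLIENTS:
        raise TokenError("invalid_client")
    expected = CLIENTS[client_id]
    if expected is not None:
        # constant-time comparison so a wrong secret is not distinguishable by timing
        if secret is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            raise TokenError("invalid_client")
    elif secret is not None:
        raise TokenError("invalid_client")  # no secret registered for this client
    return client_id


def redeem_authorization_code(client_id, params):
    """One-time redemption: pop the code first so a mismatch still burns it."""
    record = ISSUED_CODES.pop(params["code"], None)
    if record is None or record["client_id"] != client_id:
        raise TokenError("invalid_grant")
    if record["redirect_uri"] != params["redirect_uri"]:
        raise TokenError("invalid_grant")
    return record["scope"]


def handle_token_request(method, headers, body):
    """Return the token response as a dict, or raise TokenError."""
    if method != "POST":
        raise TokenError("invalid_request")
    params = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = authenticate_client(headers, params)
    grant_type = params.get("grant_type")
    if grant_type not in REQUIRED_BY_GRANT:
        raise TokenError("unsupported_grant_type")
    if any(p not in params for p in REQUIRED_BY_GRANT[grant_type]):
        raise TokenError("invalid_request")
    if grant_type != "authorization_code":
        # this example server only issues tokens for the authorization code
        # grant; the other grants need their own verification logic
        raise TokenError("unsupported_grant_type")
    scope = redeem_authorization_code(client_id, params)
    return {
        "access_token": secrets.token_urlsafe(24),
        "expires_in": 3600,
        "refresh_token": secrets.token_urlsafe(24),
        "scope": scope,
    }


def token_response_body(response):
    """Serialize the response dict as the JSON body the slide describes."""
    return json.dumps(response)
```

Popping the code before any check means a code presented by the wrong client or with the wrong redirect_uri is invalidated rather than left for a second attempt.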
Accessing a Protected Resource

- Params
  - Access Token
- Method
  - The Authorization Request Header Field
  - URI Query Parameter
  - Form-Encoded Body Parameter
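The slide lists three places a client may put the access token when calling a protected resource. The following is an added example, not code from the slides or from ritou, showing the resource server's side: locating the token in the Authorization header, the URI query, or the form-encoded body, rejecting a request that presents it in more than one place, and checking the token against a table of issued tokens and their scopes. The OAuth authorization scheme and the oauth_token parameter name are the draft-era conventions as this author reads them, and the token table is constructed.

```python
"""Added example: resource-server extraction and check of the access token.

Assumptions (not from the slides): the "OAuth" header scheme and the
oauth_token parameter name follow the draft-era spec as read by this
example's author; ACTIVE_TOKENS is a constructed sample table.
"""
from urllib.parse import parse_qs, urlsplit

# constructed table of live access tokens -> granted scopes
ACTIVE_TOKENS = {"vF9dft4qmT": {"read"}}

FORM = "application/x-www-form-urlencoded"


class ResourceError(Exception):
    """Raised with a short reason when the request must be refused."""


def extract_access_token(url, headers, body=""):
    """Return (token, method) or (None, None); refuse multiple presentations."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = []

    auth = h.get("authorization", "")
    if auth.startswith("OAuth "):
        found.append(("header", auth[6:].strip()))

    query = parse_qs(urlsplit(url).query)
    if "oauth_token" in query:
        found.append(("query", query["oauth_token"][0]))

    # the body form is only meaningful for a single-part form-encoded entity
    if body and h.get("content-type", "").split(";")[0].strip() == FORM:
        fields = parse_qs(body)
        if "oauth_token" in fields:
            found.append(("body", fields["oauth_token"][0]))

    if not found:
        return None, None
    if len(found) > 1:
        raise ResourceError("token presented by more than one method")
    method, token = found[0]
    return token, method


def authorize_request(url, headers, body="", required_scope="read"):
    """Check the request carries a live token with the needed scope.

    Returns the presentation method used, so the server can log or restrict
    it (for example, accept the query form only over TLS-protected paths).
    """
    token, method = extract_access_token(url, headers, body)
    if token is None:
        raise ResourceError("no access token")
    scopes = ACTIVE_TOKENS.get(token)
    if scopes is None:
        raise ResourceError("invalid token")
    if required_scope not in scopes:
        raise ResourceError("insufficient scope")
    return method


if __name__ == "__main__":
    print(authorize_request("https://rs.example/resource",
                            {"Authorization": "OAuth vF9dft4qmT"}))
```

Refusing a request that carries the token in two places avoids the ambiguity of deciding which one the client meant, the same rule the draft applies to the client credential at the token endpoint.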
OLD SPEC
Username and Password Profile

[Diagram: characters are End-User, AuthZ Server, Client, Protected Resource]

- Like Twitter xAuth
Client Credentials Profile

[Diagram: characters are AuthZ Server, Client, Protected Resource]

- Like OAuth Consumer Request (2-legged OAuth Request)
Assertion Profile

[Diagram: characters are AuthZ Server, Client, Protected Resource]

- SAML etc.

Más contenido relacionado

La actualidad más candente

Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 

La actualidad más candente (20)

Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 

Similar a Summary of OAuth 2.0 draft 8 memo

Ritou idcon7
Ritou idcon7Ritou idcon7
Ritou idcon7Ryo Ito
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladoresLuis Ruiz Pavón
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCloudIDSummit
 

Similar a Summary of OAuth 2.0 draft 8 memo (20)

Ritou idcon7
Ritou idcon7Ritou idcon7
Ritou idcon7
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth2
OAuth2OAuth2
OAuth2
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 

Más de Ryo Ito

安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1Ryo Ito
 
idcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirectidcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirectRyo Ito
 
OpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiOpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiRyo Ito
 
Idcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF ProtectionIdcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF ProtectionRyo Ito
 
YAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectYAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectRyo Ito
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いRyo Ito
 
#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor authRyo Ito
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Ryo Ito
 
OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1Ryo Ito
 
Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1Ryo Ito
 
BackplaneProtocol超入門
BackplaneProtocol超入門BackplaneProtocol超入門
BackplaneProtocol超入門Ryo Ito
 
UserManagedAccess_idcon13
UserManagedAccess_idcon13UserManagedAccess_idcon13
UserManagedAccess_idcon13Ryo Ito
 
WebIntents × SNS
WebIntents × SNSWebIntents × SNS
WebIntents × SNSRyo Ito
 
Idcon11 implicit demo
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demoRyo Ito
 
OpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoOpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoRyo Ito
 
The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9Ryo Ito
 
OAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationOAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationRyo Ito
 
OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj Ryo Ito
 
Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1Ryo Ito
 
0905xx Hybrid Memo
0905xx Hybrid Memo0905xx Hybrid Memo
0905xx Hybrid MemoRyo Ito
 

Más de Ryo Ito (20)

安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1
 
idcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirectidcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirect
 
OpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiOpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixi
 
Idcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF ProtectionIdcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF Protection
 
YAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectYAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID Connect
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来い
 
#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
 
OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1
 
Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1
 
BackplaneProtocol超入門
BackplaneProtocol超入門BackplaneProtocol超入門
BackplaneProtocol超入門
 
UserManagedAccess_idcon13
UserManagedAccess_idcon13UserManagedAccess_idcon13
UserManagedAccess_idcon13
 
WebIntents × SNS
WebIntents × SNSWebIntents × SNS
WebIntents × SNS
 
Idcon11 implicit demo
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demo
 
OpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoOpenID_Connect_Spec_Demo
OpenID_Connect_Spec_Demo
 
The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9
 
OAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationOAuth 2.0 MAC Authentication
OAuth 2.0 MAC Authentication
 
OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj
 
Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1
 
0905xx Hybrid Memo
0905xx Hybrid Memo0905xx Hybrid Memo
0905xx Hybrid Memo
 

Último

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Último (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...

Summary of OAuth 2.0 draft 8 memo

  • 1. Summary of OAuth 2.0 memo (based on draft 8 Spec), 2010/06/20, =ritou
  • 2. Warning!
    - This document is a summary of the OAuth 2.0 spec at Draft 8.
  • 3. Overview
    - Client Type and Profile
    - Endpoint
    - Resource Access
  • 4. Client Type and Profile
    - 4 Client types
      - Web Servers
      - User-Agents
      - Native Applications
      - Autonomous Clients
  • 5. Web Server Profile
    - Client Credential
      - Client ID
      - Client Secret
    - Facebook
    - Diff with OAuth 1.0a
      - No Request Token
    (Diagram, "Characters": User-Agent, AuthZ Server, Web Client, Protected Resource)
  • 6. (diagram-only slide)
  • 7. User-Agent Profile
    - Client on User-Agent
      - Twitter: @anywhere
      - Facebook: JavaScript-Based Authentication
    - Client Credential
      - Client ID
    - Access Token as URI Fragment Identifier
    (Diagram, "Characters": User-Agent, AuthZ Server, Client in Browser, Protected Resource)
  • 8. (diagram-only slide)
  • 9. Native Applications
    - External User-Agent: UA Profile
      - Use custom URI scheme
      - Polling UA window
    - Embedded User-Agent
      - Check URL Redirection
    - Prompt for user credential
      - ID/PW to Access Token (Username and Password Flow)
  • 10. Autonomous Clients
    - Clients = Resource Owner (Client Credential Profile)
    - Existing Trust Relationship / Framework (Assertion Profile)
  • 11. Client credential
    - Client credential
      - client identifier
      - client secret (optional)
    - AuthN schemes
      - Request parameters
      - HTTP Basic authN
  • 12. Endpoint
    - End-user authZ endpoint: Indirect Communication
      - Obtaining End-User Authorization
    - Token Endpoint: Direct Communication
      - Authorization Code to Access Token
      - Resource Owner Credentials to Access Token
      - Assertion to Access Token
      - Refresh Token
  • 13. End-user authZ endpoint
    - Request format
      - HTTP GET
    - Request Params
      - type, client_id, redirect_uri, state, scope
      - Proposal to use request_url parameter: Request by Reference ver.1.0 for OAuth 2.0
  • 14. End-user authZ endpoint
    - Response format
      - type = web_server: query parameters
      - type = user_agent: URI fragment identifier
    - Response params
      - type = web_server: code, state
      - type = user_agent: access_token, expires_in, state
  • 15. Token endpoint
    - Request format
      - HTTP POST
    - Request params
      - Client credential + specific params
      - grant_type, scope
        - code, redirect_uri
        - username, password
        - assertion_type, assertion
      - refresh_token
  • 16. Token endpoint
    - Response format
      - JSON
    - Response params
      - access_token, expires_in, refresh_token, scope
  • 17. Accessing a Protected Resource
    - Params
      - Access Token
    - Method
      - The Authorization Request Header Field
      - URI Query Parameter
      - Form-Encoded Body Parameter
  • 18. OLD SPEC
  • 19. Username and Password Profile
    - Like Twitter xAuth
    (Diagram, "Characters": End-User, AuthZ Server, Client, Protected Resource)
  • 20. Client Credentials Profile
    - Like OAuth Consumer Request (2-legged OAuth Request)
    (Diagram, "Characters": AuthZ Server, Client, Protected Resource)
  • 21. Assertion Profile
    - SAML etc...
    (Diagram, "Characters": AuthZ Server, Client, Protected Resource)
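As an added example (not part of ritou's memo or of any draft 8 implementation), the following Python models the message shapes from slides 13, 14 and 16: the GET to the end-user authZ endpoint, the redirect back to the client in both the web_server (query) and user_agent (fragment) forms, and the JSON token response. The endpoint URL, client_id, state and token values are constructed sample data; the state comparison is the client-side check that ties a callback to the request this client actually started.

```python
"""Client-side helpers for the OAuth 2.0 draft 8 endpoints summarized above
(added example; endpoint, client_id and token values are constructed)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authz_request(endpoint, client_type, client_id, redirect_uri, state, scope=None):
    """Slide 13: the end-user authorization request is an HTTP GET carrying
    type, client_id, redirect_uri, state and (optionally) scope."""
    if client_type not in ("web_server", "user_agent"):
        raise ValueError("type must be web_server or user_agent")
    params = {"type": client_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return endpoint + "?" + urlencode(params)


def parse_authz_response(redirect_url, client_type, expected_state):
    """Slide 14: web_server clients get code,state as query parameters, while
    user_agent clients get access_token,expires_in,state in the URI fragment.
    Reading the wrong part yields no state, so the response is rejected; the
    state echo is what ties a callback to the request this client started."""
    parts = urlsplit(redirect_url)
    raw = parts.query if client_type == "web_server" else parts.fragment
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state missing or mismatched; discard this response")
    if client_type == "web_server":
        return {"code": fields["code"]}
    return {"access_token": fields["access_token"],
            "expires_in": int(fields["expires_in"])}


def parse_token_response(body):
    """Slide 16: the token endpoint answers with JSON carrying access_token,
    expires_in, refresh_token and scope; only access_token is required here."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token response lacks access_token")
    if "expires_in" in data:
        data["expires_in"] = int(data["expires_in"])
    return data
```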