OAuth Security Issues
Prabath Siriwardena | Johann Nallathamby
The problems OAuth was designed to solve: a third-party application that holds the resource owner's password (the list in RFC 6749, section 1)

• Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
• Servers are required to support password authentication, despite the security weaknesses created by passwords.
• Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
• Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
• Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  
Limitations of OAuth 1.0 that OAuth 2.0 set out to remove

• Complexity in validating and generating signatures.
• No clear separation between Resource Server and Authorization Server.
• Browser-based redirections: the only flow OAuth 1.0 defined, which fits native and non-browser clients poorly.
  
OAuth 2.0 roles (RFC 6749, section 1.1)

• Resource owner: an entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
• Resource server: the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
• Client: an application making protected resource requests on behalf of the resource owner and with its authorization.
• Authorization server: the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization grant types

• Authorization Code
• Implicit
• Resource Owner Password Credentials
• Client Credentials
  
OAuth Handshake: Scope

• Scope is defined by the Authorization Server: the individual strings are the authorization server's to define, not the client's.
• Scope indicates which resource the client wants to access and which actions it wants to perform on it.
• The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
  
                                            	
  

OAuth Handshake: Authorization Code grant

Confidential client type: a web application, which runs on a server and can keep a client_secret. The client authenticates to the Authorization Server with HTTP Basic authentication (client_id / client_secret).
  




OAuth Handshake: Authorization Grant Request (authorization code)

• response_type: REQUIRED. Value MUST be set to "code".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the user agent is redirected by the Authorization Server after authorization. The Authorization Server should only ever redirect to a URI registered for that client; otherwise the code can be delivered to an attacker's site.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. It is also the client's protection against cross-site request forgery on the callback (RFC 6749, section 10.12), so in practice treat it as mandatory and make it unguessable.
  




OAuth Handshake: Authorization Grant Response

• code: REQUIRED. The authorization code generated by the authorization server. It is short-lived (RFC 6749 recommends a maximum lifetime of 10 minutes) and MUST NOT be used more than once.
• state: REQUIRED if the "state" parameter was present in the client authorization request. The client MUST check that it matches the value it sent before doing anything with the code.
  




OAuth Handshake: Access Token Request

The client sends this directly to the token endpoint, authenticating itself at the same time (here with HTTP Basic, client_id / client_secret).

• grant_type: REQUIRED. Value MUST be set to "authorization_code".
• code: REQUIRED. The authorization code received from the Authorization Server.
• redirect_uri: REQUIRED if the "redirect_uri" parameter was included in the authorization request, and the two values MUST be identical.
	
  




OAuth Handshake: Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
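The whole authorization code handshake above, run end to end, as an added example in Python; it is not code from the deck or from the authors. Both sides run in-process: the client registration, client_secret, redirect URI and scopes are constructed, and the authorization server keeps issued codes in memory. It enforces the checks the slides call for: the redirect target must be registered, the requested scope strings are matched case-sensitively against what the client registered (the Scope rule from earlier), state is verified on the callback, the client authenticates with HTTP Basic at the token endpoint, and the code is bound to that client and redirect_uri and is single use.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (assumption: one confidential web-app client).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"secret": "7Fjfp0ZBr1KtDRbnfVdmIw", "scopes": {"read", "write"},
                   "redirect_uris": {"https://client.example.com/cb"}},
}


class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, scope)

    def authorize(self, params):
        # Authorization endpoint: returns the redirect URL carrying code (and state).
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("invalid_request")
        # Only redirect to a URI registered for this client, or the code goes to an attacker.
        redirect_uri = params.get("redirect_uri") or next(iter(client["redirect_uris"]))
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")
        # Scope: space-delimited, case-sensitive strings, limited to what the client registered.
        requested = set(params.get("scope", "").split()) or set(client["scopes"])
        if not requested <= client["scopes"]:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (params["client_id"], params.get("redirect_uri"), requested)
        query = {"code": code}
        if "state" in params:
            query["state"] = params["state"]  # echoed back unchanged
        return f"{redirect_uri}?{urlencode(query)}"

    def token(self, form, authorization_header):
        # Token endpoint: the client authenticates with HTTP Basic (client_id:client_secret).
        client_id = self._authenticate_client(authorization_header)
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self._codes.pop(form.get("code"), None)  # single use: a replayed code fails
        if entry is None:
            raise ValueError("invalid_grant")
        code_client, code_redirect, scope = entry
        # The code is bound to the client it was issued to and to the redirect_uri of the
        # authorization request; both must match exactly.
        if code_client != client_id or code_redirect != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(scope))}

    def _authenticate_client(self, header):
        scheme, _, encoded = header.partition(" ")
        if scheme != "Basic":
            raise ValueError("invalid_client")
        client_id, _, secret = base64.b64decode(encoded).decode("ascii").partition(":")
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], secret):
            raise ValueError("invalid_client")
        return client_id


class WebClient:
    # Confidential client: keeps client_secret server-side and tracks state per session.
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._pending_states = set()

    def authorization_request(self, scope):
        state = secrets.token_urlsafe(16)  # unguessable and bound to this browser session
        self._pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def handle_callback(self, redirect_url):
        # Verify state, then build the access token request (form body, Authorization header).
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if query.get("state") not in self._pending_states:
            raise ValueError("state mismatch: callback was not started by this session (CSRF)")
        self._pending_states.discard(query["state"])
        form = {"grant_type": "authorization_code", "code": query["code"],
                "redirect_uri": self.redirect_uri}
        creds = f"{self.client_id}:{self.client_secret}".encode("ascii")
        return form, "Basic " + base64.b64encode(creds).decode("ascii")


def rejected(call, *args):
    # True if the call fails with an OAuth error; used to show the negative cases.
    try:
        call(*args)
        return False
    except ValueError:
        return True


def run_flow():
    # Drive the whole handshake in-process and return what a test can check.
    server = AuthorizationServer()
    client = WebClient("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw", "https://client.example.com/cb")
    form, auth = client.handle_callback(server.authorize(client.authorization_request("read")))
    return {"token_response": server.token(form, auth),
            "replay_rejected": rejected(server.token, form, auth),
            "forged_state_rejected": rejected(client.handle_callback,
                                              "https://client.example.com/cb?code=injected&state=forged")}
```

Calling run_flow() performs one successful exchange and then shows the two failures that matter most in practice: the same code presented a second time is refused, and a callback whose state was not issued to this session is refused before the code is ever sent to the token endpoint.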
  




OAuth Handshake: Implicit grant

Public client type: a user-agent-based application (script running in the browser), which cannot keep a client_secret. Such clients are anonymous: the Authorization Server cannot authenticate them, so it relies on the registered redirect_uri to deliver the token to the right application.
  




OAuth Handshake: Authorization Grant Request (implicit)

• response_type: REQUIRED. Value MUST be set to "token".
• client_id: REQUIRED. The client identifier.
• redirect_uri: OPTIONAL. Where the user agent is redirected by the Authorization Server.
• scope: OPTIONAL. The scope of the access request.
• state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback, and its protection against cross-site request forgery.
  




OAuth Handshake: Access Token Response (implicit)

There is no separate token request: the token is returned on the redirect itself, in the fragment component of redirect_uri (after "#"), which the browser keeps locally and does not send to the server hosting redirect_uri.

• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
• scope: OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED.
• state: REQUIRED if the "state" parameter was present in the client authorization request.
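The client side of the implicit response above, as an added example in Python (not code from the deck): it parses the fragment the browser hands to the script, refuses a token placed anywhere other than the fragment, checks state against the value the session sent, accepts token_type case-insensitively, and applies the scope rule just listed (scope absent means exactly what was requested; present means the server may have narrowed it). The URLs and token values used are constructed.

```python
from urllib.parse import parse_qs, urlsplit


def parse_implicit_response(redirect_url, expected_state, requested_scope):
    """Client side of the implicit grant. Returns the token data and whether the
    granted scope was narrowed; raises ValueError if the response must not be used."""
    fragment = urlsplit(redirect_url).fragment  # the token only ever travels in the fragment
    params = {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}
    if "error" in params:
        raise ValueError(f"authorization server error: {params['error']}")
    # state is REQUIRED in the response when the request carried one; a mismatch means
    # this fragment was not produced for this session (CSRF / token injection).
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    missing = [name for name in ("access_token", "token_type") if name not in params]
    if missing:
        raise ValueError(f"missing required parameter(s): {', '.join(missing)}")
    if params["token_type"].lower() != "bearer":  # token_type is case-insensitive
        raise ValueError(f"unsupported token_type {params['token_type']!r}")
    # scope is OPTIONAL only when identical to what was requested, so its absence
    # means "you got exactly what you asked for"; its presence may narrow the grant.
    requested = set(requested_scope.split())
    granted = set(params["scope"].split()) if "scope" in params else requested
    return {
        "access_token": params["access_token"],
        "expires_in": int(params["expires_in"]) if "expires_in" in params else None,
        "scope": granted,
        "narrowed": granted != requested,
    }


def is_rejected(redirect_url, expected_state, requested_scope):
    """True if parse_implicit_response refuses the redirect (for the negative cases)."""
    try:
        parse_implicit_response(redirect_url, expected_state, requested_scope)
        return False
    except ValueError:
        return True
```

A script should act on the "narrowed" flag rather than assume it got the scope it asked for; a user who declined part of a request still gets a valid token for the rest.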
  




OAuth Handshake: Client Credentials grant

Confidential client type, authenticating with HTTP Basic (client_id / client_secret). Authorization Grant Request: since the client authentication is used as the authorization grant, no additional authorization request is needed.
  
                                                           	
  




OAuth Handshake: Access Token Request

• grant_type: REQUIRED. Value MUST be set to "client_credentials".
• scope: OPTIONAL. The scope of the access request.

Note: the client needs to pass the HTTP Basic Authorization header, or authenticate to the Authorization Server by other means.
  	
  




OAuth Handshake: Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.

A refresh token SHOULD NOT be included in this response; the client can simply authenticate again.
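The client credentials exchange above, including the HTTP Basic header the note refers to, as an added example in Python that is not part of the deck. It assumes a constructed client registration whose client_id contains a colon and whose secret contains reserved characters, because that is exactly where a naive "id:secret" header breaks: RFC 6749 section 2.3.1 requires both values to be form-urlencoded before they are joined and base64-encoded, and the server must split on the first colon only. The server side also restricts the issued scope to what the client registered, since there is no resource owner to consent.

```python
import base64
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed registration: a client_id with ':' and a secret with reserved characters.
REGISTERED_CLIENTS = {"svc:reports": {"secret": "p@ss w0rd/x", "scopes": {"reports:read"}}}


def basic_client_auth(client_id, client_secret):
    """Authorization header value per RFC 6749 section 2.3.1: both values are
    form-urlencoded, joined with ':' and then base64-encoded."""
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def client_credentials_request(client_id, client_secret, scope=None):
    """Client side: headers and form body of the access token request."""
    headers = {"Authorization": basic_client_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return headers, body


def token_endpoint(headers, body):
    """Authorization server side. Returns (HTTP status, response parameters)."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401, {"error": "invalid_client"}
    try:
        raw = base64.b64decode(encoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    enc_id, sep, enc_secret = raw.partition(":")  # split on the FIRST ':' only
    if not sep:
        return 401, {"error": "invalid_client"}
    client_id, secret = unquote(enc_id), unquote(enc_secret)
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so the secret cannot be guessed byte by byte from timing.
    if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    if body.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # No resource owner is involved, so the only bound on scope is the client's registration.
    requested = set(body["scope"].split()) if body.get("scope") else set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(requested))}
```

Without the percent-encoding, the server would decode "svc:reports:p@ss w0rd/x" and take "svc" as the client_id; with it, the first colon is unambiguous.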
  




OAuth Handshake: Resource Owner Password Credentials grant

Confidential client type, authenticating with HTTP Basic. Authorization Grant Request: the method through which the client obtains the resource owner credentials is beyond the scope of the specification. The client MUST discard the credentials once an access token has been obtained. Use this grant only where the resource owner trusts the client highly (for example, the client is part of the same product as the authorization server): the client sees the password, so most of the problems listed at the start of the deck return.
  




OAuth Handshake: Access Token Request

• grant_type: REQUIRED. Value MUST be set to "password".
• username: REQUIRED. The resource owner username, encoded as UTF-8.
• password: REQUIRED. The resource owner password, encoded as UTF-8.
• scope: OPTIONAL. The scope of the access request.
  




OAuth Handshake: Access Token Response

• access_token: REQUIRED. The access token issued by the authorization server.
• token_type: REQUIRED. The type of the token. Value is case insensitive.
• expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  




Runtime: Bearer vs MAC

Two ways for the client to present the access token to the Resource Server.

Bearer: any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  



Runtime: Request with Bearer

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer access_token_value

The token value is sent as-is (not quoted), and only over TLS: anyone who can read it can replay it.

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20 (later published as RFC 6750)
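The resource server side of the bearer request above, as an added example in Python that is not code from the deck. It assumes the resource server can look up the tokens the authorization server issued (a constructed in-memory table here; a real deployment would use a shared store or token introspection), parses the raw request, and answers with the WWW-Authenticate challenges defined for the bearer scheme (no error code when no token was presented, invalid_token, insufficient_scope). Note what it cannot do: nothing in the request proves who sent the token, so a copy of the same bytes from any sender gets the same 200.

```python
# Constructed token table: token -> granted scope and expiry (seconds since the epoch).
TOKENS = {"mF_9.B5f-4.1JqM": {"scope": {"read"}, "expires_at": 1_700_000_000 + 3600}}
# Constructed policy: scope each resource requires.
RESOURCE_SCOPES = {"/resource/1": {"read"}, "/resource/2": {"write"}}


def parse_http_request(raw):
    """Minimal HTTP/1.1 request-line and header parser; returns (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def handle_request(raw, now):
    """Resource server: returns (status, response headers, body)."""
    method, target, headers = parse_http_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    # Scheme names are case-insensitive; the token itself is used verbatim and unquoted.
    if scheme.lower() != "bearer" or not token:
        # No usable credential: challenge without an error code.
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}, ""
    entry = TOKENS.get(token)
    if entry is None or entry["expires_at"] <= now:
        return 401, {"WWW-Authenticate": 'Bearer realm="example", error="invalid_token"'}, ""
    needed = RESOURCE_SCOPES.get(target, set())
    if not needed <= entry["scope"]:
        challenge = ('Bearer realm="example", error="insufficient_scope", '
                     f'scope="{" ".join(sorted(needed))}"')
        return 403, {"WWW-Authenticate": challenge}, ""
    # Nothing above identified the sender: whoever holds these bytes gets the same answer.
    return 200, {"Content-Type": "text/plain"}, f"{method} {target}: ok"


# Constructed request, modelled on the one in the slide; the token is the RFC 6750 example value.
SAMPLE_REQUEST = (
    "GET /resource/1 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Authorization: Bearer mF_9.B5f-4.1JqM\r\n"
    "\r\n"
)
NOW = 1_700_000_000
```

handle_request(SAMPLE_REQUEST, NOW) succeeds; the same request an hour after expiry, with a token that does not exist, or against a resource the scope does not cover, gets the matching challenge instead.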
  



MAC: HTTP MAC access authentication scheme. The client holds a MAC key issued together with the token and signs each request with it; the token identifier alone is not enough to reach the resource, so a captured request cannot simply be replayed.
  




Runtime: Request with MAC

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",
                   ts="1336363200",
                   nonce="274312:dj83hs9s",
                   mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

id names the key, ts and nonce make each request unique so the server can reject replays, and mac is the keyed hash over the normalized request (timestamp, nonce, method, request URI, host and port). The key itself never travels on the wire.

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
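Both sides of the MAC exchange above, as an added example in Python that is not code from the deck: the client builds the Authorization header and the resource server recomputes the MAC, rejects stale timestamps, and rejects a nonce it has already accepted. It assumes the MAC key and algorithm were issued to the client with the token (constructed here, under the id from the slide), and it follows the normalized request string of draft-ietf-oauth-v2-http-mac-01 section 3.3.1 (timestamp, nonce, upper-case method, request URI, lower-case host, port, ext, each followed by a newline). It does not reproduce the mac value on the slide, since the key for that value is not on the page.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed credentials: issued with the access token, never sent in a request.
MAC_CREDENTIALS = {"h480djs93hd8": {"key": b"489dks293j39", "algorithm": "hmac-sha-1"}}
DIGESTS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Elements, order and trailing newline as in draft-ietf-oauth-v2-http-mac-01 section 3.3.1."""
    return "\n".join([str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]) + "\n"


def compute_mac(key, algorithm, normalized):
    digest = hmac.new(key, normalized.encode("utf-8"), DIGESTS[algorithm]).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(key_id, method, url, ts=None, nonce=None):
    """Client side: the Authorization header value for one request."""
    cred = MAC_CREDENTIALS[key_id]
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    request_uri = parts.path + (f"?{parts.query}" if parts.query else "")
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)  # fresh per request so the server can spot replays
    mac = compute_mac(cred["key"], cred["algorithm"],
                      normalized_request_string(ts, nonce, method, request_uri, parts.hostname, port))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(value):
    scheme, _, rest = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    attrs = {}
    for item in rest.split(","):
        name, _, quoted = item.strip().partition("=")  # first '=' only: base64 may end in '='
        attrs[name] = quoted.strip('"')
    return attrs


class MacVerifier:
    """Resource server side: recompute the MAC and refuse stale or replayed requests."""

    def __init__(self, window=300):
        self.window = window  # accepted clock skew in seconds
        self.seen = set()     # (id, ts, nonce) triples already accepted

    def verify(self, header, method, request_uri, host, port, now=None):
        now = time.time() if now is None else now
        try:
            attrs = parse_mac_header(header)
            ts = int(attrs["ts"])
            key_id, nonce, mac = attrs["id"], attrs["nonce"], attrs["mac"]
        except (ValueError, KeyError):
            return False
        cred = MAC_CREDENTIALS.get(key_id)
        if cred is None or abs(now - ts) > self.window:
            return False
        if (key_id, ts, nonce) in self.seen:  # a captured request presented again
            return False
        expected = compute_mac(cred["key"], cred["algorithm"],
                               normalized_request_string(ts, nonce, method, request_uri,
                                                         host, port, attrs.get("ext", "")))
        # Any change to method, URI, host or port changes the expected value.
        if not hmac.compare_digest(expected.encode("ascii"), mac.encode("ascii")):
            return False
        self.seen.add((key_id, ts, nonce))
        return True
```

The contrast with the bearer case is the point: the same header bytes replayed to the same verifier fail the second time, and a header lifted from one request does not authorize a different method or path.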
  



Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Prabath Siriwardena | Johann Nallathamby - OAuth Security Issues

  • 1. Prabath Siriwardena | Johann Nallathamby
  • 2.
  • 3.
  • 4.
  • 5.
  • 6. Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
  • 7. Servers are required to support password authentication, despite the security weaknesses created by passwords.
  • 8. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  • 9. Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.
  • 10. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
      • Complexity in validating and generating signatures.
      • No clear separation between Resource Server and Authorization Server.
      • Browser based re-redirections.
  • 18. Resource Owner
      • An entity capable of granting access to a protected resource.
      • When the resource owner is a person, it is referred to as an end-user.
  • 19. Resource Server
      • The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • 20. Client
      • An application making protected resource requests on behalf of the resource owner and with its authorization.
  • 21. Authorization Server
      • The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  • 22.
  • 23.
      • Client Credentials
      • Authorization Code
      • Resource Owner Password Credentials
      • Implicit
  • 25. Scope (OAuth Handshake)
      • Scope is defined by the Authorization Server.
      • Scope indicates which resource the client wants access to and which actions it wants to perform on it.
      • The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings.
      • The strings are defined by the authorization server.
  • 26. Confidential Client Type: Web Application (OAuth Handshake)
  • 27. Client authenticates to AuthZ Server: BasicAuth with client_id / client_secret (OAuth Handshake)
  • 28. Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "code".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 29. Authorization Grant Response (OAuth Handshake)
      • code : REQUIRED. The authorization code generated by the authorization server.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.
  • 30. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "authorization_code".
      • code : REQUIRED. The authorization code received from the Authorization Server.
      • redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization request.
  • 31. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
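The handshake of slides 25 to 31, as an added example that is not part of the original deck: a confidential client and an authorization server are simulated in one Python file so the checks on each side are visible. The client binds the callback to the state value it sent, authenticates to the token endpoint with HTTP Basic (slide 27), and the authorization server accepts a code only once, only from the client it was issued to and only together with the same redirect_uri. Endpoint URLs are constructed; the client_id and client_secret are the example values used in RFC 6749.

```python
# Added example, not from the slides: both sides of the authorization code
# handshake (slides 25-31) in one file. URLs are constructed; client_id and
# client_secret are the example values used in RFC 6749.
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://as.example.com/authorize"   # constructed
REDIRECT_URI = "https://client.example.com/callback"  # constructed

# Authorization server state: registered confidential clients and issued codes.
REGISTERED = {"s6BhdRkqt3": {"secret": "7Fjfp0ZBr1KtDRbnfVdmIw", "redirect_uri": REDIRECT_URI}}
ISSUED_CODES = {}  # code -> {"client_id": ..., "redirect_uri": ..., "used": bool}


def build_authorization_request(client_id, scope, state):
    """Slide 28: response_type=code with client_id, redirect_uri, scope and state."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def as_authorize(request_url, resource_owner_approved=True):
    """AS side of slide 29: redirect back with a one-time code and the echoed state."""
    q = parse_qs(urlparse(request_url).query)
    reg = REGISTERED.get(q.get("client_id", [""])[0])
    if reg is None:
        raise ValueError("unknown client")
    redirect_uri = q.get("redirect_uri", [reg["redirect_uri"]])[0]
    # Only the registered redirect_uri is used, otherwise the code would be sent elsewhere.
    if redirect_uri != reg["redirect_uri"]:
        raise ValueError("redirect_uri does not match the registered value")
    state = q.get("state", [""])[0]
    if not resource_owner_approved:
        return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": q["client_id"][0], "redirect_uri": redirect_uri, "used": False}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def client_handle_callback(callback_url, expected_state):
    """Client side of slide 29: accept the callback only if state matches what was sent."""
    q = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def build_token_request(client_id, client_secret, code):
    """Slides 27 and 30: HTTP Basic client authentication plus grant_type=authorization_code."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return headers, body


def as_token_endpoint(headers, body):
    """AS side of slide 31: authenticate the client, consume the code once, issue the token."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    reg = REGISTERED.get(client_id)
    if reg is None or not hmac.compare_digest(secret.encode(), reg["secret"].encode()):
        return {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type", [""])[0] != "authorization_code":
        return {"error": "unsupported_grant_type"}
    rec = ISSUED_CODES.get(form.get("code", [""])[0])
    # The code must exist, be unused, belong to this client and carry the same redirect_uri.
    if (rec is None or rec["used"] or rec["client_id"] != client_id
            or rec["redirect_uri"] != form.get("redirect_uri", [""])[0]):
        return {"error": "invalid_grant"}
    rec["used"] = True
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_handshake(scope="read"):
    """Whole flow; returns the first token response and the result of replaying the same code."""
    client_id = "s6BhdRkqt3"
    state = secrets.token_urlsafe(16)
    callback = as_authorize(build_authorization_request(client_id, scope, state))
    code = client_handle_callback(callback, state)
    headers, body = build_token_request(client_id, REGISTERED[client_id]["secret"], code)
    first = as_token_endpoint(headers, body)
    replay = as_token_endpoint(headers, body)  # the same code presented twice must be refused
    return first, replay
```

The three refusals in as_token_endpoint are the ones that matter at the token endpoint: a code leaked through logs or referrers is useless a second time, useless to any other client, and useless with a different redirect_uri.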
  • 33. Public Client Type: User Agent based Application (OAuth Handshake)
  • 35. Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "token".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 36. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
      • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.
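The implicit grant response of slide 36 together with the scope rules of slide 25, as an added example (not from the deck): a user-agent based client takes the token out of the URL fragment, checks the echoed state, and works out which of the requested scopes were actually granted using the space-delimited, case-sensitive semantics the slide describes. The redirect URL and token value are constructed.

```python
# Added example, not from the slides: user-agent client handling of the implicit
# grant response (slide 36) and the scope semantics of slide 25. Redirect URL and
# token values are constructed.
import hmac
from urllib.parse import urlparse, parse_qs


def parse_scope(value):
    """Slide 25: a list of space-delimited, case-sensitive strings defined by the AS."""
    return set(value.split()) if value else set()


def parse_implicit_response(redirect_url, expected_state, requested_scope):
    """Validate the fragment response and return the token with the scope actually granted."""
    # The AS puts the response in the fragment, which is never sent to the client's server;
    # only script running in the page can read it.
    frag = parse_qs(urlparse(redirect_url).fragment)
    # state is REQUIRED in the response when it was sent in the request; check it first.
    if not hmac.compare_digest(frag.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in frag:
        raise ValueError("authorization failed: " + frag["error"][0])
    token_type = frag["token_type"][0]
    if token_type.lower() != "bearer":  # token_type is compared case-insensitively (slide 36)
        raise ValueError("unsupported token_type: " + token_type)
    # scope is OPTIONAL if identical to the request and REQUIRED otherwise, so a missing
    # scope parameter means everything requested was granted.
    requested = parse_scope(requested_scope)
    granted = parse_scope(frag["scope"][0]) if "scope" in frag else requested
    return {"access_token": frag["access_token"][0],
            "expires_in": int(frag["expires_in"][0]) if "expires_in" in frag else None,
            "granted_scope": granted,
            "missing_scope": requested - granted}


def demo():
    """Constructed redirect where the AS granted only "read" out of the requested "read write"."""
    url = ("https://client.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA"
           "&token_type=bearer&expires_in=3600&scope=read&state=af0ifjsldkj")
    return parse_implicit_response(url, "af0ifjsldkj", "read write")
```

A client that ignores the returned scope and assumes it received what it asked for will fail later at the resource server; comparing the two sets up front is how it learns that "write" was withheld.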
  • 38. Confidential Client Type (OAuth Handshake)
  • 39. BasicAuth (OAuth Handshake)
  • 40. Authorization Grant Request (OAuth Handshake): Since the client authentication is used as the authorization grant, no additional authorization request is needed.
  • 41. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • scope : OPTIONAL. The scope of the access request.
      Note: The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
  • 42. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
  • 44. Confidential Client Type (OAuth Handshake)
  • 46. Authorization Grant Request (OAuth Handshake): The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
  • 47. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • username : REQUIRED. The resource owner username, encoded as UTF-8.
      • password : REQUIRED. The resource owner password, encoded as UTF-8.
      • scope : OPTIONAL. The scope of the access request.
  • 48. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
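The token endpoint behind slides 40 to 48, as an added example (not from the deck): one handler serves both the client credentials grant and the resource owner password credentials grant, authenticates the client from the HTTP Basic header the note on slide 41 mentions, and checks the owner's password against a salted PBKDF2 hash rather than the stored clear-text password that slide 6 warns about. For the password grant the handler expects grant_type=password, which is the value RFC 6749 section 4.3.2 specifies for that grant. Client ids, secrets, the salt and the user store are constructed.

```python
# Added example, not from the slides: the authorization server's token endpoint for
# the client credentials grant (slides 40-42) and the resource owner password
# credentials grant (slides 46-48). Client ids, secrets, salt and users are constructed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Which grant each registered client may use; secrets are constructed values.
CLIENTS = {"batch-job": {"secret": "constructed-batch-secret", "grants": {"client_credentials"}},
           "legacy-desktop": {"secret": "constructed-desktop-secret", "grants": {"password"}}}
_SALT = b"constructed-salt"


def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Resource owners are stored as salted PBKDF2 hashes, never as clear-text passwords (slide 6).
USERS = {"alice": _pbkdf2("correct horse")}
ISSUED = {}  # access_token -> subject the token was issued for


def authenticate_client(headers):
    """Slide 41 note: the client authenticates with HTTP Basic; returns client_id or None."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    reg = CLIENTS.get(client_id)
    if reg is None or not hmac.compare_digest(secret.encode(), reg["secret"].encode()):
        return None
    return client_id


def token_endpoint(headers, body):
    """Dispatch on grant_type; for ROPC the value is "password" (RFC 6749 section 4.3.2)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant not in CLIENTS[client_id]["grants"]:
        return {"error": "unauthorized_client"}  # registered, but not for this grant type
    if grant == "client_credentials":
        subject = client_id  # the client acts on its own behalf; no resource owner is involved
    else:  # "password"
        stored = USERS.get(form.get("username", ""))
        supplied = _pbkdf2(form.get("password", ""))  # always computed, so timing does not leak usernames
        if stored is None or not hmac.compare_digest(stored, supplied):
            return {"error": "invalid_grant"}
        subject = form["username"]
    token = secrets.token_urlsafe(32)
    ISSUED[token] = subject
    response = {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    if "scope" in form:
        response["scope"] = form["scope"]
    return response


def basic_header(client_id, secret):
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}


def client_credentials_demo():
    """Slides 41-42: no authorization request; the client authentication is the grant."""
    return token_endpoint(basic_header("batch-job", "constructed-batch-secret"),
                          urlencode({"grant_type": "client_credentials", "scope": "report:read"}))


def password_grant_demo(password):
    """Slides 46-47: the owner's credentials travel once; afterwards the client keeps only the token."""
    body = urlencode({"grant_type": "password", "username": "alice", "password": password})
    response = token_endpoint(basic_header("legacy-desktop", "constructed-desktop-secret"), body)
    return response  # body and password go out of scope here; the client must not persist them
```

Restricting each client to the grants it was registered for is what keeps a compromised client-credentials client from turning into a password-guessing endpoint, and the hashed user store limits what an authorization server breach exposes.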
  • 50. Bearer / MAC (Runtime)
  • 51. Bearer (Runtime): Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  • 52. Request with Bearer (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: Bearer "access_token_value"
      http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
  • 53. MAC (Runtime): HTTP MAC access authentication scheme.
  • 54. Request with MAC (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: MAC id="h480djs93hd8",
                         ts="1336363200",
                         nonce="274312:dj83hs9s",
                         mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
      http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
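The two token types of slides 50 to 54, as an added example (not from the deck), seen from the resource server. The bearer check can only confirm that the presented string is a known, unexpired token, which is exactly why a captured bearer token works for anyone who holds it (slide 51). The MAC check recomputes the signature over a normalized request string covering timestamp, nonce, method, request-URI, host and port, so a captured header fails against a different URI, outside the timestamp window, or when its nonce is presented again. The normalized string follows the structure of the HTTP MAC draft linked on slide 54 as an illustration, not as a conformance implementation of that expired draft; the key id is the one on the slide, while the key itself, the bearer token and the requests are constructed.

```python
# Added example, not from the slides: resource-server verification for the two
# token types of slides 50-54. Keys, tokens and the request are constructed. The
# normalized request string follows the structure of the HTTP MAC draft (timestamp,
# nonce, method, request-URI, host, port, ext) as an illustration, not as a
# conformance implementation of that expired draft.
import base64
import hashlib
import hmac
import re
import secrets


def _h(token):
    """Bearer tokens are stored hashed, so a leaked token table yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


BEARER_TOKENS = {_h("access_token_value"): {"subject": "alice", "expires_at": 2_000_000_000}}
MAC_KEYS = {"h480djs93hd8": b"constructed-shared-mac-key"}  # id from slide 54, constructed key
SEEN_NONCES = set()  # (id, nonce) pairs already accepted; a real server would age these out
TS_WINDOW = 300      # seconds of clock skew tolerated


def verify_bearer(auth_header, now):
    """Slide 52: possession of the string is the whole proof; only lookup and expiry can be checked."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer":
        return None
    rec = BEARER_TOKENS.get(_h(token))
    if rec is None or now >= rec["expires_at"]:
        return None
    return rec["subject"]


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Request elements the MAC covers; changing any of them invalidates the signature."""
    return "\n".join([ts, nonce, method.upper(), request_uri, host.lower(), str(port), ext]) + "\n"


def compute_mac(key, nrs):
    return base64.b64encode(hmac.new(key, nrs.encode(), hashlib.sha1).digest()).decode()


def parse_mac_header(auth_header):
    scheme, _, params = auth_header.partition(" ")
    if scheme != "MAC":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def verify_mac(auth_header, method, request_uri, host, port, now):
    """Slide 54: proof of possession of the key, bound to this request, this time and this nonce."""
    p = parse_mac_header(auth_header)
    if p is None or not all(k in p for k in ("id", "ts", "nonce", "mac")):
        return None
    key = MAC_KEYS.get(p["id"])
    if key is None or not p["ts"].isdigit() or abs(now - int(p["ts"])) > TS_WINDOW:
        return None  # unknown key id, or timestamp outside the accepted window
    if (p["id"], p["nonce"]) in SEEN_NONCES:
        return None  # replayed header
    nrs = normalized_request_string(p["ts"], p["nonce"], method, request_uri, host, port, p.get("ext", ""))
    if not hmac.compare_digest(compute_mac(key, nrs).encode(), p["mac"].encode()):
        return None  # signature does not cover this exact request
    SEEN_NONCES.add((p["id"], p["nonce"]))
    return p["id"]


def sign_request(key_id, method, request_uri, host, port, now):
    """Client side: build the Authorization header for the request on slide 54."""
    ts, nonce = str(now), secrets.token_hex(8)
    mac = compute_mac(MAC_KEYS[key_id], normalized_request_string(ts, nonce, method, request_uri, host, port))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def mac_demo(now=1336363200):
    """Results for the genuine request, its replay, and the same header moved to another URI."""
    hdr = sign_request("h480djs93hd8", "GET", "/resource/1", "example.com", 80, now)
    genuine = verify_mac(hdr, "GET", "/resource/1", "example.com", 80, now)
    replayed = verify_mac(hdr, "GET", "/resource/1", "example.com", 80, now)
    moved = verify_mac(sign_request("h480djs93hd8", "GET", "/resource/1", "example.com", 80, now),
                       "GET", "/resource/2", "example.com", 80, now)
    return genuine, replayed, moved
```

The contrast is the point of slides 51 and 53: verify_bearer has nothing to bind the token to the request, so transport protection (TLS) is doing all the work, while verify_mac fails closed on replay, on a moved request and on a stale timestamp without the key ever leaving the client.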