(4) OAuth 2.0 Obtaining Authorization

anikristo
OAuth 2.0
OBTAINING AUTHORIZATION
Grant Types
1. Authorization Code Grant
2. Implicit Grant
3. Resource Owner Password Credentials Grant
4. Client Credentials Grant
Authorization Code Grant
 Used to obtain both Access Tokens and Refresh Tokens
 Optimized for confidential clients
 Redirection-based flow
Authorization Code Grant
FLOW
A. The resource owner’s user-agent is directed to the authorization endpoint. The client includes:
 Client Identifier
 Requested Scope
 Local State
 Redirection URI
B. The authorization server authenticates the resource owner via the user-agent and establishes whether
the resource owner grants or denies the client’s access request.
C. The user-agent is redirected back to the Redirection URI with an Authorization Code.
D. The client requests an access token from the authorization server’s Token Endpoint by
presenting the Authorization Code. A confidential client also authenticates to the server. The client
sends the Redirection URI used in step A so the server can verify it.
E. The authorization server authenticates the client, validates the authorization code,
checks that the Redirection URI matches the one used in step C, and returns an Access Token and,
optionally, a Refresh Token.
Authorization Code Grant
AUTHORIZATION REQUEST
 The client constructs the request URI by adding the following parameters to the query
component of the authorization endpoint URI:
 response_type (REQUIRED) must be set to “code”
 client_id (REQUIRED)
 redirect_uri (OPTIONAL)
 scope (OPTIONAL) the requested scope
 state (RECOMMENDED) An opaque value used by the client to maintain state between the
request and the callback. The client should use an unguessable value and verify it when the
callback arrives, which prevents cross-site request forgery against the callback endpoint.
Example:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Authorization Code Grant
AUTHORIZATION RESPONSE
 If the authorization server grants the request, it redirects the user-agent to the Redirection URI,
adding the following parameters to its query component:
 code (REQUIRED) the generated Authorization Code, which must expire shortly
after it has been issued (recommended maximum lifetime: 10 minutes)
 NOTE: The code must only be used once. If the server detects more than one use, it must
deny the request and should revoke all tokens previously issued based on that code.
 state (REQUIRED if a state parameter was present in the client authorization request) the exact
value received from the client
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
Authorization Code Grant
AUTHORIZATION RESPONSE – Error Response
 If the request fails because the redirection URI is missing, invalid or mismatching, or because the
client identifier is missing or invalid, the authorization server informs the resource owner of the
error and must NOT redirect the user-agent to the invalid redirection URI.
 For any other error, the server redirects the user-agent to the Redirection URI with the following
parameters in the query component:
 error (REQUIRED) a single ASCII error code, one of:
invalid_request, unauthorized_client, access_denied,
unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
 error_description (OPTIONAL) human-readable ASCII text
 error_uri (OPTIONAL) URI of a human-readable web page describing the error
 state (REQUIRED if a state parameter was present in the client authorization request) the exact
value received from the client
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
Authorization Code Grant
ACCESS TOKEN REQUEST
 The client makes a request to the token endpoint with the following
parameters:
 grant_type (REQUIRED) must be set to “authorization_code”
 code (REQUIRED) the authorization code received from the authorization
server
 redirect_uri (REQUIRED if it was included in the authorization request) must be
identical to the value sent there
 client_id (REQUIRED if the client is not authenticating with the
authorization server)
*NOTE: If the client type is confidential or the client was issued client
credentials, the client must authenticate with the authorization server.
Authorization Code Grant
ACCESS TOKEN REQUEST - Continued
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Authorization Code Grant
ACCESS TOKEN REQUEST - Continued
 The authorization server must:
 Require client authentication for confidential clients or for any client that was issued
client credentials
 Authenticate the client if client authentication is included
 Ensure the authorization code was issued to the authenticated confidential client, or, for a
public client, to the client_id given in the request
 Verify that the authorization code is valid (unused and not expired)
 Ensure that the redirect_uri parameter is present if redirect_uri was included in the
initial authorization request, and if included, ensure that their values are identical.
Authorization Code Grant
ACCESS TOKEN RESPONSE
Example response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
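The following is an added example, my own code and not part of the original slides or of RFC 6749, that carries out the authorization code grant described in the Authorization Request, Authorization Response and Access Token Request sections above, from both sides: the client generates and verifies state, and the authorization server performs the token endpoint checks listed above (client authentication, code bound to the client, single-use codes that expire, revocation on replay, matching redirect_uri). It runs in memory with no HTTP; the AUTHZ_ENDPOINT value, the client_id/secret pair, the redirect URI and the Client/AuthorizationServer class names are assumptions made for illustration.

```python
# Added example (not from the original slides): the authorization code grant run between a
# client and an authorization server, implementing the checks the slides list. Endpoint URL,
# client identifiers, secrets and redirect URIs are constructed for illustration.
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CODE_LIFETIME = 600  # seconds; the 10-minute maximum the slides recommend


def first(params, name):  # single value of a parsed query/form parameter, None if absent
    return params.get(name, [None])[0]


class Client:  # confidential client; authenticates to the token endpoint with HTTP Basic
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending = set()  # state values of authorization requests awaiting a callback

    def authorization_url(self, scope=None):
        state = secrets.token_urlsafe(16)  # unguessable, so a forged callback cannot match it
        self.pending.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state}
        if scope:
            params["scope"] = scope
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def token_request(self, callback_url):
        """Check the callback, then build (headers, body) for the token endpoint."""
        q = parse_qs(urlsplit(callback_url).query)
        state = first(q, "state")
        if state not in self.pending:
            raise ValueError("state mismatch: callback not tied to a request we made (CSRF?)")
        self.pending.discard(state)  # each state value is accepted once
        if "error" in q:
            raise PermissionError(first(q, "error"))
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "authorization_code", "code": first(q, "code"),
                          "redirect_uri": self.redirect_uri})
        return headers, body


class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> {"secret": str or None (public), "redirect_uri": str}
        self.codes = {}    # authorization code -> issuance record
        self.tokens = {}   # access token -> code it was issued for (needed for revocation)

    def register(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, request_url, approved):
        """Authorization endpoint: returns the Location the user-agent is redirected to."""
        q = parse_qs(urlsplit(request_url).query)
        client = self.clients.get(first(q, "client_id"))
        redirect_uri = first(q, "redirect_uri")
        if client is None or (redirect_uri and redirect_uri != client["redirect_uri"]):
            # Invalid client_id or redirect_uri: inform the resource owner, never redirect.
            raise ValueError("invalid client_id or redirect_uri")
        params = {}
        if first(q, "response_type") != "code":
            params["error"] = "unsupported_response_type"
        elif not approved:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": first(q, "client_id"), "redirect_uri": redirect_uri,
                                "issued": time.time(), "used": False}
            params["code"] = code
        if first(q, "state") is not None:
            params["state"] = first(q, "state")  # echoed back exactly as received
        return client["redirect_uri"] + "?" + urlencode(params)

    def token(self, headers, body):
        """Token endpoint: returns (HTTP status, response body as a dict)."""
        form = parse_qs(body)
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            client = self.clients.get(client_id)
            if client is None or client["secret"] is None \
                    or not secrets.compare_digest(secret, client["secret"]):
                return 401, {"error": "invalid_client"}
        else:  # unauthenticated: acceptable only for a public client identified by client_id
            client_id = first(form, "client_id")
            client = self.clients.get(client_id)
            if client is None or client["secret"] is not None:
                return 401, {"error": "invalid_client"}
        if first(form, "grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        code = first(form, "code")
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != client_id or time.time() - rec["issued"] > CODE_LIFETIME:
            return 400, {"error": "invalid_grant"}  # unknown, issued to another client, or expired
        if rec["used"]:  # replayed code: deny, and revoke every token it already produced
            self.tokens = {t: c for t, c in self.tokens.items() if c != code}
            return 400, {"error": "invalid_grant"}
        if rec["redirect_uri"] and first(form, "redirect_uri") != rec["redirect_uri"]:
            return 400, {"error": "invalid_grant"}
        rec["used"] = True
        token = secrets.token_urlsafe(24)
        self.tokens[token] = code
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

Two design points worth noticing: the server keeps a token-to-code map purely so that a replayed code can revoke what it already produced, which is the behaviour the slides call for; and an invalid client_id or redirect_uri raises instead of redirecting, because redirecting to an unverified URI is exactly how a code would leak to an attacker.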
Implicit Grant
 Used to obtain Access Tokens only (no Refresh Tokens are issued)
 Optimized for public clients known to operate a particular Redirection URI
 Clients are typically implemented in a browser using a scripting language such as
JavaScript
 Redirection-based flow
 The client interacts with the resource owner’s user-agent and receives incoming requests via
redirection from the authorization server
 Unlike the Authorization Code grant, the client is issued an access token directly instead of an
authorization code, so there is no separate token request
 Doesn’t include client authentication; relies on the resource owner’s presence and on the
registration of the redirection URI
 The access token is encoded into the redirection URI, so it may be exposed to the resource owner
and to other applications residing on the same device
 Caveat: the OAuth 2.0 Security Best Current Practice now recommends against the implicit grant;
the authorization code grant with PKCE is the preferred choice for browser-based and native clients.
Implicit Grant
FLOW
A. The client directs the resource owner’s user-agent to the authorization endpoint, including:
 client identifier
 requested scope
 local state
 redirection URI
B. The authorization server authenticates the resource owner via the user-agent and establishes
whether the resource owner grants or denies the client’s access request.
C. The user-agent is redirected to the Redirection URI, which carries the access token in the
URI fragment.
D. The user-agent follows the redirection by making a request to the web-hosted client resource
(the fragment is not sent with this request).
E. The web-hosted client resource returns a web page (HTML with embedded script) that is able to
access the full redirection URI, including the fragment.
F. The user-agent executes the script, which extracts the access token from the fragment.
G. The user-agent passes the access token to the client.
Implicit Grant
AUTHORIZATION REQUEST
 The client constructs the request URI by adding the following parameters to the query component
of the authorization endpoint URI:
 response_type (REQUIRED) must be set to “token”
 client_id (REQUIRED)
 redirect_uri (OPTIONAL)
 scope (OPTIONAL)
 state (RECOMMENDED)
Example:
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Implicit Grant
AUTHORIZATION REQUEST - Continued
 The authorization server validates the parameters and authenticates the
resource owner.
 After making a decision to grant or reject the authorization, the user-agent is
redirected to the Redirection URI
Implicit Grant
ACCESS TOKEN RESPONSE
 The authorization server adds the following parameters to the fragment component of the
Redirection URI:
 access_token (REQUIRED)
 token_type (REQUIRED) e.g. Bearer, MAC, … [case insensitive]
 expires_in (RECOMMENDED) lifetime in seconds
 scope (OPTIONAL; REQUIRED if it differs from the scope the client requested)
 state (REQUIRED if a state parameter was present in the client authorization request)
NOTE: The authorization server must not issue a refresh token.
Example:
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
&state=xyz&token_type=example&expires_in=3600
Implicit Grant
ACCESS TOKEN RESPONSE – Error Response
 If the request fails because the redirection URI is missing, invalid or mismatching, or because the
client identifier is missing or invalid, the authorization server informs the resource owner of the
error and must NOT redirect the user-agent to the invalid redirection URI.
 For any other error, the server redirects the user-agent to the Redirection URI with the following
parameters in the fragment component:
 error (REQUIRED) a single ASCII error code, one of:
invalid_request, unauthorized_client, access_denied,
unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
 error_description (OPTIONAL) human-readable ASCII text
 error_uri (OPTIONAL) URI of a human-readable web page describing the error
 state (REQUIRED if a state parameter was present in the client authorization request) the exact
value received from the client
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb#error=access_denied&state=xyz
Resource Owner Password Credentials
Grant
 Suitable in cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged application.
 Should only be used when other grant types are not available: the client obtains the resource
owner’s credentials directly (e.g. through an interactive form) and therefore sees the password.
 Also used to migrate existing clients that use direct authentication schemes such as HTTP
Basic or Digest to OAuth, by converting the stored credentials to an access token.
ROPC Grant
FLOW
A. The resource owner provides the client with its username and password.
B. The client requests an access token with the resource owner’s credentials
from the authorization server’s token endpoint. A confidential client also authenticates
with the authorization server.
C. The authorization server authenticates the client and validates the resource owner’s
credentials. If valid, it issues the access token.
ROPC Grant
AUTHORIZATION REQUEST AND RESPONSE
 The method of obtaining the resource owner credentials is left up to the
implementation.
 The client must discard the credentials as soon as the access token is
obtained.
ROPC Grant
ACCESS TOKEN REQUEST
 The client makes a request to the token endpoint with the following parameters:
 grant_type (REQUIRED) must be set to “password”
 username (REQUIRED)
 password (REQUIRED)
 scope (OPTIONAL)
 If the client type is confidential or the client was issued credentials, the client must authenticate
with the authorization server (ref. “Client Authentication”).
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
ROPC Grant
ACCESS TOKEN REQUEST
 The authorization server must:
1. require client authentication for confidential clients or for clients that were issued
credentials
2. authenticate the client if client authentication is included
3. validate the resource owner’s password credentials using its existing password
validation algorithm
 Because this endpoint accepts passwords directly, the server should protect it against
brute-force attacks (e.g. rate limiting, lockouts, generating alerts).
ROPC Grant
ACCESS TOKEN RESPONSE
 If the authentication process is successful, the authorization server issues an access token and optionally a
refresh token.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
Client Credentials Grant
 The client requests an access token using only its client credentials when requesting access
to protected resources under its control, or to resources of another resource owner that have
been previously arranged with the authorization server.
 Must only be used by confidential clients
Client Credentials Grant
FLOW
A. The client authenticates with the server and requests a token from the token
endpoint.
B. The server authenticates the client and, if valid, issues an access token.
Client Credentials Grant
AUTHORIZATION REQUEST AND RESPONSE
 Since the client authentication is used as the authorization grant, no
additional authorization request is needed.
Client Credentials Grant
ACCESS TOKEN REQUEST
 The client makes a request to the token endpoint by using the following parameters:
 grant_type (REQUIRED) must be set to “client_credentials”
 scope (OPTIONAL)
 The client must authenticate with the authorization server. (ref. “Client Authentication”)
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
Client Credentials Grant
ACCESS TOKEN RESPONSE
 If the authentication is successful, the access token is issued.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
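The following is an added example, my own code rather than anything from the slides or the RFC, that serves both the Resource Owner Password Credentials token request and the Client Credentials token request above from one token endpoint. It performs the server-side checks the two sections list: client authentication via HTTP Basic, the public-client exception, the confidential-only rule for the client_credentials grant, and the brute-force protection the ROPC section asks for (a per-username lockout after repeated failures, with an alert). The client registry, the user store with PBKDF2-derived keys, the lockout thresholds and the alert list are constructed for illustration, as are the TokenEndpoint name and the johndoe/A3ddj3w credentials taken from the slide example.

```python
# Added example (not from the original slides): one token endpoint that serves the password
# and client_credentials grants with the server-side checks the slides call for. Client
# registry, user store, lockout thresholds and alert sink are constructed for illustration.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

MAX_FAILURES = 5        # failed password attempts per username before lockout
LOCKOUT_SECONDS = 300   # how long a locked username stays locked


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenEndpoint:
    def __init__(self):
        self.clients = {}   # client_id -> secret; None marks a public client
        self.users = {}     # username -> (salt, derived key); no plaintext passwords stored
        self.failures = {}  # username -> (failure count, time of last failure)
        self.alerts = []    # messages a monitoring system would receive

    def add_client(self, client_id, secret):
        self.clients[client_id] = secret

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def authenticate_client(self, headers, form):
        """Return the client_id, or None if the client failed (or skipped) authentication."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            expected = self.clients.get(cid)
            if expected is not None and hmac.compare_digest(secret, expected):
                return cid
            return None
        cid = form.get("client_id", [None])[0]  # unauthenticated: only a public client may proceed
        return cid if cid in self.clients and self.clients[cid] is None else None

    def locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and time.time() - last < LOCKOUT_SECONDS

    def check_password(self, username, password):
        """The 'existing password validation algorithm', wrapped in a lockout policy."""
        if self.locked(username):
            return False
        rec = self.users.get(username)
        ok = rec is not None and hmac.compare_digest(derive_key(password, rec[0]), rec[1])
        if ok:
            self.failures.pop(username, None)
            return True
        count = self.failures.get(username, (0, 0.0))[0] + 1
        self.failures[username] = (count, time.time())
        if count == MAX_FAILURES:
            self.alerts.append(f"lockout: {username}")
        return False

    def issue(self, with_refresh):
        resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
        if with_refresh:
            resp["refresh_token"] = secrets.token_urlsafe(24)
        return resp

    def handle(self, headers, body):
        """Token endpoint: returns (HTTP status, response body as a dict)."""
        form = parse_qs(body)
        client_id = self.authenticate_client(headers, form)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type", [None])[0]
        if grant == "client_credentials":
            if self.clients[client_id] is None:  # public clients may not use this grant
                return 400, {"error": "unauthorized_client"}
            return 200, self.issue(with_refresh=False)
        if grant == "password":
            username = form.get("username", [None])[0]
            password = form.get("password", [None])[0]
            if username is None or password is None:
                return 400, {"error": "invalid_request"}
            if not self.check_password(username, password):
                return 400, {"error": "invalid_grant"}  # same answer for bad user, bad password, locked
            return 200, self.issue(with_refresh=True)
        return 400, {"error": "unsupported_grant_type"}
```

The lockout answers a failed, locked or unknown user with the same invalid_grant response, so the endpoint does not become a username oracle, and a lockout alert is raised once rather than on every blocked attempt.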
Extension Grants
 The client uses an extension grant type by specifying the grant type using an
absolute URI (defined by the authorization server) as the value of the
“grant_type” parameter of the token endpoint, and by adding any additional
parameters the extension requires.
Example: (using a SAML 2.0 bearer assertion as the authorization grant)
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer
&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU
[...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
1 de 33

Recomendados

The OAuth 2.0 Authorization Framework por
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
984 vistas25 diapositivas
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020 por
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
177 vistas80 diapositivas
Demystifying OAuth 2.0 por
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
7.5K vistas57 diapositivas
TLDR - OAuth por
TLDR - OAuthTLDR - OAuth
TLDR - OAuthAndy March
160 vistas55 diapositivas
OAuth 2.0 por
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
4.8K vistas44 diapositivas
OAuth and Open-id por
OAuth and Open-idOAuth and Open-id
OAuth and Open-idParisa Moosavinezhad
179 vistas25 diapositivas

Más contenido relacionado

La actualidad más candente

An introduction to OAuth 2 por
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
733 vistas31 diapositivas
OAuth2 + API Security por
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
9K vistas43 diapositivas
Introduction to OAuth2.0 por
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
3.3K vistas18 diapositivas
An Introduction to OAuth2 por
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
14.7K vistas78 diapositivas
Microservice security with spring security 5.1,Oauth 2.0 and open id connect por
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
75 vistas61 diapositivas
OAuth 2.0 with Pet Care House por
OAuth 2.0 with Pet Care HouseOAuth 2.0 with Pet Care House
OAuth 2.0 with Pet Care HousePrabath Siriwardena
1.4K vistas55 diapositivas

La actualidad más candente(20)

An Introduction to OAuth2 por Aaron Parecki
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki14.7K vistas
Microservice security with spring security 5.1,Oauth 2.0 and open id connect por Nilanjan Roy
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy75 vistas
Implementing OAuth por leahculver
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver28.2K vistas
OAuth2 & OpenID Connect por Marcin Wolnik
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
Marcin Wolnik592 vistas
Best Practices in Building an API Security Ecosystem por Prabath Siriwardena
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena1.4K vistas
OAuth - Open API Authentication por leahculver
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver22.3K vistas
O Auth 2.0 The Path to Heaven from Hell por WSO2
O Auth 2.0   The Path to Heaven from HellO Auth 2.0   The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
WSO21.9K vistas
OAuth 2.0 and Library por Kenji Otsuka
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka177 vistas
(1) OAuth 2.0 Overview por anikristo
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo560 vistas
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo... por Good Dog Labs, Inc.
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.2.2K vistas
A Survey on SSO Authentication protocols: Security and Performance por Amin Saqi
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
Amin Saqi524 vistas

Destacado

Citations & google my business for audiology marketing por
Citations & google my business for audiology marketingCitations & google my business for audiology marketing
Citations & google my business for audiology marketingGeoffrey Cooling
552 vistas15 diapositivas
Catalogo Dulces y Chocolates La Perla por
Catalogo Dulces y Chocolates La Perla Catalogo Dulces y Chocolates La Perla
Catalogo Dulces y Chocolates La Perla Gerardo Garcia Vasconcelos
2.1K vistas9 diapositivas
report_komal por
report_komalreport_komal
report_komalKomal Kumar
249 vistas31 diapositivas
More about wordpress 4.3 por
More about wordpress 4.3More about wordpress 4.3
More about wordpress 4.3NeilWilson2015
146 vistas12 diapositivas
Music video research assessment por
Music video research assessmentMusic video research assessment
Music video research assessmenttwbsmediaconnell
552 vistas1 diapositiva
Feria sanmiguel por
Feria sanmiguelFeria sanmiguel
Feria sanmigueljbg11
69 vistas1 diapositiva

Destacado(18)

Citations & google my business for audiology marketing por Geoffrey Cooling
Citations & google my business for audiology marketingCitations & google my business for audiology marketing
Citations & google my business for audiology marketing
Geoffrey Cooling552 vistas
Feria sanmiguel por jbg11
Feria sanmiguelFeria sanmiguel
Feria sanmiguel
jbg1169 vistas
(6) OAuth 2.0 Refreshing an Access Token por anikristo
(6) OAuth 2.0 Refreshing an Access Token(6) OAuth 2.0 Refreshing an Access Token
(6) OAuth 2.0 Refreshing an Access Token
anikristo232 vistas
Vskills certified organizational behavior professional por Vskills
Vskills certified organizational behavior professionalVskills certified organizational behavior professional
Vskills certified organizational behavior professional
Vskills369 vistas
音録(オドロク)プレゼン資料 por Yco Tange
音録(オドロク)プレゼン資料音録(オドロク)プレゼン資料
音録(オドロク)プレゼン資料
Yco Tange291 vistas
Vskills certified html designer Notes por Vskills
Vskills certified html designer NotesVskills certified html designer Notes
Vskills certified html designer Notes
Vskills270 vistas
Stateless token-based authentication for pure front-end applications por Alvaro Sanchez-Mariscal
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
Securing your APIs with OAuth, OpenID, and OpenID Connect por Manish Pandit
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit4K vistas
From Zero to Hero with REST and OAuth2 #jjug por Toshiaki Maki
From Zero to Hero with REST and OAuth2 #jjugFrom Zero to Hero with REST and OAuth2 #jjug
From Zero to Hero with REST and OAuth2 #jjug
Toshiaki Maki3.3K vistas
Poblamiento Urbano por estribor1983
Poblamiento UrbanoPoblamiento Urbano
Poblamiento Urbano
estribor198354.5K vistas

Similar a (4) OAuth 2.0 Obtaining Authorization

What the Heck is OAuth and OIDC - UberConf 2018 por
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
619 vistas89 diapositivas
(3) OAuth 2.0 Protocol Endpoints por
(3) OAuth 2.0 Protocol Endpoints(3) OAuth 2.0 Protocol Endpoints
(3) OAuth 2.0 Protocol Endpointsanikristo
233 vistas9 diapositivas
Protecting your APIs with Doorkeeper and OAuth 2.0 por
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
1.9K vistas35 diapositivas
Deep Dive into OAuth for Connected Apps por
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
1.1K vistas24 diapositivas
Learn with WSO2 - API Security por
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
1.4K vistas59 diapositivas
Oauth2 and OWSM OAuth2 support por
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
4K vistas45 diapositivas

Similar a (4) OAuth 2.0 Obtaining Authorization(18)

What the Heck is OAuth and OIDC - UberConf 2018 por Matt Raible
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible619 vistas
(3) OAuth 2.0 Protocol Endpoints por anikristo
(3) OAuth 2.0 Protocol Endpoints(3) OAuth 2.0 Protocol Endpoints
(3) OAuth 2.0 Protocol Endpoints
anikristo233 vistas
Protecting your APIs with Doorkeeper and OAuth 2.0 por Mads Toustrup-Lønne
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne1.9K vistas
Learn with WSO2 - API Security por WSO2
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO21.4K vistas
Oauth2 and OWSM OAuth2 support por Gaurav Sharma
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma4K vistas
Rest & RESTful WebServices por Prateek Tandon
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
Prateek Tandon5.8K vistas
Amazon Cognito OAuth 2.0 Grants por Sibtay Abbas
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 Grants
Sibtay Abbas13 vistas
Silicon Valley Code Camp 2009: OAuth: What, Why and How por Manish Pandit
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit982 vistas
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen por Codemotion
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion1.2K vistas
Stateless Auth using OAUTH2 & JWT por Mobiliya
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya1K vistas
.NET Core, ASP.NET Core Course, Session 19 por aminmesbahi
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
aminmesbahi476 vistas
Understanding and testing restful web services por mwinteringham
Understanding and testing restful web servicesUnderstanding and testing restful web services
Understanding and testing restful web services
mwinteringham2.2K vistas
OAuth [noddyCha] por noddycha
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
noddycha980 vistas
CIS 2012 - Going Mobile with PingFederate and OAuth 2 por scotttomilson
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson3.7K vistas
NextGenPSD2 OAuth SCA Mode Security Recommendations por Torsten Lodderstedt
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt858 vistas

Último

MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVA por
MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVAMODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVA
MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVADemian Antony D'Mello
8 vistas14 diapositivas
CPM Schedule Float.pptx por
CPM Schedule Float.pptxCPM Schedule Float.pptx
CPM Schedule Float.pptxMathew Joseph
9 vistas5 diapositivas
Programmable Logic Devices : SPLD and CPLD por
Programmable Logic Devices : SPLD and CPLDProgrammable Logic Devices : SPLD and CPLD
Programmable Logic Devices : SPLD and CPLDUsha Mehta
44 vistas54 diapositivas
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for Growth por
BCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for GrowthBCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for Growth
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for GrowthInnomantra
28 vistas4 diapositivas
AWS Certified Solutions Architect Associate Exam Guide_published .pdf por
AWS Certified Solutions Architect Associate Exam Guide_published .pdfAWS Certified Solutions Architect Associate Exam Guide_published .pdf
AWS Certified Solutions Architect Associate Exam Guide_published .pdfKiran Kumar Malik
6 vistas121 diapositivas
Different type of computer networks .pptx por
Different  type of computer networks .pptxDifferent  type of computer networks .pptx
Different type of computer networks .pptxnazmul1514788
20 vistas22 diapositivas

Último(20)

MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVA por Demian Antony D'Mello
MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVAMODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVA
MODULE-1 CHAPTER 3- Operators - Object Oriented Programming with JAVA
Programmable Logic Devices : SPLD and CPLD por Usha Mehta
Programmable Logic Devices : SPLD and CPLDProgrammable Logic Devices : SPLD and CPLD
Programmable Logic Devices : SPLD and CPLD
Usha Mehta44 vistas
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for Growth por Innomantra
BCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for GrowthBCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for Growth
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for Growth
Innomantra 28 vistas
AWS Certified Solutions Architect Associate Exam Guide_published .pdf por Kiran Kumar Malik
AWS Certified Solutions Architect Associate Exam Guide_published .pdfAWS Certified Solutions Architect Associate Exam Guide_published .pdf
AWS Certified Solutions Architect Associate Exam Guide_published .pdf
Different type of computer networks .pptx por nazmul1514788
Different  type of computer networks .pptxDifferent  type of computer networks .pptx
Different type of computer networks .pptx
nazmul151478820 vistas
Programmable Switches for Programmable Logic Devices por Usha Mehta
Programmable Switches for Programmable Logic DevicesProgrammable Switches for Programmable Logic Devices
Programmable Switches for Programmable Logic Devices
Usha Mehta37 vistas
Web Dev Session 1.pptx por VedVekhande
Web Dev Session 1.pptxWeb Dev Session 1.pptx
Web Dev Session 1.pptx
VedVekhande23 vistas
2023-12 Emarei MRI Tool Set E2I0501ST (TQ).pdf por Philipp Daum
2023-12 Emarei MRI Tool Set E2I0501ST (TQ).pdf2023-12 Emarei MRI Tool Set E2I0501ST (TQ).pdf
2023-12 Emarei MRI Tool Set E2I0501ST (TQ).pdf
Philipp Daum6 vistas
Integrating Sustainable Development Goals (SDGs) in School Education por SheetalTank1
Integrating Sustainable Development Goals (SDGs) in School EducationIntegrating Sustainable Development Goals (SDGs) in School Education
Integrating Sustainable Development Goals (SDGs) in School Education
SheetalTank120 vistas
IRJET-Productivity Enhancement Using Method Study.pdf por SahilBavdhankar
IRJET-Productivity Enhancement Using Method Study.pdfIRJET-Productivity Enhancement Using Method Study.pdf
IRJET-Productivity Enhancement Using Method Study.pdf
SahilBavdhankar11 vistas
Building source code level profiler for C++.pdf por ssuser28de9e
Building source code level profiler for C++.pdfBuilding source code level profiler for C++.pdf
Building source code level profiler for C++.pdf
ssuser28de9e12 vistas
DevFest 2023 Daegu Speech_이재규, Implementing easy and simple chat with gol... por JQLEE6
DevFest 2023 Daegu Speech_이재규,  Implementing easy and simple chat with gol...DevFest 2023 Daegu Speech_이재규,  Implementing easy and simple chat with gol...
DevFest 2023 Daegu Speech_이재규, Implementing easy and simple chat with gol...
JQLEE616 vistas
Ansari: Practical experiences with an LLM-based Islamic Assistant por M Waleed Kadous
Ansari: Practical experiences with an LLM-based Islamic AssistantAnsari: Practical experiences with an LLM-based Islamic Assistant
Ansari: Practical experiences with an LLM-based Islamic Assistant
M Waleed Kadous13 vistas

(4) OAuth 2.0 Obtaining Authorization

  • 2. Grant Types 1. Authorization Code Grant 2. Implicit Grant 3. Resource Owner Password Credentials Grant 4. Client Credentials Grant
  • 3. Authorization Code Grant  Used to obtain both Access Tokens and Refresh Tokens  Optimized for confidential clients  Redirection-based flow
  • 5. Authorization Code Grant FLOW A. Resource owner’s user agent is directed to the authorization endpoint. The client includes:  Client Identifier  Requested Scope  Local State  Redirection URI B. Authorization server authenticates the user via the user-agent. Grants or rejects the authorization. C. User-agent is redirected back to the “Redirection URI” with an Authorization Code. D. The client requests and access token form the authorization servers’ Token Endpoint by presenting the Authorization Code. The client is also authenticated to the server. The client sends the Redirection URI as a means of confirmation. E. The authentication server authenticates the client, validates the authorization code, compares the Redirection URI to the one in step C, and returns an Access Token and, optionally, a Refresh Token.
  • 6. Authorization Code Grant AUTHORIZATION REQUEST  The client constructs the request URI by adding the following parameter to the query component of the authorization endpoint URI:  response_type (REQUIRED) should be set to “code”  client_id (REQURIED)  redirection_uri (OPTIONAL)  scope (OPTIONAL) the requested scope  state (RECOMMENDED) A value used by the client to distinguish the states between Request and Callback Example: GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
  • 7. Authorization Code Grant AUTHORIZATION RESPONSE  If the Authorization Server grants the permission, it redirects the client by adding the following to the Redirection URI:  code (REQUIRED) the Authorization Code generated, which must expired shortly after it has been issued. (Maximum time: 10 minutes)  NOTE: This code must only be used once. In case the server detects more than one use, it must deny the request and revoke all the tokens issued previously.  state (REQUIRED) the exact value gotten from the client request Example: HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz
  • 8. Authorization Code Grant AUTHORIZATION RESPONSE – Error Response  In case of error, the resource owner is informed and it is NOT redirected automatically.  The error URI contains:  error (REQUIRED) ASCII, should be one of the following: invalid_request, unauthorized_client, access_denied, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable  error_description (OPTIONAL) human-readable, ASCII  error_uri (OPTIONAL) human-readable web page  state (REQUIRED) same value as in the client request Example: HTTP/1.1 302 Found Location: https://client.example.com/cb?error=access_denied&state=xyz
• 9. Authorization Code Grant ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint with the following parameters (sent in the request body, application/x-www-form-urlencoded):
- grant_type (REQUIRED) must be set to "authorization_code"
- code (REQUIRED) the authorization code received from the authorization server
- redirect_uri (REQUIRED if the redirect_uri parameter was included in the authorization request) identical value to the one in the authorization request
- client_id (REQUIRED if the client is not authenticating with the authorization server)
NOTE: if the client type is confidential or the client was issued client credentials, the client must authenticate with the authorization server.
• 10. Authorization Code Grant ACCESS TOKEN REQUEST - Continued
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
• 11. Authorization Code Grant ACCESS TOKEN REQUEST - Continued
The authorization server must:
- require client authentication for confidential clients or for any client that was issued client credentials
- authenticate the client if client authentication is included
- ensure the authorization code was issued to the authenticated confidential client, or, if the client is public, to the client identified by the client_id in the request
- verify that the authorization code is valid (not expired and not already used)
- ensure that the redirect_uri parameter is present if a redirect_uri was included in the initial authorization request, and if included, ensure that the values are identical
• 12. Authorization Code Grant ACCESS TOKEN RESPONSE
Example of a successful response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
The Cache-Control: no-store and Pragma: no-cache headers are required on every response that carries tokens, secrets or other sensitive data.
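The authorization code flow of slides 5 to 12, worked through as an added example (not code from the original slides): a toy authorization server that issues a code bound to the client and redirect URI, a client-side callback handler that checks state, and a token endpoint that authenticates the client, rejects expired or replayed codes, and revokes tokens issued on a replayed code. The client_id, authorization request and Basic header are the slides' own; the client secret is what that Basic header decodes to; the registered redirect URI, code lifetime and in-memory stores are assumptions.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 600   # seconds; RFC 6749 recommends a maximum of 10 minutes

# Assumed registration: client_id -> (client_secret, registered redirect_uri).
# The secret is what the slides' "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" decodes to.
CLIENTS = {"s6BhdRkqt3": ("gX1fBat3bV", "https://client.example.com/cb")}


def parse_basic_auth(header: str) -> tuple:
    """Return (client_id, client_secret) from an HTTP Basic Authorization header."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("client authentication must be HTTP Basic here")
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    return client_id, secret


class AuthServer:
    """Toy authorization server keeping issued codes and tokens in memory."""

    def __init__(self):
        self.codes = {}    # code -> {client_id, redirect_uri, explicit_uri, issued, used}
        self.tokens = {}   # access_token -> {client_id, code}

    # Steps A-C: the resource owner has approved; build the Location header value.
    def authorize(self, query: str, now: float = None) -> str:
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("client_id") not in CLIENTS:
            raise ValueError("invalid request: inform the resource owner, do not redirect")
        registered_uri = CLIENTS[q["client_id"]][1]
        redirect_uri = q.get("redirect_uri", registered_uri)
        if redirect_uri != registered_uri:          # exact match, never a prefix match
            raise ValueError("redirect_uri mismatch: inform the resource owner, do not redirect")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": redirect_uri,
                            "explicit_uri": "redirect_uri" in q,
                            "issued": time.time() if now is None else now, "used": False}
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]            # echoed back exactly as received
        return redirect_uri + "?" + urlencode(params)

    # Steps D-E: the token endpoint.
    def token(self, form: str, authorization: str, now: float = None) -> dict:
        client_id, secret = parse_basic_auth(authorization)
        if client_id not in CLIENTS or CLIENTS[client_id][0] != secret:
            return {"error": "invalid_client"}
        f = {k: v[0] for k, v in parse_qs(form).items()}
        if f.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.get(f.get("code"))
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}        # unknown code, or issued to another client
        if rec["used"]:
            # Replay: deny, and revoke everything previously issued on this code.
            for tok in [t for t, v in self.tokens.items() if v["code"] == f["code"]]:
                del self.tokens[tok]
            return {"error": "invalid_grant"}
        if (time.time() if now is None else now) - rec["issued"] > CODE_LIFETIME:
            return {"error": "invalid_grant"}        # expired
        if rec["explicit_uri"] and f.get("redirect_uri") != rec["redirect_uri"]:
            return {"error": "invalid_grant"}        # redirect_uri must be repeated identically
        rec["used"] = True
        access = secrets.token_urlsafe(16)
        self.tokens[access] = {"client_id": client_id, "code": f["code"]}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(16)}


def client_callback(expected_state: str, location: str) -> str:
    """Client side of step C: use the code only if state matches what this session sent."""
    q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF, discard the callback")
    if "error" in q:
        raise RuntimeError("authorization failed: " + q["error"])
    return q["code"]


def demo() -> tuple:
    """Run the whole flow; returns (token response, replay response, tokens still alive)."""
    srv = AuthServer()
    auth_query = ("response_type=code&client_id=s6BhdRkqt3&state=xyz"
                  "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb")
    code = client_callback("xyz", srv.authorize(auth_query, now=1000.0))
    form = ("grant_type=authorization_code&code=" + code +
            "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb")
    first = srv.token(form, "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW", now=1001.0)
    replay = srv.token(form, "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW", now=1002.0)
    return first, replay, len(srv.tokens)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the second presentation of the same code failing with invalid_grant and the access token issued on the first presentation being revoked, which is the behaviour slides 7 and 11 require.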
• 13. Implicit Grant
- Used to obtain access tokens only (no refresh tokens are issued)
- Optimized for public clients known to operate a particular redirection URI
- Such clients are typically implemented in a browser using a scripting language such as JavaScript
- Redirection-based flow: the client interacts with the resource owner's user agent and receives incoming requests via redirection from the authorization server
- Unlike the authorization code grant, the client is issued an access token directly as the result of the resource owner's authorization, with no intermediate authorization code to exchange
- Does not include client authentication; it relies on the presence of the resource owner and on the registration of the redirection URI
- The access token is encoded into the redirection URI, so it may be exposed to the resource owner and to other applications residing on the same device
- NOTE: the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against the implicit grant because of this token leakage; new deployments should use the authorization code grant with PKCE instead
• 15. Implicit Grant FLOW
A. The user agent is directed to the authorization endpoint. The client includes:
- Client identifier
- Requested scope
- Local state
- Redirection URI
B. The authorization server authenticates the resource owner via the user agent and establishes whether the resource owner grants or denies the client's access request.
C. The user agent is redirected to the redirection URI. The access token is carried in the URI fragment.
D. The user agent follows the redirection by making a request to the web-hosted client resource; per HTTP, the fragment is not sent in this request.
E. The web-hosted client resource returns a web page (HTML with embedded script) capable of accessing the full redirection URI, including the fragment retained by the user agent.
F. The user agent executes the script, which extracts the access token from the fragment.
G. The user agent passes the access token to the client.
• 16. Implicit Grant AUTHORIZATION REQUEST
- The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI:
- response_type (REQUIRED) must be set to "token"
- client_id (REQUIRED)
- redirect_uri (OPTIONAL)
- scope (OPTIONAL)
- state (RECOMMENDED)
Example:
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
• 17. Implicit Grant AUTHORIZATION REQUEST - Continued
- The authorization server validates the request parameters (in particular the redirection URI, since the token will be sent there) and authenticates the resource owner.
- After the resource owner grants or denies the authorization, the user agent is redirected to the redirection URI, with the response parameters in the fragment component.
• 18. Implicit Grant ACCESS TOKEN RESPONSE
- If the resource owner grants access, the authorization server redirects the user agent to the redirection URI with the following parameters in the fragment component:
- access_token (REQUIRED)
- token_type (REQUIRED) e.g. Bearer or MAC; the value is case insensitive
- expires_in (RECOMMENDED) lifetime in seconds; if omitted, the server should document its default lifetime
- scope (OPTIONAL, but REQUIRED if the granted scope differs from the requested one)
- state (REQUIRED if "state" was present in the client's request)
NOTE: the authorization server must NOT issue a refresh token in this flow.
Example:
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
&state=xyz&token_type=example&expires_in=3600
• 19. Implicit Grant ACCESS TOKEN RESPONSE – Error Response
- As in the authorization code grant: if the redirection URI is missing, invalid or mismatched, or client_id is missing or invalid, the authorization server must inform the resource owner and must NOT redirect the user agent.
- For any other error, the server redirects the user agent to the redirection URI with the following parameters in the fragment component:
- error (REQUIRED) a single ASCII error code, one of: invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
- error_description (OPTIONAL) human-readable ASCII text with additional information
- error_uri (OPTIONAL) URI of a human-readable web page with information about the error
- state (REQUIRED if "state" was present in the client's request) the exact value received from the client
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb#error=access_denied&state=xyz
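The error handling of slides 8 and 19 hinges on one decision: is the redirection URI trustworthy enough to send anything to? The added example below (not code from the original slides) implements that decision for the authorization endpoint of both grants: an unknown client_id or an unregistered redirect_uri produces an error page and no redirect, while every other error is sent back to the validated redirect URI, in the query for response_type=code and in the fragment for response_type=token. The client_id and redirect URI are the slides' own; the registration table and the exact-match policy are assumptions, and issuing the code or token on the success path is outside this block.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed registration: client_id -> set of exact redirection URIs allowed for it.
REGISTERED = {"s6BhdRkqt3": {"https://client.example.com/cb"}}

ERROR_CODES = {"invalid_request", "unauthorized_client", "access_denied",
               "unsupported_response_type", "invalid_scope",
               "server_error", "temporarily_unavailable"}


def error_redirect(redirect_uri: str, response_type: str, error: str,
                   state: str = None, description: str = None) -> str:
    """Location value for an error: query for the code grant, fragment for the implicit grant."""
    if error not in ERROR_CODES:
        raise ValueError("not a registered error code: " + error)
    params = {"error": error}
    if description:
        params["error_description"] = description   # ASCII only; never echo request input here
    if state is not None:
        params["state"] = state                     # REQUIRED whenever the request carried one
    parts = urlsplit(redirect_uri)
    if response_type == "token":
        return urlunsplit(parts._replace(fragment=urlencode(params)))
    query = urlencode(params) if not parts.query else parts.query + "&" + urlencode(params)
    return urlunsplit(parts._replace(query=query))


def handle_authorization_request(query: str, owner_approves: bool) -> tuple:
    """Returns ("show_error", message), ("redirect", location) or ("grant", details)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    allowed = REGISTERED.get(q.get("client_id"))
    if allowed is None:
        # Unknown client: there is no trustworthy place to redirect to. Render an error page.
        return "show_error", "unknown client_id; the user agent is not redirected"
    redirect_uri = q.get("redirect_uri")
    if redirect_uri is None and len(allowed) == 1:
        redirect_uri = next(iter(allowed))          # a single registered URI may be omitted
    if redirect_uri not in allowed:
        # Exact string comparison only. Prefix or domain matching would let
        # https://client.example.com.evil.net/cb or https://client.example.com/cb/../x through.
        return "show_error", "redirect_uri missing or not registered; the user agent is not redirected"
    # Only from here on is it safe to send anything, errors included, to redirect_uri.
    response_type, state = q.get("response_type"), q.get("state")
    if response_type not in ("code", "token"):
        return "redirect", error_redirect(redirect_uri, response_type,
                                          "unsupported_response_type", state)
    if not owner_approves:
        return "redirect", error_redirect(redirect_uri, response_type, "access_denied", state)
    return "grant", {"response_type": response_type, "redirect_uri": redirect_uri, "state": state}
```

The two "show_error" branches are the ones attackers probe for: an authorization server that redirects on a bad redirect_uri is an open redirector, and in the implicit grant it hands the access token to whoever controls that URI.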
• 20. Resource Owner Password Credentials Grant
- Suitable only where the resource owner has a high degree of trust in the client, such as the device operating system or a highly privileged application, and other grant types are not available
- Usable only by clients that can obtain the resource owner's credentials directly (typically through an interactive form)
- Also used to migrate existing clients from direct authentication schemes such as HTTP Basic or Digest to OAuth, by converting the stored credentials into an access token (and refresh token) so the password no longer has to be stored
- NOTE: because the client handles the password itself, this grant gives up the main benefit of OAuth; the OAuth 2.0 Security Best Current Practice (RFC 9700) states that it must not be used
  • 21. Resource Owner Password Credentials Grant
• 22. ROPC Grant FLOW
A. The resource owner provides the client with its username and password.
B. The client requests an access token from the authorization server's token endpoint, including the resource owner's credentials. The client authenticates with the authorization server in the same request.
C. The authorization server authenticates the client and validates the resource owner's credentials. If they are valid, it issues an access token.
• 23. ROPC Grant AUTHORIZATION REQUEST AND RESPONSE
- The method by which the client obtains the resource owner's credentials is outside the scope of the specification.
- The client must discard the credentials as soon as the access token has been obtained; they must not be stored or reused.
• 24. ROPC Grant ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint with the following parameters (sent in the request body, application/x-www-form-urlencoded):
- grant_type (REQUIRED) must be set to "password"
- username (REQUIRED) the resource owner's username
- password (REQUIRED) the resource owner's password
- scope (OPTIONAL)
- If the client type is confidential or the client was issued client credentials, the client must authenticate with the authorization server (ref. "Client Authentication").
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
• 25. ROPC Grant ACCESS TOKEN REQUEST - Continued
The authorization server must:
1. require client authentication for confidential clients or for any client that was issued client credentials
2. authenticate the client if client authentication is included
3. validate the resource owner's password credentials using its existing password validation algorithm
- Because this request carries the resource owner's password, the server must protect the endpoint against brute-force attacks (e.g. rate limiting or lockout per account, and generating alerts on repeated failures).
• 26. ROPC Grant ACCESS TOKEN RESPONSE
- If the authentication process is successful, the authorization server issues an access token and, optionally, a refresh token.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
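Slides 24 to 26 as a server-side handler, added here as an example and not code from the original slides. It carries out the three checks of slide 25 and the brute-force protection the specification requires: client authentication first, then a per-(client, username) failure counter that locks the pair out and raises an alert before the password is even looked at, then the existing password validation. The client_id, Basic header, username and password are the slides' own; the client secret is what the Basic header decodes to; the PBKDF2 user store, the salt, the lockout threshold and window, and the alert list are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed registration; the secret is what the slides' Basic header decodes to.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the server's existing password validation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Same user and password as slide 24.
_SALT = b"constructed-demo-salt"
USERS = {"johndoe": (_SALT, hash_password("A3ddj3w", _SALT))}
_DUMMY_HASH = b"\x00" * 32          # compared against for unknown users, so timing is uniform

MAX_FAILURES = 5                    # this many failures per (client, username) ...
WINDOW = 300                        # ... within this many seconds locks the pair out


class PasswordGrantEndpoint:
    def __init__(self):
        self.failures = defaultdict(list)   # (client_id, username) -> failure timestamps
        self.alerts = []                    # what would go to the SOC

    def _locked_out(self, key: tuple, now: float) -> bool:
        recent = [t for t in self.failures[key] if now - t < WINDOW]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def handle(self, form: str, authorization: str, now: float = None) -> tuple:
        """Returns (HTTP status, JSON body) for a grant_type=password request."""
        now = time.time() if now is None else now
        # 1. Client authentication (confidential client, HTTP Basic).
        scheme, _, b64 = authorization.partition(" ")
        try:
            client_id, _, client_secret = base64.b64decode(b64).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 401, {"error": "invalid_client"}
        if (scheme != "Basic" or client_id not in CLIENTS
                or not hmac.compare_digest(CLIENTS[client_id], client_secret)):
            return 401, {"error": "invalid_client"}
        # 2. Parameter check.
        f = {k: v[0] for k, v in parse_qs(form).items()}
        if f.get("grant_type") != "password" or "username" not in f or "password" not in f:
            return 400, {"error": "invalid_request"}
        key = (client_id, f["username"])
        # 3. Brute-force protection, decided before the password is looked at.
        if self._locked_out(key, now):
            self.alerts.append({"event": "ropc_lockout", "client_id": client_id,
                                "username": f["username"], "at": now})
            return 400, {"error": "invalid_grant"}
        # 4. Existing password validation; same work whether or not the user exists.
        salt, stored = USERS.get(f["username"], (_SALT, _DUMMY_HASH))
        if not hmac.compare_digest(hash_password(f["password"], salt), stored):
            self.failures[key].append(now)
            return 400, {"error": "invalid_grant"}   # same error for bad user and bad password
        self.failures.pop(key, None)
        # The plaintext password is not stored anywhere; only the tokens leave this function.
        return 200, {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}
```

Keying the counter on (client_id, username) rather than on source IP is deliberate: the password endpoint is called by a confidential client, so every attempt for a given user arrives from the same client address anyway.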
• 27. Client Credentials Grant
- The client requests an access token using only its client credentials (or another supported form of client authentication) when it is requesting access to protected resources under its own control, or to those of another resource owner that have been previously arranged with the authorization server
- Must only be used by confidential clients, since the client's credentials are the only authorization there is
• 29. Client Credentials Grant FLOW
A. The client authenticates with the authorization server and requests an access token from the token endpoint.
B. The authorization server authenticates the client and, if the credentials are valid, issues an access token.
• 30. Client Credentials Grant AUTHORIZATION REQUEST AND RESPONSE
- Since the client authentication is used as the authorization grant, no additional authorization request is needed; the flow involves only the token endpoint.
• 31. Client Credentials Grant ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint with the following parameters (sent in the request body, application/x-www-form-urlencoded):
- grant_type (REQUIRED) must be set to "client_credentials"
- scope (OPTIONAL)
- The client must authenticate with the authorization server (ref. "Client Authentication").
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
• 32. Client Credentials Grant ACCESS TOKEN RESPONSE
- If the client authentication is successful, the authorization server issues an access token. A refresh token should not be included, since the client can simply authenticate again.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}
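Slides 31 and 32 from the client's side, as an added example that is not code from the original slides: building the token request, including the HTTP Basic header exactly as RFC 6749 section 2.3.1 specifies it (client_id and secret are each form-urlencoded before being joined with ":" and base64-encoded, which matters as soon as a secret contains ":", "+" or "/"), and checking the token response before the client relies on it (required fields, supported token_type, Cache-Control: no-store, scope narrowing, and the refresh token that should not be there). The client_id is the slides' own and the secret is what their Basic header decodes to; the request structure returned by build_token_request and the warning strings are assumptions.

```python
import base64
import json
from urllib.parse import quote, urlencode


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication per RFC 6749 section 2.3.1: identifier and secret
    are each form-urlencoded first, then joined with ':' and base64-encoded."""
    credentials = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: list = None) -> dict:
    """The client credentials token request as an (assumed) request-line/headers/body structure."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = " ".join(scope)              # scope is a space-separated list
    return {"request_line": "POST /token HTTP/1.1",
            "headers": {"Host": "server.example.com",
                        "Authorization": basic_client_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def parse_token_response(status: int, headers: dict, body: str, now: float,
                         requested_scope: list = None) -> dict:
    """Validate a token response; raise on anything the client cannot safely use."""
    data = json.loads(body)
    if status != 200:
        raise RuntimeError("token request failed: " + str(data.get("error", status)))
    for field in ("access_token", "token_type"):
        if field not in data:
            raise ValueError("token response is missing " + field)
    if data["token_type"].lower() != "bearer":        # token_type is case insensitive
        raise ValueError("unsupported token_type: " + data["token_type"])
    warnings = []
    h = {k.lower(): v for k, v in headers.items()}
    if "no-store" not in h.get("cache-control", "").lower():
        warnings.append("token response not marked Cache-Control: no-store")
    if "refresh_token" in data:
        warnings.append("refresh_token issued for client_credentials; not keeping it")
    granted = data.get("scope", " ".join(requested_scope or [])).split()
    return {"access_token": data["access_token"],
            # expires_in is only RECOMMENDED: a missing value means 'unknown', not 'forever'
            "expires_at": now + data["expires_in"] if "expires_in" in data else None,
            "scope": granted,
            "scope_narrowed": requested_scope is not None and set(granted) != set(requested_scope),
            "warnings": warnings}
```

basic_client_auth("s6BhdRkqt3", "gX1fBat3bV") reproduces the Authorization header shown on the slides, which is a quick way to check that a client library encodes credentials the way the specification requires.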
• 33. Extension Grants
- The client uses an extension grant type by setting the "grant_type" parameter of the token endpoint request to an absolute URI (defined by the authorization server) that identifies the grant, and by adding any additional parameters the extension requires.
Example (using a SAML 2.0 assertion, Security Assertion Markup Language, as the grant):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer
&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-