Intro to API Security with Oauth 2.0

Functional Imperative
Introduction to API security with OAUTH 2.0
Kevin Johnson
Basics
Authentication -> ID card
Authorization -> Driver's Licence
Delegated Authorization
OAUTH Flows: Four Primary Grant Types
1. Authorization Code Grant
2. Implicit Grant for browser-based client-side applications
3. Resource Owner Password-Based Grant
4. Client Credentials Grant
Registration of Client App
App Specific Info
• Redirect URI
• client_id
• client_secret
Authorization Server Specific Info
• Authorization Endpoint
• Token Endpoint
Authorization Code Grant (diagram: consent form, credentials)
Authorization Code Grant: Actors
Authorization Code Grant: Moving Parts
Authorization Code Grant: Step 1 (diagram: consent form, credentials)
Authorization Server: 3 Components
1. Authentication Component
• Identity Provider (LDAP, Active Directory)
2. Consent Component
• Consent Server
3. Token Infrastructure Provider
• Token Values: Access Token, Refresh Token
• Token Attributes: when created? valid? revoked?
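The token infrastructure component above has to answer the three attribute questions (when was the token created, is it still valid, has it been revoked) on every API call. The following is an added example, not code from the deck or from any particular authorization server: a minimal opaque-token store that mints access and refresh tokens, fails closed on expiry and revocation, and rotates the refresh token so a captured one can only be used once. The TTL values and the injected `clock` are assumptions made so the behaviour can be exercised deterministically; the 3600-second access lifetime matches the `expires_in` value shown in the token response later in the deck.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example: a minimal token store covering the three token
# attributes on the slide (when created? valid? revoked?) plus refresh
# rotation. Lifetimes are assumptions, not values from the deck.
ACCESS_TTL = 3600             # seconds; same as the deck's expires_in
REFRESH_TTL = 30 * 24 * 3600  # assumed 30-day refresh token lifetime


@dataclass
class TokenRecord:
    value: str
    kind: str          # "access" or "refresh"
    client_id: str
    scope: str
    created_at: float  # when created?
    expires_at: float  # valid?
    revoked: bool = False  # revoked?


class TokenStore:
    """Issues, validates and revokes opaque tokens. `clock` is injected so
    expiry can be tested without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token value -> TokenRecord

    def _mint(self, kind, client_id, scope, ttl):
        now = self._clock()
        rec = TokenRecord(secrets.token_urlsafe(32), kind, client_id, scope, now, now + ttl)
        self._tokens[rec.value] = rec
        return rec

    def issue(self, client_id, scope):
        """Return the body of a token response for a freshly approved grant."""
        access = self._mint("access", client_id, scope, ACCESS_TTL)
        refresh = self._mint("refresh", client_id, scope, REFRESH_TTL)
        return {"access_token": access.value, "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh.value}

    def lookup(self, value, kind):
        """Return the record only if it exists, has the expected kind,
        is not revoked and has not expired; otherwise None (fail closed)."""
        rec = self._tokens.get(value)
        if rec is None or rec.kind != kind or rec.revoked:
            return None
        if self._clock() >= rec.expires_at:
            return None
        return rec

    def is_valid_access(self, value):
        return self.lookup(value, "access") is not None

    def revoke(self, value):
        rec = self._tokens.get(value)
        if rec is not None:
            rec.revoked = True

    def refresh(self, refresh_value, client_id):
        """Rotate: the presented refresh token is consumed and a new pair is
        issued. Returns None if the token is invalid or belongs to another client."""
        rec = self.lookup(refresh_value, "refresh")
        if rec is None or rec.client_id != client_id:
            return None
        rec.revoked = True
        return self.issue(client_id, rec.scope)
```

The resource server only ever calls `is_valid_access`, so a revoked or expired token is rejected without the resource server needing to know why; the separate `kind` check stops a refresh token from being presented as an access token.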
Authorization Code Grant: Step 1 (diagram: consent form, credentials)
Authorization Code Grant: Step 2 (diagram: consent form, credentials)
Authorization Code: Auth Endpoint
HTTP GET Request
GET /authorize?response_type=code&client_id=123456789
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &scope=followers%20tweet_feed&state=aFodshfj(klMN HTTP/1.1
Host: server.oauth_provider.com
Authorization Code: Redirect Endpoint
HTTP Response
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxrhJY654090l&state=aFodshfj(klMN
Authorization Code: Token Endpoint
HTTP POST Request
POST /token HTTP/1.1
Host: server.oauth_provider.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxrhJY654090l
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Authorization Code: Token Endpoint
NOT RECOMMENDED: client_id and client_secret sent in the request body instead of in the Authorization header
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
    &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Authorization Code: Token Endpoint
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
Authorization Code Grant: Step 2
Authorization Code Grant: Step 3 (diagram: consent form, credentials)
Authorization Code: Resource Server API Call
HTTP GET Request: Bearer Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization Code: Resource Server API Call
HTTP GET Request: MAC Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",
    nonce="274312:dj83hs9s",
    mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
Authorization Code Grant: Step 3
Basics: Implicit Grant Type (diagram: consent form, credentials)
Implicit Grant: GET request for auth token
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Implicit Grant: HTTP Response (access token returned in the URI fragment)
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600
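The exchanges above show the wire messages but not the checks the client must make at each step. The following is an added example, not code from the deck: the client side of both redirect-based flows, covering the authorization code grant (authorize URL with a fresh `state`, callback validation, token request with HTTP Basic client authentication, bearer header for the resource server) and the implicit grant (token read from the fragment of the callback). The endpoint URLs and helper names are assumptions; the client id `s6BhdRkqt3` and secret `gX1fBat3bV` are the pair encoded in the deck's `Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW` header, which the example reproduces.

```python
import base64
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed example (not the deck's code). Endpoints and the registered
# redirect_uri are assumptions chosen to match the deck's hostnames.
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
TOKEN_ENDPOINT = "https://server.example.com/token"
REDIRECT_URI = "https://client.example.com/cb"


def build_authorize_url(client_id, scope, response_type="code", state=None):
    """Step 1: the URL the user agent is sent to. `state` is a fresh random
    value the client keeps in its session and compares on the way back."""
    if response_type not in ("code", "token"):
        raise ValueError("unsupported response_type")
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def parse_redirect(location, expected_state):
    """Step 2, client side: validate the callback. The code grant returns its
    parameters in the query string; the implicit grant returns the access
    token in the fragment, which only the browser ever sees."""
    parts = urlsplit(location)
    if parts.scheme + "://" + parts.netloc + parts.path != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect_uri")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    params = fragment if "access_token" in fragment else query
    # Reject responses that are not bound to a request this session made.
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response not bound to this session")
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"])
    if "code" in params:
        return {"grant": "code", "code": params["code"]}
    if "access_token" in params:
        return {"grant": "implicit", "access_token": params["access_token"],
                "token_type": params.get("token_type"),
                "expires_in": int(params.get("expires_in", "0"))}
    raise ValueError("callback carries neither a code nor a token")


def build_token_request(client_id, client_secret, code):
    """Step 2, back channel: exchange the code. Client credentials go in an
    HTTP Basic header, not in the form body (the form the deck marks NOT RECOMMENDED)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return {"method": "POST", "url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def bearer_header(token_response):
    """Step 3: header for the resource-server call, after checking the
    token_type rather than assuming every token is a bearer token."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("token_type is not bearer; a different scheme is required")
    return {"Authorization": "Bearer " + token_response["access_token"]}
```

Note that `parse_redirect` checks the full callback URL against the registered `redirect_uri` and the `state` against the session before it looks at the code or token; the deck's token response has `token_type` "example", so `bearer_header` would refuse it until the client knows how that type is meant to be presented.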
Criticism
Criticism: Lack of Interoperability
• Many optional components
• Partially/fully undefined components: client registration, authorization server capabilities, endpoint discovery
"Future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability." (RFC 6749, section 1.8)
Framework <-> Protocol
Criticism: Outdated
• Designed for 2006
• Hosted applications centric (vs. mobile / native / JS clients)
• Bearer Tokens
Bearer Tokens: don't put your eggs in one basket
Defense in Depth is the humble realization that, of all the security measures you implement, a few will fail because of your own stupidity. It's good to have a few backups, just in case.
Alternative: Oz
Three JS Modules:
• Iron: takes a JavaScript object and turns it into a verifiable encoded blob.
• Hawk: a client-server authentication protocol providing a rich set of features for a wide range of security needs.
• Oz: leverages the other two.
Oz
• Builds on top of the experience of OAuth 1.0/2.0
• Highly opinionated decisions
• Client-side cryptography: Hawk
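The deck's MAC-token request, its "don't put your eggs in one basket" point about bearer tokens, and Hawk's client-side cryptography all rest on the same idea: a bearer token authenticates whoever presents it, whereas a MAC token keeps a key on the client and signs each request with it. The following is an added example, not the deck's, Hawk's, or the OAuth MAC draft's code: a simplified scheme in the same shape as the deck's `Authorization: MAC id=..., nonce=..., mac=...` header, with the resource-server side verifying the signature and rejecting a replayed nonce. The normalized string, the key, and the header parsing are assumptions of this example, not the wire format of either real protocol.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example: a simplified MAC token scheme in the spirit of the
# deck's MAC request and of Hawk. Assumed, not any real protocol's format.


def normalized_string(method, path, host, nonce):
    """The exact bytes both sides sign; changing any field breaks the MAC."""
    return "\n".join([nonce, method.upper(), path, host.lower()]).encode() + b"\n"


def sign_request(key_id, key, method, path, host, nonce=None):
    """Client side: build the Authorization header for one request. The key
    itself is never sent, only the public key id and the HMAC."""
    nonce = nonce or f"{int(time.time())}:{secrets.token_urlsafe(6)}"
    digest = hmac.new(key, normalized_string(method, path, host, nonce), hashlib.sha256).digest()
    mac = base64.b64encode(digest).decode()
    return f'MAC id="{key_id}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    """Split 'MAC id="..", nonce="..", mac=".."' into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    fields = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


class MacVerifier:
    """Resource server side: keys by id plus a cache of accepted nonces, so a
    captured request cannot simply be replayed (the bearer token's weakness)."""

    def __init__(self, keys):
        self._keys = keys   # key_id -> key bytes, shared out of band
        self._seen = set()  # (key_id, nonce) pairs already accepted

    def verify(self, header, method, path, host):
        try:
            fields = parse_mac_header(header)
        except ValueError:
            return False
        key = self._keys.get(fields.get("id"))
        nonce, mac = fields.get("nonce"), fields.get("mac")
        if key is None or nonce is None or mac is None:
            return False
        try:
            presented = base64.b64decode(mac, validate=True)
        except ValueError:
            return False
        expected = hmac.new(key, normalized_string(method, path, host, nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return False  # signature does not cover this method/path/host
        marker = (fields["id"], nonce)
        if marker in self._seen:
            return False  # replay of an already-accepted request
        self._seen.add(marker)
        return True
```

The verifier binds the signature to the method, path and host, so a header copied from `GET /resource/1` is useless for any other request, and the nonce cache means even the original request is accepted once; a real deployment would bound that cache with the timestamp prefix of the nonce.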
Functional Imperative
functionalimperative.com
(647) 405-8994
@func_i