36. Core response_type = token
[Sequence diagram: Resource Owner, Client, Authorization Server]
Client initiates: client_id=...&response_type=token&redirect_uri=https://...
Authorization Server requires approval; Resource Owner approves
Authorization Server returns the Access Token directly to the redirect_uri
All clients MUST pre-register “redirect_uri”
OpenID TechNight #7
37. Core Notes
For Servers
Do you support public clients?
Do you need iPhone/Android app support?
Require full redirect URI registration
Narrower scopes / shorter lifetime for public clients
For Clients
Don’t include the client secret in your mobile app
38. Core Security Considerations
Don’t issue “client_secret” to public clients
“redirect_uri” verification is important, especially for public clients
Consider a security policy per client type
Use the “state” param against CSRF / code injection attacks
etc.
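The server-side checks from slides 37 and 38 in one place, as an added example that is not code from the talk: a client registry where public clients are never issued a client_secret, exact-match verification of the full pre-registered redirect_uri, and narrower scopes plus a shorter token lifetime for public clients. Client names, URIs, scopes and lifetimes are assumed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str            # "confidential" (web server) or "public" (iPhone/Android app)
    redirect_uris: frozenset    # full URIs registered up front; nothing else is accepted
    allowed_scopes: frozenset   # public clients are registered with narrower scopes
    client_secret: Optional[str] = None   # public clients never get one


def check_registration(client):
    """Registration-time policy: no client_secret for public clients, full redirect_uri required."""
    if client.client_type == "public" and client.client_secret is not None:
        raise ValueError(f"{client.client_id}: public client must not have a client_secret")
    if not client.redirect_uris:
        raise ValueError(f"{client.client_id}: full redirect_uri registration is required")
    return client


# Constructed registry with one client of each type (hypothetical names and URIs).
REGISTRY = {c.client_id: check_registration(c) for c in [
    Client("web-app", "confidential", frozenset({"https://app.example/cb"}),
           frozenset({"read", "write"}), client_secret=secrets.token_urlsafe(32)),
    Client("mobile-app", "public", frozenset({"https://mobile.example/cb"}),
           frozenset({"read"})),
]}

# Assumed lifetimes in seconds: shorter for public clients, whose tokens live on a device.
LIFETIME = {"confidential": 3600, "public": 600}


class AuthzError(Exception):
    """Raised for requests rejected at the authorization endpoint. The error is shown to the
    user on the server's own page, never redirected to an unverified redirect_uri."""


def authorize(params):
    """Authorization endpoint checks that run before the approval page is shown."""
    client = REGISTRY.get(params.get("client_id"))
    if client is None:
        raise AuthzError("unknown client_id")

    # Exact string match against the registered set. Prefix or host-only matching would let
    # https://app.example/cb/../x, https://app.example/cb?next=https://evil.example or
    # https://app.example.evil.example/cb through, so the whole URI must match.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client.redirect_uris:
        raise AuthzError("redirect_uri does not match a registered value")

    response_type = params.get("response_type")
    if response_type not in ("code", "token"):
        raise AuthzError("unsupported response_type")

    # Per-client-type policy: a client only gets the scopes it was registered for.
    requested = frozenset(params.get("scope", "").split())
    if not requested <= client.allowed_scopes:
        raise AuthzError("requested scope exceeds what this client may ask for")

    return {
        "client_id": client.client_id,
        "client_type": client.client_type,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": " ".join(sorted(requested)),
        "expires_in": LIFETIME[client.client_type],
    }
```

The point of raising instead of redirecting on a bad redirect_uri is that the only value the server could redirect to is the one it just refused to trust; the error page has to be served by the authorization server itself.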
40. Code injection without “state”
[Sequence diagram: Attacker, Client, Authorization Server]
Attacker initiates the flow; Authorization Server requires approval; Attacker approves with the attacker’s Twitter account
Authorization Server issues a Code to the Attacker
Attacker feeds that Code into another user’s Client session instead of completing the flow
Client exchanges the Code for an Access Token and allows login with the attacker’s Twitter account
41. Code injection with “state”
[Sequence diagram: Attacker, Client, Authorization Server]
Client initiates the flow with a “state” value and stores it in a cookie etc.
Authorization Server requires approval; Attacker approves
Authorization Server returns Code + State; the Attacker injects the Code into another user’s session
Client compares the returned State with the stored one: “state” verification failed!!
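The attack on slide 40 and the defence on slide 41 (and the “state” item on slide 38), played through as an added example that is not code from the talk. It simulates the client's session store and the authorization server's issued codes in memory; the client name, URIs and session cookie values are hypothetical. The vulnerable callback accepts any code that arrives; the hardened one only exchanges a code whose echoed state matches the one bound to the browser session, and consumes that state so it cannot be replayed.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the client app's session store (keyed by the
# browser's session cookie) and the authorization server's table of issued codes.
SESSIONS = {}       # session cookie value -> {"state": ..., "user": ...}
ISSUED_CODES = {}   # code -> account that approved it (the "Twitter account" in the slides)

CLIENT_ID = "web-app"                     # hypothetical client
REDIRECT_URI = "https://app.example/cb"   # hypothetical, pre-registered


def begin_login(session_id):
    """Client: mint an unguessable state, bind it to this browser session, build the authorize URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["state"] = state
    return (f"https://as.example/authorize?response_type=code&client_id={CLIENT_ID}"
            f"&redirect_uri={REDIRECT_URI}&state={state}")


def approve(account, state):
    """Authorization server: the resource owner approves; a code is issued, state echoed back untouched."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = account
    return {"code": code, "state": state}


def exchange_code(code):
    """Token endpoint, simplified: a code is single-use and identifies the account that approved it."""
    return ISSUED_CODES.pop(code, None)


def callback_without_state(session_id, query):
    """Vulnerable client (slide 40): whatever code arrives is exchanged and the session bound to it."""
    account = exchange_code(query.get("code"))
    if account is None:
        return "invalid code"
    SESSIONS.setdefault(session_id, {})["user"] = account
    return f"logged in as {account}"


def callback(session_id, query):
    """Hardened client (slide 41): exchange the code only if the echoed state matches the value
    stored for this session. The stored value is consumed so the same response cannot be replayed."""
    expected = SESSIONS.setdefault(session_id, {}).pop("state", None)
    received = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        return "state verification failed"
    account = exchange_code(query.get("code"))
    if account is None:
        return "invalid code"
    SESSIONS[session_id]["user"] = account
    return f"logged in as {account}"


def demo():
    """Run the slide 40 attack against both callbacks, then a legitimate login and a replay."""
    results = {}

    # Attacker runs the flow in their own browser, captures the code and does not finish.
    # Whatever state the attacker used is bound to the attacker's session, not the victim's.
    attacker_code = approve("attacker", "attacker-state")["code"]
    results["vulnerable"] = callback_without_state("victim-1", {"code": attacker_code,
                                                                 "state": "attacker-state"})

    attacker_code = approve("attacker", "attacker-state")["code"]
    results["hardened"] = callback("victim-2", {"code": attacker_code, "state": "attacker-state"})

    # Legitimate flow: the victim starts the login, so a state is stored and echoed back.
    url = begin_login("victim-3")
    state = url.rsplit("state=", 1)[1]
    response = approve("victim", state)
    results["legitimate"] = callback("victim-3", response)
    results["replay"] = callback("victim-3", response)   # state already consumed
    return results
```

`demo()` returns the four outcomes: the vulnerable callback logs the victim's session in as the attacker, the hardened one rejects the injected code, the legitimate flow succeeds, and a replay of the same response fails because the stored state was consumed.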
42. Token Type Spec
[Diagram: Authorization Server, Client, Resource Server, Resource Owner]
Resource Owner authorizes the Client at the Authorization Server
Authorization Server issues an Access Token to the Client
Client accesses the Resource Server’s API with the Access Token
43. Token Type Spec
                Bearer             MAC
Signature       No signature       Signature
Token secret    No token secret    Token secret
Adoption        Mainstream         Similar to OAuth 1.0 + extensions
48. Token Notes
For Servers
Access Token Response
Set “token_type” to “bearer”
Resource Request
Support both the “OAuth” and the “Bearer” Authorization header scheme
Support both “oauth_token” and “access_token” query/body params
49. Token Notes
For Clients
Move from “OAuth” to “Bearer”
Move from “oauth_token” to “access_token”
Only for Facebook API developers: the access token response will be JSON
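The transition advice of slides 48 and 49 in code, as an added example that is not from the talk: a resource server that accepts the “Bearer” scheme and the older draft “OAuth” scheme, and both the “access_token” and legacy “oauth_token” parameter; a token endpoint response with “token_type” set to “bearer”; and a client that reads that JSON and sends the Bearer header. The rejection of a request that presents a token by more than one method follows RFC 6750, which the slides do not mention; everything else is stdlib and constructed data.

```python
import json


class TokenRequestError(Exception):
    pass


def extract_access_token(headers, params):
    """Resource server during the transition: accept the final 'Bearer' scheme and the older
    draft 'OAuth' scheme in the Authorization header, and both the 'access_token' and legacy
    'oauth_token' query/body parameters. Returns (token, method) or (None, None).
    A request that presents a token by two methods is rejected (RFC 6750 allows only one)."""
    found = []
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() in ("bearer", "oauth") and value.strip():
        found.append((value.strip(), f"header:{scheme}"))
    for name in ("access_token", "oauth_token"):
        if params.get(name):
            found.append((params[name], f"param:{name}"))
    if not found:
        return None, None
    if len(found) > 1:
        raise TokenRequestError("token presented by more than one method")
    return found[0]


def access_token_response(token, expires_in, scope):
    """Token endpoint: JSON body with token_type 'bearer'; caching of the response is disabled."""
    body = json.dumps({"access_token": token, "token_type": "bearer",
                       "expires_in": expires_in, "scope": scope})
    return body, {"Content-Type": "application/json",
                  "Cache-Control": "no-store", "Pragma": "no-cache"}


def client_request_headers(token_response_body):
    """Client after the move: read token_type from the JSON response and send the Bearer header."""
    tok = json.loads(token_response_body)
    if str(tok.get("token_type", "")).lower() != "bearer":
        raise TokenRequestError(f"unexpected token_type {tok.get('token_type')!r}")
    return {"Authorization": f"Bearer {tok['access_token']}"}
```

The method string returned alongside the token lets the server log how many callers still use the legacy form, which is the number that tells you when the “OAuth” scheme and “oauth_token” parameter can be switched off.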