SlideShare una empresa de Scribd logo

An introduction to OAuth 2

Descargar como PPTX, PDF
S
Sanjoy Kumar Roy

An introduction to OAuth 2

Tecnología
1 de 31
An introduction to OAuth 2.0 Sanjoy Roy
This presentation is based on OAuth 2 specification and the chapters of this book.
OAuth is a delegation protocol that provides authorisation across systems. OAuth is about: how to get a token and how to use a token. OAuth replaces the password-sharing anti-pattern with a delegation protocol that’s simultaneously more secure and more usable.
Two major steps to an OAuth transaction: Issuing a token Using a token
OAuth2.0 authorisation grant flow • Here the client will be interactively authorised directly by the resource owner. • The authorisation code grant uses a temporary credential, the authorisation code, to represent the resource owner’s delegation to the client.
Resource Owner Client Authorisation Server Token End PointAuthorisation End Point Protected Resource Redirects the user agent to authorisation end point User agent loads authorisation end point Resource owner authenticates to authorisation server Resource owner authorises the client Authorisation server redirects user agent to the client with authorisation code User agent loads the redirect URI at client with authorisation code Client sends the authorisation code and its own credential to token end point Authorisation server sends access token to the client Client sends access token to protected resource Protected resource returns resource to client
Client I need an access token. It starts with:
HTTP/1.1 302 Content-Length: 0 Date: Sun, 30 Apr 2017 17:47:27 GMT Location: https://unibet.okta.com/ oauth2/v1/authorize? client_id=P9BxWcYwdNnGFmIt8Oiz& redirect_uri=http://localhost:8080& response_type=code&scope=openid& state=2qdOs6PJAcE1E6qwg81R Set-Cookie: JSESSIONID=646430;path=/;HttpOnly
This redirect to the browser causes the browser to send an HTTP GET to the authorisation server. /authorize/authorize?client_id=P9BxWcYwdNnGFmI t8Oiz&redirect_uri=http://localhost:8080&respo nse_type=code&scope=openid&state=2qdOs6PJAcE1E 6qwg81R
Now the authorisation server will usually require the user to authenticate. This step is essential in determining who the resource owner is and what rights they’re allowed to delegate to the client.
User authorises the client application.
Next, the authorisation server redirects the user back to the client application. This takes the form of an HTTP redirect to the client’s redirect_uri. http://localhost:8080/? code=VzYHKvGXwqxBMq9qn8Pw& state=moBRz4CFpviCE4e5h0HZ Authorisation code
The authorisation code is sent back to the client. This code is a one-time use credential. It represents the result of the user’s authorisation decision.
The client now sends the code and it’s own credential (client id and client secret) to the authorisation server on its token end point.
The authorisation server takes the request and performs a number of steps to ensure that the request is valid: • It validates the client’s credential to determine which client is requesting the access. • Then, it reads the value of the code parameter from the body and looks up any information it has about that authorisation code, including which client made the initial authorisation request, which user authorises it, and what it was authorised for. • If the authorisation code is valid, hasn’t been used previously, and the client making this request is the same as the client that made original request, then the authorisation server issues a new access token for the client.
The client receives an access token.
This access token is returned in the HTTP response as a JSON object: { “access_token”: “tdgsgsdfq232wASDq232a”, “token_type”: “Bearer” } The client can now parse the token response and get the access token value from it to be used at the protected resource.
The client has several methods for presenting the access token. The recommended one: using the Authorization header. GET /reward HTTP/1.1 Host: localhost:8080 Accept: application/json Connection: keep-alive Authorization: Bearer tdgsgsdfq232wASDq232a The protected resource can then parse the token out of the header. It determines whether it’s still valid, look up information regarding who authorised it and what it was authorised for, and return the response accordingly.
The client uses the access token to do things:
OAuth Actors:  Client  Protected Resource  Resource Owner  Authorisation Server
Client • It is a piece of software that attempts to access the protected resource on behalf of the resource owner. • It uses OAuth to obtain that access. • An OAuth client can be a web application, a native application, or even an in-browser JavaScript application.
Protected Resource • An OAuth protected resource is available through an HTTP server and it requires an OAuth token to be accessed. • The protected resource needs to validate the tokens presented to it and determine whether and how to serve requests. • In an OAuth architecture, the protected resource has the final say as to whether or not to honor a token.
Resource Owner • A resource owner is the entity that has the authority to delegate access to the client. • In most cases, the resource owner is the person using the client software to access something they control.
Authorisation Server • An OAuth authorisation server is an HTTP server that acts as the central component to an OAuth system. • It authenticates the resource owner and client, provides mechanisms for allowing resource owners to authorise clients, and issues tokens to the client. • Some authorisation servers also provide additional capabilities such as token introspection and remembering authorisation decisions.
OAuth’s components:  Access Token  Scope  Refresh Token  Authorisation grant
Access Token  An OAuth access token is an artifact issued by the authorisation server to a client that indicates the rights that the client has been delegated.  OAuth does not define a format or content for the token itself, but it always represents the combination of the client’s requested access, the resource owner that authorised the client, and the rights conferred during that authorisation.  OAuth tokens are opaque to the client, which means that the client has no need (and often no ability) to look at the token itself. The client’s job is to carry the token, requesting it from the authorisation server and presenting it to the protected resource.
Scope  An OAuth scope is a representation of a set of rights at a protected resource.  Scopes are represented by strings in the OAuth protocol, and they can be combined into a set by using a space-separated list.  The scope value can’t contain the space character.  Scopes are an important mechanism for limiting the access granted to a client. Scopes are defined by the protected resource, based on the API that it’s offering.
Refresh Token  An OAuth refresh token is similar in concept to the access token, in that it’s issued to the client by the authorisation server and the client doesn’t know or care what’s inside the token.  But this token is never sent to the protected resource. Instead, the client uses the refresh token to request new access tokens without involving the resource owner.  In OAuth, an access token could stop working for a client at any point. When the access token expires, client can use the refresh token to request a new access token.
Authorisation grant  An authorisation grant is a way by which an OAuth client is given access to a protected resource using the OAuth protocol, and if successful it ultimately results in the client getting a token.  The authorisation grant is the method for getting a token.
What OAuth 2.0 isn’t?  OAuth isn’t an authentication protocol.  OAuth doesn’t define a mechanism for user-to-user delegation, even though it is fundamentally about delegation of a user to a piece of software. OAuth assumes that the resource owner is the one that’s controlling the client.  OAuth doesn’t define authorisation-processing mechanisms.  OAuth doesn’t define a token format.  OAuth 2.0 does not define any cryptographic method.
Thank You.

Recomendados

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 

Recomendados

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 

Más contenido relacionado

La actualidad más candente

OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 

La actualidad más candente (20)

OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OAuth
OAuthOAuth
OAuth
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 

Similar a An introduction to OAuth 2

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]noddycha
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessidsecconf
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellWSO2
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 

Similar a An introduction to OAuth 2 (20)

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
OAuth2
OAuth2OAuth2
OAuth2
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
 
OAuth 2.0 with Pet Care House
OAuth 2.0 with Pet Care HouseOAuth 2.0 with Pet Care House
OAuth 2.0 with Pet Care House
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Maintest3
Maintest3Maintest3
Maintest3
 

Más de Sanjoy Kumar Roy

Arch CoP - Domain Driven Design.pptx
Arch CoP - Domain Driven Design.pptxArch CoP - Domain Driven Design.pptx
Arch CoP - Domain Driven Design.pptxSanjoy Kumar Roy
 
Visualizing Software Architecture Effectively in Service Description
Visualizing Software Architecture Effectively in Service DescriptionVisualizing Software Architecture Effectively in Service Description
Visualizing Software Architecture Effectively in Service DescriptionSanjoy Kumar Roy
 
Hypermedia API and how to document it effectively
Hypermedia API and how to document it effectivelyHypermedia API and how to document it effectively
Hypermedia API and how to document it effectivelySanjoy Kumar Roy
 
Microservice architecture design principles
Microservice architecture design principlesMicroservice architecture design principles
Microservice architecture design principlesSanjoy Kumar Roy
 
Lessons learned in developing an agile architecture to reward our customers.
Lessons learned in developing an agile architecture to reward our customers.Lessons learned in developing an agile architecture to reward our customers.
Lessons learned in developing an agile architecture to reward our customers.Sanjoy Kumar Roy
 
An introduction to G1 collector for busy developers
An introduction to G1 collector for busy developersAn introduction to G1 collector for busy developers
An introduction to G1 collector for busy developersSanjoy Kumar Roy
 

Más de Sanjoy Kumar Roy (8)

Arch CoP - Domain Driven Design.pptx
Arch CoP - Domain Driven Design.pptxArch CoP - Domain Driven Design.pptx
Arch CoP - Domain Driven Design.pptx
 
Visualizing Software Architecture Effectively in Service Description
Visualizing Software Architecture Effectively in Service DescriptionVisualizing Software Architecture Effectively in Service Description
Visualizing Software Architecture Effectively in Service Description
 
Hypermedia API and how to document it effectively
Hypermedia API and how to document it effectivelyHypermedia API and how to document it effectively
Hypermedia API and how to document it effectively
 
Transaction
TransactionTransaction
Transaction
 
Microservice architecture design principles
Microservice architecture design principlesMicroservice architecture design principles
Microservice architecture design principles
 
Lessons learned in developing an agile architecture to reward our customers.
Lessons learned in developing an agile architecture to reward our customers.Lessons learned in developing an agile architecture to reward our customers.
Lessons learned in developing an agile architecture to reward our customers.
 
An introduction to G1 collector for busy developers
An introduction to G1 collector for busy developersAn introduction to G1 collector for busy developers
An introduction to G1 collector for busy developers
 
Major Java 8 features
Major Java 8 featuresMajor Java 8 features
Major Java 8 features
 

Último

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Último (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

An introduction to OAuth 2

  • 1. An introduction to OAuth 2.0 Sanjoy Roy
  • 2. This presentation is based on OAuth 2 specification and the chapters of this book.
  • 3. OAuth is a delegation protocol that provides authorisation across systems. OAuth is about: how to get a token and how to use a token. OAuth replaces the password-sharing anti-pattern with a delegation protocol that’s simultaneously more secure and more usable.
  • 4. Two major steps to an OAuth transaction: Issuing a token Using a token
  • 5. OAuth2.0 authorisation grant flow • Here the client will be interactively authorised directly by the resource owner. • The authorisation code grant uses a temporary credential, the authorisation code, to represent the resource owner’s delegation to the client.
  • 6. Resource Owner Client Authorisation Server Token End PointAuthorisation End Point Protected Resource Redirects the user agent to authorisation end point User agent loads authorisation end point Resource owner authenticates to authorisation server Resource owner authorises the client Authorisation server redirects user agent to the client with authorisation code User agent loads the redirect URI at client with authorisation code Client sends the authorisation code and its own credential to token end point Authorisation server sends access token to the client Client sends access token to protected resource Protected resource returns resource to client
  • 7. Client I need an access token. It starts with:
  • 8. HTTP/1.1 302 Content-Length: 0 Date: Sun, 30 Apr 2017 17:47:27 GMT Location: https://unibet.okta.com/ oauth2/v1/authorize? client_id=P9BxWcYwdNnGFmIt8Oiz& redirect_uri=http://localhost:8080& response_type=code&scope=openid& state=2qdOs6PJAcE1E6qwg81R Set-Cookie: JSESSIONID=646430;path=/;HttpOnly
  • 9. This redirect to the browser causes the browser to send an HTTP GET to the authorisation server. /authorize/authorize?client_id=P9BxWcYwdNnGFmI t8Oiz&redirect_uri=http://localhost:8080&respo nse_type=code&scope=openid&state=2qdOs6PJAcE1E 6qwg81R
  • 10. Now the authorisation server will usually require the user to authenticate. This step is essential in determining who the resource owner is and what rights they’re allowed to delegate to the client.
  • 11. User authorises the client application.
  • 12. Next, the authorisation server redirects the user back to the client application. This takes the form of an HTTP redirect to the client’s redirect_uri. http://localhost:8080/? code=VzYHKvGXwqxBMq9qn8Pw& state=moBRz4CFpviCE4e5h0HZ Authorisation code
  • 13. The authorisation code is sent back to the client. This code is a one-time use credential. It represents the result of the user’s authorisation decision.
  • 14. The client now sends the code and it’s own credential (client id and client secret) to the authorisation server on its token end point.
  • 15. The authorisation server takes the request and performs a number of steps to ensure that the request is valid: • It validates the client’s credential to determine which client is requesting the access. • Then, it reads the value of the code parameter from the body and looks up any information it has about that authorisation code, including which client made the initial authorisation request, which user authorises it, and what it was authorised for. • If the authorisation code is valid, hasn’t been used previously, and the client making this request is the same as the client that made original request, then the authorisation server issues a new access token for the client.
  • 16. The client receives an access token.
  • 17. This access token is returned in the HTTP response as a JSON object: { “access_token”: “tdgsgsdfq232wASDq232a”, “token_type”: “Bearer” } The client can now parse the token response and get the access token value from it to be used at the protected resource.
  • 18. The client has several methods for presenting the access token. The recommended one: using the Authorization header. GET /reward HTTP/1.1 Host: localhost:8080 Accept: application/json Connection: keep-alive Authorization: Bearer tdgsgsdfq232wASDq232a The protected resource can then parse the token out of the header. It determines whether it’s still valid, look up information regarding who authorised it and what it was authorised for, and return the response accordingly.
  • 19. The client uses the access token to do things:
  • 20. OAuth Actors:  Client  Protected Resource  Resource Owner  Authorisation Server
  • 21. Client • It is a piece of software that attempts to access the protected resource on behalf of the resource owner. • It uses OAuth to obtain that access. • An OAuth client can be a web application, a native application, or even an in-browser JavaScript application.
  • 22. Protected Resource • An OAuth protected resource is available through an HTTP server and it requires an OAuth token to be accessed. • The protected resource needs to validate the tokens presented to it and determine whether and how to serve requests. • In an OAuth architecture, the protected resource has the final say as to whether or not to honor a token.
  • 23. Resource Owner • A resource owner is the entity that has the authority to delegate access to the client. • In most cases, the resource owner is the person using the client software to access something they control.
  • 24. Authorisation Server • An OAuth authorisation server is an HTTP server that acts as the central component to an OAuth system. • It authenticates the resource owner and client, provides mechanisms for allowing resource owners to authorise clients, and issues tokens to the client. • Some authorisation servers also provide additional capabilities such as token introspection and remembering authorisation decisions.
  • 25. OAuth’s components:  Access Token  Scope  Refresh Token  Authorisation grant
  • 26. Access Token  An OAuth access token is an artifact issued by the authorisation server to a client that indicates the rights that the client has been delegated.  OAuth does not define a format or content for the token itself, but it always represents the combination of the client’s requested access, the resource owner that authorised the client, and the rights conferred during that authorisation.  OAuth tokens are opaque to the client, which means that the client has no need (and often no ability) to look at the token itself. The client’s job is to carry the token, requesting it from the authorisation server and presenting it to the protected resource.
  • 27. Scope  An OAuth scope is a representation of a set of rights at a protected resource.  Scopes are represented by strings in the OAuth protocol, and they can be combined into a set by using a space-separated list.  The scope value can’t contain the space character.  Scopes are an important mechanism for limiting the access granted to a client. Scopes are defined by the protected resource, based on the API that it’s offering.
  • 28. Refresh Token  An OAuth refresh token is similar in concept to the access token, in that it’s issued to the client by the authorisation server and the client doesn’t know or care what’s inside the token.  But this token is never sent to the protected resource. Instead, the client uses the refresh token to request new access tokens without involving the resource owner.  In OAuth, an access token could stop working for a client at any point. When the access token expires, client can use the refresh token to request a new access token.
  • 29. Authorisation grant  An authorisation grant is a way by which an OAuth client is given access to a protected resource using the OAuth protocol, and if successful it ultimately results in the client getting a token.  The authorisation grant is the method for getting a token.
  • 30. What OAuth 2.0 isn’t?  OAuth isn’t an authentication protocol.  OAuth doesn’t define a mechanism for user-to-user delegation, even though it is fundamentally about delegation of a user to a piece of software. OAuth assumes that the resource owner is the one that’s controlling the client.  OAuth doesn’t define authorisation-processing mechanisms.  OAuth doesn’t define a token format.  OAuth 2.0 does not define any cryptographic method.

Notas del editor

  1. The power of OAuth is the notion of delegation. Although OAuth is often called an authorisation protocol, it is a delegation protocol. Generally, a subset of a user’s authorisation is delegated, but OAuth itself doesn’t carry or convey the authorisation. Instead, it provides a means by which a client can request that a user delegate some of their authority to it. The user can then approve this request, and the client can then act on it with the results of that approval. OAuth is used to grant authorisation. It enables you to authorise the web app A to access the information from the web app B without sharing your credentials. It was built with only authorisation in mind and does not include any authentication mechanism.
  2. The token represents the access that’s been delegated to the client and it plays a central role in every part of OAuth 2.0.
  3. The user’s authentication passes directly between the user (and their browser) and the authorisation server; it’s never seen by the client application. This essential aspect protects the user from having to share their credentials with the client application, the anti-pattern that OAuth was invented to combat.
  4. The client can parse the HTTP parameter to get the authorisation code value when the request comes in, and it will use that code in the next step. The client will also check that the value of the state parameter matches the value that it sent in the previous step. State parameter is used to protect against CSRF attack. Cross-site request forgery (CSRF) is an exploit in which an attacker causes the user-agent of a victim end-user to follow a malicious URI (e.g., provided to the user-agent as a misleading link, image, or redirection) to a trusting server (usually established via the presence of a valid session cookie). A CSRF attack against the client's redirection URI allows an attacker to inject its own authorization code or access token, which can result in the client using an access token associated with the attacker's protected resources rather than the victim's (e.g., save the victim's bank account information to a protected resource controlled by the attacker).
  5. The client performs an HTTP POST with its parameters as a form-encoded HTTP entity body, passing its client_id and client_secret as an HTTP Basic authorisation header. This HTTP request is made directly between the client and the authorisation server, without involving the browser or resource owner at all. This separation between different HTTP connections ensures that the client can authenticate itself directly without other components being able to see or manipulate the token request.
  6. The response can also include a refresh token (used to get new access tokens without asking for authorisation again) as well as additional information about the access token, like a hint about the token’s scopes and expiration time. In Okta, using the authorisation_code grant type also returns an ID token if the openid scope is requested. ID token is a JWT. ID token must be validated before use.
  7. The client is generally the simplest component in an OAuth system, and its responsibilities are largely centered on obtaining tokens from the authorisation server and using tokens at the protected resource. The client doesn’t have to understand the token, nor should it ever need to inspect the token’s contents. Instead, the client uses the token as an opaque string.
  8. Refresh tokens also give the client the ability to down-scope its access. If a client is granted scopes A, B, and C, but it knows that it needs only scope A to make a particular call, it can use the refresh token to request an access token for only scope A.