SlideShare una empresa de Scribd logo

OAuth2介紹

Descargar como PPTX, PDF
升煌 黃

Introduce OAuth2

Tecnología
1 de 28
黃升煌
傳統Client Server架構 Client Resource Server Username/Password
傳統Client Server架構 Client Resource Server Username/ Password Third Party App Username/ Password
使用Username/Password問題 Client Resource Server Username/ Password Third Party App Username/ Password •需儲存帳號密碼 •擁有完整存取權限 •密碼可能在此被破解 •其他… •只能以密碼驗證 •難以限制Third Party程式權限/時效 •無法撤回Third Party程式存取權 •其他… •必須完全信賴Third Party程式 •其他…
OAuth如何解決問題  引入Authorization Layer  把Client跟Resource Owner角色分開 Resource Owner Resource Server Client (Third Party App) Authorization Server 身分認證/存取許可 Access Token: 包含存取範圍、時效 等資訊 Access Token Access Token
OAuth角色定義 Resource Owner - 可以授權別人去存取 Protected Resource 。 如果這個角色是人類的話,則就是指使用者 (end-user)。 Resource Server - 存放 Protected Resource 的伺服器,可以根 據 Access Token 來接受 Protected Resource 的請求。 Client - 代表 Resource Owner 去存取 Protected Resource 的應 用程式。 "Client" 一詞並不指任何特定的實作方式(可以在 Server 上面跑、在一般電腦上跑、或是在其他的設備)。 Authorization Server - 在認證過 Resource Owner 並且 Resource Owner 許可之後,核發 Access Token 的伺服器。
基本流程 Resource Owner Resource Server Client Authorization Server 請求授權 授權許可 ( Authorization Grant) RFC6749已定義 4種授權方法 (可 擴充),Resource Owner 需 指 定 其 中一種
基本流程 Resource Owner Resource Server Client Authorization Server 請求 Access Token 核發 Access Token Authorization Server 需認證Client及驗證 授權許可
基本流程 Resource Owner Resource Server Client Authorization Server 出示 Access Token Resource Server 驗證Access Token, 若合法則處理請求 回傳 Protected Resource
Access Token 用來存取 Protected Resource 代表Resource Owner 的授權資訊 是一個具體的字串 代替傳統的帳號密碼 認證 資料包含存取範圍 (scope)及時效 (expired) 資料需經過加密演算 法 Resource Owner授權 Resource Server 和 Authorization Server 執行
Refresh Token 交由Authorization處 理,不該遞交到 Resource Server 代表Resource Owner 授權Client重新取得 Access Token 當Access Token到期 或需要新的權限範圍 (scope)時使用 Client可以自動完成重 新取得這件事 Authorization Server不 一定需要核發Refresh Token,若要核發則須在 核發Access Token時一 併核發
Refresh Token流程 Resource Server Client Authorization Server 請求 Access Token 核發 Access Token & Refresh Token
Refresh Token流程 Resource Server Client Authorization Server 出示 Access Token 告知Access Token 無法使用 Access Token 到期或權限不足
Refresh Token流程 Resource Server Client Authorization Server 出示 Refresh Token 核發新的 Access Token & Refresh Token
4種Authorization Grant方法(Grant Flows)  Authorization Code Grant Type Flow  Implicit Grant Type Flow  Resource Owner Password Credentials Grant Type Flow  Client Credentials Grant Type Flow
4種Authorization Grant方法(Grant Flows)  Authorization Code Grant Type Flow  要向 Authorization Server 先取得 Grant Code再 取得 Access Token (兩步)  適合 Confidential Clients ,如部署在 Server 上 面的應用程式  可以核發 Refresh Token  需要 User-Agent Redirection  各大社群網站最常使用
4種Authorization Grant方法(Grant Flows)  Implicit Grant Type Flow  Authorization Server 直接向 Client 核發 Access Token (一步)  適合非常特定的 Public Clients ,例如跑在 Browser 裡面 的應用程式  Authorization Server 不必(也無法)驗證 Client 的身份  禁止核發 Refresh Token  需要 User-Agent Redirection  有資料外洩風險
4種Authorization Grant方法(Grant Flows)  Resource Owner Password Credentials Grant Type Flow  Resource Owner 的帳號密碼直接拿來當做 Grant  適用於 Resource Owner 高度信賴的 Client (像是 OS 內建的)或是官方應用程式  其他流程不適用時才能用  可以核發 Refresh Token  沒有 User-Agent Redirection
4種Authorization Grant方法(Grant Flows)  Client Credentials Grant Type Flow  Client 的 ID 和 Secret 直接用來當做 Grant  適用於跑在 Server 上面的 Confidential Client  不建議核發 Refresh Token  沒有 User-Agent Redirection
Authorization Code Grant Type Flow Resource Owner Client Authorization Server User Agent Client將Resource Owner的User Agent 轉到Authorization Server,並告知驗證 完成後的轉址 GET 步驟(A)
Authorization Code Grant Type Flow Resource Owner Client Authorization Server User Agent Resource Owner透過User Agent 對Authorization Server驗證 GET 步驟(B)
Authorization Code Grant Type Flow Resource Owner Client Authorization Server User Agent 將Authorization Code傳回給Client 步驟(C)
Authorization Code Grant Type Flow Resource Owner Client Authorization Server User Agent Client將Authorization Code向 Authorization Server取得Access Token, 並告知回傳Access Token網址 POST 步驟(D)
Authorization Code Grant Type Flow Resource Owner Client Authorization Server User Agent Authorization Server核發Access Token 步驟(E)
參考資料  RFC 6749: http://tools.ietf.org/html/rfc6749  OAuth 2.0 筆記: http://blog.yorkxin.org/posts/2013/09/30/ oauth2-1-introduction/
Facebook Developers / Tools: https://developers.facebook.com https://developers.facebook.com/tools/explorer/145634995501895 Google Developers Console / Tools: https://console.developers.google.com https://developers.google.com/apis-explorer Dot Net Open Auth http://dotnetopenauth.net/ 範例Source Code: https://github.com/wellwind/WebApiOAuthDemo

Recomendados

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 

Recomendados

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
Aman Srivastava
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Spring security
Spring securitySpring security
Spring security
Saurabh Sharma
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
Sam Bowne
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Digital signature
Digital signatureDigital signature
Digital signature
9799907840kd
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
Sukhpreet Singh
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
Orange Tsai
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptx
FIDO Alliance
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
Umesh Mahawar
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
FIDO Alliance
 
Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器
升煌 黃
 
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
Novell
 

Más contenido relacionado

La actualidad más candente

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 

La actualidad más candente (20)

Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Spring security
Spring securitySpring security
Spring security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Digital signature
Digital signatureDigital signature
Digital signature
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure Deserialization
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptx
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
 

Destacado

Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
Building High Availability Clusters with SUSE Linux Enterprise High Availabil...Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
Novell
 
Pacemaker+DRBD
Pacemaker+DRBDPacemaker+DRBD
Pacemaker+DRBD
Dan Frincu
 

Destacado (20)

Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器
 
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
High Availability with Novell Cluster Services for Novell Open Enterprise Ser...
 
high availability case study fusion middleware cluster1
high availability case study fusion middleware cluster1high availability case study fusion middleware cluster1
high availability case study fusion middleware cluster1
 
Docker集群管理 工具篇
Docker集群管理 工具篇Docker集群管理 工具篇
Docker集群管理 工具篇
 
Cluster in linux
Cluster in linuxCluster in linux
Cluster in linux
 
VMware HA deep Dive
VMware HA deep DiveVMware HA deep Dive
VMware HA deep Dive
 
Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
Building High Availability Clusters with SUSE Linux Enterprise High Availabil...Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
Building High Availability Clusters with SUSE Linux Enterprise High Availabil...
 
Pacemaker+DRBD
Pacemaker+DRBDPacemaker+DRBD
Pacemaker+DRBD
 
linux-enterprise-cluster
linux-enterprise-clusterlinux-enterprise-cluster
linux-enterprise-cluster
 
SLE12 SP2 : High Availability et Geo Cluster
SLE12 SP2 : High Availability et Geo ClusterSLE12 SP2 : High Availability et Geo Cluster
SLE12 SP2 : High Availability et Geo Cluster
 
Maria DB Galera Cluster for High Availability
Maria DB Galera Cluster for High AvailabilityMaria DB Galera Cluster for High Availability
Maria DB Galera Cluster for High Availability
 
Metro Cluster High Availability or SRM Disaster Recovery?
Metro Cluster High Availability or SRM Disaster Recovery?Metro Cluster High Availability or SRM Disaster Recovery?
Metro Cluster High Availability or SRM Disaster Recovery?
 
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeCon EU 2016: Secure, Cloud-Native Networking with Project CalicoKubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
KubeCon EU 2016: Secure, Cloud-Native Networking with Project Calico
 
Why SaltStack ?
Why SaltStack ?Why SaltStack ?
Why SaltStack ?
 
SUSE OpenStack Cloud 7
SUSE OpenStack Cloud 7SUSE OpenStack Cloud 7
SUSE OpenStack Cloud 7
 
Introduction - vSphere 5 High Availability (HA)
Introduction - vSphere 5 High Availability (HA)Introduction - vSphere 5 High Availability (HA)
Introduction - vSphere 5 High Availability (HA)
 
Docker home ted
Docker home tedDocker home ted
Docker home ted
 
Cluster Computers
Cluster ComputersCluster Computers
Cluster Computers
 
認識那條鯨魚 Docker 初探
認識那條鯨魚 Docker 初探認識那條鯨魚 Docker 初探
認識那條鯨魚 Docker 初探
 
Docker應用
Docker應用Docker應用
Docker應用
 

Similar a OAuth2介紹

如何規劃 OAuth Server
如何規劃 OAuth Server如何規劃 OAuth Server
如何規劃 OAuth Server
Sean S.G Wang
 
Accessmanager
AccessmanagerAccessmanager
Accessmanager
Jim Jiang
 
使用者認證
使用者認證使用者認證
使用者認證
Shengyou Fan
 
OAuth: How And Why?
OAuth: How And Why?OAuth: How And Why?
OAuth: How And Why?
LI Daobing
 
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
Amy Ho, PMP, PMI-ACP
 
单点登录解决方案的架构与实现
单点登录解决方案的架构与实现单点登录解决方案的架构与实现
单点登录解决方案的架构与实现
jeffz
 
1026 Windows Server 2008 Active Directory 版權管理服務
1026 Windows Server 2008 Active Directory 版權管理服務1026 Windows Server 2008 Active Directory 版權管理服務
1026 Windows Server 2008 Active Directory 版權管理服務
Timothy Chen
 

Similar a OAuth2介紹 (20)

如何規劃 OAuth Server
如何規劃 OAuth Server如何規劃 OAuth Server
如何規劃 OAuth Server
 
[xDef2012]OAuth Security
[xDef2012]OAuth Security[xDef2012]OAuth Security
[xDef2012]OAuth Security
 
Laradebut #7 - Laravel AUTH
Laradebut #7 - Laravel AUTHLaradebut #7 - Laravel AUTH
Laradebut #7 - Laravel AUTH
 
OAuth2.0协议介绍
OAuth2.0协议介绍OAuth2.0协议介绍
OAuth2.0协议介绍
 
Accessmanager
AccessmanagerAccessmanager
Accessmanager
 
CAREY-Tech SSO
CAREY-Tech SSOCAREY-Tech SSO
CAREY-Tech SSO
 
11个步骤应用Spring Security 3(西安尚学堂~付老实)
11个步骤应用Spring Security 3(西安尚学堂~付老实)11个步骤应用Spring Security 3(西安尚学堂~付老实)
11个步骤应用Spring Security 3(西安尚学堂~付老实)
 
11个步骤应用Spring Security 3
11个步骤应用Spring Security 311个步骤应用Spring Security 3
11个步骤应用Spring Security 3
 
OAuth 2.0协议
OAuth 2.0协议OAuth 2.0协议
OAuth 2.0协议
 
SAM: Simple Access Manager Design
SAM: Simple Access Manager DesignSAM: Simple Access Manager Design
SAM: Simple Access Manager Design
 
使用者認證
使用者認證使用者認證
使用者認證
 
OAuth: How And Why?
OAuth: How And Why?OAuth: How And Why?
OAuth: How And Why?
 
Douban openplatform-use-oauth2.0
Douban openplatform-use-oauth2.0Douban openplatform-use-oauth2.0
Douban openplatform-use-oauth2.0
 
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
優碩-20120629_Openfind Solution Day_防堵機密外洩一氣呵成!從個資盤點到檔案保護
 
授權即服務介紹與實作 (LaaS)
授權即服務介紹與實作 (LaaS)授權即服務介紹與實作 (LaaS)
授權即服務介紹與實作 (LaaS)
 
淺談RESTful API認證 Token機制使用經驗分享
淺談RESTful API認證 Token機制使用經驗分享淺談RESTful API認證 Token機制使用經驗分享
淺談RESTful API認證 Token機制使用經驗分享
 
8 3
8 38 3
8 3
 
单点登录解决方案的架构与实现
单点登录解决方案的架构与实现单点登录解决方案的架构与实现
单点登录解决方案的架构与实现
 
1026 Windows Server 2008 Active Directory 版權管理服務
1026 Windows Server 2008 Active Directory 版權管理服務1026 Windows Server 2008 Active Directory 版權管理服務
1026 Windows Server 2008 Active Directory 版權管理服務
 
6, OCP - oracle security
6, OCP - oracle security6, OCP - oracle security
6, OCP - oracle security
 

Más de 升煌 黃

使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務
升煌 黃
 

Más de 升煌 黃 (14)

使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務使用 Passkeys 打造無密碼驗證服務
使用 Passkeys 打造無密碼驗證服務
 
陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular
 
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端 用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
 
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
 
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
 
gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務
 
Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案
 
Angular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics WorkshopAngular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics Workshop
 
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
 
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
 
Angular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDKAngular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDK
 
玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018
 
敏捷開發與Scrum
敏捷開發與Scrum敏捷開發與Scrum
敏捷開發與Scrum
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Development
 

OAuth2介紹

Notas del editor

  1. 在傳統的 Client-Server 架構裡, Client 要拿取受保護的資源 (Protected Resource) 的時候,要向 Server 出示使用者 (Resource Owner) 的帳號密碼才行。為了讓第三方應用程式也可以拿到這些 Resources ,則 Resource Owner 要把帳號密碼給這個第三方程式
  2. 第三方程式必須儲存 Resource Owner 的帳號密碼,通常是明文儲存。 Server 必須支援密碼認證,即使密碼有天生的資訊安全上的弱點。 第三方程式會得到幾乎完整的權限,可以存取 Protected Resources ,而 Resource Owner 沒辦法限制第三方程式可以拿取 Resource 的時效,以及可以存取的範圍 (subset)。 Resource Owner 無法只撤回單一個第三方程式的存取權,而且必須要改密碼才能撤回。 任何第三方程式被破解 (compromized),就會導致使用該密碼的所有資料被破解。
  3. OAuth 解決這些問題的方式,是引入一個認證層 (authorization layer) ,並且把 client 跟 resource owner 的角色分開。在 OAuth 裡面,Client 會先索取存取權,來存取 Resource Owner 擁有的資源,這些資源會放在 Resource Server 上面,並且 Client 會得到一組不同於 Resource Owner 所持有的認證碼 (credentials) 。 Client 會取得一個 Access Token 來存取 Protected Resources ,而非使用 Resource Owner 的帳號密碼。Access Token 是一個字串,記載了特定的存取範圍 (scope) 、時效等等的資訊。Access Token 是從 Authorization Server 拿到的,取得之前會得到 Resource Owner 的許可。Client 用這個 Access Token 來存取 Resource Server 上面的 Protected Resources 。 實際使用的例子:使用者 (Resource Owner) 可以授權印刷服務 (Client) 去相簿網站 (Resource Server) 存取他的私人照片,而不需要把相簿網站的帳號密碼告訴印刷服務。這個使用者會直接授權透過一個相簿網站所信任的伺服器 (Authorization Server) ,核發一個專屬於該印刷服務的認證碼 (Access Token)。