1.3 Authorization Grant
• Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)

1.4 Access Token
• a string representing an authorization
– usually opaque to the client
• may denote an identifier used to retrieve the authorization information
• may self-contain the authorization information in a verifiable manner
• details in companion specifications

1.5 Refresh Token
• credentials used to obtain access tokens
– when the access token has expired
– long lived (forever and ever)
– only sent to the authorization server
– denotes an identifier used to retrieve the authorization information
– OPTIONAL

Bearer Token Usage
• RFC 6750
– details on the OAuth2 access_token
– defines token_type bearer (the first one)
• “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”

Bearer Token Usage
• does not specify the encoding or the contents of the token??
• Methods
– Authorization Request Header Field
– Form-Encoded Body Parameter
– URI Query Parameter
MAC Token
• draft-ietf-oauth-v2-http-mac-03
– access_token
• token_type = mac (the second one, not yet approved)
– integrity
Additions
• response_type: id_token
• endpoints: /check_id, /userinfo
• id_token is returned
• send it as access_token to /check_id
• control info is returned
• send access_token to /userinfo
• user_info is returned
Why – the plot?
Fake: Hi Lisa, what’s your username?
Lisa: Hmm, don’t know - could it be, email@example.com?
Fake: Ok, great! What’s your password?
Lisa: h4pp1n3ss!
Fake: Perfect! We’ll steal your PayPal, Twitter and Facebook account through the Hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
How?
Authorization in 5 easy steps
• Intent
• Request Token
• Authorize Request Token
• Exchange Token
• Access Data
Step 1: Intent
Lisa: Hi, Moo! I would like to order printouts of some of my pictures on Flickr, they are marked as private. Could you please print them?
Moo: Sure, we just need to ask permission from Flickr.

Step 2: Request Token
Moo: Hi Flickr! This is Moo speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd
Moo: Thanks!

Step 3: Authorize Request Token
Moo: Hi Lisa, could you please go to Flickr to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your pictures.
Lisa: Sure, just redirect my browser and I will be done in a second!

Step 3, Continued
Lisa: Flickr, I would like to authorize 9iKot2y5UQTDlS2V
Flickr: Sure - to be on the safe side; you are allowing Moo to read your private pictures? We trust them, so there are no issues from our side.
Lisa: Yes, that is correct!
Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.

Step 3, Optional Notify
Lisa: Hi Moo, I just told Flickr that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
Moo: Perfect, thank you!

Step 4: Exchange Token
Moo: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe
Moo: Perfect, thank you!

Step 5: Access Data
Moo: Hi Flickr, I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Here they are Moo, anything else?
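The "HMAC-SHA1 (Yours Truly, Moo.)" annotation in Steps 2, 4 and 5 is the consumer's signature over the request. As an added example that is not from the slides, here is that signature computed the way RFC 5849 section 3.4 specifies, with Moo signing the Step 5 request and Flickr verifying it. The consumer secret, the endpoint URL, timestamp and nonce are constructed values; the token values and token secrets are the ones from the slides.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 3.6: percent-encode everything except ALPHA, DIGIT, "-", ".", "_", "~"
    return quote(str(s), safe="~")

def base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD "&" enc(base URL) "&" enc(normalized parameters).
    # Parameters from query, body and the OAuth header (minus oauth_signature)
    # are encoded, sorted by encoded name then value, and joined with "=" and "&".
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # RFC 5849 3.4.2: key is enc(consumer secret) "&" enc(token secret); the token
    # secret is empty when asking for a request token (Step 2 of the slides)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def moo_signs(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: append oauth_signature to the parameters Moo sends."""
    return params + [("oauth_signature", hmac_sha1(method, url, params, consumer_secret, token_secret))]

def flickr_verifies(method, url, params, consumers, token_secrets):
    """Provider side: look up both secrets, recompute, compare in constant time.
    A real provider also rejects stale timestamps and replayed nonces (RFC 5849 3.3)."""
    p = dict(params)
    consumer_secret = consumers.get(p.get("oauth_consumer_key"))
    if consumer_secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    token = p.get("oauth_token", "")
    if token and token not in token_secrets:     # unknown token: never fall back to ""
        return False
    expected = hmac_sha1(method, url, params, consumer_secret, token_secrets.get(token, ""))
    return hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode())

# Constructed: Moo's registered consumer secret; token secrets are the slides' values
CONSUMERS = {"moo": "m00-c0nsum3r-s3cr3t"}
TOKEN_SECRETS = {"9iKot2y5UQTDlS2V": "1Hv0pzNXMXdEfBd", "94S3sJVmuuxSPiZz": "4Fc8bwdKNGSM0iNe"}
PHOTOS_URL = "https://flickr.example/private-pictures"   # constructed endpoint

def step5_params(token="94S3sJVmuuxSPiZz"):
    # Step 5 request parameters: Lisa's Flickr credentials never appear in here
    return [("oauth_consumer_key", "moo"), ("oauth_token", token),
            ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1337000000"),
            ("oauth_nonce", "7d8f3e4a"), ("oauth_version", "1.0")]
```

Only Moo's consumer secret and the token secret enter the signing key, which is the Take Away point: Flickr can verify Moo without Lisa's password ever crossing the wire.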
Take Away
• No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa’s credentials on Flickr are.
• => Not an authentication protocol/standard/technology
• API independent
– there are lots of different implementations on both client and server side

The Standard
When?
• 2006-11 Blaine Cook (Twitter) started working on Twitter’s OpenID implementation
• 2007-04 A Google group started to write a draft protocol specification
• 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
When?
• 2007-12 Initial version OAuth 1.0 ready
– mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
– http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
– New protocol, not backward compatible with OAuth 1
– Simplify and create a better user experience
– Less secure due to no digital signature?