RFC6749 et alia 20130504
Presentation of RFC6749 given at Omegapoint conference OPKoKo 13.1

Published in: Technology
1. The standard: RFC6749

2. Checkpoint
   •  The problem
   •  The history

3. 1.1 Roles
   •  resource owner
   •  resource server
   •  authorization server
   •  client
   [Code fragment on slide: @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]

4. 1.2 Flow
   [Diagram: abstract protocol flow with the labels Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; code fragment: @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]

5. 1.3 Authorization Grant
   •  Four grant types
      – authorization code
      – implicit
      – resource owner password credentials
      – client credentials
      – (extension grants…)

6. 1.4 Access Token
   •  a string representing an authorization
      – usually opaque to the client
   •  may denote an identifier used to retrieve the authorization information
   •  may self-contain the authorization information in a verifiable manner
   •  details in companion specifications

7. 1.5 Refresh Token
   •  credentials used to obtain access tokens
      – when access token has expired
      – long lived (forever and ever)
      – only sent to authorization server
      – denotes an identifier used to retrieve the authorization information
      – OPTIONAL

8. 2.0 Client Registration
   •  Needs to be done (client type, redirect URI, keys)
   •  Details out-of-scope for RFC6749
      – Manual
      – OAuth 2.0 Dynamic Client Registration Protocol
         •  draft-ietf-oauth-dyn-reg-09
      – OpenID Connect Dynamic Client Registration 1.0 - draft 08

9. 2.0 Client Registration (continued)
   •  Real world examples
      – Google
      – Facebook
      – Twitter

10. 2.1 Client types
   •  Confidential
      – web application
   •  Public
      – user-agent-based application
      – native application

11. 2.2/3 Identifier & Auth
   •  Client Identifier
      – client_id (string, not secret)
   •  Client Authentication (confidential client type)
      – Basic Authentication (client_id:client_secret)
   •  And
      – Other Authentication Methods
      – Unregistered

12. 3.0 Protocol Endpoints
   •  authorization server endpoints (URL:s)
      – Authorization endpoint
      – Token endpoint
   •  client endpoint
      – Redirection endpoint
   •  resource server
      – As required…

13. 4.0 Obtaining Authorization
   •  Our main target is getting an Access Token
      – There are a couple of ways to do it
   •  depending on the client type

14. 4.1 Authorization Code Grant
   [Diagram: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; annotation: @override Authentication]

15. 4.2 Implicit Grant
   [Diagram: Authorization Request, Access Token, Redirection URI, Script, Access Token, Protected Resource; annotations: @override Authentication, @override resource]

16. 4.3 Resource Owner Password Credentials Grant
   [Diagram: Authorization Grant, Access Token, Access Token, Protected Resource; annotation: @override]

17. 4.4 Client Credentials Grant
   [Diagram: Authorization Grant, Access Token, Access Token, Protected Resource; annotation: @override]

18. 4.5 Extension Grants

      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-

   Example is OAuth-SAML2

19. 4.5 Extension Grants

      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-

   Example is OAuth-SAML2

20. 5. Issuing an Access Token

      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "token_type":"example",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
        "example_parameter":"example_value"
      }

21. 5.1 Successful response
   •  access_token
      – REQUIRED
   •  token_type
      – REQUIRED
   •  expires_in
      – RECOMMENDED
   •  refresh_token
      – OPTIONAL
   •  scope
      – OPTIONAL/REQUIRED

22. 6.0 Refreshing an Access Token

      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
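An added example, not from the slides, that checks a token response against the REQUIRED / RECOMMENDED / OPTIONAL rules of slide 5.1 (including the Cache-Control rule and a scope that the server narrowed) and builds the refresh request of slide 6.0 with HTTP Basic client authentication. The client_id and client_secret are the values decoded from the slide's Basic header; the response body and headers are the slide's.

```python
import base64
import json
import urllib.parse

# Token response from the slide "5. Issuing an Access Token" (RFC 6749 section 5.1 example).
SAMPLE_RESPONSE = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example",'
                   '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",'
                   '"example_parameter":"example_value"}')
SAMPLE_HEADERS = {"Content-Type": "application/json;charset=UTF-8",
                  "Cache-Control": "no-store", "Pragma": "no-cache"}
KNOWN_TOKEN_TYPES = {"bearer", "mac"}  # the two token_type values the deck covers


def validate_token_response(body, headers, requested_scope=None):
    """Return {field: problem}; an empty dict means the client may use the token."""
    try:
        tok = json.loads(body)
    except ValueError:
        return {"body": "not JSON"}
    problems = {}
    for field in ("access_token", "token_type"):          # REQUIRED
        if not isinstance(tok.get(field), str) or not tok[field]:
            problems[field] = "REQUIRED field missing"
    ttype = str(tok.get("token_type", "")).lower()        # type names are case-insensitive
    if ttype and ttype not in KNOWN_TOKEN_TYPES:
        problems["token_type"] = f"unsupported type {ttype!r}; client cannot use the token"
    if "expires_in" not in tok:                           # RECOMMENDED
        problems["expires_in"] = "missing; client cannot plan a refresh"
    elif not isinstance(tok["expires_in"], int) or tok["expires_in"] <= 0:
        problems["expires_in"] = "must be a positive number of seconds"
    # scope is OPTIONAL if identical to the request, REQUIRED if the server narrowed it
    if requested_scope is not None and "scope" in tok:
        granted = set(tok["scope"].split())
        if granted != set(requested_scope.split()):
            problems["scope"] = f"granted {sorted(granted)} differs from requested"
    cc = {k.lower(): v for k, v in headers.items()}       # section 5.1: never cache tokens
    if "no-store" not in cc.get("cache-control", "").lower():
        problems["cache-control"] = "response lacks Cache-Control: no-store"
    return problems


def basic_client_auth(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic."""
    cred = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def build_refresh_request(refresh_token, client_id, client_secret, host="server.example.com"):
    """The refresh request of slide 6.0 as (headers, form body) for a confidential client."""
    headers = {"Host": host,
               "Authorization": basic_client_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return headers, body
```

Run against the slide's own response the validator rejects it only because token_type "example" is not a type the client knows how to present.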
23. 7. Accessing Protected Resources
   •  Present access token
      – How depends on token_type
   •  Server validates (out of scope)
      – Generally interaction with Authorization Server

24. 7.1 Access Token Types
   •  What type of token?
      – Compare with concept of grant_type
   •  Not defined by OAuth2
      – A registry is defined
   •  Contents
      – Bearer (RFC6750)
      – Mac (OAuth-HTTP-MAC)

25. Extensibility
   •  Defining Access Token Types
   •  Defining New Endpoint Parameters
   •  Defining New Authorization Grant Types
   •  Defining New Authorization Endpoint Response Type
   •  Defining Additional Error Codes

26. Criticism
   •  Not that specified
   •  A consultant's dream

27. Related Standards

28. ‘oauth’ in ietf.org

29. Bearer Token Usage
   •  RFC6750
      – Details on OAuth2 access_token
      – Defines token_type bearer (first)
   •  “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”

30. Bearer Token Usage
   •  does not specify the encoding or the contents of the token??
   •  Methods
      – Authorization Request Header Field
      – Form-Encoded Body Parameter
      – URI Query Parameter
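An added example, not from the slides, of the resource-server side of RFC6750: locating the bearer token by the three methods listed on slide 30, rejecting a request that carries the token by more than one of them, and building the WWW-Authenticate challenge that goes back with the error. The sample token mF_9.B5f-4.1JqM and the realm "example" are assumed values.

```python
import re
import urllib.parse

# RFC 6750 section 2.1 token syntax: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


class BearerError(Exception):
    """Error code (section 3.1) and HTTP status to send back with the challenge."""
    def __init__(self, code, status):
        super().__init__(code or "no token")
        self.code, self.status = code, status


def extract_bearer(method, path, headers, body=None):
    """Locate the access token using the three methods listed on the slide.
    Returns (token, method_used); raises BearerError when none or more than one is used."""
    found = []
    auth = headers.get("Authorization")
    if auth is not None:                                   # 2.1 Authorization Request Header Field
        m = BEARER_RE.match(auth)
        if not m:
            raise BearerError("invalid_request", 400)      # malformed credential
        found.append((m.group(1), "header"))
    ctype = headers.get("Content-Type", "")
    if body and method.upper() != "GET" and ctype.startswith("application/x-www-form-urlencoded"):
        form = urllib.parse.parse_qs(body)                 # 2.2 Form-Encoded Body Parameter
        if "access_token" in form:
            found.append((form["access_token"][0], "body"))
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    if "access_token" in query:                            # 2.3 URI Query Parameter
        found.append((query["access_token"][0], "query"))  # the token will end up in access logs
    if not found:
        raise BearerError("", 401)                         # no token: plain challenge, no error code
    if len(found) > 1:
        raise BearerError("invalid_request", 400)          # clients MUST NOT use more than one method
    return found[0]


def challenge(err, realm="example"):
    """WWW-Authenticate header value for the failure (section 3)."""
    if not err.code:
        return f'Bearer realm="{realm}"'
    return f'Bearer realm="{realm}", error="{err.code}"'
```

A resource server that logs which method was used can see how many of its clients still put tokens in the query string, the method RFC6750 discourages because the URL is written to logs along the way.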
31. Mac Token
   •  draft-ietf-oauth-v2-http-mac-03
      – access_token
   •  token_type = mac (second, not yet approved)
      – integrity

32. OAuth Assertions Framework
   •  draft-ietf-oauth-assertions-11
      – Framework, needs instances
   •  ietf-oauth-saml2-bearer
   •  ietf-oauth-jwt-bearer

33. SAML2 Bearer Assertions
   [Diagram: Authorization Grant, Access Token, Access Token, Protected Resource; annotation: @override]

34. SAML2 Bearer Assertion
   •  Note: ‘Bearer’ now used to describe assertion on Authorization Grant – not Access Token
   •  SAML2 Assertion – another possible grant_type

35. JWT Bearer Tokens
   [Diagram: Authorization Grant, Access Token, Access Token, Protected Resource; annotation: @override]

36. JWT Bearer Tokens
   •  Similar to SAML2
   •  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer

37. JWT Tokens
   •  JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
      – JWS (JSON Web Signature)
      – JWE (JSON Web Encryption)
   •  Enables MAC/signed/encrypted

38. OpenID Connect
   •  a simple identity layer on top of the OAuth 2.0 protocol.
   •  allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server

39. OpenID Connect: flow
   •  Authorization Code Flow
      – response_type = code id_token
   •  Implicit Flow (RECOMMENDED)
      – response_type = token id_token

40. OpenID Connect: scope
   •  openid - REQUIRED
   •  profile - OPTIONAL
   •  email - OPTIONAL
   •  address - OPTIONAL
   •  phone - OPTIONAL

41. additions
   •  response_type: id_token
   •  endpoint: /check_id, /userinfo
   •  id_token is returned
   •  send as access_token to /check_id
   •  control info returned
   •  send access_token to /userinfo
   •  user_info is returned

42. Recap
   [Diagram: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; code fragment: @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]

43. ? Thank You!
   @mjidhage
   www.sakerhetspodcasten.se

44–50. The actual problem
   [Diagram slides with the labels Lisa, Information, Service Provider, Consumer]

51. Why – the plot?
   fake: Hi Lisa, what’s your username?
   Lisa: Hmm, don’t know - could it be, lisa@hotmail.com?
   fake: Ok, great! What’s your password?
   Lisa: h4pp1n3ss!
   fake: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.

52. How? Authorization in 5 easy steps
   •  Intent
   •  Request Token
   •  Authorize Request Token
   •  Exchange Token
   •  Access Data

53. Step 1: Intent
   Lisa: Hi, Moo! I would like to order printouts of some of my pictures on Flickr, they are marked as private. Could you please print them?
   Moo: Sure, we just need to ask permission from Flickr.

54. Step 2: Request Token
   Moo: Hi Flickr! This is Moo speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
   Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
   Moo: Thanks!

55. Step 3: Authorize Request Token
   Moo: Hi Lisa, could you please go to Flickr to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your pictures.
   Lisa: Sure, just redirect my browser and I will be done in a second!

56. Step 3, Continued
   Lisa: Flickr, I would like to authorize 9iKot2y5UQTDlS2V
   Flickr: Sure - to be on the safe side; you are allowing Moo to read your private pictures? We trust them, so there are no issues from our side.
   Lisa: Yes, that is correct!
   Flickr: Ok, good. Now get back to Moo and tell them it is ok to proceed.

57. Step 3, Optional Notify
   Lisa: Hi Moo, I just told Flickr that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
   Moo: Perfect, thank you!

58. Step 4: Exchange Token
   Moo: Hi, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
   Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
   Moo: Perfect, thank you!

59. Step 5: Access Data
   Moo: Hi Flickr, I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
   Flickr: Here they are Moo, anything else?
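An added example, not from the slides, of what the “HMAC-SHA1 (Yours Truly, Moo.)” lines in Steps 2, 4 and 5 stand for: the OAuth 1.0 signature base string and HMAC-SHA1 signature of RFC 5849 section 3.4, together with the server-side check that makes a request with a changed parameter or a wrong secret fail. Moo's consumer key and secret, the nonce, the timestamp and the host api.flickr.example are invented; the access token and its secret are the ones on the Step 4 slide.

```python
import base64
import hashlib
import hmac
import urllib.parse


def pct(s):
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return urllib.parse.quote(str(s), safe="")

def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, drop default port, query and fragment."""
    u = urllib.parse.urlsplit(url)
    host = u.netloc.lower()
    for scheme, port in (("http", ":80"), ("https", ":443")):
        if u.scheme == scheme and host.endswith(port):
            host = host[:-len(port)]
    return f"{u.scheme}://{host}{u.path or '/'}"

def signature_base_string(method, url, oauth_params, body_params=()):
    """Section 3.4.1: METHOD & uri & normalized(query + oauth_* + form body params)."""
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    pairs = query + list(body_params) + [(k, v) for k, v in oauth_params.items()
                                        if k != "oauth_signature"]
    # encode first, then sort by name and value, then join (section 3.4.1.3.2)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join((method.upper(), pct(base_string_uri(url)), pct(normalized)))

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: key = pct(consumer secret) & pct(token secret); output is base64."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_signature(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Server side: recompute over the received parameters and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body_params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Step 5 as Moo would send it. Access token and token secret are the Step 4 slide's values;
# consumer key/secret, nonce, timestamp and host are constructed for this example.
STEP5_URL = "https://api.flickr.example/photos?privacy=private"
STEP5_PARAMS = {"oauth_consumer_key": "moo", "oauth_nonce": "kllo9940pd9333jh",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1367654400",
                "oauth_token": "94S3sJVmuuxSPiZz", "oauth_version": "1.0"}
CONSUMER_SECRET, TOKEN_SECRET = "moo-secret", "4Fc8bwdKNGSM0iNe"

def sign_step5():
    """Return STEP5_PARAMS plus the oauth_signature Moo attaches to the request."""
    signed = dict(STEP5_PARAMS)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("GET", STEP5_URL, signed), CONSUMER_SECRET, TOKEN_SECRET)
    return signed
```

Because the signature covers the method, URI and every parameter, swapping the access token for the request token (or any other value) breaks verification, and the secrets themselves never leave Moo; this is the proof-of-possession property that the later Bearer slides point out OAuth 2.0 bearer tokens do without.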
60. Take Away
   •  No information on the identity of Lisa is passed to Moo and Moo have no idea of what Lisa's credentials on Flickr are.
   •  => Not an authentication protocol/standard/technology
   •  API independent
      – there are lots of different implementations on both client and server side

The Standard

61. History

62. When?
   —  2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
   —  2007-04 A Google group started to write a draft protocol specification
   —  2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification

63. When?
   •  2007-12 Initial version OAuth 1.0 ready
   •  mainly based on the Flickr Auth API and Google AuthSub
   •  2009-06 Revised version 1.0a due to a security flaw
   •  http://oauth.net/core/1.0a
   •  2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
   •  OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
   •  New protocol, not backward compatible with OAuth1
   •  Simplify and create a better user experience
   •  Less secure due to no digital signature?

64. 2011-05-06 The Standard