OAuth Tutorial (IETF #79, Beijing)

  1. Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
     Footer on every slide: 12/29/12 IETF #79, OAuth Tutorial Beijing
  2. Acknowledgements
     • I would like to thank Pasi Eronen. We are re-using some of his slides in this presentation.
  3. The Problem: Secure Data Sharing
  4. (figure only)
  5. Example OAuth Exchange
  6. Entities (figure): User, User Agent (Web Browser), Resource Consumer (LinkedIn), Authorization Server (Yahoo), Resource Server (Yahoo). Messages: Authorization Request (via the User Agent), Token request (Resource Consumer to Authorization Server), Access Request (incl. Token) (Resource Consumer to Resource Server).
  7. User navigates to Resource Client
  8. User authenticated by Authorization Server
  9. User authorizes Resource Consumer to access Resource Server
  10. Resource Client calls the Resource Server API
  11. Remark: Authentication
     • Yahoo in our example may outsource the authentication part to other providers (e.g. using OpenID).
     • Authorization Server and Resource Server do not need to be operated by the same entity.
  12. Remark: Authorization
     • Asking the user for consent prior to sharing information is considered privacy-friendly.
     • User interfaces for obtaining user consent may not always be great.
  13. Remark: Authorization, cont. (figure only)
  14. Remark: Authorization, cont. (figure only)
  15. Remark: Authorization, cont. (figure only)
  16. Remark: Prior Registration
     • Many Resource Servers require registration of Resource Clients prior to usage.
     • Example: http://developer.cliqset.com/api
  17. Remark, cont. (figure only)
  18. History
  19. History
     • November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need.
     • December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft.
     • April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.
     • July 2007: OAuth 1.0 (with code for major programming languages)
     • September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows)
     • Deployment of OAuth well on its way: http://wiki.oauth.net/ServiceProviders
  20. History, cont.
     • 1st OAuth BOF (Minneapolis, November 2008, IETF#73)
       – BOF Chairs: Sam Hartman, Mark Nottingham
       – BOF went OK but a couple of charter questions couldn't be resolved.
     • 2nd OAuth BOF (San Francisco, March 2009, IETF#74)
       – BOF Chairs: Hannes Tschofenig, Blaine Cook
       – Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting.
     • IETF-wide review of the OAuth charter text (28th April 2009)
       – Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
     • OAuth working group was created (May 2009)
       – Chairs: Blaine Cook, Peter Saint-Andre
     • Feb 2010: "The OAuth 1.0 Protocol" approved as Informational RFC:
       – http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
  21. History, cont.
     • March 2010: Peter Saint-Andre became Area Director and Hannes Tschofenig became Blaine's co-chair.
     • March 2010: IETF OAuth meeting in Anaheim
     • April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published, co-authored by Eran, Dick, David.
     • May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
     • July 2010: Maastricht IETF meeting
     • November 2010: Document split into "abstract" specification and separate bearer token and message signing specifications.
     • November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth.
  22. Entities (figure, generic version of slide 6): User, User Agent, Resource Consumer, Authorization Server, Resource Server. Messages: Authorization Request, Token request, Access Request (incl. Token).
  23. Scope of the OAuth WG
     • Currently only one working group item:
       – http://tools.ietf.org/html/draft-ietf-oauth-v2
       – Unlike OAuth v1.0 it does not contain signature mechanisms
     • We have a bunch of other documents as individual items
       – Providing security related extensions
       – User interface considerations
       – Token formats
       – Token by reference
       – Use case descriptions
       – Other OAuth profiles
  24. Work Areas (figure: the entity diagram of slide 22 annotated with work areas): User Interface, User Agent Authentication, Token Format and Content, Authz Server Data Exchange Interaction, Request Security, OAuth Profiles.
  25. Web Server Flow
  26. (figure only)
  27. A little bit about OAuth security…
  28. Work Areas (figure, as slide 24): User Interface, User Agent Authentication, Authz Server Data Exchange Interaction, OAuth Profiles.
  29. "Bearer Token" (figure): the Resource Consumer sends a Request to the Authorization Server and receives a Token over TLS; the Resource Consumer then presents the Token to the Resource Server, again over TLS.
  30. "Message Signing" (figure): the Resource Consumer sends a Request to the Authorization Server and receives Token, SK and {SK}Bob over TLS; the Resource Consumer then sends Token, {Request}SK and {SK}Bob to the Resource Server.
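Slides 29 and 30 contrast a bearer token, whose only protection is TLS on each hop, with message signing, where the Resource Consumer must prove possession of the session key SK on every request, so a token seen by a third party is useless on its own. The following Python is an added example, not code from the slides or from the OAuth working group; it assumes HMAC-SHA256 for {Request}SK and, as a stated simplification in place of the encrypted {SK}Bob envelope, derives SK from a secret shared between the Authorization Server and the Resource Server ("Bob").

```python
import hashlib
import hmac
import secrets

# Constructed long-term secret shared by Authorization Server and Resource Server (Bob).
# Simplification: instead of transporting SK encrypted for Bob ({SK}Bob on slide 30),
# both sides derive SK from the token, so no second key-transport step is modelled here.
AS_RS_SHARED = b"constructed-as-rs-shared-secret"


def derive_sk(token: str) -> bytes:
    """Per-token session key SK, computable by the Authorization Server and by Bob."""
    return hmac.new(AS_RS_SHARED, token.encode(), hashlib.sha256).digest()


def issue_token() -> str:
    """Authorization Server step common to both slides: hand out an opaque token (over TLS)."""
    return secrets.token_urlsafe(16)


def verify_bearer(presented: str, issued: set) -> bool:
    """Slide 29: the Resource Server accepts any holder of a valid token; a copied token works too."""
    return presented in issued


def canonical(method: str, uri: str, ts: int, nonce: str, body: bytes) -> bytes:
    """Request bytes covered by the signature; anything outside this string is unprotected."""
    return f"{method}\n{uri}\n{ts}\n{nonce}\n".encode() + body


def sign_request(token: str, method: str, uri: str, body: bytes, ts: int, nonce: str) -> dict:
    """Slide 30, client side: {Request}SK realised as an HMAC over the canonical request."""
    msg = canonical(method, uri, ts, nonce, body)
    mac = hmac.new(derive_sk(token), msg, hashlib.sha256).hexdigest()
    return {"token": token, "ts": ts, "nonce": nonce, "mac": mac}


class ResourceServer:
    """Slide 30, Bob's side: recompute the MAC and reject stale, replayed or altered requests."""

    def __init__(self, issued: set, window: int = 300):
        self.issued, self.window, self.seen = issued, window, set()

    def verify_signed(self, method: str, uri: str, body: bytes, hdr: dict, now: int) -> bool:
        if hdr["token"] not in self.issued or abs(now - hdr["ts"]) > self.window:
            return False                      # unknown token or outside the freshness window
        if (hdr["token"], hdr["nonce"]) in self.seen:
            return False                      # same nonce seen before: replayed request
        msg = canonical(method, uri, hdr["ts"], hdr["nonce"], body)
        expected = hmac.new(derive_sk(hdr["token"]), msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hdr["mac"]):
            return False                      # request altered or signed with the wrong SK
        self.seen.add((hdr["token"], hdr["nonce"]))
        return True
```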
  31. Conclusion
     • Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments.
       – Usage for non-Web based applications has been proposed as well.
     • Work is in progress and re-chartering will expand the work to include new features and use cases as well as security.
     • Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution.
  32. Backup Slides
  33. JavaScript Flow (User Agent Flow in Draft)
  34. (figure only)
  35. Native Application Flow
  36. (figure only)
  37. Autonomous Flow
  38. (figure only)
  39. Device Flow
  40. (figure only)
  41. (figure only)