OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

  1. OAuth 2.0 & OpenID Connect
  2. @nov, OpenID Foundation Japan Evangelist, OAuth.jp. Ruby libraries: rack-oauth2, openid_connect, fb_graph. OpenSource Conference 2011
  3. (image slide)
  4. Current Trend: Mobile, Game, Social (OpenID TechNight #7)
  5. Platform: 3rd-party Developers
  6. API Integration: Access Control for APIs
  7. (image slide)
  8. Using the same password on 10+ services??
  9. OAuth: no password sharing; limited access lifetime (expire after N weeks); limited access scope (Status Update: OK, Read Inbox: NG)
  10. B2B is slow though..
  11. Rough History
  12. 2007.12 OAuth 1.0
  13. Twitter API
  14. 2010.04 OAuth 2.0 (draft 0)
  15. Facebook Graph API
  16. 2010.07 draft 10
  17. mixi Graph API
  18. (image slide)
  19. 2011.09 draft 22
  20. OAuth 1.0 / OAuth 2.0
  21. OAuth 1.0 in Japanese: ju.mp/oauth1_ja. OAuth 2.0 in Japanese: ju.mp/oauth2_ja
  22. (image slide)
  23. OAuth 2.0 roles (diagram): the Resource Owner authorizes Client access at the Authorization Server, which issues an Access Token; the Client then uses the Access Token for API access to the Resource Server.
  24. (same diagram)
  25. (same diagram)
  26. (same diagram) labelled Core Spec (authorization and Access Token issuance) and Token Type Spec (API access with the token)
  27. (same diagram, Core Spec / Token Type Spec labels)
  28. Core: Response Type. 2 response types in Core: code, token. Extensions: code + token, and more..
  29. Core, response_type = code (sequence between Resource Owner, Client and Authorization Server): Initiate, Require Approval, Approve, Code, Code, Access Token
  30. Authorization request: client_id=...&response_type=code&redirect_uri=https://...&scope=...
  31. (same sequence)
  32. (same sequence)
  33. Token request: code=...&client_id=...&client_secret=...&grant_type=authorization_code&redirect_uri=https://...
  34. [NOTE] Facebook API returns the access token in x-www-form-urlencoded
  35. Core, response_type = token (sequence between Resource Owner, Client and Authorization Server): Initiate, Require Approval, Approve, Access Token
  36. Authorization request: client_id=...&response_type=token&redirect_uri=https://...&scope=...
  37. (same sequence)
  38. Core: Response Type comparison. Code: secure, 2 HTTP requests (Require Approval, then Get Access Token). Token: efficient, 1 HTTP request (both at once). + extensions
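
The two requests of the response_type=code flow on slides 29-34, as an added Ruby example (not the slides' own material and not taken from rack-oauth2): it builds the authorization request of slide 30, checks the redirect back, builds the token request of slide 33, and parses the token response in either JSON or, as slide 34 notes for Facebook, x-www-form-urlencoded form. The endpoints, client_id, client_secret and redirect_uri are constructed placeholders, and the state parameter is an addition not shown on the slides.

```ruby
require "uri"
require "json"

# Client settings; all values are constructed placeholders.
CLIENT = {
  client_id:     "client-123",
  client_secret: "secret-xyz",
  redirect_uri:  "https://rp.example.com/callback",
  authz_url:     "https://as.example.com/authorize",
  token_url:     "https://as.example.com/token"
}.freeze

# Step 1 (slide 30): the URL the Client sends the Resource Owner to.
# `state` is not on the slide; it is a core parameter the Client uses to
# tie the later redirect back to the session that started the flow.
def authorization_url(state, scope: "profile")
  params = { client_id: CLIENT[:client_id], response_type: "code",
             redirect_uri: CLIENT[:redirect_uri], scope: scope, state: state }
  "#{CLIENT[:authz_url]}?#{URI.encode_www_form(params)}"
end

# Step 2: the Authorization Server redirects back with ?code=...&state=...
# Accept the code only when the state matches the one we issued.
def code_from_callback(callback_url, expected_state)
  query = Hash[URI.decode_www_form(URI(callback_url).query.to_s)]
  return nil if query["error"] || query["state"] != expected_state
  query["code"]
end

# Step 3 (slide 33): body of the back-channel POST to the token endpoint,
# the second of the two HTTP requests slide 38 counts for this flow.
def token_request_body(code)
  URI.encode_www_form(code: code, client_id: CLIENT[:client_id],
                      client_secret: CLIENT[:client_secret],
                      grant_type: "authorization_code",
                      redirect_uri: CLIENT[:redirect_uri])
end

# Step 4: parse the Access Token response. Draft 22 says JSON, but slide 34
# notes that Facebook answers in x-www-form-urlencoded, so accept both.
def parse_token_response(body, content_type)
  if content_type.to_s.start_with?("application/json")
    JSON.parse(body)
  else
    Hash[URI.decode_www_form(body)]
  end
end
```
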
  39. Token Type Spec (diagram): how the Client presents the Access Token for API access to the Resource Server
  40. Token Type Spec: Bearer vs MAC. Bearer: no signature, no token secret, mainstream. MAC: signature, token secret, similar to OAuth 1.0. + extensions
  41. (same table) Bearer: in most cases, you use this.
  42. Bearer Token: Access Token Response (example)
  43. API Access (Bearer) (example)
  44. BUT
  45. Not all API providers follow the latest draft..
  46. NO “token_type” in the Access Token Response
  47. Different Scheme/Parameter: scheme “OAuth”, parameter “oauth_token”
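
Slides 45-47 warn that providers lag behind the draft: no token_type in the response, or the older "OAuth" scheme and oauth_token parameter. The following is an added Ruby example (not from the slides, nor from the fb_graph or rack-oauth2 gems) that normalises such responses and builds the API request for each provider style; the PROVIDER_STYLES table, URLs and token values are constructed.

```ruby
require "uri"
require "json"

# How each API wants the token presented; constructed placeholders, not real
# provider settings. Slide 47: some providers still use the "OAuth" header
# scheme or an oauth_token query parameter from earlier drafts.
PROVIDER_STYLES = {
  bearer:       { scheme: "Bearer" },      # draft 22 Bearer token spec
  oauth_header: { scheme: "OAuth" },       # older draft, header scheme
  oauth_query:  { param: "oauth_token" }   # older draft, query parameter
}.freeze

# Normalise an Access Token response (JSON or form-encoded) into one shape.
# Slide 46: some providers send no token_type at all; treat that as bearer
# but record it, so the off-spec provider stays visible in logs.
def normalize_token_response(body)
  h = body.lstrip.start_with?("{") ? JSON.parse(body) : Hash[URI.decode_www_form(body)]
  token = h["access_token"] || h["oauth_token"]
  raise ArgumentError, "no access token in response" unless token
  { token: token, type: (h["token_type"] || "bearer").downcase,
    type_declared: h.key?("token_type") }
end

# Build the API request for one provider style. Only bearer tokens can be
# sent this way: a MAC token (slide 40) needs its secret and a signature,
# so presenting it bare would never be accepted.
def api_request(url, token_info, provider)
  style = PROVIDER_STYLES.fetch(provider)
  unless token_info[:type] == "bearer"
    raise ArgumentError, "cannot present a #{token_info[:type]} token as bearer"
  end
  uri = URI(url)
  headers = {}
  if style[:param]
    # Query-string tokens end up in server logs and referers; prefer the header.
    pairs = URI.decode_www_form(uri.query.to_s) << [style[:param], token_info[:token]]
    uri.query = URI.encode_www_form(pairs)
  else
    headers["Authorization"] = "#{style[:scheme]} #{token_info[:token]}"
  end
  { url: uri.to_s, headers: headers }
end
```
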
  48. #MA7 Mashup Caravan & Meetup in Kyoto
  49. (image slide)
  50. OpenID is dead!? Poor UX? URL as identifier?
  51. Lack of API access!? You need “stream access”, don’t you?
  52. OpenID Connect ~ OpenID based on OAuth 2.0 ~
  53. ref.) slideshare.net/oid;/openidconnect-nat
  54. (OAuth 2.0 roles diagram, as on slide 23)
  55. Basic Flow (sequence between Resource Owner, Client and Authorization Server): Initiate, Require Approval, Approve, Access Token
  56. Authorization request: client_id=...&response_type=token+id_token&redirect_uri=https://...&scope=openid
  57. (same sequence)
  58. OAuth 2.0 + “ID Token”
  59. connect-rp.heroku.com
  60. ID Token: represents session information; JWT-encoded JSON object; signed using JWS; encrypted using JWE
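
Slide 60 says the ID Token is a JWT-encoded JSON object signed with JWS. The following is an added Ruby example (not from the slides, nor from the openid_connect gem) that signs such a token with RS256 and runs the checks a Relying Party needs before trusting it: signature first, then iss, aud and exp. The key pair, issuer and client_id are constructed by the caller, and JWE encryption is not covered.

```ruby
require "openssl"
require "json"

# base64url without padding, as JWS uses it (no base64 gem needed).
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0") # ArgumentError if malformed
end

# Provider side: JWT = base64url(header).base64url(claims).base64url(signature),
# signed here with RS256. Key and claims are supplied by the caller.
def issue_id_token(private_key, claims)
  input = [b64url_encode(JSON.generate({ alg: "RS256", typ: "JWT" })),
           b64url_encode(JSON.generate(claims))].join(".")
  "#{input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Relying Party side. Returns [claims, nil] on success or [nil, reason].
# The alg is pinned so a token claiming "none" or an HMAC alg is rejected,
# and the signature is checked before any claim is read.
def verify_id_token(id_token, public_key, issuer:, client_id:, now: Time.now.to_i)
  parts = id_token.to_s.split(".")
  return [nil, "malformed"] unless parts.size == 3
  h, p, s = parts
  header = JSON.parse(b64url_decode(h))
  return [nil, "alg not allowed"] unless header["alg"] == "RS256"
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
    return [nil, "bad signature"]
  end
  claims = JSON.parse(b64url_decode(p))
  return [nil, "wrong issuer"]   unless claims["iss"] == issuer
  return [nil, "wrong audience"] unless Array(claims["aud"]).include?(client_id)
  return [nil, "expired"]        unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  [claims, nil]
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  [nil, "malformed"]
end
```
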
  61. (image slide)
  62. (image slide)
  63. UserInfo: an OAuth 2.0 Protected Resource. REQUIRED “profile” scope; OPTIONAL “email” and “address” scopes. Standardized JSON format: PoCo (Portable Contacts) + Facebook Graph API
  64. (image slide)
  65. (image slide)
  66. (image slide)
  67. So, why do these matter?
  68. Social
  69. Cloud
  70. Living in the Web
  71. Applications, People, Streams, Access Control, Identity, Discovery
  72. OpenID Summit Tokyo, in Tokyo, Japan, December 1, 2011
  73. twitter.com/nov, slideshare.net/matake, github.com/nov, openid-foundation-japan.github.com