OAuth 2.0 Updates #technight

Presentation about OAuth 2.0 latest spec updates (draft 20) at OpenID TechNight #7 in Tokyo

Published in: Technology

Transcript

  • 1. OAuth 2.0 Updates
  • 2. @nov: OpenID Foundation Japan Translation & Education WG (translated the OpenID 2.0, OAuth 1.0 & 2.0 specs); Web Developer @ iKnow!; OAuth.jp; Ruby libraries: rack-oauth2, fb_graph, paypal-express etc.
  • 3. OAuth in 5 min
  • 4. Current Trend: Mobile, Game, Social
  • 5. API Integration: Access Control for APIs
  • 6. API Integration: Basic Auth
  • 7. (no transcript text)
  • 8. I’m using the same password on 10+ services.
  • 9. OAuth:
    - No password sharing
    - Limited access lifetime (expire after N weeks)
    - Limited access scope (Status Update: OK, Read Inbox: NG)
  • 10. OAuth Everywhere: Mobile, Game, Social
  • 11. B2B is slow though..
  • 12. Rough History
  • 13. 2007.12 OAuth 1.0
  • 14. Twitter API
  • 15. 2010.04 OAuth 2.0 (draft 0)
  • 16. Facebook Graph API
  • 17. 2010.07 draft 10
  • 18. mixi Graph API
  • 19. (no transcript text)
  • 20. 2011.07 draft 20
  • 21. Review by 8/12
  • 22. Latest Spec: http://j.mp/oauth2_20
  • 23-25. Overview diagram (built up over three slides): Resource Owner, Client, Authorization Server, Resource Server. The Resource Owner authorizes client access at the Authorization Server; the Client receives an Access Token; the Client uses it for API access at the Resource Server.
  • 26. Same diagram, labelled: the Core Spec covers authorizing client access and issuing the Access Token; the Token Type Spec covers API access with that token.
  • 27. Core Spec (diagram as above)
  • 28. Core: Response Type
    - code: secure; 2 HTTP requests (Require Approval, then Get Access Token)
    - token: efficient; 1 HTTP request (both at once)
    - + extensions
  • 29. Core: response_type = code (Resource Owner / Client / Authorization Server): Initiate → Require Approval → Approve → Code (to Client) → Code (to Authorization Server) → Access Token
  • 30. Core: response_type = token (Resource Owner / Client / Authorization Server): Initiate → Require Approval → Approve → Access Token
  • 31. Core: Client Type
    - Confidential: has client secret (e.g. Web app)
    - Public: no client secret (e.g. Mobile/JS app)
  • 32. Core: response_type = code, authorization request parameters: client_id=...&response_type=code&redirect_uri=https://...
  • 33. Core: response_type = code, token request parameters: code=...&client_id=...&client_secret=...&redirect_uri=https://...
  • 34. Core: response_type = code, public clients
    - Public clients CANNOT do client authentication
    - “client_secret” is NOT REQUIRED for public clients
    - Rely on “redirect_uri” verification instead
    - Public clients MUST pre-register “redirect_uri”
  • 35. Core: response_type = token, authorization request parameters: client_id=...&response_type=token&redirect_uri=https://...
  • 36. Core: response_type = token: All clients MUST pre-register “redirect_uri”
  • 37. Core Notes
    - For Servers: Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration. Narrower scopes / shorter lifetime for public clients.
    - For Clients: Don’t include the client secret in your mobile app.
  • 38. Core Security Considerations
    - Don’t issue “client_secret” to public clients
    - “redirect_uri” verification is important, especially for public clients
    - Consider security policy per client type
    - Use the “state” param against CSRF / code injection attacks etc.
  • 39. Code injection (Attacker / Client / Authorization Server): the attacker initiates the flow, approves it and receives a Code; that Code is then delivered to the Client’s callback, and the Client exchanges it for an Access Token.
  • 40. Result: the user is logged in with the attacker’s Twitter account.
  • 41. With “state” (Attacker / Client / Authorization Server): the Client stores “state” in a Cookie etc. when it initiates the flow, and the Authorization Server returns the Code together with that State. The injected Code arrives with a State that does not match the stored one: “state” verification failed!!
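The “state” check from slides 38 to 41, as an added example that is not from the presentation: a minimal Python OAuth 2.0 client that binds each authorization request to the user's session and refuses a callback whose state does not match, which is what stops the injected-code flow above. The endpoint, client_id and redirect_uri values are constructed placeholders, and the session is a plain dict standing in for a cookie-backed store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; a real client uses its registered settings.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "client-123"
REDIRECT_URI = "https://client.example.com/callback"


def start_authorization(session):
    """Build the response_type=code request and remember a fresh, unguessable
    state in the user's session (a cookie-backed store in a real app)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback carries the state
    stored for this session; otherwise return None and exchange nothing."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: gone after one callback
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None  # nothing to check against, or no state sent back
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # "state" verification failed!!
    return query.get("code", [None])[0]


def demo():
    """Legitimate round trip versus a code injected without the session's state."""
    session = {}
    start_authorization(session)
    legit = handle_callback(session, f"{REDIRECT_URI}?code=good&state={session['oauth_state']}")

    session = {}
    start_authorization(session)
    # The attacker approved the request in their own browser, got a code for their
    # own account, and hands this URL to the user; the state is not this session's.
    injected = handle_callback(session, f"{REDIRECT_URI}?code=attacker_code&state=stale")
    return legit, injected
```

Because the state is popped on first use, a replayed callback with an already-consumed state is rejected as well.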
  • 42. Token Type Spec (overview diagram with the API access step highlighted)
  • 43. Token Type Spec
    - Bearer: no signature, no token secret, mainstream
    - MAC: signature, token secret, similar to OAuth 1.0
    - + extensions
  • 44. Token: Bearer Token, Access Token Response
  • 45. Token: API Access (Bearer)
  • 46. Token: MAC Token, Access Token Response
  • 47. Token: API Access (MAC)
  • 48. Token Notes For Servers
    - Access Token Response: set “token_type” to “bearer”
    - Resource Request: support both the “OAuth” and the “Bearer” auth header; support both the “oauth_token” and the “access_token” query/body params
  • 49. Token Notes For Clients
    - Move from “OAuth” to “Bearer”
    - Move from “oauth_token” to “access_token”
    - Only for Facebook API developers: the access token response will be JSON
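Slide 48's compatibility notes for resource servers, as an added Python example that is not from the presentation: token extraction that accepts both the draft-10 “OAuth” and the “Bearer” authorization header scheme, and both “oauth_token” and “access_token” in the query string or form body. It adds one check the slide does not mention but the final Bearer spec (RFC 6750) requires: a request that sends the token by more than one method is rejected rather than guessed at. Header names and values in the test are constructed.

```python
from urllib.parse import parse_qs

HEADER_SCHEMES = ("bearer", "oauth")           # new name and draft-10 legacy name
PARAM_NAMES = ("access_token", "oauth_token")  # new name and draft-10 legacy name


def extract_access_token(headers, query_string="", form_body=""):
    """Return (token, source) if exactly one token was sent, else (None, reason).

    headers: dict of request headers (matched case-insensitively here)
    query_string / form_body: raw application/x-www-form-urlencoded text
    """
    found = []

    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, credentials = auth.strip().partition(" ")
    credentials = credentials.strip()
    # Accept "Authorization: Bearer <token>" and the legacy "Authorization: OAuth <token>".
    # An OAuth 1.0-style header (OAuth oauth_consumer_key="...", ...) carries quoted
    # parameters, not a bare token, so it is left for a separate handler.
    if scheme.lower() in HEADER_SCHEMES and credentials and '"' not in credentials:
        found.append((credentials, f"header:{scheme}"))

    for where, raw in (("query", query_string), ("body", form_body)):
        params = parse_qs(raw)
        for name in PARAM_NAMES:
            for value in params.get(name, []):
                found.append((value, f"{where}:{name}"))

    if not found:
        return None, "no access token in request"
    if len(found) > 1:
        # RFC 6750: clients MUST NOT use more than one method per request.
        return None, "access token sent by more than one method"
    return found[0]
```

The returned source string lets the server log which legacy form a client still uses, which is the signal for when the “OAuth”/“oauth_token” compatibility can be switched off.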
  • 50. Review by 8/12
  • 51. github.com/nov