OAuth 2.0 Updates #technight in Osaka
Transcript of "OAuth 2.0 Updates #technight in Osaka"

  1. OAuth 2.0 Updates (OpenID TechNight #7, 2011.9.8)
  2. @nov, OpenID Foundation Japan Translation & Education WG. Translated the OpenID 2.0, OAuth 1.0 and 2.0 specs. Web developer @ iKnow!, OAuth.jp. Ruby libraries: rack-oauth2, fb_graph, openid_connect etc.
  3. OAuth in 5 min
  4. Current Trend: Mobile, Game, Social
  5. API Integration: Access Control for APIs
  6. API Integration: Basic Auth
  7. (image only)
  8. "I'm using the same password on 10+ services."
  9. OAuth: No password sharing. Limited access lifetime (expire after N weeks). Limited access scope (Status Update: OK, Read Inbox: NG).
  10. OAuth Everywhere: Mobile, Game, Social
  11. In the B2B area too
  12. (image only)
  13. OpenID Connect
  14. Rough History
  15. 2007.12: OAuth 1.0
  16. Twitter API
  17. 2010.04: OAuth 2.0 (draft 0)
  18. Facebook Graph API
  19. 2010.07: draft 10
  20. mixi Graph API
  21. (image only)
  22. 2011.07: draft 20
  23. Review by 8/12
  24. WG Feedback (mainly on Security Considerations)
  25. 2011.09: draft 21
  26. Latest Spec: http://j.mp/oauth2_21
  27-29. (Diagram, built up over three slides) The Resource Owner authorizes Client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client uses it for API access at the Resource Server.
  30-31. (Same diagram, split by spec) The Core Spec covers the Authorization Server side (authorizing client access, issuing the access token); the Token Type Spec covers the Resource Server side (API access with the token).
  32. Core / Response Type: code or token (+ extensions).
      code:  secure; 2 HTTP requests (require approval, then get the access token).
      token: efficient; 1 HTTP request (both at once).
  33. Core / response_type=code (sequence diagram: Resource Owner, Client, Authorization Server): the Client initiates; the Authorization Server requires approval; the Resource Owner approves; the Authorization Server returns a Code to the Client via the Resource Owner; the Client exchanges the Code for an Access Token.
  34. Core / response_type=token (sequence diagram): the Client initiates; the Authorization Server requires approval; the Resource Owner approves; the Authorization Server returns the Access Token directly.
  35. Core / Client Type: Confidential (has a client secret, e.g. web app) vs. Public (no client secret, e.g. mobile/JS app).
  36. Core / response_type=code: the authorization request carries client_id=...& response_type=code& redirect_uri=https://...
  37. Core / response_type=code: the token request carries code=...& client_id=...& client_secret=...& redirect_uri=https://...
  38. Core / response_type=code, public clients: Public clients CANNOT do client authentication. "client_secret" is NOT REQUIRED for public clients. Rely on "redirect_uri" verification instead. Public clients MUST pre-register "redirect_uri".
  39. Core / response_type=token: the authorization request carries client_id=...& response_type=token& redirect_uri=https://...
  40. Core / response_type=token: All clients MUST pre-register "redirect_uri".
  41. Core / Notes. For Servers: Do you support public clients? Do you need iPhone/Android app support? Require full redirect URI registration. Narrower scopes / shorter lifetime for public clients. For Clients: Don't include the client secret in your mobile app.
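The authorization-server side of slides 35 to 41, as an added example that is not from the talk or from the speaker's rack-oauth2 library. It shows the checks an authorization endpoint and a token endpoint apply for the two client types: exact redirect_uri matching, mandatory registration for public clients and for response_type=token, client_secret only for confidential clients, and single-use codes bound to the redirect_uri they were issued for. The client registry, client IDs, secrets and redirect URIs are constructed for the example.

```python
import secrets

# Constructed client registry (assumed values, not from the slides). A
# confidential client (web app) holds a client_secret; a public client
# (mobile/JS app) has none, so the only thing tying a response to it is
# the pre-registered redirect_uri (slide 38).
CLIENTS = {
    "web-app":    {"type": "confidential", "secret": "s3cr3t-web",
                   "redirect_uris": ["https://web.example.com/cb"]},
    "mobile-app": {"type": "public", "secret": None,
                   "redirect_uris": ["myapp://oauth/cb"]},
    "legacy-web": {"type": "confidential", "secret": "s3cr3t-legacy",
                   "redirect_uris": []},          # nothing registered
}

ISSUED_CODES = {}   # code -> binding to (client_id, redirect_uri), single use


class OAuthError(Exception):
    pass


def check_authorization_request(params):
    """Authorization endpoint: validate client_id, response_type and
    redirect_uri. Returns the redirect_uri the user agent will be sent to."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise OAuthError("invalid_client")
    response_type = params.get("response_type")
    if response_type not in ("code", "token"):
        raise OAuthError("unsupported_response_type")
    registered = client["redirect_uris"]
    # Slides 38 and 40: public clients (any response type) and every client
    # using response_type=token MUST have registered their redirect_uri,
    # because the response goes straight to that URI with no client
    # authentication in between. Slide 41 suggests requiring registration
    # for everyone; dropping the condition to `not registered` does that.
    if (client["type"] == "public" or response_type == "token") and not registered:
        raise OAuthError("redirect_uri not registered")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        if len(registered) != 1:
            raise OAuthError("redirect_uri required")
        return registered[0]
    # Exact string comparison, never a prefix match: "https://web.example.com/cb"
    # must not cover "https://web.example.com/cb/../open-redirect".
    if registered and redirect_uri not in registered:
        raise OAuthError("redirect_uri mismatch")
    return redirect_uri


def issue_code(client_id, redirect_uri):
    """Mint a short-lived code bound to the client and redirect_uri used."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "used": False}
    return code


def exchange_code(params):
    """Token endpoint (grant_type=authorization_code) with the checks from
    slides 37, 38 and 42."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise OAuthError("invalid_client")
    if client["type"] == "confidential":
        # Confidential clients authenticate with their secret.
        if not secrets.compare_digest(params.get("client_secret", ""), client["secret"]):
            raise OAuthError("invalid_client")
    elif params.get("client_secret"):
        # A public client was never issued a secret (slide 42); one showing
        # up here is a leaked or fabricated credential, so refuse it.
        raise OAuthError("public client must not send client_secret")
    record = ISSUED_CODES.get(params.get("code"))
    if record is None or record["used"] or record["client_id"] != params["client_id"]:
        raise OAuthError("invalid_grant")
    # The redirect_uri at the token endpoint must equal the one from the
    # authorization request, so a code captured from another redirect
    # cannot be redeemed here.
    if record["redirect_uri"] != params.get("redirect_uri"):
        raise OAuthError("invalid_grant")
    record["used"] = True
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "expires_in": 3600}


def error_for(fn, params):
    """Run one of the endpoint checks and report the OAuth error it raises
    (None when the request is accepted). Handy for tests and logging."""
    try:
        fn(params)
    except OAuthError as e:
        return str(e)
    return None
```

The policy is deliberately stricter for the "mobile-app" client than for "web-app": a public client gets nothing but the redirect_uri binding, so that binding must be exact and pre-registered, and any client_secret it presents is treated as a sign that a secret was shipped inside the app.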
  42. Core / Security Considerations: Don't issue "client_secret" to public clients. "redirect_uri" verification is important, especially for public clients. Consider a security policy per client type. Use the "state" param against CSRF / code injection attacks etc.
  43. (Sequence diagram: Attacker, Client, Authorization Server) The Attacker initiates, the Authorization Server requires approval, the Attacker approves and receives a Code; instead of letting it reach the Client in their own session, the Attacker delivers that Code to the Client in another user's session, and the Client exchanges it for an Access Token.
  44. (Same diagram, callout on the injected Code) This allows a login with the attacker's Twitter account: the victim's session ends up tied to the attacker's account.
  45. (Same diagram, with "state") The Client stores "state" in a cookie etc. and sends it with Initiate; the Authorization Server returns it alongside the Code; the injected Code comes back with a state that does not match the victim's session, so "state" verification fails!!
  46. In draft 21, "state" is RECOMMENDED.
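The client side of slides 43 to 45, as an added example that is not from the talk. It shows a client that binds an unguessable "state" to the browser session before redirecting, verifies it on the callback before exchanging the code, and a small replay of the code-injection attack against both the naive client and the checking one. The endpoint URL, client ID, redirect URI and the attacker's code are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint and client values (not from the slides).
AUTHORIZE_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "web-app"
REDIRECT_URI = "https://web.example.com/cb"


def start_login(session):
    """'Initiate' step: mint a fresh state, keep it in this browser's
    session (slide 45: cookie etc.) and send it along with the request."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "state": state})


def handle_callback(session, callback_url):
    """'Code' step: hand the code on for exchange only if the state in the
    callback equals the one this session started with. Returns the code,
    or None when verification fails (the client must then stop)."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)   # one-shot: no replays
    if not expected or not hmac.compare_digest(returned, expected):
        return None
    return query.get("code", [""])[0]


def naive_callback(callback_url):
    """The vulnerable client of slides 43/44: takes whatever code arrives."""
    return parse_qs(urlparse(callback_url).query).get("code", [""])[0]


def simulate_attack(client_checks_state):
    """Replays slides 43-45. The attacker completes the approval with their
    own (say, Twitter) account, intercepts the callback so the client never
    sees it, and then makes the victim's browser load that callback. Returns
    the code the client would exchange in the victim's session, or None."""
    attacker_session, victim_session = {}, {}
    start_login(attacker_session)
    attacker_code = "code-for-attackers-account"          # constructed
    if not client_checks_state:
        evil = REDIRECT_URI + "?" + urlencode({"code": attacker_code})
        return naive_callback(evil)
    start_login(victim_session)
    # The attacker can only attach the state from their own session; the
    # victim's session holds a different one, so the check fails.
    evil = REDIRECT_URI + "?" + urlencode(
        {"code": attacker_code, "state": attacker_session["oauth_state"]})
    return handle_callback(victim_session, evil)
```

Three details carry the protection: the state comes from a CSPRNG, it lives only in the victim's own session store (so the attacker cannot read it), and it is consumed on first use, so a captured callback cannot be replayed after the legitimate login completes.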
  47. (Diagram) Token Type Spec: the Resource Server side (API access with the Access Token).
  48. Token / Token Type Spec: Bearer (no signature, no token secret, mainstream) vs. MAC (signature, token secret, similar to OAuth 1.0 + extensions).
  49. Token / Bearer Token: Access Token Response (content not captured in the transcript)
  50. Token / API Access (Bearer) (content not captured in the transcript)
  51. Token / MAC Token: Access Token Response (content not captured in the transcript)
  52. Token / API Access (MAC) (content not captured in the transcript)
  53. Token / Notes. For Servers: in the Access Token Response, set "token_type" to "bearer". For Resource Requests, support both the "OAuth" and "Bearer" auth header schemes, and both the "oauth_token" and "access_token" query/body params.
  54. Token / Notes. For Clients: Move from "OAuth" to "Bearer". Move from "oauth_token" to "access_token". Only for Facebook API developers: the access token response will be JSON.
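The resource-server side of slides 53 and 54, as an added example that is not from the talk. It accepts the token in every place an old or new client may put it (the "Bearer" header, the older "OAuth" header, and "access_token" or "oauth_token" in the query string or form body), rejects a request that presents the token more than one way, answers with a Bearer challenge on failure, and emits the JSON access token response with token_type set to "bearer". The token store, token value and scope names are constructed for the example.

```python
import json
from urllib.parse import parse_qs

# Constructed token store (a real server looks tokens up in its own DB).
# Scope names follow slide 9: status update allowed, reading the inbox not.
VALID_TOKENS = {"tok-123": {"user": "alice", "scope": {"status_update"}}}


def access_token_response(access_token, expires_in=3600):
    """Slides 53/54: the token endpoint answers with a JSON body and
    token_type set to "bearer"."""
    return json.dumps({"access_token": access_token,
                       "token_type": "bearer",
                       "expires_in": expires_in})


def extract_token(headers, query_string="", form_body=""):
    """Find the token wherever a client may have put it:
      Authorization: Bearer <token>   (current scheme)
      Authorization: OAuth <token>    (older scheme still sent by old clients)
      access_token / oauth_token      (query string or form-encoded body)
    Returns (token, where). Raises ValueError when no token or more than one
    token is present: a request must carry it exactly one way."""
    found = []
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() in ("bearer", "oauth") and credential.strip():
        found.append((credential.strip(), "header:" + scheme))
    for where, raw in (("query", query_string), ("body", form_body)):
        params = parse_qs(raw)
        for name in ("access_token", "oauth_token"):
            for value in params.get(name, []):
                found.append((value, where + ":" + name))
    if len(found) != 1:
        raise ValueError("invalid_request")
    return found[0]


def protect(headers, query_string="", form_body="", required_scope="status_update"):
    """Gate in front of an API endpoint. Returns (status, headers, body)."""
    try:
        token, _ = extract_token(headers, query_string, form_body)
    except ValueError:
        return 400, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_request"'}, ""
    grant = VALID_TOKENS.get(token)
    if grant is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, ""
    if required_scope not in grant["scope"]:
        return 403, {"WWW-Authenticate": 'Bearer realm="api", error="insufficient_scope"'}, ""
    return 200, {"Content-Type": "application/json"}, json.dumps({"user": grant["user"]})
```

Supporting the query-string form is for compatibility only: a bearer token in a URL ends up in access logs, proxy logs and Referer headers, so once clients have moved to the "Bearer" header (slide 54) the query parameters are the first thing to switch off.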
  55. APPENDIX
  56. FB OAuth Updates
  57. OAuth Migration (by 2011.09.30): Using legacy FB APIs (~2010.04)? No more "fb_sig" and "fb_sig_session_key". Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth). Your library might not work anymore.
  58. OAuth Migration (by 2011.09.30): Developing canvas or page tab apps? No more "fb_sig". Migrate to "signed_request". Obtain an SSL certificate.
  59. OAuth Migration (by 2011.09.30): Using FB.login (or <fb:login-button>) and the FB cookie? The cookie now holds a "code", not an "access_token", so the code needs to be exchanged for an access token.
  60. OAuth Spec Updates: Using "response_type=code_and_token"? Use "response_type=code%20token" instead.
  61. github.com/nov