OAuth 2.0 Updates #technight in Osaka
Transcript

  • 1. OAuth 2.0 Updates (11 9 8)
  • 2. @nov: OpenID Foundation Japan Translation & Education WG; translated the OpenID 2.0, OAuth 1.0 & 2.0 specs; web developer @ iKnow!; OAuth.jp; Ruby libraries rack-oauth2, fb_graph, openid_connect etc. (Slide footer, repeated on every slide: OpenID TechNight #7, 11 9 8.)
  • 3. OAuth in 5 min
  • 4. Current Trend: Mobile, Game, Social
  • 5. API Integration: Access Control for APIs
  • 6. API Integration: Basic Auth
  • 7. (image only, no transcript text)
  • 8. I’m using the same password on 10+ services.
  • 9. OAuth: No password sharing. Limited access lifetime (expire after N weeks). Limited access scope (Status Update: OK, Read Inbox: NG).
  • 10. OAuth Everywhere: Mobile, Game, Social
  • 11. In B2B area too
  • 12. (image only, no transcript text)
  • 13. OpenID Connect
  • 14. Rough History
  • 15. 2007.12: OAuth 1.0
  • 16. Twitter API
  • 17. 2010.04: OAuth 2.0 (draft 0)
  • 18. Facebook Graph API
  • 19. 2010.07: draft 10
  • 20. mixi Graph API
  • 21. (image only, no transcript text)
  • 22. 2011.07: draft 20
  • 23. Review by 8/12
  • 24. WG Feedback (mainly on Security Considerations)
  • 25. 2011.09: draft 21
  • 26. Latest Spec: http://j.mp/oauth2_21
  • 27. Roles diagram: the Resource Owner authorizes Client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client uses it for API access at the Resource Server.
  • 28. (same roles diagram as slide 27)
  • 29. (same roles diagram as slide 27)
  • 30. Core Spec / Token Type Spec: the roles diagram labelled by spec. The Core Spec label sits on “Authorize Client Access” and “Access Token”; the Token Type Spec label sits on “Client API Access”.
  • 31. Core Spec (roles diagram: Authorize Client Access, Access Token, Client API Access)
  • 32. Core: Response Type. Code: secure; 2 HTTP requests (Require Approval, then Get Access Token). Token: efficient; 1 HTTP request (both at once). + extensions.
  • 33. Core, response_type = code (Resource Owner, Client, Authorization Server): Initiate → Require Approval → Approve → Code (to the Client) → Code (to the Authorization Server) → Access Token.
  • 34. Core, response_type = token (Resource Owner, Client, Authorization Server): Initiate → Require Approval → Approve → Access Token.
  • 35. Core: Client Type. Confidential: has a client secret, e.g. web app. Public: no client secret, e.g. mobile/JS app.
  • 36. Core, response_type = code: the Initiate step carries client_id=...& response_type=code& redirect_uri=https://... (then Require Approval → Approve → Code → Code → Access Token).
  • 37. Core, response_type = code: the Initiate step as on slide 36; the Client then sends code=...& client_id=...& client_secret=...& redirect_uri=https://... to the Authorization Server and receives the Access Token.
  • 38. Core, response_type = code, notes for public clients: Public clients CANNOT do client authentication. “client_secret” is NOT REQUIRED for public clients; rely on “redirect_uri” verification instead. Public clients MUST pre-register “redirect_uri”.
  • 39. Core, response_type = token: the Initiate step carries client_id=...& response_type=token& redirect_uri=https://... (then Require Approval → Approve → Access Token).
  • 40. Core, response_type = token: as on slide 39; all clients MUST pre-register “redirect_uri”.
  • 41. Core Notes. For Servers: Do you support public clients? Do you need iPhone/Android app support? Require full redirect URI registration; narrower scopes / shorter lifetime for public clients. For Clients: Don’t include the client secret in your mobile app.
  • 42. Core Security Considerations: Don’t issue “client_secret” to public clients. “redirect_uri” verification is important, especially for public clients. Consider a security policy per client type. Use the “state” param against CSRF / code injection attacks etc.
  • 43. Attacker, Client, Authorization Server: Initiate → Require Approval → Approve → Code. The attacker’s code is passed to the Client, which sends it to the Authorization Server and receives an Access Token.
  • 44. Same flow as slide 43: this allows the attacker to log in with the attacker’s Twitter account.
  • 45. Same flow with “state”: the Client stores “state” in a cookie etc. at Initiate and sends it along; the state comes back with the Code, the Client compares it with the stored value, and “state” verification fails!!
  • 46. In draft 21, “state” is RECOMMENDED.
  • 47. Token Type Spec (roles diagram: Authorize Client Access, Access Token, Client API Access)
  • 48. Token: Token Type Spec. Bearer: no signature; no token secret; mainstream. MAC: signature; token secret; similar to OAuth 1.0. + extensions.
  • 49. Token: Bearer Token, Access Token Response
  • 50. Token: API Access (Bearer)
  • 51. Token: MAC Token, Access Token Response
  • 52. Token: API Access (MAC)
  • 53. Token Notes, For Servers. Access Token Response: set “token_type” to “bearer”. Resource Request: support both the “OAuth” and “Bearer” auth header schemes; support both the “oauth_token” and “access_token” query/body params.
  • 54. Token Notes, For Clients: Move from “OAuth” to “Bearer”. Move from “oauth_token” to “access_token”. Only for Facebook API developers: the access token response will be JSON.
  • 55. APPENDIX
  • 56. FB OAuth Updates
  • 57. OAuth Migration (by 2011.09.30). Using legacy FB APIs (~2010.04)? No more “fb_sig” and “fb_sig_session_key”. Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth). Your library might not work anymore.
  • 58. OAuth Migration (by 2011.09.30). Developing canvas or page tab apps? No more “fb_sig”. Migrate to “signed_request”. Obtain an SSL certificate.
  • 59. OAuth Migration (by 2011.09.30). Using FB.login (or <fb:login-button>) and the FB cookie? Now “code” is in the cookie, not “access_token”. You need to exchange the code for an access token.
  • 60. OAuth Spec Updates. Using “response_type=code_and_token”? Use “response_type=code%20token” instead.
  • 61. github.com/nov
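The “state” check from slides 42 to 46 on the client side, as an added example (not code from the slides or from rack-oauth2): the client mints a random state at Initiate, keeps it in the session, and refuses any callback whose state does not match, so a code injected by a third party is never exchanged. AUTHZ_ENDPOINT, CLIENT_ID, REDIRECT_URI and the `session` hash are assumed placeholders.

```ruby
require 'securerandom'
require 'uri'

# Added example, not code from the slides or from rack-oauth2: the "state"
# check of slides 42-46 on the client side. AUTHZ_ENDPOINT, CLIENT_ID and
# REDIRECT_URI are hypothetical placeholders; `session` stands for the
# per-browser server-side session ("Store state in Cookie etc.", slide 45).
AUTHZ_ENDPOINT = 'https://authz.example/oauth2/authorize'
CLIENT_ID      = 'client-id-placeholder'
REDIRECT_URI   = 'https://client.example/callback'

# Initiate: mint an unguessable state, remember it in this session, send it.
def build_authorization_url(session)
  state = SecureRandom.urlsafe_base64(32)
  session[:oauth_state] = state
  params = { client_id: CLIENT_ID, response_type: 'code',
             redirect_uri: REDIRECT_URI, state: state }
  "#{AUTHZ_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Byte-wise constant-time comparison so the check leaks nothing via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Callback: the code is accepted only if the returned state matches the one
# this session started with. A code delivered with no state or with someone
# else's state (slides 43-44) is refused before any token request is made.
# The stored state is consumed either way, so it cannot be replayed.
def verify_callback(session, query_string)
  params   = URI.decode_www_form(query_string).to_h
  expected = session.delete(:oauth_state)
  returned = params['state']
  if expected.nil? || returned.nil? || !secure_equal?(expected, returned)
    return [:error, 'state verification failed']
  end
  return [:error, 'no code in callback'] unless params['code']
  [:ok, params['code']]
end
```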

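The compatibility notes of slides 53 and 54 in code, as an added example (not code from the slides or from rack-oauth2): a resource-server helper that accepts the token from either auth header scheme and either parameter name, and a client-side parser that only treats a JSON token response as a bearer token when “token_type” says so. `env` is assumed to be a Rack-style request hash.

```ruby
require 'json'
require 'uri'

# Added example, not code from the slides or from rack-oauth2: the
# compatibility notes of slides 53-54. `env` is a Rack-style request hash
# (assumed keys: HTTP_AUTHORIZATION, QUERY_STRING, CONTENT_TYPE, rack.input).

# Resource server: find the access token wherever a client mid-migration
# may have put it. The Authorization header wins, and the draft-era "OAuth"
# scheme is accepted alongside "Bearer". Among params, the new
# "access_token" name takes precedence over the legacy "oauth_token".
def extract_bearer_token(env)
  auth = env['HTTP_AUTHORIZATION'].to_s
  if (m = auth.match(/\A(?:Bearer|OAuth)\s+(\S+)\s*\z/i))
    return m[1]
  end
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  if env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
    body = env['rack.input']
    body = body.read if body.respond_to?(:read)
    params = params.merge(URI.decode_www_form(body.to_s).to_h)
  end
  params['access_token'] || params['oauth_token']
end

# Client: the access token response is JSON (slide 54) and "token_type" must
# say "bearer" (slide 53) before the token is sent as a bearer credential;
# a MAC token, for instance, needs its token secret and a signature instead.
def parse_bearer_token_response(json)
  res = JSON.parse(json)
  raise ArgumentError, 'missing access_token' unless res['access_token']
  unless res['token_type'].to_s.casecmp('bearer').zero?
    raise ArgumentError, "unsupported token_type: #{res['token_type'].inspect}"
  end
  { token: res['access_token'], expires_in: res['expires_in'] }
end
```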