Summary of OAuth 2.0 draft 8 memo

1,310 views
1,247 views

Published on

OAuth 2.0 draft 8時点のSpec+αを並べただけの自分用メモです。

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,310
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Summary of OAuth 2.0 draft 8 memo

  1. 1. Summary of OAuth 2.0 memo (based draft 8 Spec) 2010/06/20 =ritou 1
  2. 2. Warning! ‫ ﻪ‬This document is summary of OAuth 2.0 spec at Draft 8. 2
  3. 3. Overview ‫ ﻪ‬Client Type and Profile ‫ ﻪ‬Endpoint ‫ ﻪ‬Resource Access 3
  4. 4. Client Type and Profile ‫ 4 ﻪ‬Client types ‫ﻩ‬ Web Servers ‫ﻩ‬ User-Agents ‫ﻩ‬ Native Applications ‫ﻩ‬ Autonomous Clients 4
  5. 5. Web Server Profile ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID User-Agent AuthZ Server ‫ ﻩ‬Client Secret ‫ ﻪ‬Facebook ‫ ﻪ‬Diff with OAuth 1.0a ‫ ﻩ‬No Request Token Web Client Protected Resource Characters 5
  6. 6. 6
  7. 7. User-Agent Profile ‫ ﻪ‬Client on User-Agent ‫ ﻩ‬Twitter : @anywhere User-Agent AuthZ Server ‫ ﻩ‬Facebook : JavaScript- Based Authentication ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID Client in Protected Browser Resource ‫ ﻪ‬Access Token as URI Fragment Identifier Characters 7
  8. 8. 8
  9. 9. Native Applications ‫ ﻪ‬External User-Agent : UA Profile ‫ ﻩ‬Use custom URI scheme ‫ ﻩ‬Polling UA window ‫ ﻪ‬Embedded User-Agent ‫ ﻩ‬Check URL Redirection ‫ ﻪ‬Prompt for user credential ‫ ﻩ‬ID/PW to Access Token ‫( ﻯ‬Username and Password Flow) 9
  10. 10. Autonomous Clients ‫ ﻪ‬Clients = Resource Owner ‫( ﻩ‬Client Credential Profile) ‫ ﻪ‬Exsisting Trust Relationship / Framework ‫( ﻩ‬Assertion Profile) 10
  11. 11. Client credential ‫ ﻪ‬Client credential ‫ ﻩ‬client identifier ‫ ﻩ‬client secret(option) ‫ ﻪ‬AuthN schemes ‫ ﻩ‬Request parameters ‫ ﻩ‬HTTP Basic authN 11
  12. 12. Endpoint ‫ ﻪ‬End-user authZ endpoint : Indirect Communication ‫ ﻩ‬Obtaining End-User Authorization ‫ ﻪ‬Token Endpoint : Direct Communication ‫ﻩ‬ Authrorized Code2Access Token ‫ﻩ‬ Resource Owner Credentials2Access Token ‫ﻩ‬ Assertion2Access Token ‫ﻩ‬ Refresh Token 12
  13. 13. End-user authZ endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP GET ‫ ﻪ‬Request Params ‫ ﻩ‬type,client_id,redirect_uri,state,scope ‫ ﻩ‬Proposal to use request_url parameter ‫ ﻯ‬Request by Reference ver.1.0 for OAuth 2.0 13
  14. 14. End-user authZ endpoint ‫ ﻪ‬Response format ‫ ﻩ‬type = web_server : query parameters ‫ ﻩ‬type = user_agent : URI fragment identifier ‫ ﻪ‬Response params ‫ ﻩ‬type = web_server : code,state ‫ ﻩ‬type = user_agent : access_token,expired_in,state 14
  15. 15. Token endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP POST ‫ ﻪ‬Request params ‫ ﻩ‬Client credential + Specific params ‫ ﻩ‬grant_type, scope ‫ ﻯ‬code, redirect_uri ‫ ﻯ‬username, password ‫ ﻯ‬assertion_type, assertion ‫ ﻩ‬refresh_token 15
  16. 16. Token endpoint ‫ ﻪ‬Response format ‫ ﻩ‬JSON ‫ ﻪ‬Response params ‫ ﻩ‬access_token, expires_in, refresh_token, scope 16
  17. 17. Accessing a Protected Resource ‫ ﻪ‬Params ‫ ﻩ‬Access Token ‫ ﻪ‬Method ‫ ﻩ‬The Authorization Request Header Field ‫ ﻩ‬URI Query Parameter ‫ ﻩ‬Form-Encoded Body Parameter 17
  18. 18. OLD SPEC 18
  19. 19. Username and Password Profile ‫ ﻪ‬Like Twitter xAuth End-User AuthZ Server Client Protected Resource Characters 19
  20. 20. Client Credentials Profile ‫ ﻪ‬Like OAuth Consumer Request (2-legged AuthZ Server OAuth Request) Client Protected Resource Characters 20
  21. 21. Assertion Profile ‫ ﻪ‬SAML etc... AuthZ Server Client Protected Resource Characters 21

×