Uploaded byAdamsus
ODP, PDF208 views

Kaunas jug presentation

1. The document introduces OAuth and defines key terms like resource owner, client, resource server, and authorization server. 2. It explains how OAuth works, with the user granting access to a client which can then access protected resources from a resource server, compared to pre-OAuth where credentials would need to be shared. 3. The different OAuth grant types are covered, including authorization code, implicit, resource owner credentials, client credentials, and refresh token grants with examples of the authorization code and implicit flows.

Embed presentation

Download to read offline
1 Introduction to Oauth
2 About me Adomas Greičius Java /Scala developer
3 Pre Oauth time If You want to send invitation to everyone that is in your email address book using third party service, you need to share credential It could not work if there is two factor authentication If it works that third party has access to all additional services like Wallet or Pictures
4 Glossary of OAuth terms ● * Resource owner (a.k.a. the User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. ● * Resource server (a.k.a. the API server) - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. ● * Client - An application making protected resource requests on behalf of the resource owner and with its authorization. The term client does not imply any particular implementation characteristics (e.g. whether the application executes on a server, a desktop, or other devices). ● * Authorization server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
5 How it work with oauth? User Client Protected Resource Oauth2
6 Oauth Endpoint Authorization Endpoint The authorization endpoint is the endpoint on the authorization server where the resource owner logs in, and grants authorization to the client application. Token Endpoint The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret, for an access token.
7 Type oauth ● Authorization code grant ● Implicit grant ● Resource owner credentials grant ● Client credentials grant ● Refresh token grant
8 Authorization code grant Browser Client Protected Resource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Oauth 6.openoauthpage 7.Loginpage 9. Puts credentials 10putscrediantails 11.Redirecttoclient 12.Get main 15. Get mail 16. Return mail 17. Return mail 8 .Ask credentials 13.Getaccesstoken 14.Returnaccesstoken 18. Return mail
9 Authorization Request The authorization request is sent to the authorization endpoint to obtain an authorization code. Here are the parameters used in the request: ● response_type Required. Must be set to code ● client_id Required. The client identifier as assigned by the authorization server, when the client was registered. ● redirect_uri Optional. The redirect URI registered by the client. ● scopeOptional. The possible scope of the request. ● state Optional (recommended). Any client state that needs to be passed on to the client request URI.
10 Token Request client_id Required. The client application's id. client_secret Required. The client application's client secret . grant_type Required. Must be set to authorization_code . code Required. The authorization code received by the authorization server. redirect_uri Required, if the request URI was included in the authorization request. Must be identical then.
11 Demo
12 Implicit grant Browser Client Protected Resource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Oauth 6.openoauthpage 7.Loginpage 9. Puts credentials 10putscrediantails 11.Redirecttoclient 12.Get main 13. Get mail 14. Return mail 15. Return mail 8 .Ask credentials 16. Return mail
13 Demo
14 Resource owner credentials grant Browser Client Protected Resource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Login page 10Returntoken 7. Puts credentials 9Gettoken 8.Pass credentials 11. Get mail 12. Return mail 13. Return mail 6 .Ask credentials 14. Return mail
15 Demo
16 Client credentials grant Browser Client Protected Resource OAuth server 1.Get mail 2. Get Mail 6. Get mail 5Returntoken 4Gettoken 7. Return mail 9. Return mail 10. Return mail
17 Props ● Ease. ● Time. ● Privacy. ● Security. ● Control. ● Save Expenses. ● Popularity.
18 Cons ● Lack of anonymity. ● Lack of market saturation. ● Phishing. ● Many eggs in one basket. ● Bad precedents.

More Related Content

PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PPTX
The OAuth 2.0 Authorization Framework
bySamuele Cozzi
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PDF
Introduction to OAuth2.0
byOracle Corporation
 
PDF
OAuth2 primer
byManish Pandit
 
PPTX
OAuth2 Presentaion
byBhargav Surimenu
 
PDF
Learn with WSO2 - API Security
byWSO2
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
The OAuth 2.0 Authorization Framework
bySamuele Cozzi
 
OAuth2 + API Security
byAmila Paranawithana
 
Introduction to OAuth2.0
byOracle Corporation
 
OAuth2 primer
byManish Pandit
 
OAuth2 Presentaion
byBhargav Surimenu
 
Learn with WSO2 - API Security
byWSO2
 
Oauth 2.0 security
byvinoth kumar
 

What's hot

PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
PDF
Spring security oauth2
byaxykim00
 
PPT
OAuth - Alex Bilbie
byEduserv
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
ODP
OAuth2 - Introduction
byKnoldus Inc.
 
PPTX
Extended Security with WSO2 API Management Platform
byWSO2
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
PPTX
OAuth2 Introduction
byArpit Suthar
 
PPTX
The State of OAuth2
byAaron Parecki
 
PDF
Spring4 security oauth2
byaxykim00
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PPT
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
PDF
Spring4 security oauth2
bySang Shin
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
OAuth
byMohan Kumar Tadikimalla
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Protecting your APIs with Doorkeeper and OAuth 2.0
byMads Toustrup-Lønne
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
Spring security oauth2
byaxykim00
 
OAuth - Alex Bilbie
byEduserv
 
Demystifying OAuth 2.0
byKarl McGuinness
 
OAuth2 - Introduction
byKnoldus Inc.
 
Extended Security with WSO2 API Management Platform
byWSO2
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
OAuth2 Introduction
byArpit Suthar
 
The State of OAuth2
byAaron Parecki
 
Spring4 security oauth2
byaxykim00
 
OAuth 2.0
byUwe Friedrichsen
 
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
Spring4 security oauth2
bySang Shin
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
OAuth 2
byChrisWood262
 
OAuth
byMohan Kumar Tadikimalla
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
Protecting your APIs with Doorkeeper and OAuth 2.0
byMads Toustrup-Lønne
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 

Similar to Kaunas jug presentation

PPTX
OAuth
byTom Elrod
 
PPTX
Api security
byteodorcotruta
 
PDF
A technical insight into the concepts and terminologies behind oauth – an ope...
byeSAT Journals
 
PPTX
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
OAuth [noddyCha]
bynoddycha
 
PDF
Rfc5849aut
byVishal Shah
 
PDF
Twitter Authentication
byVishal Shah
 
PPTX
(1) OAuth 2.0 Overview
byanikristo
 
PDF
Api security with OAuth
bythariyarox
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
ODP
Securing your Web API with OAuth
byMohan Krishnan
 
ODP
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
PDF
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
PPTX
OAuth
byAdi Challa
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
OAuth and OEmbed
byleahculver
 
PPTX
OAuth 2 Spring Boot 3 Integration Presentation
byKnoldus Inc.
 
OAuth
byTom Elrod
 
Api security
byteodorcotruta
 
A technical insight into the concepts and terminologies behind oauth – an ope...
byeSAT Journals
 
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
OAuth [noddyCha]
bynoddycha
 
Rfc5849aut
byVishal Shah
 
Twitter Authentication
byVishal Shah
 
(1) OAuth 2.0 Overview
byanikristo
 
Api security with OAuth
bythariyarox
 
Draft Ietf Oauth V2 12
byVishal Shah
 
Securing RESTful API
byMuhammad Zbeedat
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
Securing your Web API with OAuth
byMohan Krishnan
 
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
OAuth
byAdi Challa
 
OAuth2
bySPARK MEDIA
 
OAuth and OEmbed
byleahculver
 
OAuth 2 Spring Boot 3 Integration Presentation
byKnoldus Inc.
 

Kaunas jug presentation

  • 1.
  • 2.
  • 3.
    3 Pre Oauth time IfYou want to send invitation to everyone that is in your email address book using third party service, you need to share credential It could not work if there is two factor authentication If it works that third party has access to all additional services like Wallet or Pictures
  • 4.
    4 Glossary of OAuthterms ● * Resource owner (a.k.a. the User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. ● * Resource server (a.k.a. the API server) - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. ● * Client - An application making protected resource requests on behalf of the resource owner and with its authorization. The term client does not imply any particular implementation characteristics (e.g. whether the application executes on a server, a desktop, or other devices). ● * Authorization server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  • 5.
    5 How it workwith oauth? User Client Protected Resource Oauth2
  • 6.
    6 Oauth Endpoint Authorization Endpoint Theauthorization endpoint is the endpoint on the authorization server where the resource owner logs in, and grants authorization to the client application. Token Endpoint The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret, for an access token.
  • 7.
    7 Type oauth ● Authorization codegrant ● Implicit grant ● Resource owner credentials grant ● Client credentials grant ● Refresh token grant
  • 8.
    8 Authorization code grant BrowserClient Protected Resource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Oauth 6.openoauthpage 7.Loginpage 9. Puts credentials 10putscrediantails 11.Redirecttoclient 12.Get main 15. Get mail 16. Return mail 17. Return mail 8 .Ask credentials 13.Getaccesstoken 14.Returnaccesstoken 18. Return mail
  • 9.
    9 Authorization Request The authorizationrequest is sent to the authorization endpoint to obtain an authorization code. Here are the parameters used in the request: ● response_type Required. Must be set to code ● client_id Required. The client identifier as assigned by the authorization server, when the client was registered. ● redirect_uri Optional. The redirect URI registered by the client. ● scopeOptional. The possible scope of the request. ● state Optional (recommended). Any client state that needs to be passed on to the client request URI.
  • 10.
    10 Token Request client_id Required.The client application's id. client_secret Required. The client application's client secret . grant_type Required. Must be set to authorization_code . code Required. The authorization code received by the authorization server. redirect_uri Required, if the request URI was included in the authorization request. Must be identical then.
  • 11.
  • 12.
    12 Implicit grant Browser Client ProtectedResource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Oauth 6.openoauthpage 7.Loginpage 9. Puts credentials 10putscrediantails 11.Redirecttoclient 12.Get main 13. Get mail 14. Return mail 15. Return mail 8 .Ask credentials 16. Return mail
  • 13.
  • 14.
    14 Resource owner credentialsgrant Browser Client Protected Resource OAuth server 1.Get mail 2. Get Mail 3. Get mail 4. Not authorized 5. Redirect to Login page 10Returntoken 7. Puts credentials 9Gettoken 8.Pass credentials 11. Get mail 12. Return mail 13. Return mail 6 .Ask credentials 14. Return mail
  • 15.
  • 16.
    16 Client credentials grant BrowserClient Protected Resource OAuth server 1.Get mail 2. Get Mail 6. Get mail 5Returntoken 4Gettoken 7. Return mail 9. Return mail 10. Return mail
  • 17.
  • 18.
    18 Cons ● Lack of anonymity. ● Lackof market saturation. ● Phishing. ● Many eggs in one basket. ● Bad precedents.