Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
OAuth 2.0 Overview
Oracle Asia Research and Development Center
Alice Liu (lzhmails@gmail.com)
• OAuth 2.0 Overview
• 3-Legged OAuth / 2-Legged OAuth
• OAuth Workflow
• OAuth Terms
– Client is an application accessing an API; it can be a web app, an app running inside a user agent (browser), or a native app
– Resource Owner is a "user" who can authorize/grant access to API resources
– Resource Server is the API host; it accepts access tokens and enforces the scope they carry
– Authorization Server is the authorization PDP (policy decision point) and STS (security token service): it authenticates the resource owner, collects consent and issues tokens
• OAuth 2.0 is relatively simple
– Get the token
– Use the token to access the protected resource
OAuth 2.0 Overview
OAuth 2.0 Authorization Server
• In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. To give third-party applications access to protected resources, the resource owner has to share its credentials with the third party. This creates several problems and limitations:
• Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
• Servers are required to support password authentication, despite the security weaknesses inherent in passwords.
• Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict the duration of access or limit it to a subset of resources.
• Resource owners cannot revoke access for an individual third party without revoking access for all third parties, and must do so by changing their password.
3-Legged OAuth
1) The resource owner connects to an OAuth Client-enabled service (the requesting site) and asks it to access resources held at a different site (the resource site)
2) The OAuth Client redirects the user agent to the OAuth Authorization Server, which authenticates the user and presents a consent page. It then redirects the user agent back to the client's registered redirect URI carrying an authorization code (together with the client's state value, which the client checks so that the callback can be tied to a request it actually started)
3) The OAuth Client exchanges the authorization code for an OAuth Access Token at the Authorization Server's token endpoint, authenticating with its own client credentials on that back-channel request
4) The OAuth Client presents the Access Token to the OAuth Resource Server
5) The Resource Server validates the token with the Authorization Server (by introspection, or locally when the token is self-contained and signed) and checks that the token's scope covers the requested operation
6) The Resource Server provides the requested content to the OAuth Client
[Diagram: Resource Owner/Agent/Native App and OAuth Client on the requesting site; OAuth Authorization Server and OAuth Resource Server on the resource site; arrows numbered with the steps 1 to 6 above]
2-Legged OAuth
• The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials (a client ID and secret)
• The requesting service presents its client credentials to the Authorization Server's token endpoint (the client credentials grant of OAuth 2.0) and receives an access token. There is no resource owner and no redirect in this flow: the client acts on its own behalf, so the token represents the client, not a user
• The requesting service presents the access token to the Resource Server, which validates it and provides the requested content
[Diagram: OAuth Client, OAuth Authorization Server and OAuth Resource Server with arrows numbered 1 to 3 for the steps above]
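The two flows above, as an added example that is not part of the original slides: a toy Authorization Server, Resource Server and Client in Python that run the 3-legged authorization code grant and the 2-legged client credentials grant end to end, with the checks that make the flows safe (registered redirect URI, random state, single-use code bound to the issuing client and redirect URI, client authentication at the token endpoint, scope enforcement at the resource server). Client identifiers, scope names, the callback URL, the opaque token format and the sample data are assumptions made for this page; they are not Oracle's or any real server's API.

```python
# Added example (not code from the slides): toy in-memory authorization server,
# resource server and client walking through the 3-legged authorization code grant
# (RFC 6749 s4.1) and the 2-legged client credentials grant (s4.4). Endpoint names,
# client ids, scopes and the sample data below are assumptions made for this page.
import secrets, time
from collections import namedtuple
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL, TOKEN_TTL = 60, 3600       # codes are short-lived and single-use
# redirect_uris is an exact-match allow-list: no prefix or wildcard matching
Client = namedtuple("Client", "client_id client_secret redirect_uris allowed_scopes")
DATA = {"photos": {"alice": ["beach.jpg", "dog.jpg"]}, "stats": {"jobs_run": 42}}  # constructed


class AuthorizationServer:
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    # Authorization endpoint (front channel). Called once the AS has authenticated `user`
    # and obtained consent; returns the redirect URL carrying the code and the client's
    # state back through the user agent (slide step 2).
    def authorize(self, client_id, redirect_uri, scope, state, user):
        client = self.clients[client_id]
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered")  # never redirect anywhere else
        scopes = set(scope.split())
        if not scopes <= client.allowed_scopes:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, scopes, time.time() + CODE_TTL)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    # Token endpoint (back channel): the client authenticates with its secret (slide step 3).
    def token(self, grant_type, client_id, client_secret, **params):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)     # single use: pop, never get
            if entry is None or entry[4] < time.time():
                raise PermissionError("invalid_grant")
            code_client, code_redirect, subject, scopes, _ = entry
            # only the client the code was issued to may redeem it, with the same redirect_uri
            if code_client != client_id or code_redirect != params.get("redirect_uri"):
                raise PermissionError("invalid_grant")
        elif grant_type == "client_credentials":
            scopes = set(params.get("scope", "").split()) or client.allowed_scopes
            if not scopes <= client.allowed_scopes:
                raise PermissionError("invalid_scope")
            subject = client_id      # 2-legged: no resource owner, the client is the subject
        else:
            raise PermissionError("unsupported_grant_type")
        access_token = secrets.token_urlsafe(32)   # opaque to the client; meaning lives here
        self.tokens[access_token] = {"sub": subject, "client_id": client_id,
                                     "scope": scopes, "exp": time.time() + TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": " ".join(sorted(scopes))}

    def introspect(self, access_token):
        # How the resource server validates a token with the AS (slide step 5).
        claims = self.tokens.get(access_token)
        if claims is None or claims["exp"] < time.time():
            return {"active": False}
        return {"active": True, **claims}


def resource_server_fetch(auth_server, resource, authorization_header):
    scheme, _, token = authorization_header.partition(" ")
    info = auth_server.introspect(token) if scheme == "Bearer" else {"active": False}
    if not info["active"] or f"{resource}.read" not in info["scope"]:
        raise PermissionError("insufficient_scope")   # check scope, not just validity
    data = DATA[resource]
    return data.get(info["sub"], []) if resource == "photos" else data   # photos are per user


# Slide steps 1-6 of the 3-legged flow. The random `state` ties the callback to the
# request this client actually started (login-CSRF defence, RFC 6749 s10.12).
def three_legged_flow(auth_server, client, user, redirect_uri="https://photoprinting.example/cb"):
    state = secrets.token_urlsafe(16)
    callback = auth_server.authorize(client.client_id, redirect_uri, "photos.read", state, user)
    query = parse_qs(urlparse(callback).query)
    if query["state"][0] != state:
        raise PermissionError("state mismatch")
    tok = auth_server.token("authorization_code", client.client_id, client.client_secret,
                            code=query["code"][0], redirect_uri=redirect_uri)
    return resource_server_fetch(auth_server, "photos", f"Bearer {tok['access_token']}")


# 2-legged flow: no user and no redirect, only client authentication for a token.
def two_legged_flow(auth_server, client):
    tok = auth_server.token("client_credentials", client.client_id, client.client_secret,
                            scope="stats.read")
    return resource_server_fetch(auth_server, "stats", f"Bearer {tok['access_token']}")


def build():
    auth_server = AuthorizationServer()
    printing = Client("photoprinting", secrets.token_hex(16), {"https://photoprinting.example/cb"}, {"photos.read"})
    checker = Client("background-checker", secrets.token_hex(16), set(), {"stats.read"})
    auth_server.clients = {c.client_id: c for c in (printing, checker)}
    return auth_server, printing, checker
```

`build()` registers two clients: a web app that needs a user's photos (3-legged) and a background job that only needs service statistics (2-legged). `three_legged_flow(auth_server, printing, "alice")` returns Alice's photos; `two_legged_flow(auth_server, checker)` returns the statistics, and the same token cannot read photos because its scope does not cover them. The code is consumed by the first redemption attempt, whichever client makes it, which is why a stolen code is useless once the legitimate client has exchanged it.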
• OAuth allows resource owners to delegate resource access rights to third parties:
– No sharing of passwords with third-party apps
– Access is limited to certain resources (scopes)
– For a limited time
– Consent given to a third-party app can be revoked
• Whereas sharing passwords with third-party apps brings:
– Trust issues
– An unwanted level of access
– No way to revoke access, etc.
OAuth Workflow
Actors: Consumer (Client), Service Provider (Resource Server), User (Resource Owner)
1. Consumer → Service Provider: asks for a token with OAuth
2. Service Provider → Consumer: responds with an unauthorized request token
3. Consumer → User: redirects the user to the Service Provider to ask for authorization of the request token
4. User → Service Provider: logs in and grants permission
5. Service Provider → User → Consumer: redirects the user back to the content access page with the authorized request token
6. Consumer → Service Provider: requests exchange of the request token for an access token
7. Consumer → Service Provider: asks for data with the access token
8. Service Provider → Consumer: responds with the requested data
Note: this sequence is the OAuth 1.0/1.0a request-token workflow (RFC 5849), in which one "Service Provider" plays both the Authorization Server and the Resource Server roles. In the OAuth 2.0 authorization code grant there is no temporary request token: the client sends the user straight to the Authorization Server and receives an authorization code on the redirect back, which it then exchanges for the access token.
Using OAuth 2.0 Authorization Code Flow
OAuth Actors / What is OAuth 2.0?
• Client Application (e.g. photoprinting.com): accesses resources on the user's behalf
• Resource Owner: logs in, gives consent, delegates authorization to the client
• OAuth Server (Authorization Server): authenticates and authorizes the resource owner, issues tokens
• Resource Server (e.g. photos from "photos.com"): holds the resource data the client accesses
What is OAuth 2.0?
• Service Provider (Resource Server): the Service Provider controls all aspects of the OAuth implementation. "Service Provider" is the term used to describe the website or web service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online banking service, a micro-blogging site, or any other service where the user's private "stuff" is kept. OAuth does not mandate that the Service Provider also be the identity provider: the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
• User (Resource Owner): the user is why OAuth exists; without users there is no need for OAuth. Users have "stuff" they don't want to make public on the Service Provider, but which they do want to share with another site. OAuth can, however, also be used in two-legged scenarios involving only a client and a server, without any user interaction.
• Consumer (Client): a fancy name for an application trying to access the User's resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web.
• Protected Resources: the "stuff" OAuth protects and allows access to. This can be data (photos, documents, contacts, etc.), activities (posting a blog item, transferring funds) or any URL that needs access restrictions.
What is OAuth 2.0?
• Access Token: access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner and enforced by the resource server and authorization server. Access tokens are bearer credentials: whoever holds one can use it, so they must only travel over TLS and should be short-lived.
• Refresh Token: refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than the resource owner authorized). Refresh tokens are presented only to the authorization server, never to a resource server, and are bound to the client they were issued to.
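The access/refresh token rules just described, as an added example that is not code from the slides: a token service for an authorization server in Python. It issues a short-lived access token and a long-lived refresh token for each grant, lets the client refresh with the same or a narrower scope than the resource owner granted but never a wider one, refuses a refresh token presented by a different client, and (a hardening beyond what the slides state) rotates the refresh token on every use, treating reuse of an old one as a sign of theft and revoking the whole grant. The clock is injected so expiry can be exercised deterministically. Client names, scopes and lifetimes are assumptions.

```python
# Added example, not code from the slides: access/refresh token handling for an
# authorization server. Access tokens are short-lived; a refresh token yields a new
# one with identical or narrower scope than the owner granted (RFC 6749 s6); refresh
# tokens are bound to the issuing client; rotation plus reuse detection is an extra
# hardening. The clock is injected for testing. Names and lifetimes are assumptions.
import secrets
import time

ACCESS_TTL = 600                 # 10 minutes
REFRESH_TTL = 30 * 24 * 3600     # 30 days


class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}     # grant id -> what the resource owner authorized, for which client
        self.access = {}     # access token -> {"grant", "scope", "exp"}
        self.refresh = {}    # live refresh token -> {"grant", "exp"}
        self.used = {}       # rotated-out refresh token -> grant id (replay detection)

    def issue_grant(self, sub, client_id, scope):
        # Called after a successful authorization (e.g. a redeemed authorization code).
        gid = secrets.token_hex(8)
        self.grants[gid] = {"sub": sub, "client_id": client_id, "scope": set(scope), "revoked": False}
        return self._mint(gid, set(scope))

    def _mint(self, gid, scope):
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"grant": gid, "scope": scope, "exp": now + ACCESS_TTL}
        self.refresh[rt] = {"grant": gid, "exp": now + REFRESH_TTL}
        return {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": rt, "scope": " ".join(sorted(scope))}

    def refresh_access(self, refresh_token, client_id, scope=None):
        if refresh_token in self.used:
            # Rotation makes replay detectable: this token was already traded in, so a
            # second party holds a copy. Kill every token issued under the grant.
            self._revoke_grant(self.used[refresh_token])
            raise PermissionError("invalid_grant: refresh token reuse, grant revoked")
        entry = self.refresh.get(refresh_token)
        if entry is None or entry["exp"] < self.clock():
            raise PermissionError("invalid_grant")
        grant = self.grants[entry["grant"]]
        if grant["revoked"] or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")        # bound to the issuing client
        scope = set(scope) if scope else grant["scope"]   # omitted scope = as originally granted
        if not scope <= grant["scope"]:
            raise PermissionError("invalid_scope")        # identical or narrower only
        del self.refresh[refresh_token]                   # rotate: the old token is now dead
        self.used[refresh_token] = entry["grant"]
        return self._mint(entry["grant"], scope)

    def validate(self, access_token):
        # Resource-server view (what introspection would return): claims for a live token, else None.
        entry = self.access.get(access_token)
        if entry is None or entry["exp"] < self.clock() or self.grants[entry["grant"]]["revoked"]:
            return None
        grant = self.grants[entry["grant"]]
        return {"sub": grant["sub"], "client_id": grant["client_id"], "scope": entry["scope"]}

    def _revoke_grant(self, gid):
        # What "revoke consent" means server-side: one grant for one client, nothing else affected.
        self.grants[gid]["revoked"] = True
        self.access = {k: v for k, v in self.access.items() if v["grant"] != gid}
        self.refresh = {k: v for k, v in self.refresh.items() if v["grant"] != gid}
```

Failed refresh attempts (wider scope, wrong client) deliberately do not consume the refresh token, so an attacker cannot lock the legitimate client out by sending junk; only a genuine replay of an already-rotated token triggers revocation.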
OAuth 2.0 Grant Types
• Authorization Code – usually clients running on a web server (the 3-legged flow above)
• Implicit – clients running directly in the browser, such as JavaScript applications; the access token is returned in the redirect itself, so it is exposed to the user agent and cannot be paired with client authentication
• Resource Owner Password Credentials – the client collects the user's ID/password and trades them for a token; only for highly trusted (first-party) clients, since it reintroduces the password sharing OAuth was meant to remove
• Client Credentials – the client's own credentials (the 2-legged flow above)
• Refresh Token – to refresh/get a new access token
• Assertion Framework
– Client assertion (used to authenticate the client) and authorization assertion (used as the grant itself)
– Supports multiple formats: JWT and SAML
• Extended Grants
– Depend on server and deployment needs
– E.g. for Oracle to support OAM tokens
Note: current OAuth security guidance (the OAuth 2.0 Security Best Current Practice) recommends against the implicit and resource owner password credentials grants; new clients should use the authorization code grant.
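The JWT assertion grant of the Assertion Framework bullet, as an added example that is not code from the slides or from Oracle's server: a trusted issuer signs a JWT stating that a subject may obtain a token from this authorization server until a given time, and the client posts it to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer (the draft cited in the references, later RFC 7523). The server side shows the checks that matter: look up the issuer's key from the claims and pin the algorithm rather than trusting the token's own header, verify the signature before anything else, require the audience to be this token endpoint, enforce expiry, restrict which subjects an issuer may vouch for, and reject replayed assertions by jti. To stay dependency-free the signature is HS256 over a shared key; a real deployment registers the issuer's public key and uses RS256 or ES256. Issuer names, keys and claim values are assumptions.

```python
# Added example, not code from the slides: JWT bearer assertion grant
# (draft-ietf-oauth-jwt-bearer, later RFC 7523) with the standard library only.
# HS256 over a shared key stands in for the asymmetric signature a real issuer
# would use. Issuer names, keys and claim values are assumptions for this page.
import base64, hashlib, hmac, json, secrets, time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(key: bytes, iss: str, sub: str, aud: str, now: int, ttl: int = 300) -> str:
    # Issuer side: compact JWS carrying the claims RFC 7523 requires (iss, sub, aud, exp)
    # plus jti so the authorization server can refuse a replayed assertion.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


class AssertionGrantServer:
    def __init__(self, token_endpoint: str, clock=time.time):
        self.token_endpoint = token_endpoint   # the only audience this server accepts
        self.clock = clock
        self.issuers = {}                      # iss -> (key, subjects it may vouch for)
        self.seen_jti = set()

    def register_issuer(self, iss, key, subjects):
        self.issuers[iss] = (key, set(subjects))

    def token(self, grant_type, assertion, scope=""):
        if grant_type != JWT_BEARER:
            raise PermissionError("unsupported_grant_type")
        try:
            h, c, s = assertion.split(".")
            header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
            sig = b64url_decode(s)
            if not isinstance(header, dict) or not isinstance(claims, dict):
                raise ValueError("not a JWT")
        except ValueError:
            raise PermissionError("invalid_grant: malformed assertion") from None
        # Pick the key from the *claimed issuer* and pin the algorithm ourselves:
        # honouring header["alg"] is how "alg": "none" forgeries get accepted.
        issuer = self.issuers.get(claims.get("iss"))
        if issuer is None or header.get("alg") != "HS256":
            raise PermissionError("invalid_grant: unknown issuer or algorithm")
        key, subjects = issuer
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("invalid_grant: bad signature")
        if claims.get("aud") != self.token_endpoint:
            raise PermissionError("invalid_grant: wrong audience")   # minted for another server
        if not isinstance(claims.get("exp"), int) or claims["exp"] < self.clock():
            raise PermissionError("invalid_grant: expired")
        if claims.get("sub") not in subjects:
            raise PermissionError("invalid_grant: issuer may not vouch for this subject")
        jti = claims.get("jti")
        if jti is None or jti in self.seen_jti:
            raise PermissionError("invalid_grant: replayed assertion")
        self.seen_jti.add(jti)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": claims["sub"], "scope": scope}
```

The same verification order applies when a JWT is used as a client assertion for client authentication instead of as the grant: the audience is still the token endpoint, and the issuer lookup is what decides which key is used, never the token itself.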
Typical 3-legged OAuth flow with Authorization Code Grant Type
[Diagram: a Background Checker client (1) obtains an "Authorization Grant" (user consent) from the Enterprise OAuth Server, (2) gets an "Access Token" from it, and (3) uses the "Access Token" to access a resource on the Resource Server. The Enterprise OAuth Server is shown with a token-claim registry, a scope registry, a policy store and user consent orchestration.]
Questions
References & Terminology
1. OAuth 2.0 Spec (Core/Classic): http://tools.ietf.org/html/rfc6749
2. OAuth 2.0 Assertion Framework Spec: http://tools.ietf.org/html/draft-ietf-oauth-assertions-11 (later published as RFC 7521)
3. OAuth 2.0 JWT Assertion Profile Spec: http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05 (later published as RFC 7523)
4. How OAuth 2.0 changes the way web services are used (in Japanese): http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
5. http://lzhairs.blogspot.jp/2013/09/2-legged-oauth-3-legged-oauth.html
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 

Introduction to OAuth2.0

  • 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
       OAuth 2.0 Overview
       Oracle Asia Research and Development Center
       Alice Liu (lzhmails@gmail.com)
  • 2.  OAuth 2.0 Overview
        3-Legged OAuth / 2-Legged OAuth
        OAuth Workflow
  • 3. OAuth 2.0 Overview
        OAuth Terms
       – Client is an application accessing an API; it can be a web app, an app inside a user agent, or a native app
       – Resource Owner is a “user” who can authorize/grant access to API resources
       – Resource Server is the API host
       – Authorization Server is the authorization PDP and STS
        OAuth 2.0 is relatively simple
       – Get the token
       – Use the token to access the protected resource
  • 4. OAuth 2.0 Overview
        In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares its credentials with the third party. This creates several problems and limitations:
        Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
        Servers are required to support password authentication, despite the security weaknesses created by passwords.
        Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
        Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
  • 5. 3-Legged OAuth
       1) The resource owner connects to an OAuth Client enabled service and requests that it access resources at a different site
       2) The OAuth Client (requesting site) redirects the user to the OAuth Authorization Server, which authenticates the user and presents a consent page. It then sends an authorization code to the OAuth Client
       3) The OAuth Client uses the authorization code to retrieve an OAuth Access Token from the OAuth Authorization Server
       4) The OAuth Client presents the Access Token to the OAuth Resource Server
       5) The Resource Server validates the token with the Authorization Server
       6) The Resource Server provides the requested content to the OAuth Client
       [Diagram: OAuth Client on the Requesting Site; Resource Owner/Agent/Native App; OAuth Resource Server and OAuth Authorization Server on the Resource Site; arrows numbered 1 to 6 for the steps above]
  • 6. 2-Legged OAuth
        The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials
        The requesting service uses its client credentials to connect to a resource server
        The Resource Server validates the client's credentials and provides the requested content
       [Diagram: OAuth Client, OAuth Resource Server and OAuth Authorization Server; arrows numbered 1 to 3 for the steps above]
  • 7. OAuth 2.0 Overview
       • OAuth allows resource owners to delegate resource access rights to third parties:
         • No sharing of passwords with third-party apps
         • Authorize access to certain limited resources
         • For a limited time
         • Can revoke consent given to the third-party apps
       • Whereas sharing passwords with third-party apps brings:
         • Trust issues
         • Unwanted level of access
         • Not able to revoke, etc.
  • 8. OAuth Workflow
       [Sequence diagram between Consumer (Client), Service Provider (Resource Server) and User (Resource Owner); messages: ask for a token with OAuth; responds with unauthorized request token; ask for authorization of request token; log in and grant permission; redirects with authorized request token; requests exchange for access token; ask for data with access token; responds with requested data; redirect user to content access page]
  • 9. Using OAuth 2.0 Authorization Code Flow
  • 10. OAuth Actors / What is OAuth 2.0?
       [Diagram: Client Application (e.g. photoprinting.com) accesses resources on the Resource Server (e.g. photos from “photos.com”); the Resource Owner logs in, gives consent and delegates authorization; the OAuth Server authenticates, authorizes and issues tokens; the Resource Server returns data]
  • 11. What is OAuth 2.0?
       • Service Provider (Resource Server): the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a micro-blogging site, or any other service where the ‘user’s private stuff’ is kept. OAuth does not mandate that the Service Provider also be the identity provider, which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
       • User (Resource Owner): the user is why OAuth exists; without users, there is no need for OAuth. The users have ‘stuff’ they don’t want to make public on the Service Provider, but they do want to share it with another site. However, OAuth can also be used in two-legged scenarios involving only a client and a server, without the need for user interaction.
       • Consumer (Client): this is a fancy name for an application trying to access the User’s resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web.
       • Protected Resources: the ‘stuff’ OAuth protects and allows access to. This can be data (photos, documents, contacts, etc.), activities (posting a blog item, transferring funds) or any URL with a need for access restrictions.
  • 12. What is OAuth 2.0?
        Access Token: Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
        Refresh Token: Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).
  • 13. OAuth 2.0 Grant Types
       • Authorization Code – usually clients running on a web server
       • Implicit – clients that run directly in the browser, like JavaScript plugins
       • Resource Owner – user ID/password of the user
       • Client Credentials – client credentials
       • Refresh Token – to refresh/get a new access token
       • Assertion Framework
         • Client Assertion
         • (Authorization) Assertion
         • Supports multiple formats: JWT and SAML
       • Extended Grants
         • Depends on server and deployment needs
         • E.g. for Oracle to support OAM tokens
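The 3-legged flow of slide 5, the 2-legged flow of slide 6 and the Authorization Code and Client Credentials grants of slide 13, as an added Python example that is not part of the deck or of any Oracle product: an in-memory authorization server that issues opaque access tokens, and a resource server that validates them with it (step 5 of the 3-legged flow) before releasing data. Client ids, secrets, redirect URIs, the photos.read scope and the code/token lifetimes are all hypothetical, and the validation call stands in for whatever introspection mechanism a real deployment uses.

```python
import secrets
import time

# Added example, not code from the slide deck: in-memory authorization server for the
# authorization_code (3-legged) and client_credentials (2-legged) grants; scopes and lifetimes are hypothetical.
class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorization code -> grant details; each code is single use
        self.tokens = {}   # opaque access token -> {client_id, scope, expires}
    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)
    def authorize(self, client_id, redirect_uri, scope, user_consented):
        # Step 2: after login and consent, issue a short-lived code bound to the client and its registered redirect_uri.
        if not user_consented or redirect_uri != self.clients[client_id][1]:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope,
                            "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return code
    def token(self, grant_type, client_id, client_secret, **params):
        # Step 3 (2-legged: step 2): authenticate the client, then apply grant-specific checks.
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return None
        if grant_type == "authorization_code":
            grant = self.codes.pop(params.get("code"), None)  # pop: a replayed code fails
            if (grant is None or grant["client_id"] != client_id or grant["expires"] < time.time()
                    or grant["redirect_uri"] != params.get("redirect_uri")):
                return None
            scope = grant["scope"]
        elif grant_type == "client_credentials":
            scope = params.get("scope", "")  # no resource owner involved: the client's own scope
        else:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "scope": scope, "expires": time.time() + 3600}
        return token

    def validate(self, token):
        # Step 5: the resource server asks the AS whether the token is live and what it grants.
        info = self.tokens.get(token)
        return None if info is None or info["expires"] < time.time() else info

def resource_server_get_photos(auth_server, token):
    # Steps 4 and 6: release the resource only for a live token carrying the needed scope.
    info = auth_server.validate(token)
    if info is None or "photos.read" not in info["scope"].split():
        return None
    return ["beach.jpg", "dog.jpg"]  # constructed sample data
```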
  • 14. Typical 3-legged OAuth flow with Authorization Code Grant Type
       [Diagram: Background Checker Client, Resource Server, and Enterprise OAuth Server (token-claim registry, scope registry, policy store, user consent orchestration); steps: obtain “Authorization Grant” (user consent), get an “Access token”, use “Access Token” to access a resource]
  • 15. Questions
  • 16. References & Terminology
       1. OAuth 2.0 Spec (Core/Classic) - http://tools.ietf.org/html/rfc6749
       2. OAuth 2.0 Assertion Framework Spec - http://tools.ietf.org/html/draft-ietf-oauth-assertions-11
       3. OAuth 2.0 JWT Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05
       4. How does OAuth 2.0 change the way web services are used? - http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
       5. http://lzhairs.blogspot.jp/2013/09/2-legged-oauth-3-legged-oauth.html