Lecture #25: OAuth 2.0
Dr.Ramchandra Mangrulkar
September 23, 2020
Dr.Ramchandra Mangrulkar Lecture #25: OAuth 2.0 September 23, 2020 1 / 17
Client-Server Authentication Model
In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner's credentials.

In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party.
Problems and limitations
This creates several problems and limitations [1]:
- Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
- Servers are required to support password authentication, despite the security weaknesses inherent in passwords.
- Third-party applications gain access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
- Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password.
- Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

[1] https://tools.ietf.org/html/rfc6749
OAuth 2.0
OAuth defines four roles:
- Resource Owner
- Client
- Resource Server
- Authorization Server
Figure: Abstract Protocol View
OAuth 2.0
OAuth addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner.

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth 2.0 : Working
OAuth 2.0 : Steps
A: The client requests authorization from the resource owner.
B: The client receives an authorization grant, which is a credential representing the resource owner's authorization.
C: The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
D: The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
E: The client requests the protected resource from the resource server and authenticates by presenting the access token.
F: The resource server validates the access token, and if valid, serves the request.
Application Registration
Before using OAuth with your application, you must register your application with the service. This is done through a registration form in the "developer" or "API" portion of the service's website, where you supply:
- Application Name
- Application Website
- Redirect URI or Callback URL

The redirect URI is where the service will redirect the user after they authorize (or deny) your application, and is therefore the part of your application that will handle authorization codes or access tokens.
Client ID and Client Secret
Once the application is registered, the service will issue "client credentials" in the form of a client identifier and a client secret.

The Client ID is a publicly exposed string that is used by the service API to identify the application, and is also used to build authorization URLs that are presented to users.

The Client Secret is used to authenticate the identity of the application to the service API when the application requests to access a user's account, and must be kept private between the application and the API.
Authorization Grant
OAuth 2 defines four grant types, each of which is useful in different cases:
- Authorization Code: used with server-side applications
- Implicit: used with mobile apps or web applications (applications that run on the user's device)
- Resource Owner Password Credentials: used with trusted applications, such as those owned by the service itself
- Client Credentials: used for application API access, where the application acts on its own behalf
Authorization Grant: Authorization Code
Step 1: Authorization Code Link
First, the user is given an authorization code link that looks like the following:
https://cloud.digitalocean.com/v1/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
- client_id=CLIENT_ID: the application's client ID (how the API identifies the application)
- redirect_uri=CALLBACK_URL: where the service redirects the user-agent after an authorization code is granted
- response_type=code: specifies that your application is requesting an authorization code grant
- scope=read: specifies the level of access that the application is requesting
Authorization Code
Step 2: User Authorizes Application
When the user clicks the link, they must first log in to the service to authenticate their identity (unless they are already logged in). Then they will be prompted by the service to authorize or deny the application access to their account.
Authorization Code
Step 3: Application Receives Authorization Code
If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this (assuming the application is "dropletbook.com"):
https://dropletbook.com/callback?code=AUTHORIZATION_CODE
Authorization Code
Step 4: Application Requests Access Token
The application requests an access token from the API by passing the authorization code, along with authentication details including the client secret, to the API token endpoint. Here is an example POST request to DigitalOcean's token endpoint:
https://cloud.digitalocean.com/v1/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
Authorization Code
Step 5: Application Receives Access Token
If the authorization is valid, the API will send a response containing the access token (and optionally, a refresh token) to the application. The entire response will look something like this:
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 2592000,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read",
  "uid": 100101,
  "info": {"name": "Mark E. Mark", "email": "mark@thefunkybunch.com"}
}
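The whole exchange described in steps A-F and in steps 1-5 above, as an added example that is not part of the lecture and not DigitalOcean's code: an in-memory Python simulation in which the authorization server and the resource server are small classes exchanging the same messages the slides show. The endpoint and callback URLs are the ones quoted on the slides; CLIENT_ID, CLIENT_SECRET, user id 100101, the code lifetime CODE_TTL and the introspect() call the resource server uses to validate a token are constructed assumptions.

```python
# Added example (not from the lecture): in-memory simulation of the OAuth 2.0
# authorization code grant, slides' steps A-F / 1-5. Endpoint and callback URLs
# are the ones on the slides; client id/secret and user data are constructed.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://cloud.digitalocean.com/v1/oauth/authorize"
CLIENT_ID, CLIENT_SECRET = "CLIENT_ID", "CLIENT_SECRET"   # constructed placeholders
CALLBACK_URL = "https://dropletbook.com/callback"
CODE_TTL = 60           # seconds an authorization code stays valid (assumption)
TOKEN_TTL = 2592000     # expires_in value shown on the slide

def build_authorization_url(client_id, redirect_uri, scope):
    """Step 1 (A): the authorization link the client hands to the user."""
    return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": client_id,
                                           "redirect_uri": redirect_uri, "scope": scope})

def query_of(url):
    """Flatten the ?a=b&c=d part of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:   # authorization server role: clients, codes, tokens
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, link, uid, approved):
        """Steps 2-3 (B): the logged-in owner approves or denies; the server
        redirects the user-agent back to the *registered* redirect URI only."""
        q = query_of(link)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        if q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")   # a code sent elsewhere would leak
        if not approved:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "uid": uid,
                            "scope": q.get("scope", ""), "expires": time.time() + CODE_TTL}
        return client["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, form):
        """Step 4 (C-D): authenticate the client by its secret, validate the grant
        (single-use, unexpired, same client and redirect_uri), then issue tokens."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"],
                                                        form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code"), None)   # pop: each code is consumed once
        if (grant is None or grant["expires"] < time.time()
                or grant["client_id"] != form["client_id"]
                or form.get("redirect_uri") != client["redirect_uri"]):
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"uid": grant["uid"], "scope": grant["scope"],
                               "expires": time.time() + TOKEN_TTL}
        return {"access_token": access, "token_type": "bearer", "expires_in": TOKEN_TTL,
                "refresh_token": secrets.token_urlsafe(32), "scope": grant["scope"],
                "uid": grant["uid"]}

    def introspect(self, access_token):   # step F: lets the resource server check a token
        t = self.tokens.get(access_token)
        return None if t is None or t["expires"] < time.time() else t

class ResourceServer:   # resource server role: owner's data only for a valid bearer token
    def __init__(self, auth_server, data):
        self.auth, self.data = auth_server, data          # data: uid -> protected resource

    def get(self, authorization_header, required_scope="read"):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth.introspect(token) if scheme.lower() == "bearer" else None
        if info is None:
            return 401, None                              # missing, unknown or expired token
        if required_scope not in info["scope"].split():
            return 403, None                              # valid token, insufficient scope
        return 200, self.data[info["uid"]]

def run_flow(approved=True):
    """Drive the whole exchange and report what the client ended up with."""
    auth = AuthorizationServer()
    auth.register(CLIENT_ID, CLIENT_SECRET, CALLBACK_URL)
    rs = ResourceServer(auth, {100101: {"name": "Mark E. Mark", "email": "mark@thefunkybunch.com"}})
    link = build_authorization_url(CLIENT_ID, CALLBACK_URL, "read")              # step 1
    callback = query_of(auth.authorize(link, uid=100101, approved=approved))      # steps 2-3
    if "code" not in callback:
        return {"error": callback.get("error"), "status": None, "resource": None}
    form = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "redirect_uri": CALLBACK_URL,
            "grant_type": "authorization_code", "code": callback["code"]}
    tok = auth.token(form)                                                        # step 4
    status, body = rs.get("Bearer " + tok["access_token"])                        # step 5 (E-F)
    return {"error": None, "status": status, "resource": body, "token": tok,
            "replay": auth.token(form),                                 # reused code: rejected
            "bad_secret": auth.token({**form, "client_secret": "wrong"})}
```

Calling run_flow() returns the resource served in step 5 together with the token response, and shows that replaying the same code or presenting a wrong client secret at the token endpoint is refused; run_flow(approved=False) shows the error=access_denied redirect the user's denial produces.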
Homework: Authorization Code [a]
- Implicit
- Resource Owner Password Credentials
- Client Credentials

[a] https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
Homework for Lab
- OAuth 2.0 Java Guide: Secure Your App in 5 Minutes
  https://developer.okta.com/blog/2019/10/30/java-oauth2
- Spring Boot and OAuth2
  https://spring.io/guides/tutorials/spring-boot-oauth2/
- Implementing The OAuth 2.0 Authorization Framework Using Jakarta EE
  https://www.baeldung.com/java-ee-oauth2-implementation