Introduction to OAuth 2.0
RFC 6749 - Simplified
RFC 6749 - The OAuth 2.0 Authorization Framework
Actors
Resource Owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource Server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Authorization Server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Client
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
Client Types
Confidential
Clients capable of maintaining the confidentiality of their credentials (e.g., a client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
Public
Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
Client profiles: Web Application, User-Agent-Based Application, Native Application
Protocol Flow
(Diagram) The client sends an Authorization Request to the resource owner and receives an Authorization Grant; it presents the Authorization Grant to the authorization server and receives an Access Token; it presents the Access Token to the resource server and receives the Protected Resource.
Protocol Endpoints
Authorization endpoint: used to interact with the resource owner and obtain an authorization grant.
Token endpoint: used by the client to obtain an access token by presenting its authorization grant or refresh token.
Authorization Endpoint
The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner.
Client credentials in the request body (RFC 6749 Section 2.3.1)
The authorization server MAY support including the client credentials in the request-body using the following parameters:
• client_id
REQUIRED. The client identifier issued to the client during the registration process described by Section 2.2.
• client_secret
REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Token Endpoint
Authorization grant types:
• Authorization Code
• Implicit
• Resource Owner Password Credentials
• Client Credentials
Authorization Code (flow diagram; the numbered steps follow)
1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier.
4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification.
5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (3). If valid, the authorization server responds back with an access token and, optionally, a refresh token.
Request
• grant_type
REQUIRED. Value MUST be set to "authorization_code".
• code
REQUIRED. The authorization code received from the authorization server.
• redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=<authorization code received in step 3>
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
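The five steps above, and the request-body client authentication described under the token endpoint, as an added end-to-end simulation (not code from the original slides): both sides of the authorization code grant in one process, with the step (5) checks an authorization server must perform (client secret, single-use code, redirect_uri bound to the code) and the client-side state check. The client registration, endpoint URLs and issued values are constructed; the client_id and client_secret are the slides' sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration; the client_id/secret are the slides' sample values.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {
        "client_secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
        "redirect_uris": {"https://client.example.com/cb"},
    }
}

# Authorization codes issued so far: code -> binding record (in-memory for the example)
ISSUED_CODES = {}


def _query(url):
    """Return the query string of url as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorization_request(client_id, redirect_uri, scope, state):
    """Step 1: the authorization endpoint URL the client redirects the user-agent to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return "https://server.example.com/authorize?" + urlencode(params)


def authorization_endpoint(url, user_consents):
    """Steps 2-3, server side: after authenticating the resource owner, bind a fresh
    code to (client_id, redirect_uri) and redirect back with the client's state."""
    q = _query(url)
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    # An unregistered client or redirect_uri is an error, not a redirect
    if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("invalid client_id or redirect_uri")
    state = q.get("state", "")
    if not user_consents:
        return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                          "scope": q.get("scope", ""), "used": False}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})


def client_callback(redirect_url, expected_state):
    """Step 3, client side: the code is only trusted if state matches what was sent."""
    q = _query(redirect_url)
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible cross-site request forgery")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    return q["code"]


def token_endpoint(form):
    """Steps 4-5: authenticate the client (credentials in the request body, RFC 6749
    Section 2.3.1), then validate the code and the redirect_uri it was issued with."""
    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    if client is None or not hmac.compare_digest(form.get("client_secret", ""),
                                                 client["client_secret"]):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    record = ISSUED_CODES.get(form.get("code", ""))
    if (record is None or record["used"]
            or record["client_id"] != form["client_id"]
            or record["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    record["used"] = True  # an authorization code is accepted once only
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
            "expires_in": 3600, "scope": record["scope"]}


def run_flow(client_id="s6BhdRkqt3", client_secret="7Fjfp0ZBr1KtDRbnfVdmIw",
             redirect_uri="https://client.example.com/cb", scope="read"):
    """Drive the whole grant end to end and return the token response."""
    state = secrets.token_urlsafe(8)
    auth_url = build_authorization_request(client_id, redirect_uri, scope, state)
    callback = authorization_endpoint(auth_url, user_consents=True)
    code = client_callback(callback, state)
    return token_endpoint({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri, "client_id": client_id,
                           "client_secret": client_secret})


if __name__ == "__main__":
    print(run_flow())
```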
Implicit (flow diagram; the numbered steps follow)
1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier.
4. The redirection URI includes the access token in the URI fragment. The user-agent follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]).
5. The user-agent retains the fragment information locally. The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment.
6. The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token.
7. The user-agent passes the access token to the client.
Request
• response_type
REQUIRED. Value MUST be set to "token".
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
• redirect_uri
OPTIONAL. As described in Section 3.1.2.
• state
RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
GET /authorize?
response_type=token
&client_id=s6BhdRkqt3
&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample
%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Resource Owner Password Credentials
1. The resource owner provides the client with its username and password.
2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.
3. The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.
Request
• grant_type
REQUIRED. Value MUST be set to "password".
• username
REQUIRED. The resource owner username.
• password
REQUIRED. The resource owner password.
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=password
&username=<resource owner username>
&password=<resource owner password>
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Client Credentials
1. The client authenticates with the authorization server and requests an access token from the token endpoint.
2. The authorization server authenticates the client, and if valid, issues an access token.
Request
• grant_type
REQUIRED. Value MUST be set to "client_credentials".
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
Refresh Token
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Scope
The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.
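The scope rules above (space-delimited, case-sensitive, order-independent) as an added example, not code from the original slides: a parser that enforces the RFC 6749 Section 3.3 token grammar, the authorization server's narrowing of a requested scope to the client's allow-list (the allow-list is constructed for this example), and the resource server's check that a token carries every scope an operation needs.

```python
import re

# RFC 6749 Section 3.3 grammar: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e.
# printable ASCII except space, double quote and backslash; tokens are separated by
# exactly one space.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


def parse_scope(value):
    """Split a scope parameter into a set of case-sensitive tokens.
    Order is irrelevant, so a set is the natural representation. Raises ValueError
    on a token that violates the grammar (an empty token means a doubled space)."""
    if not value:
        return set()
    tokens = value.split(" ")
    for t in tokens:
        if not _SCOPE_TOKEN.match(t):
            raise ValueError("invalid scope token: %r" % t)
    return set(tokens)


def issue_scope(requested, allowed):
    """Authorization server side: grant only the intersection of the requested scope
    and the client's allow-list ('allowed' is a constructed per-client list).
    Returns the string for the 'scope' response parameter and whether it was
    narrowed; RFC 6749 requires the server to send 'scope' when the issued scope
    differs from the one requested."""
    req = parse_scope(requested)
    granted = req & set(allowed)
    if not granted:
        raise ValueError("invalid_scope")
    return " ".join(sorted(granted)), granted != req


def token_permits(token_scope, required):
    """Resource server side: every scope the operation needs must be present in the
    token's scope, compared case-sensitively ("Read" is not "read")."""
    return set(required) <= parse_scope(token_scope)
```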
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
 

OAuth 2.0 Authorization Framework Explained

  • 1. Introduction to OAuth 2.0 RFC 6749 - Simplified
  • 2. RFC 6749 - The OAuth 2.0 Authorization Framework
  • 4. Resource Owner An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user
  • 5. Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens
  • 6. Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  • 7. Client An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
  • 8. Client Types
    Confidential: Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
    Web Application; User-Agent-Based Application
    Public: Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
    Native Application
  • 9. Protocol Flow (diagram labels): Authorization Request, Authorization Grant, Access Token, Protected Resource
  • 10. Protocol Endpoints
    Authorization: The authorization endpoint is used to interact with the resource owner and obtain an authorization grant.
    Token: The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.
  • 11. Authorization Endpoint
    The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner.
    The authorization server MAY support including the client credentials in the request body using the following parameters:
    • client_id REQUIRED. The client identifier issued to the client during the registration process described by Section 2.2.
    • client_secret REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string.
    Example request:
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token
      &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
      &client_id=s6BhdRkqt3
      &client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
  • 14. Authorization Code
    1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
    2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
    3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier.
    4. The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification.
    5. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (3). If valid, the authorization server responds back with an access token and, optionally, a refresh token.
  • 15. Request
    • grant_type REQUIRED. Value MUST be set to "authorization_code".
    • code REQUIRED. The authorization code received from the authorization server.
    • redirect_uri REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
    • client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
    Example request:
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token
      &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
      &client_id=s6BhdRkqt3
      &client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
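Slides 11, 14 and 15 describe the token request for the authorization code grant and the checks the authorization server performs in steps 4 and 5. The block below is an added Python example, not part of this deck, of those checks on the server side: client authentication with credentials in the request body, the grant_type value, single use and lifetime of the code, binding of the code to the client that requested it, and the redirect_uri comparison. The in-memory client registry, code store and 600-second code lifetime are constructed stand-ins; the client_id and client_secret are the values on the slides. The request body printed on slide 15 is the refresh_token example of slide 24; the request this block validates follows the parameter list on slide 15.

```python
"""Token endpoint checks for the authorization_code grant (RFC 6749 4.1.3/4.1.4).

Added example, not from the slides. CLIENTS, CODES and CODE_LIFETIME are
constructed stand-ins for a real client registry and code store.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs


class OAuthError(Exception):
    """Carries an RFC 6749 section 5.2 error code for the JSON error response."""

    def __init__(self, code, description=""):
        super().__init__(code)
        self.code = code
        self.description = description


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str      # redirect_uri used in the authorization request (None if omitted)
    scope: str
    issued_at: float
    used: bool = False


# Constructed registry of confidential clients (client_id -> client_secret).
CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}
CODES = {}
CODE_LIFETIME = 600  # seconds; the RFC recommends a short lifetime for codes


def issue_code(client_id, redirect_uri, scope, now=None):
    """Step 3: mint a single-use code bound to the client and its redirect_uri."""
    code = secrets.token_urlsafe(24)
    CODES[code] = AuthCode(client_id, redirect_uri, scope,
                           time.time() if now is None else now)
    return code


def _authenticate_client(params):
    """Client authentication with credentials in the request body (section 2.3.1)."""
    client_id = params.get("client_id", [None])[0]
    client_secret = params.get("client_secret", [""])[0]
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret leaks nothing through timing.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        raise OAuthError("invalid_client")
    return client_id


def handle_token_request(body, now=None):
    """Validate a form-encoded token request; return what the token should carry."""
    now = time.time() if now is None else now
    params = parse_qs(body, keep_blank_values=True)
    client_id = _authenticate_client(params)

    if params.get("grant_type", [None])[0] != "authorization_code":
        raise OAuthError("unsupported_grant_type")
    code = params.get("code", [None])[0]
    if code is None:
        raise OAuthError("invalid_request", "code missing")

    record = CODES.get(code)
    if record is None or record.used or now - record.issued_at > CODE_LIFETIME:
        raise OAuthError("invalid_grant", "code unknown, already used or expired")
    if record.client_id != client_id:
        raise OAuthError("invalid_grant", "code was issued to another client")
    # Step 5: redirect_uri MUST be present and identical if it was in the
    # authorization request; this stops a code captured on one URI from being
    # redeemed by a client that sends a different one.
    sent = params.get("redirect_uri", [None])[0]
    if record.redirect_uri is not None and sent != record.redirect_uri:
        raise OAuthError("invalid_grant", "redirect_uri mismatch")

    record.used = True  # single use: a replayed code must fail
    return {"client_id": client_id, "scope": record.scope}
```

The error codes raised (invalid_client, invalid_grant, invalid_request, unsupported_grant_type) are the ones RFC 6749 section 5.2 defines for the token endpoint's error response.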
  • 17. Implicit
    1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
    2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
    3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier.
    4. The redirection URI includes the access token in the URI fragment. The user-agent follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]).
    5. The user-agent retains the fragment information locally. The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment.
    6. The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token.
    7. The user-agent passes the access token to the client.
  • 18. Request
    • response_type REQUIRED. Value MUST be set to "token".
    • client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
    • redirect_uri OPTIONAL. As described in Section 3.1.2.
    • state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
    Example request:
      GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
      Host: server.example.com
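Slides 17 and 18 put the access token in the URI fragment and recommend the state parameter against cross-site request forgery. The block below is an added Python example, not part of this deck, of the client's side of that exchange: it builds the response_type=token request with a freshly generated state, then parses the fragment of the redirect URI and accepts the token only when the returned state matches one this client issued. The authorization endpoint URL and client_id are taken from the slide; the PENDING_STATES set is a constructed stand-in for per-session storage.

```python
"""Client-side handling of the implicit grant redirect (RFC 6749 section 4.2).

Added example, not from the slides. PENDING_STATES stands in for the
per-user-session store a real client would use.
"""
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"  # host from the slide
PENDING_STATES = set()  # constructed: states issued and not yet consumed


def build_authorization_request(client_id, redirect_uri, scope=None):
    """Return (URL, state) for a GET with response_type=token and a fresh state."""
    state = secrets.token_urlsafe(16)  # unguessable, bound to this session
    PENDING_STATES.add(state)
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def parse_fragment(redirect_url):
    """Token parameters travel in the fragment (step 4), never the query string."""
    fragment = urlsplit(redirect_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}


def handle_callback(redirect_url):
    """Return the token parameters only if the state matches a pending request."""
    params = parse_fragment(redirect_url)
    state = params.get("state", "")
    match = next((s for s in PENDING_STATES if hmac.compare_digest(s, state)), None)
    if match is None:
        # Section 10.12: a callback whose state we did not issue is not ours.
        raise ValueError("state mismatch; callback rejected")
    PENDING_STATES.discard(match)  # each state is accepted exactly once
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    if "access_token" not in params:
        raise ValueError("fragment carries no access_token")
    result = {"access_token": params["access_token"],
              "token_type": params.get("token_type", "")}
    if "expires_in" in params:
        result["expires_in"] = int(params["expires_in"])
    if "scope" in params:
        result["scope"] = params["scope"]
    return result
```

A callback that carries the token in the query string instead of the fragment has an empty fragment and therefore no matching state, so handle_callback rejects it; that is the intended behaviour, since the token must never reach the web-hosted client resource in the request line.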
  • 19. Resource Owner Password Credential
    1. The resource owner provides the client with its username and password.
    2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.
    3. The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.
  • 20. Request
    • grant_type REQUIRED. Value MUST be set to "client_credentials".
    • client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
    Example request:
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token
      &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
      &client_id=s6BhdRkqt3
      &client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
  • 21. Client Credential
    1. The client authenticates with the authorization server and requests an access token from the token endpoint.
    2. The authorization server authenticates the client, and if valid, issues an access token.
  • 22. Request
    • grant_type REQUIRED. Value MUST be set to "client_credentials".
    • client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
    Example request:
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token
      &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
      &client_id=s6BhdRkqt3
      &client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
  • 23. Response
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "token_type":"example",
        "expires_in":3600,
        "example_parameter":"example_value"
      }
  • 24. Refresh Token
      POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=refresh_token
      &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
      &client_id=s6BhdRkqt3
      &client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
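Slides 19 to 24 cover the grants that go straight to the token endpoint, the success response, and the refresh request. The block below is an added Python example, not part of this deck, of the client's side: it builds the form-encoded bodies for the three body-based grants with the grant_type values RFC 6749 assigns them (password in section 4.3.2, client_credentials in section 4.4.2, refresh_token in section 6; the deck's slide 20 lists client_credentials for the password grant, and the request bodies printed on slides 15, 20 and 22 are all the refresh request of slide 24), parses the slide 23 response into an expiry instant, and decides when to send the slide 24 refresh request. Token endpoint, client_id, client_secret and the response fields are the slide values; the refresh_token added to the sample response is constructed so that the refresh step can be exercised.

```python
"""Client side of the token endpoint (RFC 6749 sections 4.3, 4.4, 5 and 6).

Added example, not from the slides. The refresh_token in the sample response
used by the tests is constructed; slide 23 does not include one.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"  # Host from the slides
FORM = "application/x-www-form-urlencoded"


@dataclass
class TokenSet:
    access_token: str
    token_type: str
    expires_at: Optional[float]   # absolute time; None if no expires_in was given
    refresh_token: Optional[str]
    scope: Optional[str]


def _post(params):
    """Form-encoded POST with client credentials in the body (section 2.3.1)."""
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Content-Type": FORM}, "body": urlencode(params)}


def password_request(username, password, client_id, client_secret, scope=None):
    """Section 4.3.2: grant_type MUST be "password" for resource owner password credentials."""
    p = {"grant_type": "password", "username": username, "password": password,
         "client_id": client_id, "client_secret": client_secret}
    if scope:
        p["scope"] = scope
    return _post(p)


def client_credentials_request(client_id, client_secret, scope=None):
    """Section 4.4.2: grant_type MUST be "client_credentials"."""
    p = {"grant_type": "client_credentials",
         "client_id": client_id, "client_secret": client_secret}
    if scope:
        p["scope"] = scope
    return _post(p)


def refresh_request(tokens, client_id, client_secret, scope=None):
    """Section 6: grant_type "refresh_token"; reproduces the body on slide 24."""
    if tokens.refresh_token is None:
        raise ValueError("server issued no refresh token; run the grant again instead")
    p = {"grant_type": "refresh_token", "refresh_token": tokens.refresh_token,
         "client_id": client_id, "client_secret": client_secret}
    if scope:
        p["scope"] = scope
    return _post(p)


def parse_token_response(status, headers, body, now=None):
    """Accept a section 5.1 success response; surface a section 5.2 error otherwise.

    The Cache-Control: no-store / Pragma: no-cache headers on the response mean
    the client must not let any HTTP cache or log retain this body.
    """
    now = time.time() if now is None else now
    if not headers.get("Content-Type", "").startswith("application/json"):
        raise ValueError("token endpoint must answer with application/json")
    data = json.loads(body)
    if status != 200:
        raise ValueError("token request failed: " + str(data.get("error", "unknown")))
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("success response is missing access_token or token_type")
    expires_in = data.get("expires_in")
    return TokenSet(
        access_token=data["access_token"],
        token_type=data["token_type"],
        expires_at=None if expires_in is None else now + int(expires_in),
        refresh_token=data.get("refresh_token"),
        scope=data.get("scope"),
    )


def needs_refresh(tokens, now=None, skew=60):
    """True once the token is within `skew` seconds of expiry; refresh before it lapses."""
    now = time.time() if now is None else now
    return tokens.expires_at is not None and now + skew >= tokens.expires_at
```

The request dictionaries returned here are what an HTTP library would send; they are kept as data so the bodies can be inspected without a network.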
  • 25. Scope The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.
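Slide 25 gives the rules for the scope parameter: space-delimited, case-sensitive, order-independent, each string adding an access range. The block below is an added Python example, not part of this deck, that turns those rules into code and adds the two checks a practitioner wants around them: on the server, narrowing the requested scope to what the client is allowed (and flagging when the "scope" response parameter becomes required because the grant was narrowed); on the client, confirming that a granted scope covers what a call needs. The scope-token character rule in the comment is the grammar from RFC 6749 section 3.3; the scope names used in the tests are constructed.

```python
"""Scope handling per RFC 6749 section 3.3 and the "scope" response parameter of 5.1.

Added example, not from the slides. Scope names such as "read" and "write" in
the usage are constructed; the RFC leaves the strings to the authorization server.
"""


def _valid_token(tok):
    # scope-token = 1*( %x21 / %x23-5B / %x5D-7E ):
    # printable ASCII, at least one character, without space, '"' or '\'.
    return tok != "" and all(0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in tok)


def parse_scope(value):
    """Return the set of scope strings; raise on an empty or malformed value.

    A set is the right representation: order does not matter, and strings are
    compared case-sensitively, so "Read" and "read" are different scopes.
    Splitting on a single space keeps the grammar strict: leading, trailing
    or doubled spaces produce an empty token and are rejected.
    """
    tokens = value.split(" ")
    if any(not _valid_token(t) for t in tokens):
        raise ValueError("malformed scope: %r" % value)
    return set(tokens)


def format_scope(tokens):
    """Serialize a scope set for a request or response; sorted only for determinism."""
    return " ".join(sorted(tokens))


def issue_scope(requested, allowed):
    """Server side: grant only the intersection of the request and the client's allowance.

    Returns (granted, must_echo). must_echo is True when the granted scope
    differs from the request; section 5.1 then makes the "scope" response
    parameter REQUIRED (it is OPTIONAL when the two are identical).
    """
    req = parse_scope(requested)
    granted = req & set(allowed)
    if not granted:
        raise ValueError("invalid_scope")  # section 5.2 error code
    return granted, granted != req


def covers(granted, needed):
    """Client side: does the granted scope include every scope this call needs?"""
    return parse_scope(needed) <= set(granted)
```

Rejecting a malformed scope early, rather than quietly dropping empty or illegal tokens, keeps the server and client agreeing on exactly which access ranges were granted.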