OAuth 2.0                            Amit Harsola                            Wipro Technologies1   © 2012 WIPRO LTD | WWW....
Objective    The purpose of the presentation is to explain the need for an    authorization standard and how does OAuth ad...
Agenda    1   Social Web Integration    2   What is OAuth and Why?    3   History    4   Insight    5   Client Libraries  ...
Social Web Integration    The evolving world of Information Technology is changing the way people    socialize, share info...
Social Web Integration    In a typical web authentication model, user owning the resource shares    credentials with other...
Social Web Integration    Several proprietary authorization protocols have emerged to address the    integration problem i...
What is OAuth?    OAuth stands for “Open Authorization”    An open standard protocol that provides simple and secure autho...
Why OAuth?    OAuth is created by studying each of the proprietary protocols and extracting the    best practices to suppo...
History    OAuth Core specification 1.0 was published in Dec 2007    To fix a security issue, a revised specification was ...
Insight – 1.0 & 1.0a     OAuth 1.0 protocol mandates cryptographic signatures to be sent with each call     to verify the ...
Insight – Introduction     OAuth eliminates the need for cryptographic signatures in 2.0 through use of SSL.     It mandat...
Insight – Introduction       User accesses consumer application which first gets user authenticated        through API Pr...
Insight – Building Blocks                 Building Blocks of OAuth             Roles            Registration              ...
Insight – Roles                                                                                     Resource Owner     Cli...
Insight – Client Registration     OAuth requires Clients to register with the authorization server before making     any A...
Insight – Client Profiles     OAuth supports three client types     •   Server Side Web Application            Client is ...
Insight – Tokens     OAuth protocol supports bearer tokens. Once authorized, using bearer token     client can request to ...
Insight – Grant Types     Grant is a credential which represents owner’s authorization and used by client to     access ow...
Insight – End Points     Endpoints are the URIs which Client uses to make requests. Protocol supports     following author...
Insight – Authorization Flows     OAuth defines four authorization flows       Server Side Web Application Flow       Us...
Insight – Server Side Web Application Flow     Key Features     1. Two step protocol i.e. request for authorization code a...
Insight – Server Side Application Flow       Client                                       Resource Owner                 A...
Insight – Server Side Web Application Flow     Authorization Flow Steps     1.   The client initiates the flow by directin...
Insight – Server Side Web Application Flow     Authorization Request – Step 1 & 2     As part of the request URI (Authoriz...
Insight – Server Side Web Application Flow     Authorization Response – Step 3     The response generated by the authoriza...
Insight – Server Side Web Application Flow     Error Response – Step 3     If the authorization request fails due to any r...
Insight – Server Side Web Application Flow     Access Token Request – Step 4     After successful authorization, client ma...
Insight – Server Side Web Application Flow     Access Token Response – Step 5     For a valid and authorized access token ...
Insight – User Agent Application Flow     Key Features     1. No separate authorization and access token request     2. Cl...
Insight – Server Side Application Flow - I     Client                User Agent           Resource Owner                 A...
Insight – User Agent Application Flow - I     Authorization Flow Steps     1.   The client initiates the flow by directing...
Insight – Server Side Application Flow - II                                                                               ...
Insight – User Agent Application Flow - II     Authorization Flow Steps     1.   The client initiates the flow by directin...
Insight – User Agent Application Flow     Authorization Request – Step 1 & 2     As part of the request URI (Authorization...
Insight – User Agent Application Flow     Access Token Response – Step 3     The authorization server issues an access tok...
Insight – User Agent Application Flow     Parsing Access Token – Step 4, 5, 6 & 7 or 4     The access token received as pa...
Insight - Resource Owner Credentials Grant Flow     Key Features     1. There is exchange of user’s credential for tokens ...
Insight - Resource Owner Credentials Grant Flow      Resource Owner                                            Client     ...
Insight - Resource Owner Credentials Grant Flow     Authorization Flow Steps     1. The resource owner provides the client...
Insight - Resource Owner Credentials Grant Flow     Access Token Request – Step 1 & 2     Client makes request for access ...
Insight - Resource Owner Credentials Grant Flow     Access Token Response     For a valid and authorized access token requ...
Insight – Client Credentials Flow     Key Features     1. No support for Refresh Token     2. No authorization grant42    ...
Insight - Client Credentials Flow                                                                               Authorizat...
Insight - Client Credentials Flow     Authorization Flow Steps     1. The client authenticates with the authorization serv...
Insight - Client Credentials Flow     Authorization Request and Response     Since the client authentication is used as th...
Insight - Client Credentials Flow     Access Token Request – Step 1     Client makes request for access token to the token...
Insight - Client Credentials Flow     Access Token Response     For a valid and authorized access token request, authoriza...
Insight - Client Credentials Flow      When to use Client Credentials Flow      1. Client itself is the resource owner    ...
Insight – Refresh Token     Tokens can have expiry. If authorization server has issued refresh token, clients can     requ...
Insight – SAML Assertion     SAML has become a de-facto standard for exchanging authentication and     authorization data ...
Insight – SAML Assertion        Using SAML Assertion as an Authorization Grant                                            ...
Insight - SAML Assertion     Authorization Flow Steps     1. After fetching SAML assertion from its Identity Provider, the...
Insight - SAML Assertion     Access Token Request – Step 1     To use a SAML Bearer Assertion as an authorization grant, c...
Insight - SAML Assertion     Access Token Response – Step 2     To use a SAML Bearer Assertion as an authorization grant, ...
Insight – SAML Assertion     Access Token Response     For a valid and authorized access token request, authorization serv...
Insight – SAML Assertion     SAML Assertion can also be used as a client authentication mechanism. The     use of an Asser...
Libraries     OAuth flows are simple enough to be used with HTTP APIs by any API     consumer. But client libraries are al...
Libraries     To implement the OAuth protocol, not enough matured libraries are available. However,     there are few opti...
Use Cases     Few OAuth use cases     Social Portals     Financials     Cloud     Applicable across industry where open an...
Use Cases – Social Portals     Social Portals          It is the most common use case where organization intends to levera...
Use Cases - Financial     Financial          Another use case of OAuth could be Personal Finance Management Applications. ...
Use Cases - Cloud     Cloud          Protocol could be handy for Organizations wanting to utilize the services offered on ...
Challenges     1. Protocol gaining visibility in the industry but not yet a standard     2. OAuth 2.0 Specification is in ...
References     Website     http://oauth.net/2     Specifications     http://tools.ietf.org/html/draft-ietf-oauth-v2-30 (ma...
Amit Harsola                                                              Senior Architect                                ...
Upcoming SlideShare
Loading in …5
×

Understanding OAuth 2.0

14,028 views

Published on

Explains the need for standard authorization and concepts of OAuth 2.0

Published in: Technology
  • Be the first to comment

Understanding OAuth 2.0

  1. 1. OAuth 2.0 Amit Harsola Wipro Technologies1 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  2. 2. Objective The purpose of the presentation is to explain the need for an authorization standard and how does OAuth addresses requirements2 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  3. 3. Agenda 1 Social Web Integration 2 What is OAuth and Why? 3 History 4 Insight 5 Client Libraries 6 Provider Implementation 7 Use Cases 8 Challenges 9 References3 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  4. 4. Social Web Integration The evolving world of Information Technology is changing the way people socialize, share information and access applications. Applications over the web allows organizations ways to leverage their users to communicate or provide value added services using their offerings This necessitates need for Applications to exchange protected information Social Web Integration is about how web based applications integrate and share protected data which benefits both consumer and provider in some way Such integration typically involves User Authorization before any sharing of data4 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  5. 5. Social Web Integration In a typical web authentication model, user owning the resource shares credentials with other applications to provide them access to their protected data The above approach presents significant challenges for the resource owners 1. It requires sharing of passwords in clear text which third party applications stores for any future use 2. Any compromise of third party application results in compromise of user’s password and its data 3. Resource access revocation is only possible by user through password change 4. Third party applications have full access to user’s data i.e. no data level or data scope access5 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  6. 6. Social Web Integration Several proprietary authorization protocols have emerged to address the integration problem i.e. AuthSub (Google), OpenAuth (AOL), BBAuth (Yahoo), Amazon Web Services API, etc These proprietary protocols burdens the API consumers with implementations, all serving the same purpose i.e. web integration for exchange of protected data. Internet Engineering Task Force (IETF) have proposed an OAuth protocol which integrates the commonalities and adopts the best practices of the proprietary Web authorization protocols into a single open standard6 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  7. 7. What is OAuth? OAuth stands for “Open Authorization” An open standard protocol that provides simple and secure authorization for different types of applications A simple and safe method for consumers to interact with protected data Allows providers to give access to users without any exchange of credentials Designed for use only with HTTP protocol. It does not support any other protocol7 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  8. 8. Why OAuth? OAuth is created by studying each of the proprietary protocols and extracting the best practices to support new implementations as well as a smooth transition for existing services to support OAuth It is flexible, compatible and designed to work with mobile devices and desktop applications Provides a method for users to grant third-party access to their resources without sharing their credentials. Provides a way to grant limited access in terms of scope and duration Has support from big players in the industry8 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  9. 9. History OAuth Core specification 1.0 was published in Dec 2007 To fix a security issue, a revised specification was published in June 2009 OAuth 2.0 is a completely new protocol which is not backwards compatible with previous versions. However, it retains the overall architecture and approach established by the previous versions. Latest OAuth 2.0 daft is v30. Expected to get finalized by end of 2012 Various Services on the Web already support OAuth 2.0  Facebooks Graph API  Foursquare  Github  Google  Salesforce  Windows Live9 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  10. 10. Insight – 1.0 & 1.0a OAuth 1.0 protocol mandates cryptographic signatures to be sent with each call to verify the identity and authorization of client In OAuth 1.0, the API client and server share a token. Client generates a signature on every API call by encrypting information using the token. The server generates the same signature and grant access only if both signatures match Does not specify authorization for non-web applications OAuth 1.0a is a patch release that fixes the attack against the OAuth Request Token approval flow10 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  11. 11. Insight – Introduction OAuth eliminates the need for cryptographic signatures in 2.0 through use of SSL. It mandates to use TLS with the protocol SSL is required for all the interactions required to generate the token, thus reducing complexity Supports authorizations in mobile, browser and JavaScript applications Clearly separates the roles of different actors and part of protocol they are responsible for11 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  12. 12. Insight – Introduction  User accesses consumer application which first gets user authenticated through API Provider application for any exchange of information  Once authenticated, consumer application and Provider exchange tokens for authorization  After successful authorization, consumer application gets access to users resources on Provider application Data Exchange Access Consumer API Application Provider User12 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  13. 13. Insight – Building Blocks Building Blocks of OAuth Roles Registration Tokens Authorization Profiles Grants Flows Request/Response Endpoints Parameters13 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  14. 14. Insight – Roles Resource Owner Client Authorization Grant Request An entity referring to a system An or a person (end-user) owning applicatio the resources n that makes request Authorization Server for Access Token protected resources Request Server responsible for issuing on behalf access tokens to the client of after successfully Resource authenticating the resource Owner owner and obtaining with its authorization authorizati Protected Resource on Access Request Resource Server An entity referring to a system or a person (end- user) owning the resources The authorization server may be the same server as the resource server or a separate entity14 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  15. 15. Insight – Client Registration OAuth requires Clients to register with the authorization server before making any API requests Protocol leaves the registration mechanism open to API Provider As part of registration, OAuth expects  Client Type  Redirections URI(s)  Any other information required by API (data specific to the provider) Example: Visit  http://code.google.com/apis/console  https://developers.facebook.com/apps Successful registration results in issuance of credentials (Client ID & Client Secret) to client15 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  16. 16. Insight – Client Profiles OAuth supports three client types • Server Side Web Application  Client is a server hosting the client application  When accessed by Resource Owner, Client Application makes API calls using appropriate programming language.  Secret or access tokens are not exposed to the user  Client requires repetitive access to protected resources • User Agent based Application  JavaScript, Flash plug-in, browser extension or any downloaded executing in browser could be OAuth client  Protocol data and credentials are easily accessible (and often visible) to the resource owner  There is no concern on token leakage to entrusted users or applications • Native Application  OAuth client is installed and executed on the resource owner’s device  Protocol data and credentials are accessible to resource owner  Possible limitations on use of web browser and its usage  Official applications released by API provider  Migration of existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token16 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  17. 17. Insight – Tokens OAuth protocol supports bearer tokens. Once authorized, using bearer token client can request to access resource What is Bearer Token? A security token is something that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can which requiring bearer to present proof-of-possession Protocol defines two types of tokens used in the process • Access Token These are credentials required to access the protected resources. Represents the grants scope, duration, and other attributes granted by the authorization grant • Refresh Token Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires etc17 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  18. 18. Insight – Grant Types Grant is a credential which represents owner’s authorization and used by client to access owner’s protected resources. Grant types defined by the specification Authorization Code Suited for Server Side Clients Implicit Optimized for User agent (browser) based clients Resource Owner Password Credentials Resource Owner’s credentials (username/password) could be used to obtain access token. Could be used by trusted clients like mobile application Client Credentials Typically used by application to obtain access token for resources owned by the client or if there is some offline authorization agreed with an authorization server18 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  19. 19. Insight – End Points Endpoints are the URIs which Client uses to make requests. Protocol supports following authorization server endpoints Authorization Endpoint Endpoint used by client to obtain resource authorization from resource owner Token Endpoint Used by client to retrieve access or refresh token Redirection Endpoint Authorization server uses the endpoint to redirect after authorization process19 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  20. 20. Insight – Authorization Flows OAuth defines four authorization flows  Server Side Web Application Flow  User Agent (Browser) Application Flow  Resource Owner Password Flow  Client Credentials Flow20 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  21. 21. Insight – Server Side Web Application Flow Key Features 1. Two step protocol i.e. request for authorization code and access token request 2. Support for Refresh Tokens 3. Authorization code is used to obtain both access and refresh token21 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  22. 22. Insight – Server Side Application Flow Client Resource Owner Authorization Server User Agent Step 1. Redirection Step 1. Client Identifier and Redirection URI Step 2. Step 2. User Authorizes Step 3. Authorization Code Step3. Step 4. Authorization Code and Redirection URI Step 5. Access Token (with Optional Refresh Token) Step 6. Access Protected Resources using Access Token22 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  23. 23. Insight – Server Side Web Application Flow Authorization Flow Steps 1. The client initiates the flow by directing the resource owners user-agent (browser) to the authorization endpoint. The client includes its client credentials , scope, state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) 2. The authorization server authenticates the resource owner and determines whether the resource owner grants or denies the clients access request 3. The authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes an authorization code and state provided by the client earlier 4. The client requests an access token from the authorization servers token endpoint by including the authorization code. The client includes the redirection URI used to obtain the authorization code for verification 5. The authorization server authenticates the client, validates the authorization code, and ensures the redirection URI received matches the URI used to redirect the client in step (3). If valid, the authorization server responds back with an access token and optionally, a refresh token 6. Using access token, client access the resource owner’s protected resources23 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  24. 24. Insight – Server Side Web Application Flow Authorization Request – Step 1 & 2 As part of the request URI (Authorization Endpoint), Client is required to pass following parameters 1. response_type (required): Value set to ‘code’ 2. client_id (required) : Value set to the client id received during registration 3. redirect_uri (optional): Not required, if the URI was provided during client registration 4. scope (optional): Represents application data scope. Usually contains a space- delimited strings. The valid values are provided by API Provider 5. state (optional): Optional but recommended to be used to prevent cross site request forgery. Contains some random string to maintain state between request and callback24 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  25. 25. Insight – Server Side Web Application Flow Authorization Response – Step 3 The response generated by the authorization server contains the authorization code and the state present in the request URI 1. code (required): The authorization code generated by the authorization server 2. state (optional): Required only if state parameter was part of the authorization request URI25 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  26. 26. Insight – Server Side Web Application Flow Error Response – Step 3 If the authorization request fails due to any reason, the authorization server informs the client by adding parameters to the redirection URI 1. error (required): Value set to one of the following  invalid_request  unauthorized_client  access_denied  unsupported_response_type  invalid_scope  server_error  temporarily_unavailable 2. error_description (optional): Additional information about the error 3. error_uri (optional): A web page with information about the error 4. state (optional): Required only if state parameter was part of the authorization request URI26 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  27. 27. Insight – Server Side Web Application Flow Access Token Request – Step 4 After successful authorization, client makes request for access token passing 1. grant_type (required) : Value set to ‘authorization_code’ 2. code (required) : Value set to authorization code received during request authorization 3. redirect_uri (required) : Required, if the "redirect_uri" parameter was included in the authorization request and values are identical 4. client_id (required) : Value set to the client id received during registration27 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  28. 28. Insight – Server Side Web Application Flow Access Token Response – Step 5 For a valid and authorized access token request, authorization server issues an access token and optional refresh token in JSON encoded format { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":“bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", }28 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  29. 29. Insight – User Agent Application Flow Key Features 1. No separate authorization and access token request 2. Client receives the access token in response to authorization request 3. Does not support Refresh Tokens29 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  30. 30. Insight – Server Side Application Flow - I Client User Agent Resource Owner Authorization Server Step1. Redirection Step 1. Client Identifier and Redirection URI Step 2. Step 2. User Authorizes Step 3. Redirection URI with Access Token in Fragment Step 4. Step 5. Access Protected Resources using Access Token30 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  31. 31. Insight – User Agent Application Flow - I Authorization Flow Steps 1. The client initiates the flow by directing the resource owners user-agent (browser) to the authorization endpoint. The client includes its client credentials , scope, state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) 2. The authorization server authenticates the resource owner and establishes whether the resource owner grants or denies the clients access request 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment 4. The user-agent extracts the access token and passes it to the client 5. Using access token, client access the resource owner’s protected resources31 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  32. 32. Insight – Server Side Application Flow - II Web Hosted Client User Agent Resource Owner Authorization Client Resource Server Step1. Step 1. Client Identifier and Redirection URI Step 2. Step 2. User Authorizes Step 3. Redirection URI with Access Token in Fragment Step 4. Redirection URI without Fragment Step 5. Access Token (with Optional Refresh Token) Step 6. Step 7. Step 8. Access Protected Resources using Access Token32 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  33. 33. Insight – User Agent Application Flow - II Authorization Flow Steps 1. The client initiates the flow by directing the resource owners user-agent (browser) to the authorization endpoint. The client includes its client credentials , scope, state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied) 2. The authorization server authenticates the resource owner and establishes whether the resource owner grants or denies the clients access request 3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment 4. The user-agent follows the redirection instructions by making a request to the web-hosted client resource. The user-agent retains the fragment information locally 5. The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment 6. The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token and passes it to the client 7. Using access token, client access the resource owner’s protected resources33 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  34. 34. Insight – User Agent Application Flow Authorization Request – Step 1 & 2 As part of the request URI (Authorization Endpoint URI), Client is required to pass same parameters as Server Side Web Application Flow34 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  35. 35. Insight – User Agent Application Flow Access Token Response – Step 3 The authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI 1. access_token (Required): The access token issued by authorization server 2. token_type (Required): Value set to bearer 3. expires_in (Optional): Recommended to define the lifetime in seconds. If omitted, the authorization server should provide the expiration time via other means or document the default value 4. scope (Optional): Optional, if identical to the scope requested by the client, otherwise Required 5. state (Optional): Required only if state parameter was part of the authorization request URI35 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  36. 36. Insight – User Agent Application Flow Parsing Access Token – Step 4, 5, 6 & 7 or 4 The access token received as part of the URL in the Access Token Response is extracted by the User Agent and send to the client36 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  37. 37. Insight - Resource Owner Credentials Grant Flow Key Features 1. There is exchange of user’s credential for tokens 2. Trusted Relationship between resource owner and the client37 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  38. 38. Insight - Resource Owner Credentials Grant Flow Resource Owner Client Authorization Server Step 1. Resource Owner Password Credentials Step 2. Resource Owner Password Credentials Step 3. Access Token (w/ Optional Refresh Token) Step 4. Access Protected Resources38 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  39. 39. Insight - Resource Owner Credentials Grant Flow Authorization Flow Steps 1. The resource owner provides the client with its username and password. 2. The client requests an access token from the authorization servers token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server. 3. The authorization server authenticates the client and validates the resource owner credentials, and if valid issues an access token 4. Using access token, client access the resource owner’s protected resources39 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  40. 40. Insight - Resource Owner Credentials Grant Flow Access Token Request – Step 1 & 2 Client makes request for access token passing following parameters 1. grant_type (required): Value set to "password". 2. username (required): Set to the resource owner username. 3. password (required): Value set to the resource owner password. 4. scope (optional): Represents application data scope. Usually contains a space- delimited strings. The valid values are provided by API Provider40 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  41. 41. Insight - Resource Owner Credentials Grant Flow Access Token Response For a valid and authorized access token request, authorization server issues an access token and optional refresh token in JSON encoded format { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":“bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", }41 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  42. 42. Insight – Client Credentials Flow Key Features 1. No support for Refresh Token 2. No authorization grant42 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  43. 43. Insight - Client Credentials Flow Authorization Client Server Step 1. Client Authentication Step 2. Access Token Step 3. Access Protected Resources43 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  44. 44. Insight - Client Credentials Flow Authorization Flow Steps 1. The client authenticates with the authorization server and requests an access token from the token endpoint. 2. The authorization server authenticates the client, and if valid issues an access token 3. Using access token, client access the resource owner’s protected resources44 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  45. 45. Insight - Client Credentials Flow Authorization Request and Response Since the client authentication is used as the authorization grant, no additional authorization request is needed45 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  46. 46. Insight - Client Credentials Flow Access Token Request – Step 1 Client makes request for access token to the token endpoint passing 1. grant_type (required): Value set to "client_credentials". 2. scope (optional): Represents application data scope. Usually contains a space- delimited strings. The valid values are provided by API Provider46 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  47. 47. Insight - Client Credentials Flow Access Token Response For a valid and authorized access token request, authorization server issues an access token in JSON encoded format { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":“bearer", "expires_in":3600, }47 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  48. 48. Insight - Client Credentials Flow When to use Client Credentials Flow 1. Client itself is the resource owner 2. Access to protected resources has been granted without use of OAuth protocol48 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  49. 49. Insight – Refresh Token Tokens can have expiry. If authorization server has issued refresh token, clients can request to refresh the access token by passing 1. grant_type (required) : Set to "refresh_token“ 2. refresh_token (required): Value set to the refresh token issued earlier 3. scope (optional): Identical to the scope sent in earlier request49 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  50. 50. Insight – SAML Assertion SAML has become a de-facto standard for exchanging authentication and authorization data between security domains. The core specification does not mention the use of SAML assertion for authorization. However, there is an extension to the core protocol specification that defines the use of SAML 2.0 Bearer Assertion grant type to request access token as well as client authentication The OAuth 2.0 Assertion Profile is an abstract extension to OAuth 2.0 that provides a framework for the use of Assertions as client credentials and/or authorization grants with OAuth 2.0. The processing of assertion is similar to the web SSO50 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  51. 51. Insight – SAML Assertion Using SAML Assertion as an Authorization Grant Authorization Server Step 1. SAML 2.0 Bearer Assertion Client Step 2. Access Token Identify Provider51 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  52. 52. Insight - SAML Assertion Authorization Flow Steps 1. After fetching SAML assertion from its Identity Provider, the client requests an access token with the authorization server (It is assumed there is existing trust relationship 2. The authorization server authenticates the client, and if valid issues an access token52 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  53. 53. Insight - SAML Assertion Access Token Request – Step 1 To use a SAML Bearer Assertion as an authorization grant, client passes the following parameters 1. grant_type (required): Value set to "urn:ietf:params:oauth:grant-type:saml2-bearer“ 2. assertion (required): Value set to single SAML 2.0 Assertion XML data encoded using base64 3. scope (optional): Represents application data scope. Usually contains a space- delimited strings. The valid values are provided by API Provider53 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  54. 54. Insight - SAML Assertion Access Token Response – Step 2 To use a SAML Bearer Assertion as an authorization grant, client passes the following parameters 1. grant_type (required): Value set to "urn:ietf:params:oauth:grant-type:saml2-bearer“ 2. assertion (required): Value set to single SAML 2.0 Assertion XML data encoded using base64 3. scope (optional): Represents application data scope. Usually contains a space-delimited strings. The valid values are provided by API Provider54 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  55. 55. Insight – SAML Assertion Access Token Response For a valid and authorized access token request, authorization server issues an access token in JSON encoded format { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":“urn:ietf:params:oauth:grant-type:saml2-bearer ", "expires_in":3600, }55 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  56. 56. Insight – SAML Assertion SAML Assertion can also be used as a client authentication mechanism. The use of an Assertion for client authentication is orthogonal and separable from using an Assertion as an authorization grant and the two can be used either in combination or in isolation. The process by which the client obtains the SAML Assertion, prior to exchanging it with the authorization server or using it for client authentication, is defined out of scope by specification56 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  57. 57. Libraries OAuth flows are simple enough to be used with HTTP APIs by any API consumer. But client libraries are also available which makes using OAuth more simpler Big API providers like Google, SaleForce, Yahoo, Facebook etc provide client libraries for integration with their APIs. These libraries abstract the OAuth 2.0 client implementation details and makes it easier for Clients Google provides client libraries for all popular programming languages like Java, PHP, JavaScript, Ruby and Python More details at @http://oauth.net/2/57 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  58. 58. Libraries To implement the OAuth protocol, not enough matured libraries are available. However, there are few options Apache provides an OAuth implementation in java which works with all API providers that support OAuth 2.0 http://incubator.apache.org/amber/ Scribe is another one that works with all APIs https://github.com/fernandezpablo85/scribe-java If there is a need for custom implementation, consider 1. Implementation of Authorization, Access and Refresh Token End Points 2. Generation, persistence and validation of Grants and Tokens 3. Use of JSON library for access token response generation 4. Client Registration application 5. Wrapper to abstract OAuth specific request and response processing58 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  59. 59. Use Cases Few OAuth use cases Social Portals Financials Cloud Applicable across industry where open and restricted authorization is required59 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  60. 60. Use Cases – Social Portals Social Portals It is the most common use case where organization intends to leverage the users of Social Applications and APIs offered by them Printing Flickr Application Access Printing Application Grant Access To Photos Retrieve Photos Print Photos Deliver Printed Photos60 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  61. 61. Use Cases - Financial Financial Another use case of OAuth could be Personal Finance Management Applications. Banking users could authorize bank to share all banking transactions with Money Finance Application which would provide an holistic view of user’s financials Personal Banking Finance App Application Add Account Access Application Authorize Retrieve Transactions61 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  62. 62. Use Cases - Cloud Cloud Protocol could be handy for Organizations wanting to utilize the services offered on the cloud for any background activity to be done on behalf of its users Authenticate Service dad Service Access Token Consumer Consume Service on behalf of its users Cloud62 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  63. 63. Challenges 1. Protocol gaining visibility in the industry but not yet a standard 2. OAuth 2.0 Specification is in draft state and not yet approved 3. There are no standard libraries available. Also, available libraries implement different draft versions. Apache Amber is still in incubator stage 4. Most of the Security related concerns are left to specification implementations63 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  64. 64. References Website http://oauth.net/2 Specifications http://tools.ietf.org/html/draft-ietf-oauth-v2-30 (main) http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-23 (extension) http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 (extension) http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-13 (extension) Books Getting.Started.with.OAuth.2.0 (Oreilly Publication) Not to forget Big Brother http://google.com64 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL
  65. 65. Amit Harsola Senior Architect amit.harsola@wipro.com65 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL

×