OAuth 2.0 101

  1. OAuth 2.0 101
     Adapting to the Web Beyond the Browser
     Anand Sharma, IT Architect
     April 2012
     © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
  2. Beyond the Browser:
  4. For successful companies, 80% of traffic will come from beyond the browser.
  5. The resource is some website; the user is the consumer.
     Authorization is granted by an Admin.
  6. The resource is owned by the user.
     The application consumes the resource.
     The application is given too much power.
  8. Because Services (APIs) and Passwords don’t mix well.
  9. OAuth 2.0:
  10. Defines an authorization framework for RESTful services (authorization, not authentication: OAuth 2.0 itself says nothing about how the user is authenticated or how the client learns who the user is)
      Supports a variety of clients, from servers to mobile apps
      Puts the user in control of what resources are shared, mitigating the password anti-pattern
  11. Client: the software application that calls the REST APIs
      Resource Owner: the human end-user whose data is offered up through an API to Clients
      Resource Server (API proxy or host): accepts access tokens on API calls in order to authorize the calling client
      Authorization Server (token server): issues access tokens after authenticating the client and/or the Resource Owner
  12. Access Token (short-lived): applications authenticate to APIs using an Access Token
      Refresh Token (long-lived): if present, can be used to obtain a new Access Token; it is presented only to the Authorization Server, never to the Resource Server, so a leaked refresh token is useless without also impersonating the client it was issued to
  13. 1. Client gets token
      2. Client uses token
      3. Resource Server validates token
      4. Client refreshes token (optional)
      95% of OAuth (and of OAuth complexity) is about step 1, how to get the Access Token, and about OAuth’s confusing terminology.
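The four steps as one runnable simulation. This is an added example, not part of the slides: a toy authorization server and resource server written here in Python, sharing one in-memory token store and driven by a fixed clock so the expiry and refresh steps can be observed. The client name, subject, scopes and one-hour TTL are made up; in a real deployment the two servers are separate services and share token state through token introspection or self-contained signed tokens.

```python
"""The four steps as one runnable simulation: issue, use, validate, refresh.

Constructed example. Authorization server and resource server are plain
objects sharing an in-memory token store; real deployments share that state
through token introspection or signed tokens. Names and scopes are made up.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    client_id: str       # client the token was issued to
    subject: str         # resource owner on whose behalf it acts
    scope: frozenset     # what the resource owner agreed to share
    expires_at: float    # access-token expiry, unix time


class AuthorizationServer:
    """Steps 1 and 4: mints access tokens and honours refresh tokens."""

    ACCESS_TTL = 3600    # short-lived

    def __init__(self):
        self._access = {}    # access token  -> TokenRecord
        self._refresh = {}   # refresh token -> TokenRecord (long-lived)

    def issue(self, client_id, subject, scope, now=None, with_refresh=True):
        # Assumes the grant (code, password, client credentials, ...) has
        # already been validated; this only mints the tokens.
        now = time.time() if now is None else now
        rec = TokenRecord(client_id, subject, frozenset(scope), now + self.ACCESS_TTL)
        access = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        self._access[access] = rec
        resp = {"access_token": access, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": " ".join(sorted(scope))}
        if with_refresh:
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self._refresh[resp["refresh_token"]] = rec
        return resp

    def refresh(self, refresh_token, client_id, now=None):
        # Refresh tokens go to the authorization server only, from the client
        # they were issued to, and are rotated on use: a stolen copy is one-shot.
        # The token is consumed even when the check fails.
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec.client_id != client_id:
            raise PermissionError("invalid_grant")
        return self.issue(rec.client_id, rec.subject, rec.scope, now)

    def introspect(self, access_token, now=None):
        """Active TokenRecord for an access token, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self._access.get(access_token)
        if rec is not None and now >= rec.expires_at:
            del self._access[access_token]
            rec = None
        return rec


class ResourceServer:
    """Step 3: checks the bearer token on every API call."""

    def __init__(self, authorization_server):
        self._as = authorization_server

    def handle(self, headers, required_scope, now=None):
        """Return (status, body) for one API request."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, 'WWW-Authenticate: Bearer realm="api"'
        rec = self._as.introspect(token, now)
        if rec is None:
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        if required_scope not in rec.scope:
            return 403, 'WWW-Authenticate: Bearer error="insufficient_scope"'
        return 200, f"{rec.subject}'s data, served to {rec.client_id}"


def demo(now=1_700_000_000.0):
    """Run the four steps against a fixed clock; returns the statuses seen."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    tok = auth.issue("photo-app", "alice", {"photos:read"}, now=now)        # 1. get token
    bearer = {"Authorization": "Bearer " + tok["access_token"]}
    s_ok, _ = api.handle(bearer, "photos:read", now=now + 10)              # 2./3. use, validate
    s_scope, _ = api.handle(bearer, "photos:write", now=now + 10)          # scope never granted
    s_expired, _ = api.handle(bearer, "photos:read", now=now + 4000)       # past expires_in
    new = auth.refresh(tok["refresh_token"], "photo-app", now=now + 4000)  # 4. refresh
    s_new, _ = api.handle({"Authorization": "Bearer " + new["access_token"]},
                          "photos:read", now=now + 4000)
    return [s_ok, s_scope, s_expired, s_new]


if __name__ == "__main__":
    print(demo())    # [200, 403, 401, 200]
```

What the slides only imply and the run makes visible: the resource server checks scope as well as validity (403 with insufficient_scope, not 401), an expired access token is rejected with invalid_token, a refresh token handed to the resource server is just an unknown token, and rotating refresh tokens on use means a copy stolen from the client can be spent at most once.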
  14. (diagram) Client Identity + Human User Identity -> Access Token: the token stands for what this user has authorized this client to do
  15. Client Credentials grant: directly exchanges the Client’s credentials for an Access Token
      For accessing client-owned resources (no Human User involvement)
  16. Resource Owner Password Credentials grant: directly exchanges the Human User’s credentials for an Access Token
      Useful where the Client is well-trusted by the user and where a browser redirect would be awkward
      Commonly used with trusted mobile apps (at the time; the OAuth 2.0 Security Best Current Practice now advises against this grant entirely, since it hands the user’s password to the client, and points mobile apps to the Authorization Code grant instead)
  17. Authorization Code grant: similar to the OAuth 1.0a flow
      - Starts with a redirect to the provider for authorization
      - After authorization, redirects back to the client with a code query parameter
      - The code is exchanged for an Access Token over a back channel, with the client authenticating itself; the token never passes through the browser
      Client is able to keep tokens confidential
      Commonly used for web apps connecting with providers
  18. Implicit grant: simplified authorization flow
      - After authorization, redirects back to the client with the Access Token in the URL fragment
      Reduced round-trips
      Refresh token is not supported
      Commonly used by in-browser JavaScript apps or widgets (the token in the fragment is exposed to browser history and to any script on the page; the OAuth 2.0 Security Best Current Practice now recommends the Authorization Code grant with PKCE instead)
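The client side of the two redirect-based grants above, as an added example that is not part of the slides: building the authorization request, parsing the redirect back (code in the query string for the Authorization Code grant, token in the fragment for the Implicit grant), checking the state parameter, and building the back-channel request that redeems the code. The endpoints, redirect URI, client id and secret, and the sample code and token values are all constructed for illustration. It goes beyond the slides in one respect: the code grant carries a PKCE code challenge (RFC 7636, which post-dates the deck), since that is what current guidance requires for public clients.

```python
"""Client side of the redirect-based grants: building the authorization request,
checking the redirect back, and exchanging a code for tokens.

Constructed example: the endpoints, client identifier/secret and the sample
code and token values are made up. PKCE (RFC 7636) is included for the code
grant; it post-dates the slide but is what current guidance expects.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example.com/authorize"   # assumed
TOKEN_ENDPOINT = "https://as.example.com/token"       # assumed
REDIRECT_URI = "https://app.example.com/cb"           # assumed, pre-registered


def b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client keeps the verifier; only the S256 challenge goes in the redirect."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """What the authorization server checks when the code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(client_id, scope, state, response_type="code",
                            code_challenge=None):
    """Step 1a: the URL the user's browser is redirected to.

    response_type 'code' is the authorization code grant (code comes back in
    the query); 'token' is the implicit grant (token comes back in the fragment).
    state is a per-request random value the client stores in the user's session.
    """
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(url, expected_state):
    """Step 1b: parse the redirect back to REDIRECT_URI and check state.

    A code grant response carries ?code=...&state=...; an implicit grant
    response carries #access_token=...&state=... in the fragment, which the
    browser never sends to the server, so only in-page JavaScript can read it.
    """
    parts = urlsplit(url)
    raw = parts.fragment or parts.query
    if not raw:
        raise ValueError("no parameters in redirect")
    flat = {k: v[0] for k, v in parse_qs(raw, strict_parsing=True).items()}
    if flat.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF, discard this response")
    if "error" in flat:
        raise ValueError(f"authorization failed: {flat['error']}")
    return flat


def build_token_request(code, client_id, client_secret, code_verifier):
    """Step 1c (code grant only): back-channel POST that redeems the code.

    The client authenticates with HTTP Basic over its form-encoded id:secret
    (RFC 6749 section 2.3.1); the token response never touches the browser.
    """
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii"),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier})
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    print(build_authorization_url("s6BhdRkqt3", "photos:read", state, code_challenge=challenge))
    # Pretend the provider redirected back with a code (constructed value):
    cb = parse_redirect(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print(build_token_request(cb["code"], "s6BhdRkqt3", "gX1fBat3bV", verifier))
```

Two checks worth noticing. The state comparison happens before anything else is read from the response, including an error, because an attacker can deliver a crafted redirect carrying their own code or token into the victim's session. And parse_redirect accepts a fragment only to show the shape of an implicit response; a server-side handler will never see one, which is exactly why the slide pairs that grant with in-browser JavaScript.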
  19. SAML 2.0 Bearer Assertion grant (then an IETF draft, later RFC 7522): the client sends an access token request to the authorization server that includes a SAML 2.0 Assertion
      The authorization server validates the Assertion per the processing rules of that profile and issues an Access Token.
  20. OAuth Challenges:
  21. Which OAuth version should we use? Standardize on OAuth 2.0 Draft 20.
      Lack of understanding: book(s), brown-bag sessions.
      Lack of tools and frameworks.
  22. “Getting Started with OAuth 2.0” (O’Reilly book)
      OAuth 2.0 Draft 25: http://bit.ly/dft-oauth
      Search for “OAuth 2.0” in Google
  23. Backup Slides / Q&A
