
OAuth 2.0 Updates #technight

Presentation about OAuth 2.0 latest spec updates (draft 20) at OpenID TechNight #7 in Tokyo


  1. OAuth 2.0 Updates
  2. @nov, OpenID Foundation Japan Translation & Education WG. Translated the OpenID 2.0, OAuth 1.0 & 2.0 specs. Web Developer @ iKnow! / OAuth.jp. Ruby libraries: rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
  3. OAuth in 5 min
  4. Current Trend: Mobile, Game, Social
  5. API Integration: Access Control for APIs
  6. API Integration: Basic Auth
  7. (no slide text)
  8. I'm using the same password on 10+ services.
  9. OAuth: No password sharing. Limited access lifetime (expire after N weeks). Limited access scope (Status Update: OK, Read Inbox: NG).
  10. OAuth Everywhere: Mobile, Game, Social
  11. B2B is slow though..
  12. Rough History
  13. 2007.12 OAuth 1.0
  14. Twitter API
  15. 2010.04 OAuth 2.0 (draft 0)
  16. Facebook Graph API
  17. 2010.07 draft 10
  18. mixi Graph API
  19. (no slide text)
  20. 2011.07 draft 20
  21. Review by 8/12
  22. Latest Spec: http://j.mp/oauth2_20
  23. Diagram: the Resource Owner authorizes client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client uses it for API access at the Resource Server.
  24. (same diagram)
  25. (same diagram)
  26. Same diagram, labelled: Core Spec (authorization / access token issuance) and Token Type Spec (API access).
  27. Core Spec: same diagram (Resource Owner, Client, Authorization Server, Resource Server).
  28. Core: Response Type. Code: secure, 2 HTTP requests (require approval, then get access token). Token: efficient, 1 HTTP request (both at once). + extensions.
  29. Core: response_type = code. Resource Owner / Client / Authorization Server: Initiate → Require Approval → Approve → Code → Code → Access Token
  30. Core: response_type = token. Resource Owner / Client / Authorization Server: Initiate → Require Approval → Approve → Access Token
  31. Core: Client Type. Confidential: has client secret (e.g. web app). Public: no client secret (e.g. mobile/JS app).
  32. Core: response_type = code. Initiate: client_id=...&response_type=code&redirect_uri=https://... → Require Approval → Approve → Code → Code → Access Token
  33. Core: response_type = code. Initiate: client_id=...&response_type=code&redirect_uri=https://... → Require Approval → Approve → Code → Token request: code=...&client_id=...&client_secret=...&redirect_uri=https://... → Access Token
  34. Core: response_type = code, public clients. Public clients CANNOT do client authentication; "client_secret" is NOT REQUIRED for public clients; rely on "redirect_uri" verification instead; public clients MUST pre-register "redirect_uri".
  35. Core: response_type = token. Initiate: client_id=...&response_type=token&redirect_uri=https://... → Require Approval → Approve → Access Token
  36. Core: response_type = token. All clients MUST pre-register "redirect_uri".
  37. Core: Notes. For servers: Do you support public clients? Do you need iPhone/Android app support? Require full redirect URI registration; narrower scopes / shorter lifetime for public clients. For clients: Don't include the client secret in your mobile app.
  38. Core: Security Considerations. Don't issue "client_secret" to public clients. "redirect_uri" verification is important, especially for public clients. Consider a security policy per client type. Use the "state" param against CSRF / code injection attacks etc.
  39. Attacker / Client / Authorization Server: Initiate → Require Approval → Approve → Code (attacker's) → Code → Code → Access Token
  40. Same flow: allows the attacker to log the victim in with the attacker's Twitter account.
  41. Attacker / Client / Authorization Server: store "state" in Cookie etc. Initiate (with State) → Require Approval → Approve → Code + State → "state" verification failed!!
  42. Token Type Spec: same diagram (Client → Resource Server, API Access).
  43. Token Type Spec. Bearer: no signature, no token secret, mainstream. MAC: signature, token secret, similar to OAuth 1.0. + extensions.
  44. Token: Bearer Token, Access Token Response
  45. Token: API Access (Bearer)
  46. Token: MAC Token, Access Token Response
  47. Token: API Access (MAC)
  48. Token: Notes for Servers. Access Token Response: set "token_type" to "bearer". Resource Request: support both the "OAuth" and "Bearer" auth headers; support both the "oauth_token" and "access_token" query/body params.
  49. Token: Notes for Clients. Move from "OAuth" to "Bearer". Move from "oauth_token" to "access_token". Only for Facebook API developers: the access token response will be JSON.
  50. Review by 8/12
  51. github.com/nov
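Added example, not from the slides or the speaker's libraries: a minimal client-side implementation of the "state" check the deck recommends against CSRF / code injection (slides 38 to 41), plus the exact-match "redirect_uri" check public clients are told to rely on (slides 34 to 36). The endpoint URL, function names and the dict-based session are assumptions.

```python
"""Client-side 'state' binding and server-side redirect_uri matching.
Illustrative code; endpoint and session handling are assumed."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # assumed endpoint


def begin_authorization(session, client_id, redirect_uri, scope):
    """Bind a fresh, unguessable state to the user's session (cookie-backed)
    and return the authorization URL for response_type=code."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Return the authorization code only if the echoed state matches the
    one bound to this session; otherwise return None and exchange nothing.
    This is what stops an attacker's code from being planted in a victim's
    session (slides 39 to 41)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one-time use
    received = query.get("state", [None])[0]
    if not expected or not received:
        return None  # "state" verification failed
    if not hmac.compare_digest(expected, received):
        return None  # "state" verification failed
    return query.get("code", [None])[0]


def redirect_uri_matches(registered_uris, requested_uri):
    """Authorization-server side: a public client has no secret, so the
    pre-registered redirect_uri is the only binding; accept exact matches
    only, never prefix or substring matches."""
    return requested_uri in registered_uris
```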
