OAuth 2.0 Updates #technight

Presentation about OAuth 2.0 latest spec updates (draft 20) at OpenID TechNight #7 in Tokyo


  1. OAuth 2.0 Updates
  2. @nov, OpenID Foundation Japan Translation & Education WG; Translated OpenID 2.0, OAuth 1.0 & 2.0 specs; Web Developer @ iKnow!; OAuth.jp; Ruby Libraries: rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
  3. OAuth in 5 min
  4. Current Trend: Mobile, Game, Social
  5. API Integration: Access Control for APIs
  6. API Integration: Basic Auth
  7. (image only)
  8. I’m using same password on 10+ services.
  9. OAuth: No password sharing; Limited access lifetime (Expire after N weeks); Limited access scope (Status Update: OK, Read Inbox: NG)
  10. OAuth Everywhere: Mobile, Game, Social
  11. B2B is slow though..
  12. Rough History
  13. 2007.12 OAuth 1.0
  14. Twitter API
  15. 2010.04 OAuth 2.0 (draft 0)
  16. Facebook Graph API
  17. 2010.07 draft 10
  18. mixi Graph API
  19. (image only)
  20. 2011.07 draft 20
  21. Review by 8/12
  22. Latest Spec: http://j.mp/oauth2_20
  23. Authorization Server / Resource Server / Resource Owner / Client: Authorize Client Access → Access Token → API Access
  24. (same diagram as 23, build step)
  25. (same diagram as 23, build step)
  26. Core Spec vs Token Type Spec: Authorization Server / Resource Server / Resource Owner / Client; Authorize Client Access → Access Token (Core Spec) → API Access (Token Type Spec)
  27. Core Spec: Authorization Server / Resource Server / Resource Owner / Client; Authorize Client Access → Access Token → API Access
  28. Core: Response Type. code: Secure, 2 HTTP requests (Require Approval, then Get Access Token). token: Efficient, 1 HTTP request (both at once). + extensions
  29. Core: response_type = code. Resource Owner / Client / Authorization Server: Initiate → Require Approval → Approve → Code → Code → Access Token
  30. Core: response_type = token. Resource Owner / Client / Authorization Server: Initiate → Require Approval → Approve → Access Token
  31. Core: Client Type. Confidential: has client secret (e.g. web app). Public: no client secret (e.g. mobile/JS app)
  32. Core: response_type = code. Initiate: client_id=...& response_type=code& redirect_uri=https://... → Require Approval → Approve → Code → Code → Access Token
  33. Core: response_type = code. Initiate: client_id=...& response_type=code& redirect_uri=https://... → Require Approval → Approve → Code → Code: code=...& client_id=...& client_secret=...& redirect_uri=https://... → Access Token
  34. Core: response_type = code (public clients). Initiate: client_id=...& response_type=code& redirect_uri=https://... → Require Approval → Approve → Code → Code: code=...& client_id=...& client_secret=...& redirect_uri=https://... → Access Token. Public clients CANNOT do Client Authentication: “client_secret” is NOT REQUIRED for public clients; rely on “redirect_uri” verification instead; public clients MUST pre-register “redirect_uri”
  35. Core: response_type = token. Initiate: client_id=...& response_type=token& redirect_uri=https://... → Require Approval → Approve → Access Token
  36. Core: response_type = token. Initiate: client_id=...& response_type=token& redirect_uri=https://... → Require Approval → Approve → Access Token. All clients MUST pre-register “redirect_uri”
  37. Core: Notes. For Servers: Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration; narrower scopes / shorter lifetime for public clients. For Clients: Don’t include client secret in your mobile app
  38. Core: Security Considerations. Don’t issue “client_secret” to public clients; “redirect_uri” verification is important especially for public clients; consider security policy per client type; use “state” param against CSRF / code injection attack etc.
  39. Attacker / Client / Authorization Server: Initiate → Require Approval → Approve → Code → Code → Code → Code → Access Token
  40. Attacker / Client / Authorization Server: Initiate → Require Approval → Approve → Code → Code → Code → Code → Access Token. Allow attacker to login with attacker’s Twitter account
  41. Attacker / Client / Authorization Server: Store “state” in Cookie etc. → Initiate (State) → Require Approval → Approve → Code + State → Code + State → Code + State → “state” verification failed!!
  42. Token Type Spec: Authorization Server / Resource Server / Resource Owner / Client; Authorize Client Access → Access Token → API Access
  43. Token: Token Type Spec. Bearer: no signature, no token secret, mainstream. MAC: signature, token secret, similar to OAuth 1.0. + extensions
  44. Token: Bearer Token Access Token Response
  45. Token: API Access (Bearer)
  46. Token: MAC Token Access Token Response
  47. Token: API Access (MAC)
  48. Token: Notes For Servers. Access Token Response: set “token_type” as “bearer”. Resource Request: support both “OAuth” and “Bearer” auth header; support both “oauth_token” and “access_token” query/body params
  49. Token: Notes For Clients. Move from “OAuth” to “Bearer”; move from “oauth_token” to “access_token”. Only for Facebook API developers: access token response will be JSON
  50. Review by 8/12
  51. github.com/nov
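Slides 38 to 41 show why a client should bind the authorization request to the browser session with a random "state" and refuse a callback whose state does not match: the injected code from the attacker's session fails the check. The Ruby below is an added example, not code from the talk or from rack-oauth2; the endpoint URL, client_id and redirect_uri are placeholders, and the session is a plain Hash standing in for a cookie-backed session.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# Constructed placeholders; a real client registers these with its authorization server.
AUTHZ_ENDPOINT = 'https://authz.example.com/oauth2/authorize'
CLIENT_ID      = 'client-id-placeholder'
REDIRECT_URI   = 'https://client.example.com/callback'

# Build the response_type=code request (slide 32) and bind a fresh random
# state to this user's session before redirecting the browser.
def build_authorization_request(session)
  state = SecureRandom.urlsafe_base64(32)
  session[:oauth_state] = state
  query = URI.encode_www_form(
    client_id: CLIENT_ID,
    response_type: 'code',
    redirect_uri: REDIRECT_URI,
    state: state
  )
  "#{AUTHZ_ENDPOINT}?#{query}"
end

# Handle the redirect back. The code is accepted only when the state echoed by
# the authorization server equals the one stored in *this* browser's session;
# a code planted by another party (slide 40) arrives with a foreign or absent
# state and is rejected before any token request is made.
def handle_callback(session, callback_url)
  params = CGI.parse(URI(callback_url).query.to_s).transform_values(&:first)
  expected = session.delete(:oauth_state) # one-time use, removed even on failure
  return [:error, 'missing state'] if expected.nil? || params['state'].nil?
  return [:error, 'state verification failed'] unless secure_compare(expected, params['state'])
  return [:error, 'missing code'] if params['code'].nil?
  [:ok, params['code']]
end

# Constant-time comparison so the state check does not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```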
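Slide 48 tells resource servers to accept both the draft-era "OAuth" and the newer "Bearer" Authorization scheme, and both the "oauth_token" and "access_token" query/body parameters, while clients migrate. The Ruby below is an added example of that lookup, not the talk's code or rack-oauth2's middleware; the request is a plain Hash (constructed) standing in for a Rack env.

```ruby
require 'cgi'

# Accepted spellings during the migration described on slides 48 and 49.
SCHEMES = %w[Bearer OAuth].freeze
PARAMS  = %w[access_token oauth_token].freeze
# Scheme name, whitespace, then a token made of the b64token character set.
TOKEN_HEADER = %r{\A(#{SCHEMES.join('|')})\s+([A-Za-z0-9\-._~+/]+=*)\z}i

# Returns [token, location] or nil when the request carries no token.
# Precedence is header, then query string, then form body, so a token in the
# Authorization header wins over one appearing elsewhere in the same request.
def extract_access_token(request)
  if (m = request[:authorization].to_s.match(TOKEN_HEADER))
    return [m[2], :header]
  end
  query_params = CGI.parse(request[:query].to_s)
  PARAMS.each do |name|
    value = query_params[name].first
    return [value, :query] if value
  end
  # Only a real form post is searched; JSON or other bodies are left alone.
  if request[:content_type].to_s.start_with?('application/x-www-form-urlencoded')
    body_params = CGI.parse(request[:body].to_s)
    PARAMS.each do |name|
      value = body_params[name].first
      return [value, :body] if value
    end
  end
  nil
end

# WWW-Authenticate challenge for a missing or rejected token; the server
# answers in the "Bearer" scheme it wants clients to move to.
def challenge_header(realm, error = nil)
  error ? %(Bearer realm="#{realm}", error="#{error}") : %(Bearer realm="#{realm}")
end
```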
