OAuth 2.0 Updates #technight in Osaka

  1. OAuth 2.0 Updates, 11 9 8
  2. @nov: OpenID Foundation Japan, Translation & Education WG. Translated the OpenID 2.0, OAuth 1.0 and OAuth 2.0 specs. Web developer at iKnow!. OAuth.jp. Ruby libraries: rack-oauth2, fb_graph, openid_connect, etc. (Footer on this and every following slide: OpenID TechNight #7, 11 9 8.)
  3. OAuth in 5 min
  4. Current trend: Mobile, Game, Social
  5. API Integration: access control for APIs
  6. API Integration: Basic Auth
  7. (no text on slide)
  8. "I'm using the same password on 10+ services."
  9. OAuth: no password sharing; limited access lifetime (expire after N weeks); limited access scope (Status Update: OK, Read Inbox: NG)
  10. OAuth everywhere: Mobile, Game, Social
  11. In the B2B area too
  12. (no text on slide)
  13. OpenID Connect
  14. Rough history
  15. 2007.12: OAuth 1.0
  16. Twitter API
  17. 2010.04: OAuth 2.0 (draft 0)
  18. Facebook Graph API
  19. 2010.07: draft 10
  20. mixi Graph API
  21. (no text on slide)
  22. 2011.07: draft 20
  23. Review by 8/12
  24. WG feedback (mainly on Security Considerations)
  25. 2011.09: draft 21
  26. Latest spec: http://j.mp/oauth2_21
  27. Diagram (repeated unchanged on slides 28 and 29): the Resource Owner authorizes Client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client uses it for API access at the Resource Server.
  28. (same diagram)
  29. (same diagram)
  30. Same diagram split into its two specs: the authorization half (Resource Owner, Authorization Server, Client, Access Token) is the Core Spec; the API access half (Client, Resource Server) is the Token Type Spec.
  31. Core Spec: the authorization half of the diagram.
  32. Core: response types. code is secure and takes 2 HTTP requests (require approval, then get the access token); token is efficient and takes 1 HTTP request (both at once). Plus extensions.
  33. Core, response_type=code (sequence diagram: Resource Owner, Client, Authorization Server): the Client initiates; the Authorization Server requires approval from the Resource Owner; the Resource Owner approves; the Authorization Server returns a code to the Client; the Client exchanges the code for an Access Token.
  34. Core, response_type=token: the Client initiates; the Authorization Server requires approval; the Resource Owner approves; the Authorization Server returns an Access Token directly.
  35. Core, client types. Confidential: has a client secret (e.g. web app). Public: no client secret (e.g. mobile/JS app).
  36. Core, response_type=code, authorization request parameters: client_id=...& response_type=code& redirect_uri=https://...
  37. Core, response_type=code, plus the token request parameters: code=...& client_id=...& client_secret=...& redirect_uri=https://...
  38. Core, response_type=code, annotated for public clients: public clients CANNOT do client authentication; "client_secret" is NOT REQUIRED for public clients; rely on "redirect_uri" verification instead; public clients MUST pre-register "redirect_uri".
  39. Core, response_type=token, authorization request parameters: client_id=...& response_type=token& redirect_uri=https://...
  40. Core, response_type=token, annotated: all clients MUST pre-register "redirect_uri".
  41. Core, notes. For servers: Do you support public clients? Do you need iPhone/Android app support? Require full redirect URI registration; use narrower scopes and shorter lifetimes for public clients. For clients: don't include the client secret in your mobile app.
  42. Core, security considerations: don't issue "client_secret" to public clients; "redirect_uri" verification is important, especially for public clients; consider a security policy per client type; use the "state" param against CSRF / code injection attacks, etc.
  43. Code injection diagram (Attacker, Client, Authorization Server): the attacker initiates the flow, is asked for approval and approves, and receives a code; that code is then fed to the Client, which exchanges it for an Access Token.
  44. Same diagram, with the outcome: this allows the attacker to log a user in with the attacker's Twitter account.
  45. Same diagram with "state": the Client stores "state" (in a cookie etc.) before initiating and sends it with the request; the Authorization Server echoes it back together with the code; the injected code arrives without the matching "state", so "state" verification fails.
  46. In draft 21, "state" is RECOMMENDED.
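The checks from slides 36 to 46 put together in one place, as an added Python example that is not part of the original slides or of the author's libraries: exact redirect_uri matching against the registration, no client_secret for public clients, single-use codes bound to the client and redirect_uri, and a "state" value bound to the user's session so that a code injected from another session fails verification. The endpoints, client ids, secrets and in-memory registries are constructed for illustration; a real server would persist codes and tokens.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry (example values, not real credentials).
# Confidential clients hold a secret; public clients (mobile / JS apps) do not
# and MUST pre-register the exact redirect_uri they will use.
CLIENTS = {
    "web-app": {"type": "confidential", "secret": "web-app-secret-example",
                "redirect_uris": ["https://web.example/cb"]},
    "mobile-app": {"type": "public", "secret": None,
                   "redirect_uris": ["https://mobile.example/cb"]},
}

# Codes issued by the authorization server: code -> binding plus a used flag.
ISSUED_CODES = {}


def build_authorization_url(authz_endpoint, client_id, redirect_uri, session):
    """Client side: mint a random 'state', bind it to the user's session
    (cookie etc.) and send it along with the authorization request."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return authz_endpoint + "?" + urlencode(params)


def validate_authorization_request(query):
    """Server side: redirect_uri must exactly match a registered value.
    Returns None when valid, otherwise an error string."""
    client = CLIENTS.get(query.get("client_id"))
    if client is None:
        return "unknown_client"
    if query.get("response_type") not in ("code", "token"):
        return "unsupported_response_type"
    if query.get("redirect_uri") not in client["redirect_uris"]:
        return "invalid_redirect_uri"
    return None


def issue_code(query):
    """Server side, after the resource owner approves: issue a one-time code
    bound to the client and redirect_uri, and echo 'state' back unchanged."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": query["client_id"],
                          "redirect_uri": query["redirect_uri"], "used": False}
    params = {"code": code}
    if "state" in query:
        params["state"] = query["state"]
    return query["redirect_uri"] + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Client side: accept the code only if the returned 'state' matches the
    one stored in the session. A code injected from another session carries
    no matching state, so it is dropped. Returns the code or None."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)
    got = qs.get("state")
    if not expected or not got or not hmac.compare_digest(expected, got):
        return None  # "state" verification failed
    return qs.get("code")


def exchange_code(form):
    """Token endpoint. Confidential clients authenticate with client_secret;
    public clients cannot, so the server relies on the code being bound to
    the registered redirect_uri. Codes are single-use."""
    client = CLIENTS.get(form.get("client_id"))
    record = ISSUED_CODES.get(form.get("code"))
    if client is None or record is None or record["used"]:
        return {"error": "invalid_grant"}
    if client["type"] == "confidential":
        if not hmac.compare_digest(form.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
    if (record["client_id"] != form.get("client_id")
            or record["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    record["used"] = True
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "expires_in": 3600}


def run_flow(client_id, redirect_uri, client_secret=None):
    """End-to-end happy path for one client; returns the token response."""
    session = {}
    url = build_authorization_url("https://as.example/authorize",
                                  client_id, redirect_uri, session)
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if validate_authorization_request(query) is not None:
        return {"error": "invalid_request"}
    code = handle_callback(issue_code(query), session)
    form = {"code": code, "client_id": client_id, "redirect_uri": redirect_uri}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return exchange_code(form)
```

`run_flow("mobile-app", "https://mobile.example/cb")` succeeds without any secret, while the same call for `web-app` returns `invalid_client` until the registered secret is supplied; `handle_callback` returns None for any callback whose "state" does not match the session, which is the check slide 45 describes.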
  47. Token Type Spec: the API access half of the diagram (Client, Access Token, Resource Server).
  48. Token Type Spec: Bearer (no signature, no token secret; mainstream) vs. MAC (signature, token secret; similar to OAuth 1.0). Plus extensions.
  49. Token, Bearer token: access token response
  50. Token, API access (Bearer)
  51. Token, MAC token: access token response
  52. Token, API access (MAC)
  53. Token, notes for servers. Access token response: set "token_type" to "bearer". Resource request: support both the "OAuth" and "Bearer" auth headers, and both the "oauth_token" and "access_token" query/body params.
  54. Token, notes for clients: move from "OAuth" to "Bearer"; move from "oauth_token" to "access_token". Only for Facebook API developers: the access token response will be JSON.
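The server-side notes on slide 53 (plus the lifetime and scope limits from slide 9), as an added Python example that is not from the slides or from rack-oauth2: a resource server that accepts a bearer token from either the "OAuth" or the "Bearer" Authorization header, or from an oauth_token/access_token query or body parameter, and then enforces expiry and scope. The token store, scope names and clock values are constructed for the example.

```python
import json

# Constructed token store: token -> granted scopes and expiry (epoch seconds).
# Scope names mirror slide 9: the first token may post status updates but not
# read the inbox; the second token has both scopes but has already expired.
TOKENS = {
    "tok-status-only": {"scopes": {"status_update"}, "expires_at": 2_000_000_000},
    "tok-expired": {"scopes": {"status_update", "read_inbox"},
                    "expires_at": 1_000_000_000},
}


def access_token_response(token, expires_in, scopes):
    """Access token response per slide 53: token_type is the literal 'bearer'."""
    return {"access_token": token, "token_type": "bearer",
            "expires_in": expires_in, "scope": " ".join(sorted(scopes))}


def access_token_response_json(token, expires_in, scopes):
    """Slide 54: the access token response body is JSON."""
    return json.dumps(access_token_response(token, expires_in, scopes))


def extract_token(headers, params):
    """Locate the access token in a resource request. Accepts both the
    draft-era 'OAuth <token>' and the 'Bearer <token>' Authorization header,
    and both the oauth_token and access_token query/body params. The header
    wins when present; returns None when no token is found."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() in ("bearer", "oauth") and value.strip():
        return value.strip()
    for name in ("access_token", "oauth_token"):
        if params.get(name):
            return params[name]
    return None


def authorize_request(headers, params, required_scope, now):
    """Check one API call and return an (http_status, reason) tuple.
    'now' is passed in explicitly so the expiry check is deterministic."""
    token = extract_token(headers, params)
    if token is None:
        return 401, "missing_token"
    record = TOKENS.get(token)
    if record is None:
        return 401, "invalid_token"
    if now >= record["expires_at"]:          # limited access lifetime
        return 401, "invalid_token"
    if required_scope not in record["scopes"]:   # limited access scope
        return 403, "insufficient_scope"
    return 200, "ok"
```

A client still sending `Authorization: OAuth ...` or `oauth_token=` keeps working during the migration slide 54 asks for, while scope and expiry are enforced identically whichever form the token arrived in.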
  55. APPENDIX
  56. FB OAuth Updates
  57. OAuth migration (by 2011.09.30). Using legacy FB APIs (~2010.04)? No more "fb_sig" and "fb_sig_session_key". Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth). Your library might not work anymore.
  58. OAuth migration (by 2011.09.30). Developing canvas or page tab apps? No more "fb_sig". Migrate to "signed_request". Obtain an SSL certificate.
  59. OAuth migration (by 2011.09.30). Using FB.login (or <fb:login-button>) and the FB cookie? Now "code" is in the cookie, not "access_token"; you need to exchange the code for an access token.
  60. OAuth spec updates. Using "response_type=code_and_token"? Use "response_type=code%20token" instead.
  61. github.com/nov
