SlideShare a Scribd company logo

O auth 2.0 authorization framework

Download as PPTX, PDF
John Temoty Roca
John Temoty Roca

A short discussion and brief understanding on OAuth 2.0 Authorization Framework. Focuses on world example.

Engineering
1 of 36
OAuth 2.0 Authorization Framework By : John Roca
?
?
OAuth 2.0 Authorization Framework By : John Roca
Objectives To give an eye opener to the audience about the authorization technology in the web To give the audience a basic understanding on how an authorization framework does its job
Terminologies Authentication Authorization User Credentials User Resource / User Data / Resource Resource Owner Resource Server Client
Agenda A.Introduction a. Traditional Client-Server Authentication Model b. Roles c. Protocol Flow d. Authorization Grant i. Authorization Code ii. Resource Owner Password Credentials B. Protocol Endpoints
A.Introduction CLIENT SERVER Auth Layer Requests access /users Denied request if not Authenticated Authenticated access to /users Returns /users resource Traditional client-server authentication model
A.Introduction Traditional client-server authentication model CLIENT SERVER Requests access /user Denied request if not Authenticated Authenticated access to /user Returns /user resource Auth Layer
Grading System Example GRADING SYSTEM ( Shows grades in different subject ) USERNAME PASSWORD LOGIN Juan Grades Science : 87 Math : 87 English : 87 USER
Grading System Example GRADING SYSTEM ( Shows grades in different subject ) USERNAME PASSWORD LOGIN Juan Grades Science : 87 Math : 87 English : 87 USER GWA COMPUTING SYSTEM? How???
A.Introduction GWA COMPUTING SYSTEM? GRADING SYSTEM / SERVER Auth Layer Requests access /users Denied request if not Authenticated Authenticated access to /users Shares Credentials USER / RESOURCE OWNER Returns /users resource Traditional client-server authentication model
A.Introduction Traditional client-server authentication model GWA COMPUTING SYSTEM? GRADING SYSTEM / SERVER Requests access /users Denied request if not Authenticated Authenticated access to /users Shares Credentials User / Resource Owner Returns /users resource Auth Layer
A.Introduction Sharing Credentials creates several problems: Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
A.Introduction Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
A.Introduction -> Roles Resource Owner Resource Server Client Authorization Server
A.Introduction -> Roles -> Resource Owner Resource Owner An entity capable of granting access to protected resource. When a resource owner is a person, it is usually referred to as end-user. USER
A.Introduction -> Roles -> Resource Server Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. GRADING SYSTEM / SERVER
A.Introduction -> Roles -> Client Client An Application making protected resource requests on behalf of other resource owner and with its authorization. GWA COMPUTING SYSTEM?
Client Registration (Client Types) OAuth defines two client types, based on their ability to authenticate securely with the authorization server: Confidential Clients capable of maintaining the confidentiality of their credentials or capable of secure client authentication using other means. (e.g clients implemented on secure server with restricted access to the client credentials), Public Clients incapable of maintaining the confidentiality of their credentials and incapable of secure client authentication about the client type.
A.Introduction -> Roles -> Authorization Server Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. GRADING SYSTEM / SERVER
A.Introduction -> Protocol Flow Client Resource Owner Authorization Server Resource Server ( A ) Authorization Request ( B ) Authorization Grant ( C ) Authorization Grant ( D ) Access Token ( E ) Access Token ( F ) Protected Resources
A.Introduction -> Protocol Flow Client Resource Owner Authorization Server Resource Server ( A ) Authorization Request ( B ) Authorization Grant ( C ) Authorization Grant ( D ) Access Token ( E ) Access Token ( F ) Protected Resources
Protocol Flow in Real World Situation ( A ) Give me the key of your car ( B ) It’s with key holder, I will give you a chit, show this to key holder and ask for key. ( C ) Give me car key. Here is the chit of approve from owner ( D ) Ok, This is accepted, here is the key ( E ) Give me car to repair, this is the key ( F ) Ok, have the car Mechanic Car Owner Key Holder Car Park
A.Introduction -> Authorization Grant An authorization grant is a credential representing the resource owner’s authorization ( to access its protected resources ) used by the client to obtain an access token. The OAuth specification has four (4) grants types: Authorization code Resource owner password credentials Implicit Client credentials
A. Introduction -> Authorization Grant -> Authorization Code The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner.
Authorization a client using FB Account USER www.scribd.com FB AUTHORIZATION SERVER User visits a client CLIENT Redirects upon clicking login with fb button FB Server redirects back the user to scribd.com
Authorization Code Grant RESOURCE OWNER USER-AGENT ( Browser / Google Chrome Browser ) CLIENT AUTHORIZATION SERVER (A) (C) (B) (A) Client Identifier & Redirection URI (B) User Authenticates (C) Authorization Code (D) Authorization Code & Redirection URI (E) Access Token (w/ Optional Refresh Token)
Authorization Code Grant RESOURCE OWNER USER-AGENT ( Browser / Google Chrome Browser ) CLIENT AUTHORIZATION SERVER (A) (C) (B) (A) Client Identifier & Redirection URI (B) User Authenticates (C) Authorization Code (D) Authorization Code & Redirection URI (E) Access Token (w/ Optional Refresh Token)
A. Introduction -> Authorization Grant -> Resource owner password credentials The resource owner password credentials ( i.e., username and password) can be used directly as an authorization grant to obtain an access token. Should be used only when there is a high degree of trust between the resource owner and the client.
Resource Owner Password Credentials Grant RESOURCE OWNER CLIENT AUTHORIZATION SERVER (A) Resource Owner Password Credentials (B) Resource Owner Password Credentials (C) Access Token (w/ Optional Refresh Token)
Facebook Native Application and Facebook FB SERVER
Protocol Endpoints The authorization process utilizes two authorization server endpoints: Authorization Endpoint Used by the client to obtain authorization from resource owner via user-agent redirection. Token Endpoint Used by the client to exchange an authorization grant for an access token, typically with client authentication. As well as one client endpoint Redirection endpoint
Web links Demo OAuth 2.0 The OAuth 2.0 Authorization Framework OAuth V.1.0 VS OAuth 2.0 Which OAUTH 2.0 Grant should I use? Security Considerations Notes : OAuth2 + API Security By Amila Paranawithana
O auth 2.0 authorization framework

Recommended

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003Syed Ali Raza
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 

Recommended

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003Syed Ali Raza
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityNexThoughts Technologies
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 PresentaionBhargav Surimenu
 
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019UA Mobile
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0Manish Kumar Singh
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-idParisa Moosavinezhad
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIsJonathan LeBlanc
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .netSathyaish Chakravarthy
 

More Related Content

What's hot

OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityNexThoughts Technologies
 
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019UA Mobile
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 

What's hot (20)

OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Designing JavaScript APIs
Designing JavaScript APIsDesigning JavaScript APIs
Designing JavaScript APIs
 

Similar to O auth 2.0 authorization framework

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .netSathyaish Chakravarthy
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Introduction to OAuth2
Introduction to OAuth2 Introduction to OAuth2
Introduction to OAuth2 Sean Whitesell
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 

Similar to O auth 2.0 authorization framework (20)

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .net
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
O auth 2
O auth 2O auth 2
O auth 2
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0
 
Authentication and single sign on (sso)
Authentication and single sign on (sso)Authentication and single sign on (sso)
Authentication and single sign on (sso)
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
O auth
O authO auth
O auth
 
Introduction to OAuth2
Introduction to OAuth2 Introduction to OAuth2
Introduction to OAuth2
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 

Recently uploaded

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 

Recently uploaded (20)

DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 

O auth 2.0 authorization framework

  • 1. OAuth 2.0 Authorization Framework By : John Roca
  • 2. ?
  • 3.
  • 4. ?
  • 5. OAuth 2.0 Authorization Framework By : John Roca
  • 6. Objectives To give an eye opener to the audience about the authorization technology in the web To give the audience a basic understanding on how an authorization framework does its job
  • 7. Terminologies Authentication Authorization User Credentials User Resource / User Data / Resource Resource Owner Resource Server Client
  • 8. Agenda A.Introduction a. Traditional Client-Server Authentication Model b. Roles c. Protocol Flow d. Authorization Grant i. Authorization Code ii. Resource Owner Password Credentials B. Protocol Endpoints
  • 9. A.Introduction CLIENT SERVER Auth Layer Requests access /users Denied request if not Authenticated Authenticated access to /users Returns /users resource Traditional client-server authentication model
  • 10. A.Introduction Traditional client-server authentication model CLIENT SERVER Requests access /user Denied request if not Authenticated Authenticated access to /user Returns /user resource Auth Layer
  • 11. Grading System Example GRADING SYSTEM ( Shows grades in different subject ) USERNAME PASSWORD LOGIN Juan Grades Science : 87 Math : 87 English : 87 USER
  • 12. Grading System Example GRADING SYSTEM ( Shows grades in different subject ) USERNAME PASSWORD LOGIN Juan Grades Science : 87 Math : 87 English : 87 USER GWA COMPUTING SYSTEM? How???
  • 13. A.Introduction GWA COMPUTING SYSTEM? GRADING SYSTEM / SERVER Auth Layer Requests access /users Denied request if not Authenticated Authenticated access to /users Shares Credentials USER / RESOURCE OWNER Returns /users resource Traditional client-server authentication model
  • 14. A.Introduction Traditional client-server authentication model GWA COMPUTING SYSTEM? GRADING SYSTEM / SERVER Requests access /users Denied request if not Authenticated Authenticated access to /users Shares Credentials User / Resource Owner Returns /users resource Auth Layer
  • 15. A.Introduction Sharing Credentials creates several problems: Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  • 16. A.Introduction Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  • 17. A.Introduction -> Roles Resource Owner Resource Server Client Authorization Server
  • 18. A.Introduction -> Roles -> Resource Owner Resource Owner An entity capable of granting access to protected resource. When a resource owner is a person, it is usually referred to as end-user. USER
  • 19. A.Introduction -> Roles -> Resource Server Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. GRADING SYSTEM / SERVER
  • 20. A.Introduction -> Roles -> Client Client An Application making protected resource requests on behalf of other resource owner and with its authorization. GWA COMPUTING SYSTEM?
  • 21. Client Registration (Client Types) OAuth defines two client types, based on their ability to authenticate securely with the authorization server: Confidential Clients capable of maintaining the confidentiality of their credentials or capable of secure client authentication using other means. (e.g clients implemented on secure server with restricted access to the client credentials), Public Clients incapable of maintaining the confidentiality of their credentials and incapable of secure client authentication about the client type.
  • 22. A.Introduction -> Roles -> Authorization Server Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. GRADING SYSTEM / SERVER
  • 23. A.Introduction -> Protocol Flow Client Resource Owner Authorization Server Resource Server ( A ) Authorization Request ( B ) Authorization Grant ( C ) Authorization Grant ( D ) Access Token ( E ) Access Token ( F ) Protected Resources
  • 24. A.Introduction -> Protocol Flow Client Resource Owner Authorization Server Resource Server ( A ) Authorization Request ( B ) Authorization Grant ( C ) Authorization Grant ( D ) Access Token ( E ) Access Token ( F ) Protected Resources
  • 25. Protocol Flow in Real World Situation ( A ) Give me the key of your car ( B ) It’s with key holder, I will give you a chit, show this to key holder and ask for key. ( C ) Give me car key. Here is the chit of approve from owner ( D ) Ok, This is accepted, here is the key ( E ) Give me car to repair, this is the key ( F ) Ok, have the car Mechanic Car Owner Key Holder Car Park
  • 26. A.Introduction -> Authorization Grant An authorization grant is a credential representing the resource owner’s authorization ( to access its protected resources ) used by the client to obtain an access token. The OAuth specification has four (4) grants types: Authorization code Resource owner password credentials Implicit Client credentials
  • 27. A. Introduction -> Authorization Grant -> Authorization Code The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner.
  • 28. Authorization a client using FB Account USER www.scribd.com FB AUTHORIZATION SERVER User visits a client CLIENT Redirects upon clicking login with fb button FB Server redirects back the user to scribd.com
  • 29. Authorization Code Grant RESOURCE OWNER USER-AGENT ( Browser / Google Chrome Browser ) CLIENT AUTHORIZATION SERVER (A) (C) (B) (A) Client Identifier & Redirection URI (B) User Authenticates (C) Authorization Code (D) Authorization Code & Redirection URI (E) Access Token (w/ Optional Refresh Token)
  • 30. Authorization Code Grant RESOURCE OWNER USER-AGENT ( Browser / Google Chrome Browser ) CLIENT AUTHORIZATION SERVER (A) (C) (B) (A) Client Identifier & Redirection URI (B) User Authenticates (C) Authorization Code (D) Authorization Code & Redirection URI (E) Access Token (w/ Optional Refresh Token)
  • 31. A. Introduction -> Authorization Grant -> Resource owner password credentials The resource owner password credentials ( i.e., username and password) can be used directly as an authorization grant to obtain an access token. Should be used only when there is a high degree of trust between the resource owner and the client.
  • 32. Resource Owner Password Credentials Grant RESOURCE OWNER CLIENT AUTHORIZATION SERVER (A) Resource Owner Password Credentials (B) Resource Owner Password Credentials (C) Access Token (w/ Optional Refresh Token)
  • 33. Facebook Native Application and Facebook FB SERVER
  • 34. Protocol Endpoints The authorization process utilizes two authorization server endpoints: Authorization Endpoint Used by the client to obtain authorization from resource owner via user-agent redirection. Token Endpoint Used by the client to exchange an authorization grant for an access token, typically with client authentication. As well as one client endpoint Redirection endpoint
  • 35. Web links Demo OAuth 2.0 The OAuth 2.0 Authorization Framework OAuth V.1.0 VS OAuth 2.0 Which OAUTH 2.0 Grant should I use? Security Considerations Notes : OAuth2 + API Security By Amila Paranawithana

Editor's Notes

  1. Authentication is any process by which a system verifies the identity of a User who wishes to access it. Authorization is the process of giving someone permission to do or have something. Resource Owner - An entity capable of granting access to a protected resource. Resource Server- The server hosting the protected resources, \ Client - An application which accesses protected resources on behalf of the resource owner (such as a user). The client could be hosted on a server, desktop, mobile or other device. Example. The mobile fb app is a client. The web fb is a client. Anything that access the resource server in behalf of a user is a client. Authorization Server - A server authenticates a client and resource owner, and authorizing the request. Access Token - Is a token “String” used by any client to access protected resource in behalf of someone.
  2. In this diagram we show a traditional client-server authentication model. We can think of this diagram like logging in a Grading System. Client in this diagram refers to user ( e.g me ) and the server as Grading System in LNU ( The one you are using right now to view your grades ) NEXT >>>
  3. In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) but first go to the authentication process <NEXT> and get denied <NEXT> if the credentials given by the client are not authenticated and get passed <NEXT> if authenticated. The server then returns <NEXT> the requested resource by the client. <NEXT> >>>
  4. I have here a Grading System Diagram Example In which the user logins to the grading system to view the user grades. Now here comes a problem. I want to create a GWA Computing System that will use the grades of the user. <NEXT> >>>
  5. The problem is how can we get the grades of Juan so we can use it in our GWA Computing System? Anyone? Some of you might have ideas and is just afraid to share. But this is how they solve this problem. They solve this problem by sharing the username and password to the GWA Computing System. NEXT >>>
  6. This is the diagram for our application. <NEXT> >>>
  7. First, the resource owner share credentials ( username and password ) to the 3rd party client ( our application ). The 3rd party client uses <NEXT> the resource owner credentials to authenticate to the server through the auth layer. And gets denied <NEXT> if the credentials given are not correct and <NEXT> passes thru if authenticated. The server then returns <NEXT> the requested resource to the 3rd party client. Question: It seems correct right? But what are the downside or the disadvantages of sharing the resource owners credentials or your username and password to a 3rd party client? NEXT >>>
  8. <READ> NEXT >>>
  9. <READ> Now you may ask. What should we do then to avoid the said problems. In order for our application to use the needed data? NEXT >>>
  10. In order for us to understand OAuth thoroughly, we have to understand the four roles OAuth defines : <READ> NEXT >>> Note that : The interaction between the authorization server and resource server is beyond the scope of this presentation. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
  11. OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials):
  12. This image is the abstract OAuth 2.0 flow that describes the interaction between the four roles and includes the following steps <NEXT> >>>:
  13. The client requests authorization from the resource owner <NEXT> >>>. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary. The client receives <NEXT>>> an authorization grant, Which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server. The client requests <NEXT> >>> an access token by authenticating with the authorization server and presenting the authorization grant. The authorization server authenticates the client and validates the authorization grant, and if valid <NEXT> >>>, issues an access token. The client requests the protected resource from the resource server <NEXT> >>> and authenticates by presenting the access token. The resource server validates <NEXT> >>> the access token, and if valid, serves the request. NEXT >>>
  14. Now we have a real world example of Protocol Flow in OAuth Our example is a mechanic (Client) needs to get the car (Resource) of the car owner ( Resource Owner ). First the mechanic asks the key of the car of the owner and then the car owner gives a chit or a note/authorization ( Authorization Grant ) in order for the mechanic to get the key from the key holder. The mechanic presents the note to the key holder ( Authentication Server ). The key holder authenticates or see if the note is valid If the note is valid the key is given to the mechanic The mechanic then gets the car from the car park ( Resource Server ) presenting the key given by the key holder The Car park gives the car. Next >>>
  15. Now I have been mentioning the word “Authorization Grant”. What does it exactly means in laymans term? In OAuth Usage <READ>>> NEXT >>>
  16. <READ> What do you mean by authorization code??? Anyone? It’s a code used to authorize in behalf of someone. Like an authorization letter. Now facebook is using this authorization grant. Anyone? In which part facebook is using this authorization grant? NEXT >>>
  17. <READ> Now let’s try to view what really is happening in an authorization code grant NEXT >>>
  18. This is the flow of authorization code grant in OAuth. In our example earlier who is acting as the client? -> scribd.com. What is the user-agent? Browser -> Who is the resource owner? User -> Who is the authorization server? Facebook Authorization server. Let’s try to do this flow step by step you might recall where you encountered this flow. <NEXT>>>
  19. The client initiates the flow by directing the resource owner's <NEXT> user-agent to the authorization endpoint <NEXT>. The client includes its a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). This is the part where the user visits the browser and clicks on login with facebook button and scribd.com redirected us to the facebook authorization server. The authorization server authenticates the resource owner (via the user-agent) <NEXT> and establishes <NEXT> whether the resource owner grants or denies the client's access request. This is the part where the user clicks on the okay or close button. Assuming the resource owner grants access, the authorization server redirects <NEXT> the user-agent back to the client <NEXT> >>> using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code provided by the client earlier. This is the part where the facebook redirects the user back to the client. The next part becomes tricky -- What happens is you just authorize the client “scribd.com” to use your information from facebook.com. The client “scribd.com” has not yet access your information from facebook.com. The client requests an access token <NEXT> >>> from the authorization server's token endpoint by including the authorization code received in the previous step. This is the part where the client “scribd.com” asks for an access token to facebook.com. What is an access token? Is a token “String” used by any client to access protected resource in behalf of someone from the resource owner. Why we use access token? The reason is the server did not actually gave you an authorization you just authorize the client “scribd.com” to access your resource that is in the fb server. The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds <NEXT> >>> back with an access token and, optionally, a refresh token. The last part is the server gives access to the client.
  20. <READ> Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token. Do you have a guess on where you have encountered this authorization grant? Let us see the flow if anyone can recognize. NEXT >>>
  21. The flow illustrated in Figure 5 includes the following steps: The resource owner provides the client with its username and password. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server. The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token. Anyone who can recognize now? Wild guess? Facebook mobile app is the very common. Lets try to go back to the definition of this grant.