Summary of OAuth 2.0 memo
(based on draft 8 Spec)

2010/06/20
=ritou
A personal memo that just lines up the spec (plus a little extra) as of OAuth 2.0 draft 8.


Slides

Slide 1: Summary of OAuth 2.0 memo (based on draft 8 Spec), 2010/06/20, =ritou

Slide 2: Warning!
  - This document is a summary of the OAuth 2.0 spec at Draft 8.

Slide 3: Overview
  - Client Type and Profile
  - Endpoint
  - Resource Access

Slide 4: Client Type and Profile
  - 4 client types
    - Web Servers
    - User-Agents
    - Native Applications
    - Autonomous Clients

Slide 5: Web Server Profile
  - Client Credential
    - Client ID
    - Client Secret
  - Facebook
  - Diff with OAuth 1.0a
    - No Request Token
  [Diagram "Characters": User-Agent, AuthZ Server, Web Client, Protected Resource]

Slide 6: (diagram only)

Slide 7: User-Agent Profile
  - Client on User-Agent
    - Twitter: @anywhere
    - Facebook: JavaScript-Based Authentication
  - Client Credential
    - Client ID
  - Access Token as URI Fragment Identifier
  [Diagram "Characters": User-Agent, AuthZ Server, Client in Browser, Protected Resource]

Slide 8: (diagram only)

Slide 9: Native Applications
  - External User-Agent: UA Profile
    - Use custom URI scheme
    - Polling UA window
  - Embedded User-Agent
    - Check URL Redirection
  - Prompt for user credential
    - ID/PW to Access Token
      - (Username and Password Flow)

Slide 10: Autonomous Clients
  - Clients = Resource Owner
    - (Client Credential Profile)
  - Existing Trust Relationship / Framework
    - (Assertion Profile)

Slide 11: Client credential
  - Client credential
    - client identifier
    - client secret (optional)
  - AuthN schemes
    - Request parameters
    - HTTP Basic authN

Slide 12: Endpoint
  - End-user authZ endpoint: Indirect Communication
    - Obtaining End-User Authorization
  - Token Endpoint: Direct Communication
    - Authorization Code to Access Token
    - Resource Owner Credentials to Access Token
    - Assertion to Access Token
    - Refresh Token

Slide 13: End-user authZ endpoint
  - Request format
    - HTTP GET
  - Request Params
    - type, client_id, redirect_uri, state, scope
    - Proposal to use request_url parameter
      - Request by Reference ver.1.0 for OAuth 2.0

Slide 14: End-user authZ endpoint
  - Response format
    - type = web_server: query parameters
    - type = user_agent: URI fragment identifier
  - Response params
    - type = web_server: code, state
    - type = user_agent: access_token, expires_in, state

Slide 15: Token endpoint
  - Request format
    - HTTP POST
  - Request params
    - Client credential + specific params
    - grant_type, scope
      - code, redirect_uri
      - username, password
      - assertion_type, assertion
    - refresh_token

Slide 16: Token endpoint
  - Response format
    - JSON
  - Response params
    - access_token, expires_in, refresh_token, scope

Slide 17: Accessing a Protected Resource
  - Params
    - Access Token
  - Method
    - The Authorization Request Header Field
    - URI Query Parameter
    - Form-Encoded Body Parameter

Slide 18: OLD SPEC

Slide 19: Username and Password Profile
  - Like Twitter xAuth
  [Diagram "Characters": End-User, AuthZ Server, Client, Protected Resource]

Slide 20: Client Credentials Profile
  - Like OAuth Consumer Request (2-legged OAuth Request)
  [Diagram "Characters": AuthZ Server, Client, Protected Resource]

Slide 21: Assertion Profile
  - SAML etc.
  [Diagram "Characters": AuthZ Server, Client, Protected Resource]
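The client side of the draft-8 exchange summarised on slides 13 to 17, as an added example that is not part of ritou's deck: build the authZ-endpoint GET for a web_server or user_agent client, parse the callback (query vs. fragment) while binding it to the session via state, build the token-endpoint POST, parse the JSON token response, and form the Authorization header. Endpoint and redirect URIs are constructed placeholders; the grant_type value "authorization_code" and the "OAuth" header scheme are draft-8 values not spelled out on the slides.

```python
# Added example, not from the slides. Draft-8 parameter names per slides 13-17;
# URLs and client credentials below are constructed placeholders.
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHZ_ENDPOINT = "https://authz.example/oauth/authorize"   # placeholder
REDIRECT_URI = "https://client.example/cb"                 # placeholder


def build_authz_request(client_id, client_type, scope, state=None):
    """Slide 13: HTTP GET to the end-user authZ endpoint with type, client_id,
    redirect_uri, state, scope. 'state' binds the callback to this session; draft 8
    marks it optional, but a client should always send one and verify it."""
    state = state or secrets.token_urlsafe(16)
    params = {"type": client_type, "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": state, "scope": scope}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state


def parse_authz_response(callback_url, client_type, expected_state):
    """Slide 14: web_server gets code,state in the query string; user_agent gets
    access_token,expires_in,state in the URI fragment (visible only to the
    in-browser client). Reject a missing or mismatched state before using anything."""
    parts = urlsplit(callback_url)
    raw = parts.query if client_type == "web_server" else parts.fragment
    p = {k: v[0] for k, v in parse_qs(raw).items()}
    if p.get("state") != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in p:
        raise ValueError(f"authorization failed: {p['error']}")
    return p


def build_token_request(client_id, client_secret, code):
    """Slide 15: HTTP POST body = client credential + grant-specific params
    (grant_type=authorization_code, code, redirect_uri)."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "code": code,
                      "redirect_uri": REDIRECT_URI})


def parse_token_response(body):
    """Slide 16: JSON body with access_token, expires_in, refresh_token, scope."""
    t = json.loads(body)
    if "access_token" not in t:
        raise ValueError(f"token error: {t.get('error', 'no access_token')}")
    return t


def authorization_header(access_token):
    """Slide 17: carry the token in the Authorization header ('OAuth <token>' in
    draft 8) rather than in the query string, which leaks into logs and referers."""
    return {"Authorization": f"OAuth {access_token}"}
```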
