Yury Roa, profile picture
Uploaded byYury Roa
PDF, PPTX194 views

Demystifying OAuth 2.0

OAuth is a protocol that allows clients limited access to protected resources on behalf of a resource owner through delegated authorization. It addresses issues with directly sharing user credentials by using tokens issued by an authorization server to represent temporary and limited authorization to access a resource on behalf of a resource owner. The key components in OAuth are the resource owner, client, authorization server, and protected resource. OAuth uses grant types like authorization code, implicit, client credentials, and resource owner password credentials to obtain access tokens from the authorization server to access protected resources.

Embed presentation

Download as PDF, PPTX
Demystifying OAuth 2
Nice to meet you Software Engineer @Colpatria Scotiabank Making things happen! Loves reading, programming and teaching. @yurynino @yurynino @yurynino yury.nino.roa
Agenda ● Why OAuth? ● What is OAuth? ● How to OAuth works? ● OAuth Grant Types
What is the problem? You have DIFFERENT accounts for LinkedIn and Google. LinkedIn wants to add your Google contacts to your LinkedIn profile.
The bad old days: credential sharing
Think in this …. Taken from Oauth 2.0 in Action
It was bad because ... ● Same credentials at the client and the protected resource are required. ● It exposed the user’s password to the client application. Taken from Oauth 2.0 in Action
What if we were able to have this kind of limited credential, issued separately for each client and each user combination, to be used at a protected resource?
OAuth is a protocol designed to do exactly that: Delegating.
Taken from Oauth 2.0 in Action What is the new with OAuth?
A client is a piece of software that attempts to access the protected resource on behalf of the resource owner. Taken from Oauth 2.0 in Action
An Access Token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. Taken from Oauth 2.0 in Action
A protected resource is available through an HTTP server and it requires an OAuth token to be accessed. Taken from Oauth 2.0 in Action
A resource owner is the entity that has the authority to delegate access to the client. It isn’t a piece of software. Taken from Oauth 2.0 in Action
An authorization server is an HTTP server that provides mechanisms for allowing resource owners to authorize clients, and issues tokens to the clients. Taken from Oauth 2.0 in Action
Tokens, scopes, and authorization grants An access token, sometimes known as just a token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. OAuth a token represents the combination of the client’s requested access, the resource owner that authorized the client, and the rights conferred during that authorization. A scope is a representation of a set of rights at a protected resource. They are a mechanism for limiting the access granted to a client.
Are you paying attention? 1. Which components are no software? 2. Which components should know the token content?
OAuth Dancing
Step 1
Response from the Client Redirect is a GET
Step 2
Step 3
Step 5
Step 4
Step 6
Step 7
What is the new with OAuth?
Are you paying attention? 1. How does Resource Owner authenticate before Authorization Server grant the access to the Resource? 2. How do you think a granted authorization is removed?
RFC 5849 https://tools.ietf.org/html/rfc5849
RFC 6749 https://tools.ietf.org/html/rfc6749
OAuth 2.0 is a delegation protocol, letting someone, who controls a resource, allow a software application to access that resource on their behalf. Taken from Oauth 2.0 in Action
Real-life examples of OAuth 2.0 in action ● StackOverflow allowing you to log in with your Google account. ● Posting a status update from your phone using the Facebook app. ● LinkedIn suggesting contacts for you to add by looking at your Google contacts.
Fundamental to the power of OAuth 2.0 is the notion of delegation. Although OAuth 2.0 is often called an authorization protocol (and this is the name given to it in the RFC which defines it), it is a delegation protocol.
How to get an access token … Grant Types
Authorization Code
Implicit Grant Type Taken from Oauth 2.0 in Action
Implicit Grant Type
Client credentials Taken from Oauth 2.0 in Action
Client credentials
Resource owner credentials Taken from Oauth 2.0 in Action
Resource owner credentials
Assertion grant types Taken from Oauth 2.0 in Action
Choosing the appropriate grant type
OAuth 2.0 the good, the bad, and the ugly
Demystifying OAuth 2.0

More Related Content

PDF
Introduction to OAuth2.0
byOracle Corporation
 
PDF
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
PDF
Auth experience - vol 1.0
byHaggai Philip Zagury
 
PDF
OAuth2 primer
byManish Pandit
 
PPT
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
PPTX
OAuth2 Presentaion
byBhargav Surimenu
 
DOCX
6.designing secure and efficient biometric based secure access mechanism for ...
byVenkat Projects
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
Introduction to OAuth2.0
byOracle Corporation
 
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
Auth experience - vol 1.0
byHaggai Philip Zagury
 
OAuth2 primer
byManish Pandit
 
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
OAuth2 Presentaion
byBhargav Surimenu
 
6.designing secure and efficient biometric based secure access mechanism for ...
byVenkat Projects
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 

What's hot

PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PDF
1000 ways to die in mobile oauth
byPriyanka Aash
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PDF
OpenID and OAuth
byAndrea Chiodoni
 
PDF
Spring security oauth2
byaxykim00
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PDF
OpenID Connect 101 @ OpenID TechNight vol.11
byNov Matake
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
byNov Matake
 
PPT
Grid security
byjosephineusha
 
DOC
Certification authority
byproser tech
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PDF
GHC18 Abstract - API Security, a Grail Quest
byPaulaPaulSlides
 
PPT
Openid & Oauth: An Introduction
bySteve Ivy
 
PDF
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
PPTX
OpenID Connect 1.0 Explained
byEugene Siow
 
PPT
Google Apps Secure Data Connector
byGuus Disselkoen
 
PDF
iaetsd Robots in oil and gas refineries
byIaetsd Iaetsd
 
PDF
Basic security concepts essential for all architects
byDebasis Chakraborty
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
1000 ways to die in mobile oauth
byPriyanka Aash
 
OAuth Base Camp
byOliver Pfaff
 
OpenID and OAuth
byAndrea Chiodoni
 
Spring security oauth2
byaxykim00
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
OpenID Connect 101 @ OpenID TechNight vol.11
byNov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
byNov Matake
 
Grid security
byjosephineusha
 
Certification authority
byproser tech
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
GHC18 Abstract - API Security, a Grail Quest
byPaulaPaulSlides
 
Openid & Oauth: An Introduction
bySteve Ivy
 
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
OpenID Connect 1.0 Explained
byEugene Siow
 
Google Apps Secure Data Connector
byGuus Disselkoen
 
iaetsd Robots in oil and gas refineries
byIaetsd Iaetsd
 
Basic security concepts essential for all architects
byDebasis Chakraborty
 

Similar to Demystifying OAuth 2.0

PDF
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
PPTX
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
PPTX
Oauth 2.0 Introduction and Flows with MuleSoft
byshyamraj55
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PDF
Oauth2.0 tutorial
byHarikaReddy115
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
OAuth
byTom Elrod
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
PDF
Spring Security
byKnoldus Inc.
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PDF
Lecture #25 : Oauth 2.0
byDr. Ramchandra Mangrulkar
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PDF
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
PDF
Oauth Behind The Scenes
byThang Tran Duc
 
PDF
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
PDF
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
O auth
byAshok Kumar N
 
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
Oauth 2.0 Introduction and Flows with MuleSoft
byshyamraj55
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
Oauth2.0 tutorial
byHarikaReddy115
 
OAuth 2
byChrisWood262
 
OAuth
byTom Elrod
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
Spring Security
byKnoldus Inc.
 
Demystifying OAuth 2.0
byKarl McGuinness
 
OAuth2 + API Security
byAmila Paranawithana
 
Lecture #25 : Oauth 2.0
byDr. Ramchandra Mangrulkar
 
OAuth and why you should use it
bySergey Podgornyy
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
Oauth Behind The Scenes
byThang Tran Duc
 
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
slides-101-edu-sesse-introduction-to-oauth-20-01.pdf
byGopalKrishna703039
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
O auth
byAshok Kumar N
 

Recently uploaded

PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
The year in review - MarvelClient in 2025
bypanagenda
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 

Demystifying OAuth 2.0

  • 1.
  • 2.
    Nice to meetyou Software Engineer @Colpatria Scotiabank Making things happen! Loves reading, programming and teaching. @yurynino @yurynino @yurynino yury.nino.roa
  • 3.
    Agenda ● Why OAuth? ●What is OAuth? ● How to OAuth works? ● OAuth Grant Types
  • 4.
    What is theproblem? You have DIFFERENT accounts for LinkedIn and Google. LinkedIn wants to add your Google contacts to your LinkedIn profile.
  • 5.
    The bad olddays: credential sharing
  • 6.
    Think in this…. Taken from Oauth 2.0 in Action
  • 7.
    It was badbecause ... ● Same credentials at the client and the protected resource are required. ● It exposed the user’s password to the client application. Taken from Oauth 2.0 in Action
  • 8.
    What if wewere able to have this kind of limited credential, issued separately for each client and each user combination, to be used at a protected resource?
  • 9.
    OAuth is aprotocol designed to do exactly that: Delegating.
  • 10.
    Taken from Oauth2.0 in Action What is the new with OAuth?
  • 12.
    A client isa piece of software that attempts to access the protected resource on behalf of the resource owner. Taken from Oauth 2.0 in Action
  • 13.
    An Access Tokenis an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. Taken from Oauth 2.0 in Action
  • 14.
    A protected resource is availablethrough an HTTP server and it requires an OAuth token to be accessed. Taken from Oauth 2.0 in Action
  • 15.
    A resource owner isthe entity that has the authority to delegate access to the client. It isn’t a piece of software. Taken from Oauth 2.0 in Action
  • 16.
    An authorization server isan HTTP server that provides mechanisms for allowing resource owners to authorize clients, and issues tokens to the clients. Taken from Oauth 2.0 in Action
  • 17.
    Tokens, scopes, andauthorization grants An access token, sometimes known as just a token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. OAuth a token represents the combination of the client’s requested access, the resource owner that authorized the client, and the rights conferred during that authorization. A scope is a representation of a set of rights at a protected resource. They are a mechanism for limiting the access granted to a client.
  • 18.
    Are you payingattention? 1. Which components are no software? 2. Which components should know the token content?
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 28.
  • 29.
  • 30.
    What is thenew with OAuth?
  • 32.
    Are you payingattention? 1. How does Resource Owner authenticate before Authorization Server grant the access to the Resource? 2. How do you think a granted authorization is removed?
  • 33.
  • 34.
  • 35.
    OAuth 2.0 isa delegation protocol, letting someone, who controls a resource, allow a software application to access that resource on their behalf. Taken from Oauth 2.0 in Action
  • 36.
    Real-life examples ofOAuth 2.0 in action ● StackOverflow allowing you to log in with your Google account. ● Posting a status update from your phone using the Facebook app. ● LinkedIn suggesting contacts for you to add by looking at your Google contacts.
  • 37.
    Fundamental to thepower of OAuth 2.0 is the notion of delegation. Although OAuth 2.0 is often called an authorization protocol (and this is the name given to it in the RFC which defines it), it is a delegation protocol.
  • 38.
    How to getan access token … Grant Types
  • 39.
  • 40.
    Implicit Grant Type Takenfrom Oauth 2.0 in Action
  • 41.
  • 42.
    Client credentials Taken fromOauth 2.0 in Action
  • 43.
  • 44.
    Resource owner credentials Takenfrom Oauth 2.0 in Action
  • 45.
  • 46.
    Assertion grant types Takenfrom Oauth 2.0 in Action
  • 47.
  • 48.
    OAuth 2.0 thegood, the bad, and the ugly