SlideShare a Scribd company logo

ietf oauth proof-of-possession.ppt sdfsdfs

Download as PPT, PDF
D
DucAnhLe56

sdsf sdfsdf

Environment
1 of 16
1 IETF OAuth Proof-of-Possession Hannes Tschofenig
2 Status  Finished various specifications, including  OAuth Core: RFC 6749  Bearer Tokens: RFC 6750  Security Threats: RFC 6819  Discussion about an enhancement to Bearer Token security (now called “Proof-of-Possession”) since the early days of the working group.  Design Team work late 2012/early 2013, which lead to requirements, use cases, and solution strawman proposals.  Work on solution documents lead to new work items.
3 I Client Authorization Server Resource Server II III Architecture Relevant document: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
4 I Client Authorization Server Resource Server II III Variants: • Key Distribution at Access Token Issuance • Key Distribution at Client Registration AS <-> Client Interaction Relevant specifications: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/ http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
5 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key Request access token. I support PoP tokens
6 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS creates PoP-enabled access token
7 PoP Token: Symmetric Key Example { "alg":"RSA1_5", "enc":"A128CBC-HS256", "cty":"jwk+json" } { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf":{ "jwk": "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJB MTI4Q0JDLUhTMjU2IiwiY3R5IjoiandrK ... (remainder of JWE omitted for brevity)" } } { "kty":"oct", "alg":"HS256", "k":"ZoRSOrFzN_FzUA5XKM YoVHyzff5oRJxl-IXRtztJ6uE" } Binds a symmetric key to the access token
8 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & symmetric key
9 AS <-> Client Interaction  AS needs to bind a key to the access token.  Key can be an fresh and unique symmetric key, or  (ephemeral) public key  This requires two extensions:  New elements within the JWT to include the (encrypted symmetric key) or the public key. JWT is also integrity protected.  Mechanism for conveying ephemeral key from AS to client and for client to provide directives to AS.  Details in draft-ietf-oauth-pop-key-distribution  Transport symmetric key from AS to client.  Transport (ephemeral) asymmetric key from AS to client.  Transport public key from client to AS.  Algorithm indication
10 Dynamic Client Registration  Attempt to simplify developer interaction with AS when they deploy client applications.  Today, developers need to register various parameters (manually), such as  Authentication mechanism & client authentication credentials  Redirect URIs  Grant types  Meta data (client name, client logo, scopes, contact information, etc.)  Also allows meta-data, including public keys, to be uploaded to AS.  Two documents:  draft-ietf-oauth-dyn-reg  draft-ietf-oauth-dyn-reg-metadata  WGLC in progress.
11 I Client Authorization Server Resource Server II III Building Blocks: a) Proof of possession of PoP key b) Message integrity (+ Channel Binding) c) RS-to-client authentication Client <-> RS Interaction Relevant specification : http://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
12 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & Authenticator Authenticator = Keyed Message Digest Computed Over Request.
13 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key RS “unwraps” access token and obtains symmetric key. RS verifies authenticator. Shared Long Term Key
14 Channel Binding Channel bindings bind the application layer security to the underlying channel security mechanism. Various approaches for providing channel bindings:  PoP public key use in TLS (as described in HOTK draft)  tls-unique: TLS Finish message  tls-server-end-point: hash of the TLS server's certificate:  Currently, no channel bindings described in <draft-ietf-oauth- signed-http-request>  Be aware: New attacks have been identified with TLS-based channel bindings, see http://www.ietf.org/proceedings/89/slides/slides-89-tls-3.pdf
15 ` I Client Authorization Server Resource Server II III Variants: a) Token introspection b) Out-of-band RS <-> AS Interaction [optional] Relevant specification: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
16 Next Steps Reviews for the document bundle needed. Open Issues will be added to the WG tracker. Main issues with the client<->resource server communication. Challenges:  Dealing with intermediaries modifying headers  Offering flexibility to developer  Reducing payload replicating  Minimizing canonicalization  Authentication of the server to the client  Channel binding functionality

Recommended

OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET Journal
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenIDSouth Tyrol Free Software Conference
 
A Deep Dive into REST API Framework Survey
A Deep Dive into REST API Framework SurveyA Deep Dive into REST API Framework Survey
A Deep Dive into REST API Framework SurveyIRJET Journal
 
HTTP 완벽가이드 1장.
HTTP 완벽가이드 1장.HTTP 완벽가이드 1장.
HTTP 완벽가이드 1장.HyeonSeok Choi
 

Recommended

OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET- An Overview of Web Sockets: The Future of Real-Time Communication
IRJET- An Overview of Web Sockets: The Future of Real-Time CommunicationIRJET Journal
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenIDSouth Tyrol Free Software Conference
 
A Deep Dive into REST API Framework Survey
A Deep Dive into REST API Framework SurveyA Deep Dive into REST API Framework Survey
A Deep Dive into REST API Framework SurveyIRJET Journal
 
HTTP 완벽가이드 1장.
HTTP 완벽가이드 1장.HTTP 완벽가이드 1장.
HTTP 완벽가이드 1장.HyeonSeok Choi
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Marcin Bielak
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Shaun Murakami
 
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...HostedbyConfluent
 
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsKube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsShikha Srivastava
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010Ben Robb
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionAustina Francis
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and PracticesLaunchAny
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan
 
Web Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenanceWeb Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenancePort80 Software
 
Cloud APIs Overview Tucker
Cloud APIs Overview TuckerCloud APIs Overview Tucker
Cloud APIs Overview TuckerInfrastructure 2.0
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)Channy Yun
 
0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdfZani10
 
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130Suhani Kapoor
 
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999Tina Ji
 

More Related Content

Similar to ietf oauth proof-of-possession.ppt sdfsdfs

Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Marcin Bielak
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Shaun Murakami
 
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...HostedbyConfluent
 
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsKube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsShikha Srivastava
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010Ben Robb
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionAustina Francis
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and PracticesLaunchAny
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Web Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenanceWeb Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenancePort80 Software
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)Channy Yun
 
0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdfZani10
 

Similar to ietf oauth proof-of-possession.ppt sdfsdfs (20)

Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 Module
 
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
Internet of Things - protocols review (MeetUp Wireless & Networks, Poznań 21....
 
Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...Open stack ocata summit enabling aws lambda-like functionality with openstac...
Open stack ocata summit enabling aws lambda-like functionality with openstac...
 
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
 
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsKube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010Introduction to the Client OM in SharePoint 2010
Introduction to the Client OM in SharePoint 2010
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protection
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and Practices
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016
 
Sergey Stoyan 2016
Sergey Stoyan 2016Sergey Stoyan 2016
Sergey Stoyan 2016
 
Web Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenanceWeb Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server Maintenance
 
Cloud APIs Overview Tucker
Cloud APIs Overview TuckerCloud APIs Overview Tucker
Cloud APIs Overview Tucker
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)
 
0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf
 

Recently uploaded

VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130Suhani Kapoor
 
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999Tina Ji
 
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...ranjana rawat
 
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130Suhani Kapoor
 
Sustainable Clothing Strategies and Challenges
Sustainable Clothing Strategies and ChallengesSustainable Clothing Strategies and Challenges
Sustainable Clothing Strategies and ChallengesDr. Salem Baidas
 
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...ranjana rawat
 
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Bookingtanu pandey
 
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service Gorakhpur
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service GorakhpurVIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service Gorakhpur
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service GorakhpurSuhani Kapoor
 
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000Sapana Sha
 
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur Escorts
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur EscortsCall Girl Nagpur Roshni Call 7001035870 Meet With Nagpur Escorts
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130Suhani Kapoor
 
Freegle User Survey as visual display - BH
Freegle User Survey as visual display - BHFreegle User Survey as visual display - BH
Freegle User Survey as visual display - BHbill846304
 
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Standkumarajju5765
 
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service MumbaiCall Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service MumbaiCall girls in Ahmedabad High profile
 

Recently uploaded (20)

VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
VIP Call Girls Service Tolichowki Hyderabad Call +91-8250192130
 
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
Call Girls In Faridabad(Ballabgarh) Book ☎ 8168257667, @4999
 
Call Girls In Yamuna Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Yamuna Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Yamuna Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Yamuna Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(NANDITA) Hadapsar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
 
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130
VIP Call Girls Service Bandlaguda Hyderabad Call +91-8250192130
 
Sustainable Clothing Strategies and Challenges
Sustainable Clothing Strategies and ChallengesSustainable Clothing Strategies and Challenges
Sustainable Clothing Strategies and Challenges
 
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
(PARI) Viman Nagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune ...
 
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pune Airport Call Me 7737669865 Budget Friendly No Advance Booking
 
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service Gorakhpur
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service GorakhpurVIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service Gorakhpur
VIP Call Girl Gorakhpur Aashi 8250192130 Independent Escort Service Gorakhpur
 
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
 
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur Escorts
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur EscortsCall Girl Nagpur Roshni Call 7001035870 Meet With Nagpur Escorts
Call Girl Nagpur Roshni Call 7001035870 Meet With Nagpur Escorts
 
9953056974 ,Low Rate Call Girls In Adarsh Nagar Delhi 24hrs Available
9953056974 ,Low Rate Call Girls In Adarsh Nagar Delhi 24hrs Available9953056974 ,Low Rate Call Girls In Adarsh Nagar Delhi 24hrs Available
9953056974 ,Low Rate Call Girls In Adarsh Nagar Delhi 24hrs Available
 
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service
(ANAYA) Call Girls Hadapsar ( 7001035870 ) HI-Fi Pune Escorts Service
 
Sustainable Packaging
Sustainable PackagingSustainable Packaging
Sustainable Packaging
 
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130
VIP Call Girls Service Chaitanyapuri Hyderabad Call +91-8250192130
 
Freegle User Survey as visual display - BH
Freegle User Survey as visual display - BHFreegle User Survey as visual display - BH
Freegle User Survey as visual display - BH
 
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Preet Vihar ☎ 9711199171 Book Your One night Stand
 
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service
(ANIKA) Call Girls Wagholi ( 7001035870 ) HI-Fi Pune Escorts Service
 
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service MumbaiCall Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
 
Call Girls In Pratap Nagar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Pratap Nagar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Pratap Nagar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Pratap Nagar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 

ietf oauth proof-of-possession.ppt sdfsdfs

  • 2. 2 Status  Finished various specifications, including  OAuth Core: RFC 6749  Bearer Tokens: RFC 6750  Security Threats: RFC 6819  Discussion about an enhancement to Bearer Token security (now called “Proof-of-Possession”) since the early days of the working group.  Design Team work late 2012/early 2013, which lead to requirements, use cases, and solution strawman proposals.  Work on solution documents lead to new work items.
  • 4. 4 I Client Authorization Server Resource Server II III Variants: • Key Distribution at Access Token Issuance • Key Distribution at Client Registration AS <-> Client Interaction Relevant specifications: http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/ http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
  • 5. 5 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key Request access token. I support PoP tokens
  • 6. 6 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS creates PoP-enabled access token
  • 7. 7 PoP Token: Symmetric Key Example { "alg":"RSA1_5", "enc":"A128CBC-HS256", "cty":"jwk+json" } { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "cnf":{ "jwk": "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJB MTI4Q0JDLUhTMjU2IiwiY3R5IjoiandrK ... (remainder of JWE omitted for brevity)" } } { "kty":"oct", "alg":"HS256", "k":"ZoRSOrFzN_FzUA5XKM YoVHyzff5oRJxl-IXRtztJ6uE" } Binds a symmetric key to the access token
  • 8. 8 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & symmetric key
  • 9. 9 AS <-> Client Interaction  AS needs to bind a key to the access token.  Key can be an fresh and unique symmetric key, or  (ephemeral) public key  This requires two extensions:  New elements within the JWT to include the (encrypted symmetric key) or the public key. JWT is also integrity protected.  Mechanism for conveying ephemeral key from AS to client and for client to provide directives to AS.  Details in draft-ietf-oauth-pop-key-distribution  Transport symmetric key from AS to client.  Transport (ephemeral) asymmetric key from AS to client.  Transport public key from client to AS.  Algorithm indication
  • 10. 10 Dynamic Client Registration  Attempt to simplify developer interaction with AS when they deploy client applications.  Today, developers need to register various parameters (manually), such as  Authentication mechanism & client authentication credentials  Redirect URIs  Grant types  Meta data (client name, client logo, scopes, contact information, etc.)  Also allows meta-data, including public keys, to be uploaded to AS.  Two documents:  draft-ietf-oauth-dyn-reg  draft-ietf-oauth-dyn-reg-metadata  WGLC in progress.
  • 11. 11 I Client Authorization Server Resource Server II III Building Blocks: a) Proof of possession of PoP key b) Message integrity (+ Channel Binding) c) RS-to-client authentication Client <-> RS Interaction Relevant specification : http://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
  • 12. 12 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key AS sends access token to Client & Authenticator Authenticator = Keyed Message Digest Computed Over Request.
  • 13. 13 Client Authorization Server Resource Server AS <-> Client Interaction Example: Symmetric Key RS “unwraps” access token and obtains symmetric key. RS verifies authenticator. Shared Long Term Key
  • 14. 14 Channel Binding Channel bindings bind the application layer security to the underlying channel security mechanism. Various approaches for providing channel bindings:  PoP public key use in TLS (as described in HOTK draft)  tls-unique: TLS Finish message  tls-server-end-point: hash of the TLS server's certificate:  Currently, no channel bindings described in <draft-ietf-oauth- signed-http-request>  Be aware: New attacks have been identified with TLS-based channel bindings, see http://www.ietf.org/proceedings/89/slides/slides-89-tls-3.pdf
  • 15. 15 ` I Client Authorization Server Resource Server II III Variants: a) Token introspection b) Out-of-band RS <-> AS Interaction [optional] Relevant specification: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
  • 16. 16 Next Steps Reviews for the document bundle needed. Open Issues will be added to the WG tracker. Main issues with the client<->resource server communication. Challenges:  Dealing with intermediaries modifying headers  Offering flexibility to developer  Reducing payload replicating  Minimizing canonicalization  Authentication of the server to the client  Channel binding functionality