SlideShare a Scribd company logo

INTERFACE by apidays - The State of OAuth by Aaron Parecki,

apidays
apidays

INTERFACE by apidays The State of OAuth Aaron Parecki, Author of "OAuth 2.0 Simplified: A Guide to Building OAuth 2.0 Servers"

Technology
1 of 49
Download to read offline
The State of OAuth Aaron Parecki Senior Security Architect, Okta Interface API Days • June 2020
@aaronpkJune 2020 oauth.net/2
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials GrantTypes
@aaronpkJune 2020
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials GrantTypes RFC6750 Bearer Tokens TokenUsage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020
@aaronpkJune 2020 OAuth Server OAuth Client Passing Data via the Front Channel Did they catch 
 it? Did someone else 
 steal it? Is this really 
 from the real 
 OAuth server?
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020
@aaronpkJune 2020 https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token CORS
@aaronpkJune 2020 caniuse.com/cors
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
@aaronpkJune 2020 OAuth 2.0 for Browser-Based Apps
@aaronpkJune 2020 OAuth 2.0 for Browser-Based Apps
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
@aaronpkJune 2020 Password oauth.net/2/oauth-best-practice
@aaronpkJune 2020 Password oauth.net/2/oauth-best-practice • Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth
@aaronpkJune 2020 Password • Exposes the username and password to the application • Even for first-party / trusted clients, this increases the attack surface • Trains users that it's okay to enter their password in more than one place • Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)
@aaronpkJune 2020 OAuth 2.0 Security BCP • All OAuth clients MUST use PKCE with the authorization code flow • Password grant MUST NOT be used • Use exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens for public clients must be 
 sender-constrained or one-time use oauth.net/2/oauth-best-practice
@aaronpkJune 2020 In-Progress Work • JWT Profile for Access Tokens • DPoP (Proof of Possession)
@aaronpkJune 2020 JWT Profile for Access Tokens oauth.net/2/jwt-access-tokens eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiO iJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1 wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiO iJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU 5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iL CJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCI sImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlY TE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2 kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8
@aaronpkJune 2020 JWT Profile for Access Tokens oauth.net/2/jwt-access-tokens {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"} { "iss": "https://authorization-server.example.com/", "sub": " 5ba552d67", "aud": "https://rs.example.com/", "exp": 1544645174, "client_id": "s6BhdRkqt3_", "scope": "openid profile reademail" }
@aaronpkJune 2020 DPoP oauth.net/2/dpop POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIj oiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwia WF0IjoxNTYyMjYyNjE2fQ.2-GxA6T8lP4vfrg8v-FdWP0A0zdrj8igiMLvqRMUvwnQg 4PtFLbdLXiOSsX0x7NVY-FNyJK70nfbV37xRZT3Lg grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-
@aaronpkJune 2020 New OAuth Extensions • Rich Authorization Requests (RAR) • Pushed Authorization Requests (PAR) • JWT Authorization Requests (JAR)
@aaronpkJune 2020 Rich Authorization Requests (RAR) • OAuth "scope" is limited to fixed lists of scopes • Need a way to authorize fine-grained transactions or resources • and present that to the user in the authorization interface oauth.net/2/rich-authorization-requests
@aaronpkJune 2020 Pay Merchant123 €123.50 
 from your account ending in 8603
@aaronpkJune 2020 Rich Authorization Requests (RAR) oauth.net/2/rich-authorization-requests
@aaronpkJune 2020 Pushed Authorization Requests (PAR) • Currently, the authorization request is sent in the front-channel • Front-channel is susceptible to inspection and modification • PAR initiates the OAuth flow from the back-channel oauth.net/2/pushed-authorization-requests
@aaronpkJune 2020 Pushed Authorization Requests (PAR) GET /authorize?response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: as.example.com POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb Instead of: Push the request to the AS: oauth.net/2/pushed-authorization-requests
@aaronpkJune 2020 Pushed Authorization Requests (PAR) { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", "expires_in": 90 } GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1 AS responds with a URL: User visits that URL, authorization request details are hidden! oauth.net/2/pushed-authorization-requests
@aaronpkJune 2020 JWT Authorization Requests (JAR) • Create a signed JWT with the authorization request details • Prevents front-channel tampering with the request, similar to PAR • Authenticates the request so the AS knows the client really did initiate it tools.ietf.org/html/draft-ietf-oauth-jwsreq
@aaronpkJune 2020 JWT Authorization Requests (JAR) { "iss": "s6BhdRkqt3", "aud": "https://server.example.com", "response_type": "code id_token", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", "scope": "openid", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 } eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6ICJzNkJoZF JrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLAog ICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAgICAiY2xpZW50X2 lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6ICJodHRwczovL2Ns aWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAib3BlbmlkIiwKICAgIC JzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2UiOiAibi0wUzZfV3pBMk1q IiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VUElVaPjqW_ToI1yrEJ67BgK b5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC0iQJwXu5YVY-vnW0_PLJb1C2 HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKzuKzqSb1wAZALo5f89B_p6QA6j6 JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3EYLYaCb4ik4I1zGXE4fvim9FIMs8O CMmzwIB5S-ujFfzwFjoyuPEV4hJnoVUmXR_W9typPf846lGwA8h9G9oNTIuX8Ft2jf pnZdFmLg3_wr3Wa5q3a-lfbgF3S9H_8nN3j1i7tLR_5Nz-g tools.ietf.org/html/draft-ietf-oauth-jwsreq
@aaronpkJune 2020 JWT Authorization Requests (JAR) https://server.example.com/authorize?request=eyJhbGciOiJS... Either passed by value in the URL: https://server.example.com/authorize?request_uri=https://example.org/r... ...by reference in the URL: POST https://server.example.com/authorize request=eyJhbGciOiJS... ...or pushed using PAR: tools.ietf.org/html/draft-ietf-oauth-jwsreq
@aaronpkJune 2020 RFC6749 RFC6750 CLIENTTYPE AUTH GRANT TYPE RFC6819 RFC7009RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTPSIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR
@aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
@aaronpkJune 2020 OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body
OAuth 2.1 oauth.net/2.1
@aaronpkJune 2020 OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published
@aaronpkJune 2020 OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented
@aaronpkJune 2020 OAuth 2.1 RFC6749 - OAuth 2.0 Core RFC6750 - Bearer Token Usage RFC7636 - PKCE Native App & Browser-Based App BCPs Security BCP • MUST support PKCE for all OAuth clients • No password grant • No implicit flow • Exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens must be sender-constrained or one-time use
@aaronpkJune 2020 OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1
@aaronpkJune 2020 oauth.net/3 ? ? ?
OAuth 3 aka XYZ aka XAuth
@aaronpkJune 2020 OAuth 3 • In development under a new IETF working group (GNAP) • Re-thinking OAuth from the ground up • Not backwards compatible • Consolidate all the various use cases in OAuth into a new framework
@aaronpkJune 2020 GNAP / TxAuthvery much in progress!
Thank you! @aaronpk aaronpk.com oauth.wtf

Recommended

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 

Recommended

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
HTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive ListHTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive ListMainstreethost
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
D@W REST security
D@W REST securityD@W REST security
D@W REST securityGaurav Sharma
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
Http Status Code Errors in SEO
Http Status Code Errors in SEOHttp Status Code Errors in SEO
Http Status Code Errors in SEOAdela Roger
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OPNat Sakimura
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, OktaINTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Oktaapidays
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 

More Related Content

What's hot

Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
HTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive ListHTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive ListMainstreethost
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
Http Status Code Errors in SEO
Http Status Code Errors in SEOHttp Status Code Errors in SEO
Http Status Code Errors in SEOAdela Roger
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OPNat Sakimura
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 

What's hot (20)

Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
 
HTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive ListHTTP Status Codes Cheat Sheet: An Exhaustive List
HTTP Status Codes Cheat Sheet: An Exhaustive List
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
Http Status Code Errors in SEO
Http Status Code Errors in SEOHttp Status Code Errors in SEO
Http Status Code Errors in SEO
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 

Similar to INTERFACE by apidays - The State of OAuth by Aaron Parecki,

INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, OktaINTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Oktaapidays
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...Eric Shupps
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
APIs_ An Introduction.pptx
APIs_ An Introduction.pptxAPIs_ An Introduction.pptx
APIs_ An Introduction.pptxAkashThorat25
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 

Similar to INTERFACE by apidays - The State of OAuth by Aaron Parecki, (20)

INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, OktaINTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
APIs_ An Introduction.pptx
APIs_ An Introduction.pptxAPIs_ An Introduction.pptx
APIs_ An Introduction.pptx
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 

More from apidays

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...apidays
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOapidays
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...apidays
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...apidays
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...apidays
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...apidays
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...apidays
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...apidays
 

More from apidays (20)

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
 

Recently uploaded

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

INTERFACE by apidays - The State of OAuth by Aaron Parecki,

  • 1. The State of OAuth Aaron Parecki Senior Security Architect, Okta Interface API Days • June 2020
  • 3. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials GrantTypes
  • 5. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials GrantTypes RFC6750 Bearer Tokens TokenUsage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 7. @aaronpkJune 2020 OAuth Server OAuth Client Passing Data via the Front Channel Did they catch 
 it? Did someone else 
 steal it? Is this really 
 from the real 
 OAuth server?
  • 8. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 9. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 10. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 14. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 15. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  • 16. @aaronpkJune 2020 OAuth 2.0 for Browser-Based Apps
  • 17. @aaronpkJune 2020 OAuth 2.0 for Browser-Based Apps
  • 18. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
  • 20. @aaronpkJune 2020 Password oauth.net/2/oauth-best-practice • Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth
  • 21. @aaronpkJune 2020 Password • Exposes the username and password to the application • Even for first-party / trusted clients, this increases the attack surface • Trains users that it's okay to enter their password in more than one place • Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)
  • 22. @aaronpkJune 2020 OAuth 2.0 Security BCP • All OAuth clients MUST use PKCE with the authorization code flow • Password grant MUST NOT be used • Use exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens for public clients must be 
 sender-constrained or one-time use oauth.net/2/oauth-best-practice
  • 23. @aaronpkJune 2020 In-Progress Work • JWT Profile for Access Tokens • DPoP (Proof of Possession)
  • 24. @aaronpkJune 2020 JWT Profile for Access Tokens oauth.net/2/jwt-access-tokens eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiO iJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1 wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiO iJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU 5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iL CJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCI sImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlY TE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2 kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8
  • 25. @aaronpkJune 2020 JWT Profile for Access Tokens oauth.net/2/jwt-access-tokens {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"} { "iss": "https://authorization-server.example.com/", "sub": " 5ba552d67", "aud": "https://rs.example.com/", "exp": 1544645174, "client_id": "s6BhdRkqt3_", "scope": "openid profile reademail" }
  • 26. @aaronpkJune 2020 DPoP oauth.net/2/dpop POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded;charset=UTF-8 DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIj oiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwia WF0IjoxNTYyMjYyNjE2fQ.2-GxA6T8lP4vfrg8v-FdWP0A0zdrj8igiMLvqRMUvwnQg 4PtFLbdLXiOSsX0x7NVY-FNyJK70nfbV37xRZT3Lg grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-
  • 27. @aaronpkJune 2020 New OAuth Extensions • Rich Authorization Requests (RAR) • Pushed Authorization Requests (PAR) • JWT Authorization Requests (JAR)
  • 28. @aaronpkJune 2020 Rich Authorization Requests (RAR) • OAuth "scope" is limited to fixed lists of scopes • Need a way to authorize fine-grained transactions or resources • and present that to the user in the authorization interface oauth.net/2/rich-authorization-requests
  • 29. @aaronpkJune 2020 Pay Merchant123 €123.50 
 from your account ending in 8603
  • 30. @aaronpkJune 2020 Rich Authorization Requests (RAR) oauth.net/2/rich-authorization-requests
  • 31. @aaronpkJune 2020 Pushed Authorization Requests (PAR) • Currently, the authorization request is sent in the front-channel • Front-channel is susceptible to inspection and modification • PAR initiates the OAuth flow from the back-channel oauth.net/2/pushed-authorization-requests
  • 32. @aaronpkJune 2020 Pushed Authorization Requests (PAR) GET /authorize?response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: as.example.com POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb Instead of: Push the request to the AS: oauth.net/2/pushed-authorization-requests
  • 33. @aaronpkJune 2020 Pushed Authorization Requests (PAR) { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", "expires_in": 90 } GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1 AS responds with a URL: User visits that URL, authorization request details are hidden! oauth.net/2/pushed-authorization-requests
  • 34. @aaronpkJune 2020 JWT Authorization Requests (JAR) • Create a signed JWT with the authorization request details • Prevents front-channel tampering with the request, similar to PAR • Authenticates the request so the AS knows the client really did initiate it tools.ietf.org/html/draft-ietf-oauth-jwsreq
  • 35. @aaronpkJune 2020 JWT Authorization Requests (JAR) { "iss": "s6BhdRkqt3", "aud": "https://server.example.com", "response_type": "code id_token", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", "scope": "openid", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 } eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6ICJzNkJoZF JrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLAog ICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAgICAiY2xpZW50X2 lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6ICJodHRwczovL2Ns aWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAib3BlbmlkIiwKICAgIC JzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2UiOiAibi0wUzZfV3pBMk1q IiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VUElVaPjqW_ToI1yrEJ67BgK b5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC0iQJwXu5YVY-vnW0_PLJb1C2 HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKzuKzqSb1wAZALo5f89B_p6QA6j6 JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3EYLYaCb4ik4I1zGXE4fvim9FIMs8O CMmzwIB5S-ujFfzwFjoyuPEV4hJnoVUmXR_W9typPf846lGwA8h9G9oNTIuX8Ft2jf pnZdFmLg3_wr3Wa5q3a-lfbgF3S9H_8nN3j1i7tLR_5Nz-g tools.ietf.org/html/draft-ietf-oauth-jwsreq
  • 36. @aaronpkJune 2020 JWT Authorization Requests (JAR) https://server.example.com/authorize?request=eyJhbGciOiJS... Either passed by value in the URL: https://server.example.com/authorize?request_uri=https://example.org/r... ...by reference in the URL: POST https://server.example.com/authorize request=eyJhbGciOiJS... ...or pushed using PAR: tools.ietf.org/html/draft-ietf-oauth-jwsreq
  • 37. @aaronpkJune 2020 RFC6749 RFC6750 CLIENTTYPE AUTH GRANT TYPE RFC6819 RFC7009RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTPSIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR
  • 38. @aaronpkJune 2020 The State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
  • 39. @aaronpkJune 2020 OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body
  • 41. @aaronpkJune 2020 OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published
  • 42. @aaronpkJune 2020 OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented
  • 43. @aaronpkJune 2020 OAuth 2.1 RFC6749 - OAuth 2.0 Core RFC6750 - Bearer Token Usage RFC7636 - PKCE Native App & Browser-Based App BCPs Security BCP • MUST support PKCE for all OAuth clients • No password grant • No implicit flow • Exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens must be sender-constrained or one-time use
  • 46. OAuth 3 aka XYZ aka XAuth
  • 47. @aaronpkJune 2020 OAuth 3 • In development under a new IETF working group (GNAP) • Re-thinking OAuth from the ground up • Not backwards compatible • Consolidate all the various use cases in OAuth into a new framework
  • 48. @aaronpkJune 2020 GNAP / TxAuthvery much in progress!