A Survey on SSO Authentication Protocols: Security and Performance (Amin Saqi)
In this document we survey some of the Single Sign-On web authentication protocols and compare their security and performance. The survey concentrates on the OAuth 2.0 Authorization Framework, OpenID Connect 1.0, Central Authentication Service (CAS) 3.0 and Security Assertion Markup Language (SAML) 2.0.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
OpenID and OAuth2: Rare, Medium, Well Done - UA Mobile 2019 (UA Mobile)
A decade ago the Internet was no cake, and mobile devices were no cherry on top. Vulnerabilities in access to personal data stuck out from places that today even a child can reach, leaking access to all your credit cards while watching Peppa Pig.
The arrival of the OAuth protocol could not save us from Philip Kirkorov remakes and cloud rap, but it did try to secure access to our data. It will not help you, username, if you do not know how to use it properly.
So make yourself comfortable in the kitchen of mobile authorization; we are going to cook OAuth2 and OpenID.
During this session I will cover:
- What SAML is (and about lazy banks)
- How authorization differs from authentication
- What OAuth and OpenID are and why they are needed
- Which OpenID SDKs exist and whether they are worth using
http://uamobile.org/uk/topics/openid-and-oauth2-rear-medium-well-done
Profesia, Lynx Group, presents the fifth episode of its series of master classes on WSO2 technology, for which it is the exclusive distributor in Italy.
The webinar, with the special participation of WSO2, describes how to implement OAuth2 authorization in clients.
Write to contact@profesia.it if you are considering a digital transformation to evolve towards an agile business.
Security is primarily a way of thinking, and in that spirit this presentation mainly revolves around understanding the various terminologies and security concepts employed by the OAuth 2.0 specification (http://tools.ietf.org/html/rfc6749). These are contrasted with the actual implementations by Google, Facebook, etc.
CEOS WGISS 36 - Frascati, Italy - 2013.09.19
Single Sign On with OAuth and OpenID used for Kalideos project and to be used within the French Land Surface Thematic Center
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The remainder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (lately renamed to Apache Oltu). My impression is that many developers shy away as soon as they hear "security", so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in?
4. How to do stateless authorization using OAuth2 & JWT?
5. Some sample code: how easy is it to implement?
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth 2.0 - The fundamentals, the good, the bad, technical primer and commo... (Good Dog Labs, Inc.)
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but the level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals, the good, the bad, and common OAuth 2.0 flows.
API creation within JavaScript introduces a whole new array of security and request issues that traditional APIs never encounter. In this session we’ll explore several principles behind JavaScript API design and architecture, including OAuth 2 in the JavaScript model, Cross-Origin Resource Sharing for browser security constraints, building action automation with HATEOAS, and challenges behind secure resource consumption through JavaScript.
This is a slide deck I created and used to explain what OAuth is and how to use it with the .NET framework to write clients for Facebook and Google.
My slides usually do not have a lot of text on them so it might be difficult to get the ideas I am trying to convey in each individual slide. They're only relevant with the commentary I present during a talk. I use slides as a secondary tool, the primary one being my narration.
Within May 2015, I will edit and upload the video of my talk on YouTube, and provide a link to the YouTube video here. That may make these slides more useful.
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What the Heck is OAuth and OIDC - UberConf 2018 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Securing your APIs with OAuth, OpenID, and OpenID Connect (Manish Pandit)
As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
OAuth Nightmares (Nino Ho)
https://www.hackmiami.com/hmc5-speakers-day-2
OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc. support it, and you are probably thinking of implementing OAuth for your product/platform. We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces: the Platform, the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on an OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower-risk vulnerabilities, can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how an OAuth implementation should be secured both for a platform and in an application, and of things to test for during a security evaluation of OAuth implementations.
Slides for my presentation about OAuth, going in depth into the details of the Authorization Code Grant and PKCE, and also describing several security threats to OAuth.
OAuth 2.0
OAuth 2.0 is an "authorization" framework for web applications. It permits selective access to a user’s resources without disclosing the password to the website that asks for the resource.
Agenda for the session:
- What is OAuth 2.0
- OAuth 2.0 terminology
- OAuth workflow
- Exploiting OAuth for fun and profit
- References
6. Objectives
- To give the audience an eye-opener about authorization technology on the web
- To give the audience a basic understanding of how an authorization framework does its job
8. Agenda
A. Introduction
  a. Traditional Client-Server Authentication Model
  b. Roles
  c. Protocol Flow
  d. Authorization Grant
    i. Authorization Code
    ii. Resource Owner Password Credentials
B. Protocol Endpoints
11. Grading System Example
[Diagram: a Grading System (shows grades in different subjects) with a login form (username, password, login button). After logging in, the user sees "Juan Grades": Science: 87, Math: 87, English: 87.]
12. Grading System Example
[Same diagram, with an added box labelled "GWA Computing System?" and the question "How???" pointing at the grades.]
14. A. Introduction
Traditional client-server authentication model
[Diagram: the User / Resource Owner shares credentials with the "GWA Computing System?", which requests access to /users on the Grading System / Server. The server's auth layer denies the request if it is not authenticated; an authenticated request reaches /users and the server returns the /users resource.]
15. A. Introduction
Sharing credentials creates several problems:
- Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
- Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
16. A. Introduction
- Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password.
- Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
18. A. Introduction -> Roles -> Resource Owner
Resource Owner: an entity capable of granting access to a protected resource. When the resource owner is a person, it is usually referred to as an end-user. (In the example: the user.)
19. A. Introduction -> Roles -> Resource Server
Resource Server: the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. (In the example: the Grading System / Server.)
20. A. Introduction -> Roles -> Client
Client: an application making protected resource requests on behalf of the resource owner and with its authorization. (In the example: the GWA Computing System.)
21. Client Registration (Client Types)
OAuth defines two client types, based on their ability to authenticate securely with the authorization server:
- Confidential: clients capable of maintaining the confidentiality of their credentials, or capable of secure client authentication using other means (e.g. clients implemented on a secure server with restricted access to the client credentials).
- Public: clients incapable of maintaining the confidentiality of their credentials and incapable of secure client authentication via any other means.
22. A. Introduction -> Roles -> Authorization Server
Authorization Server: the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. (In the example: the Grading System / Server.)
23. A. Introduction -> Protocol Flow
[Diagram of the abstract flow between the four roles: Client, Resource Owner, Authorization Server and Resource Server.]
(A) Authorization Request: Client -> Resource Owner
(B) Authorization Grant: Resource Owner -> Client
(C) Authorization Grant: Client -> Authorization Server
(D) Access Token: Authorization Server -> Client
(E) Access Token: Client -> Resource Server
(F) Protected Resources: Resource Server -> Client
24. A. Introduction -> Protocol Flow
[Same diagram, animation build.]
25. Protocol Flow in a Real-World Situation
Parties: Mechanic (client), Car Owner (resource owner), Key Holder (authorization server), Car Park (resource server).
(A) Mechanic to Car Owner: "Give me the key to your car."
(B) Car Owner to Mechanic: "It’s with the key holder. I will give you a chit; show it to the key holder and ask for the key."
(C) Mechanic to Key Holder: "Give me the car key. Here is the chit of approval from the owner."
(D) Key Holder to Mechanic: "OK, this is accepted; here is the key."
(E) Mechanic to Car Park: "Give me the car to repair; this is the key."
(F) Car Park to Mechanic: "OK, have the car."
26. A. Introduction -> Authorization Grant
An authorization grant is a credential representing the resource owner’s authorization (to access its protected resources), used by the client to obtain an access token.
The OAuth specification has four (4) grant types:
- Authorization code
- Resource owner password credentials
- Implicit
- Client credentials
27. A. Introduction -> Authorization Grant -> Authorization Code
The authorization code is obtained by using an authorization server as an intermediary between the client and the resource owner.
28. Authorizing a client using an FB account
[Diagram: the user visits a client (www.scribd.com); clicking the "Login with FB" button redirects the user to the FB authorization server, which afterwards redirects the user back to scribd.com.]
29. Authorization Code Grant
[Diagram: Resource Owner, User-Agent (browser, e.g. Google Chrome), Client and Authorization Server. Steps (A), (B) and (C) pass through the user-agent; steps (D) and (E) run directly between the client and the authorization server.]
(A) Client Identifier & Redirection URI
(B) User Authenticates
(C) Authorization Code
(D) Authorization Code & Redirection URI
(E) Access Token (w/ Optional Refresh Token)
30. Authorization Code Grant
[Same diagram, animation build.]
31. A. Introduction -> Authorization Grant -> Resource Owner Password Credentials
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token.
Should be used only when there is a high degree of trust between the resource owner and the client.
34. Protocol Endpoints
The authorization process utilizes two authorization server endpoints:
- Authorization Endpoint: used by the client to obtain authorization from the resource owner via user-agent redirection.
- Token Endpoint: used by the client to exchange an authorization grant for an access token, typically with client authentication.
As well as one client endpoint:
- Redirection Endpoint
35. Web links
- Demo OAuth 2.0
- The OAuth 2.0 Authorization Framework
- OAuth 1.0 vs OAuth 2.0
- Which OAuth 2.0 grant should I use?
- Security Considerations
Notes: OAuth2 + API Security by Amila Paranawithana
Editor's Notes
Authentication is any process by which a system verifies the identity of a user who wishes to access it.
Authorization is the process of giving someone permission to do or have something.
Resource Owner - An entity capable of granting access to a protected resource.
Resource Server - The server hosting the protected resources.
Client - An application which accesses protected resources on behalf of the resource owner (such as a user). The client could be hosted on a server, desktop, mobile or other device.
Example: the mobile FB app is a client. The FB website is a client. Anything that accesses the resource server on behalf of a user is a client.
Authorization Server - A server that authenticates the client and the resource owner and authorizes the request.
Access Token - A token (a string) used by a client to access a protected resource on behalf of someone.
In this diagram we show a traditional client-server authentication model.
We can think of this diagram as logging in to a Grading System.
The client in this diagram refers to the user (e.g. me) and the server to the Grading System in LNU (the one you are using right now to view your grades).
NEXT >>>
In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) but first goes through the authentication process <NEXT> and gets denied <NEXT> if the credentials given by the client are not authenticated, or gets through <NEXT> if they are.
The server then returns <NEXT> the resource requested by the client.
<NEXT> >>>
I have here a Grading System diagram example,
in which the user logs in to the grading system to view their grades.
Now here comes a problem. I want to create a GWA Computing System that will use the grades of the user.
<NEXT> >>>
The problem is: how can we get the grades of Juan so we can use them in our GWA Computing System?
Anyone?
Some of you might have ideas and are just afraid to share.
But this is how they solve this problem: by sharing the username and password with the GWA Computing System.
NEXT >>>
This is the diagram for our application.
<NEXT> >>>
First, the resource owner shares credentials (username and password) with the 3rd-party client (our application).
The 3rd-party client uses <NEXT> the resource owner's credentials to authenticate to the server through the auth layer, and gets denied <NEXT> if the credentials given are not correct or <NEXT> passes through if authenticated.
The server then returns <NEXT> the requested resource to the 3rd-party client.
Question: it seems correct, right?
But what are the downsides or disadvantages of sharing the resource owner's credentials, your username and password, with a 3rd-party client?
NEXT >>>
<READ>
NEXT >>>
<READ>
Now you may ask: what should we do, then, to avoid the said problems and still let our application use the needed data?
NEXT >>>
In order to understand OAuth thoroughly, we have to understand the four roles OAuth defines: <READ>
NEXT >>>
Note that:
The interaction between the authorization server and the resource server is beyond the scope of this presentation.
The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., their ability to maintain the confidentiality of their client credentials).
This image is the abstract OAuth 2.0 flow, which describes the interaction between the four roles and includes the following steps
<NEXT> >>>:
The client requests authorization from the resource owner <NEXT> >>>.
The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.
The client receives <NEXT>>> an authorization grant,
which is a credential representing the resource owner's authorization, expressed using one of the four grant types defined in the specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
The client requests <NEXT> >>> an access token by authenticating with the authorization server and presenting the authorization grant.
The authorization server authenticates the client and validates the authorization grant, and if valid <NEXT> >>>, issues an access token.
The client requests the protected resource from the resource server <NEXT> >>> and authenticates by presenting the access token.
The resource server validates <NEXT> >>> the access token, and if valid, serves the request.
Now we have a real-world example of the OAuth protocol flow.
In our example a mechanic (Client) needs to get the car (Resource) of the car owner (Resource Owner).
First the mechanic asks the owner for the car key, and the car owner gives a chit or note (Authorization Grant) so that the mechanic can get the key from the key holder.
The mechanic presents the note to the key holder (Authorization Server).
The key holder checks whether the note is valid.
If the note is valid, the key (Access Token) is given to the mechanic.
The mechanic then gets the car from the car park (Resource Server) by presenting the key given by the key holder.
The car park hands over the car.
Now, I have been mentioning the term "Authorization Grant". What does it mean in layman's terms?
In OAuth usage, an authorization grant is the credential that represents the resource owner's authorization and that the client hands to the authorization server in exchange for an access token.
What do we mean by authorization code? Anyone? It is a code that authorizes the client to act on behalf of someone, like an authorization letter.
Facebook uses this authorization grant. Anyone? In which part does Facebook use this authorization grant?
Now let's look at what really happens in an authorization code grant.
This is the flow of the authorization code grant in OAuth.
In our earlier example, who is acting as the client? scribd.com. What is the user-agent? The browser. Who is the resource owner? The user. Who is the authorization server? The Facebook authorization server.
Let's walk through this flow step by step; you may recall where you have encountered it.
The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint.
The client includes its client identifier, the requested scope, a local state value, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
This is the part where the user opens the browser, clicks the "Log in with Facebook" button, and scribd.com redirects us to the Facebook authorization server.
The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
This is the part where the user clicks the OK or Close button.
Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration).
The redirection URI includes an authorization code issued by the authorization server, together with any local state the client provided earlier.
This is the part where Facebook redirects the user back to the client.
The next part is tricky.
So far you have only authorized the client, scribd.com, to use your information from facebook.com.
The client scribd.com has not yet accessed your information on facebook.com.
The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step.
This is the part where the client scribd.com asks facebook.com for an access token.
What is an access token? It is a string issued by the authorization server that the client presents to the resource server to access protected resources on behalf of the resource owner.
Why do we use an access token? Because the authorization code does not by itself grant access: you only authorized the client scribd.com to access your resources on the Facebook server, and the client must still exchange that code for a token it can present to the resource server.
The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the user-agent back to the client in step (C). If valid, the authorization server responds with an access token and, optionally, a refresh token.
In this last part the authorization server gives the client access.
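The steps above, simulated end to end with both sides' messages. This is an added example, not code from the original notes, from scribd.com or from Facebook: the authorization server, resource server, client, client_id/secret, endpoint URLs and the user "alice" are all hypothetical and constructed inline. Besides the happy path it shows the three checks a practitioner relies on in this grant: the client binds the response to its session with an unguessable state value, the server only redirects to a registered redirection URI and requires the same URI again at the token endpoint, and an authorization code is short-lived and single-use.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # hypothetical
CODE_LIFETIME = 600  # seconds; RFC 6749 recommends at most 10 minutes


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Hypothetical in-memory authorization server (the 'Facebook' role)."""

    def __init__(self):
        # Constructed registration: client_id -> (client_secret, registered redirect_uri)
        self.clients = {"scribd-client": ("s3cret", "https://scribd.example/callback")}
        self.codes = {}   # authorization code -> metadata
        self.tokens = {}  # access token -> metadata

    def authorize(self, request_url, user, consent):
        """Steps A-C: check the request, authenticate the user, redirect back."""
        q = _query(request_url)
        client = self.clients.get(q.get("client_id"))
        # Unknown client or unregistered redirect_uri: never redirect, or the
        # code would be delivered to an attacker-chosen URI.
        if client is None or client[1] != q.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")
        params = {"state": q.get("state", "")}  # state is echoed back unchanged
        if not consent:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "scope": q.get("scope", ""), "user": user,
                                "issued": time.time(), "used": False}
            params["code"] = code
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps D-E: authenticate the client, validate the code, issue a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client[0], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.get(code)
        if (entry is None or entry["used"]
                or time.time() - entry["issued"] > CODE_LIFETIME
                or entry["client_id"] != client_id
                or entry["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        entry["used"] = True  # a code may be exchanged exactly once
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": entry["user"], "scope": entry["scope"]}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


class ResourceServer:
    """Hypothetical resource server; validates bearer tokens against the AS store."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if info is None or "profile" not in info["scope"].split():
            return 401, {"error": "invalid_token"}
        return 200, {"user": info["user"]}


class Client:
    """Hypothetical confidential web client (the 'scribd.com' role)."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.redirect_uri = auth_server, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.pending_state = None

    def login_url(self):
        # Step A: fresh, unguessable state tied to this browser session
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile",
            "state": self.pending_state})

    def callback(self, redirect_url):
        # Step C: the browser comes back with ?code=...&state=...
        q = _query(redirect_url)
        if self.pending_state is None or q.get("state") != self.pending_state:
            raise ValueError("state mismatch: response is not bound to this session")
        self.pending_state = None
        if "error" in q:
            return {"error": q["error"]}
        # Step D: exchange the code server-to-server, authenticating as the client
        return self.auth_server.token(self.client_id, self.client_secret,
                                      q["code"], self.redirect_uri)


def run_flow(consent=True):
    """Drive one complete exchange and return what each party observed."""
    auth, client = AuthorizationServer(), None
    client = Client(auth, "scribd-client", "s3cret", "https://scribd.example/callback")
    back = auth.authorize(client.login_url(), "alice", consent)  # A, B, C
    token_resp = client.callback(back)                           # D, E
    if "access_token" not in token_resp:
        return {"token": token_resp, "resource": None, "code_reuse": None}
    resource = ResourceServer(auth).get_profile("Bearer " + token_resp["access_token"])  # F
    reuse = auth.token("scribd-client", "s3cret", _query(back)["code"], client.redirect_uri)
    return {"token": token_resp, "resource": resource, "code_reuse": reuse}


def forged_callback_rejected():
    """A code injected into a session with a different state must be refused."""
    auth = AuthorizationServer()
    client = Client(auth, "scribd-client", "s3cret", "https://scribd.example/callback")
    client.login_url()
    try:
        client.callback("https://scribd.example/callback?code=injected&state=wrong")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```

In a real deployment the token request in step D is an HTTPS POST with the client secret in an Authorization header, and the resource server validates tokens by introspection or signature rather than by reading the authorization server's table; the shape of the checks is the same.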
The next grant type is the resource owner password credentials grant. Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials for a long-lived access token or refresh token.
Can you guess where you have encountered this authorization grant?
Let us look at the flow and see if anyone recognizes it.
The flow illustrated in Figure 5 includes the following steps:
The resource owner provides the client with its username and password.
The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.
The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.
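The three steps above, plus the point made in the definition of this grant that the credentials are used once and replaced by tokens. This is an added example, not code from the original notes or from any Facebook app: the server, the client_id/secret "mobile-app", the user "alice" and her password are hypothetical and constructed inline. The server stores only a salted PBKDF2 hash of the password, the client discards the password after the single token request, and it renews access with the refresh token, which is rotated so that a leaked copy cannot be replayed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordGrantServer:
    """Hypothetical authorization server exposing only its token endpoint."""

    def __init__(self):
        self.clients = {"mobile-app": "mobile-secret"}  # constructed confidential client
        salt = secrets.token_bytes(16)
        # Constructed user record: salted hash only, never the plaintext password
        self.users = {"alice": (salt, _hash_password("correct horse", salt))}
        self.access_tokens = {}   # token -> (user, client_id)
        self.refresh_tokens = {}  # token -> (user, client_id)

    def token(self, form, client_id, client_secret):
        # Step 2: the client authenticates on every token request
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "password":
            # Step 3: validate the resource owner credentials, then issue tokens
            record = self.users.get(form.get("username", ""))
            if record is None:
                return {"error": "invalid_grant"}
            salt, digest = record
            if not hmac.compare_digest(_hash_password(form.get("password", ""), salt), digest):
                return {"error": "invalid_grant"}
            return self._issue(form["username"], client_id)
        if grant == "refresh_token":
            # Rotation: the presented refresh token is consumed, a new one is issued
            owner = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if owner is None or owner[1] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(owner[0], client_id)
        return {"error": "unsupported_grant_type"}

    def _issue(self, user, client_id):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, client_id)
        self.refresh_tokens[refresh] = (user, client_id)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}


class MobileClient:
    """Hypothetical first-party app: sees the password once, keeps only tokens."""

    def __init__(self, server, client_id, client_secret):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.access_token = self.refresh_token = None

    def _remember(self, resp):
        if "access_token" in resp:
            self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]
        return resp

    def login(self, username, password):
        # Step 1: the resource owner types username and password into the app
        form = {"grant_type": "password", "username": username, "password": password}
        return self._remember(self.server.token(form, self.client_id, self.client_secret))
        # the password is not retained anywhere in this object after this call

    def renew(self):
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        return self._remember(self.server.token(form, self.client_id, self.client_secret))


def demo():
    """Run a failed login, a good login, a renewal and a replay of the old refresh token."""
    server = PasswordGrantServer()
    app = MobileClient(server, "mobile-app", "mobile-secret")
    bad = app.login("alice", "wrong password")
    first = app.login("alice", "correct horse")
    old_refresh = app.refresh_token
    renewed = app.renew()
    replay = server.token({"grant_type": "refresh_token", "refresh_token": old_refresh},
                          "mobile-app", "mobile-secret")
    retained = any("correct horse" in str(v) for v in vars(app).values())
    return {"bad_password": bad, "login": first, "renewed": renewed,
            "replay": replay, "password_retained": retained}


if __name__ == "__main__":
    print(demo())
```

The trade-off this grant carries is visible in login(): the client handles the raw password, so it is only appropriate for a client the resource owner already trusts with it, such as the service's own app; a third-party client should use the authorization code grant instead.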
Can anyone recognize it now? A wild guess? The Facebook mobile app is the most common example. Let's go back to the definition of this grant.