2. OAuth
• OAuth is an open standard for authorization. (Wikipedia)
• OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials) to the third-party application. (oauth.net)
• Standard
– RFC 6749: The OAuth 2.0 Authorization Framework
– RFC 5849: The OAuth 1.0 Protocol
• Implementation
– Apache Oltu (http://oltu.apache.org/)
– Others on .NET, PHP, Ruby, Python, …
Ubiquitous Computing & Ambient Networking Laboratory
Page : 2
4. OAuth 2.0: Case Study
• Resource owner
– You (the user who owns the calendar data and grants access to it)
• Client
– Google Calendar APIs Explorer (the application that requests access on your behalf)
• Authorization server
– Google OAuth 2.0 Server (authenticates you and issues the access token to the client)
• API
– Google Calendar APIs
• Resource Server
– Google Calendar (hosts the protected resource and accepts requests carrying access tokens)
5. OAuth 2.0: Case Study (cont'd)
[Sequence diagram: Resource Owner (User), Google Calendar APIs Explorer (client), Google OAuth 2.0 Server, Google Calendar APIs on the Google Calendar Server (to access your Google calendar data)]
(1) Authorization Request: the client (Google Calendar APIs Explorer) asks the resource owner (you) for authorization
(2) Authorization Grant: the resource owner grants it, after signing in and consenting at the Google OAuth 2.0 Server
(3) Authorization Request: the client presents the authorization grant to the Google OAuth 2.0 Server
(4) Access Token: the authorization server authenticates the client, validates the grant and issues an access token
(5) Access Token: the client calls the Google Calendar APIs with the access token
(6) Protected Resource: the Google Calendar Server validates the token and returns your calendar data
6. Authorization Grant
• There are four ways a resource owner can grant authorization to a client (RFC 6749, section 1.3)
– Authorization Code
• The client directs the user (through the user agent) to the authorization server
• The user inputs ID/PWD on the authorization server, never on the client, and approves the request
• The authorization server redirects the user back to the client with a short-lived, single-use authorization code
• The client sends the authorization code (together with its own client credentials) to the authorization server to obtain the access token; the access token itself never passes through the user agent
• Public clients (mobile apps, single-page apps) should additionally bind the code to the client with PKCE (RFC 7636)
– Implicit
• Simplifies the above process: the access token is returned directly in the redirect, so it is exposed to the user agent and can leak or be replayed (the OAuth 2.0 Security Best Current Practice, RFC 9700, recommends against it)
– Resource Owner Password Credentials (less secure)
• The user inputs ID/PWD on the client
• The client sends the ID/PWD to the authorization server to obtain the access token
• The client handles the password directly, which is exactly what OAuth was designed to avoid (RFC 9700 says this grant must not be used)
– Client Credentials
• Used when the client is also the resource owner, or
• The authorization to access protected resources has previously been arranged between the client and the authorization server (no user is involved)
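The authorization-code grant described above, as an added example that is not part of the original slides and not Google's code. A toy authorization server and a client live in one process so it runs offline; the endpoint URL, redirect URI, client id and client secret are placeholders. It goes slightly beyond the slide by adding the `state` parameter and PKCE, and shows two failure cases a practitioner cares about: a replayed authorization code and a callback carrying a state the client never issued.

```python
"""Added example (not from the slides, not Google's code): the authorization-code
grant with a toy authorization server and a client in one process, runnable offline."""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # assumed placeholder
REDIRECT_URI = "https://client.example/callback"       # assumed placeholder


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ToyAuthorizationServer:
    """Stand-in for the authorization server: issues codes (step 3) and tokens (step 4)."""

    def __init__(self):
        self.clients = {"calendar-explorer": {"secret": "s3cret", "redirect_uri": REDIRECT_URI}}
        self.codes = {}  # single-use code -> what it was issued for

    def authorize(self, params, user_consents=True):
        """The user authenticates here, not at the client; returns the redirect query."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_consents:
            return {"error": "access_denied", "state": params["state"]}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "code_challenge": params["code_challenge"]}
        return {"code": code, "state": params["state"]}

    def token(self, form):
        """Token endpoint: authenticates the client, checks the code and the PKCE verifier."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.pop(form.get("code"), None)  # pop: a code can be redeemed only once
        if rec is None or rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class Client:
    """The 'Google Calendar APIs Explorer' role: it never sees the user's password."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.pending = {}  # state -> PKCE code_verifier, one per in-flight authorization

    def start_authorization(self, scope):
        """Step 1: build the URL the user's browser is sent to."""
        verifier = secrets.token_urlsafe(64)
        challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
        state = secrets.token_urlsafe(16)  # binds the callback to this browser session
        self.pending[state] = verifier
        query = {"response_type": "code", "client_id": self.client_id, "redirect_uri": REDIRECT_URI,
                 "scope": scope, "state": state, "code_challenge": challenge,
                 "code_challenge_method": "S256"}
        return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(query)

    def handle_callback(self, server, query):
        """Steps 2-4: check state, then exchange the code over the back channel."""
        verifier = self.pending.pop(query.get("state"), None)
        if verifier is None:
            raise ValueError("unknown or reused state: possible CSRF / code injection")
        if "error" in query:
            raise ValueError("authorization denied: " + query["error"])
        return server.token({"grant_type": "authorization_code", "code": query["code"],
                             "redirect_uri": REDIRECT_URI, "client_id": self.client_id,
                             "client_secret": self.client_secret, "code_verifier": verifier})


def demo():
    """Run the flow once, then show a replayed code and a forged callback being rejected."""
    server, client = ToyAuthorizationServer(), Client("calendar-explorer", "s3cret")
    url = client.start_authorization("calendar.readonly")
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    redirect_query = server.authorize(params)  # user signs in and consents at the AS
    first = client.handle_callback(server, redirect_query)
    replay = server.token({"grant_type": "authorization_code", "code": redirect_query["code"],
                           "redirect_uri": REDIRECT_URI, "client_id": "calendar-explorer",
                           "client_secret": "s3cret", "code_verifier": "anything"})
    try:
        client.handle_callback(server, {"code": "attacker-supplied", "state": "forged"})
        forged = "accepted"
    except ValueError:
        forged = "rejected"
    return {"first": first, "replay": replay, "forged_state": forged}


if __name__ == "__main__":
    print(demo())
```

The token exchange happens server-to-server with the client secret, so the browser only ever carries the short-lived code; the `state` check is what stops an attacker from tricking the client into redeeming a code the attacker obtained.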
7. Access Token
• Access token
– is a credential used to access protected resources.
– is a string (usually opaque to the client) representing an authorization issued to the client.
– represents specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
• Standard
– RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
– A bearer token grants access to whoever presents it, so RFC 6750 requires TLS for every request that carries one and has the client send it in the Authorization header ("Authorization: Bearer <token>")
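How a resource server enforces the scope and duration of a bearer token, as an added example that is not part of the original slides and not Google's code. The token store, realm name and the two calendar operations are constructed stand-ins; the status codes and WWW-Authenticate error values follow RFC 6750 section 3.

```python
"""Added example (not from the slides, not Google's code): a resource server checking a
bearer token's scope and lifetime per RFC 6750. Token store and realm are constructed."""
import secrets
import time

REALM = "calendar"  # assumed placeholder
# Constructed stand-in for what the authorization server knows about each opaque token
# (in practice obtained by introspection or a shared store). exp is a Unix timestamp.
TOKENS = {
    "tok-readonly": {"sub": "alice", "scope": {"calendar.readonly"}, "exp": 2_000_000_000},
    "tok-expired": {"sub": "alice", "scope": {"calendar.readonly", "calendar.events"}, "exp": 1_000_000_000},
}


def _challenge(error=None, description=None, scope=None):
    """WWW-Authenticate value; RFC 6750 says a request with no token gets no error code."""
    parts = [f'Bearer realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return ", ".join(parts)


def _lookup(presented):
    """Compare against every stored token in constant time instead of a dict lookup,
    so response timing does not leak how many leading characters matched."""
    found = None
    for token, meta in TOKENS.items():
        if secrets.compare_digest(token, presented):
            found = meta
    return found


def authenticate_bearer(headers, required_scope, now=None):
    """Return (status, body, response_headers) for a request to a protected resource."""
    now = time.time() if now is None else now
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        # No usable bearer token: 401 with a bare challenge (RFC 6750 section 3.1).
        return 401, {}, {"WWW-Authenticate": _challenge()}
    meta = _lookup(credential)
    if meta is None:
        return 401, {}, {"WWW-Authenticate": _challenge("invalid_token", "unknown token")}
    if meta["exp"] <= now:  # the authorization had a duration; enforce it here
        return 401, {}, {"WWW-Authenticate": _challenge("invalid_token", "token expired")}
    if required_scope not in meta["scope"]:  # valid token, but not for this operation
        return 403, {}, {"WWW-Authenticate": _challenge(
            "insufficient_scope", "scope " + required_scope + " required", required_scope)}
    return 200, {"owner": meta["sub"], "granted_scope": sorted(meta["scope"])}, {}


def list_events(headers, now=None):
    """GET /calendar/events (constructed endpoint) needs calendar.readonly."""
    return authenticate_bearer(headers, "calendar.readonly", now)


def create_event(headers, now=None):
    """POST /calendar/events (constructed endpoint) needs calendar.events."""
    return authenticate_bearer(headers, "calendar.events", now)
```

Note the split between 401 and 403: an expired or unknown token is an authentication failure the client can fix by obtaining a new token, while a valid token with the wrong scope is an authorization failure that a fresh token with the same scope would not cure, so the challenge names the scope the client needs to request.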