The document discusses OAuth 2.0 and adapting to traffic beyond the browser. It notes that for successful companies, 80% of traffic will come from beyond the browser. OAuth 2.0 defines an authorization framework for RESTful services that supports a variety of clients, including servers and mobile apps. It puts users in control of what resources are shared.

1. OAuth 2.0 101
Adapting to the Web Beyond the Browser
Anand Sharma
IT Architect
April 2012
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

2. Beyond the Browser:
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

3. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

5. For the successful companies, 80% of traffic will be coming from beyond the browser.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

6. The resource is some website; the user is the consumer
Authorization is granted by the an Admin
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

7. The resource is owned by the user
The application consumes the resource
The application is given too much power
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

8. The resource is owned by the user
The application consumes the resource
The application is given too much power
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

9. Because, Services (APIs) and Passwords don’t mix well
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

10. OAuth 2.0:
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

11. Defines Authorization & Authentication
framework for RESTful services
Supports variety of clients – from Servers to
Mobile Apps
Puts the user in control of what resources are
shared – mitigates password anti-pattern
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

12. Application that calls API (Client)
Software application that calls REST APIs
Human User using the App (Resource Owner)
End-user whose data is offered up through an API to Clients
API Proxy or Host (Resource Server)
Accepts access tokens on API calls in order to authenticate calling client
Token Server (Authorization Server)
Issues Access tokens after Authenticating the client and/or Resource Owner
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

13. Short-lived Token (Access Token)
Applications authenticate to APIs using an Access Token
Long-lived Token (Refresh Token)
Refresh Tokens, if present, can be used to get a new Access Token
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

14. 1. Client Gets Token
2. Client Uses Token
3. Resource Server Validates Token
4. Client Refreshes Token (Optional)
95% of OAuth (and OAuth Complexity) is about:
- Step #1: How to get Access Token
- OAuth’s Confusing terminology
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

15. Client Identity
Human User
Identity
Access
Token
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

16. Directly exchanges Client’s credentials for
an Access token
For accessing client-owned resources (no
Human User involvement)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16

17. Directly exchanges Human User’s
credentials for an access token
Useful where the Client is well-trusted by
the user and where a browser redirect
would be awkward
Commonly used with trusted Mobile apps
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17

18. Similar to OAuth 1.0a flow
- Starts with redirect to provider for
authorization
- After authorization, redirects back to
client with code query parameter
– Code is exchanged for access token
Client is able to keep tokens confidential
Commonly used for web apps connecting
with providers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18

19. Simplified Authorization flow
– After Authorization, redirects back to
client with Access token in fragment
parameter
Reduced round-trips
Refresh token is not supported
Commonly used by in browser JavaScript
apps or widgets
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19

20. The client sends an access token request
to the authorization server that includes a
SAML 2.0 Assertion
The authorization server validates the
Assertion per the processing rules defined
in this specification and issues an access
token.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20

21. OAuth Challenges:
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21

22. OAuth: What version should we
use?
Standardize on OAuth 2.0 Draft 20
Lack of Understanding
Book(s), Brown-bags
Lack of tools and frameworks
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

23. “Getting Started with OAuth 2.0” O’Reilly Book
OAuth 2.0 Draft 25 (http://bit.ly/dft-oauth)
Search for “OAuth 2.0” in Google
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23

24. Backup Slides
Q&A
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24