OAuth 2.0 is an open standard for authorization that allows third-party applications to obtain limited access to a user's data without requiring them to share their passwords. It allows users to securely authorize third-party access to their private resources like photos, videos, contact lists, and calendars without sharing their passwords. The latest OAuth 2.0 specification was published in October 2021 and defines authorization flows and token types for confidential and public clients.

1. OAuth 2.0 Updates
11 9 8

2. @nov
OpenID Foundation Japan Translation & Education WG
Translated OpenID 2.0, OAuth 1.0 & 2.0 specs
Web Developer @ iKnow!
OAuth.jp
Ruby Libraries
rack-oauth2, fb_graph, openid_connect etc.
OpenID TechNight #7
11 9 8

3. OAuth in 5 min
OpenID TechNight #7
11 9 8

4. Current Trend
Mobile Game Social
OpenID TechNight #7
11 9 8

5. API Integration
Access Control for APIs
OpenID TechNight #7
11 9 8

6. API Integration
Basic Auth
OpenID TechNight #7
11 9 8

7. OpenID TechNight #7
11 9 8

8. I’m using same password
on 10+ services.
OpenID TechNight #7
11 9 8

9. OAuth
No password sharing
Limited access lifetime
Expire a,er N weeks
Limited access scope
Status Update : OK
Read Inbox : NG
OpenID TechNight #7
11 9 8

10. OAuth Everywhere
Mobile Game Social
OpenID TechNight #7
11 9 8

11. In B2B area too
OpenID TechNight #7
11 9 8

12. OpenID TechNight #7
11 9 8

13. OpenID Connect
OpenID TechNight #7
11 9 8

14. Rough History
OpenID TechNight #7
11 9 8

15. 2007.12 OAuth 1.0
OpenID TechNight #7
11 9 8

16. Twitter API
OpenID TechNight #7
11 9 8

17. 2010.04 OAuth 2.0
(dra, 0)
OpenID TechNight #7
11 9 8

18. Facebook Graph API
OpenID TechNight #7
11 9 8

19. 2010.07 dra, 10
OpenID TechNight #7
11 9 8

20. mixi Graph API
OpenID TechNight #7
11 9 8

21. OpenID TechNight #7
11 9 8

22. 2011.07 dra, 20
OpenID TechNight #7
11 9 8

23. Review by 8/12
OpenID TechNight #7
11 9 8

24. WG Feedback
(mainly on Security Considerations)
OpenID TechNight #7
11 9 8

25. 2011.09 dra, 21
OpenID TechNight #7
11 9 8

26. Latest Spec
http://j.mp/oauth2_21
OpenID TechNight #7
11 9 8

27. Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner API
Client
Access
OpenID TechNight #7
11 9 8

28. Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner API
Client
Access
OpenID TechNight #7
11 9 8

29. Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner API
Client
Access
OpenID TechNight #7
11 9 8

30. Core Spec
Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner API
Client
Access
Token Type Spec OpenID TechNight #7
11 9 8

31. Core Spec
Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner
Client API
Access
OpenID TechNight #7
11 9 8

32. Core Response Type
Code Token
Secure Efficient
2 HTTP request 1 HTTP request
Require Approval Both at once
Get Access Token
+ extensions
OpenID TechNight #7
11 9 8

33. Core response_type = code
Resource Owner Client Authorization Server
Initiate
Require Approval
Approve
Code
Code
Access Token
OpenID TechNight #7
11 9 8

34. Core response_type = token
Resource Owner Client Authorization Server
Initiate
Require Approval
Approve
Access Token
OpenID TechNight #7
11 9 8

35. Core Client Type
Confidential Public
Has client secret No client secret
Eg.) Web app Eg.) Mobile/JS app
OpenID TechNight #7
11 9 8

36. Core response_type = code
Resource Owner Client Authorization Server
Initiate client_id=...&
response_type=code&
redirect_uri=https://...
Require Approval
Approve
Code
Code
Access Token
OpenID TechNight #7
11 9 8

37. Core response_type = code
Resource Owner Client Authorization Server
Initiate client_id=...&
response_type=code&
redirect_uri=https://...
Require Approval
Approve
code=...&
client_id=...&
client_secret=...&
Code
redirect_uri=https://...
Code
Access Token
OpenID TechNight #7
11 9 8

38. Core response_type = code
Resource Owner Client Authorization Server
Initiate client_id=...&
response_type=code&
Public clients CANNOT do
Require Approval Client Authentication
redirect_uri=https://...
“client_secret” is NOT REQUIRED for public clients
Approve
code=...&
Rely on “redirect_uri” verification instead
client_id=...&
client_secret=...&
Code
Public clients MUST pre-register “redirect_uri”
redirect_uri=https://...
Code
Access Token
OpenID TechNight #7
11 9 8

39. Core response_type = token
Resource Owner Client Authorization Server
Initiate
client_id=...&
response_type=token&
redirect_uri=https://...
Require Approval
Approve
Access Token
OpenID TechNight #7
11 9 8

40. Core response_type = token
Resource Owner Client Authorization Server
Initiate
client_id=...&
response_type=token&
redirect_uri=https://...
Require Approval
Approve
All clients MUST pre-register “redirect_uri”
Access Token
OpenID TechNight #7
11 9 8

41. Core Notes
For Servers
Do you support public clients?
Do you need iPhone/Android apps support?
Require full redirect URI registration
Narrower scopes / shorter lifetime for public clients
For Clients
Don’t include client secret in your mobile app
OpenID TechNight #7
11 9 8

42. Core Security Considerations
Don’t issue “client_secret” to public clients
“redirect_uri” verification is important especially for
public clients
Consider security policy per client type
Use “state” param against CSRF / code injection attack
etc.
OpenID TechNight #7
11 9 8

43. Attacker Client Authorization Server
Initiate
Require Approval
Approve
Code
Code
Code
Code
Access Token
OpenID TechNight #7
11 9 8

44. Attacker Client Authorization Server
Initiate
Require Approval
Approve
Allow attacker to login
Code
with attacker’s Twitter account
Code
Code
Code
Access Token
OpenID TechNight #7
11 9 8

45. Attacker Client Authorization Server
Store “state”
Initiate in Cookie etc.
Require Approval State
Approve
Code State
State
Code
Code State “state”
verification
failed!!
OpenID TechNight #7
11 9 8

46. In dra, 21, “state” is RECOMMENDED
OpenID TechNight #7
11 9 8

47. Token Type Spec
Authorization
Server
Authorize
Client Access
Access
Token
Resource
Server
Resource
Owner
Client API
Access
OpenID TechNight #7
11 9 8

48. Token Token Type Spec
Bearer MAC
No signature Signature
No token secret Token secret
Mainstream Similar to OAuth 1.0
+ extensions
OpenID TechNight #7
11 9 8

49. Token Bearer Token
Access Token Response
OpenID TechNight #7
11 9 8

50. Token API Access (Bearer)
OpenID TechNight #7
11 9 8

51. Token MAC Token
Access Token Response
OpenID TechNight #7
11 9 8

52. Token API Access (MAC)
OpenID TechNight #7
11 9 8

53. Token Notes
For Servers
Access Token Response
Set “token_type” as “bearer”
Resource Request
Support both “OAuth” and “Bearer” auth header
Support both “oauth_token” and “access_token”
query/body params
OpenID TechNight #7
11 9 8

54. Token Notes
For Clients
Move from “OAuth” to “Bearer”
Move from “oauth_token” to “access_token”
Only for Facebook API developers
Access token response will be JSON
OpenID TechNight #7
11 9 8

55. APPENDIX
OpenID TechNight #7
11 9 8

56. FB OAuth Updates
OpenID TechNight #7
11 9 8

57. OAuth Migration
(by 2011.09.30)
Using legacy FB APIs? (~2010.04)
No more “fb_sig” and “fb_sig_session_key”
Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth)
Your library might not work anymore
OpenID TechNight #7
11 9 8

58. OAuth Migration
(by 2011.09.30)
Developing canvas or page tab apps?
No more “fb_sig”
Migrate to “signed_request”
Obtain SSL certificate
OpenID TechNight #7
11 9 8

59. OAuth Migration
(by 2011.09.30)
Using FB.login (or <fb:login-button>) and FB cookie?
Now “code” is in the cookie, not “access_token”
Needs to exchange the code with access token
OpenID TechNight #7
11 9 8

60. OAuth Spec Updates
Using “response_type=code_and_token”?
Use “response_type=code%20token” instead
OpenID TechNight #7
11 9 8

61. github.com/nov
OpenID TechNight #7
11 9 8