SlideShare a Scribd company logo

OAuth 2.0 Updates #technight

Nov Matake
Nov Matake

The document discusses OAuth 2.0 and its updates. It provides a brief history of OAuth including versions 1.0 and 2.0. It explains the core specification of OAuth 2.0 including authorization servers, resource owners, clients, access tokens, and response types. It also summarizes the token type specification and security considerations for OAuth implementations.

Technology
1 of 51
Download to read offline
OAuth 2.0 Updates
@nov OpenID Foundation Japan Translation & Education WG Translated OpenID 2.0, OAuth 1.0 & 2.0 specs Web Developer @ iKnow! OAuth.jp Ruby Libraries rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
OAuth in 5 min OpenID TechNight #7
Current Trend Mobile Game Social OpenID TechNight #7
API Integration Access Control for APIs OpenID TechNight #7
API Integration Basic Auth OpenID TechNight #7
OpenID TechNight #7
I’m using same password on 10+ services. OpenID TechNight #7
OAuth No password sharing Limited access lifetime Expire a,er N weeks Limited access scope Status Update : OK Read Inbox : NG OpenID TechNight #7
OAuth Everywhere Mobile Game Social OpenID TechNight #7
B2B is slow though.. OpenID TechNight #7
Rough History OpenID TechNight #7
2007.12 OAuth 1.0 OpenID TechNight #7
Twitter API OpenID TechNight #7
2010.04 OAuth 2.0 (dra, 0) OpenID TechNight #7
Facebook Graph API OpenID TechNight #7
2010.07 dra, 10 OpenID TechNight #7
mixi Graph API OpenID TechNight #7
OpenID TechNight #7
2011.07 dra, 20 OpenID TechNight #7
Review by 8/12 OpenID TechNight #7
Latest Spec http://j.mp/oauth2_20 OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access Token Type Spec OpenID TechNight #7
Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
Core Response Type Code Token Secure Efficient 2 HTTP request 1 HTTP request Require Approval Both at once Get Access Token + extensions OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
Core Client Type Confidential Public Has client secret No client secret Eg.) Web app Eg.) Mobile/JS app OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve Code Code Access Token OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve code=...& client_id=...& client_secret=...& Code redirect_uri=https://... Code Access Token OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& Public clients CANNOT do Require Approval Client Authentication redirect_uri=https://... “client_secret” is NOT REQUIRED for public clients Approve code=...& Rely on “redirect_uri” verification instead client_id=...& client_secret=...& Code Public clients MUST pre-register “redirect_uri” redirect_uri=https://... Code Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve All clients MUST pre-register “redirect_uri” Access Token OpenID TechNight #7
Core Notes For Servers Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration Narrower scopes / shorter lifetime for public clients For Clients Don’t include client secret in your mobile app OpenID TechNight #7
Core Security Considerations Don’t issue “client_secret” to public clients “redirect_uri” verification is important especially for public clients Consider security policy per client type Use “state” param against CSRF / code injection attack etc. OpenID TechNight #7
Attacker Client Authorization Server Initiate Require Approval Approve Code Code Code Code Access Token OpenID TechNight #7
Attacker Client Authorization Server Initiate Require Approval Approve Allow attacker to login Code with attacker’s Twitter account Code Code Code Access Token OpenID TechNight #7
Attacker Client Authorization Server Store “state” Initiate in Cookie etc. Require Approval State Approve Code State State Code Code State “state” verification failed!! OpenID TechNight #7
Token Type Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 + extensions OpenID TechNight #7
Token Bearer Token Access Token Response OpenID TechNight #7
Token API Access (Bearer) OpenID TechNight #7
Token MAC Token Access Token Response OpenID TechNight #7
Token API Access (MAC) OpenID TechNight #7
Token Notes For Servers Access Token Response Set “token_type” as “bearer” Resource Request Support both “OAuth” and “Bearer” auth header Support both “oauth_token” and “access_token” query/body params OpenID TechNight #7
Token Notes For Clients Move from “OAuth” to “Bearer” Move from “oauth_token” to “access_token” Only for Facebook API developers Access token response will be JSON OpenID TechNight #7
Review by 8/12 OpenID TechNight #7
github.com/nov OpenID TechNight #7

Recommended

Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple
Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるエンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考える
Masaru Kurahayashi
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 

Recommended

Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple
Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるエンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考える
Masaru Kurahayashi
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
Eugene Siow
 
Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応
Naohiro Fujie
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
WSO2
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
Ryo Ito
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24
Nov Matake
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
Nov Matake
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
Cloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOICloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOI
Tatsuo Kudo
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Foundation Japan
 

More Related Content

What's hot

OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
Eugene Siow
 
Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応
Naohiro Fujie
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
WSO2
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
Ryo Ito
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24
Nov Matake
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
Nov Matake
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
Gasperi Jerome
 

What's hot (20)

OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 

Viewers also liked

Cloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOICloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOI
Tatsuo Kudo
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Foundation Japan
 
110728 Trust Framework - Shingo Yamanaka
110728 Trust Framework - Shingo Yamanaka110728 Trust Framework - Shingo Yamanaka
110728 Trust Framework - Shingo Yamanaka
OpenID Foundation Japan
 
110728 Trust Framework - Akiko Orita
110728 Trust Framework - Akiko Orita110728 Trust Framework - Akiko Orita
110728 Trust Framework - Akiko Orita
OpenID Foundation Japan
 
110728 Trust Framework - Takashi Shitamichi
110728 Trust Framework - Takashi Shitamichi110728 Trust Framework - Takashi Shitamichi
110728 Trust Framework - Takashi Shitamichi
OpenID Foundation Japan
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
Nat Sakimura
 
AWS紹介&AWSとオープンデータの事例紹介
AWS紹介&AWSとオープンデータの事例紹介AWS紹介&AWSとオープンデータの事例紹介
AWS紹介&AWSとオープンデータの事例紹介
Yasuhiro Horiuchi
 

Viewers also liked (7)

Cloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOICloud Identity Summit 2011 TOI
Cloud Identity Summit 2011 TOI
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7
 
110728 Trust Framework - Shingo Yamanaka
110728 Trust Framework - Shingo Yamanaka110728 Trust Framework - Shingo Yamanaka
110728 Trust Framework - Shingo Yamanaka
 
110728 Trust Framework - Akiko Orita
110728 Trust Framework - Akiko Orita110728 Trust Framework - Akiko Orita
110728 Trust Framework - Akiko Orita
 
110728 Trust Framework - Takashi Shitamichi
110728 Trust Framework - Takashi Shitamichi110728 Trust Framework - Takashi Shitamichi
110728 Trust Framework - Takashi Shitamichi
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
 
AWS紹介&AWSとオープンデータの事例紹介
AWS紹介&AWSとオープンデータの事例紹介AWS紹介&AWSとオープンデータの事例紹介
AWS紹介&AWSとオープンデータの事例紹介
 

Similar to OAuth 2.0 Updates #technight

OAuth 2.0 #idit2012
OAuth 2.0 #idit2012OAuth 2.0 #idit2012
OAuth 2.0 #idit2012
Nov Matake
 
OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7
Nov Matake
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
Derek Binkley
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
Paul Madsen
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
Jeff Fontas
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
Andy March
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
Ben Adida
 

Similar to OAuth 2.0 Updates #technight (20)

OAuth 2.0 #idit2012
OAuth 2.0 #idit2012OAuth 2.0 #idit2012
OAuth 2.0 #idit2012
 
OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
 

More from Nov Matake

#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19
Nov Matake
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Nov Matake
 
FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24
Nov Matake
 
NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)
Nov Matake
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Nov Matake
 
NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22
Nov Matake
 
NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13
Nov Matake
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idconミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
Nov Matake
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
Nov Matake
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014Nov Matake
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveNov Matake
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onNov Matake
 
JWT Translation #technight
JWT Translation #technightJWT Translation #technight
JWT Translation #technightNov Matake
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
Self isssued-idp
Self isssued-idpSelf isssued-idp
Self isssued-idp
Nov Matake
 
IIW 16th Report at #idcon
IIW 16th Report at #idconIIW 16th Report at #idcon
IIW 16th Report at #idcon
Nov Matake
 
Whats wrong oauth_authn
Whats wrong oauth_authnWhats wrong oauth_authn
Whats wrong oauth_authnNov Matake
 

More from Nov Matake (20)

#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
 
FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
 
FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24
 
NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
 
NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22
 
NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22
 
ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idconミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devlove
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-on
 
JWT Translation #technight
JWT Translation #technightJWT Translation #technight
JWT Translation #technight
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon sattelite
 
Self isssued-idp
Self isssued-idpSelf isssued-idp
Self isssued-idp
 
IIW 16th Report at #idcon
IIW 16th Report at #idconIIW 16th Report at #idcon
IIW 16th Report at #idcon
 
Whats wrong oauth_authn
Whats wrong oauth_authnWhats wrong oauth_authn
Whats wrong oauth_authn
 

Recently uploaded

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 

Recently uploaded (20)

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 

OAuth 2.0 Updates #technight

  • 2. @nov OpenID Foundation Japan Translation & Education WG Translated OpenID 2.0, OAuth 1.0 & 2.0 specs Web Developer @ iKnow! OAuth.jp Ruby Libraries rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
  • 3. OAuth in 5 min OpenID TechNight #7
  • 4. Current Trend Mobile Game Social OpenID TechNight #7
  • 5. API Integration Access Control for APIs OpenID TechNight #7
  • 6. API Integration Basic Auth OpenID TechNight #7
  • 8. I’m using same password on 10+ services. OpenID TechNight #7
  • 9. OAuth No password sharing Limited access lifetime Expire a,er N weeks Limited access scope Status Update : OK Read Inbox : NG OpenID TechNight #7
  • 10. OAuth Everywhere Mobile Game Social OpenID TechNight #7
  • 11. B2B is slow though.. OpenID TechNight #7
  • 12. Rough History OpenID TechNight #7
  • 13. 2007.12 OAuth 1.0 OpenID TechNight #7
  • 14. Twitter API OpenID TechNight #7
  • 15. 2010.04 OAuth 2.0 (dra, 0) OpenID TechNight #7
  • 16. Facebook Graph API OpenID TechNight #7
  • 17. 2010.07 dra, 10 OpenID TechNight #7
  • 18. mixi Graph API OpenID TechNight #7
  • 20. 2011.07 dra, 20 OpenID TechNight #7
  • 21. Review by 8/12 OpenID TechNight #7
  • 22. Latest Spec http://j.mp/oauth2_20 OpenID TechNight #7
  • 23. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 24. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 25. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 26. Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access Token Type Spec OpenID TechNight #7
  • 27. Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
  • 28. Core Response Type Code Token Secure Efficient 2 HTTP request 1 HTTP request Require Approval Both at once Get Access Token + extensions OpenID TechNight #7
  • 29. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenID TechNight #7
  • 30. Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
  • 31. Core Client Type Confidential Public Has client secret No client secret Eg.) Web app Eg.) Mobile/JS app OpenID TechNight #7
  • 32. Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve Code Code Access Token OpenID TechNight #7
  • 33. Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve code=...& client_id=...& client_secret=...& Code redirect_uri=https://... Code Access Token OpenID TechNight #7
  • 34. Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& Public clients CANNOT do Require Approval Client Authentication redirect_uri=https://... “client_secret” is NOT REQUIRED for public clients Approve code=...& Rely on “redirect_uri” verification instead client_id=...& client_secret=...& Code Public clients MUST pre-register “redirect_uri” redirect_uri=https://... Code Access Token OpenID TechNight #7
  • 35. Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve Access Token OpenID TechNight #7
  • 36. Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve All clients MUST pre-register “redirect_uri” Access Token OpenID TechNight #7
  • 37. Core Notes For Servers Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration Narrower scopes / shorter lifetime for public clients For Clients Don’t include client secret in your mobile app OpenID TechNight #7
  • 38. Core Security Considerations Don’t issue “client_secret” to public clients “redirect_uri” verification is important especially for public clients Consider security policy per client type Use “state” param against CSRF / code injection attack etc. OpenID TechNight #7
  • 39. Attacker Client Authorization Server Initiate Require Approval Approve Code Code Code Code Access Token OpenID TechNight #7
  • 40. Attacker Client Authorization Server Initiate Require Approval Approve Allow attacker to login Code with attacker’s Twitter account Code Code Code Access Token OpenID TechNight #7
  • 41. Attacker Client Authorization Server Store “state” Initiate in Cookie etc. Require Approval State Approve Code State State Code Code State “state” verification failed!! OpenID TechNight #7
  • 42. Token Type Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
  • 43. Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 + extensions OpenID TechNight #7
  • 44. Token Bearer Token Access Token Response OpenID TechNight #7
  • 45. Token API Access (Bearer) OpenID TechNight #7
  • 46. Token MAC Token Access Token Response OpenID TechNight #7
  • 47. Token API Access (MAC) OpenID TechNight #7
  • 48. Token Notes For Servers Access Token Response Set “token_type” as “bearer” Resource Request Support both “OAuth” and “Bearer” auth header Support both “oauth_token” and “access_token” query/body params OpenID TechNight #7
  • 49. Token Notes For Clients Move from “OAuth” to “Bearer” Move from “oauth_token” to “access_token” Only for Facebook API developers Access token response will be JSON OpenID TechNight #7
  • 50. Review by 8/12 OpenID TechNight #7
  • 51. github.com/nov OpenID TechNight #7