Nov Matake, profile picture
Uploaded byNov Matake
PDF, PPTX3,956 views

OAuth 2.0 Updates #technight

The document discusses OAuth 2.0 and its updates. It provides a brief history of OAuth including versions 1.0 and 2.0. It explains the core specification of OAuth 2.0 including authorization servers, resource owners, clients, access tokens, and response types. It also summarizes the token type specification and security considerations for OAuth implementations.

Embed presentation

Download as PDF, PPTX
OAuth 2.0 Updates
@nov OpenID Foundation Japan Translation & Education WG Translated OpenID 2.0, OAuth 1.0 & 2.0 specs Web Developer @ iKnow! OAuth.jp Ruby Libraries rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
OAuth in 5 min OpenID TechNight #7
Current Trend Mobile Game Social OpenID TechNight #7
API Integration Access Control for APIs OpenID TechNight #7
API Integration Basic Auth OpenID TechNight #7
OpenID TechNight #7
I’m using same password on 10+ services. OpenID TechNight #7
OAuth No password sharing Limited access lifetime Expire a,er N weeks Limited access scope Status Update : OK Read Inbox : NG OpenID TechNight #7
OAuth Everywhere Mobile Game Social OpenID TechNight #7
B2B is slow though.. OpenID TechNight #7
Rough History OpenID TechNight #7
2007.12 OAuth 1.0 OpenID TechNight #7
Twitter API OpenID TechNight #7
2010.04 OAuth 2.0 (dra, 0) OpenID TechNight #7
Facebook Graph API OpenID TechNight #7
2010.07 dra, 10 OpenID TechNight #7
mixi Graph API OpenID TechNight #7
OpenID TechNight #7
2011.07 dra, 20 OpenID TechNight #7
Review by 8/12 OpenID TechNight #7
Latest Spec http://j.mp/oauth2_20 OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access Token Type Spec OpenID TechNight #7
Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
Core Response Type Code Token Secure Efficient 2 HTTP request 1 HTTP request Require Approval Both at once Get Access Token + extensions OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
Core Client Type Confidential Public Has client secret No client secret Eg.) Web app Eg.) Mobile/JS app OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve Code Code Access Token OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve code=...& client_id=...& client_secret=...& Code redirect_uri=https://... Code Access Token OpenID TechNight #7
Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& Public clients CANNOT do Require Approval Client Authentication redirect_uri=https://... “client_secret” is NOT REQUIRED for public clients Approve code=...& Rely on “redirect_uri” verification instead client_id=...& client_secret=...& Code Public clients MUST pre-register “redirect_uri” redirect_uri=https://... Code Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve Access Token OpenID TechNight #7
Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve All clients MUST pre-register “redirect_uri” Access Token OpenID TechNight #7
Core Notes For Servers Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration Narrower scopes / shorter lifetime for public clients For Clients Don’t include client secret in your mobile app OpenID TechNight #7
Core Security Considerations Don’t issue “client_secret” to public clients “redirect_uri” verification is important especially for public clients Consider security policy per client type Use “state” param against CSRF / code injection attack etc. OpenID TechNight #7
Attacker Client Authorization Server Initiate Require Approval Approve Code Code Code Code Access Token OpenID TechNight #7
Attacker Client Authorization Server Initiate Require Approval Approve Allow attacker to login Code with attacker’s Twitter account Code Code Code Access Token OpenID TechNight #7
Attacker Client Authorization Server Store “state” Initiate in Cookie etc. Require Approval State Approve Code State State Code Code State “state” verification failed!! OpenID TechNight #7
Token Type Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 + extensions OpenID TechNight #7
Token Bearer Token Access Token Response OpenID TechNight #7
Token API Access (Bearer) OpenID TechNight #7
Token MAC Token Access Token Response OpenID TechNight #7
Token API Access (MAC) OpenID TechNight #7
Token Notes For Servers Access Token Response Set “token_type” as “bearer” Resource Request Support both “OAuth” and “Bearer” auth header Support both “oauth_token” and “access_token” query/body params OpenID TechNight #7
Token Notes For Clients Move from “OAuth” to “Bearer” Move from “oauth_token” to “access_token” Only for Facebook API developers Access token response will be JSON OpenID TechNight #7
Review by 8/12 OpenID TechNight #7
github.com/nov OpenID TechNight #7

More Related Content

PDF
Sign in with Apple
byNov Matake
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
byNov Matake
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
エンタープライズの視点からFIDOとFederationのビジネスを考える
byMasaru Kurahayashi
 
PDF
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
byNaoki Nagazumi
 
PDF
ID連携入門 (実習編) - Security Camp 2016
byNov Matake
 
PDF
OpenID Connect 101 @ OpenID TechNight vol.11
byNov Matake
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
Sign in with Apple
byNov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
byNov Matake
 
Full stack security
byDPC Consulting Ltd
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
byMasaru Kurahayashi
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
byNaoki Nagazumi
 
ID連携入門 (実習編) - Security Camp 2016
byNov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
byNov Matake
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 

What's hot

PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
PPTX
OpenID Connect 1.0 Explained
byEugene Siow
 
PDF
Ad(microsoftの方)のOpenId Connect対応
byNaohiro Fujie
 
PDF
Getting Started with FIDO2
byFIDO Alliance
 
PDF
FIDO2 Specifications Overview
byFIDO Alliance
 
PDF
Enterprise Single Sign On
byWSO2
 
PDF
Open id connect claims idcon mini vol1
byRyo Ito
 
PDF
Webauthn Tutorial
byFIDO Alliance
 
PPTX
The Client is not always right! How to secure OAuth authentication from your...
byMike Schwartz
 
PDF
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
PPT
Understanding OpenID
byPrabath Siriwardena
 
PDF
RPで受け入れる認証器を選択する ~Idance lesson 2~
by5 6
 
PPTX
OpenID Connect: An Overview
byPat Patterson
 
PDF
W3C Web Authentication - #idcon vol.24
byNov Matake
 
PPTX
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
PDF
OAuth 2.0 Updates #technight in Osaka
byNov Matake
 
PDF
Introduction to SAML 2.0
byMika Koivisto
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
OpenID Connect 1.0 Explained
byEugene Siow
 
Ad(microsoftの方)のOpenId Connect対応
byNaohiro Fujie
 
Getting Started with FIDO2
byFIDO Alliance
 
FIDO2 Specifications Overview
byFIDO Alliance
 
Enterprise Single Sign On
byWSO2
 
Open id connect claims idcon mini vol1
byRyo Ito
 
Webauthn Tutorial
byFIDO Alliance
 
The Client is not always right! How to secure OAuth authentication from your...
byMike Schwartz
 
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
Understanding OpenID
byPrabath Siriwardena
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
by5 6
 
OpenID Connect: An Overview
byPat Patterson
 
W3C Web Authentication - #idcon vol.24
byNov Matake
 
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
OAuth 2.0 Updates #technight in Osaka
byNov Matake
 
Introduction to SAML 2.0
byMika Koivisto
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 

Viewers also liked

PDF
Cloud Identity Summit 2011 TOI
byTatsuo Kudo
 
PDF
OpenID Connect - Nat Sakimura at OpenID TechNight #7
byOpenID Foundation Japan
 
PDF
110728 Trust Framework - Shingo Yamanaka
byOpenID Foundation Japan
 
PDF
110728 Trust Framework - Akiko Orita
byOpenID Foundation Japan
 
PDF
110728 Trust Framework - Takashi Shitamichi
byOpenID Foundation Japan
 
PPTX
Open id specifications_work_update-tokyo_2011
byNat Sakimura
 
PDF
AWS紹介&AWSとオープンデータの事例紹介
byYasuhiro Horiuchi
 
Cloud Identity Summit 2011 TOI
byTatsuo Kudo
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
byOpenID Foundation Japan
 
110728 Trust Framework - Shingo Yamanaka
byOpenID Foundation Japan
 
110728 Trust Framework - Akiko Orita
byOpenID Foundation Japan
 
110728 Trust Framework - Takashi Shitamichi
byOpenID Foundation Japan
 
Open id specifications_work_update-tokyo_2011
byNat Sakimura
 
AWS紹介&AWSとオープンデータの事例紹介
byYasuhiro Horiuchi
 

Similar to OAuth 2.0 Updates #technight

PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PDF
Distributed Identities with OpenID
byBastian Hofmann
 
PPTX
OpenID Connect Demo at OpenID Tech Night
byDaisuke Fuke
 
PPTX
Making Sense of API Access Control
byCA API Management
 
PDF
OAuth 2.0 #idit2012
byNov Matake
 
PDF
OAuth: Trust Issues
byLorna Mitchell
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PPTX
Lecture 20101124
byAnderson Liang
 
PPTX
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
PDF
OpenID and OAuth
byAndrea Chiodoni
 
PPT
Oauth tutorial
by乐费 胡
 
PDF
Iiw2007b Madsen 01
byPaul Madsen
 
PPTX
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
PPTX
Protecting Online Identities - MIX09
byJorgen Thelin
 
PPTX
Protecting Online Identities
bygoodfriday
 
PPTX
Protecting Online Identities
bygoodfriday
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
Distributed Identities with OpenID
byBastian Hofmann
 
Distributed Identities with OpenID
byBastian Hofmann
 
OpenID Connect Demo at OpenID Tech Night
byDaisuke Fuke
 
Making Sense of API Access Control
byCA API Management
 
OAuth 2.0 #idit2012
byNov Matake
 
OAuth: Trust Issues
byLorna Mitchell
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
When and Why Would I use Oauth2?
byDave Syer
 
Lecture 20101124
byAnderson Liang
 
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
OpenID and OAuth
byAndrea Chiodoni
 
Oauth tutorial
by乐费 胡
 
Iiw2007b Madsen 01
byPaul Madsen
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
Protecting Online Identities - MIX09
byJorgen Thelin
 
Protecting Online Identities
bygoodfriday
 
Protecting Online Identities
bygoodfriday
 

More from Nov Matake

PDF
#idcon vol.29 - #fidcon WebAuthn, Next Stage
byNov Matake
 
PDF
FedCM - OpenID TechNight vol.19
byNov Matake
 
PDF
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
byNov Matake
 
PDF
FIDO @ LINE - #idcon vol.24
byNov Matake
 
PDF
NIST SP 800-63C - Federation and Assertions (FINAL)
byNov Matake
 
PDF
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
byNov Matake
 
PDF
NIST SP 800-63C #idcon vol.22
byNov Matake
 
PDF
NIST SP 800-63-3 #idcon vol.22
byNov Matake
 
PDF
ID連携概要 - OpenID TechNight vol.13
byNov Matake
 
PDF
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
byNov Matake
 
PDF
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
byNov Matake
 
PDF
FIDO alliance #idcon vol.18
byNov Matake
 
PDF
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
byNov Matake
 
PDF
OAuth認証再考からのOpenID Connect #devlove
byNov Matake
 
PDF
ID & IT 2013 - OpenID Connect Hands-on
byNov Matake
 
PDF
JWT Translation #technight
byNov Matake
 
PDF
MIT-KIT Intro at #idcon sattelite
byNov Matake
 
PDF
Self isssued-idp
byNov Matake
 
PDF
IIW 16th Report at #idcon
byNov Matake
 
PDF
Whats wrong oauth_authn
byNov Matake
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
byNov Matake
 
FedCM - OpenID TechNight vol.19
byNov Matake
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
byNov Matake
 
FIDO @ LINE - #idcon vol.24
byNov Matake
 
NIST SP 800-63C - Federation and Assertions (FINAL)
byNov Matake
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
byNov Matake
 
NIST SP 800-63C #idcon vol.22
byNov Matake
 
NIST SP 800-63-3 #idcon vol.22
byNov Matake
 
ID連携概要 - OpenID TechNight vol.13
byNov Matake
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
byNov Matake
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
byNov Matake
 
FIDO alliance #idcon vol.18
byNov Matake
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
byNov Matake
 
OAuth認証再考からのOpenID Connect #devlove
byNov Matake
 
ID & IT 2013 - OpenID Connect Hands-on
byNov Matake
 
JWT Translation #technight
byNov Matake
 
MIT-KIT Intro at #idcon sattelite
byNov Matake
 
Self isssued-idp
byNov Matake
 
IIW 16th Report at #idcon
byNov Matake
 
Whats wrong oauth_authn
byNov Matake
 

Recently uploaded

PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 

OAuth 2.0 Updates #technight

  • 1.
  • 2.
    @nov OpenID Foundation JapanTranslation & Education WG Translated OpenID 2.0, OAuth 1.0 & 2.0 specs Web Developer @ iKnow! OAuth.jp Ruby Libraries rack-oauth2, fb_graph, paypal-express etc. OpenID TechNight #7
  • 3.
    OAuth in 5min OpenID TechNight #7
  • 4.
    Current Trend Mobile Game Social OpenID TechNight #7
  • 5.
    API Integration Access Controlfor APIs OpenID TechNight #7
  • 6.
    API Integration Basic Auth OpenID TechNight #7
  • 7.
  • 8.
    I’m using samepassword on 10+ services. OpenID TechNight #7
  • 9.
    OAuth No password sharing Limitedaccess lifetime Expire a,er N weeks Limited access scope Status Update : OK Read Inbox : NG OpenID TechNight #7
  • 10.
    OAuth Everywhere Mobile Game Social OpenID TechNight #7
  • 11.
    B2B is slowthough.. OpenID TechNight #7
  • 12.
    Rough History OpenID TechNight #7
  • 13.
    2007.12 OAuth 1.0 OpenID TechNight #7
  • 14.
    Twitter API OpenID TechNight #7
  • 15.
    2010.04 OAuth 2.0 (dra, 0) OpenID TechNight #7
  • 16.
    Facebook Graph API OpenID TechNight #7
  • 17.
    2010.07 dra, 10 OpenID TechNight #7
  • 18.
    mixi Graph API OpenID TechNight #7
  • 19.
  • 20.
    2011.07 dra, 20 OpenID TechNight #7
  • 21.
    Review by 8/12 OpenID TechNight #7
  • 22.
  • 23.
    Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 24.
    Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 25.
    Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
  • 26.
    Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access Token Type Spec OpenID TechNight #7
  • 27.
    Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
  • 28.
    Core Response Type Code Token Secure Efficient 2 HTTP request 1 HTTP request Require Approval Both at once Get Access Token + extensions OpenID TechNight #7
  • 29.
    Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenID TechNight #7
  • 30.
    Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
  • 31.
    Core Client Type Confidential Public Has client secret No client secret Eg.) Web app Eg.) Mobile/JS app OpenID TechNight #7
  • 32.
    Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve Code Code Access Token OpenID TechNight #7
  • 33.
    Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& redirect_uri=https://... Require Approval Approve code=...& client_id=...& client_secret=...& Code redirect_uri=https://... Code Access Token OpenID TechNight #7
  • 34.
    Core response_type = code Resource Owner Client Authorization Server Initiate client_id=...& response_type=code& Public clients CANNOT do Require Approval Client Authentication redirect_uri=https://... “client_secret” is NOT REQUIRED for public clients Approve code=...& Rely on “redirect_uri” verification instead client_id=...& client_secret=...& Code Public clients MUST pre-register “redirect_uri” redirect_uri=https://... Code Access Token OpenID TechNight #7
  • 35.
    Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve Access Token OpenID TechNight #7
  • 36.
    Core response_type = token Resource Owner Client Authorization Server Initiate client_id=...& response_type=token& redirect_uri=https://... Require Approval Approve All clients MUST pre-register “redirect_uri” Access Token OpenID TechNight #7
  • 37.
    Core Notes For Servers Do you support public clients? Do you need iPhone/Android apps support? Require full redirect URI registration Narrower scopes / shorter lifetime for public clients For Clients Don’t include client secret in your mobile app OpenID TechNight #7
  • 38.
    Core Security Considerations Don’t issue “client_secret” to public clients “redirect_uri” verification is important especially for public clients Consider security policy per client type Use “state” param against CSRF / code injection attack etc. OpenID TechNight #7
  • 39.
    Attacker Client Authorization Server Initiate Require Approval Approve Code Code Code Code Access Token OpenID TechNight #7
  • 40.
    Attacker Client Authorization Server Initiate Require Approval Approve Allow attacker to login Code with attacker’s Twitter account Code Code Code Access Token OpenID TechNight #7
  • 41.
    Attacker Client Authorization Server Store “state” Initiate in Cookie etc. Require Approval State Approve Code State State Code Code State “state” verification failed!! OpenID TechNight #7
  • 42.
    Token Type Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
  • 43.
    Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 + extensions OpenID TechNight #7
  • 44.
    Token Bearer Token Access Token Response OpenID TechNight #7
  • 45.
    Token API Access (Bearer) OpenID TechNight #7
  • 46.
    Token MAC Token Access Token Response OpenID TechNight #7
  • 47.
    Token API Access (MAC) OpenID TechNight #7
  • 48.
    Token Notes For Servers Access Token Response Set “token_type” as “bearer” Resource Request Support both “OAuth” and “Bearer” auth header Support both “oauth_token” and “access_token” query/body params OpenID TechNight #7
  • 49.
    Token Notes For Clients Move from “OAuth” to “Bearer” Move from “oauth_token” to “access_token” Only for Facebook API developers Access token response will be JSON OpenID TechNight #7
  • 50.
    Review by 8/12 OpenID TechNight #7
  • 51.
    github.com/nov OpenID TechNight #7