The document summarizes an OAuth tutorial presentation given at IETF #79 in Beijing. It discusses the problem of secure data sharing that OAuth addresses, provides examples of OAuth flows and exchanges, and describes the involved entities. The history of OAuth is outlined, from its inception in 2006 to its standardization efforts in the IETF. Security aspects like access tokens and message signing are also summarized.

1. Hannes Tschofenig, Blaine Cook
(IETF#79, Beijing)

2. Acknowledgements
• I would like to thank to Pasi Eronen. We are
re-using some of his slides in this
presentation.
12/29/12 IETF #79, OAuth Tutorial Beijing 2

3. The Problem: Secure Data Sharing
12/29/12 IETF #79, OAuth Tutorial Beijing 3

4. 12/29/12 IETF #79, OAuth Tutorial Beijing 4

5. Example OAuth Exchange
12/29/12 IETF #79, OAuth Tutorial Beijing 5

6. Entities
User Agent
(Web Browser)
Authorization Request User
Resource Consumer
(LinkedIn) Token request Authorization Server
(Yahoo)
Access Request
(incl. Token) Resource Server
(Yahoo)
12/29/12 IETF #79, OAuth Tutorial Beijing 6

7. User navigates to Resource Client
12/29/12 IETF #79, OAuth Tutorial Beijing 7

8. User authenticated by
Authorization Server
12/29/12 IETF #79, OAuth Tutorial Beijing 8

9. User authorizes Resource Consumer to
access Resource Server
12/29/12 IETF #79, OAuth Tutorial Beijing 9

10. Resource Client calls the
Resource Server API
12/29/12 IETF #79, OAuth Tutorial Beijing 10

11. Remark: Authentication
• Yahoo in our example may outside the authentication part to
other providers (e.g. using OpenID).
• Authorization Server and Resource Server do not need to be
operated by the same entity.
12/29/12 IETF #79, OAuth Tutorial Beijing 11

12. Remark: Authorization
• Asking the user for consent prior to share
information is considered privacy-friendly.
• User interfaces for obtaining user content may
not always be great.
12/29/12 IETF #79, OAuth Tutorial Beijing 12

13. Remark: Authorization, cont.
12/29/12 IETF #79, OAuth Tutorial Beijing 13

14. Remark: Authorization, cont.

15. Remark: Authorization, cont.
12/29/12 IETF #79, OAuth Tutorial Beijing 15

16. Remark: Prior-Registration
• Many Resource Server require registration of
Resource Client’s prior to usage.
• Example: http://developer.cliqset.com/api
12/29/12 IETF #79, OAuth Tutorial Beijing 16

17. Remark,
cont.
12/29/12 IETF #79, OAuth Tutorial Beijing 17

18. History
12/29/12 IETF #79, OAuth Tutorial Beijing 18

19. History
• November 2006: Blaine Cook was looking into the possibility of
using OpenID to accomplish the functionality for delegated
authentication. He got in touch with some other folks that had
a similar need.
• December 2006: Blaine wrote a "reference implementation" for
Twitter based on all the existing OAuth-patterned APIs, which
Blaine and Kellan Elliott-McCrea turned into a rough functional
draft
• April 2007: Google group was created with a small group of
implementers to write a proposal for an open protocol.
• July 2007: OAuth 1.0 (with code for major programming
languages)
• September 2007: Re-write of specification to focus on a single
flow (instead of "web", "mobile", and "desktop" flows)
• Deployment of OAuth well on it’s way:
http://wiki.oauth.net/ServiceProviders
12/29/12 IETF #79, OAuth Tutorial Beijing 19

20. History, cont.
• 1st OAuth BOF (Minneapolis, November 2008, IETF#73)
– BOF Chairs: Sam Hartman, Mark Nottingham
– BOF went OK but a couple of charter questions couldn’t be resolved.
• 2nd OAuth BOF (San Francisco, March 2009, IETF#74)
– BOF Chairs: Hannes Tschofenig, Blaine Cook
– Charter discussed on the mailing list and also during the meeting. Finalized
shortly after the meeting
• IETF wide review of the OAuth charter text (28 th April 2009)
– Announcement: http://www.ietf.org/mail-archive/web/ietf-
announce/current/msg06009.html
• OAuth working group was created (May 2009)
– Chairs: Blaine Cook, Peter Saint Andre
• Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC:
–
12/29/12 http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
IETF #79, OAuth Tutorial Beijing 20

21. History, cont.
• March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig
became Blaine’s co-chair.
• March 2010: IETF OAuth meeting in Anaheim
• April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published co-authored by Eran,
Dick, David.
• May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
• July 2010: Maastricht IETF meeting
• November 2010: Document split into “abstract” specification and separate bearer
token and message signing specification.
• November 2010: Beijing IETF meeting – no official OAuth working group meeting.
Discussions about security for OAuth
12/29/12 IETF #79, OAuth Tutorial Beijing 21

22. Entities
User Agent
Authorization Request User
Resource Consumer
Token request Authorization Server
Access Request
(incl. Token) Resource Server
12/29/12 IETF #79, OAuth Tutorial Beijing 22

23. Scope of the OAuth WG
• Currently only one working group item:
– http://tools.ietf.org/html/draft-ietf-oauth-v2
– Unlike OAuth v1.0 it does not contain signature
mechanisms
• We have a punch of other documents as individual
items
– Providing security related extensions
– User interface considerations
– Token formats
– Token by reference
– Use case descriptions
– Other OAuth profiles OAuth Tutorial Beijing
12/29/12 IETF #79, 23

24. Work Areas
User Interface
User Agent
Authentication
Authorization Request User
Resource Consumer Token Format
Token Request
And Content Authorization Server
Authz Server
Data Exchange
Interaction
Access Request
(incl. Token) Resource Server
Request Security
OAuth Profiles
12/29/12 IETF #79, OAuth Tutorial Beijing 24

25. Web Server Flow

26. 12/29/12 IETF #79, OAuth Tutorial Beijing 26

27. A little bit about OAuth security…
Se curity

28. Work Areas
User Interface
User Agent
Authentication
Authorization Request User
Resource Consumer
Token Request
Authorization Server
Authz Server
Data Exchange
Interaction
Access Request
(incl. Token) Resource Server
OAuth Profiles
12/29/12 IETF #79, OAuth Tutorial Beijing 28

29. “Bearer Token”
Authorization
Server
Request
Token
TLS
Resource Token Resource
Consumer TLS
Server

30. “Message Signing”
Authorization
Server
Request
Token,SK,
TLS
{SK}Bob
Resource Resource
Consumer Token, Server
{Request}SK,
{SK}Bob

31. Conclusion
• Open Web Authentication (OAuth) is developed in
the IETF to provide delegated authentication for
Web-based environments.
– Usage for non-Web based applications has been proposed
as well.
• Work is in progress and re-chartering will expand the
work to include new features and use cases as well
as security.
• Join the OAuth mailing list at
http://datatracker.ietf.org/wg/oauth/charter/ to
make your contribution.
12/29/12 IETF #79, OAuth Tutorial Beijing 31

32. Backup Slides
12/29/12 IETF #79, OAuth Tutorial Beijing 32

33. JavaScript Flow
(User Agent Flow in Draft)

34. 12/29/12 IETF #79, OAuth Tutorial Beijing 34

35. Native Application Flow

36. 12/29/12 IETF #79, OAuth Tutorial Beijing 36

37. Autonomous Flow

38. 12/29/12 IETF #79, OAuth Tutorial Beijing 38

39. Device Flow

40. 12/29/12 IETF #79, OAuth Tutorial Beijing 40

41. 12/29/12 IETF #79, OAuth Tutorial Beijing 41