The standard
RFC6749
Checkpoint
The problem
The history
1.1 Roles
•  resource owner
•  resource server
•  authorization server
•  client
[Diagram: the four roles; the client is drawn as a Java code fragment: @Override protected AuthorizationCodeFlow initializeFlow() throws IOException …]
1.2 Flow
[Flow diagram (the abstract protocol flow of RFC 6749); arrow labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource; the client is drawn as the same Java code fragment as in 1.1]
1.3 Authorization Grant
•  Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)
1.4 Access Token
•  a string representing an authorization
– usually opaque to the client
•  may denote an identifier used to retrieve the authorization information
•  may self-contain the authorization information in a verifiable manner
•  details in companion specifications
1.5 Refresh Token
•  credentials used to obtain access tokens
– when access token has expired
– long lived (forever and ever)
– only sent to authorization server
– denotes an identifier used to retrieve the authorization information
– OPTIONAL
2.0 Client Registration
•  Needs to be done (client type, redirect URI, keys)
•  Details out-of-scope for RFC6749
– Manual
– OAuth 2.0 Dynamic Client Registration Protocol
•  draft-ietf-oauth-dyn-reg-09
– OpenID Connect Dynamic Client Registration 1.0 - draft 08
•  Real world examples
– Google
– Facebook
– Twitter
2.1 Client types
•  Confidential
– web application
•  Public
– user-agent-based application
– native application
2.2/3 Identifier & Auth
•  Client Identifier
– client_id (string, not secret)
•  Client Authentication (confidential client type)
– Basic Authentication (client_id:client_secret)
•  And
– Other Authentication Methods
– Unregistered
3.0 Protocol Endpoints
•  authorization server endpoints (URLs)
– Authorization endpoint
– Token endpoint
•  client endpoint
– Redirection endpoint
•  resource server
– As required…
4.0 Obtaining Authorization
•  Our main target is getting an Access Token
– There are a couple of ways to do it
•  depending on the client type
4.1 Authorization Code Grant
[Flow diagram; labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource, Authentication]
4.2 Implicit Grant
[Flow diagram; labels: Authorization Request, Access Token, Redirection URI, Script, Access Token, Protected Resource, Authentication, resource]
4.3 Resource Owner Password Credentials Grant
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource]
4.4 Client Credentials Grant
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource]
4.5 Extension Grants
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer
&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
------ Example is OAuth-SAML2 (grant_type decoded: urn:ietf:params:oauth:grant-type:saml2-bearer)
5. Issuing an Access Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
5.1 Successful response
•  access_token
–  REQUIRED
•  token_type
–  REQUIRED
•  expires_in
–  RECOMMENDED
•  refresh_token
–  OPTIONAL
•  scope
–  OPTIONAL/REQUIRED
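Added example (not from the slides): a Python client-side check of a token response against the section 5.1 rules listed above, run on the slide's sample response; the function name parse_token_response, the accepted_types parameter and the TokenResponseError class are my own.

```python
import json
import time

# Sample response copied from the slide (the RFC 6749 section 5.1 example).
SLIDE_STATUS = 200
SLIDE_HEADERS = {"Content-Type": "application/json;charset=UTF-8",
                 "Cache-Control": "no-store", "Pragma": "no-cache"}
SLIDE_BODY = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example",'
              '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",'
              '"example_parameter":"example_value"}')


class TokenResponseError(ValueError):
    """The response violates the section 5.1 rules and must not be used."""


def parse_token_response(status, headers, body, requested_scope=None,
                         accepted_types=None, now=None):
    """Check an access token response and return the fields a client may rely on.

    headers: dict of header name -> value; body: raw JSON text; requested_scope: the
    space-separated scope the client asked for; accepted_types: token types the client
    knows how to use (None accepts any). Returns a dict that includes a 'warnings' list.
    """
    if status != 200:
        raise TokenResponseError("expected 200 OK, got %s" % status)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not hdrs.get("content-type", "").lower().startswith("application/json"):
        raise TokenResponseError("token response must be application/json")
    warnings = []
    # The server MUST send Cache-Control: no-store so the token never lands in a cache.
    if "no-store" not in hdrs.get("cache-control", "").lower():
        warnings.append("missing Cache-Control: no-store")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError("body is not valid JSON: %s" % exc)
    for name in ("access_token", "token_type"):          # REQUIRED
        if not isinstance(data.get(name), str) or not data[name]:
            raise TokenResponseError("missing required parameter %r" % name)
    token_type = data["token_type"].lower()              # compared case-insensitively
    if accepted_types is not None and token_type not in [t.lower() for t in accepted_types]:
        # A client MUST NOT use a token whose type it does not understand (section 7.1).
        raise TokenResponseError("unsupported token_type %r" % data["token_type"])
    expires_at = None
    if "expires_in" in data:                             # RECOMMENDED
        lifetime = data["expires_in"]
        if isinstance(lifetime, str) and lifetime.isdigit():
            lifetime = int(lifetime)                     # some servers send "3600"
        if isinstance(lifetime, bool) or not isinstance(lifetime, int) or lifetime <= 0:
            raise TokenResponseError("expires_in must be a positive integer")
        expires_at = (time.time() if now is None else now) + lifetime
    else:
        warnings.append("expires_in absent; lifetime must come from the server's documentation")
    # scope is OPTIONAL when identical to the request and REQUIRED otherwise, so an
    # absent scope means "as requested" and a present one has to be compared.
    granted = data.get("scope", requested_scope)
    if (granted is not None and requested_scope is not None
            and set(granted.split()) != set(requested_scope.split())):
        warnings.append("granted scope %r differs from requested %r" % (granted, requested_scope))
    return {"access_token": data["access_token"], "token_type": token_type,
            "expires_at": expires_at, "refresh_token": data.get("refresh_token"),
            "scope": granted, "warnings": warnings}


if __name__ == "__main__":
    print(parse_token_response(SLIDE_STATUS, SLIDE_HEADERS, SLIDE_BODY, requested_scope="photos"))
```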
6.0 Refreshing an Access Token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
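Added example (not from the slides): a Python sketch of the authorization server side of the refresh request above, also covering the Basic client authentication from 2.2/3. The slide's Basic header decodes to client_id s6BhdRkqt3 and secret gX1fBat3bV; the CLIENTS and REFRESH_TOKENS stores, the scope value and the function names are constructed.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed registration and token store (assumed shapes; not from the slides).
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}          # client_id -> client_secret
REFRESH_TOKENS = {"tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3", "scope": "photos"}}

# The request exactly as shown on the slide.
SLIDE_HEADERS = {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW",
                 "Content-Type": "application/x-www-form-urlencoded"}
SLIDE_BODY = "grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA"


class OAuthError(Exception):
    """Carries an RFC 6749 section 5.2 error code plus the HTTP status to send."""
    def __init__(self, error, status=400):
        super().__init__(error)
        self.error, self.status = error, status


def authenticate_client(headers):
    """HTTP Basic client authentication (RFC 6749 2.3.1); returns the client_id."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        raise OAuthError("invalid_client", 401)
    try:
        client_id, _, secret = base64.b64decode(param, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        raise OAuthError("invalid_client", 401)
    expected = CLIENTS.get(client_id)
    # Constant-time compare; an unknown client is compared against an empty dummy so
    # the timing does not reveal whether the client_id exists.
    matched = hmac.compare_digest((expected or "").encode(), secret.encode())
    if expected is None or not matched:
        raise OAuthError("invalid_client", 401)
    return client_id


def handle_refresh(headers, body):
    """Authorization-server handling of POST /token with grant_type=refresh_token."""
    client_id = authenticate_client(headers)
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/x-www-form-urlencoded":
        raise OAuthError("invalid_request")
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != ["refresh_token"] or len(form.get("refresh_token", [])) != 1:
        raise OAuthError("invalid_request")
    presented = form["refresh_token"][0]
    record = REFRESH_TOKENS.get(presented)
    # A refresh token is bound to the client it was issued to (section 6).
    if record is None or record["client_id"] != client_id:
        raise OAuthError("invalid_grant")
    scope = record["scope"]
    if "scope" in form:
        # The client may narrow the scope but never widen it beyond the original grant.
        wanted = form["scope"][0]
        if not set(wanted.split()) <= set(scope.split()):
            raise OAuthError("invalid_scope")
        scope = wanted
    # Rotate: revoke the presented token and issue a fresh one. A later replay of the
    # old value is then a detectable sign that it leaked.
    del REFRESH_TOKENS[presented]
    new_refresh = secrets.token_urlsafe(16)
    REFRESH_TOKENS[new_refresh] = {"client_id": client_id, "scope": scope}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": new_refresh, "scope": scope}


if __name__ == "__main__":
    print(handle_refresh(SLIDE_HEADERS, SLIDE_BODY))
```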
7. Accessing Protected Resources
•  Present access token
– How depends on token_type
•  Server validates (out of scope)
– Generally interaction with Authorization Server
7.1 Access Token Types
•  What type of token?
– Compare with concept of grant_type
•  Not defined by OAuth2
– A registry is defined
•  Contents
– Bearer (RFC6750)
– MAC (OAuth-HTTP-MAC)
Extensibility
•  Defining Access Token Types
•  Defining New Endpoint Parameters
•  Defining New Authorization Grant Types
•  Defining New Authorization Endpoint Response Type
•  Defining Additional Error Codes
Criticism
•  Not that well specified
•  A consultant's dream
Related Standards
‘oauth’ in ietf.org
Bearer Token Usage
•  RFC6750
– Details on OAuth2 access_token
– Defines token_type bearer (first)
•  “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”
Bearer Token Usage
•  does not specify the encoding or the contents of the token??
•  Methods
– Authorization Request Header Field
– Form-Encoded Body Parameter
– URI Query Parameter
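Added example (not from the slides): a Python resource-server helper that accepts a bearer token by the three RFC 6750 methods listed above and rejects a request that uses more than one of them; the token value mF_9.B5f-4.1JqM is the RFC 6750 sample, and the extract_bearer function and BearerError class are my own.

```python
import re
from urllib.parse import parse_qs

# b64token syntax from RFC 6750 section 2.1.
B64TOKEN = re.compile(r"[-A-Za-z0-9._~+/]+=*")
# Sample token value from RFC 6750 (not from the slides).
SAMPLE_TOKEN = "mF_9.B5f-4.1JqM"


class BearerError(Exception):
    """Outcome that becomes a WWW-Authenticate challenge (RFC 6750 section 3)."""
    def __init__(self, status, error=None, description=None):
        super().__init__(error or "no token")
        self.status, self.error, self.description = status, error, description

    def challenge(self, realm="example"):
        # A request that carried no token at all gets a bare challenge, no error code.
        if self.error is None:
            return 'Bearer realm="%s"' % realm
        return 'Bearer realm="%s", error="%s", error_description="%s"' % (
            realm, self.error, self.description)


def extract_bearer(method, headers, query, body, allow_query=False):
    """Return (method_used, token) for a request, or raise BearerError.

    headers: dict of header name -> value; query: raw query string; body: raw body.
    The three transmission methods are the ones on the slide; a client MUST NOT use
    more than one per request, so the resource server rejects that combination.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = []
    scheme, _, cred = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        token = cred.strip()
        if not B64TOKEN.fullmatch(token):
            raise BearerError(400, "invalid_request", "malformed Bearer credentials")
        found.append(("header", token))
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    # Body parameter only counts for a form-encoded, non-GET request (RFC 6750 2.2).
    if method.upper() != "GET" and ctype == "application/x-www-form-urlencoded" and body:
        tokens = parse_qs(body).get("access_token", [])
        if len(tokens) > 1:
            raise BearerError(400, "invalid_request", "access_token sent more than once")
        if tokens:
            found.append(("body", tokens[0]))
    # Query parameter: the token lands in server logs, proxies and Referer headers, so
    # only accept it where the deployment has explicitly opted in (RFC 6750 2.3).
    query_tokens = parse_qs(query).get("access_token", []) if query else []
    if query_tokens:
        if not allow_query:
            raise BearerError(400, "invalid_request", "access_token in the query is not accepted")
        found.append(("query", query_tokens[0]))
    if not found:
        raise BearerError(401)
    if len(found) > 1:
        raise BearerError(400, "invalid_request", "token transmitted by more than one method")
    return found[0]


if __name__ == "__main__":
    print(extract_bearer("GET", {"Authorization": "Bearer " + SAMPLE_TOKEN}, "", ""))
```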
MAC Token
•  draft-ietf-oauth-v2-http-mac-03
– access_token
•  token_type = mac (second, not yet approved)
– integrity
OAuth Assertions Framework
•  draft-ietf-oauth-assertions-11
– Framework, needs instances
•  ietf-oauth-saml2-bearer
•  ietf-oauth-jwt-bearer
SAML2 Bearer Assertions
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource]
SAML2 Bearer Assertion
•  Note: ‘Bearer’ now used to describe assertion on Authorization Grant – not Access Token
•  SAML2 Assertion – another possible grant_type
JWT Bearer Tokens
[Flow diagram; labels: Authorization Grant, Access Token, Access Token, Protected Resource]
JWT Bearer Tokens
•  Similar to SAML2
•  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
JWT Tokens
•  JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
– JWS (JSON Web Signature)
– JWE (JSON Web Encryption)
•  Enables MAC/signed/encrypted
OpenID Connect
•  a simple identity layer on top of the OAuth 2.0 protocol.
•  allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server
OpenID Connect: flow
•  Authorization Code Flow
– response_type = code id_token
•  Implicit Flow (RECOMMENDED)
– response_type = token id_token
OpenID Connect: scope
•  openid - REQUIRED
•  profile - OPTIONAL
•  email - OPTIONAL
•  address - OPTIONAL
•  phone - OPTIONAL
OpenID Connect: additions
•  response_type: id_token
•  endpoint: /check_id, /userinfo
•  id_token is returned
•  send as access_token to /check_id
•  control info returned
•  send access_token to /userinfo
•  user_info is returned
Recap
[Flow diagram (as in 1.2); labels: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource]
Thank You!
@mjidhage
www.sakerhetspodcasten.se
The actual problem
[Diagram sequence; labels: Lisa, Information, Service Provider, Consumer]
Why – the plot?
Fake site: Hi Lisa, what’s your username?
Lisa: Hmm, don’t know - could it be, lisa@hotmail.com?
Fake site: Ok, great! What’s your password?
Lisa: h4pp1n3ss!
Fake site: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.
How?
Authorization in 5 easy steps
• Intent
• Request Token
• Authorize Request Token
• Exchange Token
• Access Data
Step 1: Intent
: Hi, ! I would like to order printouts of some of my on , they are marked as private. Could you please print them?
: Sure, we just need to ask permission from
Step 2: Request Token
: Hi ! This is speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
: Thanks!
Step 3: Authorize Request Token
: Hi , could you please go to to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your .
: Sure, just redirect my browser and I will be done in a second!
Step 3, Continued
: , I would like to authorize 9iKot2y5UQTDlS2V
: Sure - to be on the safe side; you are allowing to read your private pictures? We trust them, so there are no issues from our side.
: Yes, that is correct!
: Ok, good. Now get back to and tell them it is ok to proceed.
Step 3, Optional Notify
: Hi , I just told that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
: Perfect, thank you!
Step 4: Exchange Token
: Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
: Perfect, thank you!
Step 5: Access Data
: Hi , I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
: Here they are , anything else?
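Added example (not from the slides): the "HMAC-SHA1 (Yours Truly, Moo.)" that Moo attaches in steps 2, 4 and 5, worked in Python per RFC 5849 for the step 5 request, using the access token and secret handed out in step 4, with the service provider's verification beside it. The consumer key/secret, the URL, the nonce and the timestamp are constructed placeholders, since the slides never show them.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Values from the story: Moo's access token and its secret (step 4).
ACCESS_TOKEN = "94S3sJVmuuxSPiZz"
ACCESS_SECRET = "4Fc8bwdKNGSM0iNe"
# Constructed placeholders: the slides never show Moo's consumer credentials or the URL.
CONSUMER_KEY = "moo-consumer-key"
CONSUMER_SECRET = "moo-consumer-secret"
PHOTOS_URL = "https://service-provider.example/photos?owner=lisa"


def oauth_encode(value):
    """RFC 5849 3.6 percent encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & base-URI & normalized request parameters."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = "%s:%d" % (host, port)
    base_uri = "%s://%s%s" % (scheme, host, parts.path or "/")
    # Query parameters, body/extra parameters and oauth_* parameters are all covered.
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params)
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in all_params)
    normalized = "&".join("%s=%s" % kv for kv in encoded)
    return "&".join([method.upper(), oauth_encode(base_uri), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is consumer secret & token secret, both percent-encoded."""
    key = (oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, extra_params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Consumer side: produce the oauth_* parameters Moo sends, signature included."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce),
        ("oauth_version", "1.0"),
    ]
    base = signature_base_string(method, url, list(extra_params) + oauth_params)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, consumer_secret, token_secret))


def verify_request(method, url, extra_params, received_oauth, consumer_secret, token_secret):
    """Service provider side: recompute over what was received, minus oauth_signature.

    Any change to the method, URL, parameters or secrets breaks the match, which is the
    proof-of-possession property a bearer token (RFC 6750) does not give.
    """
    params = list(extra_params) + [(k, v) for k, v in received_oauth.items() if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, received_oauth.get("oauth_signature", ""))


if __name__ == "__main__":
    signed = sign_request("GET", PHOTOS_URL, [("size", "original")], CONSUMER_KEY, CONSUMER_SECRET,
                          ACCESS_TOKEN, ACCESS_SECRET, "kllo9940pd9333jh", 1191242096)
    print(signed)
    print(verify_request("GET", PHOTOS_URL, [("size", "original")], signed, CONSUMER_SECRET, ACCESS_SECRET))
```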
Take Away
•  No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa's credentials on Flickr are.
•  => Not an authentication protocol/standard/technology
•  API independent
–  there are lots of different implementations on both client and server side
The Standard
History
When?
—  2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
—  2007-04 A Google group started to write a draft protocol specification
—  2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification
When?
• 2007-12 Initial version OAuth 1.0 ready
• mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
• http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
• New protocol, not backward compatible with OAuth1
• Simplify and create a better user experience
• Less secure due to no digital signature?
[Timeline: 2011-05-06]
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 

RFC6749 et alia 20130504

5. 1.1 Roles
resource owner
resource server
authorization server
client
@Override
protected AuthorizationCodeFlow initializeFlow()
throws IOException …

7. 1.3 Authorization Grant
•  Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)

8. 1.4 Access Token
•  a string representing an authorization
– usually opaque to the client
•  may denote an identifier used to retrieve the authorization information
•  may self-contain the authorization information in a verifiable manner
•  details in companion specifications

9. 1.5 Refresh Token
•  credentials used to obtain access tokens
– when the access token has expired
– long lived (forever and ever)
– only sent to the authorization server
– denotes an identifier used to retrieve the authorization information
– OPTIONAL

10. 2.0 Client Registration
•  Needs to be done (client type, redirect URI, keys)
•  Details out-of-scope for RFC6749
– Manual
– OAuth 2.0 Dynamic Client Registration Protocol
•  draft-ietf-oauth-dyn-reg-09
– OpenID Connect Dynamic Client Registration 1.0 - draft 08

11. 2.0 Client Registration
•  Real world examples
– Google
– Facebook
– Twitter

12. 2.1 Client types
•  Confidential
– web application
•  Public
– user-agent-based application
– native application

13. 2.2/3 Identifier & Auth
•  Client Identifier
– client_id (string, not secret)
•  Client Authentication (confidential client type)
– Basic Authentication (client_id:client_secret)
•  And
– Other Authentication Methods
– Unregistered

14. 3.0 Protocol Endpoints
•  authorization server endpoints (URLs)
– Authorization endpoint
– Token endpoint
•  client endpoint
– Redirection endpoint
•  resource server
– As required…

15. 4.0 Obtaining Authorization
•  Our main target is getting an Access Token
– There are a couple of ways to do it
•  depending on the client type
16. 4.1 Authorization Code Grant
(sequence diagram: Authorization Request → Authorization Grant → Authorization Grant → Access Token → Access Token → Protected Resource; annotated "@override Authentication")

17. 4.2 Implicit Grant
(sequence diagram: Authorization Request → Access Token → Redirection URI → Script → Access Token → Protected Resource; annotated "@override Authentication", "@override resource")

18. 4.3 Resource Owner Password Credentials Grant
(sequence diagram: Authorization Grant → Access Token → Access Token → Protected Resource; annotated "@override")

19. 4.4 Client Credentials Grant
(sequence diagram: Authorization Grant → Access Token → Access Token → Protected Resource; annotated "@override")

20. 4.5 Extension Grants
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
------
Example is OAuth-SAML2

21. 4.5 Extension Grants
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-
------
Example is OAuth-SAML2

22. 5. Issuing an Access Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}

23. 5.1 Successful response
•  access_token – REQUIRED
•  token_type – REQUIRED
•  expires_in – RECOMMENDED
•  refresh_token – OPTIONAL
•  scope – OPTIONAL/REQUIRED

24. 6.0 Refreshing an Access Token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
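The client side of slides 22 to 24, as an added example that is not code from the slides: it checks a token response against the section 5.1 field rules (access_token and token_type REQUIRED, expires_in RECOMMENDED, refresh_token OPTIONAL), tracks when the access token expires, and builds the section 6 refresh request with HTTP Basic client authentication. The JSON body and the Basic header value are the ones printed on the slides; the client_id/client_secret pair is simply what that header decodes to. Treating a non-integer or non-positive expires_in as an error is this example's own policy, not something RFC 6749 mandates.

```python
"""Token-endpoint response handling and refresh request (RFC 6749 sections 5.1, 6, 2.3.1).

Added example, not code from the slides. Nothing here touches the network; the
functions return the data a real HTTP client would send or act on.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

REQUIRED = ("access_token", "token_type")


@dataclass
class TokenSet:
    access_token: str
    token_type: str
    expires_at: Optional[float]   # absolute epoch seconds; None if the server gave no expires_in
    refresh_token: Optional[str]
    scope: Optional[str]

    def is_expired(self, now: float, leeway: float = 30.0) -> bool:
        """A token without expires_in is treated as non-expiring (no hint from the server)."""
        return self.expires_at is not None and now + leeway >= self.expires_at


def parse_token_response(body: str, now: float) -> TokenSet:
    """Validate a 200 response body from the token endpoint; raise on a malformed one."""
    data = json.loads(body)
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"token response missing REQUIRED field(s): {missing}")
    expires_in = data.get("expires_in")
    if expires_in is not None and (not isinstance(expires_in, int) or expires_in <= 0):
        raise ValueError("expires_in must be a positive integer number of seconds")
    return TokenSet(
        access_token=data["access_token"],
        token_type=data["token_type"],
        expires_at=(now + expires_in) if expires_in is not None else None,
        refresh_token=data.get("refresh_token"),
        scope=data.get("scope"),
    )


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication for a confidential client (section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(tokens: TokenSet, client_id: str, client_secret: str) -> dict:
    """Headers and form body for the section 6 refresh request; raise if no refresh_token."""
    if not tokens.refresh_token:
        raise ValueError("no refresh_token was issued; re-run the authorization grant")
    return {
        "method": "POST",
        "path": "/token",
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "refresh_token",
                           "refresh_token": tokens.refresh_token}),
    }


# Sample response body as printed on slide 22 (the RFC 6749 section 5.1 example).
SAMPLE_RESPONSE = """{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}"""

# The credentials that decode from slide 24's "Authorization: Basic czZC..." header.
CLIENT_ID, CLIENT_SECRET = "s6BhdRkqt3", "gX1fBat3bV"


def demo(now: float = 1_000_000.0) -> dict:
    """Parse the sample response, check expiry now and an hour later, build the refresh request."""
    tokens = parse_token_response(SAMPLE_RESPONSE, now)
    request = build_refresh_request(tokens, CLIENT_ID, CLIENT_SECRET)
    return {
        "expired_now": tokens.is_expired(now),
        "expired_after_an_hour": tokens.is_expired(now + 3600),
        "refresh_request": request,
    }


if __name__ == "__main__":
    print(json.dumps(demo(time.time()), indent=2))
```

The refresh request reproduces slide 24 byte for byte: the same Basic header and the same form body. The 30-second leeway in is_expired makes the client refresh slightly early rather than send a request the resource server will reject.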
25. 7. Accessing Protected Resources
•  Present access token
– How depends on token_type
•  Server validates (out of scope)
– Generally interaction with Authorization Server

26. 7.1 Access Token Types
•  What type of token?
– Compare with concept of grant_type
•  Not defined by OAuth2
– A registry is defined
•  Contents
– Bearer (RFC6750)
– MAC (OAuth-HTTP-MAC)

27. Extensibility
•  Defining Access Token Types
•  Defining New Endpoint Parameters
•  Defining New Authorization Grant Types
•  Defining New Authorization Endpoint Response Type
•  Defining Additional Error Codes

28. Criticism
•  Not that specified
•  A consultant's dream

31. Bearer Token Usage
•  RFC6750
– Details on OAuth2 access_token
– Defines token_type bearer (first)
•  “A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).”

32. Bearer Token Usage
•  does not specify the encoding or the contents of the token??
•  Methods
– Authorization Request Header Field
– Form-Encoded Body Parameter
– URI Query Parameter

33. MAC Token
•  draft-ietf-oauth-v2-http-mac-03
– access_token
•  token_type = mac (second, not yet approved)
– integrity

34. OAuth Assertions Framework
•  draft-ietf-oauth-assertions-11
– Framework, needs instances
•  ietf-oauth-saml2-bearer
•  ietf-oauth-jwt-bearer

35. SAML2 Bearer Assertions
(sequence diagram: Authorization Grant → Access Token → Access Token → Protected Resource; annotated "@override")

36. SAML2 Bearer Assertion
•  Note: ‘Bearer’ is now used to describe the assertion used as the Authorization Grant – not the Access Token
•  SAML2 Assertion – another possible grant_type

37. JWT Bearer Tokens
(sequence diagram: Authorization Grant → Access Token → Access Token → Protected Resource; annotated "@override")

38. JWT Bearer Tokens
•  Similar to SAML2
•  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer

39. JWT Tokens
•  JSON Web Token (JWT) is a compact means of representing claims to be transferred between two parties.
– JWS (JSON Web Signature)
– JWE (JSON Web Encryption)
•  Enables MAC/signed/encrypted

40. OpenID Connect
•  a simple identity layer on top of the OAuth 2.0 protocol.
•  allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server

41. OpenID Connect: flow
•  Authorization Code Flow
– response_type = code id_token
•  Implicit Flow (RECOMMENDED)
– response_type = token id_token

42. OpenID Connect: scope
•  openid - REQUIRED
•  profile - OPTIONAL
•  email - OPTIONAL
•  address - OPTIONAL
•  phone - OPTIONAL

43. additions
•  response_type: id_token
•  endpoint: /check_id, /userinfo
•  id_token is returned
•  send as access_token to /check_id
•  control info returned
•  send access_token to /userinfo
•  user_info is returned
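The resource-server side of slides 25, 31, 32 and 39, as an added example that is not code from the slides: a resource endpoint accepts a bearer token by the three RFC 6750 transmission methods listed on slide 32 (header first, then form body, then URI query as a last resort) and, since slide 1.4 allows a token that self-contains the authorization information "in a verifiable manner", validates it as an HS256-signed JWS, the JWT mechanism of slide 39. The signing key, issuer, audience, subject and scope are constructed for this example and stand in for whatever the authorization server and resource server actually share. The `alg` pinning and the constant-time signature comparison are the two checks a verifier must not skip.

```python
"""Bearer token extraction (RFC 6750) and verification of a self-contained JWS token.

Added example, not code from the slides. Token material below is constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def extract_bearer(headers: dict, content_type: str, body: str, url: str) -> Optional[str]:
    """Locate the bearer token, preferring the Authorization header (RFC 6750 section 2.1).

    The URI query method (section 2.3) is accepted only as a fallback: RFC 6750
    says it SHOULD NOT be used unless nothing else is possible, because URIs
    end up in server logs, browser history and Referer headers.
    """
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        return credentials.strip()
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        if "access_token" in form:
            return form["access_token"][0]
    query = parse_qs(urlsplit(url).query)
    if "access_token" in query:
        return query["access_token"][0]
    return None


def jws_hs256_sign(claims: dict, key: bytes) -> str:
    """Compact JWS serialization with HMAC-SHA256 (what the authorization server would issue)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_self_contained_token(token: str, key: bytes, issuer: str, audience: str,
                                now: float) -> dict:
    """Return the claims if alg, signature, iss, aud and exp all check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


# Constructed sample material (not from the slides).
KEY = b"resource-server-and-as-shared-key"
ISSUER = "https://as.example"
AUDIENCE = "https://api.example"
ISSUED_AT = 1_700_000_000


def issue_sample_token() -> str:
    """What the authorization server would hand the client for a one-hour photos.read grant."""
    return jws_hs256_sign({"iss": ISSUER, "aud": AUDIENCE, "sub": "lisa",
                           "scope": "photos.read", "exp": ISSUED_AT + 3600}, KEY)


def handle_request(headers: dict, content_type: str, body: str, url: str, now: float) -> str:
    """Mimic a resource endpoint: a 401 status line on a missing or invalid token, else 200."""
    token = extract_bearer(headers, content_type, body, url)
    if token is None:
        return '401 WWW-Authenticate: Bearer realm="api"'
    try:
        claims = verify_self_contained_token(token, KEY, ISSUER, AUDIENCE, now)
    except ValueError as err:
        return f'401 WWW-Authenticate: Bearer error="invalid_token", error_description="{err}"'
    return f"200 subject={claims['sub']} scope={claims['scope']}"


if __name__ == "__main__":
    tok = issue_sample_token()
    print(handle_request({"Authorization": "Bearer " + tok}, "", "", "/photos", ISSUED_AT + 10))
```

The 401 responses carry the WWW-Authenticate challenge RFC 6750 section 3 expects, with the `invalid_token` error code for a token that was present but failed verification. For an opaque token (slide 1.4, "usually opaque to the client") the verification step would instead be the introspection call to the authorization server that slide 25 describes as "generally interaction with Authorization Server".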
53. Why – the plot?
fake: Hi Lisa, what’s your username?
: Hmm, don’t know - could it be, lisa@hotmail.com?
fake: Ok, great! What’s your password?
: h4pp1n3ss!
fake: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.

54. How? Authorization in 5 easy steps
• Intent
• Request Token
• Authorize Request Token
• Exchange Token
• Access Data

55. Step 1: Intent
: Hi, ! I would like to order printouts of some of my on , they are marked as private. Could you please print them?
: Sure, we just need to ask permission from

56. Step 2: Request Token
: Hi ! This is speaking! Can I have a Request Token? HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
: Thanks!

57. Step 3: Authorize Request Token
: Hi , could you please go to to authorize the Request Token: 9iKot2y5UQTDlS2V? When you have made the authorization, I can fetch your .
: Sure, just redirect my browser and I will be done in a second!

58. Step 3, Continued
: , I would like to authorize 9iKot2y5UQTDlS2V
: Sure - to be on the safe side; you are allowing to read your private pictures? We trust them, so there are no issues from our side.
: Yes, that is correct!
: Ok, good. Now get back to and tell them it is ok to proceed.

59. Step 3, Optional Notify
: Hi , I just told that you are allowed to access my private pictures and they told me the pictures are ready for you to access them.
: Perfect, thank you!

60. Step 4: Exchange Token
: Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
: Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe
: Perfect, thank you!

61. Step 5: Access Data
: Hi , I would like to fetch the private pictures owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
: Here they are , anything else?

62. Take Away
•  No information on the identity of Lisa is passed to Moo, and Moo has no idea what Lisa's credentials on Flickr are.
•  => Not an authentication protocol/standard/technology
•  API independent
– there are lots of different implementations on both client and server side

The Standard

64. When?
— 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
— 2007-04 A Google group started to write a draft protocol specification
— 2007-06 A first draft was ready and the group was opened for everyone interested in contributing to the specification

65. When?
• 2007-12 Initial version OAuth 1.0 ready
• mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
• http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
• New protocol, not backward compatible with OAuth1
• Simplify and create a better user experience
• Less secure due to no digital signature?
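The "HMAC-SHA1 (Yours Truly, Moo.)" that Moo attaches in Steps 2, 4 and 5, carried through as actual RFC 5849 protocol code. This is an added example, not code from the slides: the client signs the Step 4 token-exchange request over the RFC 5849 signature base string, and the server recomputes the signature from the secrets it holds, rejecting bad signatures, stale timestamps and replayed nonces. The request token 9iKot2y5UQTDlS2V and its secret 1Hv0pzNXMXdEfBd are the values from the slides; the consumer key and secret, the endpoint URL, the timestamp, nonce and 1.0a verifier are constructed placeholders. It also shows concretely what slide 65's closing question ("less secure due to no digital signature?") refers to: in OAuth 1.0 every request is bound to the consumer and token secrets, whereas an OAuth 2.0 bearer token is usable by whoever holds it.

```python
"""OAuth 1.0 request signing and verification with HMAC-SHA1 (RFC 5849 sections 3.4 and 3.6).

Added example, not code from the slides. Consumer credentials, URL, nonce,
timestamp and verifier are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(s: str) -> str:
    """Section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD & enc(uri) & enc(sorted name=value pairs).

    `params` must already hold every oauth_* parameter plus any query and body
    parameters; oauth_signature itself is excluded.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str) -> str:
    """Section 3.4.2: key is enc(consumer_secret)&enc(token_secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    text = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")


class OAuth1Server:
    """Minimal verifier: holds the secrets, rejects bad signatures, stale timestamps and reused nonces."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, now: int, window: int = 300):
        self.consumer_secrets = consumer_secrets
        self.token_secrets = token_secrets
        self.now = now
        self.window = window
        self.seen_nonces = set()

    def verify(self, method: str, url: str, params: dict) -> bool:
        consumer_secret = self.consumer_secrets.get(params.get("oauth_consumer_key", ""))
        token_secret = self.token_secrets.get(params.get("oauth_token", ""), "")
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        ts = int(params.get("oauth_timestamp", "0"))
        if abs(self.now - ts) > self.window:           # stale or future-dated request
            return False
        nonce_key = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:              # replay of a request already accepted
            return False
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce_key)
        return True


# Values from the slides: Moo's request token and its secret (Step 2).
REQUEST_TOKEN, REQUEST_TOKEN_SECRET = "9iKot2y5UQTDlS2V", "1Hv0pzNXMXdEfBd"
# Constructed placeholders for everything the slides do not give.
CONSUMER_KEY, CONSUMER_SECRET = "moo-consumer-key", "moo-consumer-secret"
ACCESS_TOKEN_URL = "https://flickr.example/oauth/access_token"
TIMESTAMP = 1272323042


def moo_exchange_request() -> dict:
    """Step 4: the signed parameter set Moo sends to exchange the request token."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": REQUEST_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(TIMESTAMP),
        "oauth_nonce": "wIjqoS",
        "oauth_verifier": "473f82d3",      # the 1.0a verifier handed back after Step 3 (constructed)
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature("POST", ACCESS_TOKEN_URL, params,
                                                    CONSUMER_SECRET, REQUEST_TOKEN_SECRET)
    return params


def demo() -> dict:
    """Accept the genuine request once, refuse its replay, refuse a request with an altered verifier."""
    server = OAuth1Server({CONSUMER_KEY: CONSUMER_SECRET},
                          {REQUEST_TOKEN: REQUEST_TOKEN_SECRET}, now=TIMESTAMP + 5)
    req = moo_exchange_request()
    first = server.verify("POST", ACCESS_TOKEN_URL, req)
    replay = server.verify("POST", ACCESS_TOKEN_URL, req)
    forged = dict(req, oauth_verifier="00000000", oauth_nonce="other")   # old signature, new content
    return {"first": first, "replay": replay, "forged": server.verify("POST", ACCESS_TOKEN_URL, forged)}


if __name__ == "__main__":
    print(demo())
```

The server never sees a secret on the wire; it recomputes the HMAC from what it stored at registration (consumer secret) and at Step 2 (token secret), which is why the Take Away on slide 62 holds: Moo proves it is Moo without ever learning Lisa's Flickr credentials.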