SlideShare a Scribd company logo

Summary of OAuth 2.0 draft 8 memo

Ryo Ito
Ryo Ito

1. OAuth 2.0 provides a framework for authorization that defines four client types (web servers, user-agents, native applications, and autonomous clients) and three authorization flows (authorization code, implicit, and client credentials). 2. The authorization endpoint uses HTTP requests to obtain authorization from the resource owner via user-agent redirection or prompting the client directly. The token endpoint exchanges authorization codes or refresh tokens for access tokens via HTTP POST. 3. Access tokens are used by clients to access protected resources by passing the token in the authorization header, URI query parameter, or form-encoded body parameter of a request.

Technology
1 of 21
Summary of OAuth 2.0 memo (based draft 8 Spec) 2010/06/20 =ritou 1
Warning! ‫ ﻪ‬This document is summary of OAuth 2.0 spec at Draft 8. 2
Overview ‫ ﻪ‬Client Type and Profile ‫ ﻪ‬Endpoint ‫ ﻪ‬Resource Access 3
Client Type and Profile ‫ 4 ﻪ‬Client types ‫ﻩ‬ Web Servers ‫ﻩ‬ User-Agents ‫ﻩ‬ Native Applications ‫ﻩ‬ Autonomous Clients 4
Web Server Profile ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID User-Agent AuthZ Server ‫ ﻩ‬Client Secret ‫ ﻪ‬Facebook ‫ ﻪ‬Diff with OAuth 1.0a ‫ ﻩ‬No Request Token Web Client Protected Resource Characters 5
6
User-Agent Profile ‫ ﻪ‬Client on User-Agent ‫ ﻩ‬Twitter : @anywhere User-Agent AuthZ Server ‫ ﻩ‬Facebook : JavaScript- Based Authentication ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID Client in Protected Browser Resource ‫ ﻪ‬Access Token as URI Fragment Identifier Characters 7
8
Native Applications ‫ ﻪ‬External User-Agent : UA Profile ‫ ﻩ‬Use custom URI scheme ‫ ﻩ‬Polling UA window ‫ ﻪ‬Embedded User-Agent ‫ ﻩ‬Check URL Redirection ‫ ﻪ‬Prompt for user credential ‫ ﻩ‬ID/PW to Access Token ‫( ﻯ‬Username and Password Flow) 9
Autonomous Clients ‫ ﻪ‬Clients = Resource Owner ‫( ﻩ‬Client Credential Profile) ‫ ﻪ‬Exsisting Trust Relationship / Framework ‫( ﻩ‬Assertion Profile) 10
Client credential ‫ ﻪ‬Client credential ‫ ﻩ‬client identifier ‫ ﻩ‬client secret(option) ‫ ﻪ‬AuthN schemes ‫ ﻩ‬Request parameters ‫ ﻩ‬HTTP Basic authN 11
Endpoint ‫ ﻪ‬End-user authZ endpoint : Indirect Communication ‫ ﻩ‬Obtaining End-User Authorization ‫ ﻪ‬Token Endpoint : Direct Communication ‫ﻩ‬ Authrorized Code2Access Token ‫ﻩ‬ Resource Owner Credentials2Access Token ‫ﻩ‬ Assertion2Access Token ‫ﻩ‬ Refresh Token 12
End-user authZ endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP GET ‫ ﻪ‬Request Params ‫ ﻩ‬type,client_id,redirect_uri,state,scope ‫ ﻩ‬Proposal to use request_url parameter ‫ ﻯ‬Request by Reference ver.1.0 for OAuth 2.0 13
End-user authZ endpoint ‫ ﻪ‬Response format ‫ ﻩ‬type = web_server : query parameters ‫ ﻩ‬type = user_agent : URI fragment identifier ‫ ﻪ‬Response params ‫ ﻩ‬type = web_server : code,state ‫ ﻩ‬type = user_agent : access_token,expired_in,state 14
Token endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP POST ‫ ﻪ‬Request params ‫ ﻩ‬Client credential + Specific params ‫ ﻩ‬grant_type, scope ‫ ﻯ‬code, redirect_uri ‫ ﻯ‬username, password ‫ ﻯ‬assertion_type, assertion ‫ ﻩ‬refresh_token 15
Token endpoint ‫ ﻪ‬Response format ‫ ﻩ‬JSON ‫ ﻪ‬Response params ‫ ﻩ‬access_token, expires_in, refresh_token, scope 16
Accessing a Protected Resource ‫ ﻪ‬Params ‫ ﻩ‬Access Token ‫ ﻪ‬Method ‫ ﻩ‬The Authorization Request Header Field ‫ ﻩ‬URI Query Parameter ‫ ﻩ‬Form-Encoded Body Parameter 17
OLD SPEC 18
Username and Password Profile ‫ ﻪ‬Like Twitter xAuth End-User AuthZ Server Client Protected Resource Characters 19
Client Credentials Profile ‫ ﻪ‬Like OAuth Consumer Request (2-legged AuthZ Server OAuth Request) Client Protected Resource Characters 20
Assertion Profile ‫ ﻪ‬SAML etc... AuthZ Server Client Protected Resource Characters 21

Recommended

CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
Torsten Lodderstedt
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 

Recommended

CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
Torsten Lodderstedt
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
Prabath Siriwardena
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
JBUG London
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
Bhargav Surimenu
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Ritou idcon7
Ritou idcon7Ritou idcon7
Ritou idcon7Ryo Ito
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl, Lynx Group
 

More Related Content

What's hot

Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
Prabath Siriwardena
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
JBUG London
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
Bhargav Surimenu
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 

What's hot (20)

Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 

Similar to Summary of OAuth 2.0 draft 8 memo

Ritou idcon7
Ritou idcon7Ritou idcon7
Ritou idcon7Ryo Ito
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl, Lynx Group
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
Dave Syer
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
CA API Management
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
Luis Ruiz Pavón
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
Andy March
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 

Similar to Summary of OAuth 2.0 draft 8 memo (20)

Ritou idcon7
Ritou idcon7Ritou idcon7
Ritou idcon7
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth2
OAuth2OAuth2
OAuth2
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 

More from Ryo Ito

安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1
Ryo Ito
 
idcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirectidcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirect
Ryo Ito
 
OpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiOpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiRyo Ito
 
Idcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF ProtectionIdcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF Protection
Ryo Ito
 
YAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectYAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectRyo Ito
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いRyo Ito
 
#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth
Ryo Ito
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
Ryo Ito
 
OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1
Ryo Ito
 
Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1
Ryo Ito
 
BackplaneProtocol超入門
BackplaneProtocol超入門BackplaneProtocol超入門
BackplaneProtocol超入門
Ryo Ito
 
UserManagedAccess_idcon13
UserManagedAccess_idcon13UserManagedAccess_idcon13
UserManagedAccess_idcon13Ryo Ito
 
WebIntents × SNS
WebIntents × SNSWebIntents × SNS
WebIntents × SNSRyo Ito
 
Idcon11 implicit demo
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demo
Ryo Ito
 
OpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoOpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoRyo Ito
 
The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9Ryo Ito
 
OAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationOAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationRyo Ito
 
OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj
Ryo Ito
 
Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1
Ryo Ito
 
0905xx Hybrid Memo
0905xx Hybrid Memo0905xx Hybrid Memo
0905xx Hybrid Memo
Ryo Ito
 

More from Ryo Ito (20)

安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1安全な"○○でログイン"の作り方 @ NDS in Niigata #1
安全な"○○でログイン"の作り方 @ NDS in Niigata #1
 
idcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirectidcon mini vol3 CovertRedirect
idcon mini vol3 CovertRedirect
 
OpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixiOpenID-TechNight-11-LT-mixi
OpenID-TechNight-11-LT-mixi
 
Idcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF ProtectionIdcon 17th ritou OAuth 2.0 CSRF Protection
Idcon 17th ritou OAuth 2.0 CSRF Protection
 
YAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID ConnectYAPC::Tokyo 2013 ritou OpenID Connect
YAPC::Tokyo 2013 ritou OpenID Connect
 
なんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来いなんとなくOAuth怖いって思ってるやつちょっと来い
なんとなくOAuth怖いって思ってるやつちょっと来い
 
#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth#idcon 15th ritou 2factor auth
#idcon 15th ritou 2factor auth
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
 
OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1OID to OIDC idcon mini vol1
OID to OIDC idcon mini vol1
 
Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1Account Chooser idcon mini Vol.1
Account Chooser idcon mini Vol.1
 
BackplaneProtocol超入門
BackplaneProtocol超入門BackplaneProtocol超入門
BackplaneProtocol超入門
 
UserManagedAccess_idcon13
UserManagedAccess_idcon13UserManagedAccess_idcon13
UserManagedAccess_idcon13
 
WebIntents × SNS
WebIntents × SNSWebIntents × SNS
WebIntents × SNS
 
Idcon11 implicit demo
Idcon11 implicit demoIdcon11 implicit demo
Idcon11 implicit demo
 
OpenID_Connect_Spec_Demo
OpenID_Connect_Spec_DemoOpenID_Connect_Spec_Demo
OpenID_Connect_Spec_Demo
 
The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9The Latest Specs of OpenID Connect at #idcon 9
The Latest Specs of OpenID Connect at #idcon 9
 
OAuth 2.0 MAC Authentication
OAuth 2.0 MAC AuthenticationOAuth 2.0 MAC Authentication
OAuth 2.0 MAC Authentication
 
OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj OAuth 2.0 Dance School #swj
OAuth 2.0 Dance School #swj
 
Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1Introduction of OAuth 2.0 vol.1
Introduction of OAuth 2.0 vol.1
 
0905xx Hybrid Memo
0905xx Hybrid Memo0905xx Hybrid Memo
0905xx Hybrid Memo
 

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

Summary of OAuth 2.0 draft 8 memo

  • 1. Summary of OAuth 2.0 memo (based draft 8 Spec) 2010/06/20 =ritou 1
  • 2. Warning! ‫ ﻪ‬This document is summary of OAuth 2.0 spec at Draft 8. 2
  • 3. Overview ‫ ﻪ‬Client Type and Profile ‫ ﻪ‬Endpoint ‫ ﻪ‬Resource Access 3
  • 4. Client Type and Profile ‫ 4 ﻪ‬Client types ‫ﻩ‬ Web Servers ‫ﻩ‬ User-Agents ‫ﻩ‬ Native Applications ‫ﻩ‬ Autonomous Clients 4
  • 5. Web Server Profile ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID User-Agent AuthZ Server ‫ ﻩ‬Client Secret ‫ ﻪ‬Facebook ‫ ﻪ‬Diff with OAuth 1.0a ‫ ﻩ‬No Request Token Web Client Protected Resource Characters 5
  • 6. 6
  • 7. User-Agent Profile ‫ ﻪ‬Client on User-Agent ‫ ﻩ‬Twitter : @anywhere User-Agent AuthZ Server ‫ ﻩ‬Facebook : JavaScript- Based Authentication ‫ ﻪ‬Client Credential ‫ ﻩ‬Client ID Client in Protected Browser Resource ‫ ﻪ‬Access Token as URI Fragment Identifier Characters 7
  • 8. 8
  • 9. Native Applications ‫ ﻪ‬External User-Agent : UA Profile ‫ ﻩ‬Use custom URI scheme ‫ ﻩ‬Polling UA window ‫ ﻪ‬Embedded User-Agent ‫ ﻩ‬Check URL Redirection ‫ ﻪ‬Prompt for user credential ‫ ﻩ‬ID/PW to Access Token ‫( ﻯ‬Username and Password Flow) 9
  • 10. Autonomous Clients ‫ ﻪ‬Clients = Resource Owner ‫( ﻩ‬Client Credential Profile) ‫ ﻪ‬Exsisting Trust Relationship / Framework ‫( ﻩ‬Assertion Profile) 10
  • 11. Client credential ‫ ﻪ‬Client credential ‫ ﻩ‬client identifier ‫ ﻩ‬client secret(option) ‫ ﻪ‬AuthN schemes ‫ ﻩ‬Request parameters ‫ ﻩ‬HTTP Basic authN 11
  • 12. Endpoint ‫ ﻪ‬End-user authZ endpoint : Indirect Communication ‫ ﻩ‬Obtaining End-User Authorization ‫ ﻪ‬Token Endpoint : Direct Communication ‫ﻩ‬ Authrorized Code2Access Token ‫ﻩ‬ Resource Owner Credentials2Access Token ‫ﻩ‬ Assertion2Access Token ‫ﻩ‬ Refresh Token 12
  • 13. End-user authZ endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP GET ‫ ﻪ‬Request Params ‫ ﻩ‬type,client_id,redirect_uri,state,scope ‫ ﻩ‬Proposal to use request_url parameter ‫ ﻯ‬Request by Reference ver.1.0 for OAuth 2.0 13
  • 14. End-user authZ endpoint ‫ ﻪ‬Response format ‫ ﻩ‬type = web_server : query parameters ‫ ﻩ‬type = user_agent : URI fragment identifier ‫ ﻪ‬Response params ‫ ﻩ‬type = web_server : code,state ‫ ﻩ‬type = user_agent : access_token,expired_in,state 14
  • 15. Token endpoint ‫ ﻪ‬Request format ‫ ﻩ‬HTTP POST ‫ ﻪ‬Request params ‫ ﻩ‬Client credential + Specific params ‫ ﻩ‬grant_type, scope ‫ ﻯ‬code, redirect_uri ‫ ﻯ‬username, password ‫ ﻯ‬assertion_type, assertion ‫ ﻩ‬refresh_token 15
  • 16. Token endpoint ‫ ﻪ‬Response format ‫ ﻩ‬JSON ‫ ﻪ‬Response params ‫ ﻩ‬access_token, expires_in, refresh_token, scope 16
  • 17. Accessing a Protected Resource ‫ ﻪ‬Params ‫ ﻩ‬Access Token ‫ ﻪ‬Method ‫ ﻩ‬The Authorization Request Header Field ‫ ﻩ‬URI Query Parameter ‫ ﻩ‬Form-Encoded Body Parameter 17
  • 18. OLD SPEC 18
  • 19. Username and Password Profile ‫ ﻪ‬Like Twitter xAuth End-User AuthZ Server Client Protected Resource Characters 19
  • 20. Client Credentials Profile ‫ ﻪ‬Like OAuth Consumer Request (2-legged AuthZ Server OAuth Request) Client Protected Resource Characters 20
  • 21. Assertion Profile ‫ ﻪ‬SAML etc... AuthZ Server Client Protected Resource Characters 21