OAUTH 2.0
Standard overview, implementation, JWT
Maciek Leśniak
WHAT IS OAUTH 2
OAuth 2.0 is the industry-standard framework for authorization.
It enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
Transport Layer Security (TLS) must be used for every request: the access token is a bearer credential, so anyone who can read the request can replay it.
https://oauth.net/2/
THE ROLES
• Resource Owner: generally a human, e.g. yourself
• Resource Server: any server that holds the data we want access to, e.g. Google profile data with personal information
• Client: the application that requests access to a resource server (backend, frontend, mobile application)
• Authorization Server: the server where the access policy is defined; based on that policy it issues access tokens to clients
[Diagram: Resource Owner (real user: me, you), Client (any application), Authorization Server, Resource Server (server that serves some data / logic)]
CLIENT TYPES
Client profiles: web application that runs entirely on the server; user-agent-based application; native application.
Confidential
Clients capable of maintaining the confidentiality of their credentials (e.g., a client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
Public
Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
A secret shipped inside a mobile app or a JavaScript bundle can be extracted by anyone who installs it, so such a client is public no matter how it was registered.
TOKENS
Refresh Token
• issuing a refresh token is optional, at the discretion of the authorization server; it is issued together with the access token but is not sent on each request
• used to request a new access token (mainly when the old one has expired); the scope of the new token may be narrowed, but never widened beyond what was originally granted
• valid only in combination with client authentication for confidential clients; in every case the authorization server must verify that the refresh token was issued to the requesting client
• for security reasons it is not always possible to obtain this token (the implicit grant, for example, never issues one)
• unlike access tokens, refresh tokens are intended for use only with the authorization server and are never sent to resource servers
Access Token
• allows the client to access data on the resource server
• sent by the client in the request to the resource server, normally in the Authorization: Bearer header (a query parameter is also permitted but leaks the token into logs and Referer headers)
• has a limited lifetime, defined by the authorization server settings (returned as expires_in in the token response)
• must be kept confidential at all times, e.g. for a browser-based client by storing it in a cookie with the HttpOnly and Secure flags rather than in storage readable by JavaScript
SCOPES
• the scope is a parameter used to limit the rights of the access token
• the authorization server defines the list of available scopes (space-separated, case-sensitive)
• the client sends the scopes it wants during the authorization request; the authorization server may override them, and when the issued scope differs from the requested one it is returned in the token response
Example (an OpenID Connect request, hence response_type=id_token and nonce):
https://YOUR_AUTH0_DOMAIN/authorize?
scope=read%20profile&
response_type=id_token&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://YOUR_APP/callback&
nonce=YOUR_CRYPTOGRAPHIC_NONCE&
state=YOUR_OPAQUE_VALUE
AUTHORIZATION GRANT
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.
Grant type                             Intended for
authorization code                     confidential clients only
resource owner password credentials    device operating system, privileged applications
implicit                               public clients, browser applications
client credentials                     confidential clients only
Current guidance (OAuth 2.0 Security Best Current Practice, RFC 9700) deprecates the implicit and resource owner password credentials grants; public clients should use the authorization code grant with PKCE (RFC 7636) instead.
AUTHORIZATION CODE FLOW
[Diagram: Resource Owner (real user: me, you), Client (OAuth Playground), Authorization Server, Resource Server (server that serves some data / logic)]
Step 1, code request: the client redirects the resource owner's browser to the authorization server.
GET /authorize?response_type=code&scope=booksapi%20manage&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://developers.google.com/… HTTP/1.1
Host: authserver.com
Step 2, code: the authorization server authenticates the resource owner, obtains consent and redirects the browser back to the registered redirect_uri with a short-lived, single-use code.
HTTP/1.1 302 Found
Location: https://developers.google.com/…/?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The client must check that state equals the value it sent in step 1 before using the code; otherwise an attacker can make the client exchange a code of the attacker's choosing.
Step 3, token request: a back-channel call from the client to the authorization server, authenticated with the client credentials (HTTP Basic with client_id:client_secret).
POST /token HTTP/1.1
Host: authserver.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://developers.google.com/…
Step 4, token: the authorization server returns the tokens; the client then calls the resource server, which checks the token.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZCsicMWpAA",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}

GET /profile HTTP/1.1
Host: resource.com
Authorization: Bearer 2YotnFZCsicMWpAA
Accept: application/json
Step 5, refresh token: when the access token expires the client asks the authorization server for a new one, again with client authentication; the refresh token never goes to the resource server.
POST /token HTTP/1.1
Host: authserver.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
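The client side of the five steps above, written out as an added example (standard-library Python; not code from the slides or from the OAuth Playground). It reuses the slide's client_id, code and refresh token, and the client secret gX1fBat3bV is what the slide's Authorization: Basic header decodes to. The redirect URI https://client.example/callback is an assumed placeholder, and the code_challenge / code_verifier parameters go beyond the slides: they are PKCE (RFC 7636), the extension that makes this grant safe for public clients.

```python
"""Client side of the authorization code flow (added example, not from the slides).

Assumptions: CLIENT_SECRET is the value the slide's Basic header decodes to;
REDIRECT_URI is a placeholder; PKCE (RFC 7636) is added beyond the slides.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_SERVER = "https://authserver.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"                      # decoded from the slide's Basic header
REDIRECT_URI = "https://client.example/callback"  # assumed placeholder


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)), RFC 7636 section 4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(scope: str, state: str, verifier: str) -> str:
    """Step 1: the URL the client redirects the resource owner's browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                    # space-separated, case-sensitive
        "state": state,                    # CSRF binding, checked in step 2
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_SERVER}/authorize?{urlencode(params)}"


def handle_callback(redirect_url: str, expected_state: str) -> str:
    """Step 2: parse the 302 Location the server sent the browser to.

    Refuses the response unless `state` matches what this session stored;
    otherwise an attacker could make the client swap in a code of their choosing.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: possible CSRF / code injection")
    return query["code"][0]


def basic_client_auth() -> str:
    """Confidential clients authenticate to /token with HTTP Basic."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code: str, verifier: str) -> dict:
    """Step 3: back-channel POST /token (never routed through the browser)."""
    return {
        "method": "POST",
        "url": f"{AUTH_SERVER}/token",
        "headers": {"Authorization": basic_client_auth(),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,  # must equal the one sent in step 1
            "code_verifier": verifier,     # proves we are the party that started step 1
        }),
    }


def build_refresh_request(refresh_token: str) -> dict:
    """Step 5: exchange the refresh token; still client-authenticated."""
    return {
        "method": "POST",
        "url": f"{AUTH_SERVER}/token",
        "headers": {"Authorization": basic_client_auth(),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "refresh_token",
                           "refresh_token": refresh_token}),
    }


def run_flow_offline() -> dict:
    """Drive the steps against a constructed callback (no network involved)."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)      # 43 chars, within RFC 7636's 43..128
    authorize_url = build_authorize_request("booksapi manage", state, verifier)
    # Constructed stand-in for the server's 302 Location, carrying the slide's code.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = handle_callback(callback, state)
    return {"authorize_url": authorize_url,
            "token_request": build_token_request(code, verifier),
            "refresh_request": build_refresh_request("tGzv3JOkF0XG5Qx2TlKWIA")}
```

The token request and the refresh request both go over the back channel with the client's credentials; only step 1 and step 2 pass through the browser, which is why the code (not the token) is what the browser ever sees.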
IMPLICIT FLOW
[Diagram: Resource Owner (real user: me, you), Client (OAuth Playground), Authorization Server, Resource Server (server that serves some data / logic)]
Step 1, token request: response_type=token asks the authorization server to return the access token directly, with no intermediate code.
GET /authorize?response_type=token&scope=booksapi%20manage&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://developers.google.com/… HTTP/1.1
Host: authserver.com
Step 2, access token: the authorization server redirects the browser back with the token in the URL fragment (RFC 6749 section 4.2.2), where only client-side script can read it; the client checks state before using it.
HTTP/1.1 302 Found
Location: https://developers.google.com/…/#access_token=SplxlOBeZQQYbYS6WxSbIA&token_type=bearer&state=xyz
No refresh token: when the access token expires the client has to run the authorization request again. Because the token travels through the browser (history, extensions, injected scripts) this grant is now deprecated in favour of the authorization code grant with PKCE.
Step 3, token check: the client calls the resource server, which validates the bearer token and its scope.
GET /profile HTTP/1.1
Host: resource.com
Authorization: Bearer SplxlOBeZQQYbYS6WxSbIA
Accept: application/json
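The "token check" arrow appears in both the authorization code flow and the implicit flow above, and the slides do not show what the resource server does when the request arrives. This added example (standard-library Python, not code from the slides) does it for the opaque tokens the slides use: it pulls the token out of the Authorization header, asks what the token is good for, and enforces the scope the slides request (booksapi manage), answering with the RFC 6750 error codes. The ISSUED_TOKENS table is constructed sample data standing in for the authorization server's token introspection endpoint (RFC 7662); the realm name resource.com is the slide's resource server host.

```python
"""Resource-server side of the "token check" step (added example, not from the slides).

ISSUED_TOKENS is constructed sample data standing in for an RFC 7662
introspection endpoint at the authorization server.
"""
import time
from typing import Optional, Tuple

# Constructed: what the authorization server knows about the tokens it issued.
ISSUED_TOKENS = {
    "2YotnFZCsicMWpAA": {"sub": "me", "scope": "booksapi manage",
                         "exp": time.time() + 3600},
    "SplxlOBeZQQYbYS6WxSbIA": {"sub": "you", "scope": "booksapi",
                               "exp": time.time() + 3600},
    "expired-token": {"sub": "me", "scope": "booksapi manage",
                      "exp": time.time() - 1},
}


def extract_bearer(headers: dict) -> Optional[str]:
    """Token from `Authorization: Bearer <token>` (RFC 6750 section 2.1).

    The scheme name is case-insensitive; returns None if the header is absent,
    uses another scheme, or carries no token.
    """
    value = headers.get("Authorization") or headers.get("authorization") or ""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def introspect(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Stand-in for RFC 7662 introspection: metadata for an active token, else None."""
    info = ISSUED_TOKENS.get(token)
    current = time.time() if now is None else now
    if info is None or info["exp"] <= current:
        return None
    return info


def authorize_request(headers: dict, required_scope: str) -> Tuple[int, dict]:
    """Decide a protected-resource request: (status, response_headers).

    401 when there is no usable token, 403 when the token lacks the required
    scope, 200 otherwise. Error responses carry WWW-Authenticate as RFC 6750
    section 3 prescribes, so a well-behaved client knows what went wrong.
    """
    token = extract_bearer(headers)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="resource.com"'}
    info = introspect(token)
    if info is None:
        return 401, {"WWW-Authenticate":
                     'Bearer realm="resource.com", error="invalid_token"'}
    granted = set(info["scope"].split())   # scopes are space-delimited strings
    needed = set(required_scope.split())
    if not needed <= granted:              # exact, case-sensitive comparison
        return 403, {"WWW-Authenticate":
                     'Bearer realm="resource.com", error="insufficient_scope", '
                     f'scope="{required_scope}"'}
    return 200, {"X-Subject": info["sub"]}
```

A resource server that holds signed JWTs instead of opaque tokens replaces introspect() with local signature and expiry checks, but the header parsing and the scope comparison stay the same.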
JSON WEB TOKEN (JWT)
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way of transmitting information between parties as a JSON object.
The information can be verified and trusted because it is digitally signed.
JWTs can be signed with a shared secret (the HMAC algorithms) or with a public/private key pair (RSA or ECDSA).
[Diagram: Client (any application), Authorization Server, Resource Server (server that serves some data / logic); the token is issued by the authorization server and, being self-contained, can be checked by the resource server locally without a call back to the authorization server]
JSON WEB TOKEN (JWT)
HEADER: ALGORITHM & TOKEN TYPE
{
  "alg": "HS256",
  "typ": "JWT"
}
PAYLOAD: DATA
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
SIGNATURE
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
Encoded token (header.payload.signature):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.keH6T3x1z7mmhKL1T3r9sQdAxxdzB6siemGMr_6ZOwU
The signature gives integrity and origin, not confidentiality: the header and payload are only base64url-encoded and anyone holding the token can read them. The verifier must also decide the algorithm itself rather than trusting the alg field in the header, otherwise a token with "alg": "none" or a swapped algorithm is accepted.
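The HS256 construction on the slide, minted and verified with the Python standard library, as an added example (not code from the slides). It produces exactly the header and payload segments shown above; the secret is an assumed demo value because the slide does not state the one used for its signature, so the third segment differs. The verifier pins the algorithm, compares signatures in constant time and checks exp, and demo() shows a tampered payload and an "alg": "none" token both being refused.

```python
"""Mint and verify an HS256 JWT (added example, not from the slides).

The secret is an assumed demo value; real keys should be random and at
least 256 bits long.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: re-add the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """header.payload.signature with signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}          # no whitespace, as jwt.io encodes it
    signing_input = (b64url(json.dumps(header, **compact).encode()) + "."
                     + b64url(json.dumps(payload, **compact).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the token is valid, otherwise raise ValueError.

    Hardening beyond the slide: the verifier fixes the algorithm (so a token
    claiming "alg": "none" or a different algorithm is refused), the signature
    compare is constant-time, and an exp claim is honoured when present.
    """
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":              # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def demo() -> dict:
    """Mint the slide's payload, verify it, then show two forgeries being rejected."""
    secret = b"demo-secret-do-not-use"              # assumed demo value
    payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    token = encode_hs256(payload, secret)
    results = {"token": token, "verified": verify_hs256(token, secret)}
    h64, p64, s64 = token.split(".")
    # Forgery 1: change a claim but keep the original signature.
    tampered = json.loads(b64url_decode(p64))
    tampered["sub"] = "0"
    forged = h64 + "." + b64url(json.dumps(tampered, separators=(",", ":")).encode()) + "." + s64
    # Forgery 2: rewrite the header to "alg": "none" with an empty signature.
    none_hdr = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    for name, bad in (("tampered", forged), ("alg_none", none_hdr + "." + p64 + ".")):
        try:
            verify_hs256(bad, secret)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

When the same JWT is used as the access token, the resource server runs verify_hs256() (or the RSA/ECDSA equivalent with the authorization server's public key) instead of calling back for introspection; the shared secret variant means every resource server that can verify a token can also forge one, which is why asymmetric signatures are preferred across trust boundaries.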
REAL EXAMPLES
https://developers.google.com/oauthplayground
Icons come from https://www.flaticon.com/authors/smashicons and are licensed under CC 3.0 BY.

More Related Content

What's hot

Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504Mattias Jidhage
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 

What's hot (20)

OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 

Similar to OAuth2

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladoresLuis Ruiz Pavón
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Securing APIs
Securing APIsSecuring APIs
Securing APIsWSO2
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 

Similar to OAuth2 (20)

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
Api security
Api security Api security
Api security
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
O auth 2
O auth 2O auth 2
O auth 2
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 

Recently uploaded

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)

OAuth2

  • 1. OAUTH 2.0 Standard overview, implementation, JWT. Maciek Leśniak
  • 2. WHAT IS OAUTH 2 OAuth 2.0 is the industry-standard framework for authorization. It enables a third-party application to obtain limited access to an HTTP service (either on behalf of the resource owner, or by allowing the third-party application to obtain access on its own). Transport Layer Security (TLS) must be used for every request. https://oauth.net/2/
  • 3. WHAT IS OAUTH 2 OAuth 2.0 is the industry-standard framework for authorization. It enables a third-party application to obtain limited access to an HTTP service (either on behalf of the resource owner, or by allowing the third-party application to obtain access on its own). Transport Layer Security (TLS) must be used for every request. All other trademarks cited herein are the property of their respective owners.
  • 4. THE ROLES
 • Resource Owner: generally a human, yourself
 • Resource Server: any server that holds data we want to get access to, e.g. Google profile data with personal information
 • Client: the application that requests access to a resource server (backend, frontend, mobile application)
 • Authorization Server: the server where the access policy is defined and, based on that policy, it issues access tokens to clients
 Diagram: Resource Owner (real user: me, you), Client (any application), Authorization Server, Resource Server (server that serves some data / logic)
  • 5. CLIENT TYPES
 • Web application that runs entirely on the server
 • User-agent-based application
 • Native applications
 Confidential: clients capable of maintaining the confidentiality of their credentials (e.g., a client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
 Public: clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
  • 6. TOKENS
 Refresh Token
 • issuing a refresh token is optional, at the discretion of the authorisation server; this token is issued together with the access token but it is not sent in each request
 • it is used to request a new access token (mainly when the old one has expired and we must renew it); the scope of the new token could change
 • valid only in combination with client authentication
 • for security reasons, it is not always possible to obtain this token
 • unlike access tokens, refresh tokens are intended for use only with authorisation servers and are never sent to resource servers
 Access Token
 • allows the client to access the data from the resource server
 • this token is sent by the client as a parameter or as a header in the request to the resource server
 • has a limited lifetime, which is defined by the authorisation server settings
 • must be kept as confidential as possible (for example by storing that kind of token in a cookie with the HttpOnly and Secure flags)
  • 7. SCOPES
 • the scope is a parameter used to limit the rights of the access token
 • it is the authorization server that defines the list of available scopes (case sensitive)
 • the client sends the scopes it wants to use during the authorization process, and the authorization server may override them
 https://YOUR_AUTH0_DOMAIN/authorize?
   scope=read%20profile&
   response_type=id_token&
   client_id=YOUR_CLIENT_ID&
   redirect_uri=https://YOUR_APP/callback&
   nonce=YOUR_CRYPTOGRAPHIC_NONCE&
   state=YOUR_OPAQUE_VALUE
  • 8. AUTHORIZATION GRANT An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. The four grant types and the clients they are meant for:
 • authorization code: confidential clients only
 • resource owner password credentials: device operating system, privileged applications
 • implicit: public clients, browser applications
 • client credentials: confidential clients only
  • 12. AUTHORIZATION CODE FLOW Diagram: Resource Owner (real user: me, you), Client (OAuth Playground), Authorization Server, Resource Server (server that serves some data / logic)
  • 13. AUTHORIZATION CODE FLOW code request: the client sends the resource owner's browser to the authorization server
 GET /authorize?response_type=code&scope=booksapi%20manage&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://developers.google.com/… HTTP/1.1
 Host: authserver.com
  • 17. AUTHORIZATION CODE FLOW code: after the resource owner approves, the authorization server redirects the browser back to the client's redirect_uri with the code and the unchanged state
 HTTP/1.1 302 Found
 Location: https://developers.google.com/…/?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  • 18. AUTHORIZATION CODE FLOW token request: the client exchanges the code at the token endpoint, authenticating itself with HTTP Basic (client_id:client_secret)
 POST /token HTTP/1.1
 Host: authserver.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://developers.google.com/…
  • 19. AUTHORIZATION CODE FLOW token / token check: the authorization server returns the tokens; the client then presents the access token to the resource server, which checks it with the authorization server
 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 {
   "access_token": "2YotnFZCsicMWpAA",
   "token_type": "bearer",
   "expires_in": 3600,
   "refresh_token": "tGzv3G5Qx2TlKWIA"
 }

 GET /profile HTTP/1.1
 Host: resource.com
 Authorization: Bearer 2YotnFZCsicMWpAA
 Content-Type: application/json;charset=UTF-8
  • 20. AUTHORIZATION CODE FLOW refresh token: when the access token expires, the client asks the token endpoint for a new one, again authenticating itself
 POST /token HTTP/1.1
 Host: authserver.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
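The exchange on slides 13 to 19, together with the scope rule of slide 7 and the client-authentication rule of slide 6, as an added example that is not part of the deck: all three parties run in one process with in-memory stores, so there is no network and no real authorization server. The client id and the Basic header are the values from the slides (the secret is simply what that header decodes to); the redirect URI, the endpoint names and the "profile" scope the resource server demands are assumptions. The example also shows two checks a practitioner would want to see a server make: the code is single-use (a second redemption fails with invalid_grant) and the client refuses a callback whose state it never issued.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Client id from the slides; the secret is what their Basic header decodes to.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example/callback"     # assumed (slides truncate theirs)
AUTHORIZE_ENDPOINT = "https://authserver.com/authorize"
TOKEN_LIFETIME = 3600                                # expires_in from slide 19


def basic_auth_header() -> str:
    """Client authentication header exactly as on slide 18."""
    return "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


def query_dict(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}    # code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access_token -> (scope, expiry)

    def authorize(self, query: dict) -> str:
        """Resource owner approved: return the 302 Location of slide 17."""
        cid, redirect = query.get("client_id"), query.get("redirect_uri")
        # The code is only ever sent to the redirect_uri registered for the client.
        if query.get("response_type") != "code" or self.clients.get(cid, (None, None))[1] != redirect:
            raise ValueError("bad response_type or unregistered client/redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (cid, redirect, query.get("scope", ""))
        # state is echoed unchanged so the client can tie this reply to its own request
        return redirect + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, headers: dict, form: dict) -> dict:
        """Token endpoint of slide 18: authenticate the client, then redeem the code."""
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        cid, _, sec = base64.b64decode(cred).decode(errors="replace").partition(":")
        if scheme != "Basic" or self.clients.get(cid, (None,))[0] != sec:
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)     # pop: a code is single-use
        if entry is None or entry[0] != cid or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (entry[2], time.time() + TOKEN_LIFETIME)
        return {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_LIFETIME}

    def check(self, token: str):
        """Token check of slide 19: scope of a live token, or None."""
        entry = self.tokens.get(token)
        return None if entry is None or entry[1] <= time.time() else entry[0]


def resource_get_profile(authz: AuthorizationServer, headers: dict):
    """Resource server: accept a bearer token only if the authorization server vouches for it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    scope = authz.check(token) if scheme == "Bearer" else None
    if scope is None:
        return 401, {"error": "invalid_token"}
    if "profile" not in scope.split():                    # scope check from slide 7
        return 403, {"error": "insufficient_scope"}
    return 200, {"name": "John Doe"}


class Client:
    def __init__(self):
        self.pending = set()   # states we issued and have not yet consumed

    def start(self, scope: str) -> str:
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "scope": scope, "client_id": CLIENT_ID,
            "state": state, "redirect_uri": REDIRECT_URI})

    def callback(self, location: str, authz: AuthorizationServer) -> dict:
        q = query_dict(location)
        if q.get("state") not in self.pending:     # a reply to a request we never made
            raise ValueError("unknown state")
        self.pending.discard(q["state"])
        return authz.token({"Authorization": basic_auth_header()},
                           {"grant_type": "authorization_code", "code": q["code"],
                            "redirect_uri": REDIRECT_URI})


def run_flow(scope: str = "booksapi profile") -> dict:
    """Drive the exchange end to end and report what each step produced."""
    authz, client = AuthorizationServer(), Client()
    location = authz.authorize(query_dict(client.start(scope)))   # owner consents here
    token_response = client.callback(location, authz)
    status, body = resource_get_profile(
        authz, {"Authorization": "Bearer " + token_response["access_token"]})
    replay = authz.token({"Authorization": basic_auth_header()},  # redeem the same code again
                         {"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
                          "code": query_dict(location)["code"]})
    return {"token": token_response, "status": status, "body": body, "replay": replay}
```

Calling run_flow() with the default scope ends in a 200 from the resource server and an invalid_grant for the replayed code; run_flow("booksapi") gets a token but a 403 from the resource server, which is the scope limit of slide 7 being enforced. In a real deployment the token store behind AuthorizationServer.check is the introspection or JWT-validation step of slide 19, not a shared dictionary.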
  • 22. IMPLICIT FLOW Diagram: Resource Owner (real user: me, you), Client (OAuth Playground), Authorization Server, Resource Server (server that serves some data / logic)
  • 23. IMPLICIT FLOW token request: the client sends the resource owner's browser to the authorization server and asks directly for a token (response_type=token)
 GET /authorize?response_type=token&scope=booksapi%20manage&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://developers.google.com/… HTTP/1.1
 Host: authserver.com
  • 27. IMPLICIT FLOW access token: the authorization server redirects the browser back to the client with the access token in the URL fragment; there is no code exchange step
 HTTP/1.1 302 Found
 Location: https://developers.google.com/…/#access_token=SplxlOBeZQQYbYS6WxSbIA&token_type=bearer&state=xyz
  • 28. IMPLICIT FLOW No refresh token is issued in the implicit flow.
  • 29. IMPLICIT FLOW token / token check: the client presents the access token to the resource server, which checks it with the authorization server
 GET /profile HTTP/1.1
 Host: resource.com
 Authorization: Bearer SplxlOBeZQQYbYS6WxSbIA
 Content-Type: application/json;charset=UTF-8
  • 31. JSON WEB TOKEN (JWT) JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA. Diagram: Client (any application), Authorization Server, Resource Server (server that serves some data / logic); the resource server checks the token.
  • 32. JSON WEB TOKEN (JWT)
 HEADER: ALGORITHM & TOKEN TYPE
 { "alg": "HS256", "typ": "JWT" }
 PAYLOAD: DATA
 { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
 SIGNATURE
 HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.keH6T3x1z7mmhKL1T3r9sQdAxxdzB6siemGMr_6ZOwU
  • 33. REAL EXAMPLES https://developers.google.com/oauthplayground Icons come from https://www.flaticon.com/authors/smashicons and are licensed under CC BY 3.0.