OAuth 2.0 Path to Heaven from Hell ?

Presentation Transcript


  1. OAuth 2.0: Path to Heaven from Hell? Prabath Siriwardena | Johann Nallathamby

  2. Pre OAuth Era

  3. Pre OAuth Era

  4. Pre OAuth Era

  5. Pre OAuth Era

  6. Need a better approach ? Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.

  7. Need a better approach ? Servers are required to support password authentication, despite the security weaknesses created by passwords.

  8. Need a better approach ? Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.

  9. Need a better approach ? Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.

  10. Need a better approach ? Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

  11. Delegation

  12. Pre OAuth Era

  13. OAuth Evolution

  14. OAuth 1.0a

  15. OAuth 1.0a : Three Legged

  16. OAuth 1.0a : Two Legged

  17. OAuth 1.0a : What's wrong?
      • Complexity in validating and generating signatures.
      • No clear separation between Resource Server and Authorization Server.
      • Browser-based redirections.

  18. OAuth 2.0 : Resource Owner
      • An entity capable of granting access to a protected resource.
      • When the resource owner is a person, it is referred to as an end-user.

  19. OAuth 2.0 : Resource Server
      • The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

  20. OAuth 2.0 : Client
      • An application making protected resource requests on behalf of the resource owner and with its authorization.

  21. OAuth 2.0 : Authorization Server
      • The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

  22. OAuth 2.0

  23. OAuth 2.0 : Authorization Grant Types
      • Client Credentials
      • Resource Owner Password Credentials
      • Authorization Code
      • Implicit

  24. OAuth 2.0 : Authorization Code Scope OAuth Handshake

  25. OAuth 2.0 Scope (OAuth Handshake) Scope is defined by the Authorization Server. Scope indicates which resource the client wants to access and which actions it wants to perform on it. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server.

  26. OAuth 2.0 : Authorization Code Confidential Client Type Web Application OAuth Handshake

  27. OAuth 2.0 : Authorization Code client_id / client_secret BasicAuth Client Authenticates to AuthZ Server OAuth Handshake

  28. OAuth 2.0 : Authorization Code : Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "code".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.

  29. OAuth 2.0 : Authorization Code : Authorization Grant Response (OAuth Handshake)
      • code : REQUIRED. The authorization code generated by the authorization server.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.

  30. OAuth 2.0 : Authorization Code : Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "authorization_code".
      • code : REQUIRED. The authorization code received from the Authorization Server.
      • redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization

  31. OAuth 2.0 : Authorization Code : Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
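An added example, not from the slides: the Authorization Code handshake of slides 27 to 31 built and checked offline in Python with only the standard library. The endpoint, redirect_uri and client registration are constructed sample values (the client id/secret are the ones RFC 6749 uses in its own examples), and the Basic header helper is the same client authentication the Client Credential slides (39, 41) rely on.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed sample values, not from the slides (RFC 6749's example client id/secret).
AUTHZ_ENDPOINT = "https://authz.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"

def build_authorization_request(scope, state=None):
    # Slide 28: response_type MUST be "code"; scope is space-delimited;
    # state is an unguessable opaque value the client keeps until the callback.
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scope), "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state

def parse_authorization_response(callback_url, expected_state):
    # Slide 29: callback carries code and, since we sent one, state. A missing or
    # different state means the code was not issued for our session: discard it.
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "code" not in q:
        raise ValueError("authorization error: " + q.get("error", ["unknown"])[0])
    return q["code"][0]

def basic_auth_header(client_id, client_secret):
    # Slide 27 (and slides 39/41): confidential client authenticates with HTTP
    # Basic; RFC 6749 s2.3.1 form-urlencodes id and secret before base64.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()

def build_token_request(code):
    # Slide 30: grant_type MUST be "authorization_code"; redirect_uri is
    # REQUIRED here because it was included in the authorization request.
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    headers = {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body

def parse_token_response(resp, now):
    # Slide 31: token_type is case-insensitive; expires_in is only RECOMMENDED.
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    expiry = now + int(resp["expires_in"]) if "expires_in" in resp else None
    return resp["access_token"], expiry
```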

  32. OAuth 2.0 : Implicit Scope OAuth Handshake

  33. OAuth 2.0 : Implicit Public Client Type User Agent based Application OAuth Handshake

  34. OAuth 2.0 : Implicit Anonymous Clients OAuth Handshake

  35. OAuth 2.0 : Implicit : Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "token".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.

  36. OAuth 2.0 : Implicit : Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
      • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.

  37. OAuth 2.0 : Client Credential Scope OAuth Handshake

  38. OAuth 2.0 : Client Credential Confidential Client Type OAuth Handshake

  39. OAuth 2.0 : Client Credential BasicAuth OAuth Handshake

  40. OAuth 2.0 : Client Credential Authorization Grant Request Since the client authentication is used as the authorization grant, no additional authorization request is needed. OAuth Handshake

  41. OAuth 2.0 : Client Credential : Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • scope : OPTIONAL. The scope of the access request.
      • Note : The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.

  42. OAuth 2.0 : Client Credential : Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.

  43. OAuth 2.0 : Resource Owner Password Credentials Scope OAuth Handshake

  44. OAuth 2.0 : Resource Owner Password Credentials Confidential Client Type OAuth Handshake

  45. OAuth 2.0 : Resource Owner Password Credentials BasicAuth OAuth Handshake

  46. OAuth 2.0 : Resource Owner Password Credentials : Authorization Grant Request (OAuth Handshake) The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.

  47. OAuth 2.0 : Resource Owner Password Credentials : Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • username : REQUIRED. The resource owner username, encoded as UTF-8.
      • password : REQUIRED. The resource owner password, encoded as UTF-8.
      • scope : OPTIONAL. The scope of the access request.

  48. OAuth 2.0 : Resource Owner Password Credentials : Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.

  49. OAuth 2.0 Runtime

  50. OAuth 2.0 Bearer MAC Runtime