Post on 08-May-2015
OAuth 2.0 Updates
OpenID TechNight #7
@nov
OpenID Foundation Japan Translation & Education WG
Translated OpenID 2.0, OAuth 1.0 & 2.0 specs
Web Developer @ iKnow!
OAuth.jp
Ruby Libraries
rack-oauth2, fb_graph, paypal-express etc.
OAuth in 5 min
Current Trend
Mobile / Game / Social
API Integration
Access Control for APIs

API Integration
Basic Auth
I’m using the same password on 10+ services.
OAuth
No password sharing
Limited access lifetime
  Expire after N weeks
Limited access scope
  Status Update : OK
  Read Inbox : NG
OAuth Everywhere
Mobile / Social Game
B2B is slow though..
Rough History
2007.12 OAuth 1.0
  Twitter API
2010.04 OAuth 2.0 (draft 0)
  Facebook Graph API
2010.07 draft 10
  mixi Graph API
2011.07 draft 20
  Review by 8/12
Roles: Resource Owner, Client, Resource Server, Authorization Server
  Resource Owner -> Authorization Server: Authorize Client Access
  Authorization Server -> Client: Access Token
  Client -> Resource Server: API Access (with the Access Token)
Core Spec: authorization and Access Token issuance (Authorization Server side)
Token Type Spec: API Access with the Access Token (Resource Server side)

Core Spec
Response Type
Code
  Secure
  2 HTTP requests
  Require Approval (1st), then Get Access Token (2nd)
Token
  Efficient
  1 HTTP request
  Both at once
+ extensions
Core
response_type = code (Resource Owner, Client, Authorization Server)
  1. Resource Owner -> Client: Initiate
  2. Client -> Authorization Server: Require Approval
  3. Resource Owner -> Authorization Server: Approve
  4. Authorization Server -> Resource Owner: Code
  5. Resource Owner -> Client: Code
  6. Client -> Authorization Server: Code
  7. Authorization Server -> Client: Access Token

response_type = token (Resource Owner, Client, Authorization Server)
  1. Resource Owner -> Client: Initiate
  2. Client -> Authorization Server: Require Approval
  3. Resource Owner -> Authorization Server: Approve
  4. Authorization Server -> Resource Owner -> Client: Access Token
Client Type
Confidential
  Has client secret
  e.g. Web app
Public
  No client secret
  e.g. Mobile/JS app
response_type = code, with request parameters (Resource Owner, Client, Authorization Server)
  Authorization request (Client -> Authorization Server, via the Resource Owner):
    client_id=...&response_type=code&redirect_uri=https://...
  Approve, then Code returned to the Client via redirect_uri
  Token request (Client -> Authorization Server):
    code=...&client_id=...&client_secret=...&redirect_uri=https://...
  Access Token returned to the Client
Public clients CANNOT do Client Authentication
  “client_secret” is NOT REQUIRED for public clients
  Rely on “redirect_uri” verification instead
  Public clients MUST pre-register “redirect_uri”
response_type = token, with request parameters (Resource Owner, Client, Authorization Server)
  Authorization request (Client -> Authorization Server, via the Resource Owner):
    client_id=...&response_type=token&redirect_uri=https://...
  Approve, then Access Token returned to the Client via redirect_uri
All clients MUST pre-register “redirect_uri”
Notes
For Servers
  Do you support public clients? Do you need iPhone/Android app support?
  Require full redirect URI registration
  Narrower scopes / shorter lifetime for public clients
For Clients
  Don’t include client secret in your mobile app
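The server-side rules above (full redirect_uri registration, no client_secret for public clients, client authentication for confidential ones) as an added Ruby example. This is not code from the slides or from rack-oauth2; the client registry, the in-memory code store and every secret and URL in it are constructed for illustration.

```ruby
require 'securerandom'

# Constructed client registry (not a real registration): one confidential
# web app that holds a client_secret, one public mobile app that does not.
CLIENTS = {
  'web-app'    => { type: :confidential, secret: 'constructed-web-app-secret',
                    redirect_uris: ['https://web.example.com/callback'] },
  'mobile-app' => { type: :public, secret: nil,
                    redirect_uris: ['myapp://oauth/callback'] }
}.freeze

class AuthzError < StandardError; end

# Constant-time string comparison for the client_secret check.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Full, exact match against the pre-registered redirect URIs. No prefix or
# substring matching and no "any URI if none registered" fallback: for public
# clients this check is the only thing standing in for client authentication.
def verify_redirect_uri!(client, redirect_uri)
  if redirect_uri.nil? || redirect_uri.empty?
    raise AuthzError, 'invalid_request: redirect_uri missing'
  end
  unless client[:redirect_uris].include?(redirect_uri)
    raise AuthzError, 'invalid_request: redirect_uri not registered'
  end
  redirect_uri
end

# Authorization endpoint: client_id=...&response_type=code&redirect_uri=https://...
# Returns what the server must remember so the code it issues can later be
# bound to this client and redirect_uri.
def validate_authorization_request(params)
  client = CLIENTS[params['client_id']] or raise AuthzError, 'invalid_client'
  unless %w[code token].include?(params['response_type'])
    raise AuthzError, 'unsupported_response_type'
  end
  redirect_uri = verify_redirect_uri!(client, params['redirect_uri'])
  { client_id: params['client_id'], response_type: params['response_type'],
    redirect_uri: redirect_uri }
end

# Token endpoint: code=...&client_id=...&client_secret=...&redirect_uri=https://...
# issued_codes maps each outstanding code to the client_id / redirect_uri it
# was issued for (constructed in-memory store). Confidential clients must
# present their client_secret; public clients were never issued one, so none
# is demanded and the code/redirect_uri binding carries the whole check.
def validate_token_request(params, issued_codes)
  client = CLIENTS[params['client_id']] or raise AuthzError, 'invalid_client'
  if client[:type] == :confidential
    secret = params['client_secret']
    unless secret && secure_compare(secret, client[:secret])
      raise AuthzError, 'invalid_client: client authentication failed'
    end
  end
  issued = issued_codes[params['code']] or raise AuthzError, 'invalid_grant: unknown code'
  unless issued[:client_id] == params['client_id'] &&
         issued[:redirect_uri] == params['redirect_uri']
    raise AuthzError, 'invalid_grant: code was issued to another client/redirect_uri'
  end
  issued_codes.delete(params['code']) # codes are single-use
  { access_token: SecureRandom.hex(16), token_type: 'bearer' }
end
```

The public client never gets past this code on the strength of a secret it does not have; what protects it is that the code can only be exchanged by the client_id and redirect_uri it was issued for, which is why the slide insists on exact pre-registration of the redirect URI.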
Security Considerations
Don’t issue “client_secret” to public clients
“redirect_uri” verification is important especially for public clients
Consider security policy per client type
Use “state” param against CSRF / code injection attack
etc.
Code injection attack without “state” (Attacker, Client, Authorization Server)
  1. Attacker -> Client: Initiate
  2. Client -> Authorization Server: Require Approval
  3. Attacker -> Authorization Server: Approve
  4. Authorization Server -> Attacker: Code (issued for the attacker’s account)
  5. Attacker -> Client: Code (the attacker’s Code is delivered to the Client in another user’s session)
  6. Client -> Authorization Server: Code
  7. Authorization Server -> Client: Access Token
  Allow attacker to login with attacker’s Twitter account

Same flow with “state” (Attacker, Client, Authorization Server)
  1. Attacker -> Client: Initiate
  2. Client -> Authorization Server: Require Approval + State (Client stores “state” in Cookie etc.)
  3. Attacker -> Authorization Server: Approve
  4. Authorization Server -> Attacker: Code + State
  5. Attacker -> Client: Code + State (from the attacker’s own flow)
  6. Client: “state” verification failed!! (no token request is made)
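The client-side “state” handling from the diagram above, as an added Ruby example (not code from the slides or from rack-oauth2). It assumes a plain Hash standing in for the cookie/session store; the client_id, redirect_uri and authorization endpoint are constructed placeholders.

```ruby
require 'securerandom'
require 'uri'

# Constructed client configuration (hypothetical values, not a real registration).
CLIENT_ID      = 'example-client'
REDIRECT_URI   = 'https://client.example.com/callback'
AUTHZ_ENDPOINT = 'https://authz.example.com/authorize'

# Constant-time comparison of the echoed state against the stored one.
def same_state?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 (Initiate): generate an unguessable "state", store it in the user's
# cookie/session, and send it along with the authorization request.
def build_authorization_request(session)
  state = SecureRandom.urlsafe_base64(32)
  session[:oauth_state] = state
  query = URI.encode_www_form(client_id: CLIENT_ID, response_type: 'code',
                              redirect_uri: REDIRECT_URI, state: state)
  "#{AUTHZ_ENDPOINT}?#{query}"
end

# Step 2 (callback ?code=...&state=...): the code is exchanged only if the
# echoed "state" matches the one stored in THIS user's session. A code taken
# from the attacker's own flow arrives with the attacker's state (or none),
# so the comparison fails and the code is never sent to the token endpoint.
def handle_callback(session, params)
  expected = session.delete(:oauth_state)   # single use: never accept it twice
  returned = params['state']
  if expected.nil? || returned.nil? || !same_state?(expected, returned)
    return { ok: false, error: 'state verification failed' }
  end
  { ok: true, code: params['code'] }         # safe to exchange for an Access Token
end
```

Deleting the stored state before comparing means a replayed callback, even with the right value, is rejected the second time; binding the state to the session cookie is what ties the returned code to the browser that started the flow.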
Token Type Spec
Bearer
  No signature
  No token secret
  Mainstream
MAC
  Signature
  Token secret
  Similar to OAuth 1.0
+ extensions
Token
Bearer Token
  Access Token Response
  API Access (Bearer)
MAC Token
  Access Token Response
  API Access (MAC)
Notes
For Servers
  Access Token Response
    Set “token_type” as “bearer”
  Resource Request
    Support both “OAuth” and “Bearer” auth header
    Support both “oauth_token” and “access_token” query/body params
Notes
For Clients
  Move from “OAuth” to “Bearer”
  Move from “oauth_token” to “access_token”
  Only for Facebook API developers
    Access token response will be JSON
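The bearer-token notes above (client: parse a JSON token response and send the token; server: accept both the “OAuth” and “Bearer” header schemes and both the “oauth_token” and “access_token” parameters during the migration) as an added Ruby example. It is not code from the slides or from rack-oauth2; the headers and parameters it is run against are constructed.

```ruby
require 'json'

# Client side: parse the JSON access token response and reject anything that
# is not a bearer token, since the Authorization header below is only valid
# for that token type.
def parse_token_response(body)
  data = JSON.parse(body)
  unless data['token_type'].to_s.downcase == 'bearer'
    raise ArgumentError, "unsupported token_type: #{data['token_type'].inspect}"
  end
  data['access_token']
end

# Client side: the header a migrated client sends ("Bearer", not "OAuth").
def bearer_authorization_header(access_token)
  "Bearer #{access_token}"
end

# Resource server side: locate the access token in a request. Accepts the
# current "Bearer" scheme and the legacy "OAuth <token>" scheme in the
# Authorization header, plus "access_token" and legacy "oauth_token" in the
# query/body parameters. A request that carries different tokens in more
# than one place is ambiguous and is rejected (returns nil) rather than
# letting the server pick one.
def extract_access_token(headers, params)
  found = []
  if (auth = headers['Authorization'])
    if (m = auth.match(/\A(Bearer|OAuth)\s+([^\s,]+)\s*\z/i))
      found << m[2]
    end
  end
  %w[access_token oauth_token].each do |key|
    found << params[key] if params[key] && !params[key].empty?
  end
  return nil if found.empty?
  return nil if found.uniq.size > 1   # conflicting tokens: treat as malformed
  found.first
end
```

The regex deliberately stops at a comma or whitespace so an OAuth 1.0-style `Authorization: OAuth realm=..., oauth_token=...` header is not mistaken for a bare OAuth 2.0 token; that header carries a signed request and must go to a different code path.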