OAuth 2.0: Path to Heaven from Hell?
![Page 1: OAuth 2.0 Path to Heaven from Hell ?](https://reader035.fdocuments.us/reader035/viewer/2022062315/568162ac550346895dd32e0d/html5/thumbnails/1.jpg)
OAuth 2.0
Path to Heaven from Hell?
Prabath Siriwardena | Johann Nallathamby
Pre OAuth Era
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
Need a better approach?
Servers are required to support password authentication, despite the security weaknesses created by passwords.
Need a better approach?
Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
Need a better approach?
Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.
Need a better approach?
Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
Need a better approach?
Delegation
Pre OAuth Era
OAuth Evolution
OAuth 1.0a
OAuth 1.0a : Three Legged
OAuth 1.0a : Two Legged
OAuth 1.0a : What's wrong?
• Complexity in validating and generating signatures.
• No clear separation between Resource Server and Authorization Server.
• Browser-based redirections.
OAuth 2.0 : Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user.
OAuth 2.0 : Resource Server
• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
OAuth 2.0 : Client
• An application making protected resource requests on behalf of the resource owner and with its authorization.
OAuth 2.0 : Authorization Server
• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
OAuth 2.0
OAuth 2.0 : Authorization Grant Types
Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials
OAuth 2.0 : Authorization Code
OAuth Handshake
Scope
OAuth 2.0
OAuth Handshake
Scope
Scope is defined by the Authorization Server.
Scope indicates which resource the client wants to access and which actions it wants to perform on that resource.
The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
The strings are defined by the authorization server.
OAuth 2.0 : Authorization Code
Confidential Client Type
Web Application
OAuth Handshake
OAuth 2.0 : Authorization Code
Client Authenticates to AuthZ Server
BasicAuth
client_id / client_secret
OAuth Handshake
OAuth 2.0 : Authorization Code
Authorization Grant Request
OAuth Handshake
• response_type : REQUIRED. Value MUST be set to "code".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
OAuth 2.0 : Authorization Code
Authorization Grant Response
OAuth Handshake
• code : REQUIRED. The authorization code generated by the authorization server.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
OAuth 2.0 : Authorization Code
Access Token Request
OAuth Handshake
• grant_type : REQUIRED. Value MUST be set to "authorization_code".
• code : REQUIRED. The authorization code received from the Authorization Server.
• redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization
OAuth 2.0 : Authorization Code
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
OAuth 2.0 : Implicit
OAuth Handshake
Scope
OAuth 2.0 : Implicit
Public Client Type
User Agent based Application
OAuth Handshake
OAuth 2.0 : Implicit
Anonymous Clients
OAuth Handshake
OAuth 2.0 : Implicit
OAuth Handshake
Authorization Grant Request
• response_type : REQUIRED. Value MUST be set to "token".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
OAuth 2.0 : Implicit
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
• scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
OAuth 2.0 : Client Credential
OAuth Handshake
Scope
OAuth 2.0 : Client Credential
Confidential Client Type
OAuth Handshake
OAuth 2.0 : Client Credential
BasicAuth
OAuth Handshake
OAuth 2.0 : Client Credential
OAuth Handshake
Authorization Grant Request
Since the client authentication is used as the authorization grant, no additional authorization request is needed.
OAuth 2.0 : Client Credential
OAuth Handshake
Access Token Request
• grant_type : REQUIRED. Value MUST be set to "client_credentials".
• scope : OPTIONAL. The scope of the access request.
Note : The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
OAuth 2.0 : Client Credential
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
OAuth 2.0 : Resource Owner Password Credentials
OAuth Handshake
Scope
OAuth 2.0 : Resource Owner Password Credentials
Confidential Client Type
OAuth Handshake
OAuth 2.0 : Resource Owner Password Credentials
BasicAuth
OAuth Handshake
OAuth 2.0 : Resource Owner Password Credentials
OAuth Handshake
Authorization Grant Request
The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
OAuth 2.0 : Resource Owner Password Credentials
OAuth Handshake
Access Token Request
• grant_type : REQUIRED. Value MUST be set to "password".
• username : REQUIRED. The resource owner username, encoded as UTF-8.
• password : REQUIRED. The resource owner password, encoded as UTF-8.
• scope : OPTIONAL. The scope of the access request.
OAuth 2.0 : Resource Owner Password Credentials
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
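The following is an added example, not code from the slides or from the authors: an in-memory Python model of the token endpoint behaviour listed above for the authorization code, client credentials and resource owner password grants, together with the scope rules (space-delimited, case-sensitive, defined by the authorization server) and the state check on the client side. Class and function names (AuthorizationServer, run_authorization_code_flow, demo_server), the registered client "web-app", its secret and redirect URI, and the user "alice" are all constructed sample values, not anything from the deck.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    SUPPORTED_SCOPES = {"read", "write"}  # scope strings are defined by the AS; matching is case-sensitive
    TOKEN_LIFETIME = 3600                 # expires_in, in seconds

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"} (confidential web applications)
        self.users = {}    # username -> password (constructed sample; plaintext only for the demo)
        self.codes = {}    # authorization code -> {"client_id", "redirect_uri", "scope"}
        self.tokens = {}   # access token -> {"client_id", "scope", "expires"}

    def parse_scope(self, scope):
        # The scope parameter is a space-delimited list of case-sensitive strings.
        requested = set(scope.split(" ")) if scope else set()
        if not requested <= self.SUPPORTED_SCOPES:
            raise ValueError("invalid_scope")
        return requested

    def authorize(self, params):
        """Authorization endpoint (code grant): returns the redirect URL carrying code and state."""
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("invalid_client")
        redirect_uri = params.get("redirect_uri", client["redirect_uri"])
        if redirect_uri != client["redirect_uri"]:  # exact match against the registered value
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "scope": self.parse_scope(params.get("scope"))}
        query = {"code": code}
        if "state" in params:  # echoed back unchanged whenever the client sent one
            query["state"] = params["state"]
        return redirect_uri + "?" + urlencode(query)

    def _authenticate_client(self, authorization_header):
        # Confidential clients authenticate with HTTP Basic: base64(client_id:client_secret).
        scheme, _, encoded = authorization_header.partition(" ")
        if scheme != "Basic":
            raise ValueError("invalid_client")
        client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], secret):
            raise ValueError("invalid_client")
        return client_id

    def token(self, authorization_header, form):
        """Token endpoint for the authorization_code, client_credentials and password grants."""
        client_id = self._authenticate_client(authorization_header)
        grant_type = form.get("grant_type")
        if grant_type == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # a code is single-use
            if entry is None or entry["client_id"] != client_id:
                raise ValueError("invalid_grant")
            if entry["redirect_uri"] != form.get("redirect_uri"):  # must repeat the earlier value
                raise ValueError("invalid_grant")
            scope = entry["scope"]
        elif grant_type == "client_credentials":
            scope = self.parse_scope(form.get("scope"))  # the client authentication is the grant
        elif grant_type == "password":
            expected = self.users.get(form.get("username"), "")
            if not hmac.compare_digest(expected, form.get("password", "")):
                raise ValueError("invalid_grant")
            scope = self.parse_scope(form.get("scope"))  # client discards the password after this
        else:
            raise ValueError("unsupported_grant_type")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": scope, "expires": time.time() + self.TOKEN_LIFETIME}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.TOKEN_LIFETIME, "scope": " ".join(sorted(scope))}


def basic_auth_header(client_id, client_secret):
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def run_authorization_code_flow(server, client_id, client_secret, redirect_uri, scope):
    """Client side of the handshake: request a code, check state on the callback, swap it for a token."""
    state = secrets.token_urlsafe(16)  # opaque value binding the callback to this request
    callback = server.authorize({"response_type": "code", "client_id": client_id,
                                 "redirect_uri": redirect_uri, "scope": scope, "state": state})
    query = parse_qs(urlparse(callback).query)
    if not hmac.compare_digest(query.get("state", [""])[0], state):
        raise ValueError("state mismatch: callback is not bound to our request")
    return server.token(basic_auth_header(client_id, client_secret),
                        {"grant_type": "authorization_code", "code": query["code"][0],
                         "redirect_uri": redirect_uri})


def demo_server():
    # Constructed sample registration; none of these are real credentials.
    server = AuthorizationServer()
    server.clients["web-app"] = {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"}
    server.users["alice"] = "alice-pw"
    return server
```

Running `run_authorization_code_flow(demo_server(), "web-app", "s3cr3t", "https://app.example/cb", "read write")` walks the whole code handshake in-process. The points a reviewer would look for are all in the server: the redirect_uri is compared exactly against the registered one, a code is consumed on first use and bound to the client that obtained it, the client secret and the user password are compared in constant time, and a scope string that differs only in case ("Read") is rejected rather than silently mapped.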
OAuth 2.0
Runtime
OAuth 2.0
Runtime
Bearer MAC
OAuth 2.0
Runtime
Bearer MAC
Any party in possession of a bearer token (a "bearer") can use it to get access to the
associated resources (without demonstrating possession of a cryptographic key).
Bearer
OAuth 2.0
Runtime
Request with Bearer
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer access_token_value
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
OAuth 2.0
Runtime
Bearer MAC
HTTP MAC access authentication scheme
MAC
OAuth 2.0
Runtime
Request with MAC
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8", ts="1336363200", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
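As an added example that is not part of the deck, the following Python shows the resource-server side of the two token types contrasted on the last slides: a bearer check, where possession of the string is the entire proof, beside a MAC check, where the server recomputes an HMAC over the request it actually received and rejects stale timestamps and repeated nonces. The bearer token value, the MAC key, the stores and the function names are constructed; the element order of the normalized request string (ts, nonce, method, request URI, host, port, ext, each newline-terminated) follows draft-ietf-oauth-v2-http-mac-01 as recalled here and should be treated as an assumption, while the MAC id, ts and nonce values reused in the usage are the ones from the slide.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed sample stores (not from the slides): what the resource server knows about each token.
BEARER_TOKENS = {"mF_9.B5f-4.1JqM": {"scope": {"read"}}}
MAC_KEYS = {"h480djs93hd8": {"key": b"adiMgbSfBEtmJjrbDl2MGu6Qm60RlBsP",
                             "algorithm": "hmac-sha-1", "scope": {"read", "write"}}}
TIMESTAMP_WINDOW = 300  # seconds of clock skew a MAC request may carry
_seen_nonces = set()    # (id, ts, nonce) triples already accepted; bound this per key in production

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header):
    """Split an Authorization header into (scheme, credential)."""
    scheme, _, rest = header.partition(" ")
    if scheme == "Bearer":
        return scheme, rest.strip()
    if scheme == "MAC":
        return scheme, dict(_PARAM_RE.findall(rest))
    raise ValueError("unsupported_scheme")


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    # Element order as in draft-ietf-oauth-v2-http-mac-01 as recalled here (assumption):
    # ts, nonce, method, request URI, host, port, ext, each terminated by a newline.
    return "\n".join([ts, nonce, method.upper(), request_uri, host.lower(), str(port), ext]) + "\n"


def compute_mac(key, algorithm, normalized):
    digest = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}[algorithm]
    return base64.b64encode(hmac.new(key, normalized.encode(), digest).digest()).decode()


def build_mac_header(key_id, ts, nonce, method, request_uri, host, port):
    """Client side: sign the request with the MAC key; the key itself is never transmitted."""
    entry = MAC_KEYS[key_id]
    mac = compute_mac(entry["key"], entry["algorithm"],
                      normalized_request_string(ts, nonce, method, request_uri, host, port))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def authorize_request(method, request_uri, host, port, authorization_header, now=None):
    """Resource-server check: returns the scope set granted to the request or raises ValueError."""
    now = time.time() if now is None else now
    scheme, cred = parse_authorization(authorization_header)
    if scheme == "Bearer":
        # Possession is the whole proof: whoever presents the string is served, so the
        # only controls are confidential transport (TLS) and short token lifetimes.
        token = BEARER_TOKENS.get(cred)
        if token is None:
            raise ValueError("invalid_token")
        return token["scope"]
    # MAC: recompute over the request the server actually received. A captured header
    # does not verify for another method or URI, and a repeated one hits the nonce cache.
    entry = MAC_KEYS.get(cred.get("id"))
    if entry is None:
        raise ValueError("invalid_token")
    if abs(now - int(cred["ts"])) > TIMESTAMP_WINDOW:
        raise ValueError("stale_timestamp")
    replay_key = (cred["id"], cred["ts"], cred["nonce"])
    if replay_key in _seen_nonces:
        raise ValueError("replayed_nonce")
    expected = compute_mac(entry["key"], entry["algorithm"], normalized_request_string(
        cred["ts"], cred["nonce"], method, request_uri, host, port, cred.get("ext", "")))
    if not hmac.compare_digest(expected, cred["mac"]):
        raise ValueError("bad_mac")
    _seen_nonces.add(replay_key)
    return entry["scope"]
```

`build_mac_header("h480djs93hd8", "1336363200", "274312:dj83hs9s", "GET", "/resource/1", "example.com", 443)` produces a header shaped like the slide's, and `authorize_request("GET", "/resource/1", "example.com", 443, header, now=1336363210)` accepts it once; presenting the same header a second time, or against a different method, fails. The bearer branch has no such binding, which is the reason the bearer draft leans entirely on TLS and token lifetime.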