SlideShare une entreprise Scribd logo

Oauth tutorial

Télécharger en tant que PPT, PDF
乐费 胡
乐费 胡
Technologie
1  sur  41
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
Acknowledgements • I would like to thank to Pasi Eronen. We are re-using some of his slides in this presentation. 12/29/12 IETF #79, OAuth Tutorial Beijing 2
The Problem: Secure Data Sharing 12/29/12 IETF #79, OAuth Tutorial Beijing 3
12/29/12 IETF #79, OAuth Tutorial Beijing 4
Example OAuth Exchange 12/29/12 IETF #79, OAuth Tutorial Beijing 5
Entities User Agent (Web Browser) Authorization Request User Resource Consumer (LinkedIn) Token request Authorization Server (Yahoo) Access Request (incl. Token) Resource Server (Yahoo) 12/29/12 IETF #79, OAuth Tutorial Beijing 6
User navigates to Resource Client 12/29/12 IETF #79, OAuth Tutorial Beijing 7
User authenticated by Authorization Server 12/29/12 IETF #79, OAuth Tutorial Beijing 8
User authorizes Resource Consumer to access Resource Server 12/29/12 IETF #79, OAuth Tutorial Beijing 9
Resource Client calls the Resource Server API 12/29/12 IETF #79, OAuth Tutorial Beijing 10
Remark: Authentication • Yahoo in our example may outside the authentication part to other providers (e.g. using OpenID). • Authorization Server and Resource Server do not need to be operated by the same entity. 12/29/12 IETF #79, OAuth Tutorial Beijing 11
Remark: Authorization • Asking the user for consent prior to share information is considered privacy-friendly. • User interfaces for obtaining user content may not always be great. 12/29/12 IETF #79, OAuth Tutorial Beijing 12
Remark: Authorization, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 13
Remark: Authorization, cont.
Remark: Authorization, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 15
Remark: Prior-Registration • Many Resource Server require registration of Resource Client’s prior to usage. • Example: http://developer.cliqset.com/api 12/29/12 IETF #79, OAuth Tutorial Beijing 16
Remark, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 17
History 12/29/12 IETF #79, OAuth Tutorial Beijing 18
History • November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. • December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft • April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol. • July 2007: OAuth 1.0 (with code for major programming languages) • September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) • Deployment of OAuth well on it’s way: http://wiki.oauth.net/ServiceProviders 12/29/12 IETF #79, OAuth Tutorial Beijing 19
History, cont. • 1st OAuth BOF (Minneapolis, November 2008, IETF#73) – BOF Chairs: Sam Hartman, Mark Nottingham – BOF went OK but a couple of charter questions couldn’t be resolved. • 2nd OAuth BOF (San Francisco, March 2009, IETF#74) – BOF Chairs: Hannes Tschofenig, Blaine Cook – Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting • IETF wide review of the OAuth charter text (28 th April 2009) – Announcement: http://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.html • OAuth working group was created (May 2009) – Chairs: Blaine Cook, Peter Saint Andre • Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: – 12/29/12 http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html IETF #79, OAuth Tutorial Beijing 20
History, cont. • March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair. • March 2010: IETF OAuth meeting in Anaheim • April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published co-authored by Eran, Dick, David. • May 2010: First OAuth interim meeting co-located with IIW to discuss open issues. • July 2010: Maastricht IETF meeting • November 2010: Document split into “abstract” specification and separate bearer token and message signing specification. • November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth 12/29/12 IETF #79, OAuth Tutorial Beijing 21
Entities User Agent Authorization Request User Resource Consumer Token request Authorization Server Access Request (incl. Token) Resource Server 12/29/12 IETF #79, OAuth Tutorial Beijing 22
Scope of the OAuth WG • Currently only one working group item: – http://tools.ietf.org/html/draft-ietf-oauth-v2 – Unlike OAuth v1.0 it does not contain signature mechanisms • We have a punch of other documents as individual items – Providing security related extensions – User interface considerations – Token formats – Token by reference – Use case descriptions – Other OAuth profiles OAuth Tutorial Beijing 12/29/12 IETF #79, 23
Work Areas User Interface User Agent Authentication Authorization Request User Resource Consumer Token Format Token Request And Content Authorization Server Authz Server Data Exchange Interaction Access Request (incl. Token) Resource Server Request Security OAuth Profiles 12/29/12 IETF #79, OAuth Tutorial Beijing 24
Web Server Flow
12/29/12 IETF #79, OAuth Tutorial Beijing 26
A little bit about OAuth security… Se curity
Work Areas User Interface User Agent Authentication Authorization Request User Resource Consumer Token Request Authorization Server Authz Server Data Exchange Interaction Access Request (incl. Token) Resource Server OAuth Profiles 12/29/12 IETF #79, OAuth Tutorial Beijing 28
“Bearer Token” Authorization Server Request Token TLS Resource Token Resource Consumer TLS Server
“Message Signing” Authorization Server Request Token,SK, TLS {SK}Bob Resource Resource Consumer Token, Server {Request}SK, {SK}Bob
Conclusion • Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments. – Usage for non-Web based applications has been proposed as well. • Work is in progress and re-chartering will expand the work to include new features and use cases as well as security. • Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution. 12/29/12 IETF #79, OAuth Tutorial Beijing 31
Backup Slides 12/29/12 IETF #79, OAuth Tutorial Beijing 32
JavaScript Flow (User Agent Flow in Draft)
12/29/12 IETF #79, OAuth Tutorial Beijing 34
Native Application Flow
12/29/12 IETF #79, OAuth Tutorial Beijing 36
Autonomous Flow
12/29/12 IETF #79, OAuth Tutorial Beijing 38
Device Flow
12/29/12 IETF #79, OAuth Tutorial Beijing 40
12/29/12 IETF #79, OAuth Tutorial Beijing 41

Recommandé

Rfc5849aut
Rfc5849autRfc5849aut
Rfc5849autVishal Shah
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pkiphanleson
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OAuth
OAuthOAuth
OAuthAslam Jarwar
 
O auth
O authO auth
O authfaisalqau
 
#iiw 13th report at #idcon 10th
#iiw 13th report at #idcon 10th#iiw 13th report at #idcon 10th
#iiw 13th report at #idcon 10thNov Matake
 

Recommandé

Rfc5849aut
Rfc5849autRfc5849aut
Rfc5849autVishal Shah
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pkiphanleson
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OAuth
OAuthOAuth
OAuthAslam Jarwar
 
O auth
O authO auth
O authfaisalqau
 
#iiw 13th report at #idcon 10th
#iiw 13th report at #idcon 10th#iiw 13th report at #idcon 10th
#iiw 13th report at #idcon 10thNov Matake
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
Oauth
OauthOauth
Oauthehuard
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter AuthenticationVishal Shah
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsDucAnhLe56
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaNov Matake
 
Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Microsoft TechNet - Belgium and Luxembourg
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Yury Roa
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English TranslationNat Sakimura
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
神仙道移动Ui演变
神仙道移动Ui演变神仙道移动Ui演变
神仙道移动Ui演变乐费 胡
 
10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x乐费 胡
 

Contenu connexe

Similaire à Oauth tutorial

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter AuthenticationVishal Shah
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsDucAnhLe56
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaNov Matake
 
Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Microsoft TechNet - Belgium and Luxembourg
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Yury Roa
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English TranslationNat Sakimura
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 

Similaire à Oauth tutorial (20)

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
Oauth
OauthOauth
Oauth
 
OAuth
OAuthOAuth
OAuth
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfs
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
 
Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 

Plus de 乐费 胡

神仙道移动Ui演变
神仙道移动Ui演变神仙道移动Ui演变
神仙道移动Ui演变乐费 胡
 
10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x乐费 胡
 
09 creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna09 creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna乐费 胡
 
08 gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x08 gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x乐费 胡
 
07 funny sango td and cocos2d-x
07 funny sango td and cocos2d-x07 funny sango td and cocos2d-x
07 funny sango td and cocos2d-x乐费 胡
 
06 html5 and cocos2d-x
06 html5 and cocos2d-x06 html5 and cocos2d-x
06 html5 and cocos2d-x乐费 胡
 
05 optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture05 optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture乐费 胡
 
04 growing up with the open source community
04 growing up with the open source community04 growing up with the open source community
04 growing up with the open source community乐费 胡
 
03 crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x03 crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x乐费 胡
 
02 evolution innovation and participation
02 evolution innovation and participation02 evolution innovation and participation
02 evolution innovation and participation乐费 胡
 
01 cocos2d past, present and future
01 cocos2d past, present and future01 cocos2d past, present and future
01 cocos2d past, present and future乐费 胡
 
11 share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu11 share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu乐费 胡
 
Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3乐费 胡
 
[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)乐费 胡
 

Plus de 乐费 胡 (14)

神仙道移动Ui演变
神仙道移动Ui演变神仙道移动Ui演变
神仙道移动Ui演变
 
10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x10 multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x
 
09 creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna09 creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna
 
08 gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x08 gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x
 
07 funny sango td and cocos2d-x
07 funny sango td and cocos2d-x07 funny sango td and cocos2d-x
07 funny sango td and cocos2d-x
 
06 html5 and cocos2d-x
06 html5 and cocos2d-x06 html5 and cocos2d-x
06 html5 and cocos2d-x
 
05 optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture05 optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture
 
04 growing up with the open source community
04 growing up with the open source community04 growing up with the open source community
04 growing up with the open source community
 
03 crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x03 crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x
 
02 evolution innovation and participation
02 evolution innovation and participation02 evolution innovation and participation
02 evolution innovation and participation
 
01 cocos2d past, present and future
01 cocos2d past, present and future01 cocos2d past, present and future
01 cocos2d past, present and future
 
11 share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu11 share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu
 
Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3
 
[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)
 

Dernier

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Dernier (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Oauth tutorial

  • 1. Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
  • 2. Acknowledgements • I would like to thank to Pasi Eronen. We are re-using some of his slides in this presentation. 12/29/12 IETF #79, OAuth Tutorial Beijing 2
  • 3. The Problem: Secure Data Sharing 12/29/12 IETF #79, OAuth Tutorial Beijing 3
  • 4. 12/29/12 IETF #79, OAuth Tutorial Beijing 4
  • 5. Example OAuth Exchange 12/29/12 IETF #79, OAuth Tutorial Beijing 5
  • 6. Entities User Agent (Web Browser) Authorization Request User Resource Consumer (LinkedIn) Token request Authorization Server (Yahoo) Access Request (incl. Token) Resource Server (Yahoo) 12/29/12 IETF #79, OAuth Tutorial Beijing 6
  • 7. User navigates to Resource Client 12/29/12 IETF #79, OAuth Tutorial Beijing 7
  • 8. User authenticated by Authorization Server 12/29/12 IETF #79, OAuth Tutorial Beijing 8
  • 9. User authorizes Resource Consumer to access Resource Server 12/29/12 IETF #79, OAuth Tutorial Beijing 9
  • 10. Resource Client calls the Resource Server API 12/29/12 IETF #79, OAuth Tutorial Beijing 10
  • 11. Remark: Authentication • Yahoo in our example may outside the authentication part to other providers (e.g. using OpenID). • Authorization Server and Resource Server do not need to be operated by the same entity. 12/29/12 IETF #79, OAuth Tutorial Beijing 11
  • 12. Remark: Authorization • Asking the user for consent prior to share information is considered privacy-friendly. • User interfaces for obtaining user content may not always be great. 12/29/12 IETF #79, OAuth Tutorial Beijing 12
  • 13. Remark: Authorization, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 13
  • 15. Remark: Authorization, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 15
  • 16. Remark: Prior-Registration • Many Resource Server require registration of Resource Client’s prior to usage. • Example: http://developer.cliqset.com/api 12/29/12 IETF #79, OAuth Tutorial Beijing 16
  • 17. Remark, cont. 12/29/12 IETF #79, OAuth Tutorial Beijing 17
  • 18. History 12/29/12 IETF #79, OAuth Tutorial Beijing 18
  • 19. History • November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. • December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft • April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol. • July 2007: OAuth 1.0 (with code for major programming languages) • September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) • Deployment of OAuth well on it’s way: http://wiki.oauth.net/ServiceProviders 12/29/12 IETF #79, OAuth Tutorial Beijing 19
  • 20. History, cont. • 1st OAuth BOF (Minneapolis, November 2008, IETF#73) – BOF Chairs: Sam Hartman, Mark Nottingham – BOF went OK but a couple of charter questions couldn’t be resolved. • 2nd OAuth BOF (San Francisco, March 2009, IETF#74) – BOF Chairs: Hannes Tschofenig, Blaine Cook – Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting • IETF wide review of the OAuth charter text (28 th April 2009) – Announcement: http://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.html • OAuth working group was created (May 2009) – Chairs: Blaine Cook, Peter Saint Andre • Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: – 12/29/12 http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html IETF #79, OAuth Tutorial Beijing 20
  • 21. History, cont. • March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair. • March 2010: IETF OAuth meeting in Anaheim • April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published co-authored by Eran, Dick, David. • May 2010: First OAuth interim meeting co-located with IIW to discuss open issues. • July 2010: Maastricht IETF meeting • November 2010: Document split into “abstract” specification and separate bearer token and message signing specification. • November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth 12/29/12 IETF #79, OAuth Tutorial Beijing 21
  • 22. Entities User Agent Authorization Request User Resource Consumer Token request Authorization Server Access Request (incl. Token) Resource Server 12/29/12 IETF #79, OAuth Tutorial Beijing 22
  • 23. Scope of the OAuth WG • Currently only one working group item: – http://tools.ietf.org/html/draft-ietf-oauth-v2 – Unlike OAuth v1.0 it does not contain signature mechanisms • We have a punch of other documents as individual items – Providing security related extensions – User interface considerations – Token formats – Token by reference – Use case descriptions – Other OAuth profiles OAuth Tutorial Beijing 12/29/12 IETF #79, 23
  • 24. Work Areas User Interface User Agent Authentication Authorization Request User Resource Consumer Token Format Token Request And Content Authorization Server Authz Server Data Exchange Interaction Access Request (incl. Token) Resource Server Request Security OAuth Profiles 12/29/12 IETF #79, OAuth Tutorial Beijing 24
  • 26. 12/29/12 IETF #79, OAuth Tutorial Beijing 26
  • 27. A little bit about OAuth security… Se curity
  • 28. Work Areas User Interface User Agent Authentication Authorization Request User Resource Consumer Token Request Authorization Server Authz Server Data Exchange Interaction Access Request (incl. Token) Resource Server OAuth Profiles 12/29/12 IETF #79, OAuth Tutorial Beijing 28
  • 29. “Bearer Token” Authorization Server Request Token TLS Resource Token Resource Consumer TLS Server
  • 30. “Message Signing” Authorization Server Request Token,SK, TLS {SK}Bob Resource Resource Consumer Token, Server {Request}SK, {SK}Bob
  • 31. Conclusion • Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments. – Usage for non-Web based applications has been proposed as well. • Work is in progress and re-chartering will expand the work to include new features and use cases as well as security. • Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution. 12/29/12 IETF #79, OAuth Tutorial Beijing 31
  • 32. Backup Slides 12/29/12 IETF #79, OAuth Tutorial Beijing 32
  • 33. JavaScript Flow (User Agent Flow in Draft)
  • 34. 12/29/12 IETF #79, OAuth Tutorial Beijing 34
  • 36. 12/29/12 IETF #79, OAuth Tutorial Beijing 36
  • 38. 12/29/12 IETF #79, OAuth Tutorial Beijing 38
  • 40. 12/29/12 IETF #79, OAuth Tutorial Beijing 40
  • 41. 12/29/12 IETF #79, OAuth Tutorial Beijing 41