INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
•
1 j'aime•345 vues
INTERFACE by apidays TxAuth: the future of OAuth? Dick Hardt, Creator of OAuth
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
Similaire à INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt (20)
Plus de apidays
Plus de apidays (20)
Dernier
Dernier (20)
INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt
- 1. TxAuth The Future of OAuth? Dick Hardt - Interface API Days - June 30, 2020
- 3. ? ? ? ??
- 4. @DickHardt
- 5. Dick Hardt Creator of OAuth
- 6. Dick Hardt Creator of OAuth
- 7. Identity 2.0
- 8. Foundation
- 13. SignIn.Org
- 18. OAuth History
- 20. OAuth 1.0
- 21. Session Fixation
- 22. OAuth 1.0a
- 23. OAuth 1.0A Issues • Client implementation pain (crypto) • Single profile (web app and rich app) • Tight coupling between AS & PR - Enterprise use cases - Scale in large deployments
- 24. OAuth WRAP Authors • Allen Tom,Yahoo! • Brian Eaton, Google • Yaron Goland, Microsoft • Editor: Dick Hardt
- 25. Name History • Simple OAuth • Simple Auth • WRAP (Web Resource Authorization Protocol) • OAuth WRAP
- 26. OAuth WRAP Overview Dick Hardt IETF 77, March 22, 2010 26
- 27. OAuth 2.0
- 28. Draft name Dated Status dra$-ie(-oauth-amr-values 2017-03-13 RFC 8176 dra$-ie(-oauth-asser9ons 2014-10-21 RFC 7521 dra$-ie(-oauth-device-flow 2019-03-11 RFC 8628 dra$-ie(-oauth-discovery 2018-03-04 RFC 8414 dra$-ie(-oauth-dyn-reg-management 2015-05-05 RFC 7592 dra$-ie(-oauth-dyn-reg 2015-05-28 RFC 7591 dra$-ie(-oauth-introspec9on 2015-07-04 RFC 7662 dra$-ie(-oauth-json-web-token 2014-12-10 RFC 7519 dra$-ie(-oauth-jwt-bcp 2019-10-13 RFC 8725 dra$-ie(-oauth-jwt-bearer 2014-11-12 RFC 7523 dra$-ie(-oauth-mtls 2019-08-23 RFC 8705 dra$-ie(-oauth-na9ve-apps 2017-06-09 RFC 8252 dra$-ie(-oauth-proof-of-possession 2015-12-19 RFC 7800 dra$-ie(-oauth-resource-indicators 2019-09-11 RFC 8707 dra$-ie(-oauth-revoca9on 2013-07-13 RFC 7009 dra$-ie(-oauth-saml2-bearer 2014-11-12 RFC 7522 dra$-ie(-oauth-spop 2015-07-10 RFC 7636 dra$-ie(-oauth-token-exchange 2019-07-21 RFC 8693 dra$-ie(-oauth-urn-sub-ns 2012-07-16 RFC 6755 dra$-ie(-oauth-v2-bearer 2012-08-01 RFC 6750 dra$-ie(-oauth-v2-threatmodel 2012-10-06 RFC 6819 dra$-ie(-oauth-v2 2012-08-01 RFC 6749
- 31. OAuth 2.1
- 32. Aaron Parecki
- 33. Current State of OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
- 34. OAuth 2.0/2.1 Issues • Front channel security - PKCE • Constrained request - PAR • Multiple endpoints • Authenticating dynamic / public clients • Shared secrets • Not designed for AuthN - OpenID Connect
- 35. GNAP Drafts •XYZ - Justin Richer •XAuth - Dick Hardt
- 36. AS RS User Web Server Flow (OAuth 2.0) Client
- 37. AS RS User Web Server Flow (OAuth 2.0) Client (1) Request
- 38. AS RS User Web Server Flow (OAuth 2.0) Client (2) Code (1) Request
- 39. AS RS User Web Server Flow (OAuth 2.0) Client (3) Code AT & RT (2) Code (1) Request
- 40. AS RS User Web Server Flow (OAuth 2.0) Client (3) Code Access Token (4) Access Token (2) Code (1) Request
- 41. AS RS User Web Server Flow (GNAP) Client
- 42. AS RS User Web Server Flow (GNAP) Client (1) Request Interaction
- 43. { "client": { ... }, "user": { ... }, "interaction": { ... }, "authorization": { ... }, "claims": { ... } } Grant Request
- 44. AS RS User Web Server Flow (GNAP) Client (1) Request (2) Interaction
- 45. AS RS User Web Server Flow (GNAP) Client (1) Request (3) (2) Interaction
- 46. AS RS User Web Server Flow (GNAP) Client (1) Request (4) AT & Claims (3) (2) Interaction
- 47. AS RS User Web Server Flow (GNAP) Client (1) Request (4) AT & Claims (5) Access Token (3) (2) Interaction
- 48. OAuth 2.0 Issues • Front channel security - PKCE • Constrained request - PAR • Multiple endpoints • Authenticating dynamic / public clients • Shared secrets • Not designed for AuthN - OpenID Connect
- 49. OAuth 2.0 Issues •Front channel security - PKCE •Constrained request - PAR • Multiple endpoints • Authenticating dynamic / public clients • Shared secrets • Not designed for AuthN - OpenID Connect
- 50. AS RS User Web Server Flow (GNAP) Client (1) Request Interaction
- 51. { "client": { ... }, "user": { ... }, "interaction": { ... }, "authorization": { ... }, "claims": { ... } } Grant Request
- 52. AS RS User Web Server Flow (GNAP) Client (3) (2)
- 53. OAuth 2.0 Issues • Front channel security - PKCE • Constrained request - PAR •Multiple endpoints • Authenticating dynamic / public clients • Shared secrets • Not designed for AuthN - OpenID Connect
- 54. GNAP URIs • Grant Server URI - GS identifier* • Dynamic URIs - Interaction URIs - Grant URIs* - Authorization URIs* • RESTful * XAuth Draft Proposal
- 55. OAuth 2.0 Issues • Front channel security - PKCE • Constrained request - PAR • Multiple endpoints •Authenticating dynamic / public clients •Shared secrets • Not designed for AuthN - OpenID Connect
- 56. GNAP Client AuthN • Asymmetric Crypto is default - Each registered client instance can have it's own key • Dynamic Clients - Trust On First Use (TOFU)
- 57. OAuth 2.0 Issues • Front channel security - PKCE • Constrained request - PAR • Multiple endpoints • Authenticating dynamic / public clients • Shared secrets •Not designed for AuthN - OpenID Connect
- 58. { "client": { ... }, "user": { ... }, "interaction": { ... }, "authorization": { ... }, "claims": { ... } } GNAP Request
- 59. • extension points for: - new claim schemas - new authorization schemas - new interaction modes GNAP New Features (1/2)
- 60. GNAP New Features (2/2) • authorizations • Reciprocal Grant • GS Initiated Grant • User Exists • Multiple Interactions
- 62. ? ? ? ??