23. OAuth 1.0a Issues
• Client implementation pain (crypto: every request had to be HMAC-SHA1 signed over a normalized parameter string)
• Single profile had to serve both web apps and rich (native) apps
• Tight coupling between AS (authorization server) & PR (protected resource): the resource verified each request signature, so it had to hold the token secrets
- Enterprise use cases
- Scale in large deployments
24. OAuth WRAP Authors
• Allen Tom, Yahoo!
• Brian Eaton, Google
• Yaron Goland, Microsoft
• Editor: Dick Hardt
25. Name History
• Simple OAuth
• Simple Auth
• WRAP (Web Resource Authorization Protocol)
• OAuth WRAP
33. Current State of OAuth 2.0
• RFC6749 OAuth Core (The OAuth 2.0 Authorization Framework) - grant types:
- Authorization Code
- Implicit
- Password
- Client Credentials
• RFC6750 Bearer Tokens - how the token reaches the resource:
- Tokens in HTTP Header
- Tokens in POST Form Body
- Tokens in GET Query String
• RFC7636 +PKCE (Proof Key for Code Exchange), layered on the Authorization Code grant
• RFC8252 (OAuth 2.0 for Native Apps) - PKCE for mobile
• Browser App BCP (draft-ietf-oauth-browser-based-apps) - PKCE for SPAs
• Security BCP (draft-ietf-oauth-security-topics) - PKCE for confidential clients
34. OAuth 2.0/2.1 Issues
• Front-channel security - patched with PKCE
• Constrained authorization request - patched with PAR (Pushed Authorization Requests)
• Multiple endpoints (authorization, token, and the later introspection/revocation additions)
• Authenticating dynamic / public clients
• Shared secrets (client_secret) as the client authentication model
• Not designed for AuthN - OpenID Connect had to be layered on top
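The PKCE layer that slides 33 and 34 keep returning to is small enough to show end to end. The following is an added example, not code from the deck or from any OAuth implementation: it derives the S256 code_challenge exactly as RFC 7636 specifies, and models the two authorization-server steps that make PKCE work, binding the challenge to the issued code and recomputing it from the code_verifier at the token endpoint. The AuthorizationServer type, the code format and the sample scopes are constructed for the example; a real AS issues unguessable codes and binds far more state to them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a code_verifier as RFC 7636 section 4.1 recommends:
// 32 random octets, base64url-encoded without padding, which yields 43
// unreserved characters (the allowed range is 43 to 128).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 computes code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
// for the S256 method (RFC 7636 section 4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationServer is a constructed stand-in for the AS; it models only the
// state PKCE needs: which challenge each authorization code was issued for.
type AuthorizationServer struct {
	challenges map[string]string // authorization code -> code_challenge
	issued     int
}

func NewAuthorizationServer() *AuthorizationServer {
	return &AuthorizationServer{challenges: map[string]string{}}
}

// Authorize models the front-channel authorization request: the client sends
// code_challenge and code_challenge_method and gets back an authorization
// code. The "plain" method is refused because it exposes the verifier on the
// front channel, which is exactly the channel PKCE is defending.
func (as *AuthorizationServer) Authorize(codeChallenge, method string) (string, error) {
	if method != "S256" {
		return "", errors.New("invalid_request: only code_challenge_method=S256 is accepted")
	}
	if len(codeChallenge) != 43 { // base64url of a 32-byte digest
		return "", errors.New("invalid_request: malformed code_challenge")
	}
	as.issued++
	code := fmt.Sprintf("authz-code-%d", as.issued) // constructed; a real AS uses an unguessable value
	as.challenges[code] = codeChallenge
	return code, nil
}

// Token models the back-channel token request. The code is consumed whether or
// not the verifier matches, so an attacker who intercepted it on the front
// channel gets no second try, and the comparison is constant-time.
func (as *AuthorizationServer) Token(code, verifier string) (string, error) {
	challenge, ok := as.challenges[code]
	if !ok {
		return "", errors.New("invalid_grant: unknown or already-used code")
	}
	delete(as.challenges, code)
	if n := len(verifier); n < 43 || n > 128 {
		return "", errors.New("invalid_grant: code_verifier length out of range")
	}
	if subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(challenge)) != 1 {
		return "", errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return "access-token-for-" + code, nil
}

func main() {
	as := NewAuthorizationServer()
	verifier, _ := NewCodeVerifier()
	code, _ := as.Authorize(CodeChallengeS256(verifier), "S256")
	// The legitimate client still holds the verifier and redeems the code.
	tok, err := as.Token(code, verifier)
	fmt.Println("legitimate client:", tok, err)
	// An attacker who captured the code from the redirect has no verifier.
	code2, _ := as.Authorize(CodeChallengeS256(verifier), "S256")
	guess, _ := NewCodeVerifier()
	_, err = as.Token(code2, guess)
	fmt.Println("code thief:", err)
}
```

The test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is the quickest way to check any PKCE implementation; the single-use and length checks are where real deployments have gone wrong.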
53. OAuth 2.0 Issues
• Front-channel security - patched with PKCE
• Constrained authorization request - patched with PAR (Pushed Authorization Requests)
• Multiple endpoints
• Authenticating dynamic / public clients
• Shared secrets (client_secret) as the client authentication model
• Not designed for AuthN - OpenID Connect had to be layered on top
54. GNAP URIs
• Grant Server URI - GS identifier*
• Dynamic URIs
- Interaction URIs
- Grant URIs*
- Authorization URIs*
• RESTful
* XAuth Draft Proposal
56. GNAP Client AuthN
• Asymmetric crypto is the default: a client proves possession of a key instead of presenting a shared secret
- Each registered client instance can have its own key
• Dynamic Clients
- Trust On First Use (TOFU): the key that signs an instance's first request is the key bound to that instance from then on
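Slide 56's two points, per-instance asymmetric keys and TOFU for dynamic clients, fit in one short exchange. The following is an added example and is not code from the deck or from any GNAP implementation. It assumes a simplified request shape: GNAP carries the client key as a JWK inside the "client" object, or a bare instance_id reference string once the grant server has issued one, and binds the key to the HTTP request with HTTP Message Signatures or a detached JWS that also cover method, target and a nonce. Here the "client" object holds either a raw Ed25519 public key or an instance_id, and a bare Ed25519 signature over the JSON body stands in for the request binding; the field names, the inst-N identifiers and the "photos:read" access value are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientRef is the "client" member, simplified: a first-time client presents
// its public key; a known one presents the instance_id it was issued.
// (Assumption for the example: real GNAP uses a JWK or a reference string.)
type ClientRef struct {
	InstanceID string `json:"instance_id,omitempty"`
	Key        string `json:"key,omitempty"` // base64url raw Ed25519 public key
}

// GrantRequest is a trimmed-down grant request body.
type GrantRequest struct {
	Access []string  `json:"access"`
	Client ClientRef `json:"client"`
}

// SignedRequest is the serialized body plus a detached Ed25519 signature over
// it. This stands in for GNAP's HTTP-level key proof and, unlike it, does not
// cover method, target or a nonce, so it does not prevent replay.
type SignedRequest struct {
	Body      []byte
	Signature []byte
}

// NewClientKey mints a fresh key for one client instance.
func NewClientKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// PublicKeyString encodes the public half for the "client.key" field.
func PublicKeyString(priv ed25519.PrivateKey) string {
	return base64.RawURLEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
}

// SignRequest is the client side: serialize the request and sign it with the
// instance's own key; no shared secret is ever sent.
func SignRequest(priv ed25519.PrivateKey, req GrantRequest) (SignedRequest, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// GrantServer pins keys trust-on-first-use: the key that signs an instance's
// first request is the only key that may ever speak for that instance.
type GrantServer struct {
	pinned map[string]ed25519.PublicKey // instance_id -> key seen on first use
	nextID int
}

func NewGrantServer() *GrantServer {
	return &GrantServer{pinned: map[string]ed25519.PublicKey{}}
}

// Handle checks proof of possession and returns the instance_id bound to the key.
func (gs *GrantServer) Handle(sr SignedRequest) (string, error) {
	var req GrantRequest
	if err := json.Unmarshal(sr.Body, &req); err != nil {
		return "", err
	}
	var pub ed25519.PublicKey
	instanceID := req.Client.InstanceID
	switch {
	case instanceID != "" && req.Client.Key != "":
		return "", errors.New("client must be a reference or a key, not both")
	case instanceID != "":
		// Known instance: only the pinned key is consulted, so a leaked
		// instance_id is useless without the matching private key.
		p, ok := gs.pinned[instanceID]
		if !ok {
			return "", errors.New("unknown instance_id")
		}
		pub = p
	case req.Client.Key != "":
		raw, err := base64.RawURLEncoding.DecodeString(req.Client.Key)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return "", errors.New("malformed client key")
		}
		pub = ed25519.PublicKey(raw)
	default:
		return "", errors.New("no client key or instance_id")
	}
	// Verify before pinning: a key is recorded only for a party that has
	// demonstrated possession of its private half.
	if !ed25519.Verify(pub, sr.Body, sr.Signature) {
		return "", errors.New("signature does not verify under the client's key")
	}
	if instanceID == "" {
		gs.nextID++
		instanceID = fmt.Sprintf("inst-%d", gs.nextID)
		gs.pinned[instanceID] = pub // TOFU: first key wins; no rotation path here
	}
	return instanceID, nil
}

func main() {
	gs := NewGrantServer()
	priv, _ := NewClientKey()
	first, _ := SignRequest(priv, GrantRequest{Access: []string{"photos:read"}, Client: ClientRef{Key: PublicKeyString(priv)}})
	id, err := gs.Handle(first)
	fmt.Println("first use:", id, err)
	impostor, _ := NewClientKey()
	forged, _ := SignRequest(impostor, GrantRequest{Access: []string{"photos:write"}, Client: ClientRef{InstanceID: id}})
	_, err = gs.Handle(forged)
	fmt.Println("impostor holding only the instance_id:", err)
}
```

The design choice worth noticing is the order of operations in Handle: the signature is verified under whichever key the request selects before anything is pinned, and for a known instance the key in the request is ignored entirely. TOFU's residual risk is the first request itself, where the grant server has no basis to distinguish the real client from anyone else presenting a key, which is why GNAP pairs it with registration or attestation where the deployment can afford it.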