SlideShare a Scribd company logo

OpenID and OAuth

Andrea Chiodoni
Andrea Chiodoni

An technical introduction to OpenID and OAuth

Technology
1 of 34
Download to read offline
An introduction to OpenID and OAuth http://andrea-chiodoni.myopenid.com/ Lugano, 16 March 2011 martedì, 15 marzo 2011
Agenda • Why OpenID and OAuth. • What is OpenID for users, engineers and developers. • What is OAuth for users, engineers and developers. • Conclusions. martedì, 15 marzo 2011
Why OpenID and OAuth • Everyone is using more and more SaaS and social WEB. • There is a vast amount of data (and functionalities) available. • WEB based APIs are there to be used. • It’s a great time to be a developer: you can take advantage of data and functionalities available “in the cloud”. martedì, 15 marzo 2011
... great but: • too many identities! • how to deal with authorization? martedì, 15 marzo 2011
<!-- Here we begin with OpenID --> <OpenID terminology="OpenID"> <![CDATA[ martedì, 15 marzo 2011
<!--.... for users...--> martedì, 15 marzo 2011
OpenID for users • Sign-in to multiple websites with one OpenID identity, from http://openid.net: • Identities are URI: http://andrea-chiodoni.myopenid.com/ • So, how can I get an OpenID? • google.com, yahoo.com, flicker.com, .... • myopenid.com, claimid.com, clavid.com, ... • http://en.wikipedia.org/wiki/List_of_OpenID_providers • Just use it! martedì, 15 marzo 2011
<!--.... for engineers...--> martedì, 15 marzo 2011
OpenID for engineers • OpenID is an identity technology (mainly a protocol). • I’ll cover (mainly) OpenID 2.0 (December 2007). • Authentication as a Service (AaaS) enabling Single Sign-on. • Free and open: •A foundation (http://openid.net/foundation/) promotes, protects and nurtures OpenID community and technologies. • Swiss OpenID community http://www.openid.ch/en/ martedì, 15 marzo 2011
OpenID for engineers “Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.” Brad Fitzpatrick (Founder of LiveJournal weblog community and father of OpenID) martedì, 15 marzo 2011
OpenID for engineers • Decentralised. No central authority must approve or register Relying Parties or OpenID Providers. An end user can freely choose which OpenID Provider to use, and can preserve their Identifier if they switch OpenID Providers. • Attribute exchange: support for shorter registrations. • No need of JavaScript (see SAML SSO Browser/POST profile). • User-Supplied, Claimed and OP-Local Identifiers. • OpenID discovery protocol: XRI, XRDS and Yadis. martedì, 15 marzo 2011
OpenID for engineers (2) Normalization, Discovery of OP endpoint (5) Authentication (7) Verification (3) Association OpenID Relying Party Provider (4) Authentication request: HTTP 302 (6) Authentication response: HTTP 302 + Assertion (1) Initiation: HTTP POST [positive, negative] openid_identifier User-agent OpenID Authentication protocol 2.0 (http://openid.net/developers/specs/) martedì, 15 marzo 2011
OpenID for real engineers (4) Authentication request: HTTP 302 (URL decoded) http://www.myopenid.com/server?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http:// andrea.chiodoni.myopenid.com/&openid.identity=http://andrea.chiodoni.myopenid.com/ &openid.return_to=http://localhost:7070/postcards/ j_spring_openid_security_check&openid.realm=http://localhost:8080/&openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/ srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://axschema.org/contact/ email&openid.ext1.type.firstName=http://axschema.org/namePerson/ first&openid.ext1.type.lastName=http://axschema.org/namePerson/last&openid.ext1.type.email2=http:// schema.openid.net/namePerson&openid.ext1.type.fullName=http://schema.openid.net/contact/ email&openid.ext1.required=email,firstName,lastName,email2,fullName martedì, 15 marzo 2011
OpenID for real engineers (6) Authentication response: HTTP 302 + Assertion (URL decoded) http://localhost:7070/postcards/j_spring_openid_security_check?openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==} &openid.ax.count.email=0&openid.ax.count.email2=1&openid.ax.count.firstName=0&openid.ax.count.f ullName=1&openid.ax.count.lastName=0&openid.ax.mode=fetch_response&openid.ax.type.email=htt p://axschema.org/contact/email&openid.ax.type.email2=http://schema.openid.net/ namePerson&openid.ax.type.firstName=http://axschema.org/namePerson/ first&openid.ax.type.fullName=http://schema.openid.net/contact/ email&openid.ax.type.lastName=http://axschema.org/namePerson/ last&openid.ax.value.email2.1=Andrea Chiodonia.Myopenid.Com&openid.ax.value.fullName. 1=andrea.chiodoni@gmail.com&openid.claimed_id=http://chiodonia.myopenid.com/ &openid.identity=http://chiodonia.myopenid.com/&openid.mode=id_res&openid.ns=http:// specs.openid.net/auth/2.0&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.op_endpoint=http:// www.myopenid.com/ server&openid.response_nonce=2011-02-22T06:40:45ZVdy1vV&openid.return_to=http://localhost: 7070/postcards/j_spring_openid_security_check&openid.sig=BpObOdfLDYjdjirp63yQeUU/kmCnvoui/ Sxp1cx6AjI=&openid.signed=assoc_handle,ax.count.email,ax.count.email2,ax.count.firstName,ax.count.f ullName,ax.count.lastName,ax.mode,ax.type.email,ax.type.email2,ax.type.firstName,ax.type.fullName,ax .type.lastName,ax.value.email2.1,ax.value.fullName. 1,claimed_id,identity,mode,ns,ns.ax,op_endpoint,response_nonce,return_to,signed See: http://en.wikipedia.org/wiki/Cryptographic_nonce martedì, 15 marzo 2011
<!--.... for developers...--> martedì, 15 marzo 2011
OpenID RP for developers Easy for spring developers using spring security: <input id="openid_identifier" name="openid_identifier" type="text"/> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-openid</artifactId> <version>${spring.security.version}</version> </dependency> <http auto-config="true" ...> You may need a mapping <openid-login/> between your existing user identity and their OpenID! </http> For the rest of the Java community: http://code.google.com/p/openid4java/ martedì, 15 marzo 2011
]]> </OpenID> <!-- Here we begin with OAuth --> <OAuth terminology="OAuth"> <![CDATA[ martedì, 15 marzo 2011
<!--.... for users...--> martedì, 15 marzo 2011
OAuth for users User <<Resource Owner>> Use-case: a user wants to send postcards using the PostCards SaaS. Addresses are taken from a second service on the cloud Browser call Contacts (see REST API). <<User-agent>> /contacts /postcards <<Authorization Server>> <<Client>> <<Resource Server>> /contacts/mycontacts <<REST/JSON API>> martedì, 15 marzo 2011
OAuth for users • Issues: • Clients are required to store Resource owner creds for Resource Servers. • Clients need to support Resource servers authentication protocols. • Clients gain full access to Resource owner protected resources. • Resource owner can't revoke access. • OAuth is a security protocol that enables users to grant third- party access to their web resources without sharing their passwords, from http://oauth.net: • Passwords are not nuts: don’t give them away! martedì, 15 marzo 2011
<!--.... for engineers...--> martedì, 15 marzo 2011
OAuth for engineers • OAuth is a security authorization protocol. • OAuth 1.0 (IETF RFC5849), around since 2006. • OAuth 2.0 (IETF draft, V2-13) will obsoletes RFC5849. • OAuth 2.0 is incompatible with OAuth 1.0. • OAuth 1.0 must used by OAuth 2.0 adoption is ramping-up (Facebook, Google since 14.3.2011). • OAuth 2.0 focus on client simplicity (less cryptographic). • I’ll cover (mainly) OAuth 2.0, 3-Legged OAuth flow. martedì, 15 marzo 2011
OAuth for engineers • While OAuth can be used with other transport protocols, it is only defined (bindings) for HTTP(s) resources. • OAuth can be used on other use-cases, see grant types: • Authorization code: the one we are going treat. • Implicit grant: suited for applications residing in a user-agent. • Resource Owner password credentials: resource owner has a trust relationship with the client. • Client credentials: when the client is requesting access to the protected resources under its control. • Additional grant types (extensions) like the OAuth-SAML bridge martedì, 15 marzo 2011
OAuth for engineers <<Authorization Endpoint>> User (2.1) Obtaining <<Resource Owner>> Authorization (2.2) Authentication (2.3) Grant access Browser <<User-agent>> <<Authorization Server>> <<Token Endpoint>> (2.5) Obtaining (2.4) <<Redirection URI>> Authorization (1) Authentication /contacts (2.6) Protected Resources (3) Accessing /postcards <<Resource Server>> <<Client>> <<API>> OAuth protocol 2.0: Authorization Code Flow (http://oauth.net/2/) martedì, 15 marzo 2011
OAuth for real engineers (2) Obtaining Authorization: Authorization Code (URL decoded) (2.1) Authorization Request: client redirects to authorization endpoint HTTP/1.1 302 Found Location: http://localhost:8080/contacts/oauth/user/authorize?client_id=postcards&redirect_uri=http:// localhost:7070/postcards/contacts&response_type=code (2.2) Authorization Response: authorization server issues an authorization code and redirects back to the redirection URI HTTP/1.1 302 Found Location: http://localhost:7070/postcards/contacts?code=lrbwoF OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
OAuth for real engineers (2.5) Access Token Request: client POST to token endpoint POST /contacts/oauth/authorize HTTP/1.1 Accept: application/json, application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&redirect_uri=http://localhost:7070/postcards/ contacts&code=lrbwoF&client_id=postcards (2.6) Access Token Response (Issuing an Access Token): HTTP response to (5.1) HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store { "access_token": "4f919d60-5751-4860-8f3a-253c5700b9c1", "expires_in": 43199, "refresh_token": "611ef1d8-d7ed-4a02-9fcb-4dd36468d00c", "token_type": "undefined" } OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
OAuth for real engineers (3) Accessing Protected Resources GET /contacts/mycontacts HTTP/1.1 Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1 Accept: application/json ... even with curl... curl -i -H Accept:application/json -H "Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1" http://localhost:8080/contacts/mycontacts ... and without a valid OAuth token! curl -i -H Accept:application/json http://localhost:8080/contacts/mycontacts HTTP/1.1 302 Found WWW-Authenticate: OAuth2 OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
<!--.... for developers...--> martedì, 15 marzo 2011
OAuth for developers Easy for spring developers using spring security and OAuth extension: On the both client and resource server: <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth</artifactId> <version>${spring.security.oauth.version}</version> </dependency> For the rest of the Java community: http://code.google.com/p/oauth/ martedì, 15 marzo 2011
OAuth for developers On the client: Modify your spring security context: <oauth:client /> <oauth:resource id="contacts" type="authorization_code" clientId="postcards" accessTokenUri="http://localhost:8080/contacts/oauth/authorize" userAuthorizationUri="http://localhost:8080/contacts/oauth/user/authorize" /> Use the OAuth REST template: org.springframework.security.oauth2.consumer.OAuth2RestTemplate martedì, 15 marzo 2011
OAuth for developers ... and the resource server: Modify your spring security context: <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices"> <beans:property name="supportRefreshToken" value="true" /> </beans:bean> <oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices"> <oauth:verification-code user-approval-page="/oauth/confirm_access" /> </oauth:provider> <oauth:client-details-service id="clientDetails"> <oauth:client clientId="postcards" authorizedGrantTypes="authorization_code" /> </oauth:client-details-service> Provide an approval page, see accessConfirmation.jsp martedì, 15 marzo 2011
]]> </OAuth> martedì, 15 marzo 2011
Conclusions • “Free” identities, make data portable! • Today OpenID is the most successful way to AaaS, maybe not free of issues (http://www.infoq.com/news/2011/01/OpenID). OpenID 3.0 should fix most of those issues. • Initiatives around DataPortability (http://en.wikipedia.org/wiki/ DataPortability): • OData, http://www.odata.org/ (Microsoft) • GData, http://code.google.com/intl/it-IT/apis/gdata/ (Google) • You may be interested in http://www.springsource.org/spring- social/ martedì, 15 marzo 2011
Thanks! http://andrea-chiodoni.myopenid.com/ martedì, 15 marzo 2011

Recommended

Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
Steve Ivy
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Interface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTInterface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & REST
Nicolas Froment
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
MifrazMurthaja
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 

Recommended

Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
Steve Ivy
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Interface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTInterface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & REST
Nicolas Froment
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
MifrazMurthaja
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth Wrangling
Kellan
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
OAuth2.0
OAuth2.0OAuth2.0
OAuth2.0
Muktadiur Rahman
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
Max Manders
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
Eugene Siow
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderShoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 Provider
ForgeRock
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
kulor
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
Bastian Hofmann
 

More Related Content

What's hot

Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth Wrangling
Kellan
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 

What's hot (20)

OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth Wrangling
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Full stack security
Full stack securityFull stack security
Full stack security
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
OAuth2.0
OAuth2.0OAuth2.0
OAuth2.0
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
An Introduction to OpenID
An Introduction to OpenIDAn Introduction to OpenID
An Introduction to OpenID
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 ProviderShoot Me a Token: OpenAM as an OAuth2 Provider
Shoot Me a Token: OpenAM as an OAuth2 Provider
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 

Viewers also liked

1.e.coli grupos patógenos
1.e.coli grupos patógenos1.e.coli grupos patógenos
1.e.coli grupos patógenos
Leon Him
 

Viewers also liked (20)

PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.
 
Single Sign on e OpenID
Single Sign on e OpenIDSingle Sign on e OpenID
Single Sign on e OpenID
 
Api security
Api security Api security
Api security
 
Oauth
OauthOauth
Oauth
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Financial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectFinancial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID Connect
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing your API Portfolio with API Management
Securing your API Portfolio with API ManagementSecuring your API Portfolio with API Management
Securing your API Portfolio with API Management
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Informatica (Redes Wi Fi)
Informatica (Redes Wi Fi)Informatica (Redes Wi Fi)
Informatica (Redes Wi Fi)
 
Blogging for Business & WordPress
Blogging for Business & WordPressBlogging for Business & WordPress
Blogging for Business & WordPress
 
Imagen de hombres y mujeres en las revistas masculinas bajo la corriente del ...
Imagen de hombres y mujeres en las revistas masculinas bajo la corriente del ...Imagen de hombres y mujeres en las revistas masculinas bajo la corriente del ...
Imagen de hombres y mujeres en las revistas masculinas bajo la corriente del ...
 
Brand manual di Stefania Bonura per esame corso Graphic Design
Brand manual di Stefania Bonura per esame corso Graphic Design Brand manual di Stefania Bonura per esame corso Graphic Design
Brand manual di Stefania Bonura per esame corso Graphic Design
 
Rebif
RebifRebif
Rebif
 
1.e.coli grupos patógenos
1.e.coli grupos patógenos1.e.coli grupos patógenos
1.e.coli grupos patógenos
 
Alice SoM Kampagnenanalyse
Alice SoM KampagnenanalyseAlice SoM Kampagnenanalyse
Alice SoM Kampagnenanalyse
 
Ed21marco08
Ed21marco08Ed21marco08
Ed21marco08
 
Metodo ii verano
Metodo ii veranoMetodo ii verano
Metodo ii verano
 

Similar to OpenID and OAuth

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
WSO2
 
Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
sureshattanayake
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
Mehdi Medjaoui
 
OpenID Tutorials
OpenID TutorialsOpenID Tutorials
OpenID Tutorials
Nao Haida
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 

Similar to OpenID and OAuth (20)

Implementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteImplementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking Site
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platform
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
 
Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Review on OpenID Authentication Framework
Review on OpenID Authentication FrameworkReview on OpenID Authentication Framework
Review on OpenID Authentication Framework
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
OpenID Tutorials
OpenID TutorialsOpenID Tutorials
OpenID Tutorials
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
 
2010 - Fédération des identités et OpenID
2010 - Fédération des identités et OpenID2010 - Fédération des identités et OpenID
2010 - Fédération des identités et OpenID
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
Openid+Opensocial
Openid+OpensocialOpenid+Opensocial
Openid+Opensocial
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

OpenID and OAuth

  • 1. An introduction to OpenID and OAuth http://andrea-chiodoni.myopenid.com/ Lugano, 16 March 2011 martedì, 15 marzo 2011
  • 2. Agenda • Why OpenID and OAuth. • What is OpenID for users, engineers and developers. • What is OAuth for users, engineers and developers. • Conclusions. martedì, 15 marzo 2011
  • 3. Why OpenID and OAuth • Everyone is using more and more SaaS and social WEB. • There is a vast amount of data (and functionalities) available. • WEB based APIs are there to be used. • It’s a great time to be a developer: you can take advantage of data and functionalities available “in the cloud”. martedì, 15 marzo 2011
  • 4. ... great but: • too many identities! • how to deal with authorization? martedì, 15 marzo 2011
  • 5. <!-- Here we begin with OpenID --> <OpenID terminology="OpenID"> <![CDATA[ martedì, 15 marzo 2011
  • 7. OpenID for users • Sign-in to multiple websites with one OpenID identity, from http://openid.net: • Identities are URI: http://andrea-chiodoni.myopenid.com/ • So, how can I get an OpenID? • google.com, yahoo.com, flicker.com, .... • myopenid.com, claimid.com, clavid.com, ... • http://en.wikipedia.org/wiki/List_of_OpenID_providers • Just use it! martedì, 15 marzo 2011
  • 9. OpenID for engineers • OpenID is an identity technology (mainly a protocol). • I’ll cover (mainly) OpenID 2.0 (December 2007). • Authentication as a Service (AaaS) enabling Single Sign-on. • Free and open: •A foundation (http://openid.net/foundation/) promotes, protects and nurtures OpenID community and technologies. • Swiss OpenID community http://www.openid.ch/en/ martedì, 15 marzo 2011
  • 10. OpenID for engineers “Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.” Brad Fitzpatrick (Founder of LiveJournal weblog community and father of OpenID) martedì, 15 marzo 2011
  • 11. OpenID for engineers • Decentralised. No central authority must approve or register Relying Parties or OpenID Providers. An end user can freely choose which OpenID Provider to use, and can preserve their Identifier if they switch OpenID Providers. • Attribute exchange: support for shorter registrations. • No need of JavaScript (see SAML SSO Browser/POST profile). • User-Supplied, Claimed and OP-Local Identifiers. • OpenID discovery protocol: XRI, XRDS and Yadis. martedì, 15 marzo 2011
  • 12. OpenID for engineers (2) Normalization, Discovery of OP endpoint (5) Authentication (7) Verification (3) Association OpenID Relying Party Provider (4) Authentication request: HTTP 302 (6) Authentication response: HTTP 302 + Assertion (1) Initiation: HTTP POST [positive, negative] openid_identifier User-agent OpenID Authentication protocol 2.0 (http://openid.net/developers/specs/) martedì, 15 marzo 2011
  • 13. OpenID for real engineers (4) Authentication request: HTTP 302 (URL decoded) http://www.myopenid.com/server?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http:// andrea.chiodoni.myopenid.com/&openid.identity=http://andrea.chiodoni.myopenid.com/ &openid.return_to=http://localhost:7070/postcards/ j_spring_openid_security_check&openid.realm=http://localhost:8080/&openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/ srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://axschema.org/contact/ email&openid.ext1.type.firstName=http://axschema.org/namePerson/ first&openid.ext1.type.lastName=http://axschema.org/namePerson/last&openid.ext1.type.email2=http:// schema.openid.net/namePerson&openid.ext1.type.fullName=http://schema.openid.net/contact/ email&openid.ext1.required=email,firstName,lastName,email2,fullName martedì, 15 marzo 2011
  • 14. OpenID for real engineers (6) Authentication response: HTTP 302 + Assertion (URL decoded) http://localhost:7070/postcards/j_spring_openid_security_check?openid.assoc_handle={HMAC- SHA256}{4d63572b}{A2ZnQQ==} &openid.ax.count.email=0&openid.ax.count.email2=1&openid.ax.count.firstName=0&openid.ax.count.f ullName=1&openid.ax.count.lastName=0&openid.ax.mode=fetch_response&openid.ax.type.email=htt p://axschema.org/contact/email&openid.ax.type.email2=http://schema.openid.net/ namePerson&openid.ax.type.firstName=http://axschema.org/namePerson/ first&openid.ax.type.fullName=http://schema.openid.net/contact/ email&openid.ax.type.lastName=http://axschema.org/namePerson/ last&openid.ax.value.email2.1=Andrea Chiodonia.Myopenid.Com&openid.ax.value.fullName. 1=andrea.chiodoni@gmail.com&openid.claimed_id=http://chiodonia.myopenid.com/ &openid.identity=http://chiodonia.myopenid.com/&openid.mode=id_res&openid.ns=http:// specs.openid.net/auth/2.0&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.op_endpoint=http:// www.myopenid.com/ server&openid.response_nonce=2011-02-22T06:40:45ZVdy1vV&openid.return_to=http://localhost: 7070/postcards/j_spring_openid_security_check&openid.sig=BpObOdfLDYjdjirp63yQeUU/kmCnvoui/ Sxp1cx6AjI=&openid.signed=assoc_handle,ax.count.email,ax.count.email2,ax.count.firstName,ax.count.f ullName,ax.count.lastName,ax.mode,ax.type.email,ax.type.email2,ax.type.firstName,ax.type.fullName,ax .type.lastName,ax.value.email2.1,ax.value.fullName. 1,claimed_id,identity,mode,ns,ns.ax,op_endpoint,response_nonce,return_to,signed See: http://en.wikipedia.org/wiki/Cryptographic_nonce martedì, 15 marzo 2011
  • 16. OpenID RP for developers Easy for spring developers using spring security: <input id="openid_identifier" name="openid_identifier" type="text"/> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-openid</artifactId> <version>${spring.security.version}</version> </dependency> <http auto-config="true" ...> You may need a mapping <openid-login/> between your existing user identity and their OpenID! </http> For the rest of the Java community: http://code.google.com/p/openid4java/ martedì, 15 marzo 2011
  • 17. ]]> </OpenID> <!-- Here we begin with OAuth --> <OAuth terminology="OAuth"> <![CDATA[ martedì, 15 marzo 2011
  • 19. OAuth for users User <<Resource Owner>> Use-case: a user wants to send postcards using the PostCards SaaS. Addresses are taken from a second service on the cloud Browser call Contacts (see REST API). <<User-agent>> /contacts /postcards <<Authorization Server>> <<Client>> <<Resource Server>> /contacts/mycontacts <<REST/JSON API>> martedì, 15 marzo 2011
  • 20. OAuth for users • Issues: • Clients are required to store Resource owner creds for Resource Servers. • Clients need to support Resource servers authentication protocols. • Clients gain full access to Resource owner protected resources. • Resource owner can't revoke access. • OAuth is a security protocol that enables users to grant third- party access to their web resources without sharing their passwords, from http://oauth.net: • Passwords are not nuts: don’t give them away! martedì, 15 marzo 2011
  • 22. OAuth for engineers • OAuth is a security authorization protocol. • OAuth 1.0 (IETF RFC5849), around since 2006. • OAuth 2.0 (IETF draft, V2-13) will obsoletes RFC5849. • OAuth 2.0 is incompatible with OAuth 1.0. • OAuth 1.0 must used by OAuth 2.0 adoption is ramping-up (Facebook, Google since 14.3.2011). • OAuth 2.0 focus on client simplicity (less cryptographic). • I’ll cover (mainly) OAuth 2.0, 3-Legged OAuth flow. martedì, 15 marzo 2011
  • 23. OAuth for engineers • While OAuth can be used with other transport protocols, it is only defined (bindings) for HTTP(s) resources. • OAuth can be used on other use-cases, see grant types: • Authorization code: the one we are going treat. • Implicit grant: suited for applications residing in a user-agent. • Resource Owner password credentials: resource owner has a trust relationship with the client. • Client credentials: when the client is requesting access to the protected resources under its control. • Additional grant types (extensions) like the OAuth-SAML bridge martedì, 15 marzo 2011
  • 24. OAuth for engineers <<Authorization Endpoint>> User (2.1) Obtaining <<Resource Owner>> Authorization (2.2) Authentication (2.3) Grant access Browser <<User-agent>> <<Authorization Server>> <<Token Endpoint>> (2.5) Obtaining (2.4) <<Redirection URI>> Authorization (1) Authentication /contacts (2.6) Protected Resources (3) Accessing /postcards <<Resource Server>> <<Client>> <<API>> OAuth protocol 2.0: Authorization Code Flow (http://oauth.net/2/) martedì, 15 marzo 2011
  • 25. OAuth for real engineers (2) Obtaining Authorization: Authorization Code (URL decoded) (2.1) Authorization Request: client redirects to authorization endpoint HTTP/1.1 302 Found Location: http://localhost:8080/contacts/oauth/user/authorize?client_id=postcards&redirect_uri=http:// localhost:7070/postcards/contacts&response_type=code (2.2) Authorization Response: authorization server issues an authorization code and redirects back to the redirection URI HTTP/1.1 302 Found Location: http://localhost:7070/postcards/contacts?code=lrbwoF OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
  • 26. OAuth for real engineers (2.5) Access Token Request: client POST to token endpoint POST /contacts/oauth/authorize HTTP/1.1 Accept: application/json, application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&redirect_uri=http://localhost:7070/postcards/ contacts&code=lrbwoF&client_id=postcards (2.6) Access Token Response (Issuing an Access Token): HTTP response to (5.1) HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store { "access_token": "4f919d60-5751-4860-8f3a-253c5700b9c1", "expires_in": 43199, "refresh_token": "611ef1d8-d7ed-4a02-9fcb-4dd36468d00c", "token_type": "undefined" } OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
  • 27. OAuth for real engineers (3) Accessing Protected Resources GET /contacts/mycontacts HTTP/1.1 Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1 Accept: application/json ... even with curl... curl -i -H Accept:application/json -H "Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1" http://localhost:8080/contacts/mycontacts ... and without a valid OAuth token! curl -i -H Accept:application/json http://localhost:8080/contacts/mycontacts HTTP/1.1 302 Found WWW-Authenticate: OAuth2 OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849) martedì, 15 marzo 2011
  • 29. OAuth for developers Easy for spring developers using spring security and OAuth extension: On the both client and resource server: <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth</artifactId> <version>${spring.security.oauth.version}</version> </dependency> For the rest of the Java community: http://code.google.com/p/oauth/ martedì, 15 marzo 2011
  • 30. OAuth for developers On the client: Modify your spring security context: <oauth:client /> <oauth:resource id="contacts" type="authorization_code" clientId="postcards" accessTokenUri="http://localhost:8080/contacts/oauth/authorize" userAuthorizationUri="http://localhost:8080/contacts/oauth/user/authorize" /> Use the OAuth REST template: org.springframework.security.oauth2.consumer.OAuth2RestTemplate martedì, 15 marzo 2011
  • 31. OAuth for developers ... and the resource server: Modify your spring security context: <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices"> <beans:property name="supportRefreshToken" value="true" /> </beans:bean> <oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices"> <oauth:verification-code user-approval-page="/oauth/confirm_access" /> </oauth:provider> <oauth:client-details-service id="clientDetails"> <oauth:client clientId="postcards" authorizedGrantTypes="authorization_code" /> </oauth:client-details-service> Provide an approval page, see accessConfirmation.jsp martedì, 15 marzo 2011
  • 32. ]]> </OAuth> martedì, 15 marzo 2011
  • 33. Conclusions • “Free” identities, make data portable! • Today OpenID is the most successful way to AaaS, maybe not free of issues (http://www.infoq.com/news/2011/01/OpenID). OpenID 3.0 should fix most of those issues. • Initiatives around DataPortability (http://en.wikipedia.org/wiki/ DataPortability): • OData, http://www.odata.org/ (Microsoft) • GData, http://code.google.com/intl/it-IT/apis/gdata/ (Google) • You may be interested in http://www.springsource.org/spring- social/ martedì, 15 marzo 2011
  • 34. Thanks! http://andrea-chiodoni.myopenid.com/ martedì, 15 marzo 2011