SlideShare a Scribd company logo

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and common flows

Download as PPTX, PDF
G
Good Dog Labs, Inc.

OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.

Technology
1 of 27
OAuth 2.0 Technical Overview For Common Flows info@gooddoglabs.com www.gooddoglabs.com
Internet Security - Identity & Access Management
OAuth 2.0 Is first and foremost a framework May be reviewed here : http://tools.ietf.org/html/rfc6749 Is primarily an authorization framework Which separates the role of client from the resource owner, and how resources are accessed Basically, the client obtains an access token (scope, lifespan, and access attributes) from an authorization server, after authorized from the resource owner to access protected resources on a resource server And; It is NOT Compatible with OAuth 1.0 and shares few details with OAuth 1.0; but OAuth 2.0 forms the baseline for OpenID Connect, more on this later Example use case from the IETF OAuth 2.0 Working Group; “An end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo sharing service (authorization server), which issues the printing service delegation- specific credentials (access token).”
A bit more about OAuth 2.0 Is very susceptible to attacks, reference this attack in 2013 Has quite a large attack surface due to it’s usage of URI redirects, query parameters, and loose guidance; you can see a sample vulnerability in this message Framework dropped signature and encryption in favor of bearer tokens; from version 1.0 to version 2.0, see some criticisms from Eran Hammer (previous lead author) With this said, it’s NOT ALL bad and it serves as a foundation for a new Identity Layer protocol (OpenID Connect), which allows clients to identify the end user based on authentication performed by an authorization server and share profile information in a REST based manner. OpenID Connect also augments OAuth 2.0 by providing endpoint discovery, dynamic client registration, session management, new response types, and a different way of sharing authorization response parameters. There are several IETF internet drafts today to address signatures and encryption using JSON profiles. Reference protocol underpinnings here: http://openid.net/connect/ IETF Informational RFC 6819 RFC 6819 is an informational RFC which provides additional security details and considerations for OAuth and It is highly recommended to review and understand this RFC before a mass production deployment of the framework. You may also consult with the team at Good Dog Labs, Inc. for a thorough review and assessment for your OAuth / OpenID Connect implementations.
Let’s start with roles (RRCA) Resource Owner – Someone or something which owns a resource and grants access to a resource. Think back to the photo sharing example. Owner can be an end user or company. Another example is you giving authorization to an employer to your LinkedIn profile as part of an application for employment. Resource Server – Server hosting the protected resource or API. For example, LinkedIn API’s providing profile information to clients. Client – An client component (i.e. application, desktop, device) making requests for protected resources or API interfaces. In general, a client wants to consume information but needs authorization by owner first. Authorization Server – Server issuing access token to client after successful resource owner authentication and authorization.
OAuth 2.0 High Level Protocol Flow Authorization Grant Type Agnostic
Let’s clarify some things about the flow The previous slide describes the “authorization grant agnostic” flow and is not specific to client types or authentication schemes. You will learn about the different grant types and associated flows in the coming slides. It’s preferred for the client to send an authorization request through the authorization server (known as intermediary) The client may receive an authorization grant (grant can be any of the four grant types – see next slide) or use an extension grant Client must authenticate to authorization server in order to receive an access token for the requested resource Client also must have a valid authorization grant as it’s checked by the authorization server before it sends the access token. No authorization grant, no token. This changes for implicit grants. Finally, the resource server has final say for resource access by validating the access token provided by client; and if valid, serves the resource to the client (i.e. end user, browser, device)
Access Tokens Access tokens are Credentials used to access protected resources and contain the following: Scope & Duration – Scope identifies what the client specifically wants and duration is how long the access token is valid. Scope and duration is granted by resource owner and enforced by authorization and resource servers. To retrieve or contain – Token may be used to retrieve authorization information or contain this information inherently. More Restrictive than authorization grants – Removes need for resource server to understand a variety of authentication methods. The resource server’s job is to ensure the access token is valid. Can have different formats and structures – Resource server establishes requirements for token formats. Refresh Tokens – Issued by authorization server to obtain new and fresh access tokens after access token expiration or invalidation. If supported by authorization server, it is usually issued at the same time as the access token. They are only used by authorization servers.
Now, about Client Profiles The OAuth 2.0 framework calls for three types: Web Application – Typically a confidential client running on a web/application server. Resource owner interacts with application. Client credentials and access tokens are stored on the server and used by the application. User – Agent Based Application – A public client in which client code such as java script is running within a user-agent such as a web browser running on a device used by the resource owner. Protocol credentials are easily accessible and visible to the resource owner. A security vulnerability assessment is highly recommended and security considerations MUST be taken into account. Native Application – A public native application such as an iOS or Android application running on a device used by the resource owner. The assumption unless implemented otherwise is that the client credentials are stored locally on the device and can be easily extracted If not encrypted by native application. It’s highly recommended to encrypt client metadata stored locally on device.
What about client registration? This is out of Scope for the OAuth 2.0 Framework, but the following applies: Client Type – Client types may either be confidential or public; confidential types maintain credential confidentiality by adhering to authentication requirements set by authorization server. It’s important to understand your assurance or exposure levels for credentials and apply the appropriate strength. Also refer to slide 3 and 4. Redirection URI – Redirection URI the authorization server sets in the resource owner’s user-agent in order to redirect back to the client. Other Client Properties – Client registrant may provide application name, logo, and terms and conditions. Client Identifier – Authorization server issues a unique identifier (see the Google sample in next slide) to each client that MUST not be used to authenticate the client. It’s well known and available to resource owners. Also, the size of the identifier is undefined in the RFC. This may provide some challenges when creating client identifier schemes for your implementation. OpenID Connect Dynamic Client Registration This specification defines how an OpenID Connect Relying Party (Client) can dynamically register with the End-User's OpenID Provider (Authorization Server), providing information about itself to the OpenID Provider, and
Client Authentication The OAuth 2.0 framework calls for you to decide : Confidential Clients – In this case, the authorization server and the client agree on an authentication mechanism. This has to be supported by both parties. User name and password (i.e. HTTP Basic Authentication) combination is very popular today just like any other protected resource. Public Clients – Authentication scheme’s and agreements with authorization servers are optional. Request Body (not recommended) – Optionally, a client may send authentication data in HTTP request body to authorization server. This must be supported by both the client and the authorization server. Client_id and client secret may be sent in request body to authenticate client. See Google sample meta-data in slide 14. Note: TLS and other standard security considerations must be taken into account when performing client – authorization server request/response interactions. The framework doesn’t account for unregistered clients for example. Special security testing and penetration testing MUST be performed before providing access to sensitive resource owner
Protocol Endpoints Authorization – Used to interact with resource owner and obtain an authorization grant; but not before authentication. Authentication scheme must be known to both client and authorization server. The core OAuth 2.0 framework does not specify how you would discover the authorization endpoint. OpenID Connect changes this by providing a discovery mechanism for it’s OpenID Provider. The OpenID Provider meta-data provides location of OAuth 2.0 authorization endpoint. Redirection – After resource owner interacts with authorization server, the server sends the resource owner to the client’s redirection endpoint via a user-agent redirection. The client’s endpoint is known to the server due to the pre-requisite client registration with authorization server. All public and confidential client types using the implicit grant type MUST register.
Protocol Endpoints Continued It’s good practice to register ALL clients with the authorization server before use. Multiple redirection URI’s may be registered by client The redirection URI may be dynamically provided and authorization server may support query strings. In such a case, the authorization server must compare against registered URIs. Token – Used by clients to obtain an access token. Client presents authorization grant or refresh token. For OpenID, the OpenID Provider meta-data provides location of OAuth 2.0 authorization endpoint.
Access Tokens Authorization & Token endpoints allow the client to set the scope of the access token; in turn the endpoint uses the response parameter to let the client know the scope of the access token issued. Scope – This is expressed as a space or comma delimited strings; which are defined by the authorization server. Think of the facebook example, in which scope may be limited to just your list of friends. The authorization server may choose to ignore scope requested by client. Interesting huh? Well, think about it, should the authorization server authorize the scope just because the client asked for it? Thankfully you can set policy for this on the authorization server or let the resource owner him/herself decide. If the scope differs from what client requested, then server must issue a scope response with the actual scope authorized. You must make an implementation decision to create a default scope and how you want to handle exceptions when clients make a
Google OAuth2 JSON output - Endpoints, Client Info, and Consent screen {"web":{"auth_uri":"https://accounts.google.co m/o/oauth2/auth","client_secret":"ATX1LGjJC D- acURsf","token_uri":"https://accounts.google. com/o/oauth2/token","client_email":”00000000 000@developer.gserviceaccount.com","client_ x509_cert_url":"https://www.googleapis.com/r obot/v1/metadata/x509/00000000000@develo per.gserviceaccount.com","client_id":”000000 00000.apps.googleusercontent.com","auth_pr ovider_x509_cert_url":"https://www.googleapis .com/oauth2/v1/certs"}} Google OAuth 2.0 Client Example
Now, let’s chat about authorization grant types A grant is a credential based on four possible types: Authorization Code Grant – Obtained through the intermediary between client and resource owner. Client directs resource owner to authorization server and is directed back to client with authorization code. Authorization server authenticates resource owner before directing back with grant. Client never knows about resource owner’s credentials. Primarily used for web based applications. Implicit Grant – Simplified authorization code primarily for java script clients. The client is issued an access token directly without authentication. Not Recommended if security is a major concern. Resource owner password credentials – Resource owner’s username/password can be used to obtain an access token. Recommended when there is trust between resource owner and client. Credentials are replaced by an access token by the client. Client Credentials – Can be used as authorization grant in it of itself. Common in cases where resource owner is also the client. Also may be used for a previous authorization arrangement from authorization server to client. Custom Grant – You may extend with a type of your own Authorization Grants
Authorization Code Grant Flow
Authorization Request Constructs the request URI and instructs the resource owner’s user-agent to redirect to the authorization server. The constructed URI defines: response type – required, this must be set to “code” for this grant type. The authorization server returns an authorization code for requesting an access token. client_id – required, this is the id registered with the authorization server as part of the registration process. Look at slide 15, for the Google example. redirect_uri – although optional, you may want to always include this for best practice and to not make any assumptions. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) state – highly recommended to guard against cross site request forgery Example with required parameters only: GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
Authorization Response If the resource owner authenticates successfully and authorizes access and associated scope, the authorization server sends a response to client via the resource owner’s user-agent. The URI defines the following: code – required, this is the authorization code generated by server. This is a short lived code and usually expires within 10 minutes. The client must not use the code more than once. state – highly recommended to guard against cross site request forgery and required if the request contained the state parameter. Once client receives this code, it may then proceed to make an access token request from the token endpoint. Example without state: HTTP/1.1 302 Found Location: https://client.example.com/cb code=SplxlOBeZQQYbYS6WxSbIA &state=xyz For error responses, review section 4.1.2.1 of RFC 6749.
Access Token Request After getting a valid authorization grant, client makes HTTP request to token endpoint including the following in the request body: grant_type – required, this must be set to “password”, You may also use “client_credentials” if your client was issued credentials and can be identified by authorization server. username – required, this is the resource owner’s user name. Password - required, this is the resource owner’s password. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) If client type is confidential and has been issued credentials (e.g. password or public/private key pair) or there is another authentication scheme in use, authorization server must support this scheme before proceeding and request body will look different. See parameters in Google example in slide 15. Example of access token request with the resource owner’s credentials: POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6Wx SbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2
Access Token Response If the access token request is valid and authorized, the server issues an access token and an optional refresh token. Once client receives this token, it may proceed to make requests for the protected resources. An example response below: HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } Example without state: For error responses, review section 5.2 of RFC 6749.
Implicit Grant Flow
Authorization Request Client constructs the request URI and instructs the resource owner’s user-agent to redirect to the authorization server. URI defines: response type – required, this must be set to “token” client_id – required, this is the id registered with the authorization server as part of the registration process. redirect_uri – although optional, you may want to always include this for best practice and to not make any assumptions or have the authorization server define it for you. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) state – highly recommended to guard against cross site request forgery Example with required parameters only: GET /authorize? response_type=token&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom %2Fcb HTTP/1.1 Host: server.example.com
Access Token Response If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI. An example response below: access_token – required, this is the access token issued by authorization server token_type – the type of token issued (e.g., Bearer, MAC). See RFC 6750 and OAuth-HTTP-MAC specifications. Expires_in – recommended, this is the lifetime of the token in seconds. scope – optional, only if the scope is identical to the scope provided as part of the client’s request, otherwise it is a required parameter. state – required, if it was originally in the client's request. There is no refresh token issued as this is and implicit grant type and it calls for an access token to be delivered as a response. Example: HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz&token_type=example&expires_in=3600 For error responses, review section 4.2.2.1 of RFC 6749.
Not Exactly, OAuth 2.0 alone will yield multiple implementation variations, refer to section 1.8 of RFC 6749 which states that the framework is “likely to produce a wide range of non-interoperable implementations”. The Web vs. Enterprise divide. Ever changing systems and access flows vs. stagnant enterprise systems favoring only one protocol (SAML). In addition, the lack of provider discovery and dynamic client registration make it difficult to scale. The Enterprise calls for extensibility and requires solutions for complex scenarios. Enter Connect .. Stay Tuned for the OpenID Connect overview Sounds good so far right?
Where does OpenID Connect Come In? Interoperability
For additional discussion, contact the team @ GoodDogLabs. info@gooddoglabs.com

Recommended

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 

Recommended

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
Manish Kumar Singh
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
Taylor Singletary
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
Min Li
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
Amin Saqi
 

More Related Content

What's hot

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 

What's hot (20)

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 

Similar to OAuth 2.0 - The fundamentals, the good , the bad, technical primer and common flows

Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
IOSR Journals
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
Vishal Shah
 

Similar to OAuth 2.0 - The fundamentals, the good , the bad, technical primer and common flows (20)

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 
Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
O auth 2
O auth 2O auth 2
O auth 2
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Recently uploaded (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and common flows

  • 1. OAuth 2.0 Technical Overview For Common Flows info@gooddoglabs.com www.gooddoglabs.com
  • 2. Internet Security - Identity & Access Management
  • 3. OAuth 2.0 Is first and foremost a framework May be reviewed here : http://tools.ietf.org/html/rfc6749 Is primarily an authorization framework Which separates the role of client from the resource owner, and how resources are accessed Basically, the client obtains an access token (scope, lifespan, and access attributes) from an authorization server, after authorized from the resource owner to access protected resources on a resource server And; It is NOT Compatible with OAuth 1.0 and shares few details with OAuth 1.0; but OAuth 2.0 forms the baseline for OpenID Connect, more on this later Example use case from the IETF OAuth 2.0 Working Group; “An end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo sharing service (authorization server), which issues the printing service delegation- specific credentials (access token).”
  • 4. A bit more about OAuth 2.0 Is very susceptible to attacks, reference this attack in 2013 Has quite a large attack surface due to it’s usage of URI redirects, query parameters, and loose guidance; you can see a sample vulnerability in this message Framework dropped signature and encryption in favor of bearer tokens; from version 1.0 to version 2.0, see some criticisms from Eran Hammer (previous lead author) With this said, it’s NOT ALL bad and it serves as a foundation for a new Identity Layer protocol (OpenID Connect), which allows clients to identify the end user based on authentication performed by an authorization server and share profile information in a REST based manner. OpenID Connect also augments OAuth 2.0 by providing endpoint discovery, dynamic client registration, session management, new response types, and a different way of sharing authorization response parameters. There are several IETF internet drafts today to address signatures and encryption using JSON profiles. Reference protocol underpinnings here: http://openid.net/connect/ IETF Informational RFC 6819 RFC 6819 is an informational RFC which provides additional security details and considerations for OAuth and It is highly recommended to review and understand this RFC before a mass production deployment of the framework. You may also consult with the team at Good Dog Labs, Inc. for a thorough review and assessment for your OAuth / OpenID Connect implementations.
  • 5. Let’s start with roles (RRCA) Resource Owner – Someone or something which owns a resource and grants access to a resource. Think back to the photo sharing example. Owner can be an end user or company. Another example is you giving authorization to an employer to your LinkedIn profile as part of an application for employment. Resource Server – Server hosting the protected resource or API. For example, LinkedIn API’s providing profile information to clients. Client – An client component (i.e. application, desktop, device) making requests for protected resources or API interfaces. In general, a client wants to consume information but needs authorization by owner first. Authorization Server – Server issuing access token to client after successful resource owner authentication and authorization.
  • 6. OAuth 2.0 High Level Protocol Flow Authorization Grant Type Agnostic
  • 7. Let’s clarify some things about the flow The previous slide describes the “authorization grant agnostic” flow and is not specific to client types or authentication schemes. You will learn about the different grant types and associated flows in the coming slides. It’s preferred for the client to send an authorization request through the authorization server (known as intermediary) The client may receive an authorization grant (grant can be any of the four grant types – see next slide) or use an extension grant Client must authenticate to authorization server in order to receive an access token for the requested resource Client also must have a valid authorization grant as it’s checked by the authorization server before it sends the access token. No authorization grant, no token. This changes for implicit grants. Finally, the resource server has final say for resource access by validating the access token provided by client; and if valid, serves the resource to the client (i.e. end user, browser, device)
  • 8. Access Tokens Access tokens are Credentials used to access protected resources and contain the following: Scope & Duration – Scope identifies what the client specifically wants and duration is how long the access token is valid. Scope and duration is granted by resource owner and enforced by authorization and resource servers. To retrieve or contain – Token may be used to retrieve authorization information or contain this information inherently. More Restrictive than authorization grants – Removes need for resource server to understand a variety of authentication methods. The resource server’s job is to ensure the access token is valid. Can have different formats and structures – Resource server establishes requirements for token formats. Refresh Tokens – Issued by authorization server to obtain new and fresh access tokens after access token expiration or invalidation. If supported by authorization server, it is usually issued at the same time as the access token. They are only used by authorization servers.
  • 9. Now, about Client Profiles The OAuth 2.0 framework calls for three types: Web Application – Typically a confidential client running on a web/application server. Resource owner interacts with application. Client credentials and access tokens are stored on the server and used by the application. User – Agent Based Application – A public client in which client code such as java script is running within a user-agent such as a web browser running on a device used by the resource owner. Protocol credentials are easily accessible and visible to the resource owner. A security vulnerability assessment is highly recommended and security considerations MUST be taken into account. Native Application – A public native application such as an iOS or Android application running on a device used by the resource owner. The assumption unless implemented otherwise is that the client credentials are stored locally on the device and can be easily extracted If not encrypted by native application. It’s highly recommended to encrypt client metadata stored locally on device.
  • 10. What about client registration? This is out of Scope for the OAuth 2.0 Framework, but the following applies: Client Type – Client types may either be confidential or public; confidential types maintain credential confidentiality by adhering to authentication requirements set by authorization server. It’s important to understand your assurance or exposure levels for credentials and apply the appropriate strength. Also refer to slide 3 and 4. Redirection URI – Redirection URI the authorization server sets in the resource owner’s user-agent in order to redirect back to the client. Other Client Properties – Client registrant may provide application name, logo, and terms and conditions. Client Identifier – Authorization server issues a unique identifier (see the Google sample in next slide) to each client that MUST not be used to authenticate the client. It’s well known and available to resource owners. Also, the size of the identifier is undefined in the RFC. This may provide some challenges when creating client identifier schemes for your implementation. OpenID Connect Dynamic Client Registration This specification defines how an OpenID Connect Relying Party (Client) can dynamically register with the End-User's OpenID Provider (Authorization Server), providing information about itself to the OpenID Provider, and
  • 11. Client Authentication The OAuth 2.0 framework calls for you to decide : Confidential Clients – In this case, the authorization server and the client agree on an authentication mechanism. This has to be supported by both parties. User name and password (i.e. HTTP Basic Authentication) combination is very popular today just like any other protected resource. Public Clients – Authentication scheme’s and agreements with authorization servers are optional. Request Body (not recommended) – Optionally, a client may send authentication data in HTTP request body to authorization server. This must be supported by both the client and the authorization server. Client_id and client secret may be sent in request body to authenticate client. See Google sample meta-data in slide 14. Note: TLS and other standard security considerations must be taken into account when performing client – authorization server request/response interactions. The framework doesn’t account for unregistered clients for example. Special security testing and penetration testing MUST be performed before providing access to sensitive resource owner
  • 12. Protocol Endpoints Authorization – Used to interact with resource owner and obtain an authorization grant; but not before authentication. Authentication scheme must be known to both client and authorization server. The core OAuth 2.0 framework does not specify how you would discover the authorization endpoint. OpenID Connect changes this by providing a discovery mechanism for it’s OpenID Provider. The OpenID Provider meta-data provides location of OAuth 2.0 authorization endpoint. Redirection – After resource owner interacts with authorization server, the server sends the resource owner to the client’s redirection endpoint via a user-agent redirection. The client’s endpoint is known to the server due to the pre-requisite client registration with authorization server. All public and confidential client types using the implicit grant type MUST register.
  • 13. Protocol Endpoints Continued It’s good practice to register ALL clients with the authorization server before use. Multiple redirection URI’s may be registered by client The redirection URI may be dynamically provided and authorization server may support query strings. In such a case, the authorization server must compare against registered URIs. Token – Used by clients to obtain an access token. Client presents authorization grant or refresh token. For OpenID, the OpenID Provider meta-data provides location of OAuth 2.0 authorization endpoint.
  • 14. Access Tokens Authorization & Token endpoints allow the client to set the scope of the access token; in turn the endpoint uses the response parameter to let the client know the scope of the access token issued. Scope – This is expressed as a space or comma delimited strings; which are defined by the authorization server. Think of the facebook example, in which scope may be limited to just your list of friends. The authorization server may choose to ignore scope requested by client. Interesting huh? Well, think about it, should the authorization server authorize the scope just because the client asked for it? Thankfully you can set policy for this on the authorization server or let the resource owner him/herself decide. If the scope differs from what client requested, then server must issue a scope response with the actual scope authorized. You must make an implementation decision to create a default scope and how you want to handle exceptions when clients make a
  • 15. Google OAuth2 JSON output - Endpoints, Client Info, and Consent screen {"web":{"auth_uri":"https://accounts.google.co m/o/oauth2/auth","client_secret":"ATX1LGjJC D- acURsf","token_uri":"https://accounts.google. com/o/oauth2/token","client_email":”00000000 000@developer.gserviceaccount.com","client_ x509_cert_url":"https://www.googleapis.com/r obot/v1/metadata/x509/00000000000@develo per.gserviceaccount.com","client_id":”000000 00000.apps.googleusercontent.com","auth_pr ovider_x509_cert_url":"https://www.googleapis .com/oauth2/v1/certs"}} Google OAuth 2.0 Client Example
  • 16. Now, let’s chat about authorization grant types A grant is a credential based on four possible types: Authorization Code Grant – Obtained through the intermediary between client and resource owner. Client directs resource owner to authorization server and is directed back to client with authorization code. Authorization server authenticates resource owner before directing back with grant. Client never knows about resource owner’s credentials. Primarily used for web based applications. Implicit Grant – Simplified authorization code primarily for java script clients. The client is issued an access token directly without authentication. Not Recommended if security is a major concern. Resource owner password credentials – Resource owner’s username/password can be used to obtain an access token. Recommended when there is trust between resource owner and client. Credentials are replaced by an access token by the client. Client Credentials – Can be used as authorization grant in it of itself. Common in cases where resource owner is also the client. Also may be used for a previous authorization arrangement from authorization server to client. Custom Grant – You may extend with a type of your own Authorization Grants
  • 18. Authorization Request Constructs the request URI and instructs the resource owner’s user-agent to redirect to the authorization server. The constructed URI defines: response type – required, this must be set to “code” for this grant type. The authorization server returns an authorization code for requesting an access token. client_id – required, this is the id registered with the authorization server as part of the registration process. Look at slide 15, for the Google example. redirect_uri – although optional, you may want to always include this for best practice and to not make any assumptions. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) state – highly recommended to guard against cross site request forgery Example with required parameters only: GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
  • 19. Authorization Response If the resource owner authenticates successfully and authorizes access and associated scope, the authorization server sends a response to client via the resource owner’s user-agent. The URI defines the following: code – required, this is the authorization code generated by server. This is a short lived code and usually expires within 10 minutes. The client must not use the code more than once. state – highly recommended to guard against cross site request forgery and required if the request contained the state parameter. Once client receives this code, it may then proceed to make an access token request from the token endpoint. Example without state: HTTP/1.1 302 Found Location: https://client.example.com/cb code=SplxlOBeZQQYbYS6WxSbIA &state=xyz For error responses, review section 4.1.2.1 of RFC 6749.
  • 20. Access Token Request After getting a valid authorization grant, client makes HTTP request to token endpoint including the following in the request body: grant_type – required, this must be set to “password”, You may also use “client_credentials” if your client was issued credentials and can be identified by authorization server. username – required, this is the resource owner’s user name. Password - required, this is the resource owner’s password. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) If client type is confidential and has been issued credentials (e.g. password or public/private key pair) or there is another authentication scheme in use, authorization server must support this scheme before proceeding and request body will look different. See parameters in Google example in slide 15. Example of access token request with the resource owner’s credentials: POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6Wx SbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2
  • 21. Access Token Response If the access token request is valid and authorized, the server issues an access token and an optional refresh token. Once client receives this token, it may proceed to make requests for the protected resources. An example response below: HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } Example without state: For error responses, review section 5.2 of RFC 6749.
  • 23. Authorization Request Client constructs the request URI and instructs the resource owner’s user-agent to redirect to the authorization server. URI defines: response type – required, this must be set to “token” client_id – required, this is the id registered with the authorization server as part of the registration process. redirect_uri – although optional, you may want to always include this for best practice and to not make any assumptions or have the authorization server define it for you. scope – although optional, it is a good idea to restrict scope to just the items you are requesting authorization for (i.e. user’s profile attributes on LinkedIn) state – highly recommended to guard against cross site request forgery Example with required parameters only: GET /authorize? response_type=token&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom %2Fcb HTTP/1.1 Host: server.example.com
  • 24. Access Token Response If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI. An example response below: access_token – required, this is the access token issued by authorization server token_type – the type of token issued (e.g., Bearer, MAC). See RFC 6750 and OAuth-HTTP-MAC specifications. Expires_in – recommended, this is the lifetime of the token in seconds. scope – optional, only if the scope is identical to the scope provided as part of the client’s request, otherwise it is a required parameter. state – required, if it was originally in the client's request. There is no refresh token issued as this is and implicit grant type and it calls for an access token to be delivered as a response. Example: HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz&token_type=example&expires_in=3600 For error responses, review section 4.2.2.1 of RFC 6749.
  • 25. Not Exactly, OAuth 2.0 alone will yield multiple implementation variations, refer to section 1.8 of RFC 6749 which states that the framework is “likely to produce a wide range of non-interoperable implementations”. The Web vs. Enterprise divide. Ever changing systems and access flows vs. stagnant enterprise systems favoring only one protocol (SAML). In addition, the lack of provider discovery and dynamic client registration make it difficult to scale. The Enterprise calls for extensibility and requires solutions for complex scenarios. Enter Connect .. Stay Tuned for the OpenID Connect overview Sounds good so far right?
  • 26. Where does OpenID Connect Come In? Interoperability
  • 27. For additional discussion, contact the team @ GoodDogLabs. info@gooddoglabs.com