Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
Acknowledgements
• I would like to thank Pasi Eronen. We are re-using some of his slides in this presentation.

12/29/12         IETF #79, OAuth Tutorial Beijing   2
The Problem: Secure Data Sharing
Example OAuth Exchange
Entities
• User, acting through a User Agent (Web Browser)
• Resource Consumer (LinkedIn)
• Authorization Server (Yahoo)
• Resource Server (Yahoo)
Messages exchanged (from the slide's diagram):
• Authorization Request: Resource Consumer ↔ User Agent
• Token request: Resource Consumer ↔ Authorization Server
• Access Request (incl. Token): Resource Consumer ↔ Resource Server
User navigates to Resource Client
User authenticated by Authorization Server
User authorizes Resource Consumer to access Resource Server
Resource Client calls the Resource Server API
Remark: Authentication
• Yahoo in our example may outsource the authentication part to
  other providers (e.g. using OpenID).
• Authorization Server and Resource Server do not need to be
  operated by the same entity.
Remark: Authorization
• Asking the user for consent prior to sharing
  information is considered privacy-friendly.
• User interfaces for obtaining user consent may
  not always be great.
Remark: Authorization, cont.
Remark: Prior-Registration
• Many Resource Servers require registration of
  Resource Clients prior to usage.
• Example: http://developer.cliqset.com/api
Remark, cont.
History
• November 2006: Blaine Cook was looking into the possibility of
  using OpenID to accomplish the functionality for delegated
  authentication. He got in touch with some other folks that had
  a similar need.
• December 2006: Blaine wrote a "reference implementation" for
  Twitter based on all the existing OAuth-patterned APIs, which
  Blaine and Kellan Elliott-McCrea turned into a rough functional
  draft
• April 2007: Google group was created with a small group of
  implementers to write a proposal for an open protocol.
• July 2007: OAuth 1.0 (with code for major programming
  languages)
• September 2007: Re-write of specification to focus on a single
  flow (instead of "web", "mobile", and "desktop" flows)
• Deployment of OAuth well on its way:
  http://wiki.oauth.net/ServiceProviders
History, cont.
• 1st OAuth BOF (Minneapolis, November 2008, IETF#73)
     – BOF Chairs: Sam Hartman, Mark Nottingham
     – BOF went OK but a couple of charter questions couldn’t be resolved.
• 2nd OAuth BOF (San Francisco, March 2009, IETF#74)
     – BOF Chairs: Hannes Tschofenig, Blaine Cook
     – Charter discussed on the mailing list and also during the meeting. Finalized
        shortly after the meeting
• IETF-wide review of the OAuth charter text (28th April 2009)
     – Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
• OAuth working group was created (May 2009)
     – Chairs: Blaine Cook, Peter Saint Andre
• Feb 2010: 'The OAuth 1.0 Protocol' approved as Informational RFC:
     – http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
History, cont.
•   March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig
    became Blaine’s co-chair.
•   March 2010: IETF OAuth meeting in Anaheim
•   April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published co-authored by Eran,
    Dick, David.
•   May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
•   July 2010: Maastricht IETF meeting
•   November 2010: Document split into “abstract” specification and separate bearer
    token and message signing specification.
•   November 2010: Beijing IETF meeting – no official OAuth working group meeting.
    Discussions about security for OAuth

Scope of the OAuth WG
• Currently only one working group item:
    – http://tools.ietf.org/html/draft-ietf-oauth-v2
    – Unlike OAuth v1.0 it does not contain signature
      mechanisms
• We have a bunch of other documents as individual
  items:
    –    Providing security related extensions
    –    User interface considerations
    –    Token formats
    –    Token by reference
    –    Use case descriptions
    –    Other OAuth profiles
Work Areas
Overlaid on the entity diagram (User Agent, Resource Consumer, Authorization Server, Resource Server):
• User Interface
• Authentication
• Token Format and Content
• Authz Server Interaction
• Data Exchange
• Request Security
• OAuth Profiles
Web Server Flow
A little bit about OAuth security…
Security
“Bearer Token”
• Resource Consumer → Authorization Server: Request (over TLS); the Authorization Server returns a Token
• Resource Consumer → Resource Server: Token (over TLS)

“Message Signing”
• Resource Consumer → Authorization Server: Request (over TLS); the Authorization Server returns Token, SK, {SK}Bob
• Resource Consumer → Resource Server: Token, {Request}SK, {SK}Bob
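To make the difference between the two diagrams concrete, here is an added example in Python; it is not code from the slides, from the IETF OAuth drafts or from any OAuth library. It models a toy authorization server, resource consumer and resource server. Assumptions: the resource server looks up SK by token in state shared with the authorization server, which stands in for the {SK}Bob blob the diagram hands to the resource server; {Request}SK is realised as HMAC-SHA256 over a canonical string that includes a nonce and a timestamp (an OAuth 1.0-style design, not the draft's exact format); all names (`AuthorizationServer`, `ResourceServer`, `sign_request`, `demo`) are made up for this example. The checks show why the bearer legs carry TLS: a resource server can only test possession of the token string, whereas a signed request also binds the request contents to the session key and lets the server reject replays.

```python
import hashlib
import hmac
import secrets
import time


# Toy authorization server (constructed for this example): issues tokens for both styles.
class AuthorizationServer:
    def __init__(self):
        self.bearer_tokens = set()   # valid bearer tokens
        self.signing_keys = {}       # token -> SK (per-token session key)

    def issue_bearer_token(self):
        token = secrets.token_urlsafe(24)
        self.bearer_tokens.add(token)
        return token

    def issue_signed_token(self):
        token = secrets.token_urlsafe(24)
        sk = secrets.token_bytes(32)
        # Assumption: shared lookup state stands in for {SK}Bob in the diagram.
        self.signing_keys[token] = sk
        return token, sk


def canonical_request(method, path, body, nonce, ts):
    # The MAC covers every field the resource server acts on plus the anti-replay values.
    return f"{method}\n{path}\n{body}\n{nonce}\n{ts}".encode()


def sign_request(sk, method, path, body, ts=None):
    # Resource Consumer side: {Request}SK from the diagram, realised as an HMAC-SHA256 tag.
    nonce = secrets.token_hex(8)
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(sk, canonical_request(method, path, body, nonce, ts), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body, "nonce": nonce, "ts": ts, "mac": mac}


class ResourceServer:
    def __init__(self, authz, max_skew=300):
        self.authz = authz
        self.max_skew = max_skew     # accepted clock skew in seconds
        self.seen_nonces = set()     # (token, nonce) pairs already accepted

    def check_bearer(self, token):
        # Possession of the string is the whole check; the TLS channel is all that protects it in transit.
        return token in self.authz.bearer_tokens

    def check_signed(self, token, req, now=None):
        sk = self.authz.signing_keys.get(token)
        if sk is None:
            return False
        now = time.time() if now is None else now
        if abs(now - req["ts"]) > self.max_skew:         # stale request
            return False
        if (token, req["nonce"]) in self.seen_nonces:    # replay of an already accepted request
            return False
        expected = hmac.new(
            sk,
            canonical_request(req["method"], req["path"], req["body"], req["nonce"], req["ts"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):  # wrong key or altered request
            return False
        self.seen_nonces.add((token, req["nonce"]))
        return True


def demo():
    # Walks both diagrams with constructed values and returns the resource server's decisions.
    authz = AuthorizationServer()
    rs = ResourceServer(authz)
    out = {}

    bearer = authz.issue_bearer_token()
    out["bearer_ok"] = rs.check_bearer(bearer)
    # A second presentation of the same string is indistinguishable from the first.
    out["bearer_second_presentation"] = rs.check_bearer(bearer)

    token, sk = authz.issue_signed_token()
    req = sign_request(sk, "GET", "/contacts", "")
    out["signed_ok"] = rs.check_signed(token, req)
    out["signed_replay"] = rs.check_signed(token, req)                  # same nonce again
    altered = dict(sign_request(sk, "GET", "/contacts", ""), path="/admin")
    out["signed_altered"] = rs.check_signed(token, altered)              # MAC no longer matches
    no_key = sign_request(b"not-the-session-key", "GET", "/contacts", "")
    out["signed_without_sk"] = rs.check_signed(token, no_key)            # token string alone is not enough
    stale = sign_request(sk, "GET", "/contacts", "", ts=int(time.time()) - 3600)
    out["signed_stale"] = rs.check_signed(token, stale)                  # outside the skew window
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

Running the block prints one line per case; the bearer cases are both accepted, all signed variants except the genuine request are rejected. The nonce set grows without bound here; a real resource server would expire entries older than `max_skew`, since anything outside the window is rejected by the timestamp check anyway.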
Conclusion
• Open Web Authentication (OAuth) is developed in
  the IETF to provide delegated authentication for
  Web-based environments.
     – Usage for non-Web based applications has been proposed
       as well.
• Work is in progress and re-chartering will expand the
  work to include new features and use cases as well
  as security.
• Join the OAuth mailing list at
  http://datatracker.ietf.org/wg/oauth/charter/ to
  make your contribution.
Backup Slides
JavaScript Flow (User Agent Flow in Draft)
Native Application Flow
Autonomous Flow
Device Flow

Contenu connexe

Similaire à Oauth tutorial

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter AuthenticationVishal Shah
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsDucAnhLe56
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaNov Matake
 
Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Microsoft TechNet - Belgium and Luxembourg
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Yury Roa
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English TranslationNat Sakimura
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 

Similaire à Oauth tutorial (20)

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
Oauth
OauthOauth
Oauth
 
OAuth
OAuthOAuth
OAuth
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfs
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
 
Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2Take the spaghetti out of windows azure – an insight for it pro techies part 2
Take the spaghetti out of windows azure – an insight for it pro techies part 2
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 

Plus de 乐费 胡

神仙道移动Ui演变
神仙道移动Ui演变神仙道移动Ui演变
神仙道移动Ui演变乐费 胡
 
10 multi-platform game development using cocos2d-x
10   multi-platform game development using cocos2d-x10   multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x乐费 胡
 
09 creating windows phone game with cocos2d-xna
09   creating windows phone game with cocos2d-xna09   creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna乐费 胡
 
08 gaming framework design based on cocos2d-x
08   gaming framework design based on cocos2d-x08   gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x乐费 胡
 
07 funny sango td and cocos2d-x
07   funny sango td and cocos2d-x07   funny sango td and cocos2d-x
07 funny sango td and cocos2d-x乐费 胡
 
06 html5 and cocos2d-x
06   html5 and cocos2d-x06   html5 and cocos2d-x
06 html5 and cocos2d-x乐费 胡
 
05 optimization of cocos2d-x games on x86 architecture
05   optimization of cocos2d-x games on x86 architecture05   optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture乐费 胡
 
04 growing up with the open source community
04   growing up with the open source community04   growing up with the open source community
04 growing up with the open source community乐费 胡
 
03 crazy castle meets cocos2d-x
03   crazy castle meets cocos2d-x03   crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x乐费 胡
 
02 evolution innovation and participation
02   evolution innovation and participation02   evolution innovation and participation
02 evolution innovation and participation乐费 胡
 
01 cocos2d past, present and future
01   cocos2d past, present and future01   cocos2d past, present and future
01 cocos2d past, present and future乐费 胡
 
11 share experience on porting 3 kingdoms td legned of shu
11   share experience on porting 3 kingdoms td legned of shu11   share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu乐费 胡
 
Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3乐费 胡
 
[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)乐费 胡
 

Plus de 乐费 胡 (14)

神仙道移动Ui演变
神仙道移动Ui演变神仙道移动Ui演变
神仙道移动Ui演变
 
10 multi-platform game development using cocos2d-x
10   multi-platform game development using cocos2d-x10   multi-platform game development using cocos2d-x
10 multi-platform game development using cocos2d-x
 
09 creating windows phone game with cocos2d-xna
09   creating windows phone game with cocos2d-xna09   creating windows phone game with cocos2d-xna
09 creating windows phone game with cocos2d-xna
 
08 gaming framework design based on cocos2d-x
08   gaming framework design based on cocos2d-x08   gaming framework design based on cocos2d-x
08 gaming framework design based on cocos2d-x
 
07 funny sango td and cocos2d-x
07   funny sango td and cocos2d-x07   funny sango td and cocos2d-x
07 funny sango td and cocos2d-x
 
06 html5 and cocos2d-x
06   html5 and cocos2d-x06   html5 and cocos2d-x
06 html5 and cocos2d-x
 
05 optimization of cocos2d-x games on x86 architecture
05   optimization of cocos2d-x games on x86 architecture05   optimization of cocos2d-x games on x86 architecture
05 optimization of cocos2d-x games on x86 architecture
 
04 growing up with the open source community
04   growing up with the open source community04   growing up with the open source community
04 growing up with the open source community
 
03 crazy castle meets cocos2d-x
03   crazy castle meets cocos2d-x03   crazy castle meets cocos2d-x
03 crazy castle meets cocos2d-x
 
02 evolution innovation and participation
02   evolution innovation and participation02   evolution innovation and participation
02 evolution innovation and participation
 
01 cocos2d past, present and future
01   cocos2d past, present and future01   cocos2d past, present and future
01 cocos2d past, present and future
 
11 share experience on porting 3 kingdoms td legned of shu
11   share experience on porting 3 kingdoms td legned of shu11   share experience on porting 3 kingdoms td legned of shu
11 share experience on porting 3 kingdoms td legned of shu
 
Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3Web并发模型粗浅探讨v3
Web并发模型粗浅探讨v3
 
[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)[.产品设计与用户体验(马化腾)
[.产品设计与用户体验(马化腾)
 

Dernier

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Oauth tutorial

  • 1. Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
  • 2. Acknowledgements
    – I would like to thank Pasi Eronen. We are re-using some of his slides in this presentation. 12/29/12 IETF #79, OAuth Tutorial Beijing 2
  • 3. The Problem: Secure Data Sharing
  • 5. Example OAuth Exchange
  • 6. Entities (diagram): the User acts through a User Agent (Web Browser); the Resource Consumer (LinkedIn) sends an Authorization Request via the User Agent and a Token Request to the Authorization Server (Yahoo), then an Access Request (incl. Token) to the Resource Server (Yahoo).
  • 7. User navigates to Resource Client
  • 8. User authenticated by Authorization Server
  • 9. User authorizes Resource Consumer to access Resource Server
  • 10. Resource Client calls the Resource Server API
  • 11. Remark: Authentication
    – Yahoo in our example may outsource the authentication part to other providers (e.g. using OpenID).
    – Authorization Server and Resource Server do not need to be operated by the same entity.
  • 12. Remark: Authorization
    – Asking the user for consent prior to sharing information is considered privacy-friendly.
    – User interfaces for obtaining user consent may not always be great.
  • 13. Remark: Authorization, cont.
  • 15. Remark: Authorization, cont.
  • 16. Remark: Prior-Registration
    – Many Resource Servers require registration of Resource Clients prior to usage.
    – Example: http://developer.cliqset.com/api
  • 17. Remark, cont.
  • 18. History
  • 19. History
    – November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need.
    – December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft.
    – April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.
    – July 2007: OAuth 1.0 (with code for major programming languages)
    – September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows)
    – Deployment of OAuth well on its way: http://wiki.oauth.net/ServiceProviders
  • 20. History, cont.
    – 1st OAuth BOF (Minneapolis, November 2008, IETF#73). BOF Chairs: Sam Hartman, Mark Nottingham. BOF went OK but a couple of charter questions couldn't be resolved.
    – 2nd OAuth BOF (San Francisco, March 2009, IETF#74). BOF Chairs: Hannes Tschofenig, Blaine Cook. Charter discussed on the mailing list and also during the meeting; finalized shortly after the meeting.
    – IETF-wide review of the OAuth charter text (28th April 2009). Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
    – OAuth working group was created (May 2009). Chairs: Blaine Cook, Peter Saint Andre
    – Feb 2010: 'The OAuth 1.0 Protocol' approved as Informational RFC: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
  • 21. History, cont.
    – March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine's co-chair.
    – March 2010: IETF OAuth meeting in Anaheim
    – April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published, co-authored by Eran, Dick, David.
    – May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
    – July 2010: Maastricht IETF meeting
    – November 2010: Document split into "abstract" specification and separate bearer token and message signing specifications.
    – November 2010: Beijing IETF meeting; no official OAuth working group meeting. Discussions about security for OAuth.
  • 22. Entities (diagram): User Agent and User; Resource Consumer sends an Authorization Request via the User Agent, a Token Request to the Authorization Server, and an Access Request (incl. Token) to the Resource Server.
  • 23. Scope of the OAuth WG
    – Currently only one working group item: http://tools.ietf.org/html/draft-ietf-oauth-v2. Unlike OAuth v1.0 it does not contain signature mechanisms.
    – We have a bunch of other documents as individual items: providing security-related extensions, user interface considerations, token formats, token by reference, use case descriptions, other OAuth profiles.
  • 24. Work Areas (diagram over the entity figure): User Interface; Authentication; Token Format and Content; Authz Server Data Exchange Interaction; Request Security; OAuth Profiles
  • 27. A little bit about OAuth security…
  • 28. Work Areas (diagram over the entity figure): User Interface; Authentication; Authz Server Data Exchange Interaction; OAuth Profiles
  • 29. "Bearer Token" (diagram): the Resource Consumer requests a Token from the Authorization Server over TLS, then presents the Token to the Resource Server over TLS.
  • 30. "Message Signing" (diagram): the Authorization Server returns Token, SK and {SK}Bob over TLS; the Resource Consumer sends Token, {Request}SK and {SK}Bob to the Resource Server.
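The following is an added example, not code from the slides or the OAuth WG: a small simulation of the exchange on slides 6-10 (consent-gated token issuance) and of the two token-presentation styles on slides 29-30. The resource server's introspection call, the "sk" shared key and the scope strings are constructed for illustration; a real deployment would carry the bearer token and the signed request over TLS.

```python
import hashlib
import hmac
import secrets


class AuthorizationServer:
    """Issues tokens once the user is authenticated and has consented (slides 8-9)."""

    def __init__(self):
        self.tokens = {}  # token -> (user, consumer, scope, shared_key)

    def authorize(self, user, consumer, scope, consented):
        # Slide 9: no consent, no token. Returning None models the
        # authorization server refusing the request.
        if not consented:
            return None
        token = secrets.token_urlsafe(16)   # opaque bearer token
        sk = secrets.token_bytes(32)         # shared key used for slide 30 signing
        self.tokens[token] = (user, consumer, scope, sk)
        return token, sk

    def introspect(self, token):
        # Constructed helper: lets the resource server look up a token.
        return self.tokens.get(token)


class ResourceServer:
    def __init__(self, authz):
        self.authz = authz

    def access_bearer(self, token, scope):
        # Slide 29: possession of the token is the only proof, which is why
        # the token must never leave the TLS channel.
        rec = self.authz.introspect(token)
        return rec is not None and rec[2] == scope

    def access_signed(self, token, request, mac):
        # Slide 30: the consumer proves it holds SK by signing the request,
        # so a captured request cannot be replayed with a different body.
        rec = self.authz.introspect(token)
        if rec is None:
            return False
        expected = hmac.new(rec[3], request, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def sign_request(sk, request):
    """Resource Consumer side of slide 30: {Request}SK as an HMAC-SHA256 tag."""
    return hmac.new(sk, request, hashlib.sha256).digest()
```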
  • 31. Conclusion
    – Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments. Usage for non-Web based applications has been proposed as well.
    – Work is in progress and re-chartering will expand the work to include new features and use cases as well as security.
    – Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution.
  • 32. Backup Slides
  • 33. JavaScript Flow (User Agent Flow in Draft)