OAuth2 on Ericsson Labs
1. OAuth2 Framework
A labs.ericsson.com API
http://labs.ericsson.com/apis/oauth2-framework/
2. OAuth2 Framework
› The OAuth2 framework provides an OAuth 2.0 library and code samples
– for creating a client web application, an OAuth-protected web resource, or even a full-fledged Authorization Server.
› It is an implementation of the latest IETF web authorization draft (soon to be an RFC).
› The framework is implemented in Java on top of the Restlet.org HTTP framework.
– It can run on every platform that Restlet is available on, and it is validated on Java SE, Java EE and Android.
– Donated to Restlet.org as an open source project under a very permissive open source license for reuse.
© Ericsson AB 2010 | Page 2
3. WHY OAuth2?
› The OAuth2 framework enables security on the web, so that information can be exchanged easily and securely.
– At the same time we want you to spend less time re-creating something that does not actually add value to your service concept.
› It is also a platform with extensions that make it even easier for the developer to experiment with
– an Authorization Server API
– an OAuth discovery API
– a hosted service where interoperability can be tested, making the service more robust and secure.
4. Main Features
› Support for the following authorization flows
– Web service, user agent, autonomous, user/password
– Support for both unlimited-lifetime tokens and time-expiring tokens
– Flexible user data model, with an in-memory back end provided
– OpenID for authentication
– Access to all the source code (open source)
– Automated unit tests
– Soon available from the Restlet Maven repository
5. OAuth2 Overview
[Diagram: the Browser authenticates and authorizes at the Authorization Server; the Webclient (service provider), configured with ClientID, ClientSecret, Scope and CallbackURI, receives a Code and exchanges it for an OauthToken, which the Resource Server checks before serving the Protected Resource.]
6. Protected resource
› Example of a protected resource using the API

```java
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.routing.Router;
import org.restlet.ext.oauth.RemoteAuthorizer; // package assumed; the slide shows no imports

public class ProtectApplication extends Application {
    @Override
    public synchronized Restlet createInboundRoot() {
        Router router = new Router(getContext());
        // Points the authorizer at the Authorization Server's validate endpoint
        // (token check) and its authorize endpoint (where unauthorized requests go)
        RemoteAuthorizer auth = new RemoteAuthorizer(
                "http://localhost:8080/oauth/validate",
                "http://localhost:8080/oauth/authorize");
        auth.setNext(ProtectedResource.class);
        // Defines only one route: /me is reached only through the authorizer
        router.attach("/me", auth);
        return router;
    }
}
```
7. Web Client
› Example of an OAuth web client using the API

```java
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.routing.Router;
import org.restlet.ext.oauth.OAuthParameters; // package assumed; the slide shows no imports
import org.restlet.ext.oauth.OAuthProxy;

public class ProxyApplication extends Application {
    @Override
    public synchronized Restlet createInboundRoot() {
        Router router = new Router(getContext());
        // Client registration: client id, client secret, Authorization Server
        // base URI and requested scope (sample values from the slide; a real
        // client secret belongs in configuration, not in source)
        OAuthParameters params = new OAuthParameters(
                "1234567890",
                "secret1",
                "http://localhost:8080/oauth/",
                "foo bar");
        // The proxy drives the OAuth flow and hands the token on to MeResourceClient
        OAuthProxy local = new OAuthProxy(params, getContext());
        local.setNext(MeResourceClient.class);
        router.attach("/local", local);
        return router;
    }
}
```
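The exchange on the overview slide, with the validate check that guards the protected resource and the client id, secret and scope from the web-client slide, as an added Python model of the flow. It is not the framework's code; the class names, the 60-second code lifetime, the callback URI and the "alice" resource are constructed for illustration.

```python
import secrets
import time

# Constructed client registration, mirroring the values on the web-client slide
CLIENTS = {"1234567890": {"secret": "secret1", "callback": "http://localhost:8080/local",
                          "scope": {"foo", "bar"}}}

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (client_id, callback, scope, expiry)
        self.tokens = {}  # token -> (client_id, scope)

    def authorize(self, client_id, callback, scope):
        # Browser step: after the user authenticates and authorizes, issue a
        # short-lived, single-use code bound to the client and its callback URI.
        reg = CLIENTS.get(client_id)
        if reg is None or callback != reg["callback"] or not set(scope) <= reg["scope"]:
            raise PermissionError("unknown client, callback URI or scope")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, callback, frozenset(scope), time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, callback):
        # Back-channel step: the web client trades the code for an OAuth token.
        reg = CLIENTS.get(client_id)
        if reg is None or not secrets.compare_digest(client_secret, reg["secret"]):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable only once
        if entry is None or entry[:2] != (client_id, callback) or entry[3] < time.time():
            raise PermissionError("invalid, mismatched or expired code")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, entry[2])
        return tok

    def validate(self, token, required_scope):
        # What the protected resource asks the validate endpoint before serving.
        entry = self.tokens.get(token)
        return entry is not None and required_scope in entry[1]

def protected_me(auth, token):
    # Stands in for the RemoteAuthorizer guarding /me on the protected-resource slide.
    return (200, {"user": "alice"}) if auth.validate(token, "foo") else (401, None)

def run_flow(auth):
    # Whole exchange: authorize -> code -> token -> /me; returns the code too so a
    # caller can show that redeeming it a second time is refused.
    cid, cb = "1234567890", "http://localhost:8080/local"
    code = auth.authorize(cid, cb, {"foo", "bar"})
    token = auth.token(cid, "secret1", code, cb)
    return protected_me(auth, token), code, cb
```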