Summary of OAuth 2.0 memo
(based on the draft 8 spec)

2010/06/20
=ritou
Warning!

- This document is a summary of the OAuth 2.0 spec at draft 8.
Overview

- Client Type and Profile
- Endpoint
- Resource Access
Client Type and Profile

- 4 client types
  - Web Servers
  - User-Agents
  - Native Applications
  - Autonomous Clients
Web Server Profile

[Diagram: characters are User-Agent, Web Client, AuthZ Server, Protected Resource]

- Client Credential
  - Client ID
  - Client Secret
- Facebook
- Diff with OAuth 1.0a
  - No Request Token
User-Agent Profile

[Diagram: characters are User-Agent, Client in Browser, AuthZ Server, Protected Resource]

- Client on User-Agent
  - Twitter: @anywhere
  - Facebook: JavaScript-Based Authentication
- Client Credential
  - Client ID
- Access Token as URI Fragment Identifier
Native Applications

- External User-Agent: UA Profile
  - Use custom URI scheme
  - Polling UA window
- Embedded User-Agent
  - Check URL Redirection
- Prompt for user credential
  - ID/PW to Access Token
    - (Username and Password Flow)
Autonomous Clients

- Clients = Resource Owner
  - (Client Credential Profile)
- Existing Trust Relationship / Framework
  - (Assertion Profile)
Client credential

- Client credential
  - client identifier
  - client secret (optional)
- AuthN schemes
  - Request parameters
  - HTTP Basic authN
Endpoint

- End-user authZ endpoint: Indirect Communication
  - Obtaining End-User Authorization
- Token Endpoint: Direct Communication
  - Authorization Code to Access Token
  - Resource Owner Credentials to Access Token
  - Assertion to Access Token
  - Refresh Token
End-user authZ endpoint

- Request format
  - HTTP GET
- Request params
  - type, client_id, redirect_uri, state, scope
  - Proposal to use request_url parameter
    - Request by Reference ver.1.0 for OAuth 2.0
End-user authZ endpoint

- Response format
  - type = web_server: query parameters
  - type = user_agent: URI fragment identifier
- Response params
  - type = web_server: code, state
  - type = user_agent: access_token, expires_in, state
Token endpoint

- Request format
  - HTTP POST
- Request params
  - Client credential + specific params
  - grant_type, scope
    - code, redirect_uri
    - username, password
    - assertion_type, assertion
  - refresh_token
Token endpoint

- Response format
  - JSON
- Response params
  - access_token, expires_in, refresh_token, scope
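The web_server leg of the flow on slides 13 to 16, as an added Python example that is not part of the deck or of any OAuth library. Endpoint URLs, client identifiers, codes and token values are constructed; grant_type=authorization_code and client_secret are the draft 8 token-request names, which the slides do not spell out.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed endpoint locations; any draft 8 authorization server would do.
AUTHZ_ENDPOINT = "https://authz.example.test/oauth/authorize"
TOKEN_ENDPOINT = "https://authz.example.test/oauth/token"


def build_authz_request(client_type, client_id, redirect_uri, scope, state):
    """Slide 13: the end-user authorization endpoint is called with HTTP GET
    and the params type, client_id, redirect_uri, state and scope."""
    if client_type not in ("web_server", "user_agent"):
        raise ValueError("draft 8 type must be web_server or user_agent")
    params = {"type": client_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": scope}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_authz_response(client_type, redirected_url, expected_state):
    """Slide 14: web_server receives code and state in the query string;
    user_agent receives access_token, expires_in and state in the fragment,
    which the browser never sends to the redirect_uri server.  The state
    check binds the response to the request this client issued, so a
    response forged or replayed by a third party is rejected."""
    parts = urlsplit(redirected_url)
    raw = parts.query if client_type == "web_server" else parts.fragment
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if not expected_state or fields.get("state") != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    return fields


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Slide 15: HTTP POST to the token endpoint with the client credential
    sent as request parameters plus the grant-specific params."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri}


def parse_token_response(body):
    """Slide 16: JSON body with access_token, expires_in, refresh_token, scope."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token response lacks access_token")
    return {"access_token": data["access_token"],
            "expires_in": int(data.get("expires_in", 0)),
            "refresh_token": data.get("refresh_token"),
            "scope": data.get("scope")}


def web_server_flow_demo():
    """Both legs of the web_server flow with constructed server replies."""
    client_id, client_secret = "s6BhdRkqt3", "gX1fBat3bV"   # constructed
    redirect_uri = "https://client.example.test/cb"          # constructed
    state = secrets.token_urlsafe(16)   # fresh and unguessable per request
    authz_url = build_authz_request("web_server", client_id, redirect_uri,
                                    "read", state)
    # Constructed redirect from the authorization server back to the client.
    redirected = redirect_uri + "?" + urlencode({"code": "i1WsRn1uB1",
                                                 "state": state})
    fields = parse_authz_response("web_server", redirected, state)
    token_req = build_token_request(client_id, client_secret,
                                    fields["code"], redirect_uri)
    # Constructed reply from TOKEN_ENDPOINT to the POST of token_req.
    reply = json.dumps({"access_token": "SlAV32hkKG", "expires_in": 3600,
                        "refresh_token": "8xLOxBtZp8", "scope": "read"})
    return authz_url, token_req, parse_token_response(reply)
```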
Accessing a Protected Resource

- Params
  - Access Token
- Method
  - The Authorization Request Header Field
  - URI Query Parameter
  - Form-Encoded Body Parameter
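A resource-side check for slide 17, as an added Python example that is not from the deck: the "OAuth" Authorization scheme and the oauth_token parameter name are the draft 8 spellings for the three token locations, the request is passed as plain header, query and body values rather than any framework's request object, and the issued-token store is constructed.

```python
import time
from urllib.parse import parse_qs

# Constructed record of tokens the authorization server issued, keyed by the
# access_token value and carrying the slide 16 scope and lifetime.  A real
# resource server would share this store with the server or ask it.
NOW = time.time()
ISSUED_TOKENS = {
    "SlAV32hkKG": {"scope": {"read"}, "expires_at": NOW + 3600},
    "OldTok0000": {"scope": {"read"}, "expires_at": NOW - 1},
}


def extract_access_token(headers, query_string, content_type, body):
    """Looks in the three draft 8 locations: 'Authorization: OAuth <token>',
    the oauth_token query parameter and the oauth_token form-body field.
    Returns (location, token) or (None, None).  A request that carries a
    token in more than one place is refused rather than guessed at."""
    found = []
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, _, rest = lower.get("authorization", "").partition(" ")
    if scheme.lower() == "oauth" and rest.strip():
        found.append(("header", rest.strip()))
    in_query = parse_qs(query_string).get("oauth_token")
    if in_query:
        found.append(("query", in_query[0]))
    if content_type.split(";")[0].strip() == "application/x-www-form-urlencoded":
        in_body = parse_qs(body).get("oauth_token")
        if in_body:
            found.append(("body", in_body[0]))
    if not found:
        return None, None
    if len(found) > 1:
        raise ValueError("access token present in more than one location")
    return found[0]


def authorize_request(headers, query_string, content_type, body,
                      needed_scope, now=None):
    """Resource-side check: token present, known, unexpired, and its scope
    covers the operation.  Returns (allowed, detail): detail is the location
    the token came from when allowed, or the refusal reason otherwise."""
    where, token = extract_access_token(headers, query_string,
                                        content_type, body)
    if token is None:
        return False, "no access token"
    record = ISSUED_TOKENS.get(token)
    if record is None:
        return False, "unknown access token"
    if (now if now is not None else time.time()) >= record["expires_at"]:
        return False, "access token expired"
    if needed_scope not in record["scope"]:
        return False, "insufficient scope"
    return True, where
```

The query-parameter method puts the token into server logs and Referer headers, which is why the check reports where the token came from: a resource server can then log or refuse that location separately from the header form.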
OLD SPEC
Username and Password Profile

[Diagram: characters are End-User, Client, AuthZ Server, Protected Resource]

- Like Twitter xAuth
Client Credentials Profile

[Diagram: characters are Client, AuthZ Server, Protected Resource]

- Like OAuth Consumer Request (2-legged OAuth Request)
Assertion Profile

[Diagram: characters are Client, AuthZ Server, Protected Resource]

- SAML etc...
