Prabath Siriwardena | Johann Nallathamby
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.

Servers are required to support password authentication, despite the security weaknesses created by passwords.

Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.

Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.

Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
•  Complexity in validating and generating signatures.
•  No clear separation between Resource Server and Authorization Server.
•  Browser-based redirections.
Resource Owner
•  An entity capable of granting access to a protected resource.
•  When the resource owner is a person, it is referred to as an end-user.

Resource Server
•  The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Client
•  An application making protected resource requests on behalf of the resource owner and with its authorization.

Authorization Server
•  The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization grant types
•  Client Credentials
•  Authorization Code
•  Resource Owner Password Credentials
•  Implicit
OAuth Handshake: Scope

Scope is defined by the Authorization Server.
Scope indicates which resource the client wants to access and which actions it wants to perform on it.
The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
The strings are defined by the authorization server.
OAuth Handshake: Confidential Client Type (Web Application)

OAuth Handshake: Client Authenticates to AuthZ Server
BasicAuth with client_id / client_secret
OAuth Handshake: Authorization Grant Request (Authorization Code grant)

•  response_type: REQUIRED. Value MUST be set to "code".
•  client_id: REQUIRED. The client identifier.
•  redirect_uri: OPTIONAL. Where to be redirected by the Authorization Server.
•  scope: OPTIONAL. The scope of the access request.
•  state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
OAuth Handshake: Authorization Grant Response (Authorization Code grant)

•  code: REQUIRED. The authorization code generated by the authorization server.
•  state: REQUIRED if the "state" parameter was present in the client authorization request.
OAuth Handshake: Access Token Request (Authorization Code grant)

•  grant_type: REQUIRED. Value MUST be set to "authorization_code".
•  code: REQUIRED. The authorization code received from the Authorization Server.
•  redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request.
OAuth Handshake: Access Token Response (Authorization Code grant)

•  access_token: REQUIRED. The access token issued by the authorization server.
•  token_type: REQUIRED. The type of the token. Value is case insensitive.
•  expires_in: RECOMMENDED. The lifetime in seconds of the access token.
OAuth Handshake: Scope

OAuth Handshake: Public Client Type (User Agent based Application)

OAuth Handshake: Anonymous Clients
OAuth Handshake: Authorization Grant Request (Implicit grant)

•  response_type: REQUIRED. Value MUST be set to "token".
•  client_id: REQUIRED. The client identifier.
•  redirect_uri: OPTIONAL. Where to be redirected by the Authorization Server.
•  scope: OPTIONAL. The scope of the access request.
•  state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
OAuth Handshake: Access Token Response (Implicit grant)

•  access_token: REQUIRED. The access token issued by the authorization server.
•  token_type: REQUIRED. The type of the token. Value is case insensitive.
•  expires_in: RECOMMENDED. The lifetime in seconds of the access token.
•  scope: OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
•  state: REQUIRED if the "state" parameter was present in the client authorization request.
OAuth Handshake: Scope

OAuth Handshake: Confidential Client Type

OAuth Handshake: BasicAuth
OAuth Handshake: Authorization Grant Request (Client Credentials grant)

Since the client authentication is used as the authorization grant, no additional authorization request is needed.
OAuth Handshake: Access Token Request (Client Credentials grant)

•  grant_type: REQUIRED. Value MUST be set to "client_credentials".
•  scope: OPTIONAL. The scope of the access request.

Note: The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
OAuth Handshake: Access Token Response (Client Credentials grant)

•  access_token: REQUIRED. The access token issued by the authorization server.
•  token_type: REQUIRED. The type of the token. Value is case insensitive.
•  expires_in: RECOMMENDED. The lifetime in seconds of the access token.
OAuth Handshake: Scope

OAuth Handshake: Confidential Client Type

OAuth Handshake: BasicAuth
OAuth Handshake: Authorization Grant Request (Resource Owner Password Credentials grant)

The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
OAuth Handshake: Access Token Request (Resource Owner Password Credentials grant)

•  grant_type: REQUIRED. Value MUST be set to "client_credentials".
•  username: REQUIRED. The resource owner username, encoded as UTF-8.
•  password: REQUIRED. The resource owner password, encoded as UTF-8.
•  scope: OPTIONAL. The scope of the access request.
OAuth Handshake: Access Token Response (Resource Owner Password Credentials grant)

•  access_token: REQUIRED. The access token issued by the authorization server.
•  token_type: REQUIRED. The type of the token. Value is case insensitive.
•  expires_in: RECOMMENDED. The lifetime in seconds of the access token.
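The code, client-credentials and password handshakes on the slides above, as an added example (not code from the slides or from WSO2): a minimal in-memory authorization server in Python that authenticates the client with BasicAuth, keeps authorization codes single use, checks that redirect_uri is registered and matches, echoes state and narrows scope to what the client may hold, together with client-side helpers for the request URL and the Basic header. Per RFC 6749 the resource owner password credentials grant sends grant_type=password, which is the value the server accepts. The client id, secret, redirect URI, user and the https://as.example.com endpoint are constructed values.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registrations (not from the slides): one confidential client and one resource owner.
CLIENTS = {"s6BhdRkqt3": {"secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
                          "redirect_uris": {"https://client.example.org/cb"},
                          "allowed_scopes": {"read", "write"}}}
USERS = {"alice": "correct horse battery staple"}  # constructed; a real server stores a password hash
TOKEN_LIFETIME = 3600                               # seconds, reported as expires_in
_codes = {}   # code -> (client_id, redirect_uri from the authorization request, granted scope)
_tokens = {}  # access_token -> (client_id, granted scope, expiry time)


def parse_scope(value):
    """Scope is a list of space-delimited, case-sensitive strings, so never lowercase it."""
    return set(value.split(" ")) - {""} if value else set()


def basic_header(client_id, client_secret):
    """Client side: HTTP Basic authentication with client_id / client_secret."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def authorization_url(client_id, redirect_uri, scope, state):
    """Client side: the authorization grant request for the authorization-code grant."""
    return "https://as.example.com/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state})


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def authorize(url):
    """AS authorization endpoint. Returns the redirect sent to the user agent once the
    resource owner has authenticated and approved the request (assumed done here)."""
    q = query_params(url)
    client = CLIENTS.get(q.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")  # never redirect on behalf of an unregistered client
    redirect_uri = q.get("redirect_uri") or next(iter(client["redirect_uris"]))
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered")  # never redirect to an unverified URI
    params = {"state": q["state"]} if "state" in q else {}  # echo state: binds callback to request
    if q.get("response_type") != "code":
        params["error"] = "unsupported_response_type"
    else:
        granted = parse_scope(q.get("scope", "")) & client["allowed_scopes"]
        params["code"] = secrets.token_urlsafe(24)
        _codes[params["code"]] = (q["client_id"], q.get("redirect_uri"), granted)
    return redirect_uri + "?" + urlencode(params)


def _authenticate_client(auth_header):
    """Check the BasicAuth header against the registered client_secret in constant time."""
    scheme, _, b64 = auth_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return None
    return client_id


def token(auth_header, body):
    """AS token endpoint for the authorization_code, client_credentials and password grants."""
    client_id = _authenticate_client(auth_header)
    if client_id is None:
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    allowed = CLIENTS[client_id]["allowed_scopes"]
    grant = form.get("grant_type")
    if grant == "authorization_code":
        entry = _codes.pop(form.get("code"), None)  # pop: an authorization code is single use
        if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}  # replayed code, wrong client or redirect_uri mismatch
        scope = entry[2]
    elif grant == "client_credentials":
        scope = parse_scope(form.get("scope", "")) & allowed
    elif grant == "password":  # RFC 6749 value for the resource owner password credentials grant
        expected = USERS.get(form.get("username", ""), "")
        if not expected or not hmac.compare_digest(expected.encode(), form.get("password", "").encode()):
            return {"error": "invalid_grant"}
        scope = parse_scope(form.get("scope", "")) & allowed
    else:
        return {"error": "unsupported_grant_type"}
    access_token = secrets.token_urlsafe(32)
    _tokens[access_token] = (client_id, scope, time.time() + TOKEN_LIFETIME)
    # scope is REQUIRED in the response when it differs from what was requested; always sending it is safe
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": TOKEN_LIFETIME, "scope": " ".join(sorted(scope))}
```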
  
Runtime: Bearer / MAC
Runtime: Bearer

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
Runtime: Request with Bearer

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer "access_token_value"

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
Runtime: MAC

HTTP MAC access authentication scheme
Runtime: Request with MAC

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",
                   ts="1336363200",
                   nonce="274312:dj83hs9s",
                   mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
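The Bearer and MAC slides above, as an added example (not code from the slides or from the drafts): a Python client that signs a request into a MAC Authorization header, and a resource-server check that recomputes the MAC over what was actually received and rejects stale timestamps and replayed nonces, which is the proof of possession a bearer token cannot give. The normalized request string follows the element order in draft-ietf-oauth-v2-http-mac-01 (ts, nonce, method, request-URI, host, port, ext, each newline-terminated) as assumed here; the key is constructed, so the slide's mac value is not reproduced, and the nonce is treated as an opaque unique string.

```python
import base64
import hashlib
import hmac

# Constructed MAC credentials (the slide's mac value cannot be recomputed without its key):
# key identifier -> shared key and algorithm, as issued to the client together with the token.
MAC_KEYS = {"h480djs93hd8": {"key": b"constructed-shared-key-not-from-the-draft",
                             "algorithm": "hmac-sha-256"}}
_seen_nonces = set()  # (id, nonce) pairs already accepted; a real server bounds and expires this cache


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Assumed layout from draft-ietf-oauth-v2-http-mac-01: each element newline-terminated."""
    parts = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, algorithm, normalized):
    digest = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}[algorithm]
    return base64.b64encode(hmac.new(key, normalized.encode(), digest).digest()).decode()


def build_mac_header(key_id, ts, nonce, method, request_uri, host, port):
    """Client side: sign the request; the shared key itself never leaves the client."""
    cred = MAC_KEYS[key_id]
    normalized = normalized_request_string(ts, nonce, method, request_uri, host, port)
    mac = compute_mac(cred["key"], cred["algorithm"], normalized)
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    """Split 'MAC k="v", k="v"' into a dict; returns None for any other scheme (e.g. Bearer)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        return None
    attrs = {}
    for part in rest.split(","):
        name, _, value = part.strip().partition("=")
        attrs[name] = value.strip('"')
    return attrs


def verify_mac_request(header, method, request_uri, host, port, now, max_skew=300):
    """Resource server side: recompute the MAC over the received request line and host,
    then reject stale timestamps and replayed nonces. A bearer token gets none of these checks."""
    attrs = parse_mac_header(header)
    if attrs is None or "id" not in attrs or "nonce" not in attrs or "mac" not in attrs:
        return False
    cred = MAC_KEYS.get(attrs["id"])
    if cred is None or not attrs.get("ts", "").isdigit():
        return False
    ts = int(attrs["ts"])
    if abs(now - ts) > max_skew:
        return False  # stale: outside the accepted clock-skew window
    if (attrs["id"], attrs["nonce"]) in _seen_nonces:
        return False  # replay: this nonce was already accepted for this key
    normalized = normalized_request_string(ts, attrs["nonce"], method, request_uri,
                                           host, port, attrs.get("ext", ""))
    expected = compute_mac(cred["key"], cred["algorithm"], normalized)
    if not hmac.compare_digest(expected.encode(), attrs["mac"].encode()):
        return False  # tampered request line, host, port or header attribute
    _seen_nonces.add((attrs["id"], attrs["nonce"]))
    return True
```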
  
OAuth 2.0: The Path to Heaven from Hell

More Related Content

What's hot

What's hot (20)

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 
Building the Services Ecosystem (GlobusWorld Tour - STFC)
Building the Services Ecosystem (GlobusWorld Tour - STFC)Building the Services Ecosystem (GlobusWorld Tour - STFC)
Building the Services Ecosystem (GlobusWorld Tour - STFC)
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
O auth 2.0 authorization framework
O auth 2.0 authorization frameworkO auth 2.0 authorization framework
O auth 2.0 authorization framework
 
OAuth2
OAuth2OAuth2
OAuth2
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 

Viewers also liked

Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
sureshattanayake
 
Single sign on using WSO2 identity server
Single sign on using WSO2 identity serverSingle sign on using WSO2 identity server
Single sign on using WSO2 identity server
WSO2
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
WSO2
 
WSO2 Identity Server
WSO2 Identity Server WSO2 Identity Server
WSO2 Identity Server
WSO2
 
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity ServerWSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
WSO2
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
WSO2
 

Viewers also liked (10)

Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
 
Single sign on using WSO2 identity server
Single sign on using WSO2 identity serverSingle sign on using WSO2 identity server
Single sign on using WSO2 identity server
 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACML
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
 
WSO2 Identity Server
WSO2 Identity Server WSO2 Identity Server
WSO2 Identity Server
 
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity ServerWSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
WSO2Con US 2013 - Identity Management Best Practices with WSO2 Identity Server
 
Implementación de autenticación federada con WSO2 Identity Server 5.1
Implementación de autenticación federada con WSO2 Identity Server 5.1Implementación de autenticación federada con WSO2 Identity Server 5.1
Implementación de autenticación federada con WSO2 Identity Server 5.1
 
WSO2 Identity Server
WSO2 Identity ServerWSO2 Identity Server
WSO2 Identity Server
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 

Similar to O Auth 2.0 The Path to Heaven from Hell

Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO2
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 

Similar to O Auth 2.0 The Path to Heaven from Hell (20)

Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .net
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
O auth
O authO auth
O auth
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 

More from WSO2

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
WSO2
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
WSO2
 

More from WSO2 (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

O Auth 2.0 The Path to Heaven from Hell

  • 1. Prabath Siriwardena | Johann Nallathamby
  • 2.
  • 3.
  • 4.
  • 5.
  • 6. Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
  • 7. Servers are required to support password authentication, despite the security weaknesses created by passwords.
  • 8. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  • 9. Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.
  • 10. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  • 17.
    - Complexity in validating and generating signatures.
    - No clear separation between Resource Server and Authorization Server.
    - Browser-based redirections.
  • 18. Resource Owner
    - An entity capable of granting access to a protected resource.
    - When the resource owner is a person, it is referred to as an end-user.
  • 19. Resource Server
    - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • 20. Client
    - An application making protected resource requests on behalf of the resource owner and with its authorization.
  • 21. Authorization Server
    - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  • 23. Client Credentials / Authorization Code / Resource Owner Password Credentials / Implicit
  • 25. OAuth Handshake: Scope
    - Scope is defined by the Authorization Server.
    - Scope indicates which resource the client wants access to and which actions it wants to perform on it.
    - The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
    - The strings are defined by the authorization server.
  • 26. OAuth Handshake: Confidential Client Type, Web Application
  • 27. OAuth Handshake: Client Authenticates to AuthZ Server
    - BasicAuth with client_id / client_secret
  • 28. OAuth Handshake: Authorization Grant Request
    - response_type: REQUIRED. Value MUST be set to "code".
    - client_id: REQUIRED. The client identifier.
    - redirect_uri: OPTIONAL. Where to be redirected by the Authorization Server.
    - scope: OPTIONAL. The scope of the access request.
    - state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 29. OAuth Handshake: Authorization Grant Response
    - code: REQUIRED. The authorization code generated by the authorization server.
    - state: REQUIRED if the "state" parameter was present in the client authorization request.
  • 30. OAuth Handshake: Access Token Request
    - grant_type: REQUIRED. Value MUST be set to "authorization_code".
    - code: REQUIRED. The authorization code received from the Authorization Server.
    - redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request.
  • 31. OAuth Handshake: Access Token Response
    - access_token: REQUIRED. The access token issued by the authorization server.
    - token_type: REQUIRED. The type of the token. Value is case insensitive.
    - expires_in: RECOMMENDED. The lifetime in seconds of the access token.
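As an added example, not part of the slides or of any project they describe, the client side of the authorization-code handshake on slides 27 to 31: building the authorization request with a fresh random state, refusing a callback whose state does not echo the one this session sent before accepting the code, and forming the Basic-authenticated access token request. The endpoint URL, redirect URI and client credentials are constructed values.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed endpoint and redirect URI (not from the slides).
AUTHZ_ENDPOINT = "https://authz.example.com/authorize"
REDIRECT_URI = "https://client.example.com/callback"

def build_authorization_request(client_id, scope, state=None):
    """Slide 28: response_type=code, client_id, redirect_uri, scope, state.
    Returns (url, state); the caller stores state in the user's session."""
    state = state or secrets.token_urlsafe(16)   # unguessable, one per attempt
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),   # space-delimited, case-sensitive (slide 25)
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state

def parse_authorization_response(callback_url, expected_state):
    """Slide 29: code is REQUIRED and state must echo what this session sent.
    A callback carrying a code issued for someone else fails the state check
    instead of being bound to the current user."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code

def build_token_request(client_id, client_secret, code):
    """Slides 27 and 30: the confidential client authenticates with HTTP Basic
    (client_id:client_secret); the form body carries grant_type, code and the
    same redirect_uri that was sent on slide 28."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": REDIRECT_URI})
    return headers, body
```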
  • 33. OAuth Handshake: Public Client Type, User Agent based Application
  • 35. OAuth Handshake: Authorization Grant Request
    - response_type: REQUIRED. Value MUST be set to "token".
    - client_id: REQUIRED. The client identifier.
    - redirect_uri: OPTIONAL. Where to be redirected by the Authorization Server.
    - scope: OPTIONAL. The scope of the access request.
    - state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 36. OAuth Handshake: Access Token Response
    - access_token: REQUIRED. The access token issued by the authorization server.
    - token_type: REQUIRED. The type of the token. Value is case insensitive.
    - expires_in: RECOMMENDED. The lifetime in seconds of the access token.
    - scope: OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
    - state: REQUIRED if the "state" parameter was present in the client authorization request.
  • 38. OAuth Handshake: Confidential Client Type
  • 39. OAuth Handshake: BasicAuth
  • 40. OAuth Handshake: Authorization Grant Request
    - Since the client authentication is used as the authorization grant, no additional authorization request is needed.
  • 41. OAuth Handshake: Access Token Request
    - grant_type: REQUIRED. Value MUST be set to "client_credentials".
    - scope: OPTIONAL. The scope of the access request.
    - Note: The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
  • 42. OAuth Handshake: Access Token Response
    - access_token: REQUIRED. The access token issued by the authorization server.
    - token_type: REQUIRED. The type of the token. Value is case insensitive.
    - expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  • 44. OAuth Handshake: Confidential Client Type
  • 46. OAuth Handshake: Authorization Grant Request
    - The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
  • 47. OAuth Handshake: Access Token Request
    - grant_type: REQUIRED. Value MUST be set to "client_credentials".
    - username: REQUIRED. The resource owner username, encoded as UTF-8.
    - password: REQUIRED. The resource owner password, encoded as UTF-8.
    - scope: OPTIONAL. The scope of the access request.
  • 48. OAuth Handshake: Access Token Response
    - access_token: REQUIRED. The access token issued by the authorization server.
    - token_type: REQUIRED. The type of the token. Value is case insensitive.
    - expires_in: RECOMMENDED. The lifetime in seconds of the access token.
  • 50. Runtime: Bearer / MAC
  • 51. Runtime: Bearer
    - Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  • 52. Runtime: Request with Bearer
    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: Bearer "access_token_value"
    http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
  • 53. Runtime: MAC
    - HTTP MAC access authentication scheme
  • 54. Runtime: Request with MAC
    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: MAC id="h480djs93hd8",
                       ts="1336363200",
                       nonce="274312:dj83hs9s",
                       mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
    http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
  • 54. Request  with  MAC   GET  /resource/1  HTTP/1.1   Host:  example.com    Authorization:  MAC  id="h480djs93hd8",                                                                                        ts="1336363200”,                                                                                        nonce="274312:dj83hs9s",                                                                                        mac="kDZvddkndxvhGRXZhvuDjEWhGeE="   http://tools.ietf.org/html/draft-­‐ietf-­‐oauth-­‐v2-­‐http-­‐mac-­‐01   Runtime