SlideShare uma empresa Scribd logo

Introduction to OAuth2.0

Oracle Corporation
Oracle Corporation
Educação
1 de 18
Baixar para ler offline
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1 OAuth 2.0 Overview Oracle Asia Research and Development Center Alice Liu(lzhmails@gmail.com)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.2  OAuth 2.0 Overview  3-Legged OAuth/ 2-Legged Oauth  OAuth Workflow
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3  OAuth Terms – Client is an application accessing an API, can be a web app, app inside a user agent, or a native app – Resource Owner is a “user” who can authorize/grant access to API resources – Resource Server is the API host – Authorization Server is the authorization PDP and STS  OAuth 2.0 is relatively simple – Get the token – Use the token to access the protected resource OAuth 2.0 Overview OAuth 2.0 Authorization Server
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.4  In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares its credentials with the third- party. This creates several problems and limitations.  Third-party applications are required to store the resource-owner's credentials for future use, typically a password in clear-text.  Servers are required to support password authentication, despite the security weaknesses created by passwords.  Third-party applications gain overly broad access to the resource-owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.  Resource owners cannot revoke access to an individual third-party without revoking access to all third- parties, and must do so by changing their password. OAuth 2.0 Overview OAuth 2.0 Authorization Server
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.5 3-Legged OAuth 1) The resource owner connects to an OAuth Client enabled service and requests it access resources at a different site 2) The OAuth Client (requesting site) redirects the user to the OAuth Authorization Server, which authenticates the user and presents a consent page. It then sends authorization code to the OAuth client 3) The OAuth Client uses the authorization code to retrieve an OAuth Access Token from the OAuth Authorization Server 4) The OAuth Client presents the Access Token to the OAuth Resource Server 5) The Resource Server validates the token with the Authorization Server 6) The Resource Server provides the requested content to the OAuth Client OAuth Client Resource Owner/Agent/ Native App OAuth Resource Server OAuth Authorizatio n Server 2 3 6 4 1Requesting Site Resource Site
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.6 2-Legged OAuth  The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials  The requesting service uses its client credentials to connect to a resource server  The Resource server validates the clients credentials and provides the requested content OAuth Client OAuth Resource Server OAuth Authorizati on Server 2 3 1
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.7 • OAuth allows resource owners to delegate resource access rights to third-parties. • No sharing of passwords with third-party apps • Authorize to certain limited resources • For a limited time • Can revoke consent given to the third-party apps • Where as sharing passwords approach with third-party apps • Trust issues • Unwanted level of access • Not able to revoke etc. OAuth 2.0 Overview OAuth 2.0 Authorization Server
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.8 OAuth Workflow Consumer (Client) Service Provider (Resource Server) User (Resource Owner) Ask for a Token with OAuth Responds with un- Authorized request token Redirects with authorized request token Requests exchange for access token Responds with requested data Ask for data with access token Ask for authorization of request token Redirect user to content Access page Log-in and grant permission
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.9 Using OAuth 2.0 Authorization Code Flow
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10 OAuth Actors/What is OAuth 2.0? Client Application Resource Owner Resource Server OAuth Server Accesses Resources Login, Gives consent Issues Tokens Accesses Resources Data Delegates Authorization (e.g. photoprinting.com) (e.g. photos from “photos.com”) Authenticates, Authorizes
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.11 • Service Provider (Resource Server) the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web-service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a micro blogging site, or any other service where ‘user’s private stuff’ is kept. OAuth does not mandate that the Service Provider will also be the identity provider which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID • User (Resource Owner) the user is why OAuth exists and without users, there is no need for OAuth. The users have ‘stuff’ they don’t want to make public on the Service Provider, but they do want to share it with another site. However OAuth can be used with the two-legged scenarios involving clients and server, without the need of user interaction. • Consumer (Client) this is a fancy name for an application trying to access the User’s resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. • Protected Resources the ‘stuff’ OAuth protects and allow access to. This can be data (photos, documents, contacts etc.), activities (posting blog item, transferring funds) or any URL with a need for access restrictions. What is OAuth 2.0?
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.12  Access Token: Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.  Refresh Token: Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). What is OAuth 2.0?
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.13 OAuth 2.0 Grant Types • Authorization Code – usually clients running on web server • Implicit – clients run directly in the browser like Javascript plugins • Resource Owner – User Id/password of the user • Client Credentials – client credentials • Refresh Token – to refresh/get a new access token • Assertion Framework •Client Assertion ・(Authorization) Assertion ・Support multiple formats: JWT and SAML • Extended Grants •Depends on server and deployment needs •E.g. for Oracle to support OAM tokens
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.14 Typical 3-legged OAuth flow with Authorization Code Grant Type Background Checker Client Resource Server Enterprise OAuth Server Token-claim registry Scope registry Policy store User consent orchestration Get an “Access token” Obtain “Authorization Grant”(User consent) Use “Access Token” to access a resource
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.15 Questions
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.16 References & Terminology 1. OAuth 2.0 Spec (Core/Classic) - http://tools.ietf.org/html/rfc6749 2. OAuth 2.0 Assertion Framework Spec - http://tools.ietf.org/html/draft-ietf- oauth-assertions-11 3. OAuth 2.0 JWT Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf- oauth-jwt-bearer-05 4. OAuth 2.0でWebサービスの利用方法はどう変わるか http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html 5. http://lzhairs.blogspot.jp/2013/09/2-legged-oauth-3-legged-oauth.html
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.17
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.18

Recomendados

OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 

Recomendados

OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
Manish Kumar Singh
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
Victor Rentea
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
apidays
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Beveiliging en REST services
Beveiliging en REST servicesBeveiliging en REST services
Beveiliging en REST services
Maurice De Beijer [MVP]
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 

Mais conteúdo relacionado

Mais procurados

OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 

Mais procurados (20)

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
OAuth
OAuthOAuth
OAuth
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 

Destaque

Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Justin Richer
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFS
Twobo Technologies
 

Destaque (20)

Beveiliging en REST services
Beveiliging en REST servicesBeveiliging en REST services
Beveiliging en REST services
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
04 june meetup - An overview of OAuth2 on Force.com projects
04 june meetup - An overview of OAuth2 on Force.com projects04 june meetup - An overview of OAuth2 on Force.com projects
04 june meetup - An overview of OAuth2 on Force.com projects
 
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
 
Transforming organizations into platforms
Transforming organizations into platformsTransforming organizations into platforms
Transforming organizations into platforms
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All Together
 
Designing an API
Designing an APIDesigning an API
Designing an API
 
Incorporating OAuth
Incorporating OAuthIncorporating OAuth
Incorporating OAuth
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
 
#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFS
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 
The JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteThe JSON-based Identity Protocol Suite
The JSON-based Identity Protocol Suite
 
Principles and patterns for test driven development
Principles and patterns for test driven developmentPrinciples and patterns for test driven development
Principles and patterns for test driven development
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 

Semelhante a Introduction to OAuth2.0

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su
 
A technical insight into the concepts and terminologies behind oauth – an ope...
A technical insight into the concepts and terminologies behind oauth – an ope...A technical insight into the concepts and terminologies behind oauth – an ope...
A technical insight into the concepts and terminologies behind oauth – an ope...
eSAT Journals
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
IOSR Journals
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
Vishal Shah
 

Semelhante a Introduction to OAuth2.0 (20)

Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
OAuth2
OAuth2OAuth2
OAuth2
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth
OAuthOAuth
OAuth
 
A technical insight into the concepts and terminologies behind oauth – an ope...
A technical insight into the concepts and terminologies behind oauth – an ope...A technical insight into the concepts and terminologies behind oauth – an ope...
A technical insight into the concepts and terminologies behind oauth – an ope...
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
OAuth
OAuthOAuth
OAuth
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Twitter Authentication
Twitter AuthenticationTwitter Authentication
Twitter Authentication
 
Rfc5849aut
Rfc5849autRfc5849aut
Rfc5849aut
 
OAuth
OAuthOAuth
OAuth
 
O auth 2
O auth 2O auth 2
O auth 2
 

Último

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Último (20)

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 

Introduction to OAuth2.0

  • 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1 OAuth 2.0 Overview Oracle Asia Research and Development Center Alice Liu(lzhmails@gmail.com)
  • 2. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.2  OAuth 2.0 Overview  3-Legged OAuth/ 2-Legged Oauth  OAuth Workflow
  • 3. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3  OAuth Terms – Client is an application accessing an API, can be a web app, app inside a user agent, or a native app – Resource Owner is a “user” who can authorize/grant access to API resources – Resource Server is the API host – Authorization Server is the authorization PDP and STS  OAuth 2.0 is relatively simple – Get the token – Use the token to access the protected resource OAuth 2.0 Overview OAuth 2.0 Authorization Server
  • 4. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.4  In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares its credentials with the third- party. This creates several problems and limitations.  Third-party applications are required to store the resource-owner's credentials for future use, typically a password in clear-text.  Servers are required to support password authentication, despite the security weaknesses created by passwords.  Third-party applications gain overly broad access to the resource-owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.  Resource owners cannot revoke access to an individual third-party without revoking access to all third- parties, and must do so by changing their password. OAuth 2.0 Overview OAuth 2.0 Authorization Server
  • 5. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.5 3-Legged OAuth 1) The resource owner connects to an OAuth Client enabled service and requests it access resources at a different site 2) The OAuth Client (requesting site) redirects the user to the OAuth Authorization Server, which authenticates the user and presents a consent page. It then sends authorization code to the OAuth client 3) The OAuth Client uses the authorization code to retrieve an OAuth Access Token from the OAuth Authorization Server 4) The OAuth Client presents the Access Token to the OAuth Resource Server 5) The Resource Server validates the token with the Authorization Server 6) The Resource Server provides the requested content to the OAuth Client OAuth Client Resource Owner/Agent/ Native App OAuth Resource Server OAuth Authorizatio n Server 2 3 6 4 1Requesting Site Resource Site
  • 6. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.6 2-Legged OAuth  The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials  The requesting service uses its client credentials to connect to a resource server  The Resource server validates the clients credentials and provides the requested content OAuth Client OAuth Resource Server OAuth Authorizati on Server 2 3 1
  • 7. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.7 • OAuth allows resource owners to delegate resource access rights to third-parties. • No sharing of passwords with third-party apps • Authorize to certain limited resources • For a limited time • Can revoke consent given to the third-party apps • Where as sharing passwords approach with third-party apps • Trust issues • Unwanted level of access • Not able to revoke etc. OAuth 2.0 Overview OAuth 2.0 Authorization Server
  • 8. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.8 OAuth Workflow Consumer (Client) Service Provider (Resource Server) User (Resource Owner) Ask for a Token with OAuth Responds with un- Authorized request token Redirects with authorized request token Requests exchange for access token Responds with requested data Ask for data with access token Ask for authorization of request token Redirect user to content Access page Log-in and grant permission
  • 9. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.9 Using OAuth 2.0 Authorization Code Flow
  • 10. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10 OAuth Actors/What is OAuth 2.0? Client Application Resource Owner Resource Server OAuth Server Accesses Resources Login, Gives consent Issues Tokens Accesses Resources Data Delegates Authorization (e.g. photoprinting.com) (e.g. photos from “photos.com”) Authenticates, Authorizes
  • 11. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.11 • Service Provider (Resource Server) the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web-service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a micro blogging site, or any other service where ‘user’s private stuff’ is kept. OAuth does not mandate that the Service Provider will also be the identity provider which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID • User (Resource Owner) the user is why OAuth exists and without users, there is no need for OAuth. The users have ‘stuff’ they don’t want to make public on the Service Provider, but they do want to share it with another site. However OAuth can be used with the two-legged scenarios involving clients and server, without the need of user interaction. • Consumer (Client) this is a fancy name for an application trying to access the User’s resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. • Protected Resources the ‘stuff’ OAuth protects and allow access to. This can be data (photos, documents, contacts etc.), activities (posting blog item, transferring funds) or any URL with a need for access restrictions. What is OAuth 2.0?
  • 12. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.12  Access Token: Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.  Refresh Token: Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). What is OAuth 2.0?
  • 13. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.13 OAuth 2.0 Grant Types • Authorization Code – usually clients running on web server • Implicit – clients run directly in the browser like Javascript plugins • Resource Owner – User Id/password of the user • Client Credentials – client credentials • Refresh Token – to refresh/get a new access token • Assertion Framework •Client Assertion ・(Authorization) Assertion ・Support multiple formats: JWT and SAML • Extended Grants •Depends on server and deployment needs •E.g. for Oracle to support OAM tokens
  • 14. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.14 Typical 3-legged OAuth flow with Authorization Code Grant Type Background Checker Client Resource Server Enterprise OAuth Server Token-claim registry Scope registry Policy store User consent orchestration Get an “Access token” Obtain “Authorization Grant”(User consent) Use “Access Token” to access a resource
  • 15. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.15 Questions
  • 16. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.16 References & Terminology 1. OAuth 2.0 Spec (Core/Classic) - http://tools.ietf.org/html/rfc6749 2. OAuth 2.0 Assertion Framework Spec - http://tools.ietf.org/html/draft-ietf- oauth-assertions-11 3. OAuth 2.0 JWT Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf- oauth-jwt-bearer-05 4. OAuth 2.0でWebサービスの利用方法はどう変わるか http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html 5. http://lzhairs.blogspot.jp/2013/09/2-legged-oauth-3-legged-oauth.html
  • 17. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.17
  • 18. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.18