SlideShare uma empresa Scribd logo

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

Codemotion
Codemotion

OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally. This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.

Tecnologia
1 de 44
Baixar para ler offline
OAuth 2.0 – a standard is coming of age Uwe Friedrichsen uwe.friedrichsen@codecentric.de
Uwe Friedrichsen @ufried
<session> <no-code> <motivation /> <history /> <solution /> <extensions /> <criticism /> <tips /> </no-code> <code> <authzorization /> <token /> <resource /> </code> <wrap-up /> </session>
{ „session“ : { „no-code“ : [ „motivation“, „history“, „solution“, „extensions“, „criticism“, „tips“ ], „code“ : [ „authorization“, „token“, „resource“ ], „wrap-up“ : true }
Players You Application with protected resources Another application
Assignment You Application with protected resources Another application Access your resources
Problem You Application with protected resources Another application Access your resources
Challenge You Application with protected resources Another application Access your resources Secure ?Easy to use
OAuth 1.0 • Started by Twitter in 2006 • 1st Draft Standard in 10/2007 • IETF RFC 5849 in 4/2010 • Widespread • Complex Client Security Handling • Limited Scope • Not extendable • Not „Enterprise-ready“
OAuth 2.0 • Working Group started 4/2010 • 31 Draft Versions • Eran Hammer-Laval left 7/2012 * • IETF RFC 6749 in 10/2012 * http://hueniverse.com/2012/07/ oauth-2-0-and-the-road-to-hell/
You Application with protected resources Another application Players revisited
Players revisited You Authorization Server Client Application Resource Server
Solution (Step 1) You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are
Solution (Step 2) You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token
Solution (Step 3) You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. …
A few more Details • TLS/SSL • Endpoints • Client Types • Client Identifier • Client Authentication • Redirect URI • Access Token Scope • Refresh Token • Client State
You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you areGET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz
You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. … GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
More flows & Extensions • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Refresh Token Grant • Standard & custom Extensions • Standards based on OAuth 2.0
Criticism • Too many compromises • No built-in security • Relies solely on SSL • Bearer Token • Self-encrypted token
Tips • Turn MAY into MUST • Use HMAC Tokens • Use HMAC to sign Content • No self-encrypted token • Always check the SSL Certificate
How does the code feel like? using Apache Amber 0.22
You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you areGET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
Authorization Endpoint (1) @Path("/authorize") public class AuthorizationEndpoint { @Context private SecurityDataStore securityDataStore; @GET @Consumes(OAuth.ContentType.URL_ENCODED) public Response authorize(@Context HttpServletRequest request) { // Do the required validations OAuthAuthzRequest oauthRequest = wrapAndValidate(request); validateRedirectionURI(oauthRequest); // Actual authentication not defined by OAuth 2.0 // Here a forward to a login page is used String loginURI = buildLoginURI(oauthRequest); return Response.status(HttpServletResponse.SC_FOUND) .location(new URI(loginUri)).build(); } ...
Authorization Endpoint (2) ... private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req) { // Implicitly validates the request locally return new OAuthAuthzRequest(req); } ...
Authorization Endpoint (3) ... private void validateRedirectionURI(OAuthAuthzRequest oauthReq) { String redirectionURISent = oauthReq.getRedirectURI(); String redirectionURIStored = securityDataStore .getRedirectUriForClient(oauthReq.getClientId()); if (!redirectionURIStored .equalsIgnoreCase(redirectionURISent)) { OAuthProblemException oAuthProblem = OAuthProblemException .error(OAuthError.CodeResponse.ACCESS_DENIED, "Invalid Redirection URI"); oAuthProblem.setRedirectUri(redirectionURISent); throw oAuthProblem; } } ...
Authorization Endpoint (4) ... private String buildLoginURI(OAuthAuthzRequest oauthRequest) { String loginURI = getBaseLoginURI(); // As an example loginURI += "&" + OAuth.OAUTH_RESPONSE_TYPE + "=“ + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE); loginURI += "?" + OAuth.OAUTH_CLIENT_ID + "=“ + oauthRequest.getClientId(); loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "=“ + oauthRequest.getRedirectUri; loginURI += "&" + OAuth.OAUTH_SCOPE + "=“ + oauthRequest.getScopes(); loginURI += "&" + OAuth.OAUTH_STATE + "=“ + oauthRequest.getParam(OAuth.OAUTH_STATE); return loginURI; } }
You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz
Login page handler private void getAndSendAuthorizationCode(HttpServletRequest req, HttpServletResponse resp) { // Assuming login was successful and forwarded // parameters can be found in the request String userId = (String) request.getAttribute("userId"); String clientId = (String) request.getAttribute(OAuth.OAUTH_CLIENT_ID); // Create a new authorization code and store it in the database String authzCode = securityDataStore.getAuthorizationCode(userId, clientId); // Redirect back to client String redirectUri = (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI); redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode); redirectUri += "&" + OAuth.OAUTH_STATE + "=“ + request.getAttribute(OAuth.OAUTH_STATE); resp.sendRedirect(redirectUri); }
You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Token Endpoint (1) @Path("/token") public class TokenEndpoint { ... @POST public Response token(@Context HttpServletRequest request, @HeaderParam(AUTHORIZATION) String authorizationHeader) { // Do the required validations validateClient(authorizationHeader); OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request); validateRedirectionURI(oauthRequest); OAuthToken token = securityDataStore .exchangeAuthorizationCodeForAccessToken(oauthRequest); OAuthResponse oauthResponse = buildOAuthResponse(token); return Response.status(oAuthResponse.getResponseStatus()) .entity(oAuthResponse.getBody()).build(); } ...
Token Endpoint (2) ... private void validateClient(String authorizationHeader) { Pattern headerPattern = Pattern.compile("s+"); String[] headerParts = headerPattern.split(authorizationHeader); byte[] encoded = headerParts[1].getBytes(); String decoded = new String(Base64.decode(encoded), Charset.forName("UTF-8")); String[] clientParts = StringUtils.split(decoded, ":", 2); String clientId = clientParts[0]; String clientSecret = clientParts[1]; if (!securityDataStore.isValidClient(clientId, clientSecret)) { ... // Create and throw an OAuthProblemException } } ...
You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
Token Endpoint (3) ... private OAuthResponse buildOAuthResponse(OAuthToken token) { return OAuthASResponse .tokenResponse(HttpServletResponse.SC_OK) .setAccessToken(token.getAccessToken()) .setTokenType(TokenType.BEARER) .setExpiresIn(token.getExpiresIn()) .setRefreshToken(token.getRefreshToken()) .setScope(token.getScope()) .buildJSONMessage(); } }
You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. … GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
Resource Filter (1) public class AuthorizationFilter implements ContainerRequestFilter { @Context private SecurityDataStore securityDataStore; @Context private HttpServletRequest httpServletRequest; @Override public ContainerRequest filter(ContainerRequest request) { String accessToken = extractAccessToken(); validateAccessToken(accessToken); return request; } ...
Resource Filter (2) ... private String extractAccessToken() { OAuthAccessResourceRequest oauthRequest = new OAuthAccessResourceRequest(httpServletRequest); return oauthRequest.getAccessToken(); } ...
Resource Filter (3) ... private void validateAccessToken(String accessToken) { if (!securityDataStore.isValidAccessToken(accessToken)) { throw new AuthorizationFailedException( "Unknown or expired token!"); } } }
Summary • OAuth 2.0 is ready for use • Quite easy to use • Don‘t go for least security
Uwe Friedrichsen @ufried uwe.friedrichsen@codecentric.de http://www.slideshare.net/ufried/ http://blog.codecentric.de/author/ufr
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

Recomendados

iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~5 6
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET CoreNETFest
 

Recomendados

iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~5 6
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET Core
.NET Fest 2017. Михаил Щербаков. Механизмы предотвращения атак в ASP.NET CoreNETFest
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
Summary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoSummary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoRyo Ito
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Somkiat Khitwongwattana
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
OAuth2
OAuth2OAuth2
OAuth2SPARK MEDIA
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
8 sql injection
8 sql injection8 sql injection
8 sql injectiondrewz lin
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.Carlos Catanejo
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Preventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsPreventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsFiyaz Hasan
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita GalkinFwdays
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:Petros Demetrakopoulos
 
Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011Romain Fonnier
 
Develop multi-screen applications with Flex
Develop multi-screen applications with Flex Develop multi-screen applications with Flex
Develop multi-screen applications with Flex Codemotion
 
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro ManfrediCara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro ManfrediCodemotion
 
Native Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de KeijzerNative Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de KeijzerCodemotion
 

Mais conteúdo relacionado

Mais procurados

PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
Summary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoSummary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoRyo Ito
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Somkiat Khitwongwattana
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
8 sql injection
8 sql injection8 sql injection
8 sql injectiondrewz lin
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
Preventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsPreventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsFiyaz Hasan
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita GalkinFwdays
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 

Mais procurados (18)

PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Summary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoSummary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memo
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
OAuth2
OAuth2OAuth2
OAuth2
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
8 sql injection
8 sql injection8 sql injection
8 sql injection
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Preventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsPreventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE apps
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 security
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 

Destaque

Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011Romain Fonnier
 
Develop multi-screen applications with Flex
Develop multi-screen applications with Flex Develop multi-screen applications with Flex
Develop multi-screen applications with Flex Codemotion
 
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro ManfrediCara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro ManfrediCodemotion
 
Native Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de KeijzerNative Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de KeijzerCodemotion
 
The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili Codemotion
 
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016 Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016 Codemotion
 
Getting started with go - Florin Patan - Codemotion Milan 2016
Getting started with go - Florin Patan - Codemotion Milan 2016Getting started with go - Florin Patan - Codemotion Milan 2016
Getting started with go - Florin Patan - Codemotion Milan 2016Codemotion
 
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...Codemotion
 

Destaque (8)

Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011Guide du code barre 2D - AFMM 2011
Guide du code barre 2D - AFMM 2011
 
Develop multi-screen applications with Flex
Develop multi-screen applications with Flex Develop multi-screen applications with Flex
Develop multi-screen applications with Flex
 
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro ManfrediCara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
Cara cloud, ha chiamato l’utente, rivuole la sicurezza by Alessandro Manfredi
 
Native Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de KeijzerNative Javascript apps with PhoneGap by Martin de Keijzer
Native Javascript apps with PhoneGap by Martin de Keijzer
 
The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili The magic world of APT 0.6 - Pompili
The magic world of APT 0.6 - Pompili
 
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016 Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016
Milano Chatbots Meetup - Vittorio Banfi - Bot Design - Codemotion Milan 2016
 
Getting started with go - Florin Patan - Codemotion Milan 2016
Getting started with go - Florin Patan - Codemotion Milan 2016Getting started with go - Florin Patan - Codemotion Milan 2016
Getting started with go - Florin Patan - Codemotion Milan 2016
 
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...
Master the chaos: from raw data to analytics - Andrea Pompili, Riccardo Rossi...
 

Semelhante a OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Ami Assayag
 

Semelhante a OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen (20)

OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
IdM and AC
IdM and ACIdM and AC
IdM and AC
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 

Mais de Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 

Mais de Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Último

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

  • 1. OAuth 2.0 – a standard is coming of age Uwe Friedrichsen uwe.friedrichsen@codecentric.de
  • 3. <session> <no-code> <motivation /> <history /> <solution /> <extensions /> <criticism /> <tips /> </no-code> <code> <authzorization /> <token /> <resource /> </code> <wrap-up /> </session>
  • 4. { „session“ : { „no-code“ : [ „motivation“, „history“, „solution“, „extensions“, „criticism“, „tips“ ], „code“ : [ „authorization“, „token“, „resource“ ], „wrap-up“ : true }
  • 9. OAuth 1.0 • Started by Twitter in 2006 • 1st Draft Standard in 10/2007 • IETF RFC 5849 in 4/2010 • Widespread • Complex Client Security Handling • Limited Scope • Not extendable • Not „Enterprise-ready“
  • 10. OAuth 2.0 • Working Group started 4/2010 • 31 Draft Versions • Eran Hammer-Laval left 7/2012 * • IETF RFC 6749 in 10/2012 * http://hueniverse.com/2012/07/ oauth-2-0-and-the-road-to-hell/
  • 13. Solution (Step 1) You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are
  • 14. Solution (Step 2) You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token
  • 15. Solution (Step 3) You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. …
  • 16. A few more Details • TLS/SSL • Endpoints • Client Types • Client Identifier • Client Authentication • Redirect URI • Access Token Scope • Refresh Token • Client State
  • 17. You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you areGET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
  • 18. You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz
  • 19. You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • 20. You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
  • 21. You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. … GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  • 22. More flows & Extensions • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Refresh Token Grant • Standard & custom Extensions • Standards based on OAuth 2.0
  • 23. Criticism • Too many compromises • No built-in security • Relies solely on SSL • Bearer Token • Self-encrypted token
  • 24. Tips • Turn MAY into MUST • Use HMAC Tokens • Use HMAC to sign Content • No self-encrypted token • Always check the SSL Certificate
  • 25. How does the code feel like? using Apache Amber 0.22
  • 26. You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you areGET /authorize? response_type=code& client_id=s6BhdRkqt3& state=xyz& redirect_uri=https%3A%2F%2Fclient%2E example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
  • 27. Authorization Endpoint (1) @Path("/authorize") public class AuthorizationEndpoint { @Context private SecurityDataStore securityDataStore; @GET @Consumes(OAuth.ContentType.URL_ENCODED) public Response authorize(@Context HttpServletRequest request) { // Do the required validations OAuthAuthzRequest oauthRequest = wrapAndValidate(request); validateRedirectionURI(oauthRequest); // Actual authentication not defined by OAuth 2.0 // Here a forward to a login page is used String loginURI = buildLoginURI(oauthRequest); return Response.status(HttpServletResponse.SC_FOUND) .location(new URI(loginUri)).build(); } ...
  • 28. Authorization Endpoint (2) ... private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req) { // Implicitly validates the request locally return new OAuthAuthzRequest(req); } ...
  • 29. Authorization Endpoint (3) ... private void validateRedirectionURI(OAuthAuthzRequest oauthReq) { String redirectionURISent = oauthReq.getRedirectURI(); String redirectionURIStored = securityDataStore .getRedirectUriForClient(oauthReq.getClientId()); if (!redirectionURIStored .equalsIgnoreCase(redirectionURISent)) { OAuthProblemException oAuthProblem = OAuthProblemException .error(OAuthError.CodeResponse.ACCESS_DENIED, "Invalid Redirection URI"); oAuthProblem.setRedirectUri(redirectionURISent); throw oAuthProblem; } } ...
  • 30. Authorization Endpoint (4) ... private String buildLoginURI(OAuthAuthzRequest oauthRequest) { String loginURI = getBaseLoginURI(); // As an example loginURI += "&" + OAuth.OAUTH_RESPONSE_TYPE + "=“ + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE); loginURI += "?" + OAuth.OAUTH_CLIENT_ID + "=“ + oauthRequest.getClientId(); loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "=“ + oauthRequest.getRedirectUri; loginURI += "&" + OAuth.OAUTH_SCOPE + "=“ + oauthRequest.getScopes(); loginURI += "&" + OAuth.OAUTH_STATE + "=“ + oauthRequest.getParam(OAuth.OAUTH_STATE); return loginURI; } }
  • 31. You Authorization Server Client Application Resource Server 1. I want an authorization code 4. Here is an authorization code for client XYZ 3. User: „Yes, it‘s okay“ 2.Client XYZ wants an authorization code 5. Here you are HTTP/1.1 302 Found Location:  https://client.example.com/cb? code=SplxlOBeZQQYbYS6WxSbIA& state=xyz
  • 32. Login page handler private void getAndSendAuthorizationCode(HttpServletRequest req, HttpServletResponse resp) { // Assuming login was successful and forwarded // parameters can be found in the request String userId = (String) request.getAttribute("userId"); String clientId = (String) request.getAttribute(OAuth.OAUTH_CLIENT_ID); // Create a new authorization code and store it in the database String authzCode = securityDataStore.getAuthorizationCode(userId, clientId); // Redirect back to client String redirectUri = (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI); redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode); redirectUri += "&" + OAuth.OAUTH_STATE + "=“ + request.getAttribute(OAuth.OAUTH_STATE); resp.sendRedirect(redirectUri); }
  • 33. You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=SplxlOBeZQQYbYS6WxSbIA& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • 34. Token Endpoint (1) @Path("/token") public class TokenEndpoint { ... @POST public Response token(@Context HttpServletRequest request, @HeaderParam(AUTHORIZATION) String authorizationHeader) { // Do the required validations validateClient(authorizationHeader); OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request); validateRedirectionURI(oauthRequest); OAuthToken token = securityDataStore .exchangeAuthorizationCodeForAccessToken(oauthRequest); OAuthResponse oauthResponse = buildOAuthResponse(token); return Response.status(oAuthResponse.getResponseStatus()) .entity(oAuthResponse.getBody()).build(); } ...
  • 35. Token Endpoint (2) ... private void validateClient(String authorizationHeader) { Pattern headerPattern = Pattern.compile("s+"); String[] headerParts = headerPattern.split(authorizationHeader); byte[] encoded = headerParts[1].getBytes(); String decoded = new String(Base64.decode(encoded), Charset.forName("UTF-8")); String[] clientParts = StringUtils.split(decoded, ":", 2); String clientId = clientParts[0]; String clientSecret = clientParts[1]; if (!securityDataStore.isValidClient(clientId, clientSecret)) { ... // Create and throw an OAuthProblemException } } ...
  • 36. You Authorization Server Client Application Resource Server 7. Here you are 6. I want to trade my authorization code for an access token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }
  • 37. Token Endpoint (3) ... private OAuthResponse buildOAuthResponse(OAuthToken token) { return OAuthASResponse .tokenResponse(HttpServletResponse.SC_OK) .setAccessToken(token.getAccessToken()) .setTokenType(TokenType.BEARER) .setExpiresIn(token.getExpiresIn()) .setRefreshToken(token.getRefreshToken()) .setScope(token.getScope()) .buildJSONMessage(); } }
  • 38. You Authorization Server Client Application Resource Server Give me some resources. Here is my access token, btw. … GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
  • 39. Resource Filter (1) public class AuthorizationFilter implements ContainerRequestFilter { @Context private SecurityDataStore securityDataStore; @Context private HttpServletRequest httpServletRequest; @Override public ContainerRequest filter(ContainerRequest request) { String accessToken = extractAccessToken(); validateAccessToken(accessToken); return request; } ...
  • 40. Resource Filter (2) ... private String extractAccessToken() { OAuthAccessResourceRequest oauthRequest = new OAuthAccessResourceRequest(httpServletRequest); return oauthRequest.getAccessToken(); } ...
  • 41. Resource Filter (3) ... private void validateAccessToken(String accessToken) { if (!securityDataStore.isValidAccessToken(accessToken)) { throw new AuthorizationFailedException( "Unknown or expired token!"); } } }
  • 42. Summary • OAuth 2.0 is ready for use • Quite easy to use • Don‘t go for least security