Presentation I gave at Glue Con on what became OAuth 2.0

1. What’s the deal with
OAuth/WRAP?
Dick Hardt
@dickhardt

4. Identity 2.0

5. >1200 slides

6. :(

7. G: technical

8. OAuth 2.0

10. Agenda
•OAuth History
•OAuth 2.0
•OAuth Future
•Q&A

11. OAuth History

12. Web 2.0

13. programmable web

14. web API

15. protected resource

16. access control

17. password anti-pattern

18. user delegation

19. scoped access

24. proprietary

25. Blaine Cook

28. password anti-pattern

29. standardize

34. Chris Messina

35. David Recordon

37. OAuth 1.0

38. OAuth 1.0

39. security issue

40. OAuth 1.0A

41. Eran Hammer-Lehav

48. OAuth 1.0A Issues
• Client implementation pain (crypto)
• Single profile (web app and rich app)
• Tight coupling between authorization and
resource
- Scale in large deployments
- Enterprise cloud use case

49. Use Cases
• User Delegation
- Web App
- Rich App (PC, phone, device)
• Authorization Delegation
- Cloud Computing

51. cloud use case

52. AS
(Authorization
Server)
PR
(Protected
Resource)
Client
Cloud Use Case

57. AS
(Authorization
Server)
PR
(Protected
Resource)
Client
Cloud Use Case

58. PR
(Protected
Resource)
AS
(Authorization
Server)
Client
Trust

59. PR
(Protected
Resource)
AS
(Authorization
Server)
Client

60. claims based
architecture

61. AS
(Authorization
Server)
PR
(Protected
Resource)
Client
Cloud Use Case
claim
claim

62. WRAP Name History
• Simple OAuth
• Simple Auth
• WRAP
(Web Resource Authorization Protocol)
• OAuth WRAP

64. Authors
• Allen Tom,Yahoo!
• Brian Eaton, Google
• Yaron Goland, Microsoft
• Editor: Dick Hardt

65. Key WRAP Capabilities
• Claims oriented model
• Separation of AS and PR
• Delegated Access for users
• Delegated Authorization for PR
• Single PR entry point
• scope parameter
• REQUIRES HTTPS

67. user-agent flow
(JavaScript client)

68. OAuth WRAP
+
optional signatures
+
user-agent flow
=
OAuth 2.0

71. OAuth 2.0

72. Terminology
• Client
(Web App, Rich App, Mobile App, Device...)
• Protected Resource
• Authorization Server
• User
• Access Token (short lived bearer token)
• Refresh Token (long lived bearer token)

73. Access Token
• Opaque to client
- Out of scope for OAuth 2.0
• Likely contains:
- Authorization / scope(s) / permission(s) /
role(s) / identifier(s)
- Expiration
- AS Signature

74. Refresh Token
• Opaque to client - out of scope for OAuth 2.0
• Issued and consumed by AS
• Contains information needed to issue a new
Access Token

75. AS
PR
Client
Accessing a PR
(A) Credentials
(B) Access Token
(C) Access Token

76. AS
PR
Client
Obtaining Refresh Token
(B) Access Token,
Refresh Token

77. AS
PR
Client
Expired Access Token
Access Token
401

78. AS
PR
Client
Refreshing an Access Token
(A)Refresh Token
(B) Access Token
(C) Access Token

79. OAuth Flows
• Web server flow
• User-agent flow
• Device flow
• Username and Password flow
• Client Credentials flow
• Assertion flow

80. AS
PR
User
Web Server Flow
Client
(A) Credentials
(B) AT & RT
(C) Access Token
code

81. User-Agent Flow
• RIA loads resource
• resource redirects browser to PR
• PR redirects browser to resource
• resource magically gets access token, stores
in cookie

82. AS
PR
User
Device Flow
Client
(A) Credentials
(E) AT & RT
(F) Access Token
(B) code
(D) code
(C) code

83. AS
PR
Username and Password Flow
(A) password
(B) AT & RT
(C) Access Token
Client

84. AS
PR
Client
Client Credential Flow
(A) Credentials
(B) Access Token
(C) Access Token

85. AS
PR
Assertion Flow
(A) Assertion eg. SAML
(B) Access Token
(C) Access Token
Client

86. optional signatures
• token secret obtained with access token
• request string
[timestamp],[nonce],
hmac-sha256,GET,example.com:80,
http://example.com/resource
• hmac-sha256 signature using token secret
• IN FLUX!

87. identity service

88. OAuth Future
• Standard Token
• Public Key
• Discovery
- Authorization Server
- Scope
• Dynamic Client Registration

89. Summary
• OAuth 2.0 standard real-soon-now
• simpler to implement
• claims based architecture
• user and access delegation
• sort of an identity service

90. Q&A