48. OAuth 1.0A Issues
• Client implementation pain (crypto)
• Single profile (web app and rich app)
• Tight coupling between authorization and resource
- Scale in large deployments
- Enterprise cloud use case
49. Use Cases
• User Delegation
- Web App
- Rich App (PC, phone, device)
• Authorization Delegation
- Cloud Computing
65. Key WRAP Capabilities
• Claims oriented model
• Separation of AS (Authorization Server) and PR (Protected Resource)
• Delegated Access for users
• Delegated Authorization for PR
• Single PR entry point
• scope parameter
• REQUIRES HTTPS
73. Access Token
• Opaque to client
- Out of scope for OAuth 2.0
• Likely contains:
- Authorization / scope(s) / permission(s) / role(s) / identifier(s)
- Expiration
- AS Signature
74. Refresh Token
• Opaque to client - out of scope for OAuth 2.0
• Issued and consumed by AS
• Contains information needed to issue a new Access Token
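The token model on the Access Token and Refresh Token slides, as an added example that is not from the original deck: the AS mints tokens whose claims (identifier, scopes, expiration) it signs, the PR accepts an access token only after checking the AS signature, expiry and scope, and only the AS consumes a refresh token to mint a new access token. The shared HMAC key, the claim names, the `payload.signature` layout and all function names are assumptions; the slides leave the token format out of scope.

```python
import base64, binascii, hashlib, hmac, json
# Constructed demo key. Assumption: AS and PR share an HMAC key (a real AS would
# more likely sign asymmetrically so the PR holds no secret).
AS_KEY = b"constructed-demo-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _issue(claims: dict) -> str:
    """Serialise the claims and append the AS signature over them."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(AS_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def _verify(token: str, typ: str):
    """Check the signature before trusting any claim; None on any failure."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(AS_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims if claims.get("typ") == typ else None  # no type confusion

def issue_access_token(subject, scopes, ttl, now) -> str:
    """AS: mint an access token carrying identifier, scopes and expiration."""
    return _issue({"typ": "access", "sub": subject,
                   "scope": sorted(scopes), "exp": int(now + ttl)})

def issue_refresh_token(subject, scopes) -> str:
    """AS: mint a refresh token holding what is needed to re-issue access."""
    return _issue({"typ": "refresh", "sub": subject, "scope": sorted(scopes)})

def check_at_pr(token, required_scope, now):
    """PR: accept the token only if AS-signed, unexpired and in scope."""
    claims = _verify(token, "access")
    if claims is None or claims["exp"] <= now:
        return None
    return claims if required_scope in claims["scope"] else None

def refresh_access_token(refresh_token, ttl, now):
    """AS: consume a refresh token and mint a new access token (None if bad)."""
    claims = _verify(refresh_token, "refresh")
    return None if claims is None else issue_access_token(
        claims["sub"], claims["scope"], ttl, now)
```

`now` is passed explicitly (Unix time) so the expiry checks are deterministic; a deployment would read the clock.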
88. OAuth Future
• Standard Token
• Public Key
• Discovery
- Authorization Server
- Scope
• Dynamic Client Registration
89. Summary
• OAuth 2.0 standard real-soon-now
• Simpler to implement
• Claims based architecture
• User and access delegation
• Sort of an identity service