OAuth 2.0 Updates #technight

Posted on 08-May-2015


DESCRIPTION

Presentation about the latest OAuth 2.0 spec updates (draft 20), given at OpenID TechNight #7 in Tokyo.

TRANSCRIPT

OAuth 2.0 Updates

OpenID TechNight #7

@nov

OpenID Foundation Japan Translation & Education WG

Translated OpenID 2.0, OAuth 1.0 & 2.0 specs

Web Developer @ iKnow!

OAuth.jp

Ruby Libraries

rack-oauth2, fb_graph, paypal-express etc.


OAuth in 5 min


Current Trend

Mobile, Game, Social

API Integration

Access Control for APIs


API Integration

Basic Auth

"I'm using the same password on 10+ services."

OAuth

No password sharing

Limited access lifetime: expire after N weeks

Limited access scope: Status Update: OK / Read Inbox: NG (not allowed)

OAuth Everywhere

Mobile, Social Game

B2B is slow, though...

Rough History

2007.12 OAuth 1.0 (Twitter API)

2010.04 OAuth 2.0 draft 0 (Facebook Graph API)

2010.07 draft 10 (mixi Graph API)

2011.07 draft 20 (review by 8/12)

Latest Spec: http://j.mp/oauth2_20

[Roles diagram: the Resource Owner authorizes Client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client presents the Access Token to the Resource Server for API access.]

OAuth 2.0 is split into two specs:

Core Spec (how the Client obtains an Access Token: Resource Owner, Client, Authorization Server)

Token Type Spec (how the Client uses the Access Token for API access at the Resource Server)

Core Spec

Response Type (Core)

code: Secure. 2 HTTP requests: require approval, then get the access token.

token: Efficient. 1 HTTP request: both at once.

+ extensions

response_type = code (Resource Owner, Client, Authorization Server)

1. Initiate
2. Require Approval
3. Approve
4. Code (Authorization Server to the resource owner's browser)
5. Code (browser to the Client)
6. Access Token (the Client exchanges the Code at the Authorization Server)

response_type = token (Resource Owner, Client, Authorization Server)

1. Initiate
2. Require Approval
3. Approve
4. Access Token (returned directly on the redirect; there is no Code step)

Client Type (Core)

Confidential: has a client secret. E.g. web app

Public: no client secret. E.g. mobile/JS app

response_type = code, in detail (Resource Owner, Client, Authorization Server)

1. Initiate: the resource owner starts the flow at the Client.
2. Require Approval: the Client sends the resource owner's browser to the Authorization Server with
   client_id=...&response_type=code&redirect_uri=https://...
3. Approve: the resource owner approves the Client's access.
4. Code: the Authorization Server redirects the browser back to redirect_uri carrying the Code.
5. Code: the browser delivers the Code to the Client.
6. Access Token: the Client presents the Code at the Authorization Server's token endpoint with
   code=...&client_id=...&client_secret=...&redirect_uri=https://...
   and receives the Access Token.

Public clients CANNOT do Client Authentication

"client_secret" is NOT REQUIRED for public clients

Rely on "redirect_uri" verification instead

Public clients MUST pre-register "redirect_uri"
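The code flow and the public/confidential client rules above, as an added example written for this page in Ruby (not the presenter's rack-oauth2 code): a minimal in-memory authorization server that requires an exact match against the pre-registered redirect_uri, authenticates confidential clients with client_secret, binds a public client's code to its client_id and redirect_uri instead, and makes codes single-use and short-lived. The client ids, URIs, the 600-second code lifetime and the error strings are assumptions for the example.

```ruby
# Added example for this page (not the presenter's rack-oauth2 code): a minimal
# in-memory OAuth 2.0 authorization server that enforces the draft-20 rules
# from the slides. Client ids, URIs, lifetimes and error strings are assumed.
require 'securerandom'
require 'uri'

class AuthorizationServer
  class Error < StandardError; end

  Client = Struct.new(:client_id, :client_secret, :redirect_uris, :public_client)
  CODE_LIFETIME = 600 # seconds a code stays redeemable (assumed value)

  # now: injectable clock so expiry can be exercised without sleeping
  def initialize(now: -> { Time.now })
    @clients = {}
    @codes   = {} # code => { client_id:, redirect_uri:, scope:, expires_at: }
    @now     = now
  end

  # Confidential client: registered with a secret (e.g. web app).
  # Public client: no secret (mobile/JS app); its full redirect_uri MUST be
  # pre-registered because redirect_uri verification is all the server has.
  def register(client_id:, redirect_uris:, client_secret: nil)
    @clients[client_id] = Client.new(client_id, client_secret, redirect_uris, client_secret.nil?)
  end

  # Authorization endpoint, called after the resource owner approved.
  # Returns the redirect URL carrying the code (and "state", echoed unchanged).
  def authorize(client_id:, response_type:, redirect_uri:, state: nil, scope: 'read')
    client = @clients.fetch(client_id) { raise Error, 'invalid_client' }
    # Exact match against the registered list. Prefix or host-only matching
    # would let an attacker steer the code to a URL under their control.
    raise Error, 'invalid_redirect_uri' unless client.redirect_uris.include?(redirect_uri)
    raise Error, 'unsupported_response_type' unless response_type == 'code'

    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, scope: scope,
                     expires_at: @now.call + CODE_LIFETIME }
    params = { 'code' => code }
    params['state'] = state if state
    "#{redirect_uri}?#{URI.encode_www_form(params)}"
  end

  # Token endpoint. A confidential client proves its identity with
  # client_secret; a public client cannot, so binding the code to the client
  # rests on client_id and redirect_uri matching the authorization request.
  def token(code:, client_id:, redirect_uri:, client_secret: nil)
    client = @clients.fetch(client_id) { raise Error, 'invalid_client' }
    unless client.public_client
      raise Error, 'invalid_client' unless secure_compare(client.client_secret, client_secret.to_s)
    end
    grant = @codes.delete(code) { raise Error, 'invalid_grant' } # codes are single-use
    raise Error, 'invalid_grant' if grant[:expires_at] < @now.call
    raise Error, 'invalid_grant' unless grant[:client_id] == client_id
    raise Error, 'invalid_grant' unless grant[:redirect_uri] == redirect_uri

    { 'access_token' => SecureRandom.urlsafe_base64(32), 'token_type' => 'bearer',
      'expires_in' => 3600, 'scope' => grant[:scope] }
  end

  private

  # Constant-time comparison so the token endpoint does not leak the secret
  # through response timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  as = AuthorizationServer.new
  as.register(client_id: 'webapp', redirect_uris: ['https://web.example/cb'], client_secret: 'top-secret')
  url  = as.authorize(client_id: 'webapp', response_type: 'code',
                      redirect_uri: 'https://web.example/cb', state: 'xyz')
  code = URI.decode_www_form(URI(url).query).to_h['code']
  puts as.token(code: code, client_id: 'webapp', redirect_uri: 'https://web.example/cb',
                client_secret: 'top-secret')
end
```

The ordering in `token` matters: client authentication is checked before the code is looked up, so a confidential client that forgets its secret does not burn the code, while any attempt to redeem a code with the wrong client_id or redirect_uri consumes it.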

response_type = token, in detail (Resource Owner, Client, Authorization Server)

1. Initiate
2. Require Approval: the Client sends the browser to the Authorization Server with
   client_id=...&response_type=token&redirect_uri=https://...
3. Approve
4. Access Token: the Authorization Server redirects the browser back to redirect_uri carrying the Access Token

All clients MUST pre-register "redirect_uri"

Notes (Core)

For Servers

Do you support public clients? Do you need iPhone/Android app support?

Require full redirect URI registration

Narrower scopes / shorter lifetimes for public clients

For Clients

Don't include the client secret in your mobile app

Security Considerations (Core)

Don't issue "client_secret" to public clients

"redirect_uri" verification is important, especially for public clients

Consider a security policy per client type

Use the "state" param against CSRF / code injection attacks

etc.

Attack: code injection (CSRF) without "state" (Attacker, Client, Authorization Server)

1. Initiate: the attacker starts the flow at the Client.
2. Require Approval: the Client sends the attacker to the Authorization Server.
3. Approve: the attacker approves with the attacker's own account.
4. Code: the Authorization Server returns a Code to the attacker's browser.
5. Code: the attacker does not deliver the Code to the Client; instead the attacker makes the victim's browser load the Client's redirect_uri carrying that Code.
6. Access Token: the Client exchanges the injected Code and receives an Access Token for the attacker's account.

Result: the victim ends up logged in to the Client with the attacker's Twitter account.

Mitigation with "state" (Attacker, Client, Authorization Server)

1. The Client generates a random "state", stores it in the user's cookie etc., and sends it with the authorization request.
2. The Authorization Server returns the Code together with the same "state".
3. On the callback, the Client compares the returned "state" with the stored one.
4. For the injected Code the "state" verification fails!!
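The code-injection attack and the "state" mitigation above, as an added example written for this page in Ruby (not the presenter's code): a client that mints a random "state", stores it in a per-browser session (standing in for the cookie on the slide) and refuses a callback whose "state" does not match. A `verify_state: false` switch is included only to show the attack succeeding against a client that skips the check. The endpoint URLs, the session hash and the attacker's code value are assumptions for the example.

```ruby
# Added example for this page (not the presenter's code): an OAuth 2.0 client
# that uses "state" to defeat the code-injection CSRF shown on the slides.
# Endpoint URLs and the session hash (standing in for a cookie) are assumed.
require 'securerandom'
require 'uri'

class OAuthClient
  AUTHORIZE_ENDPOINT = 'https://as.example/authorize' # assumed
  CALLBACK_URI       = 'https://client.example/cb'    # assumed (pre-registered)

  class StateMismatch < StandardError; end

  # session: per-browser store, e.g. a signed cookie or server-side session.
  # verify_state: false reproduces the vulnerable client from the attack slide.
  def initialize(client_id:, session:, verify_state: true)
    @client_id    = client_id
    @session      = session
    @verify_state = verify_state
  end

  # "Initiate": mint an unguessable state, keep it in THIS user's session and
  # send it along with the authorization request. The server echoes it back.
  def authorization_url(scope: 'read')
    state = SecureRandom.urlsafe_base64(24)
    @session[:oauth_state] = state
    "#{AUTHORIZE_ENDPOINT}?" + URI.encode_www_form(
      'client_id' => @client_id, 'response_type' => 'code',
      'redirect_uri' => CALLBACK_URI, 'scope' => scope, 'state' => state
    )
  end

  # Callback (redirect_uri) handler. The code is accepted only if the state in
  # the URL equals the one stored for this browser. An attacker who obtains a
  # code for their own account and makes the victim load the callback URL
  # cannot know the victim's state, so the injected code is never exchanged.
  def handle_callback(callback_url)
    params   = URI.decode_www_form(URI(callback_url).query.to_s).to_h
    expected = @session.delete(:oauth_state) # single-use, consumed either way
    if @verify_state
      received = params['state']
      unless expected && received && expected == received
        raise StateMismatch, '"state" verification failed'
      end
    end
    params.fetch('code') # next step: exchange it at the token endpoint
  end
end

# Simulated attack: the attacker's own flow yielded a code for the attacker's
# account (constructed value); the attacker injects it into the victim's
# browser, guessing a state because the victim's real one is never visible.
def simulate_code_injection(verify_state:)
  victim_session = {}
  client = OAuthClient.new(client_id: 'webapp', session: victim_session,
                           verify_state: verify_state)
  client.authorization_url # victim has a pending flow with a fresh state
  injected = "#{OAuthClient::CALLBACK_URI}?code=CODE-FOR-ATTACKERS-ACCOUNT&state=guess"
  client.handle_callback(injected) # would log the victim in as the attacker
  :attacker_code_accepted
rescue OAuthClient::StateMismatch
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "without state check: #{simulate_code_injection(verify_state: false)}"
  puts "with state check:    #{simulate_code_injection(verify_state: true)}"
end
```

The state is deleted from the session as soon as a callback arrives, whether or not it verifies, so a stored state can never be replayed against a second callback.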

Token Type Spec

[Same roles diagram as above; this part covers the Client's API access to the Resource Server with the Access Token.]

Token Type Spec

Bearer: no signature, no token secret. Mainstream.

MAC: signature, token secret. Similar to OAuth 1.0.

+ extensions

Bearer Token

Access Token Response (example shown on slide)

API Access (Bearer) (example shown on slide)

MAC Token

Access Token Response (example shown on slide)

API Access (MAC) (example shown on slide)

Notes (Token)

For Servers

Access Token Response: set "token_type" to "bearer"

Resource Request: support both the "OAuth" and "Bearer" Authorization header schemes

Support both the "oauth_token" and "access_token" query/body params
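The server-side transition notes above, as an added example written for this page in Ruby (not the presenter's code): resource-server token extraction that accepts the "Bearer" scheme and access_token parameter alongside the legacy "OAuth" scheme and oauth_token parameter, rejects a request that presents a token in more than one place, and reports the bearer error code for the WWW-Authenticate challenge. MAC tokens are not covered. The token store, the request shape and the realm value are assumptions for the example.

```ruby
# Added example for this page (not the presenter's code): resource-server side
# token extraction during the draft-20 transition. It accepts the new
# "Bearer" scheme and access_token parameter as well as the legacy "OAuth"
# scheme and oauth_token parameter, and rejects a request that presents a
# token in more than one place. The token store and request shape are assumed.
require 'uri'

class ResourceServerAuth
  class Unauthorized < StandardError
    attr_reader :error # bearer error code, or nil when no token was sent
    def initialize(error = nil)
      @error = error
      super(error || 'no access token')
    end
  end

  HEADER_SCHEMES = %w[bearer oauth].freeze             # new and legacy scheme
  PARAM_NAMES    = %w[access_token oauth_token].freeze # new and legacy param

  # tokens: token string => { scope: 'read write', expires_at: Time } (assumed store)
  def initialize(tokens)
    @tokens = tokens
  end

  # request: { headers: {'Authorization' => ...}, query: 'k=v&..', body: 'k=v&..' }
  # Returns the token record or raises Unauthorized carrying the error code
  # that belongs in the WWW-Authenticate header of the 401 response.
  def authenticate(request, required_scope: nil, now: Time.now)
    found = []
    if (auth = request.dig(:headers, 'Authorization'))
      scheme, credential = auth.split(' ', 2)
      if scheme && HEADER_SCHEMES.include?(scheme.downcase) && credential
        found << credential.strip
      end
    end
    [request[:query], request[:body]].compact.each do |encoded|
      URI.decode_www_form(encoded).each { |k, v| found << v if PARAM_NAMES.include?(k) }
    end

    raise Unauthorized if found.empty?                       # 401 without an error code
    raise Unauthorized, 'invalid_request' if found.size > 1  # token sent in two places
    record = @tokens[found.first]
    raise Unauthorized, 'invalid_token' if record.nil? || record[:expires_at] <= now
    if required_scope && !record[:scope].split.include?(required_scope)
      raise Unauthorized, 'insufficient_scope'
    end
    record
  end

  # Challenge for the 401 response; the realm value is assumed.
  def www_authenticate(err)
    err.error ? %(Bearer realm="api", error="#{err.error}") : 'Bearer realm="api"'
  end
end

if __FILE__ == $PROGRAM_NAME
  rs = ResourceServerAuth.new('tok1' => { scope: 'read', expires_at: Time.now + 3600 })
  p rs.authenticate({ headers: { 'Authorization' => 'Bearer tok1' } })
  p rs.authenticate({ query: 'oauth_token=tok1' })
  begin
    rs.authenticate({ headers: { 'Authorization' => 'OAuth tok1' }, query: 'access_token=tok1' })
  rescue ResourceServerAuth::Unauthorized => e
    puts rs.www_authenticate(e)
  end
end
```

Accepting the legacy scheme and parameter name keeps clients that have not migrated working; the duplicate-location check is what stops a token in the query string from silently overriding the one in the header.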

For Clients

Move from "OAuth" to "Bearer"

Move from "oauth_token" to "access_token"

Only for Facebook API developers: the access token response will be JSON

Review by 8/12

github.com/nov