OAuth 2.0 Integration Patterns with XACML
![Page 1: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/1.jpg)
Prabath Siriwardena, Senior Architect & Chair, Integration MC
![Page 2: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/2.jpg)
![Page 3: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/3.jpg)
![Page 4: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/4.jpg)
![Page 5: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/5.jpg)
![Page 6: OAuth 2.0 Integration Patterns with XACML](https://reader034.vdocuments.us/reader034/viewer/2022052411/55756faad8b42a2e248b5034/html5/thumbnails/6.jpg)
Problems with the traditional approach, in which a third party is handed the resource owner's own credentials (quoted from the OAuth 2.0 specification, RFC 6749, section 1):

• Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
• Servers are required to support password authentication, despite the security weaknesses created by passwords.
• Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
• Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.
• Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
• Complexity in validating and generating signatures.
• No clear separation between Resource Server and Authorization Server.
• Browser-based redirections.
Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user.

Resource Server
• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Client
• An application making protected resource requests on behalf of the resource owner and with its authorization.

Authorization Server
• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Grant Types
• Authorization Code
• Implicit
• Resource Owner Password Credentials
• Client Credentials
OAuth Handshake (diagram slides, one sequence per grant type in the order listed above; only the labels are recoverable)

• Authorization Code: Scope; Confidential Client Type: Web Application; Client Authenticates to AuthZ Server with BasicAuth (client_id / client_secret).
• Implicit: Scope; Public Client Type: User Agent based Application; Anonymous Clients (no client authentication).
• Resource Owner Password Credentials: Scope; Confidential Client Type; BasicAuth.
• Client Credentials: Scope; Confidential Client Type; BasicAuth.
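The handshake slides reduce client authentication to the label BasicAuth client_id / client_secret. The following Python is an added example, not code from the deck or from any product it describes, showing what a token endpoint has to do with that header: decode it the way RFC 6749 section 2.3.1 prescribes (client_id and client_secret are form-urlencoded before being joined and base64-encoded, so a '+' or '/' in a secret survives the trip), compare the secret in constant time, and refuse the password and client credentials grants, which the slides reserve for confidential clients, when no client has authenticated. The client registry, client ids and secrets are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed client registry (assumption: the deck shows no registry). Secrets are
# stored hashed; a public client (user-agent based application) has no secret at all.
CLIENTS = {
    "web-app": {"type": "confidential", "secret_hash": hashlib.sha256(b"s3cr3t/+=").hexdigest()},
    "spa": {"type": "public", "secret_hash": None},
}
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()  # compared against when the client is unknown
TOKEN_GRANTS = {"authorization_code", "password", "client_credentials", "refresh_token"}


def basic_header(client_id, client_secret):
    """Client side (RFC 6749 section 2.3.1): form-urlencode both values, join with ':',
    then base64-encode. Without the urlencoding a ':' or '+' in a secret breaks parsing."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def parse_basic(header):
    """Server side: return (client_id, client_secret) or None if the header is malformed."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(secret)


def authenticate_client(header):
    """Return the client_id if the Basic credentials belong to a confidential client."""
    creds = parse_basic(header)
    if creds is None:
        return None
    client_id, secret = creds
    client = CLIENTS.get(client_id)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Always run the constant-time compare so unknown ids cost the same as wrong secrets.
    stored = client["secret_hash"] if client and client["type"] == "confidential" else DUMMY_HASH
    ok = hmac.compare_digest(presented, stored)
    if client is None or client["type"] != "confidential" or not ok:
        return None
    return client_id


def handle_token_request(headers, form):
    """Gate a token request. Returns (client_id, None) or (None, error) using the
    error codes of RFC 6749 section 5.2."""
    grant = form.get("grant_type")
    if grant not in TOKEN_GRANTS:
        return None, "unsupported_grant_type"
    auth = headers.get("Authorization")
    if auth is not None:
        client_id = authenticate_client(auth)
        # A client_id in the body must not contradict the authenticated client.
        if client_id is None or form.get("client_id", client_id) != client_id:
            return None, "invalid_client"
        return client_id, None
    # No client authentication: acceptable only for a registered public client, and only
    # for the authorization code grant; password and client credentials are reserved for
    # confidential clients on the deck's handshake slides.
    client = CLIENTS.get(form.get("client_id"))
    if client is None or client["type"] != "public":
        return None, "invalid_client"
    if grant != "authorization_code":
        return None, "unauthorized_client"
    return form["client_id"], None
```

A confidential client that omits the Authorization header and merely sends its client_id in the body is rejected. That is the line between identification and authentication, and an endpoint that blurs it turns a leaked client_id into a usable credential.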
Runtime

Token types at runtime: Bearer vs. MAC

Bearer
• Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).

MAC
• HTTP MAC access authentication scheme: the client holds a key issued together with the token and signs each request with it, so presenting the token string alone is not enough.
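The two runtime token types differ in what the resource server actually checks. The following Python is an added example (not from the deck) of both checks side by side: a bearer lookup, and a MAC verifier modelled on the HTTP MAC access authentication draft (draft-ietf-oauth-v2-http-mac), which recomputes an HMAC over the timestamp, nonce, method, request-URI, host and port of the request it actually received and refuses replays. The key id, key, bearer token string and request values are constructed for the example, and the normalized request string layout follows one revision of that draft, which changed between revisions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed credentials (the deck shows none): the authorization server issues the key
# id and key alongside the access token over TLS; the resource server keeps the same pair
# in its token store, and the key itself never travels with a request.
MAC_KEYS = {"h480djs93hd8": b"adijq39jdlaska9asud"}
TIME_WINDOW = 300  # seconds of clock skew the resource server tolerates
# Bearer token for contrast: the string itself is the only thing checked.
BEARER_TOKENS = {"mF_9.B5f-4.1JqM"}


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Canonical request the MAC covers, after the draft-ietf-oauth-v2-http-mac layout:
    timestamp, nonce, upper-case method, request-URI, lower-case host, port and ext,
    each terminated by a newline (assumption: drafts varied; apply one layout on both sides)."""
    parts = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, nrs):
    return base64.b64encode(hmac.new(key, nrs.encode(), hashlib.sha256).digest()).decode()


def mac_header(key_id, key, ts, method, request_uri, host, port, nonce=None):
    """Client side: sign this request and return the Authorization header value."""
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, request_uri, host, port))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


class MacVerifier:
    """Resource server side: recompute the MAC over the request actually received, so a
    header lifted from one request fails on any other, and reject replays of the same one."""

    def __init__(self, keys):
        self.keys = keys
        self.seen = set()  # (key id, ts, nonce) triples already accepted

    def verify(self, header, now, method, request_uri, host, port):
        scheme, _, params = header.partition(" ")
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', params))
        if scheme.lower() != "mac" or not {"id", "ts", "nonce", "mac"} <= attrs.keys():
            return False
        key = self.keys.get(attrs["id"])
        if key is None or not attrs["ts"].isdigit():
            return False
        ts = int(attrs["ts"])
        if abs(now - ts) > TIME_WINDOW:
            return False  # stale: bounds how long a captured header stays useful
        replay_key = (attrs["id"], ts, attrs["nonce"])
        if replay_key in self.seen:
            return False  # same timestamp and nonce already accepted: replay
        nrs = normalized_request_string(ts, attrs["nonce"], method, request_uri,
                                        host, port, attrs.get("ext", ""))
        if not hmac.compare_digest(compute_mac(key, nrs), attrs["mac"]):
            return False
        self.seen.add(replay_key)
        return True


def verify_bearer(header):
    """Bearer check: anyone holding the token string passes, as many times as they like."""
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and token in BEARER_TOKENS
```

A MAC header captured from GET /dog/scooby/medication fails against any other request and fails a second time against the same one, while a captured bearer header verifies forever; that is the property the bearer definition above is warning about. In production the seen-nonce set only needs to retain entries for TIME_WINDOW seconds.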
Actions on the Dog resource (the Scooby example used in the scenarios below): Feed, Clean, Take out, Medication
XACML
• The de-facto standard for fine-grained, attribute-based authorization
• PAP / PDP / PEP / PIP (Policy Administration, Decision, Enforcement and Information Points)
• XML based policies

Policy Enforcement Point
Mapping OAuth concepts onto XACML request attributes:

| OAuth | XACML |
|---|---|
| Client | Subject |
| Resource Owner | Subject |
| Scope | Action + Resource |

Attributes carried in the authorization request: Client, Resource Owner, Resource, Scope, Action
Authorization Rules

Rule 1: Only the resource owner will be able to access any resource during the weekend and after 9 PM on weekdays.

Sample requests evaluated against Rule 1 (outcomes follow from the rule):

• Client : Foo, Day : Monday, Time : 4 PM, Resource : Bar, Scope = "Scooby"+"medication" : not restricted by this rule (weekday, before 9 PM).
• Client : Foo, Day : Monday, Time : 10 PM, Resource : Bar, Scope = "Scooby"+"medication" : denied (after 9 PM and the requester is not the resource owner).
• Resource Owner : Foo, Day : Monday, Time : 10 PM, Resource : Bar, Scope = "Scooby"+"medication" : permitted (the resource owner is exempt).
Rule 2: Only the resource owner will be able to perform the Feed and Take Out actions on the Dog resource.

Sample requests evaluated against Rule 2:

• Client : Foo, Day : Monday, Time : 4 PM, Resource : Bar, Scope = "Scooby"+"feed" : denied (feed is reserved for the resource owner, whatever the time).
• Resource Owner : Foo, Day : Monday, Time : 10 PM, Resource : Bar, Scope = "Scooby"+"feed" : permitted.
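The mapping table and the two rules above are enough to write down the request context a PEP would build from an OAuth access token and to evaluate the deck's sample requests. The following Python is an added example, not code from the deck or from any XACML engine: it maps Client / Resource Owner onto the XACML subject category and Scope onto resource plus action, serializes the result as a XACML 3.0 Request, and evaluates Rule 1 and Rule 2 with deny-overrides. The scope encoding <resource>+<action>, the urn:example:oauth:subject-role attribute that distinguishes a client from the resource owner, the treatment of Scooby as a Dog resource, and the default Permit when no rule denies are all assumptions made for the example.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
# Hypothetical deployment-specific attribute: whether the subject is the OAuth client or
# the resource owner, since the deck maps both onto the XACML subject category.
SUBJECT_ROLE = "urn:example:oauth:subject-role"
XS = "http://www.w3.org/2001/XMLSchema#"
DATATYPES = {CURRENT_DATETIME: XS + "dateTime"}  # everything else is xs:string
ET.register_namespace("", XACML_NS)


def attributes_from_oauth(subject, role, scope, when):
    """Apply the deck's mapping: Client / Resource Owner -> Subject, Scope -> Action + Resource.
    The deck writes scope as "<resource>+<action>", e.g. Scooby+medication (assumed encoding)."""
    resource, sep, action = scope.partition("+")
    if not sep or not resource or not action:
        raise ValueError("scope must be <resource>+<action>")
    if role not in ("client", "resource-owner"):
        raise ValueError("role must be client or resource-owner")
    return {
        SUBJECT_CAT: {SUBJECT_ID: subject, SUBJECT_ROLE: role},
        RESOURCE_CAT: {RESOURCE_ID: resource},
        ACTION_CAT: {ACTION_ID: action.lower()},
        ENV_CAT: {CURRENT_DATETIME: when.isoformat()},
    }


def to_xacml_request(attrs):
    """Serialize the attributes as the XACML 3.0 <Request> a PEP sends to the PDP."""
    req = ET.Element(f"{{{XACML_NS}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    for category, values in attrs.items():
        cat = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=category)
        for attr_id, value in values.items():
            attr = ET.SubElement(cat, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue",
                          DataType=DATATYPES.get(attr_id, XS + "string")).text = value
    return ET.tostring(req, encoding="unicode")


def rule_after_hours(attrs):
    """Rule 1 from the deck: only the resource owner may access any resource on weekends
    or after 9 PM on weekdays (9:00 PM itself counts as after hours here)."""
    when = datetime.fromisoformat(attrs[ENV_CAT][CURRENT_DATETIME])
    after_hours = when.weekday() >= 5 or when.hour >= 21
    if after_hours and attrs[SUBJECT_CAT][SUBJECT_ROLE] != "resource-owner":
        return "Deny"
    return "NotApplicable"


def rule_owner_only_actions(attrs):
    """Rule 2 from the deck: only the resource owner may Feed or Take Out the Dog resource
    (every named dog such as Scooby is treated as a Dog resource; assumption)."""
    owner_only = {"feed", "take out"}
    if attrs[ACTION_CAT][ACTION_ID] in owner_only and attrs[SUBJECT_CAT][SUBJECT_ROLE] != "resource-owner":
        return "Deny"
    return "NotApplicable"


RULES = [rule_after_hours, rule_owner_only_actions]


def decide(attrs):
    """Deny-overrides across the deck's rules. Nothing denied means Permit, on the assumption
    that the resource owner already consented to the scope during the OAuth handshake."""
    return "Deny" if any(rule(attrs) == "Deny" for rule in RULES) else "Permit"


def authorize(subject, role, scope, when):
    """PEP entry point: build the request context from the token's attributes, then decide."""
    return decide(attributes_from_oauth(subject, role, scope, when))
```

authorize("Foo", "client", "Scooby+medication", Monday 10 PM) returns Deny and the same request from the resource owner returns Permit, matching the deck's scenarios. With a real engine the PEP would send the serialized Request over the wire and the PDP would evaluate the equivalent XML policy instead of calling decide() in-process.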