OAuth 2.0 Updates

Upload: nov-matake

Posted on 08-May-2015

DESCRIPTION

Presentation about the latest OAuth 2.0 spec updates (draft 20), given at OpenID TechNight #7 in Tokyo.

TRANSCRIPT

Page 1: OAuth 2.0 Updates #technight

OAuth 2.0 Updates

Page 2: OAuth 2.0 Updates #technight

OpenID TechNight #7

@nov

OpenID Foundation Japan Translation & Education WG

Translated OpenID 2.0, OAuth 1.0 & 2.0 specs

Web Developer @ iKnow!

OAuth.jp

Ruby Libraries

rack-oauth2, fb_graph, paypal-express etc.

Page 3: OAuth 2.0 Updates #technight

OAuth in 5 min

Page 4: OAuth 2.0 Updates #technight

Current Trend

Mobile, Game, Social

Page 5: OAuth 2.0 Updates #technight

API Integration

Access Control for APIs

Page 6: OAuth 2.0 Updates #technight

API Integration

Basic Auth

Page 8: OAuth 2.0 Updates #technight

I’m using the same password on 10+ services.

Page 9: OAuth 2.0 Updates #technight

OAuth

No password sharing

Limited access lifetime

Expire after N weeks

Limited access scope

Status Update: OK

Read Inbox: NG

Page 10: OAuth 2.0 Updates #technight

OAuth Everywhere

Mobile, Social, Game

Page 11: OAuth 2.0 Updates #technight

B2B is slow though...

Page 12: OAuth 2.0 Updates #technight

Rough History

Page 13: OAuth 2.0 Updates #technight

2007.12 OAuth 1.0

Page 14: OAuth 2.0 Updates #technight

Twitter API

Page 15: OAuth 2.0 Updates #technight

2010.04 OAuth 2.0 (draft 0)

Page 16: OAuth 2.0 Updates #technight

Facebook Graph API

Page 17: OAuth 2.0 Updates #technight

2010.07 draft 10

Page 18: OAuth 2.0 Updates #technight

mixi Graph API

Page 20: OAuth 2.0 Updates #technight

2011.07 draft 20

Page 21: OAuth 2.0 Updates #technight

Review by 8/12

Page 22: OAuth 2.0 Updates #technight

Latest Spec: http://j.mp/oauth2_20

Page 23: OAuth 2.0 Updates #technight

[Diagram of the four roles: the Resource Owner authorizes Client access at the Authorization Server; the Authorization Server issues an Access Token to the Client; the Client presents the Access Token to the Resource Server for API Access.]

Page 26: OAuth 2.0 Updates #technight

Core Spec: obtaining the Access Token (Resource Owner, Client, Authorization Server)

Token Type Spec: using the Access Token for API Access (Client, Resource Server)

Page 27: OAuth 2.0 Updates #technight

Core Spec

Page 28: OAuth 2.0 Updates #technight

Response Type

Code: Secure. 2 HTTP requests (Require Approval, then Get Access Token).

Token: Efficient. 1 HTTP request (both at once).

+ extensions

Core

Page 29: OAuth 2.0 Updates #technight

response_type = code

[Sequence diagram: Resource Owner, Client, Authorization Server]

Resource Owner → Client: Initiate
Authorization Server → Resource Owner: Require Approval
Resource Owner → Authorization Server: Approve
Authorization Server → Client: Code
Client → Authorization Server: Code
Authorization Server → Client: Access Token

Core

Page 30: OAuth 2.0 Updates #technight

response_type = token

[Sequence diagram: Resource Owner, Client, Authorization Server]

Resource Owner → Client: Initiate
Authorization Server → Resource Owner: Require Approval
Resource Owner → Authorization Server: Approve
Authorization Server → Client: Access Token

Core

Page 31: OAuth 2.0 Updates #technight

Client Type

Confidential: has a client secret (e.g. web app)

Public: no client secret (e.g. mobile/JS app)

Core

Page 32: OAuth 2.0 Updates #technight

response_type = code, with the request parameters

[Sequence diagram: Resource Owner, Client, Authorization Server]

Resource Owner → Client: Initiate
Client → Authorization Server (authorization request): client_id=...&response_type=code&redirect_uri=https://...
Authorization Server → Resource Owner: Require Approval
Resource Owner → Authorization Server: Approve
Authorization Server → Client: Code
Client → Authorization Server (token request): code=...&client_id=...&client_secret=...&redirect_uri=https://...
Authorization Server → Client: Access Token

Public clients CANNOT do Client Authentication

“client_secret” is NOT REQUIRED for public clients

Rely on “redirect_uri” verification instead

Public clients MUST pre-register “redirect_uri”

Core

Page 35: OAuth 2.0 Updates #technight

response_type = token, with the request parameters

[Sequence diagram: Resource Owner, Client, Authorization Server]

Resource Owner → Client: Initiate
Client → Authorization Server (authorization request): client_id=...&response_type=token&redirect_uri=https://...
Authorization Server → Resource Owner: Require Approval
Resource Owner → Authorization Server: Approve
Authorization Server → Client: Access Token (returned in the redirect; there is no separate token request)

All clients MUST pre-register “redirect_uri”

Core

Page 37: OAuth 2.0 Updates #technight

Notes

For Servers

Do you support public clients? Do you need iPhone/Android app support?

Require full redirect URI registration

Narrower scopes / shorter lifetime for public clients

For Clients

Don’t include a client secret in your mobile app

Core

Page 38: OAuth 2.0 Updates #technight

Security Considerations

Don’t issue “client_secret” to public clients

“redirect_uri” verification is important especially for public clients

Consider security policy per client type

Use “state” param against CSRF / code injection attack

etc.

Core

Page 39: OAuth 2.0 Updates #technight

Code injection without “state”

[Sequence diagram: Attacker, Client, Authorization Server]

Attacker → Client: Initiate
Authorization Server → Attacker: Require Approval
Attacker → Authorization Server: Approve (with the attacker’s own account)
Authorization Server → Attacker: Code (the attacker keeps it instead of letting the redirect reach the Client)
Attacker → Client: Code (delivered through the victim’s browser, e.g. a crafted callback link)
Client → Authorization Server: Code
Authorization Server → Client: Access Token

Page 40: OAuth 2.0 Updates #technight

Result: the victim’s session at the Client is logged in with the attacker’s Twitter account.

Page 41: OAuth 2.0 Updates #technight

[The same sequence, with “state”]

Attacker → Client: Initiate
Client → Authorization Server: State (the Client stores “state” in a Cookie etc. of the browser that initiated)
Authorization Server → Attacker: Require Approval
Attacker → Authorization Server: Approve
Authorization Server → Attacker: Code + State
Attacker → Client (through the victim’s browser): Code + State
Client: “state” verification failed!! (the victim’s browser carries no cookie matching that State)
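How the “state” check of Page 41 looks in code, added here as an example that is not from the slides: the client generates an unguessable state per login attempt, keeps it in the browser session, and refuses any callback whose state does not match, so a code planted by an attacker through the victim’s browser is never exchanged. A plain Hash stands in for the cookie-backed session store; that, and the endpoint and client values, are assumptions of the example.

```ruby
require 'uri'
require 'securerandom'

# Client side: start a login. `session` is a per-browser store (a Hash here, standing in
# for a cookie-backed session). The state is fresh for every attempt and never reused.
def start_login(session, authorize_endpoint, client_id, redirect_uri)
  state = SecureRandom.urlsafe_base64(32)   # unguessable, 256 bits
  session[:oauth_state] = state
  authorize_endpoint + '?' + URI.encode_www_form(
    response_type: 'code', client_id: client_id, redirect_uri: redirect_uri, state: state
  )
end

# Compare two strings without leaking where they differ.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: the redirect_uri handler. The code is accepted only if the "state"
# echoed back by the authorization server equals the one this browser session started
# with. An attacker feeding their own code through the victim's browser either sends no
# state or their own, and neither matches the victim's session.
def handle_callback(session, query)
  params = URI.decode_www_form(query).to_h
  expected = session.delete(:oauth_state)    # consume it: one callback per login attempt
  return [:rejected, 'state mismatch'] unless constant_time_equal?(expected, params['state'])
  return [:rejected, 'missing code'] unless params['code']
  [:accepted, params['code']]   # only now is it safe to exchange the code for a token
end
```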

Page 42: OAuth 2.0 Updates #technight

Token Type Spec

[Same role diagram as Page 23; this part covers the API Access step, where the Client presents the Access Token to the Resource Server.]

Page 43: OAuth 2.0 Updates #technight

Token Type Spec

Bearer: no signature, no token secret. Mainstream.

MAC: signature, token secret. Similar to OAuth 1.0.

+ extensions

Token

Page 44: OAuth 2.0 Updates #technight

Bearer Token

Access Token Response

Token

Page 45: OAuth 2.0 Updates #technight

API Access (Bearer)

Token

Page 46: OAuth 2.0 Updates #technight

MAC Token

Access Token Response

Token

Page 47: OAuth 2.0 Updates #technight

API Access (MAC)

Token
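MAC token signing on the client and verification on the resource server, added here as an example that is not part of the slides. The header attributes and the normalized request string follow draft-hammer-oauth-v2-mac-token (the MAC token draft in circulation alongside draft 20) as I read it: timestamp, nonce, upper-case method, request-URI, lower-case host, port and ext, each followed by a newline, HMAC’d with the mac_key from the access token response and base64-encoded. The token id, key, timestamp, nonce and the 300 s replay window are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'set'

# Normalized request string per draft-hammer-oauth-v2-mac-token: each element followed by "\n".
def mac_normalized_string(ts, nonce, method, request_uri, host, port, ext = '')
  [ts.to_s, nonce, method.upcase, request_uri, host.downcase, port.to_s, ext].join("\n") + "\n"
end

# HMAC over the normalized string, strict base64 (pack('m0') adds no line breaks).
def mac_signature(mac_key, mac_algorithm, normalized)
  digest = { 'hmac-sha-1' => 'SHA1', 'hmac-sha-256' => 'SHA256' }.fetch(mac_algorithm) do
    raise ArgumentError, "unsupported mac_algorithm #{mac_algorithm}"
  end
  [OpenSSL::HMAC.digest(digest, mac_key, normalized)].pack('m0')
end

# Client side: the Authorization header for one request. `token` holds what the access
# token response delivered: access_token (the key id), mac_key and mac_algorithm.
def mac_authorization_header(token, method, request_uri, host, port,
                             ts: Time.now.to_i, nonce: SecureRandom.hex(8))
  normalized = mac_normalized_string(ts, nonce, method, request_uri, host, port)
  mac = mac_signature(token[:mac_key], token[:mac_algorithm], normalized)
  %(MAC id="#{token[:access_token]}", ts="#{ts}", nonce="#{nonce}", mac="#{mac}")
end

def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse `MAC id="...", ts="...", nonce="...", mac="..."` into a Hash; nil if not a MAC header.
def parse_mac_header(header)
  return nil unless header.is_a?(String) && header.start_with?('MAC ')
  header[4..-1].scan(/(\w+)="([^"]*)"/).to_h
end

# Resource server side: recompute the MAC from the request as actually received, require
# the timestamp to be inside the window, and refuse an (id, ts, nonce) seen before.
# `tokens` maps key id to the token record; `seen_nonces` is a Set kept by the server.
def verify_mac_request(header, method, request_uri, host, port, tokens, seen_nonces,
                       now: Time.now.to_i, window: 300)
  attrs = parse_mac_header(header)
  return false unless attrs && %w[id ts nonce mac].all? { |k| attrs.key?(k) }
  token = tokens[attrs['id']]
  return false unless token
  ts = attrs['ts'].to_i
  return false if (now - ts).abs > window
  return false unless seen_nonces.add?([attrs['id'], ts, attrs['nonce']])  # replay
  expected = mac_signature(token[:mac_key], token[:mac_algorithm],
                           mac_normalized_string(ts, attrs['nonce'], method, request_uri, host, port, attrs['ext'].to_s))
  constant_time_equal?(expected, attrs['mac'])
end
```

Unlike a bearer token, an intercepted MAC header is useless for any other request: the method, URI, host and port are under the signature, and the nonce set stops a replay of the same one.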

Page 48: OAuth 2.0 Updates #technight

Notes

For Servers

Access Token Response

Set “token_type” as “bearer”

Resource Request

Support both “OAuth” and “Bearer” auth header

Support both “oauth_token” and “access_token” query/body params

Token

Page 49: OAuth 2.0 Updates #technight

Notes

For Clients

Move from “OAuth” to “Bearer”

Move from “oauth_token” to “access_token”

Only for Facebook API developers

Access token response will be JSON

Token
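The server-side notes of Pages 48 and 49 as code, added here as an example (not the slides’ code, nor any library’s): the JSON access token response with token_type set to “bearer”, and a resource server that accepts both the “Bearer” and the older “OAuth” Authorization header scheme and both the “access_token” and the legacy “oauth_token” parameter names during the migration, while refusing a request that sends the token more than one way. The request env is a constructed Rack-like Hash (HTTP_AUTHORIZATION, QUERY_STRING, CONTENT_TYPE, BODY); the realm, the token store and the scope value are assumptions.

```ruby
require 'json'
require 'uri'

# Authorization server: the access token response for a bearer token. draft 20 makes
# "token_type" required; "bearer" is the value registered by the Bearer token spec.
def access_token_response(access_token, expires_in:, scope: nil)
  body = { 'access_token' => access_token, 'token_type' => 'bearer', 'expires_in' => expires_in }
  body['scope'] = scope if scope
  headers = { 'Content-Type' => 'application/json', 'Cache-Control' => 'no-store', 'Pragma' => 'no-cache' }
  [200, headers, JSON.generate(body)]
end

# Characters allowed in a bearer token on the wire (the Bearer draft's b64token form).
B64TOKEN = %r{\A[A-Za-z0-9\-._~+/]+=*\z}

# Resource server: pull the access token out of a request. Accepts the "Bearer" scheme
# of the current draft and the older "OAuth <token>" form, and the "access_token" and
# legacy "oauth_token" names in the query string or a form body, so old clients keep
# working. Returns nil when no token was sent, and also when more than one was sent,
# because a client must use exactly one method per request.
def extract_bearer_token(env)
  found = []
  if (m = env['HTTP_AUTHORIZATION'].to_s.match(/\A(?:Bearer|OAuth)\s+(\S+)\z/i)) && m[1] =~ B64TOKEN
    found << m[1]
  end
  query = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  found << (query['access_token'] || query['oauth_token']) if query['access_token'] || query['oauth_token']
  if env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
    form = URI.decode_www_form(env['BODY'].to_s).to_h
    found << (form['access_token'] || form['oauth_token']) if form['access_token'] || form['oauth_token']
  end
  found.size == 1 ? found.first : nil
end

# Protect a resource: 401 with a WWW-Authenticate challenge when the token is missing or
# not recognised. `valid_tokens` maps token string to its record (granted scope here).
def protected_resource(env, valid_tokens)
  token = extract_bearer_token(env)
  return [401, { 'WWW-Authenticate' => 'Bearer realm="api"' }, ''] unless token
  record = valid_tokens[token]
  unless record
    return [401, { 'WWW-Authenticate' => 'Bearer realm="api", error="invalid_token"' }, '']
  end
  [200, { 'Content-Type' => 'application/json' }, JSON.generate('scope' => record[:scope])]
end
```

Because a bearer token is all an attacker needs, the token response is marked no-store and the resource server should only ever be reached over TLS; the query-string form in particular ends up in server logs and Referer headers, which is one reason the header form is preferred.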

Page 50: OAuth 2.0 Updates #technight

Review by 8/12

Page 51: OAuth 2.0 Updates #technight

github.com/nov