Introduction to Spring OAuth
Volvo IT
Go Through
1. Why Study about OAuth?
2. Introduction
3. Terminology
4. Specification Structure
5. Protocol Workflow
6. Overview
7. Advantages & Disadvantages
Spring OAuth2
Why Study about OAuth?
Do you care about these sites?
Security
OAuth in a Nut Shell
Practical Example
Without OAuth (slides 9-11, image only)
With OAuth (slides 12-15, image only)
Why is OAuth required?
What are the limitations of passwords?
Trust – users are reluctant to trust a third party with their password
More access than required
No support for granular permissions
Phishing – sharing passwords with third parties encourages phishing
Lower reliability of API integrations
Access cannot be revoked once it has been granted
Introduction
OAuth adds a third role, the resource owner, to the traditional client-server authentication model.
OAuth is an open authorization protocol which enables applications to access each other's data.
The client, acting on behalf of the resource owner, requests access to resources hosted by the server.
OAuth has built-in support for desktop applications, mobile devices, set-top boxes and, of course, websites.
Cont…
The OAuth authorization process also uses a set of temporary credentials which are used to identify the authorization request.
Terminology
OAuth involves three parties: the consumer (client), the service provider (server), and the user (resource owner).
The client is the application requesting access to the resources stored on the server.
The server is the host of those resources.
The resource owner is the person or application that owns the data that is to be shared.
Cont…
A protected resource is stored on the server and requires authentication in order to access it. It is owned or controlled by the resource owner.
Anyone requesting access to a protected resource must be authorized to do so by the resource owner. Examples: photos, documents, contacts.
2-legged, 3-legged, n-legged OAuth: the number of legs used to describe an OAuth request typically refers to the number of parties involved.
In the simplest OAuth flow, with a client, a server and a resource owner, the flow is described as 3-legged.
Credentials and Tokens
OAuth uses three kinds of credentials:
1. Client credentials (consumer key and secret).
2. Temporary credentials (request token and secret).
3. Token credentials (access token and secret).
The client credentials are used to authenticate the client. This allows the server to collect information about the clients using its services.
The OAuth authorization process also uses a set of temporary credentials which are used to identify the authorization request. In order to accommodate different kinds of clients
Token credentials are used in place of the resource owner's username and password. The client uses the token credentials to access the protected resource without having to know the resource owner's password.
Specification Structure
The OAuth specification consists of two parts:
1. A redirection-based browser process for end users to authorize client access to their resources. The user authenticates directly with the server, which then provisions tokens to the client.
2. A method for making authenticated HTTP requests using two sets of credentials, one identifying the client making the request and the other identifying the resource owner on whose behalf the request is being made.
Cont…
The outline of the OAuth 1.0 protocol specification:
1. Introduction: the terminology sub-section defines the terms used and their relation to the HTTP specification.
2. Redirection-Based Authorization: the process in which the user is redirected to the server to grant access, in three steps: obtaining temporary credentials, requesting resource owner authorization, and obtaining token credentials.
3. Authenticated Requests: describes how the client makes authenticated HTTP requests, how the server verifies them, and the various steps and cryptographic options available.
4. Security Considerations: a comprehensive list of issues which can greatly affect the security properties of any given implementation.
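The "authenticated requests" part of the specification (the second part described above, and section 3 of the outline) is easiest to understand in code. The following Python is an added example, not code from the slides, from Volvo IT or from the Spring Security OAuth project. It builds the RFC 5849 signature base string, signs a request with HMAC-SHA1 on the client side using the client secret and the token secret together, and verifies it on the server side, adding the timestamp-window and nonce-replay checks that the Security Considerations section calls for. The consumer key, secrets, token, nonce and timestamp are constructed sample values in the shape of the specification's photo-fetch example, and ResourceServer is an illustrative class, not a real API.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing on the client and verification on the server.

Added example, not code from the slides or from Spring Security OAuth. All key,
secret, token, nonce and timestamp values below are constructed samples.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """Section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme and host, default port dropped, no query or fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Section 3.4.1: METHOD '&' enc(base URI) '&' enc(normalized parameters).

    Parameters are the URL query plus the oauth_* protocol parameters, minus
    oauth_signature and realm; each name and value is encoded, then the pairs
    are sorted by name and value and joined with '=' and '&'.
    """
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    pairs.sort()
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = enc(client secret) '&' enc(token secret); the '&' stays even with no token."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method: str, url: str, oauth_params: dict, client_secret: str, token_secret: str = "") -> dict:
    """Client side: return the protocol parameters with oauth_signature filled in."""
    base = signature_base_string(method, url, oauth_params)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, client_secret, token_secret))


class ResourceServer:
    """Server side (illustrative class): signature, timestamp-window and nonce-replay checks."""

    def __init__(self, client_secrets: dict, token_secrets: dict, window: int = 300):
        self.client_secrets = client_secrets   # consumer key -> consumer secret
        self.token_secrets = token_secrets     # access token -> token secret
        self.window = window                   # accepted clock skew in seconds
        self.seen = set()                      # (client, timestamp, nonce) triples already accepted

    def verify(self, method: str, url: str, params: dict, now: int = None):
        now = int(time.time()) if now is None else now
        client, token = params.get("oauth_consumer_key"), params.get("oauth_token", "")
        if client not in self.client_secrets:
            return False, "unknown client"
        if token and token not in self.token_secrets:
            return False, "unknown token"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce_key = (client, ts, params.get("oauth_nonce"))
        if nonce_key in self.seen:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.client_secrets[client], self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "signature mismatch"
        self.seen.add(nonce_key)   # record the nonce only after the signature checked out
        return True, "ok"


# Constructed sample request (not real credentials) in the shape of the RFC's photo-fetch example.
CLIENT_KEY, CLIENT_SECRET = "dpf43f3p2l4k5l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "https://photos.example.net/photos?file=vacation.jpg&size=original"
PARAMS = {"oauth_consumer_key": CLIENT_KEY, "oauth_token": TOKEN, "oauth_signature_method": "HMAC-SHA1",
          "oauth_timestamp": "137131202", "oauth_nonce": "chapoH"}


def demo(now: int = 137131205):
    """A valid request, a replay of it, a forged request with a fresh nonce, and a stale one."""
    signed = sign_request("GET", URL, PARAMS, CLIENT_SECRET, TOKEN_SECRET)
    server = ResourceServer({CLIENT_KEY: CLIENT_SECRET}, {TOKEN: TOKEN_SECRET})
    accepted = server.verify("GET", URL, signed, now)
    replayed = server.verify("GET", URL, signed, now)                    # same nonce presented again
    forged = server.verify("GET", URL.replace("vacation", "private"),
                           dict(signed, oauth_nonce="chapoI"), now)       # old signature, other file
    stale = server.verify("GET", URL, signed, now + 3600)                # outside the time window
    return accepted, replayed, forged, stale


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two design points: the nonce is stored only after a valid signature, so an unauthenticated sender cannot burn nonces for a legitimate client, and the comparison uses hmac.compare_digest so the server does not leak how many leading characters of the signature were right.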
Protocol Workflow
In OAuth terminology, Jane (the resource owner) has uploaded two photos (protected resources) to Faji (the server).
Jane wants to print those two photos and send them to her friend. She visits beppa.com (a photo printing service, the client) and orders prints. Jane selects the photo source and clicks Continue.
Cont…
After clicking Continue
When Beppa receives the temporary credentials, it redirects Jane to the Faji OAuth User Authorization URL, where she is asked to sign in to the site. OAuth requires that servers first authenticate the resource owner and then ask them to grant access to the client.
OAuth allows Jane to keep her username and password private and not share them with Beppa or any other site. After successfully logging into Faji, Jane is asked to grant access to Beppa, the client.
Cont…
After clicking Approve
Beppa successfully fetched Jane's photos without asking for her username and password. The photos are presented to her so that she can pick the ones she wants and place her order.
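Jane's redirection flow, seen from the Faji side as the token bookkeeping the server has to do. This is an added example and not code from the slides, from Volvo IT or from Spring Security OAuth: AuthorizationServer, the client identifier "beppa", the callback URL and the owner name are all constructed. Request signing is left out so that the three token-issuing steps, the verifier check and the one-shot use of the temporary credentials stay visible; the revoke method shows the password limitation listed earlier (access that cannot be withdrawn) being addressed at the token level, since Jane can cut Beppa off without changing her Faji password.

```python
"""OAuth 1.0 redirection-based authorization (RFC 5849 section 2) as the server's token bookkeeping.

Added example, not code from the slides or from Spring Security OAuth. The server,
client and owner names, the callback URL and the AuthorizationServer class are
constructed. Request signing is omitted so that the token life cycle stays visible.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TemporaryCredential:
    client_id: str
    callback: str                        # declared by the client at step 1 and confirmed by the server
    secret: str
    authorized_by: Optional[str] = None  # resource owner who approved at step 2
    verifier: Optional[str] = None       # proves the approval came back through the owner's browser


class AuthorizationServer:
    """Faji's side: temporary credentials -> owner approval -> token credentials -> (later) revocation."""

    def __init__(self, clients: Dict[str, str]):
        self.clients = clients                          # client id -> client secret, registered out of band
        self.temporary: Dict[str, TemporaryCredential] = {}
        self.tokens: Dict[str, dict] = {}               # access token -> {"secret", "client", "owner"}

    def initiate(self, client_id: str, callback: str) -> dict:
        """Step 1 (section 2.1): issue temporary credentials that identify this authorization request."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        temp_id, temp_secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.temporary[temp_id] = TemporaryCredential(client_id, callback, temp_secret)
        return {"oauth_token": temp_id, "oauth_token_secret": temp_secret, "oauth_callback_confirmed": "true"}

    def authorize(self, temp_id: str, owner: str) -> str:
        """Step 2 (section 2.2): the owner, authenticated at the server, approves; return the redirect URL."""
        cred = self.temporary[temp_id]
        cred.authorized_by = owner
        cred.verifier = secrets.token_urlsafe(8)
        # Only the temporary token and the verifier travel back to the client, never the owner's password.
        return f"{cred.callback}?oauth_token={temp_id}&oauth_verifier={cred.verifier}"

    def token(self, client_id: str, temp_id: str, verifier: str) -> dict:
        """Step 3 (section 2.3): exchange approved temporary credentials for token credentials."""
        cred = self.temporary.get(temp_id)
        if cred is None or cred.client_id != client_id:
            raise PermissionError("temporary credentials were not issued to this client")
        if cred.authorized_by is None or not secrets.compare_digest(cred.verifier, verifier):
            raise PermissionError("owner has not approved, or the verifier is wrong")
        del self.temporary[temp_id]        # one-shot: a second exchange with the same credentials fails
        access_id, access_secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.tokens[access_id] = {"secret": access_secret, "client": client_id, "owner": cred.authorized_by}
        return {"oauth_token": access_id, "oauth_token_secret": access_secret}

    def access_allowed(self, access_id: str, client_id: str) -> bool:
        """Resource requests present the token; it must still exist and belong to the requesting client."""
        entry = self.tokens.get(access_id)
        return entry is not None and entry["client"] == client_id

    def revoke(self, access_id: str) -> None:
        """The owner withdraws the client's access without touching her password."""
        self.tokens.pop(access_id, None)


def run_flow():
    """Jane / Beppa / Faji walk-through; returns (access granted, replay accepted, access after revoke)."""
    faji = AuthorizationServer({"beppa": "beppa-client-secret"})        # constructed registration
    temp = faji.initiate("beppa", "https://beppa.example/ready")        # Jane clicks Continue at Beppa
    redirect = faji.authorize(temp["oauth_token"], owner="jane")        # Jane signs in at Faji and approves
    verifier = redirect.split("oauth_verifier=")[1]                     # Beppa reads it from the callback
    access = faji.token("beppa", temp["oauth_token"], verifier)
    granted = faji.access_allowed(access["oauth_token"], "beppa")       # Beppa can now fetch the photos
    try:
        faji.token("beppa", temp["oauth_token"], verifier)              # replaying step 3 must fail
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    faji.revoke(access["oauth_token"])                                  # Jane later withdraws access
    return granted, replay_accepted, faji.access_allowed(access["oauth_token"], "beppa")


if __name__ == "__main__":
    print(run_flow())
```

The verifier is what ties the approval to the owner's browser session: without it, a client that obtained temporary credentials could complete step 3 as soon as anyone approved them, which is the session-fixation weakness the 1.0a revision of the protocol addressed.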
Overview (image only)
Advantages
It is incredibly time saving in the long run.
OAuth allows you to use one account to comment on several different sites.
It hides private information (bank details) from those you do business with online.
All OAuth data transfers must take place over SSL (Secure Sockets Layer) to ensure trusted cryptography.
It is an open standard for authorization, so the expense is lower.
It generates less traffic and is more widely adopted.
Disadvantages
If you use Facebook to comment on a different site, that site can see your profile details (lack of anonymity).
The number of other sites that support OAuth as clients is still very limited (lack of market saturation).
There is a chance of the data being misused.
If the central account is hacked, or you simply choose to close the account, the serious repercussions are felt across several sites.