browser support for the open authoriza4on oauth protocol
play

Browser Support for the Open Authoriza4on (OAuth) Protocol - PowerPoint PPT Presentation

Oct 05, 2023 •334 likes •434 views

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

  1. Browser ¡Support ¡for ¡the ¡Open ¡ Authoriza4on ¡(OAuth) ¡Protocol ¡ hGp://www.w3.org/2011/iden4ty-­‑ws/papers/idbrowser2011_submission_32.pdf ¡ ¡ Hannes ¡Tschofenig, ¡Barry ¡Leiba, ¡ Blaine ¡Cook, ¡Rob ¡Van ¡Eijk ¡

  2. Agenda ¡ • Authen4ca4on ¡Mechanisms ¡ • JavaScript ¡Crypto ¡Library ¡Support ¡ • Authoriza4on ¡Interface ¡ • Moving ¡Crypto ¡Into ¡the ¡Browser ¡

  3. Authen4ca4on ¡Mechanisms ¡ • Many ¡iden4ty ¡management ¡protocols ¡treat ¡the ¡ authen4ca4on ¡exchange ¡out ¡of ¡scope ¡ – So ¡does ¡OAuth ¡ • Problems: ¡ ¡ – Authen4ca4on ¡creden4als ¡being ¡used ¡are ¡of ¡poor ¡quality ¡(low ¡ entropy ¡secrets) ¡ – Enrollment ¡of ¡strong ¡creden4als ¡not ¡implemented ¡in ¡browsers ¡ (e.g. ¡enrollment ¡of ¡OTP ¡mechanisms) ¡ ¡ – Authen4ca4on ¡mechanisms ¡being ¡used ¡on ¡the ¡Web ¡today ¡are ¡ preGy ¡weak. ¡ – There ¡is ¡no ¡authen4ca4on ¡framework ¡that ¡allows ¡for ¡easily ¡ exchangeable ¡authen4ca4on ¡methods. ¡ ¡ – Other ¡problem ¡(but ¡not ¡related ¡to ¡lack ¡of ¡standardiza4on): ¡weak ¡ iden4ty ¡proofing ¡ • Examples ¡to ¡look ¡at: ¡GSS-­‑API, ¡SASL, ¡EAP, ¡PSKC ¡ ¡ ¡ What ¡mechanisms ¡should ¡browser ¡support? ¡ ¡

  4. Authoriza4on ¡Interface ¡

  5. Authoriza4on ¡Interface, ¡cont. ¡

  6. Authoriza4on ¡Interface, ¡cont. ¡ What ¡guidance ¡can ¡we ¡provide ¡to ¡developers ¡for ¡a ¡ consistent ¡permission ¡dialog ¡experience? ¡ ¡ What ¡is ¡the ¡role ¡of ¡the ¡browser ¡in ¡this ¡exchange? ¡

  7. JavaScript ¡Crypto ¡Library ¡Support ¡ • JavaScript ¡is ¡an ¡essen4al ¡language ¡for ¡the ¡Web ¡ eco-­‑system. ¡Increasingly ¡popular ¡also ¡on ¡the ¡ server-­‑side. ¡ ¡ • Problem: ¡No ¡standardized ¡APIs ¡for ¡access ¡to ¡ cryptographic ¡func4ons ¡and ¡key ¡storage. ¡ • One ¡consequence: ¡Cryptographic ¡material ¡cannot ¡ be ¡kept ¡confiden4al ¡with ¡JavaScript-­‑based ¡ clients. ¡ ¡ • Example: ¡ hGps://developer.mozilla.org/en/JavaScript_crypto ¡ ¡ Would ¡it ¡be ¡useful ¡to ¡standardize ¡a ¡ JavaScript ¡crypto ¡API? ¡ ¡

  8. Moving ¡Crypto ¡Into ¡the ¡Browser ¡ • OAuth ¡protocol ¡design ¡is ¡impacted ¡by ¡the ¡capabili4es ¡ offered ¡by ¡browsers. ¡ • The ¡security ¡considera4ons ¡capture ¡this ¡quite ¡well: ¡ hGp://datatracker.ie_.org/doc/dra`-­‑ie_-­‑oauth-­‑v2/ ¡ hGp://tools.ie_.org/html/dra`-­‑lodderstedt-­‑oauth-­‑security ¡ • For ¡example, ¡ hGp://datatracker.ie_.org/doc/dra`-­‑ie_-­‑oauth-­‑v2-­‑ hGp-­‑mac/ ¡suggests ¡a ¡MAC ¡based ¡authen4ca4on ¡ mechanism ¡that ¡can ¡also ¡be ¡used ¡to ¡implement ¡a ¡more ¡ secure ¡cookie/HTTP ¡state ¡management ¡mechanism. ¡ ¡ What ¡func@onality ¡can ¡we ¡put ¡into ¡ the ¡browser ¡plaAorm? ¡ ¡

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides in the browser look way better): https://switowski.github.io/functional-css-talk/ 1 1 Maintainable CSS with visual regression testing and

850 views • 37 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
CORE VALUES accuzip.com/support/gotoassist Web browser. An interactive support tool that allows

CORE VALUES accuzip.com/support/gotoassist Web browser. An interactive support tool that allows

WELCOME! email response time. which in turn has built us a loyal customer 21-year history of doing the right thing, software solutions into the future. We have a can trust us with their multi-medium mailing open and transparent so that our

228 views • 4 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Protocol on SEA Chapter A6: Policies and legislation Resource Manual to Support Application of

Protocol on SEA Chapter A6: Policies and legislation Resource Manual to Support Application of

Protocol on SEA Chapter A6: Policies and legislation Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 26-Apr-07 A6.1 Contents of the Chapter Introduction Protocol on SEA Legal

409 views • 19 slides
Protocol on SEA Chapter A1: A brief introduction to SEA Resource Manual to Support Application

Protocol on SEA Chapter A1: A brief introduction to SEA Resource Manual to Support Application

Protocol on SEA Chapter A1: A brief introduction to SEA Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 17-Apr-07 A1.1 Contents of the Chapter What is SEA? Protocol on SEA

637 views • 15 slides
The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City, Ottawa, Paris @clementoudot ISO 9001:2004 / ISO 14001:2008 contact@savoirfairelinux.com GET /summary { part1:Some words on OAuth

796 views • 48 slides
Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON

Welcome Wifi CODE Upton1947!Ms USE SLIDO TO ASK QUESTIONS OF THE PANEL 1. OPEN BROWSER ON SMARTPHONE, TABLET OR LAPTOP 2. GO TO www.slido.com 3. ENTER CODE #Q358 TWEET ABOUT THE EVENT #WokinghamCHASC Introduction David Cahill (BHFT Wokingham

472 views • 29 slides
A low latency GPU engine based reset mechanism for a more robust UI experience Carlos Santa 1

A low latency GPU engine based reset mechanism for a more robust UI experience Carlos Santa 1

A low latency GPU engine based reset mechanism for a more robust UI experience Carlos Santa 1 Agenda: Problem Statement - Whats the limitation in the GPU driver - Proposed Solution: What is Timeout Detection and Recovery (TDR) - How

151 views • 13 slides
1. Part 1: General Topics a. Flexibility of APM-210 b. Contemplating a Deans Final Policy c.

1. Part 1: General Topics a. Flexibility of APM-210 b. Contemplating a Deans Final Policy c.

Fall Chairs Forum VPAP Remarks October 29, 2020 Agenda 1. Part 1: General Topics a. Flexibility of APM-210 b. Contemplating a Deans Final Policy c. Improving Transparency with STC Counting 2. Part 2: Updates a. Accountability for

495 views • 17 slides
OSDE TECHNICAL ASSISTANCE AND PROFESSIONAL DEVELOPMENT OVERVIEW 2014-2015 OVERVIEW

OSDE TECHNICAL ASSISTANCE AND PROFESSIONAL DEVELOPMENT OVERVIEW 2014-2015 OVERVIEW

10/2/2014 OSDE TECHNICAL ASSISTANCE AND PROFESSIONAL DEVELOPMENT OVERVIEW 2014-2015 OVERVIEW Technical Assistance (TA) and Professional Development (PD) are an important part of the Oklahoma General Supervision System (for more details

281 views • 13 slides
Approximate Judgement Aggregation (for the case of the doctrinal paradox) Ilan Nehama Center for

Approximate Judgement Aggregation (for the case of the doctrinal paradox) Ilan Nehama Center for

Approximate Judgement Aggregation (for the case of the doctrinal paradox) Ilan Nehama Center for the Study of Rationality The Selim and Rachel Benin School of Computer Science and Engineering The Hebrew University of Jerusalem, Israel Third

734 views • 59 slides
Ryan White HIV/AIDS Program Part F Pre-Applica<on Technical Assistance Webinar HRSA-18-045

Ryan White HIV/AIDS Program Part F Pre-Applica<on Technical Assistance Webinar HRSA-18-045

3/15/18 Ryan White HIV/AIDS Program Part F Pre-Applica<on Technical Assistance Webinar HRSA-18-045 Integra<ng the Na<onal HIV Curriculum e-Learning PlaIorm into Health Care Provider Professional Educa<on March 7, 2018 Sherrillyn

399 views • 21 slides
Mechanism Design without Money Dimitris Fotakis S CHOOL OF E LECTRICAL AND C OMPUTER E NGINEERING

Mechanism Design without Money Dimitris Fotakis S CHOOL OF E LECTRICAL AND C OMPUTER E NGINEERING

Mechanism Design without Money Dimitris Fotakis S CHOOL OF E LECTRICAL AND C OMPUTER E NGINEERING N ATIONAL T ECHNICAL U NIVERSITY OF A THENS , G REECE Viewpoint shaped through joint work with Christos Tzamos Dimitris Fotakis Mechanism Design

1.21k views • 91 slides
GLOBAL GOVERNANCE OF OUTER SPACE ACTIVITIES LOOKING AHEAD TOWARDS SPACE2030 NIKLAS

GLOBAL GOVERNANCE OF OUTER SPACE ACTIVITIES LOOKING AHEAD TOWARDS SPACE2030 NIKLAS

UN/South Africa BSTI Symposium Stellenbosch, South Africa, 11-15 December 2017 GLOBAL GOVERNANCE OF OUTER SPACE ACTIVITIES LOOKING AHEAD TOWARDS SPACE2030 NIKLAS HEDMAN United Nations Office for Outer Space Affairs United Nations

441 views • 14 slides
Ag Agile Software De Development in in To Todays

Ag Agile Software De Development in in To Todays

Ag Agile Software De Development in in To Todays Industry CompSci 408 - Fall 2014 Professors: Robert Duvall, Ajay Patel, Salman Azhar (rcd@cs, ajay.patel,

451 views • 33 slides

More recommend