oauth 2 0
play

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple - PowerPoint PPT Presentation

May 23, 2023 •327 likes •786 views

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

  1. OAuth 2.0 Weina Ma Weina.Ma@uoit.ca

  2. Agenda • OAuth overview • Simple example • OAuth protocol workflow • Server-side web application flow • Client-side web application flow

  3. What’s the problem • As the web grows, more and more sites rely on distributed services and cloud computing: – a photo lab printing your Flickr photos, – a social network using your Google address book to look for friends – a multiple services. third-party application utilizing APIs from multiple services. • The problem is, in order for these applications to access user data on other sites, they ask for user names and passwords. • This require exposing user passwords to someone else. • It also provides these application unlimited access to do as they wish.

  4. How Oauth was born • The idea of Yahoo asking for Google user passwords scared both firms as well as end users.

  5. What is OAuth • OAuth is a protocol that allows a user to grant a third party limited permission to access a web application on her behalf, without sharing her credentials (username and password) with the third party. • The third party can be a web application, or any other application with the capability of invoking a web browser for the user, such as a desktop application or an app running on a smart phone.

  6. OAuth’s Goal • Website X can access your protected data at API Y – All without sharing your password off- site – especially when there isn’t one like with OpenID

  7. Terminology • Authentication – A process of verifying the identity of a user, knowing that the user is who they claim to be. • Federated Authentication OAuth works similar: a user – Instead of having their own system of accounts grants access to an application (username/password), some applications rely on other and the application can only services to verify the identity of users. perform the authorized actions • Authorization – The process of verifying that a user has the right to perform some actions, like reading a document or accessing an email account • Delegated Authorization – Grant access to another person or application to perform actions on your behalf.

  8. Terminology - Roles • Resource Server – The server hosting user-owned resources that are protected by OAuth. • Resource Owner – The user of the application. – Has the ability to grant access to their owned data. • Client – An application making API requests to perform actions on protected resources. • Authorization Server – Get consent from resource owner – Issue access tokens to clients for accessing protected resources.

  9. Simple Example • Jane is back from her Scotland vacation. She spent 2 weeks on the island of Islay sampling Scotch. When she gets back home, Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private.

  10. Simple Example • Using OAuth terminology, Jane is the resource owner and Faji the server. The 2 photos Jane uploaded are the protected resources.

  11. Simple Example • After sharing her photos with a few of her online friends, Jane wants to also share them with her grandmother. She doesn’t want to share her rare bottle of Scotch with anyone. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service. • Using OAuth terminology, Beppa is the client. Since Jane marked the photos as private, Beppa must use OAuth to gain access to the photos in order to print them.

  12. Simple Example • Jane visits beppa.com and begins to order prints. Beppa supports importing images from many photo sharing sites, including Faji. Jane selects the photos source and clicks Continue.

  13. Simple Example • After Jane clicks Continue, something important happens in the background between Beppa and Faji. Beppa requests from Faji a set of temporary credentials. At this point, the temporary credentials are not resource-owner-specific, and can be used by Beppa to gain resource owner approval from Jane to access her private photos.

  14. Simple Example • When Beppa receives the temporary credentials, it redirects Jane to the Faji OAuth User Authorization URL with the temporary credentials and asks Faji to redirect Jane back once approval has been granted. • Jane has been redirected to Faji and is requested to sign into the site. OAuth requires that servers first authenticate the resource owner, and then ask them to grant access to the client.

  15. Simple Example • After successfully logging into Faji, Jane is asked to grant access to Beppa, the client. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.

  16. Simple Example • Once Jane approves the request, Faji marks the temporary credentials as resource-owner- authorized by Jane. Jane’s browser is redirected back to Beppa, to the URL previously provided http://beppa.com/order together with the temporary credentials identifier. This allows Beppa to know it can now continue to fetch Jane’s photos.

  17. Simple Example • Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources.

  18. Simple Example • Beppa successfully fetched Jane’s photo. They are presented as thumbnails for her to pick and place her order.

  19. Basic Steps of OAuth Application • Register Application • Obtain an Access Token from the Authorization Server • Send Access Token to an API • Refresh the Access Token (optional)

  20. Application Registration • API request is able to be identified after registering. • Information required to register an OAuth client with Google: – Google Account – Product Name – Product logon (optional) – Website URL used for Redirect URIs • After registration, the developer gets client credentials: – Client ID – Client secret

  21. Client Profiles • Server-side web application • Client-side application running in a web browser • Native application

  22. Access Tokens • The goal of using OAuth is obtaining an OAuth access token that your application can use to perform API request on behalf of a user or the application itself.

  23. Authorization Flows • Authorization code – Code must be exchanged – Allow to refresh tokens for long-lived access to API

  24. Authorization Flows • Implicit grant for browser-based client-side applications – Not need for code exchange – Not allow to refresh token for long-lived access

  25. Authorization Flows • Resource owner password-based grant – For highly-trusted clients like mobile application – Password is exposed to client, but not stored on the device.

  26. Authorization Flows • Client credentials – For installed application – Similar to the flow of Authorization code – On behalf of themselves (application) rather than a specific user.

  27. Authorization Flows • Device profile – For devices that do not have build-in web browser or have limited input options – Separate access to a computer or device with richer input capabilities is needed. • User will first interact with application on the limited device, obtain an URL and a code from the device • then switch to a device or computer with richer input capabilities and launch a browser. • Once in a browser, the user will navigate to the URL specified on the device, authenticate, and enter the code.

  28. Authorization Flows • SAML bearer assertion profile – Enable exchanging SAML 2.0 assertion for an OAuth access token. – Useful in enterprise environment that already have SAML authorization servers set up to control application and data access.

  29. Server-Side Web Application Flow • From application developer’s point of view. • Assume application registration is done • Step1: Let the user know what you’re doing and request authorization

  30. Server-Side Web Application Flow • Since OAuth flows involves directing your users to the website of the API provider, let them know in advance what will happen.

  31. Server-Side Web Application Flow • After user initiates the flow, your application need to send the user’s browser to the OAuth authorization page. • Get URL for OAuth authorization endpoint in API provider’s documentation. • For Google App Engine, the authorization endpoint is at: – https:// your_app_id .appspot.com/_ah/OAuth...

  32. Server-Side Web Application Flow • Specify a few query parameters with this link: – Client_id – Redirect_url – Scope – Response_type – State • Specific parameters to Google’s implementation: – Approval_promt – Access_type

  33. Server-Side Web Application Flow • Error handling – access_denied • Types of error – Invalid_request – Unauthorized_client – Unsupported_response_type – Invalid_scope – Server_error – Temporarily_unavailable

  34. Server-Side Web Application Flow • Step2: Exchange authorization code for an access token – When the user has granted access, two parametes will be included in the redirect back to the web application: • Code • State – be compared against the value generated in Step 1.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney <jbasney@ncsa.Illinois.edu> Brian Bockelman <bbockelm@cse.unl.edu> This material is based upon work supported by the National S cience Foundation under Grant

379 views • 20 slides
& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto

& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto

& 1st large scale oauth stealing botnet & Secure delegation mechanism De-facto authentication standard & & Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo How

419 views • 21 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

1.03k views • 44 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Windows Security

265 views • 23 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

A UTHENTICATION WITH O PEN ID C ONNECT IN A NGULAR D R . P HILIPPE D E R YCK https://Pragmatic Web Security.com D R . P HILIPPE D E R YCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) -

1.23k views • 44 slides
The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City, Ottawa, Paris @clementoudot ISO 9001:2004 / ISO 14001:2008 contact@savoirfairelinux.com GET /summary { part1:Some words on OAuth

796 views • 48 slides
Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

CS3 2020 Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks <michael.meeks@collabora.com> General Manager at Collabora Productjvity @michael_meeks, mmeeks #libreoffjce-dev irc.freenode.net

821 views • 60 slides

More recommend