oauth 2 0
play

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric - PowerPoint PPT Presentation

Sep 20, 2023 •572 likes •1.03k views

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

  1. OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) – Berlin Expert Days 2013 – 4. April 2013

  2. Uwe Friedrichsen @ufried

  3. <session> <no-code> <motivation /> <history /> <solution /> <extensions /> <criticism /> <tips /> </no-code> <code> <authzorization /> <token /> <resource /> </code> <wrap-up /> </session>

  4. { „ session “ : { „ no- code“ : [ „ motivation “, „ history “, „ solution “, „ extensions “, „ criticism “, „ tips “ ], „ code “ : [ „ authorization “, „ token “, „ resource “ ], „ wrap-up “ : true }

  5. Players You Another Application with application protected resources

  6. Assignment You Access your resources Another Application with application protected resources

  7. Problem You Access your resources Another Application with application protected resources

  8. Challenge Secure ? You Access your resources Easy to use Another Application with application protected resources

  9. OAuth 1.0 • Started by Twitter in 2006 • 1st Draft Standard in 10/2007 • IETF RFC 5849 in 4/2010 • Widespread • Complex Client Security Handling • Limited Scope • Not extendable • Not „Enterprise -ready “

  10. OAuth 2.0 • Working Group started 4/2010 • 31 Draft Versions • Eran Hammer-Laval left 7/2012 * • IETF RFC 6749 in 10/2012 * http://hueniverse.com/2012/07/ oauth-2-0-and-the-road-to-hell/

  11. Players revisited You Another Application with application protected resources

  12. Players revisited You Authorization Server Client Resource Application Server

  13. Solution (Step 1) 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are code Client Resource Application Server

  14. Solution (Step 2) 6. I want to trade my authorization code for an access token You Authorization Server 7. Here you are Client Resource Application Server

  15. Solution (Step 3) You Authorization Server Give me some resources. Here is my access token, btw. … Client Resource Application Server

  16. A few more Details • TLS/SSL • Endpoints • Client Types • Client Identifier • Client Authentication • Redirect URI • Access T oken Scope • Refresh T oken • Client State

  17. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an GET /authorize?  authorization 5. Here you are response_type=code&  code client_id=s6BhdRkqt3&  state=xyz&  redirect_uri=https%3A%2F%2Fclient%2E  example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com Client Resource Application Server

  18. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are HTTP/1.1 302 Found code Location:  https://client.example.com/cb?  code=SplxlOBeZQQYbYS6WxSbIA&  state=xyz Client Resource Application Server

  19. 6. I want to trade my authorization code for an access token You Authorization Server POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 7. Here you are Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&  code=SplxlOBeZQQYbYS6WxSbIA&  Client Resource redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb Application Server

  20. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { 6. I want to trade my authorization code "access_token":"2YotnFZFEjr1zCsicMWpAA", for an access token "token_type":"bearer", You Authorization "expires_in":3600, Server "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" } 7. Here you are Client Resource Application Server

  21. GET /resource/1 HTTP/1.1 Host: example.com You Authorization Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA Server Give me some resources. Here is my access token, btw. … Client Resource Application Server

  22. More flows & Extensions • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Refresh T oken Grant • Standard & custom Extensions • Standards based on OAuth 2.0

  23. Criticism • T oo many compromises • No built-in security • Relies solely on SSL • Bearer T oken • Self-encrypted token

  24. Tips • Turn MAY into MUST • Use HMAC T okens • Use HMAC to sign Content • No self-encrypted token • Always check the SSL Certificate

  25. How does the code feel like? using Apache Amber 0.22

  26. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an GET /authorize?  authorization 5. Here you are response_type=code&  code client_id=s6BhdRkqt3&  state=xyz&  redirect_uri=https%3A%2F%2Fclient%2E  example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com Client Resource Application Server

  27. Authorization Endpoint (1) @Path("/authorize") public class AuthorizationEndpoint { @Context private SecurityDataStore securityDataStore; @GET @Consumes(OAuth.ContentType.URL_ENCODED) public Response authorize(@Context HttpServletRequest request) { // Do the required validations OAuthAuthzRequest oauthRequest = wrapAndValidate (request); validateRedirectionURI (oauthRequest); // Actual authentication not defined by OAuth 2.0 // Here a forward to a login page is used String loginURI = buildLoginURI (oauthRequest); return Response.status(HttpServletResponse.SC_FOUND) .location(new URI(loginUri)).build(); } ...

  28. Authorization Endpoint (2) ... private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req) { // Implicitly validates the request locally return new OAuthAuthzRequest(req); } ...

  29. Authorization Endpoint (3) ... private void validateRedirectionURI(OAuthAuthzRequest oauthReq) { String redirectionURISent = oauthReq.getRedirectURI(); String redirectionURIStored = securityDataStore .getRedirectUriForClient( oauthReq.getClientId() ) ; if (!redirectionURIStored .equalsIgnoreCase(redirectionURISent)) { OAuthProblemException oAuthProblem = OAuthProblemException .error(OAuthError.CodeResponse.ACCESS_DENIED, "Invalid Redirection URI"); oAuthProblem.setRedirectUri(redirectionURISent); throw oAuthProblem; } } ...

  30. Authorization Endpoint (4) ... private String buildLoginURI(OAuthAuthzRequest oauthRequest) { String loginURI = getBaseLoginURI() ; // As an example loginURI += "&" + OAuth.OAUTH_RESPONSE_TYPE + "=“ + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE); loginURI += "?" + OAuth.OAUTH_CLIENT_ID + "=“ + oauthRequest.getClientId(); loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "=“ + redirectUri; loginURI += "&" + OAuth.OAUTH_SCOPE + "=“ + getParam(OAuth.OAUTH_SCOPE); loginURI += "&" + OAuth.OAUTH_STATE + "=“ + getParam(OAuth.OAUTH_STATE); return loginURI; } }

  31. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are HTTP/1.1 302 Found code Location:  https://client.example.com/cb?  code=SplxlOBeZQQYbYS6WxSbIA&  state=xyz Client Resource Application Server

  32. Login page handler private void getAndSendAuthorizationCode(HttpServletRequest req, HttpServletResponse resp) { // Assuming login was successful and forwarded // parameters can be found in the request String userId = (String) request.getAttribute("userId"); String clientId = (String) request.getAttribute(OAuth.OAUTH_CLIENT_ID); // Create a new authorization code and store it in the database String authzCode = securityDataStore.getAuthorizationCode( userId, clientId ) ; // Redirect back to client String redirectUri = (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI); redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode); redirectUri += "&" + OAuth.OAUTH_STATE + "=“ + request.getAttribute(OAuth.OAUTH_STATE); resp.sendRedirect(redirectUri); }

  33. 6. I want to trade my authorization code for an access token You Authorization Server POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 7. Here you are Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&  code=SplxlOBeZQQYbYS6WxSbIA&  Client Resource redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb Application Server

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney &lt;jbasney@ncsa.Illinois.edu&gt; Brian Bockelman &lt;bbockelm@cse.unl.edu&gt; This material is based upon work supported by the National S cience Foundation under Grant

379 views • 20 slides
&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto authentication standard &amp; &amp; Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo How

419 views • 21 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
R configuration for packages install.packages(c(&quot;devtools&quot;, &quot;usethis&quot;,

R configuration for packages install.packages(c(&quot;devtools&quot;, &quot;usethis&quot;,

R configuration for packages install.packages(c(&quot;devtools&quot;, &quot;usethis&quot;, &quot;testthat&quot;, &quot;reprex&quot;, &quot;pkgdown&quot;)) git_sitrep() &gt; library(usethis) &gt; git_sitrep() Git user * Name: 'Amelia McNamara'

308 views • 9 slides
Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010 https://www.isecpartners.com Agenda Conclusion What is Hadoop Old School Hadoop Risks The New Approach to Security Concerns

300 views • 29 slides
Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material Web sites Microsoft links from last lecture Linux Capabilities - man 7 capabilities or http://www.linuxjournal.com/article/5737

1.17k views • 29 slides
Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF What Is Apache CXF Production

465 views • 25 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides
15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon

15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon

15-388/688 - Practical Data Science: Data collection and scraping J. Zico Kolter Carnegie Mellon University Fall 2019 1 Outline The data collection process Common data formats and handling Regular expressions and parsing 2 Outline The

605 views • 27 slides

More recommend