Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)
Acknowledgements
• I would like to thank Pasi Eronen. We are re-using some of his slides in this presentation.
04/18/23 IETF #79, OAuth Tutorial Beijing 2
The Problem: Secure Data Sharing
Example OAuth Exchange
Entities (diagram): User, User Agent (Web Browser), Resource Consumer (LinkedIn), Authorization Server (Yahoo), Resource Server (Yahoo). Messages shown: Authorization Request, Token request, Access Request (incl. Token).
User navigates to Resource Client
User authenticated by Authorization Server
User authorizes Resource Consumer to access Resource Server
Resource Client calls the Resource Server API
Remark: Authentication
• Yahoo in our example may outsource the authentication part to other providers (e.g. using OpenID).
• Authorization Server and Resource Server do not need to be operated by the same entity.
Remark: Authorization
• Asking the user for consent prior to sharing information is considered privacy-friendly.
• User interfaces for obtaining user consent may not always be great.
Remark: Authorization, cont.
Remark: Authorization, cont.
Remark: Authorization, cont.
Remark: Prior Registration
• Many Resource Servers require registration of Resource Clients prior to usage.
• Example: http://developer.cliqset.com/api
Remark, cont.
History
History
• November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need.
• December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft.
• April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.
• July 2007: OAuth 1.0 (with code for major programming languages)
• September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows)
• Deployment of OAuth well on its way: http://wiki.oauth.net/ServiceProviders
History, cont.
• 1st OAuth BOF (Minneapolis, November 2008, IETF#73)
– BOF Chairs: Sam Hartman, Mark Nottingham
– BOF went OK but a couple of charter questions couldn’t be resolved.
• 2nd OAuth BOF (San Francisco, March 2009, IETF#74)
– BOF Chairs: Hannes Tschofenig, Blaine Cook
– Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting.
• IETF-wide review of the OAuth charter text (28th April 2009)
– Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
• OAuth working group was created (May 2009)
– Chairs: Blaine Cook, Peter Saint-Andre
• Feb 2010: 'The OAuth 1.0 Protocol' approved as Informational RFC
– http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
History, cont.
• March 2010: Peter Saint-Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair.
• March 2010: IETF OAuth meeting in Anaheim
• April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published, co-authored by Eran, Dick, David.
• May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
• July 2010: Maastricht IETF meeting
• November 2010: Document split into “abstract” specification and separate bearer token and message signing specification.
• November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth.
Entities (diagram): User, User Agent, Resource Consumer, Authorization Server, Resource Server. Messages shown: Authorization Request, Token request, Access Request (incl. Token).
Scope of the OAuth WG
• Currently only one working group item:
– http://tools.ietf.org/html/draft-ietf-oauth-v2
– Unlike OAuth v1.0 it does not contain signature mechanisms
• We have a bunch of other documents as individual items:
– Providing security-related extensions
– User interface considerations
– Token formats
– Token by reference
– Use case descriptions
– Other OAuth profiles
Work Areas (diagram over the entity figure: User, User Agent, Resource Consumer, Authorization Server, Resource Server; messages Authorization Request, Token Request, Access Request (incl. Token)). Work areas marked: User Interface, Token Format and Content, Authz Server Interaction, Data Exchange, Authentication, Request Security, OAuth Profiles.
Web Server Flow
Security
A little bit about OAuth security…
Work Areas (diagram over the same entity figure: User, User Agent, Resource Consumer, Authorization Server, Resource Server; messages Authorization Request, Token Request, Access Request (incl. Token)). Work areas marked: User Interface, Authz Server Interaction, Data Exchange, Authentication, OAuth Profiles.
“Bearer Token” (diagram): the Authorization Server sends the Token to the Resource Consumer over TLS; the Resource Consumer presents the Token together with its Request to the Resource Server, again over TLS.
“Message Signing” (diagram): the Authorization Server sends Token, SK, {SK}Bob to the Resource Consumer over TLS; the Resource Consumer sends Token, {Request}SK, {SK}Bob together with its Request to the Resource Server (TLS shown only on the Authorization Server leg).
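The message-signing exchange from the diagram above, as an added Python example that is not from the slides: the Authorization Server issues Token, SK and {SK}Bob, the Resource Consumer sends Token with {Request}SK and {SK}Bob, and the Resource Server unwraps SK and verifies the signature, which is what separates it from a bearer token that is accepted on presentation alone. The shared key K_BOB, the HMAC-based wrap standing in for a real key-wrap algorithm, and all function names are assumptions of this example.

```python
import hashlib, hmac, secrets

K_BOB = b"constructed-key-shared-by-authz-and-resource-server"  # "Bob" = RS

def wrap_for_bob(sk):
    """{SK}Bob: seal SK for the Resource Server (illustrative stand-in for a
    real key-wrap: HMAC-derived keystream over a fresh nonce, plus HMAC tag)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(K_BOB, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(sk, stream))
    tag = hmac.new(K_BOB, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_at_bob(blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(K_BOB, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tag failed: reject rather than use a tampered SK
    stream = hmac.new(K_BOB, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def authz_server_issue():
    """Authorization Server -> Resource Consumer (over TLS): Token, SK, {SK}Bob."""
    token = secrets.token_hex(16).encode()
    sk = secrets.token_bytes(32)  # 32 bytes = one SHA-256 keystream block
    return token, sk, wrap_for_bob(sk)

def consumer_sign(token, sk, request):
    """{Request}SK: Resource Consumer binds Token and request to SK via HMAC."""
    return hmac.new(sk, token + request, hashlib.sha256).digest()

def resource_server_verify(token, request, sig, wrapped_sk):
    """Resource Server: unwrap SK from {SK}Bob, then check {Request}SK."""
    sk = unwrap_at_bob(wrapped_sk)
    if sk is None:
        return False
    expected = hmac.new(sk, token + request, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo():
    token, sk, wsk = authz_server_issue()
    req = b"GET /contacts"
    sig = consumer_sign(token, sk, req)
    ok = resource_server_verify(token, req, sig, wsk)
    tampered = resource_server_verify(token, b"GET /contacts?all=1", sig, wsk)
    # Holding Token and {SK}Bob without SK (unlike a bearer token) is not enough.
    forged = resource_server_verify(token, req, consumer_sign(token, b"x", req), wsk)
    return ok, tampered, forged
```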
Conclusion
• Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments.
– Usage for non-Web based applications has been proposed as well.
• Work is in progress and re-chartering will expand the work to include new features and use cases as well as security.
• Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution.
Backup Slides
JavaScript Flow (User Agent Flow in Draft)
Native Application Flow
Autonomous Flow
Device Flow