Upload File

@justin richer introduction to oauth 2 · the oauth 2.0 authorization framework enables a...

  • Home
  • Documents
  • @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of
116
@justin _ _ richer https://bspk.io/ Introduction to OAuth 2.0 Justin Richer Bespoke Engineering 1

Upload: others

Post on 25-May-2020

18 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

IntroductiontoOAuth2.0

JustinRicherBespokeEngineering

1

Page 2: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

COURSEVERSION1.6Feedbackiswelcome!

2

Page 3: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Trythehomeedition•  OAuth2InAction•  Codeisopensource•  PublishedMarch2017

3

Page 4: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

WHATISOAUTH2.0?

4

Page 5: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Fromthespec(RFC6749)The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

5

Page 6: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ThegoodbitsThe OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

6

Page 7: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

InotherwordsOAuth 2.0 is a delegation protocol that lets people allow applications to access things on their behalf.

7

Page 8: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whoisinvolved?

Resource Owner Authorization

Server

ProtectedResource

Client

8

Page 9: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theresourceowner•  HasaccesstosomeresourceorAPI•  CandelegateaccesstothatresourceorAPI•  Usuallyhasaccesstoawebbrowser•  Usuallyisaperson

9

Page 10: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theprotectedresource•  Webservice(API)withsecuritycontrols•  Protectsthingsfortheresourceowner•  Sharesthingsontheresourceowner’srequest

10

Page 11: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theclientapplication•  Wantstoaccesstheprotectedresource•  Doesthingsontheresourceowner’sbehalf•  Couldbeawebserver– Butit’sstilla“client”inOAuthparlance– CouldalsobeanativeapporJSapp

11

Page 12: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whatarewetryingtosolve?

Resource Owner

The Goal:

Give the client access to the protected

resource on behalf of the resource owner.

ProtectedResource

Client

12

Page 13: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

THISISN’TANEWPROBLEMPeoplehavebeensolvingthisforalongtime

13

Page 14: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Stealthekeys

Resource Owner

Copy the resource owner’s credentials

and replay them to the protected resource.

ProtectedResource

Client

14

Page 15: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Askforthekeys

Resource Owner

ProtectedResource

Client

?

Ask for the resource owner’s credentials

and replay them to the protected resource.

15

Page 16: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Useauniversalkey

Resource Owner

A universal key that’s good for opening the door no matter who locked it.

ProtectedResource

Client

16

Page 17: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Service-specificcredentials

Resource Owner

A special password (or token) that can be used to access just this

protected resource.

ProtectedResource

Client

17

Page 18: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

WE’REGETTINGCLOSER…

18

Page 19: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

IntroducingtheAuthorizationServer(AS)

Resource Owner Authorization

Server

ProtectedResource

Client

The Authorization Server gives us a

mechanism to bridge the gap between the client and the protected resource

19

Page 20: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

TheAuthorizationServer•  Generatestokensfortheclient•  Authenticatesresourceowners(users)•  Authenticatesclients•  Managesauthorizations

20

Page 21: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

OAuthTokens•  Representgranteddelegatedauthorities–  Fromtheresourceownertotheclientfortheprotectedresource

•  Issuedbyauthorizationserver•  Usedbyclient–  Formatisopaquetoclients

•  Consumedbyprotectedresource

21

Page 22: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ExampleOAuthTokens•  92d42038006dba95d0c501951ac5b5eb•  2df029c6-b38d-4083-b8d9-db67c774d13f•  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

•  waterbuffalo-elephant-helicopter-argument

22

Page 23: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

You’veusedOAuth

23

Page 24: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ABRIEFHISTORYOFOAUTH2.0

24

Page 25: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Circa2006•  HTTPpasswordauthenticationcommonforAPIaccess– “Givemeyourpassword”

•  Internetcompanieshaveproprietarysolutionsfordelegatedaccess– BBAuth,AuthSub,afewothers

25

Page 26: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theproblem•  TwosmallersiteswanttoconnecttheirAPIsfortheirusers

•  BothuseOpenIDforlogin– Nousername/passwordtopass!

•  Neitherwantstouseaproprietarysolution

26

Page 27: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Anewstandardisborn•  OAuth1.0ispublishedindependently– Noformalstandardsbody,peoplejustuseit

•  Asessionfixationattackisfoundandfixed– NewversioniscalledOAuth1.0a

•  ThiscommunitydocumentisstandardizedasRFC5849intheIETF

27

Page 28: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Peoplestartusingit•  OAuth1.0asolvesmajorpainpointsformanypeopleinastandardandunderstandableway

•  Google,Yahoo,andothersreplacetheirsolutionswiththenewstandard

28

Page 29: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Peoplestartabusingit•  PeoplealsodecidetostartusingOAuthforoff-labelusecases– Nativeapplications– Nouserintheloop– Distributedauthorizationsystems

29

Page 30: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Version2.0:Theframework•  Modularizedconcepts•  Separatedpreviouslyconflatedcomponents•  Addedexplicitextensibilitypoints•  Removedpainpointsofimplementers•  StandardizedinRFC6749andRFC6750

30

Page 31: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whatdoesthismean?•  Insteadofasingleprotocol,OAuth2.0definescommonconceptsandcomponentsanddifferentwaystomixthemtogether

•  It’snotasinglestandard,it’sasetofstandardsfordifferentusecases

31

Page 32: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

WHATOAUTHISN’T

32

Page 33: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

NotdefinedoutsideofHTTP•  CoreprotocoldefinedonlyforHTTP•  ReliesonTLSforsecuringmessages•  ThereareeffortstouseOAuthovernon-HTTPprotocols– GSSAPI– CoAP

33

Page 34: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Notanauthenticationprotocol•  Reliesonauthenticationinseveralplaces– Clientauthenticationtotokenendpoint– Resourceownerauthenticationatauthorizationendpoint

•  Doesn’tcommunicateanythingabouttheuser•  However:authenticationprotocolscanbebuiltusingOAuth(OpenIDConnect)

34

Page 35: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Nouser-to-userdelegation•  Allowsausertodelegatetoapieceofsoftwarebutnottoanotheruser

•  However,multi-partydelegationcanbebuiltusingOAuthasacorecomponent(UMA)

35

Page 36: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Noauthorizationprocessing•  Tokenscanrepresentscopesandotherauthorizationinformation

•  Processingofthisinformationisuptotheresourceserver

•  However,severalmethods(UMA,JWT,introspection)tocommunicatethisinformation

36

Page 37: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Notokenformat•  Tokenisopaquetotheclient•  Tokenneedstobeissuedbytheauthorizationserverandunderstoodbytheresourceserver,butthey’refreetousewhateverformattheywant

•  However,JSONWebTokens(JWT)provideausefulcommonformat

37

Page 38: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Nocryptographicmethods•  CoreOAuthreliesonTLSforprotectinginformationintransit

•  However,othermechanismslikeJSONObjectSigningandEncryption(JOSE)definethingsthatcanbeusedwithOAuth

38

Page 39: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Notasingleprotocol•  OAuth2.0isaframework– Severalcoreflowsplusextensions

•  Twothingscan“implementOAuth”butbeincompatiblewitheachother

•  However,codere-useandpatternsbetweencommoncomponentsmakeslifesimpler

39

Page 40: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

THEAUTHORIZATIONCODEFLOWAdeepdiveintothecanonicalOAuth2.0transaction

40

Page 41: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ThepiecesofOAuth

Resource Owner

Access Token

Authorization Server

ProtectedResource

Client

41

Page 42: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theauthorizationcodeflow

Resource Owner Authorization

Server

ProtectedResource

Client

Resource owner’s credentials

Client’s credentials

Authorization code

Access token

42

Page 43: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

TWOFORMSOFCOMMUNICATION

43

Page 44: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Thebackchannel

Resource Owner Authorization

Server

ProtectedResource

Client

Back channel uses direct HTTP connections between components,

the browser is not involved

44

Page 45: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Thefrontchannel

Resource Owner Authorization

Server

ProtectedResource

Client

Front channel uses HTTP redirects through the web browser, no direct connections

45

Page 46: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Afrontchannelrequest/response

Fron

t Cha

nnel

Re

spon

seFr

ont C

hann

el

Requ

est

Resource Owner

Authorization Server

Client

HTTP Redirect

HTTP Redirect

HTTP Request

HTTP Request

HTTP Response

HTTP Response

46

Page 47: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whyboth?•  Separationofinformation•  Frontchannelwhentheuser’sinvolved•  Backchannelwhenthey’renot

47

Page 48: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

THEAUTHORIZATIONCODEFLOWStepbystep

48

Page 49: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step1

Resource Owner Authorization

Server

ProtectedResource

Client

Client redirects the resource owner to the authorization server’s authorization endpoint

49

Page 50: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step2

Resource Owner Authorization

Server

ProtectedResource

Client

Resource owner authenticates to the authorization server

50

Page 51: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step3

Resource Owner Authorization

Server

ProtectedResource

Client

Resource owner authorizes the client

?

51

Page 52: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step4

Resource Owner Authorization

Server

ProtectedResource

Client

Authorization server redirects resource owner back to the client with an

authorization code

52

Page 53: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step5

Resource Owner Authorization

Server

ProtectedResource

Client

Client sends the authorization code to the authorization

server’s token endpoint

Client authenticates using its own credentials

53

Page 54: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step6

Resource Owner Authorization

Server

ProtectedResource

Client

Authorization server issues an OAuth access

token to the client

54

Page 55: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

AuthorizationCode:Step7

Resource Owner Authorization

Server

ProtectedResource

Client

Client accesses the protected resource using

the access token

55

Page 56: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

REFRESHTOKENS

56

Page 57: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whentheuserisn’tthere•  Accesstokensworkaftertheuserleaves– OneoftheoriginaldesigngoalsofOAuth

•  Whatdoesaclientdowhentheaccesstokenstopsworking?– Expiration– Revocation

57

Page 58: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Gettinganewtoken•  Repeattheprocessofgettingatoken–  Interactivegrants:sendtheresourceownertotheauthorizationendpoint

•  Butwhatiftheuser’snotthereanymore?

58

Page 59: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Refreshtokens•  Issuedalongsidetheaccesstoken•  Usedforgettingnewaccesstokens– Presentedalongwithclientcredentials– Notgoodforcallingprotectedresourcesdirectly

59

Page 60: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

SCOPES

60

Page 61: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

APIDesign•  NaïveAPIs(likewhatwebuilt)allowsimpleyes/noaccess–  Ifyourtokenisgood,yourrequestisgood

•  SmarterAPIsdivideaccess

61

Page 62: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Limitedaccess•  Typeofaction– Read,write,delete

•  Typeofresource– Photos,metadata,profile

•  Timeofaccess– Userisoffline,limitednumberofaccesses

62

Page 63: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

OAuthScopes•  Stringsthatrepresentwhatthetokencando•  Clientcanaskforscopes•  Resourceownerapprovesscopes•  Accesstokenisboundtoscopes

63

Page 64: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

OTHERWAYSTODOOAUTH2.0

64

Page 65: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Protocolflexibility•  Canonicalusecase:webserverbasedapplicationaccessedthroughabrowser

•  Authorizationcodeflowisbuiltaroundthisusecase

•  Whataboutdifferentkindsofclients?•  Whataboutdifferentkindsofdelegation?

65

Page 66: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

IMPLICITFLOW

66

Page 67: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Stufftheclientintothebrowser•  Authorizationcodeflowkeepsthetokenoutofthebrowserandintheclient

•  Butwhatiftheclientisinsidethebrowser?

67

Page 68: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theimplicitflow

Resource Owner Authorization

Server

ProtectedResource

Client Inside the Browser

Implicit grant type uses only the front

channel since the client is inside the browser

68

Page 69: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

CLIENTCREDENTIALSFLOW

69

Page 70: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Clientactsonitsownbehalf•  Noexplicitresourceowner•  ReplacementforAPIkeys

70

Page 71: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theclientcredentialsflow

Authorization Server

ProtectedResource

Client

Client credentials grant type: Client trades its own credentials for a

token, uses only the back channel since the client is acting on its own behalf

71

Page 72: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

RESOURCEOWNERPASSWORDFLOW

72

Page 73: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Stealingthepassword•  Codifytheanti-pattern:asktheuserfortheircredentialsandreplaythem

•  Insteadofsavingthecredentials,tradeforanaccesstoken

73

Page 74: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theresourceownerpasswordflow

Resource Owner Authorization

Server

ProtectedResource

Client

?

Resource owner credentials grant type:

Client trades username and password for an OAuth token over the back channel

74

Page 75: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

HOLDON!Didn’twesayitwasbadtostealthecredentials?

75

Page 76: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ASSERTIONFLOWS

76

Page 77: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Third-partyauthorization•  Haveatrustedthirdpartyhandauthorizationtotheclient

•  Clienttradesthatforatoken

77

Page 78: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Theassertionsflows

Authorization Server

Assertion provider

ProtectedResource

Client

Client trades a cryptographically protected element

(assertion) for a token

78

Page 79: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

DEVICEFLOW

79

Page 80: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Limitedinteractivity•  Noteveryclienthasawebbrowser– Set-topboxes– Smartdevices

•  Howdowegetuserinteraction?– Splitthepieces– Usetheusertocarrytheinformation

80

Page 81: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

ThedeviceflowDevice grant type

gives the resource owner a user code to enter at the authorization server

Resource Owner Authorization

Server

ProtectedResource

Device

Device Code

User Code

Device code is presented in the back

channel

81

Page 82: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

NATIVECLIENTS

82

Page 83: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

What’sanativeclient?•  Runsontheenduser’ssystem– Nothostedonaremotewebserver– Notexecutedinsideofawebbrowser

•  Canbedesktopormobile– Localself-containedwebserverappsqualify

83

Page 84: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whatmakesanativeclientdifferent?

•  Functionalitylivesoutsidethebrowser•  Can’tkeepsecretsfromtheuser– Especiallyconfigure-timesecrets

•  RequiresadaptationstoredirectURItousethefrontchannel

84

Page 85: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Dealingwithsecrets•  Applicationiscopiedandrunmanytimes– Shouldn’tgiveeachcopythesamesecret

•  Dynamicclientregistration– GiveeachinstanceitsownIDandsecret

•  Publicclients– ShareanIDanddon’tusesecrets

85

Page 86: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

RedirectURIs•  CustomURIscheme– myapp:/oauth_callback?code=ABC123

•  Locallyhostedwebserver–  http://localhost:39103/myapp?code=ABC123

•  Remotehostwithpushnotification–  https://push.example.com/app-942/code=ABC123

86

Page 87: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

RedirectURIswithcustomschemes

•  Appsneedtoregisterfornamespace•  Anyappcantakeanynamespace•  MaliciousappscantrytograbitemscominginonredirectURIs– Authorizationcodes(forcodeflow)– Tokens(forimplicitflow)

87

Page 88: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

PKCE:Sendingthechallenge

Resource Owner Authorization

Server

ProtectedResource

Client

Client generates the code verifi er and

challenge, includes the challenge in the front-channel request to the authorization server

88

Page 89: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

PKCE:Sendingtheverifier

Resource Owner Authorization

Server

ProtectedResource

Client

Client sends the verifi er in the back-

channel request to the authorization server

89

Page 90: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

PKCE:Verifyingthechallenge

Resource Owner Authorization

Server

ProtectedResource

Client

Authorization server re-generates the

challenge from the verifi er and compares

it to the challenge previously sent

90

Page 91: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

MANAGINGTHEGRANTTYPES

91

Page 92: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Differentusecases•  Authorizationcodeflow:webapplications,somenativeapplications

•  Implicitflow:in-browserapplications•  Clientcredentialsflow:non-interactive•  Passwordflow:trustedlegacyclients•  Assertionflows:trustframeworks

92

Page 93: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

HOWTOCHOOSEAGRANTTYPE

93

Page 94: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

94

Can the client display a simple code, image, or

URL to the user?

Is the client acting on behalf of a

resource owner?

Is the client running completely inside of a

web browser?

Is the client a native application?

Yes

YesYes Yes

Yes

Yes

Yes Yes

No

No

NoNo

Can the resource owner interact with a web browser

while using the client?

Does the user have a simple set of credentials

like a password?

Is the client acting on its own behalf?

Authorization Code

Add PKCE or DynReg

Assertion

Resource Owner Credentials

Client Credentials

Implicit

Is the client acting on the authority of a trusted third party?

Choose the appropriate OAuth grant type for

the type of application you’re building

Device

Page 95: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

OpenIDConnect

End User

Session at the Relying Party

Identity Provider

Identity Profi le APIReyling Party(Application)

End User’s Credentials, Authorization of the Relying Party

ID Token and Access Token

Access Token and User Information

95

Page 96: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

DynamicClientRegistration

Resource Owner Authorization

Server

ProtectedResource

Client

Request: Display name, redirect URIs, etc.

Response: Client identifi er, client secret, etc.

96

Page 97: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Softwarestatements•  Thirdpartygeneratesanassertionthatcontainsfixedattributesoftheclient–  Clientcan’tchangeoroverridewhat’sinthestatement

•  Clientpresentsthestatementalongsideanyvariableattributes

•  ServergeneratesuniqueIDandsecretforclient

97

Page 98: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whyuseasoftwarestatement?•  Manyinstancesofaclientsoftware– EachinstanceneedsitsownID/secret– Allinstancesshouldbe“recognizable”

•  Allowpre-registrationacrossdomains– Softwarestatementfromtrustedserver–  IndividualASregistrationsforclients

98

Page 99: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

TOKENINTROSPECTION

99

Page 100: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

OAuthtokensareopaque•  Butthey’reonlyopaquetotheclient•  Protectedresourceneedstoknowthetoken– What’sitgoodfor?– Whoissuedit?–  Isitvalid?

100

Page 101: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Howdoestheresourceknow?•  Databaselookup– ASandRSareinthesamebox

•  Packinformationintothetokenitself– RememberJWT?

•  QuerytheAS– Runtimelookupoverthenetwork

101

Page 102: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

“What’sthistokengoodfor?”•  ProtectedresourcequeriestheASaboutatokenitreceived

•  ASrespondswithaJSONstructuredescribingthetoken’sstatus

102

Page 103: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Introspectiontrade-offs•  Requiresextracredentials(attheRS)•  Morenetworktraffic•  Subjecttocacheconsistencyproblems–  Introspecteverytime?Onlyontimeout?

103

Page 104: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

TOKENREVOCATION

104

Page 105: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Completingthetokenlifecycle•  OAuthdefineshowtogetanewtokenandrefreshadeadtoken

•  Revocationallowsclientstoproactivelythrowawaytokenstheynolongeruse

105

Page 106: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Whyrevoketokens?•  Nativeapplicationbeinguninstalled•  Userselects“logout”or“de-authorize”fromtheclient(nottheAS)

106

Page 107: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Asimpleprotocol•  ClientPOSTstotherevocationendpoint–  Tokenincludedinbody

•  Serverdeletesthetokenifitfindsit•  ServertellstheclienteverythingisOK–  Evenifnotokenwasdeleted,wepretendwedid– Otherwiseclientscouldusethistofishfortokenvalues

•  Clientthrowsoutitscopyofthetoken107

Page 108: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

POP,MTLS,ANDTOKENBINDING

108

Page 109: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Beyondbearertokens•  Bearertokensaresentas-isoverthewire•  Anyonewhohasaccesstothetokencanuseit•  ProofofPossession(PoP)tokensrequirecryptographicproofofakey– Tokenistransmittedas-is– Keyisusedtosignsomething,nottransmitteditself

109

Page 110: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Twoparts

Token:Opaque to client

Associated with scopes and ROSent as-is to PR

Key:Known to client

Associated with tokenUsed to sign request

110

Page 111: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

MutualTLS•  Clientpresentscertificatetotokenendpoint•  AShashescertificateandtiesittotoken•  ClientpresentssamecertificatetoRS•  RShashescertificateandseesifit’sthesameastheoneboundtothetoken

•  ClientdoesnothavetoauthenticatewithTLS

111

Page 112: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Tokenbinding

Resource Owner Authorization

Server

Use TLS Channel ABC

Here’s a cookie, only use it on TLS

Channel ABC

Here’s that cookie again, this is TLS

Channel ABC

112

Page 113: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

Aproblemwithtokenbinding

Resource Owner Authorization

Server

ProtectedResource

Client

1

2 3

4

5

113

Page 114: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

WRAPPINGUP

114

Page 115: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

SURVEY!https://www.surveymonkey.com/r/101introOAuth

115

Page 116: @justin richer Introduction to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of

@justin _ _ richer

https://bspk.io/

THANKYOUhttp://oauthinaction.com/

116


RFC 6749 - The OAuth 2.0 Authorization Framework...The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a third-party application to obtain

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

[MS-XOAUTH]: OAuth 2.0 Authorization Protocol ExtensionsMS... · 5.1 Security Considerations for Implementers ... The OAuth 2.0 Authorization Protocol Extensions extend the OAuth

[MS-XOAUTH]: OAuth 2.0 Authorization Protocol …interoperability.blob.core.windows.net/files/MS-XOAUTH/[MS-XOAUTH].pdfThe OAuth 2.0 Authorization Protocol Extensions extend the OAuth

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for …...The OAuth 2.0 Protocol Extensions for Broker Clients specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that

Oracle OAuth ServiceOAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. OAM OAuth

[MS-OAPX]: OAuth 2.0 Protocol Extensions · PDF fileThe OAuth 2.0 Protocol Extensions specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework). When no operating system

CHAPTER 4 OAUTH€¦ · 2 OBJECTIVES After completing “OAuth,” you will be able to: Identify issues of authorization for RESTful services. Explain the OAuth standard for establishing

Recent Enhancements to Scale the Conversation...OAuth 2.0 Authorization Server n s NOTE: OAuth 2.0 is not currently supported for the Appliance. OAuth 2.0 is now supported for all

[MS-ADFSOAL]: Active Directory Federation Services …... · Active Directory Federation Services OAuth Authorization Code ... Active Directory Federation Services OAuth ... Federation

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/draft-ietf-oauth-v2-30.pdf · 2012. 7. 15. · The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30 Abstract The

Introduction - Microsoft... · Web viewIntroduction The OAuth 2.0 Protocol Extensions for Broker Clients specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that

OAuth 2.0 Proof-of-Possession: Authorization Server to ......OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution draft-bradley-oauth-pop-key-distribution-01.txt

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

[MS-OAPXBC-Diff]: OAuth 2.0 Protocol Extensions …...The OAuth 2.0 Protocol Extensions for Broker Clients specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST

OAuth 2.0 and the Road to XSS - HITBconference.hitb.org/hitbsecconf2013ams/materials/D2T1 - Andrey... · OAuth 2.0 in 60 seconds Resource Owner User-Agent Authorization Server Web-Hosted

@dfett42 How (Not) to Use OAuth - danielfett.de...Authorization OAuth (RFC6749+RFC6750) Authorization Server & Resource Server User Client Photo Editor Google Photos account authorizes

Building Office 365 App with AAD OAuth - Microsoft · OAuth •Widely adopted open standard for authorization •Provides client app a “secure delegated access” to server resources

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

YouTube API v2.0 - OAuth 2.0 Authorization - YouTube — Google Developers.pdf

The OAuth 2.0 Authorization Framework

The OAuth 2.0 Authorization for the Internet of Things · PDF file Thesis Title: The OAuth 2.0 Authorization for the Internet of Things Description of the units: The Networked Embedded

OAuth Guide Release 6 - Oracle Preface This guide explains how to use the Open Authorization Protocol (OAuth) features with Oracle Communications Services Gatekeeper. Audience

Authorization with OAuth - CDATA Zone

Authentication in the Cloud€¦ · OAuth 2.0 Obtaining authorization (access/refresh token) Authorization code – Server-side webapp Implicit grant – JavaScript app – Access

Introduction to OpenID Connect - self-issued.infoself-issued.info/presentations/OpenID_Connect... · •OAuth 2.0 Form Post Response Mode –Defines how to return OAuth 2.0 Authorization

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization ... · The Active Directory Federation Services OAuth Authcode Lookup Protocol is defined as a RESTful protocol

OAuth and OpenID Connect · OAuth 2.0 authorization code flow yelp.com Connect with Google Redirect URI: accounts.google.com Email Password accounts.google.com Allow Yelp to access

An OAuth-Based Authorization Remote Collaboration Systems

[MS-OAPX]: OAuth 2.0 Protocol Extensions... · 1 Introduction The OAuth 2.0 Protocol Extensions specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework). When no operating

OAuth 2 - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/OAuth2.0from...OAuth 2.0 From scratch What is OAuth 2 •OAuth 2 is an authorization framework that enables applications

Make Redirection Evil Again URL Parser Issues in OAuth...History of Redirection Issues in OAuth •Dec 2012. In RFC 6749 - The OAuth 2.0 Authorization Framework • The authorization

(4) OAuth 2.0 Obtaining Authorization

Authorization Architecture Patterns: How to Avoid Pitfalls in … · 2019-10-28 · implement OAuth 2.0, OpenID Connect, Financial-grade API and CIBA. ... • OAuth / OpenID Connect