OAuth 2.0 & OpenID Connect

Upload: nov-matake

Post on 20-Jan-2015

TRANSCRIPT

Page 1: OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

OAuth 2.0 & OpenID Connect

Page 2:

OpenSource Conference 2011

@nov
OpenID Foundation Japan Evangelist
OAuth.jp

Ruby Libraries: rack-oauth2, openid_connect, fb_graph

Page 3: (no extracted text)

Page 4:

OpenID TechNight #7

Current Trend: Mobile, Game, Social

Page 5:

Platform ♥ 3rd-party Developers

Page 6:

API Integration
Access Control for APIs

Page 7: (no extracted text)

Page 8:

Using the same password on 10+ services??

Page 9:

OAuth
No password sharing
Limited access lifetime: expire after N weeks
Limited access scope: Status Update : OK / Read Inbox : NG

Page 10:

B2B is slow though..

Page 11:

Rough History

Page 12:

2007.12 OAuth 1.0

Page 13:

Twitter API

Page 14:

2010.04 OAuth 2.0 (draft 0)

Page 15:

Facebook Graph API

Page 16:

2010.07 draft 10

Page 17:

mixi Graph API

Page 18: (no extracted text)

Page 19:

2011.09 draft 22

Page 20:

OAuth 1.0 OAuth 2.0

Page 21:

OAuth 1.0 in Japanese: ju.mp/oauth1_ja
OAuth 2.0 in Japanese: ju.mp/oauth2_ja

Page 22: (no extracted text)

Page 23:

Roles: Resource Owner, Client, Resource Server, Authorization Server
Client -> Resource Server: API Access (with Access Token)
Resource Owner -> Authorization Server: Authorize Client Access

Pages 24-25: same diagram as Page 23

Page 26:

Same diagram as Page 23, with the two spec labels: Core Spec, Token Type Spec

Page 27:

Core Spec (same diagram as Page 23)

Page 28:

2 Response Types in Core: Code, Token
Extensions: Code + Token, and more..

Response Type / Core

Page 29:

response_type = code

Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Code
Code
Access Token

Core

Pages 30-34: same sequence as Page 29, with the request parameters:

Authorization request:
client_id=...&response_type=code&redirect_uri=https://...&scope=...

Token request:
code=...&client_id=...&client_secret=...&grant_type=authorization_code&redirect_uri=https://...

[NOTE] Facebook API returns access token in x-www-form-urlencoded
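The code flow of Pages 29-34 as an added, runnable Ruby example (constructed for this transcript, not the speaker's rack-oauth2 code): an in-memory authorization server and client using the constructed client id client123, secret s3cret and redirect URI https://client.example.com/cb. Beyond the two requests the slides list, it shows the checks each side should make: the server accepts only the registered redirect_uri and treats the code as single-use and short-lived, and the client refuses a callback whose state does not match what it sent.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# Constructed in-memory authorization server (example code, not rack-oauth2):
# one registered client, and every issued code is bound to it and its redirect_uri.
class AuthorizationServer
  CLIENTS = { 'client123' => { secret: 's3cret', redirect_uri: 'https://client.example.com/cb' } }.freeze
  def initialize; @codes = {}; end

  # Front channel: the resource owner has approved, so redirect back with a one-time code.
  def authorize(params)
    client = CLIENTS[params['client_id']]
    raise 'unknown client' unless client
    # Exact match against the registered URI: a code is never sent anywhere else.
    raise 'redirect_uri mismatch' unless params['redirect_uri'] == client[:redirect_uri]
    raise 'unsupported response_type' unless params['response_type'] == 'code'
    code = SecureRandom.hex(16)
    @codes[code] = { client_id: params['client_id'], redirect_uri: params['redirect_uri'],
                     scope: params['scope'], expires_at: Time.now + 60 }
    "#{client[:redirect_uri]}?code=#{code}&state=#{params['state']}"
  end

  # Back channel: client authenticates with its secret; the code is deleted on first use, so a replay gets invalid_grant.
  def token(params)
    client = CLIENTS[params['client_id']]
    return { 'error' => 'invalid_client' } unless client && client[:secret] == params['client_secret']
    return { 'error' => 'unsupported_grant_type' } unless params['grant_type'] == 'authorization_code'
    grant = @codes.delete(params['code'])
    if grant.nil? || grant[:client_id] != params['client_id'] ||
       grant[:redirect_uri] != params['redirect_uri'] || grant[:expires_at] < Time.now
      return { 'error' => 'invalid_grant' }
    end
    { 'access_token' => SecureRandom.hex(16), 'token_type' => 'bearer', 'expires_in' => 3600 }
  end
end

# Client side: parse the callback and refuse it unless it echoes the state this client sent.
def parse_callback(redirect_url, expected_state)
  q = CGI.parse(URI(redirect_url).query.to_s).transform_values(&:first)
  raise 'state mismatch (possible CSRF)' unless q['state'] == expected_state
  q['code'] || raise("authorization failed: #{q['error']}")
end

# The whole flow as the slides draw it: initiate, approve, code, then access token.
def run_code_flow(server, state: SecureRandom.hex(8))
  redirect = server.authorize('client_id' => 'client123', 'response_type' => 'code', 'state' => state,
                              'redirect_uri' => 'https://client.example.com/cb', 'scope' => 'read')
  server.token('code' => parse_callback(redirect, state), 'client_id' => 'client123',
               'client_secret' => 's3cret', 'grant_type' => 'authorization_code',
               'redirect_uri' => 'https://client.example.com/cb')
end
```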

Page 35:

response_type = token

Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Access Token

Core

Pages 36-37: same sequence as Page 35, with the request parameters:

client_id=...&response_type=token&redirect_uri=https://...&scope=...

Page 38:

Response Type

Code: Secure; 2 HTTP requests (Require Approval, Get Access Token)
Token: Efficient; 1 HTTP request (Both at once)
+ extensions

Core

Page 39:

Token Type Spec (same diagram as Page 23)

Page 40:

Token Type Spec

Bearer: No signature; No token secret; Mainstream
MAC: Signature; Token secret; Similar to OAuth 1.0
+ extensions

Token

Page 41: same as Page 40, plus the callout:

In most cases, you use this.

Page 42:

Bearer Token
Access Token Response

Token

Page 43:

API Access (Bearer)

Token

Page 44:

BUT

Page 45:

Not all API providers follow the latest draft..

Page 46:

NO “token_type”
Access Token Response

Page 47:

Different Scheme/Parameter
OAuth
oauth_token

Page 48:

#MA7 Mashup Caravan & Meetup in Kyoto

Page 49: (no extracted text)

Page 50:

OpenID is dead!? Poor UX? URL as identifier?

Page 51:

Lack of API access!? You need “stream access”, don’t you?

Page 52:

♥ OpenID Connect
~ OpenID based on OAuth 2.0 ~

Page 53:

ref.) slideshare.net/oid;/openidconnect-nat

Page 54: (same diagram as Page 23)

Page 55:

Basic Flow

Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Access Token

Pages 56-57: same sequence as Page 55, with the request parameters:

client_id=...&response_type=token+id_token&redirect_uri=https://...&scope=openid

Page 58:

OAuth 2.0 + “ID Token”

Page 59:

connect-rp.heroku.com

Page 60:

ID Token
Represent Session Information
JWT-encoded JSON Object
Signed using JWS
Encrypted using JWE
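Page 60 says the ID token is a JWT signed with JWS. The following is an added Ruby example, not code from the deck or from the speaker's openid_connect gem: it mints an HS256-signed ID token the way a provider would and verifies it the way a relying party must, checking signature, issuer, audience, expiry and nonce before any claim is trusted. The issuer https://op.example.com, client id client123 and the client secret are constructed values; HS256 keyed with the client_secret is one of the signing options OpenID Connect defines.

```ruby
require 'openssl'
require 'json'

# JWS uses base64url without padding; done here on pack/unpack so no extra gem is needed.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0').force_encoding('UTF-8')
end

# Constant-time comparison so a signature check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side (constructed): mint an HS256-signed ID token. OpenID Connect allows HS256 with
# the client_secret as the HMAC key, which is why no key distribution step appears here.
def issue_id_token(claims, client_secret)
  header = b64url_encode(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', client_secret, signing_input))}"
end

# Relying party side: verify signature, issuer, audience, expiry and nonce, then return the claims.
def verify_id_token(token, client_secret:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise 'malformed token' unless header_b64 && payload_b64 && sig_b64
  # The verifier fixes the algorithm; the token's own header never gets to choose it ("none" included).
  raise 'unexpected alg' unless JSON.parse(b64url_decode(header_b64))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', client_secret, "#{header_b64}.#{payload_b64}")
  raise 'bad signature' unless secure_equal?(expected, b64url_decode(sig_b64))
  claims = JSON.parse(b64url_decode(payload_b64))
  raise 'wrong issuer' unless claims['iss'] == issuer
  raise 'not for this client' unless Array(claims['aud']).include?(client_id)
  raise 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise 'nonce mismatch' unless claims['nonce'] == nonce
  claims
end
```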

Page 61: (no extracted text)

Page 62: (no extracted text)

Page 63:

UserInfo
OAuth 2.0 Protected Resource
REQUIRED “profile” scope
OPTIONAL “email” and “address” scopes
Standardized JSON Format: PoCo (Portable Contacts) + Facebook Graph API
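Pages 42-47 (the bearer token response and API access, including providers that omit token_type or answer in x-www-form-urlencoded) and Page 63 (UserInfo and its scopes) as one added Ruby example, not code from the deck or from the fb_graph and openid_connect gems. The client side normalizes the token response and builds the Bearer header; the resource-server side is a constructed UserInfo endpoint that accepts only a Bearer header, assumes TLS on the connection, and returns only the claim groups the token's scopes allow. The scope-to-claim mapping and the sample users are assumptions for illustration.

```ruby
require 'json'
require 'cgi'

# Client side: token endpoints answer in JSON per the draft, but some providers (the deck's
# Facebook note) answer x-www-form-urlencoded and omit token_type; bearer is assumed then.
def parse_token_response(content_type, body)
  fields = if content_type.start_with?('application/json')
             JSON.parse(body)
           else
             CGI.parse(body).transform_values(&:first)
           end
  raise "token error: #{fields['error']}" if fields['error']
  raise 'no access_token in response' unless fields['access_token']
  type = (fields['token_type'] || 'bearer').downcase
  raise "unsupported token_type #{type}" unless type == 'bearer'
  { access_token: fields['access_token'], scope: fields['scope'].to_s.split(' ') }
end

# Bearer API access: the token alone is the credential, so it goes in the Authorization
# header over TLS (assumed here), not in a query string that ends up in access logs.
def bearer_header(access_token)
  { 'Authorization' => "Bearer #{access_token}" }
end

# Constructed UserInfo endpoint. The scope-to-claim mapping is an assumption for illustration;
# the response carries only the claim groups the resource owner approved.
CLAIMS_BY_SCOPE = {
  'profile' => %w[user_id name],
  'email'   => %w[email verified],
  'address' => %w[address]
}.freeze

# Returns [status, headers, body]; token_store maps access tokens to { sub:, scope:, expires_at: }.
def userinfo(headers, token_store, users)
  m = %r{\ABearer (?<token>[A-Za-z0-9._~+/=-]+)\z}.match(headers['Authorization'].to_s)
  return [401, { 'WWW-Authenticate' => 'Bearer' }, {}] unless m
  grant = token_store[m[:token]]
  unless grant && grant[:expires_at] > Time.now
    return [401, { 'WWW-Authenticate' => 'Bearer error="invalid_token"' }, {}]
  end
  unless grant[:scope].include?('profile')
    return [403, { 'WWW-Authenticate' => 'Bearer error="insufficient_scope"' }, {}]
  end
  allowed = grant[:scope].flat_map { |s| CLAIMS_BY_SCOPE.fetch(s, []) }
  [200, {}, users.fetch(grant[:sub]).select { |k, _| allowed.include?(k) }]
end
```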

Page 64: (no extracted text)

Page 65: (no extracted text)

Page 66: (no extracted text)

Page 67:

So, why do these matter?

Page 68:

Social

Page 69:

Cloud

Page 70:

Living in the Web

Page 71:

Discovery, Identity, Access Control, Streams, People, Applications

Page 72:

OpenID Summit Tokyo in Tokyo, Japan, December 1, 2011

Page 73:

openid-foundation-japan.github.com
slideshare.net/matake
github.com/nov
twitter.com/nov