Upload File

oauth 2.0 token exchange - ietf.org

4
An STS for the REST of Us Brian Campbell et al. IETF 96 Berlin July 2016 current: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05 OAuth 2.0 Token Exchange 1

Upload: others

Post on 16-Feb-2022

13 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: OAuth 2.0 Token Exchange - ietf.org

An STS for the REST of Us

Brian Campbell et al.

IETF 96

Berlin July 2016

current: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05

OAuth 2.0 Token Exchange

1

Page 2: OAuth 2.0 Token Exchange - ietf.org

2

Resource Server frontend.example.com

AS/STS as.example.com

Backend Service backend.example.com

Client

Just One Example (a quick illustration in the very unlikely event of some folks not having read the draft)

2

Page 3: OAuth 2.0 Token Exchange - ietf.org

Current Status

l  Draft -05 published July 8 (yes, the cut-off) with relatively minor changes l  Added "cid” JWT claim that can express the client identifier

of the client that requested the token. l  Token introspection response parameter registration for

"act" and "may_act” l  refresh_token now OPTIONAL (was NOT RECOMMENDED) l  Attempt to better clarify the distinction between JWT and

access token URIs. l  Remove some of the ‘Open Issues’

l  No short names l  No supplementary info/claims

3

Page 4: OAuth 2.0 Token Exchange - ietf.org

Moving Forward l  I believe it’s getting close… l  Open Issues

l  Facilitating proof-of-possession cases l  In & out, token binding, use-case diversity

4

l  Other stuff l  ID Tokens

l  URI l  Scope &

“id_token” response parameter

l  The title…


OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

Merchant Integration Information PAC/PMC - API Documentation · Michael McDevitt Head of Business Name Position Date and Signature Kieron Nolan CFO . ... either using an OAuth token,

CODEMATCH - ietf.org

Demystifying the SharePoint Hybrid Environment...Support pass-through authentication for OAuth 2.0, including unlimited OAuth bearer token transactions. Accept unsolicited inbound

Measuring and Mitigating OAuth Access Token …homepage.divms.uiowa.edu/~mshafiq/files/shehroze-oauth-imc2017.pdfMeasuring and Mitigating OAuth Access Token Abuse by Collusion Networks

Travel: August 2020 Release Notes · Web viewPreviously, when an API customer using Legacy OAuth refreshed an access token, the same token would be updated with a new expiry date

Mobile Android Configuration Guide€¦ · using Identity and Data APIs. Connected Apps use the OAuth 2.0 protocol for authentication, Single Sign-On, and access token acquisition,

VMware Horizon Workspace Security · PDF fileWith OAuth token timeout and refresh where the client or device is registered as an OAuth Client, two kinds ... VMware Horizon Workspace

OAuth 2.0 Token Binding - IETF Again? l Specify a proof-of-possession mechanism based on Token Binding for OAuth 2.0 (& OpenID Connect) to defeat replay of lost or stolen tokens

Measuring and Mitigating OAuth Access Token Abuse …sfarooqi/Files/oauth-imc2017.pdfMeasuring and Mitigating OAuth Access Token Abuse by Collusion Networks Shehroze Farooqi The University

OAuth Today - files.meetup.comfiles.meetup.com/17533002/oauth-Slides-Greg.pdf · For reference: OAuth 1.0 only supported a “Mac” style of token Token Type What it Is Signed? Spec

PASI MUSTONEN ACCESS CONTROL FOR LINKED DATA … · 2019. 5. 4. · Avainsanat: pääsynhallinta, OAuth 2.0, HTTP Basic Authentication, avainrengas ... 2.2.1 Obtaining an access token

Token Binding & OAuth: Status & Next Steps · 10 What about federation? There’s an HTTP response header for that! Tells the browser that it should reveal the Token Binding ID used

 · Supports OAuth (Open Authorization) which is an open standard for token-based authentication and ... Mikrotik, Ubiquiti UAP, Fortigate, Extreme Network

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

TWAMP Services KPIs Extension - ietf.org

H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

Authentication in the Cloud€¦ · OAuth 2.0 Obtaining authorization (access/refresh token) Authorization code – Server-side webapp Implicit grant – JavaScript app – Access

Measuring and Mitigating OAuth Access Token Abuse by ...sfarooqi/Files/oauth-imc2017.pdf · research has reported several security weaknesses in OAuth and its implementations [54,

Measuring and Mitigating OAuth Access Token Abuse by … · 2017-10-18 · Facebook implements OAuth 2.0 authorization frame-work [30] which allows third-party applications to gain

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

SAP Cloud Platform Integration Suite Monthly Updates June 2020 › webinars › sap-user... · –OAuth 2.0 JSON Web Token profile in REST adapter Cloud Integration Runtime –Support

Yang Data Model for TE Topologies - ietf.org

ERHÖHTE TRANSPARENZ IN DER SUPPLY CHAIN. · SAP Cloud Identity OAuth 2.0 Authorization and Token Service Roles Permissions Menu Dashboard Data Visulization SAP Vehicle Insights Condition

SAML and OAUTH Technologies WebSphere Application Server€¦ · SAML and OAUTH Technologies WebSphere Application Server ... SAML Web Services Token ... 3 The signature of the SAML

OFX Implementation Guide · OAuth 2.0 server that supports implicit grant may require re-authentication to acquire a new security token. [See Brief Overview of OAuth 2 Implementation

Introduction to OpenID Foundation · 2020. 7. 29. · OpenID Connect 1.0 OAuth 2.0 JSON Web Signature (JWS) JSON Web Token (JWT) Client Initiated Backchannel Authentication (CIBA)

py0511 wimax overview r2 - ietf.org

OAuth 2.0 Security Introduction - SecAppDev Manico/04a. OAUTH...OAuth token used to directly access protected resources on behalf of a user or service. Refresh Token Refresh tokens,

IBM. Tivoli. Federated Identity Manager Version 6.2.2.7: … · 2016-05-14 · About two-legged OAuth .....371 Security Token Service interface for two-legged OAuth flow .....372

OAuth 2.0 Token Binding - IETF | Internet Engineering … Binding for Access Tokens l Section 3 of draft-ietf-oauth-token-binding-01 l Binds the access token to the token binding key

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

DetNet BoF - ietf.org

OAuth 2.0 Token Exchange: An STS for the REST of Us

OpenID Connect & OAuth 2.0 Server for the Enterprise · API access management identity provision identity ... Modern token based security for web, ... User authentication