Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The modern OAuth 2.0

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Hsiaoming Yang Hsiaoming Yang
September 17, 2018
Programming
2
1.8k

The modern OAuth 2.0

An introduction of OAuth 2.0 framework. Slide for #pyconjp 2018.

Avatar for Hsiaoming Yang

Hsiaoming Yang

September 17, 2018
Tweet

More Decks by Hsiaoming Yang

See All by Hsiaoming Yang
Accessibility
Avatar for Hsiaoming Yang lepture
0
320
Vue: from view to view
Avatar for Hsiaoming Yang lepture
2
5.6k

Other Decks in Programming

See All in Programming
ZJIT: The Ruby 4 JIT Compiler / Ruby Release 30th Anniversary Party
Avatar for Takashi Kokubun k0kubun
1
390
CSC307 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
830
Smart Handoff/Pickup ガイド - Claude Code セッション管理
Avatar for rasshii yukiigarashi
0
120
CSC307 Lecture 03
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
490
余白を設計しフロントエンド開発を 加速させる
Avatar for karacoro / からころ tsukuha
7
2.1k
生成AIを使ったコードレビューで定性的に品質カバー
Avatar for Chiaki Okamoto chiilog
1
230
Implementation Patterns
Avatar for Denys Poltorak denyspoltorak
0
280
高速開発のためのコード整理術
Avatar for sutetotanuki sutetotanuki
1
380
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
Avatar for r-kagaya rkaga
6
4.5k
AI Agent Tool のためのバックエンドアーキテクチャを考える #encraft
Avatar for izumin5210 izumin5210
6
1.8k
インターン生でもAuth0で 認証基盤刷新が出来るのか
Avatar for takumi taku271
0
190
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
Avatar for Kenta Suzuki kekekenta
0
200

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
55k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.8k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
270
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
Avatar for Liv Day livdayseo
0
63
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.4k
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
2
250
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.6k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
420
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
110
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
96

Transcript

  1. The modern OAuth 2.0 Hsiaoming Yang

  2. About Me 0

  3. https://github.com/lepture https://lepture.com/about The Pallets Projects

  4. Welcome to contribute to Flask, Werkzeug & other Pallets Projects.

    AD
  5. None
  6. None

  7. https://authlib.org/

  8. The MODERN OAuth 2.0 1

  9. WHAT IS OAUTH

  10. The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  11. None

  12. WHAT IS MODERN

  13. A little bit of the History ★ November 2006, Blaine

    Cook was working on the Twitter OpenID implementation. ★ April 2007, a Google group was created. ★ July 2007, the team drafted an initial specification. ★ December 2007, OAuth Core 1.0 was released.

  14. 2010.4 RFC5849 IETF OAuth Working Group 2009 2012.12 RFC6749 RFC6750

  15. enable clients to obtain limited access to resources

  16. Protocol vs Framework 2

  17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……

  18. JWT is created by OAuth Working Group

  19. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19y b290Ijp0cnVlfQ . dBjftJeZ4CVP- mB92K27uhbUJU1p1r_wW1gFWFOEjXk JWT based

    on JWS header payload signature

  20. https://tools.ietf.org/wg/oauth/

  21. grant types client auth methods token endpoints

  22. Python Libraries 3

  23. ★ https://pypi.org/project/oauth/ ★ https://pypi.org/project/oauth2/ ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org OAuth 1.0

    OAuth 1.0

  24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

  25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth

    1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)

  26. Authlib vs OAuthlib • Commercial Driven vs Community Driven •

    Monolithic vs Core Code • Flexible Clean Code vs Mixed Code

  27. Authlib

  28. OAuthLib

  29. None

  30. Grant Types 4

  31. Basic Grant Types • Authorization Code • Implicit • Client

    Credentials • Password

  32. Authorization Code

  33. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  34. Proof Key for Code Exchange by OAuth Public Clients RFC7636

  35. https://server/authorize? response_type=code&client_id= s6BhdRkqt3&state=xyz& code_challenge=E9Melhoa2OwvFr EMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 RFC7636

  36. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_challenge=S256(code_verifier)

  37. client = oauth.register( 'example', client_id='Example Client ID', client_secret='Example Client Secret',

    access_token_url='https://example.com/oauth/access_token', authorize_url='https://example.com/oauth/authorize', api_base_url=‘https://api.example.com/', code_challenge_method='S256', ) Only available in Authlib authorization_server\ .register_grant( AuthorizationCodeGrant, [CodeChallenge(required=True)] )

  38. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

  39. POST /token HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant- type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.

    eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] JWT

  40. Google Service Accounts

  41. None
  42. None

  43. Client Auth Methods 5 Token Endpoint Authentication Methods

  44. client auth methods

  45. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk client_secret_basic

  46. ★ none ★ client_secret_basic ★ client_secret_post

  47. POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& client_id=sBj&client_secret=Sh8Vxd

    client_secret_post

  48. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 ★ client_secret_jwt ★ private_key_jwt RFC8414
  49. None

  50. Token Endpoints 6

  51. token endpoints

  52. ★ token revocation endpoint ★ token introspection endpoint RFC7009 RFC7662

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is built upon OAuth 2.0

  55. https://github.com/authlib/ example-oauth2-server

  56. Stay tuned for v0.10

  57. Thanks