OpenID and OAuth 2.0 - and what you should know if you want to build providers in Python

Transcript

1. OpenID and OAuth 2.0 and what you should know if

   you want to build providers in Python Andre Lee

2. Outline • Outline • Authentication & Authorization • OpenID •

   OpenID Provider in Python • OpenID Demo • OAuth 2.0 • OAuth 2.0 Provider in Python • OAuth 2.0 Demo • Q&A

3. Authentication & Authorization • Authentication is about verifing who you

   are • Authorization is about verifing what you are authorized to do Hey, who are you? Could I read /root/secret_dir ?

4. OpenID & OAuth 2.0 are ? • OpenID is for

   • OAuth 2.0 is for Authentication Authorization

5. OpenID • is an open standard that allows users to

   be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service, eliminating the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities. (from Wikipedia)

6. OpenID (Cont.) Terms • Identifier • User-Agent • Relying Party,

   RP • OpenID Provider, OP

7. OpenID (Cont.) • December 5, 2007 ◦ OpenID Authentication 2.0

   ◦ OpenID Attribute Exchange 1.0 • Diff between 1.0 2.0 1.0 has been marked as Obsolete Specification

8. OpenID Authentication Flow (from http://www.ibm.com/developerworks/tivoli/library/t-openid-tfim/)

9. OpenID Provider in Python • python-openid 2.2.5

10. OpenID Live Demo • Relying Party • OpenID Providers •

    Authentication Flow

11. OAuth 2.0 • The OAuth 2.0 authorization framework enables a

    third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. • The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

12. OAuth 2.0 (Cont.) Version • Draft 31 → PROPOSED STANDARD

    (October 2012)

13. OAuth 2.0 & 1.0a OAuth 1.0 • Current version: OAuth

    1.0a • which fixes a security problem with 1.0 Main Diffs • SSL is required • Signatures are no longer required • Only one security token • Clearly specifies the parts of the protocal for roles

14. OAuth 2.0 Roles Roles • resource owner • resource server

    • client • authorization server

15. OAuth 2.0 Terms Terms • grant_type (authorization_code, password, client_credentials, refresh_token,

    and etc.) • client_id • client_secret • redirect_uri • response_type (code, token) • scope • state

16. OAuth 2.0 Client Type • web application • user-agent-based application

    • native application

17. OAuth 2.0 Flow (from RFC 6749 )

18. 2-legged and 3-legged • public resources: 2-legged • private resource:

    3-legged

19. OAuth 2.0 Provider in Python (from Inside the Head of

    PYDANNY)

20. OAuth 2.0 Provider Libraries in Python • oauthlib • pyoauth2

21. OAuth 2.0 Live Demo • Resource Owner • Authorization Server

    • Authorization Flow for Web-App

22. Q&A • Why can't we just implement it on our

    own? • OpenID + OAuth? • OAuth is an extension of OpenID? • Using OAuth 2.0 for Authentication?

23. References • http://openid.net/ • http://oauth.net/2/ • http://pydanny.com/the-sorry-state-of- python-oauth-providers.html • https://blog.apigee.

    com/detail/oauth_differences

24. Thank you!

25. Using OAuth 2.0 for Authentication? (from Wikipedia)