Confidential 11 Defines Authorization & Authentication framework for RESTful services Supports variety of clients – from Servers to Mobile Apps Puts the user in control of what resources are shared – mitigates password anti-pattern
Confidential 12 Application that calls API (Client) Software application that calls REST APIs Human User using the App (Resource Owner) End-user whose data is offered up through an API to Clients API Proxy or Host (Resource Server) Accepts access tokens on API calls in order to authenticate calling client Token Server (Authorization Server) Issues Access tokens after Authenticating the client and/or Resource Owner
Confidential 13 Short-lived Token (Access Token) Applications authenticate to APIs using an Access Token Long-lived Token (Refresh Token) Refresh Tokens, if present, can be used to get a new Access Token
Confidential 17 Directly exchanges Human User’s credentials for an access token Useful where the Client is well-trusted by the user and where a browser redirect would be awkward Commonly used with trusted Mobile apps
Confidential 18 Similar to OAuth 1.0a flow - Starts with redirect to provider for authorization - After authorization, redirects back to client with code query parameter – Code is exchanged for access token Client is able to keep tokens confidential Commonly used for web apps connecting with providers
Confidential 19 Simplified Authorization flow – After Authorization, redirects back to client with Access token in fragment parameter Reduced round-trips Refresh token is not supported Commonly used by in browser JavaScript apps or widgets
Confidential 20 The client sends an access token request to the authorization server that includes a SAML 2.0 Assertion The authorization server validates the Assertion per the processing rules defined in this specification and issues an access token.
Confidential 22 OAuth: What version should we use? Standardize on OAuth 2.0 Draft 20 Lack of Understanding Book(s), Brown-bags Lack of tools and frameworks