OAuth 101

Anand Sharma
February 07, 2013

Transcript

  1. Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved.
     OAuth 2.0 101: Adapting to the Web Beyond the Browser
     Anand Sharma, IT Architect, April 2012
  2. For the successful companies, 80% of traffic will be coming from beyond the browser.
  3. The resource is some website; the user is the consumer. Authorization is granted by an Admin.
  4. The resource is owned by the user. The application consumes the resource. The application is given too much power.
  5. The resource is owned by the user. The application consumes the resource. The application is given too much power.
  6. Because Services (APIs) and Passwords don't mix well.
  7. - Defines an Authorization & Authentication framework for RESTful services
     - Supports a variety of clients, from Servers to Mobile Apps
     - Puts the user in control of what resources are shared; mitigates the password anti-pattern
  8. - Application that calls the API (Client): software application that calls REST APIs
     - Human User using the App (Resource Owner): end-user whose data is offered up through an API to Clients
     - API Proxy or Host (Resource Server): accepts access tokens on API calls in order to authenticate the calling client
     - Token Server (Authorization Server): issues Access Tokens after authenticating the client and/or Resource Owner
  9. - Short-lived Token (Access Token): applications authenticate to APIs using an Access Token
     - Long-lived Token (Refresh Token): Refresh Tokens, if present, can be used to get a new Access Token
 10. 1. Client Gets Token
     2. Client Uses Token
     3. Resource Server Validates Token
     4. Client Refreshes Token (Optional)
     95% of OAuth (and OAuth complexity) is about:
     - Step #1: how to get an Access Token
     - OAuth's confusing terminology
 11. Client Identity; Human User Identity; Access Token
 12. Directly exchanges the Client's credentials for an Access Token. For accessing client-owned resources (no Human User involvement).
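The four steps of slide 10 (get, use, validate, refresh) and the client-credentials exchange of slide 12 (grant_type=client_credentials in the spec) together, as an added example that is not part of the deck. The token server, resource server, client name and secret are constructed for the example; a fake clock stands in for wall time so the access-token expiry and the single-use refresh token can be shown without sleeping.

```python
import secrets
import time

# Constructed registration data for one confidential client (assumed name and
# secret; a real deployment loads the secret from a secret store, not source).
CLIENTS = {"report-bot": "constructed-client-secret"}
ACCESS_TOKEN_TTL = 60       # seconds: short-lived, presented on every API call
REFRESH_TOKEN_TTL = 86400   # seconds: long-lived, presented only to the token server


class AuthorizationServer:
    """Token server: issues access tokens (step 1) and refreshes them (step 4)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access_tokens = {}   # token -> {"client_id", "scope", "exp"}
        self.refresh_tokens = {}  # token -> {"client_id", "scope", "exp"}

    def _issue(self, client_id, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = {"client_id": client_id, "scope": scope, "exp": now + ACCESS_TOKEN_TTL}
        self.refresh_tokens[refresh] = {"client_id": client_id, "scope": scope, "exp": now + REFRESH_TOKEN_TTL}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL,
                "refresh_token": refresh, "scope": scope}

    def token(self, form):
        """Token endpoint. `form` is the decoded x-www-form-urlencoded POST body."""
        client_id = form.get("client_id", "")
        expected = CLIENTS.get(client_id)
        # Constant-time comparison: a wrong secret is not distinguishable by timing.
        if expected is None or not secrets.compare_digest(expected, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "client_credentials":
            return self._issue(client_id, form.get("scope", ""))
        if grant == "refresh_token":
            # pop(): a refresh token is single-use; the response carries a new one
            rec = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if rec is None or rec["client_id"] != client_id or rec["exp"] <= self.clock():
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["scope"])
        return {"error": "unsupported_grant_type"}

    def lookup(self, access_token):
        """Resource server's check of a token; None if unknown or expired."""
        rec = self.access_tokens.get(access_token)
        return None if rec is None or rec["exp"] <= self.clock() else rec


class ResourceServer:
    """API host: validates the bearer token on every call (step 3) before serving data."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def handle(self, headers, required_scope):
        value = headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        rec = self.auth.lookup(value[len("Bearer "):])
        if rec is None:
            return 401, {"error": "invalid_token"}
        if required_scope not in rec["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"client": rec["client_id"], "report": "constructed payload"}


class FakeClock:
    """Controllable clock so the example can show expiry without sleeping."""
    def __init__(self, start=1_360_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_lifecycle():
    """Walk steps 1-4; return the HTTP status of each API call and the replay result."""
    clock = FakeClock()
    auth = AuthorizationServer(clock)
    api = ResourceServer(auth)
    creds = {"client_id": "report-bot", "client_secret": CLIENTS["report-bot"]}
    # Step 1: client gets a token with its own credentials (client credentials grant)
    tok = auth.token({**creds, "grant_type": "client_credentials", "scope": "reports:read"})
    bearer = {"Authorization": "Bearer " + tok["access_token"]}
    # Steps 2 and 3: client uses the token; the resource server validates it each time
    first = api.handle(bearer, "reports:read")[0]
    wrong_scope = api.handle(bearer, "reports:write")[0]
    clock.advance(ACCESS_TOKEN_TTL + 1)
    expired = api.handle(bearer, "reports:read")[0]
    # Step 4: client refreshes; the consumed refresh token must not work a second time
    fresh = auth.token({**creds, "grant_type": "refresh_token", "refresh_token": tok["refresh_token"]})
    after = api.handle({"Authorization": "Bearer " + fresh["access_token"]}, "reports:read")[0]
    replay = auth.token({**creds, "grant_type": "refresh_token", "refresh_token": tok["refresh_token"]})
    return {"first": first, "wrong_scope": wrong_scope, "expired": expired,
            "after": after, "replay": replay.get("error")}
```

Calling `run_lifecycle()` returns `first` 200, `wrong_scope` 403, `expired` 401, `after` 200 and `replay` "invalid_grant". The resource server never sees the client secret; it only ever learns whether a presented token is live and what scope it carries, which is why the short access-token lifetime matters: a leaked token is useful to an attacker only until it expires, and the long-lived refresh token never leaves the client/token-server channel. Rotating the refresh token on every use (the `pop`) is a design choice of this example, not something the deck specifies.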
 13. Directly exchanges the Human User's credentials for an Access Token. Useful where the Client is well-trusted by the user and where a browser redirect would be awkward. Commonly used with trusted Mobile apps.
 14. Similar to the OAuth 1.0a flow:
     - Starts with a redirect to the provider for authorization
     - After authorization, redirects back to the client with a code query parameter
     - The code is exchanged for an access token
     The client is able to keep tokens confidential. Commonly used for web apps connecting with providers.
 15. Simplified Authorization flow: after authorization, redirects back to the client with the Access Token in a fragment parameter. Reduced round-trips. Refresh token is not supported. Commonly used by in-browser JavaScript apps or widgets.
 16. The client sends an access token request to the authorization server that includes a SAML 2.0 Assertion. The authorization server validates the Assertion per the processing rules defined in this specification and issues an access token.
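The exchange slide 16 describes, as an added example that is not from the deck: the client posts the assertion under grant_type `urn:ietf:params:oauth:grant-type:saml2-bearer` with the base64url-encoded XML in the `assertion` form field (both defined by the SAML 2.0 bearer assertion profile for OAuth 2.0), and the authorization server applies the processing rules before issuing a token. The sample assertion, issuer, token-endpoint URL and client name are constructed; the example assumes the assertion's XML signature has already been verified by an XML-DSig library before the checks shown here run, since that verification is what makes the issuer claim trustworthy.

```python
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://token.example/oauth2/token"     # assumed; must appear as the audience
TRUSTED_ISSUERS = {"https://idp.example/"}                # assumed federation partner

# Constructed sample assertion (no real IdP); the ds:Signature element is left out, see below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-0001" Version="2.0" IssueInstant="2013-02-07T10:00:00Z">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T09:55:00Z" NotOnOrAfter="2013-02-07T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://token.example/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_token_request(assertion_xml, client_id="constructed-client"):
    """Client side: the assertion travels base64url-encoded (no padding) in `assertion`."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return {"grant_type": SAML2_BEARER_GRANT, "assertion": encoded, "client_id": client_id}


def validate_assertion(xml_text, now, seen_ids):
    """Processing rules on the authorization server. Returns (claims, error)."""
    # Assumed: the XML signature over the assertion was already verified against the
    # issuer's published key by an XML-DSig library before this function is called.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "invalid_grant"
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return None, "invalid_grant"
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_ISSUERS:
        return None, "invalid_grant"                       # unknown issuer
    conditions = root.find("saml:Conditions", SAML_NS)
    try:
        in_window = parse_saml_time(conditions.get("NotBefore")) <= now < parse_saml_time(conditions.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False                                  # missing or malformed validity window
    if not in_window:
        return None, "invalid_grant"
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if TOKEN_ENDPOINT not in audiences:
        return None, "invalid_grant"                       # assertion was meant for another party
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if confirmation is None or confirmation.get("Method") != BEARER_METHOD:
        return None, "invalid_grant"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return None, "invalid_grant"                       # replay of an already-used assertion
    seen_ids.add(assertion_id)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    return {"issuer": issuer, "subject": subject}, None


def token_endpoint(form, now, seen_ids):
    """Authorization server: validate the assertion and, if it passes, issue an access token."""
    if form.get("grant_type") != SAML2_BEARER_GRANT:
        return {"error": "unsupported_grant_type"}
    encoded = form.get("assertion", "")
    try:
        xml_text = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except (ValueError, TypeError):
        return {"error": "invalid_request"}
    claims, error = validate_assertion(xml_text, now, seen_ids)
    if error:
        return {"error": error}
    # No refresh token: the client presents a fresh assertion when it needs a new access token.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}
```

The `seen_ids` set is the replay cache: an assertion is accepted once within its validity window, so re-posting a captured token request yields `invalid_grant`. The audience check is the one most often skipped in practice; without it, an assertion the IdP issued for some other service provider would be accepted here as well.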
 17. OAuth: What version should we use? Standardize on OAuth 2.0 Draft 20. Lack of understanding: book(s), brown-bags. Lack of tools and frameworks.
 18. "Getting Started with OAuth 2.0" (O'Reilly book); OAuth 2.0 Draft 25 (http://bit.ly/dft-oauth); search for "OAuth 2.0" in Google.