The modern OAuth 2.0

Hsiaoming Yang
September 17, 2018

An introduction to the OAuth 2.0 framework. Slides for #pyconjp 2018.

Transcript

  1. The modern OAuth 2.0
    Hsiaoming Yang

  2. About Me
    0

  3. https://github.com/lepture
    https://lepture.com/about
    The Pallets Projects

  4. Welcome to contribute to Flask,
    Werkzeug & other Pallets Projects.
    AD

  5. (no text on this slide)

  6. (no text on this slide)

  7. https://authlib.org/

  8. The MODERN
    OAuth 2.0
    1

  9. WHAT IS
    OAUTH

  10. The OAuth 2.0 authorization framework enables a
    third-party application to obtain limited
    access to an HTTP service, either on behalf
    of a resource owner by orchestrating an
    approval interaction between the resource owner and
    the HTTP service, or by allowing the third-party
    application to obtain access on its own behalf.

  11. (no text on this slide)

  12. WHAT IS
    MODERN

  13. A little bit of the History
    ★ November 2006, Blaine Cook was working on the
    Twitter OpenID implementation.
    ★ April 2007, a Google group was created.
    ★ July 2007, the team drafted an initial specification.
    ★ December 2007, OAuth Core 1.0 was released.

  14. 2009: IETF OAuth Working Group
    2010.4: RFC5849
    2012.12: RFC6749, RFC6750

  15. enable clients to
    obtain limited
    access to resources

  16. Protocol vs
    Framework
    2

  17. RFC6749
    RFC6750
    RFC6755
    RFC6749
    RFC7009
    RFC7519
    RFC7522
    RFC7523
    RFC7592
    RFC……

  18. JWT is created by
    OAuth Working Group

  19. JWT based on JWS: header.payload.signature
    header:    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    payload:   eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    signature: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
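
The token on this slide is the HS256 example from RFC 7515 / RFC 7519. As an added example (not code from the deck and not Authlib's implementation), the Python below shows what "JWT based on JWS" means in practice: it splits a compact JWS into its three base64url segments, signs and verifies HS256 tokens with only the standard library, pins the algorithm on the verifier side instead of trusting the token's own alg header, and checks exp. The key used for signing, the helper names and the try_verify wrapper are this example's own; the slide's token is embedded only to show parsing, because its signing key is not on the page.

```python
import base64
import hashlib
import hmac
import json
import time

# The HS256 example token from the slide, assembled from its three segments.
# Its signing key is not on the page, so it is only parsed here, not verified.
SLIDE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)


def b64url_encode(data):
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; re-adds the padding Python's decoder insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_jws(token):
    """Return the three base64url segments of a compact JWS: header, payload, signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three dot-separated parts")
    return parts


def decode_unverified(token):
    """Decode header and payload WITHOUT checking the signature (for inspection only)."""
    header_b64, payload_b64, _ = split_jws(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims, key):
    """Produce header.payload.signature with HMAC-SHA256 over the ASCII signing input."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token, key, now=None):
    """Verify the signature with the algorithm pinned to HS256, then check exp.

    Returns the claims or raises ValueError. The caller decides the algorithm; the
    token's own header never gets to choose it, so an alg of "none" is rejected
    before any comparison happens.
    """
    header_b64, payload_b64, sig_b64 = split_jws(token)
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the two MACs.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def try_verify(token, key, now=None):
    """Convenience wrapper: claims on success, None on any verification failure."""
    try:
        return verify_hs256(token, key, now)
    except (ValueError, KeyError, TypeError):
        return None
```

Note the split of responsibilities: decode_unverified is fine for logging or routing on iss, but every authorization decision goes through verify_hs256, which takes the key and the expected algorithm from the server's own configuration.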

  20. https://tools.ietf.org/wg/oauth/

  21. grant types
    client
    auth methods
    token endpoints

  22. Python Libraries
    3

  23. ★ https://pypi.org/project/oauth/ (OAuth 1.0)
    ★ https://pypi.org/project/oauth2/ (OAuth 1.0)
    ★ https://github.com/oauthlib/oauthlib
    ★ https://authlib.org

  24. OAuthLib
    • requests-oauthlib
    • Flask-OAuthlib
    • django-oauth-toolkit

  25. Authlib
    • built-in clients (requests, Flask,
    Django)
    • Flask OAuth 1 & 2 providers
    • Django OAuth 1 provider
    (TODO: OAuth 2)

  26. Authlib vs OAuthlib
    • Commercial Driven vs Community Driven
    • Monolithic vs Core Code
    • Flexible Clean Code vs Mixed Code

  27. Authlib

  28. OAuthLib

  29. (no text on this slide)

  30. Grant Types
    4

  31. Basic Grant Types
    • Authorization Code
    • Implicit
    • Client Credentials
    • Password

  32. Authorization Code

  33. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  34. Proof Key for Code Exchange by
    OAuth Public Clients
    RFC7636

  35. https://server/authorize?
    response_type=code&client_id=
    s6BhdRkqt3&state=xyz&
    code_challenge=E9Melhoa2OwvFr
    EMTJguCHaoeK1t8URWbuGJSstw-cM
    &code_challenge_method=S256
    RFC7636

  36. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    code_challenge=S256(code_verifier)

  37. client = oauth.register(
        'example',
        client_id='Example Client ID',
        client_secret='Example Client Secret',
        access_token_url='https://example.com/oauth/access_token',
        authorize_url='https://example.com/oauth/authorize',
        api_base_url='https://api.example.com/',
        code_challenge_method='S256',
    )
    Only available in Authlib:
    authorization_server.register_grant(
        AuthorizationCodeGrant,
        [CodeChallenge(required=True)],
    )
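
Slides 34 to 37 describe PKCE: the client sends code_challenge = S256(code_verifier) with the authorization request and the code_verifier itself with the token request, so a stolen authorization code is useless without the verifier. The Python below is an added example, not Authlib's implementation and not code from the deck. It implements the S256 transform, builds the authorization URL from slide 35, and plays the server side with a hypothetical in-memory code store (_ISSUED_CODES): the code is bound to client_id, redirect_uri and the challenge when issued, consumed on first use, and accepted only if the verifier hashes to the stored challenge. The verifier and challenge pair from slides 35 and 36 (the RFC 7636 example values) serves as the check value; everything else is constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical in-memory store of issued authorization codes (constructed for this example).
_ISSUED_CODES = {}


def generate_code_verifier(n_bytes=32):
    """Client side: 32 random bytes give a 43-char base64url verifier (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), the S256 method on the slide."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(authorize_endpoint, client_id, state, code_verifier):
    """Client side: the request on slide 35, with the challenge derived from the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def issue_code(client_id, redirect_uri, code_challenge, code_challenge_method):
    """Server side, authorization endpoint: bind the challenge to the freshly issued code."""
    if code_challenge_method != "S256":
        # The deck only uses S256; 'plain' would send the verifier in the clear.
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(24)
    _ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "challenge": code_challenge,
    }
    return code


def exchange_code(code, client_id, redirect_uri, code_verifier):
    """Server side, token endpoint: the code is single-use and must match the verifier.

    Returns a token response dict on success, None on any failure. The code is
    removed from the store before checking, so a failed or replayed exchange can
    never be retried.
    """
    record = _ISSUED_CODES.pop(code, None)
    if record is None:
        return None  # unknown, expired or already-used code
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return None
    if not 43 <= len(code_verifier) <= 128:
        return None
    if not hmac.compare_digest(s256_challenge(code_verifier), record["challenge"]):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

This is also why the Authlib snippet above passes CodeChallenge(required=True): with PKCE optional, a client that omits code_challenge silently falls back to the plain authorization code flow, and the check in exchange_code never runs.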

  38. JSON Web Token (JWT) Profile for OAuth 2.0
    Client Authentication and Authorization Grants
    RFC7523
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

  39. POST /token HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
    eyJpc3Mi[...omitted for brevity...].
    J9l-ZhwP[...omitted for brevity...]
    JWT

  40. Google
    Service Accounts

  41. (no text on this slide)

  42. (no text on this slide)

  43. Client Auth
    Methods
    5
    Token Endpoint Authentication Methods

  44. client
    auth methods

  45. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    client_secret_basic

  46. ★ none
    ★ client_secret_basic
    ★ client_secret_post

  47. POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    client_id=sBj&client_secret=Sh8Vxd
    client_secret_post
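
Slides 45 to 47 show the two secret-based token endpoint authentication methods, and slide 46 lists none as the third. As an added example (not Authlib's code and not from the deck), the Python below is a token-endpoint client authenticator for those three methods: it decodes the Basic header (the header on slide 45 decodes to s6BhdRkqt3:gX1fBat3bV), enforces the method each client registered with, rejects a request that presents two methods at once, and compares secrets in constant time. The CLIENTS registry, the plaintext secrets in it and the function names are constructed for this example; the JWT-based methods on slide 48 (client_secret_jwt, private_key_jwt) are not covered.

```python
import base64
import binascii
import hmac
from urllib.parse import unquote

# Constructed client registry for this example. Secrets are kept in plaintext only to
# keep the example short; a real server stores a hash of client_secret.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "auth_method": "client_secret_basic"},
    "sBj": {"secret": "Sh8Vxd", "auth_method": "client_secret_post"},
    "public-spa": {"secret": None, "auth_method": "none"},
}


def parse_basic(authorization):
    """Decode 'Basic <base64>' into (client_id, client_secret).

    RFC 6749 section 2.3.1: both values are form-urlencoded before being joined with
    ':' and base64-encoded, so they are unquoted after decoding. Returns None on
    any malformed input.
    """
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def authenticate_client(headers, form):
    """Return the authenticated client_id, or None.

    headers: dict of request headers; form: dict of the x-www-form-urlencoded body.
    The method actually used must be the one the client registered with, so a
    client registered for client_secret_basic cannot authenticate by posting its
    secret in the body, and a public client cannot suddenly present a secret.
    """
    auth = headers.get("Authorization")
    post_id, post_secret = form.get("client_id"), form.get("client_secret")
    if auth is not None and post_secret is not None:
        return None  # RFC 6749 section 2.3: more than one method in a request is an error
    if auth is not None:
        parsed = parse_basic(auth)
        if parsed is None:
            return None
        client_id, secret, method = parsed[0], parsed[1], "client_secret_basic"
    elif post_secret is not None:
        client_id, secret, method = post_id, post_secret, "client_secret_post"
    else:
        client_id, secret, method = post_id, None, "none"
    client = CLIENTS.get(client_id)
    if client is None or client["auth_method"] != method:
        return None
    if method == "none":
        return client_id
    if not hmac.compare_digest(secret.encode("utf-8"), client["secret"].encode("utf-8")):
        return None
    return client_id
```

Both lookups are done before any secret comparison and the failure path returns the same None for an unknown client, a wrong method and a wrong secret, so the token endpoint does not reveal which of the three was wrong.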

  48. JSON Web Token (JWT) Profile for OAuth 2.0
    Client Authentication and Authorization Grants
    RFC7523
    ★ client_secret_jwt
    ★ private_key_jwt
    RFC8414

  49. (no text on this slide)

  50. Token Endpoints
    6

  51. token endpoints

  52. ★ token revocation endpoint
    ★ token introspection endpoint
    RFC7009
    RFC7662

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is
    built upon OAuth 2.0

  55. https://github.com/authlib/
    example-oauth2-server

  56. Stay tuned for
    v0.10

  57. Thanks
