Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The modern OAuth 2.0

Hsiaoming Yang
September 17, 2018
Programming
2
1.5k

The modern OAuth 2.0

An introduction of OAuth 2.0 framework. Slide for #pyconjp 2018.

Hsiaoming Yang

September 17, 2018
Tweet

More Decks by Hsiaoming Yang

See All by Hsiaoming Yang
Accessibility
lepture
0
230
Vue: from view to view
lepture
2
5.1k

Other Decks in Programming

See All in Programming
両面どころかインフラもTSでできるよ ~ 全方位TypeScriptによるプロダクト開発 ~
myfinder
9
3.2k
ゆるい個人開発のススメ
kuroppe1819
10
890
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
290
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
380
本格ローグライク制作にEbitengineを選んでみた
nagainaganawa
0
280
オブジェクトしこう
okuramasafumi
2
150
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
290
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
300
プールにゆこう
irof
2
120
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
340
CircleCIを活用して AWSへの継続的デリバリーを 実践する
coconala_engineer
1
230
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
320

Featured

See All Featured
Thoughts on Productivity
jonyablonski
57
3.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.2k
The Invisible Customer
myddelton
114
12k
Navigating Team Friction
lara
177
13k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Into the Great Unknown - MozCon
thekraken
10
980
Designing for humans not robots
tammielis
247
25k
Building an army of robots
kneath
300
41k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k

Transcript

  1. The modern OAuth 2.0 Hsiaoming Yang

  2. About Me 0

  3. https://github.com/lepture https://lepture.com/about The Pallets Projects

  4. Welcome to contribute to Flask, Werkzeug & other Pallets Projects.

    AD
  5. None
  6. None

  7. https://authlib.org/

  8. The MODERN OAuth 2.0 1

  9. WHAT IS OAUTH

  10. The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  11. None

  12. WHAT IS MODERN

  13. A little bit of the History ★ November 2006, Blaine

    Cook was working on the Twitter OpenID implementation. ★ April 2007, a Google group was created. ★ July 2007, the team drafted an initial specification. ★ December 2007, OAuth Core 1.0 was released.

  14. 2010.4 RFC5849 IETF OAuth Working Group 2009 2012.12 RFC6749 RFC6750

  15. enable clients to obtain limited access to resources

  16. Protocol vs Framework 2

  17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……

  18. JWT is created by OAuth Working Group

  19. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19y b290Ijp0cnVlfQ . dBjftJeZ4CVP- mB92K27uhbUJU1p1r_wW1gFWFOEjXk JWT based

    on JWS header payload signature

  20. https://tools.ietf.org/wg/oauth/

  21. grant types client auth methods token endpoints

  22. Python Libraries 3

  23. ★ https://pypi.org/project/oauth/ ★ https://pypi.org/project/oauth2/ ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org OAuth 1.0

    OAuth 1.0

  24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

  25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth

    1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)

  26. Authlib vs OAuthlib • Commercial Driven vs Community Driven •

    Monolithic vs Core Code • Flexible Clean Code vs Mixed Code

  27. Authlib

  28. OAuthLib

  29. None

  30. Grant Types 4

  31. Basic Grant Types • Authorization Code • Implicit • Client

    Credentials • Password

  32. Authorization Code

  33. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  34. Proof Key for Code Exchange by OAuth Public Clients RFC7636

  35. https://server/authorize? response_type=code&client_id= s6BhdRkqt3&state=xyz& code_challenge=E9Melhoa2OwvFr EMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 RFC7636

  36. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_challenge=S256(code_verifier)

  37. client = oauth.register( 'example', client_id='Example Client ID', client_secret='Example Client Secret',

    access_token_url='https://example.com/oauth/access_token', authorize_url='https://example.com/oauth/authorize', api_base_url=‘https://api.example.com/', code_challenge_method='S256', ) Only available in Authlib authorization_server\ .register_grant( AuthorizationCodeGrant, [CodeChallenge(required=True)] )

  38. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

  39. POST /token HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant- type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.

    eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] JWT

  40. Google Service Accounts

  41. None
  42. None

  43. Client Auth Methods 5 Token Endpoint Authentication Methods

  44. client auth methods

  45. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk client_secret_basic

  46. ★ none ★ client_secret_basic ★ client_secret_post

  47. POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& client_id=sBj&client_secret=Sh8Vxd

    client_secret_post

  48. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 ★ client_secret_jwt ★ private_key_jwt RFC8414
  49. None

  50. Token Endpoints 6

  51. token endpoints

  52. ★ token revocation endpoint ★ token introspection endpoint RFC7009 RFC7662

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is built upon OAuth 2.0

  55. https://github.com/authlib/ example-oauth2-server

  56. Stay tuned for v0.10

  57. Thanks