$30 off During Our Annual Pro Sale. View Details »

The modern OAuth 2.0

Hsiaoming Yang
September 17, 2018
Programming
2
1.5k

The modern OAuth 2.0

An introduction of OAuth 2.0 framework. Slide for #pyconjp 2018.

Hsiaoming Yang

September 17, 2018
Tweet

More Decks by Hsiaoming Yang

See All by Hsiaoming Yang
Accessibility
lepture
0
220
Vue: from view to view
lepture
2
5k

Other Decks in Programming

See All in Programming
Unity Searchを拡張して高度な検索型UIを実現する
trapezoid
0
140
Cloudflare Workers は楽しい!
codehex
8
2.2k
Git 和 DevOps - 在混亂的流星群開發流程中找到小確幸
eddie
1
870
Accelerating App Dev with Cloudflare Workers
chimame
1
200
Flutterで構築する漫画ビューア / FlutterKaigi 2023
katsu8686
0
2.5k
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
4
860
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
600
.NET 8世代のBlazorについて
tomokusaba
0
140
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
2
1k
日時処理の新スタンダード: Synchro によるタイムゾーン安全、楽々開発
codehex
0
140
フロントエンドの書くべきだったテスト、書かなくてよかったテスト
takefumiyoshii
31
11k
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
58k

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Web development in the modern age
philhawksworth
201
9.9k
[RailsConf 2023] Rails as a piece of cake
palkan
16
3.2k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
10k
Become a Pro
speakerdeck
PRO
8
3.6k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
A Philosophy of Restraint
colly
194
15k
Six Lessons from altMBA
skipperchong
18
2.7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k

Transcript

  1. The modern OAuth 2.0
    Hsiaoming Yang

    View Slide

  2. About Me
    0

    View Slide

  3. https://github.com/lepture
    https://lepture.com/about
    The Pallets Projects

    View Slide

  4. Welcome to contribute to Flask,
    Werkzeug & other Pallets Projects.
    AD

    View Slide

  5. View Slide

  6. View Slide

  7. https://authlib.org/

    View Slide

  8. The MODERN
    OAuth 2.0
    1

    View Slide

  9. WHAT IS
    OAUTH

    View Slide

  10. The OAuth 2.0 authorization framework enables a
    third-party application to obtain limited
    access to an HTTP service, either on behalf
    of a resource owner by orchestrating an
    approval interaction between the resource owner and
    the HTTP service, or by allowing the third-party
    application to obtain access on its own behalf.

    View Slide

  11. View Slide

  12. WHAT IS
    MODERN

    View Slide

  13. A little bit of the History
    ★ November 2006, Blaine Cook was working on the
    Twitter OpenID implementation.
    ★ April 2007, a Google group was created.
    ★ July 2007, the team drafted an initial specification.
    ★ December 2007, OAuth Core 1.0 was released.

    View Slide

  14. 2010.4
    RFC5849
    IETF OAuth Working Group
    2009
    2012.12
    RFC6749
    RFC6750

    View Slide

  15. enable clients to
    obtain limited
    access to resources

    View Slide

  16. Protocol vs
    Framework
    2

    View Slide

  17. RFC6749
    RFC6750
    RFC6755
    RFC6749
    RFC7009
    RFC7519
    RFC7522
    RFC7523
    RFC7592
    RFC……

    View Slide

  18. JWT is created by
    OAuth Working Group

    View Slide

  19. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz
    ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19y
    b290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-
    mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    JWT based on JWS
    header
    payload
    signature

    View Slide

  20. https://tools.ietf.org/wg/oauth/

    View Slide

  21. grant types
    client
    auth methods
    token endpoints

    View Slide

  22. Python Libraries
    3

    View Slide

  23. ★ https://pypi.org/project/oauth/
    ★ https://pypi.org/project/oauth2/
    ★ https://github.com/oauthlib/oauthlib
    ★ https://authlib.org
    OAuth 1.0
    OAuth 1.0

    View Slide

  24. OAuthLib
    • requests-oauthlib
    • Flask-OAuthlib
    • django-oauth-toolkit

    View Slide

  25. Authlib
    • built-in clients (requests, Flask,
    Django)
    • Flask OAuth 1 & 2 providers
    • Django OAuth 1 provider
    (TODO: OAuth 2)

    View Slide

  26. Authlib vs OAuthlib
    • Commercial Driven vs Community Driven
    • Monolithic vs Core Code
    • Flexible Clean Code vs Mixed Code

    View Slide

  27. Authlib

    View Slide

  28. OAuthLib

    View Slide

  29. View Slide

  30. Grant Types
    4

    View Slide

  31. Basic Grant Types
    • Authorization Code
    • Implicit
    • Client Credentials
    • Password

    View Slide

  32. Authorization Code

    View Slide

  33. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

    View Slide

  34. Proof Key for Code Exchange by
    OAuth Public Clients
    RFC7636

    View Slide

  35. https://server/authorize?
    response_type=code&client_id=
    s6BhdRkqt3&state=xyz&
    code_challenge=E9Melhoa2OwvFr
    EMTJguCHaoeK1t8URWbuGJSstw-cM
    &code_challenge_method=S256
    RFC7636

    View Slide

  36. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    code_challenge=S256(code_verifier)

    View Slide

  37. client = oauth.register(
    'example',
    client_id='Example Client ID',
    client_secret='Example Client Secret',
    access_token_url='https://example.com/oauth/access_token',
    authorize_url='https://example.com/oauth/authorize',
    api_base_url=‘https://api.example.com/',
    code_challenge_method='S256',
    )
    Only available in Authlib
    authorization_server\
    .register_grant(
    AuthorizationCodeGrant,
    [CodeChallenge(required=True)]
    )

    View Slide

  38. JSON Web Token (JWT) Profile for OAuth 2.0
    Client Authentication and Authorization Grants
    RFC7523
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

    View Slide

  39. POST /token HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-
    type%3Ajwt-bearer
    &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
    eyJpc3Mi[...omitted for brevity...].
    J9l-ZhwP[...omitted for brevity...]
    JWT

    View Slide

  40. Google
    Service Accounts

    View Slide

  41. View Slide

  42. View Slide

  43. Client Auth
    Methods
    5
    Token Endpoint Authentication Methods

    View Slide

  44. client
    auth methods

    View Slide

  45. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    client_secret_basic

    View Slide

  46. ★ none
    ★ client_secret_basic
    ★ client_secret_post

    View Slide

  47. POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
    client_id=sBj&client_secret=Sh8Vxd
    client_secret_post

    View Slide

  48. JSON Web Token (JWT) Profile for OAuth 2.0
    Client Authentication and Authorization Grants
    RFC7523
    ★ client_secret_jwt
    ★ private_key_jwt
    RFC8414

    View Slide

  49. View Slide

  50. Token Endpoints
    6

    View Slide

  51. token endpoints

    View Slide

  52. ★ token revocation endpoint
    ★ token introspection endpoint
    RFC7009
    RFC7662

    View Slide

  53. https://tools.ietf.org/wg/oauth/

    View Slide

  54. OpenID Connect is
    built upon OAuth 2.0

    View Slide

  55. https://github.com/authlib/
    example-oauth2-server

    View Slide

  56. Stay tuned for
    v0.10

    View Slide

  57. Thanks

    View Slide