The modern OAuth 2.0

An introduction to the OAuth 2.0 framework. Slides for #pyconjp 2018.

Hsiaoming Yang

September 17, 2018

Transcript

  1. The modern OAuth 2.0 Hsiaoming Yang

  2. About Me 0

  3. https://github.com/lepture https://lepture.com/about The Pallets Projects

  4. Welcome to contribute to Flask, Werkzeug & other Pallets Projects.

  5. None
  6. None
  7. https://authlib.org/

  8. The MODERN OAuth 2.0 1

  9. WHAT IS OAUTH

  10. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  11. None
  12. WHAT IS MODERN

  13. A little bit of history
    ★ November 2006, Blaine Cook was working on the Twitter OpenID implementation.
    ★ April 2007, a Google group was created.
    ★ July 2007, the team drafted an initial specification.
    ★ December 2007, OAuth Core 1.0 was released.
  14. ★ 2009, IETF OAuth Working Group ★ 2010.4, RFC5849 ★ 2012.12, RFC6749 and RFC6750

  15. enable clients to obtain limited access to resources

  16. Protocol vs Framework 2

  17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……

  18. JWT was created by the OAuth Working Group

  19. JWT is based on JWS: header . payload . signature
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  20. https://tools.ietf.org/wg/oauth/

  21. ★ grant types ★ client auth methods ★ token endpoints

  22. Python Libraries 3

  23. ★ https://pypi.org/project/oauth/ (OAuth 1.0) ★ https://pypi.org/project/oauth2/ (OAuth 1.0) ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org
  24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

  25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth 1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)
  26. Authlib vs OAuthlib • Commercial Driven vs Community Driven • Monolithic vs Core Code • Flexible Clean Code vs Mixed Code
  27. Authlib

  28. OAuthLib

  29. None
  30. Grant Types 4

  31. Basic Grant Types • Authorization Code • Implicit • Client Credentials • Password
  32. Authorization Code

  33. POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  34. Proof Key for Code Exchange by OAuth Public Clients RFC7636

  35. https://server/authorize?
      response_type=code
      &client_id=s6BhdRkqt3
      &state=xyz
      &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
      &code_challenge_method=S256
    RFC7636

  36. POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
      &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    code_challenge = S256(code_verifier), i.e. base64url(SHA-256(code_verifier))
  37. Client:
      client = oauth.register(
          'example',
          client_id='Example Client ID',
          client_secret='Example Client Secret',
          access_token_url='https://example.com/oauth/access_token',
          authorize_url='https://example.com/oauth/authorize',
          api_base_url='https://api.example.com/',
          code_challenge_method='S256',
      )
    Only available in Authlib
    Server:
      authorization_server.register_grant(
          AuthorizationCodeGrant, [CodeChallenge(required=True)]
      )
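The S256 exchange from the PKCE slides above, as an added example that is not from the talk or from Authlib: the client derives the challenge from a random verifier, and a hypothetical authorization server binds the challenge to the code it issues and recomputes it at the token endpoint. The RFC 7636 test vector shown on the slides is embedded so the derivation can be checked.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector, the same values shown on the slides.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client: 32 random bytes give a 43-character verifier, the minimum length."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client: S256 means code_challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

class AuthorizationServer:
    """Hypothetical server-side state for PKCE, with the challenge mandatory on every code."""
    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to the code it issues."""
        if method not in ("S256", "plain") or not 43 <= len(code_challenge) <= 128:
            raise ValueError("a valid code_challenge is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: recompute the challenge from the presented verifier."""
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None or not 43 <= len(code_verifier) <= 128:
            return None
        challenge, method = entry
        try:
            ok = hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)
        except (ValueError, TypeError):  # non-ASCII input cannot have produced the challenge
            ok = False
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"} if ok else None
```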
  38. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523): grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
  39. POST /token HTTP/1.1
      Host: example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
      &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJpc3Mi[...omitted for brevity...].J9l-ZhwP[...omitted for brevity...]
    (the assertion is a JWT)
  40. Google Service Accounts

  41. None
  42. None
  43. Client Auth Methods 5 (Token Endpoint Authentication Methods)

  44. client auth methods

  45. POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
      &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    client_secret_basic
  46. ★ none ★ client_secret_basic ★ client_secret_post

  47. POST /token HTTP/1.1
      Host: server.example.com
      Content-Type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
      &client_id=sBj&client_secret=Sh8Vxd
    client_secret_post
  48. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) ★ client_secret_jwt ★ private_key_jwt RFC8414
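An added example, not from the talk or from Authlib, of the client_secret_jwt method on the slide above and of the header.payload.signature layout from slide 19: the client signs an HS256 assertion with its client secret, and a hypothetical token endpoint verifies it, pinning the algorithm and checking issuer, audience, expiry and jti. The header segment of the slide's JWT is embedded so the base64url decoding can be checked; client ids, secrets and the endpoint URL are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
# Header segment of the JWT shown on the slides (the RFC 7515 HS256 example).
SLIDE_HEADER = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def client_assertion(client_id: str, client_secret: str, token_endpoint: str, ttl: int = 60) -> str:
    """Client side of client_secret_jwt: the secret is only the HMAC key and never goes on the wire."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl}
    return jws_hs256({"alg": "HS256", "typ": "JWT"}, claims, client_secret.encode())

def verify_client_assertion(assertion: str, clients: dict, token_endpoint: str, seen_jti: set):
    """Token endpoint: pin alg, look the secret up by iss, then check signature, aud, exp and jti."""
    try:
        h, p, s = assertion.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # never let the token choose the algorithm ("none", key confusion)
    iss = claims.get("iss")
    secret = clients.get(iss) if isinstance(iss, str) else None
    if secret is None or claims.get("sub") != iss:
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    jti = claims.get("jti")
    if claims.get("aud") != token_endpoint or claims.get("exp", 0) <= int(time.time()) or not jti:
        return None
    if jti in seen_jti:  # assertions are single-use, so a replayed jti is rejected
        return None
    seen_jti.add(jti)
    return claims
```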
  49. None
  50. Token Endpoints 6

  51. token endpoints

  52. ★ token revocation endpoint (RFC7009) ★ token introspection endpoint (RFC7662)

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is built upon OAuth 2.0

  55. https://github.com/authlib/example-oauth2-server

  56. Stay tuned for v0.10

  57. Thanks