Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The modern OAuth 2.0

Hsiaoming Yang
September 17, 2018
Programming
2
1.7k

The modern OAuth 2.0

An introduction of OAuth 2.0 framework. Slide for #pyconjp 2018.

Hsiaoming Yang

September 17, 2018
Tweet

More Decks by Hsiaoming Yang

See All by Hsiaoming Yang
Accessibility
lepture
0
260
Vue: from view to view
lepture
2
5.3k

Other Decks in Programming

See All in Programming
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
Jakarta EE meets AI
ivargrimstad
0
600
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
Amazon Qを使ってIaCを触ろう!
maruto
0
410
C++でシェーダを書く
fadis
6
4.1k
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
Micro Frontends Unmasked Opportunities, Challenges, Alternatives
manfredsteyer
PRO
0
110
Ethereum_.pdf
nekomatu
0
470
RubyLSPのマルチバイト文字対応
notfounds
0
120

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
A designer walks into a library…
pauljervisheath
204
24k
Making Projects Easy
brettharned
115
5.9k
Speed Design
sergeychernyshev
25
620
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Navigating Team Friction
lara
183
14k
Happy Clients
brianwarren
98
6.7k
Producing Creativity
orderedlist
PRO
341
39k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k

Transcript

  1. The modern OAuth 2.0 Hsiaoming Yang

  2. About Me 0

  3. https://github.com/lepture https://lepture.com/about The Pallets Projects

  4. Welcome to contribute to Flask, Werkzeug & other Pallets Projects.

    AD
  5. None
  6. None

  7. https://authlib.org/

  8. The MODERN OAuth 2.0 1

  9. WHAT IS OAUTH

  10. The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  11. None

  12. WHAT IS MODERN

  13. A little bit of the History ★ November 2006, Blaine

    Cook was working on the Twitter OpenID implementation. ★ April 2007, a Google group was created. ★ July 2007, the team drafted an initial specification. ★ December 2007, OAuth Core 1.0 was released.

  14. 2010.4 RFC5849 IETF OAuth Working Group 2009 2012.12 RFC6749 RFC6750

  15. enable clients to obtain limited access to resources

  16. Protocol vs Framework 2

  17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……

  18. JWT is created by OAuth Working Group

  19. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19y b290Ijp0cnVlfQ . dBjftJeZ4CVP- mB92K27uhbUJU1p1r_wW1gFWFOEjXk JWT based

    on JWS header payload signature

  20. https://tools.ietf.org/wg/oauth/

  21. grant types client auth methods token endpoints

  22. Python Libraries 3

  23. ★ https://pypi.org/project/oauth/ ★ https://pypi.org/project/oauth2/ ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org OAuth 1.0

    OAuth 1.0

  24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

  25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth

    1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)

  26. Authlib vs OAuthlib • Commercial Driven vs Community Driven •

    Monolithic vs Core Code • Flexible Clean Code vs Mixed Code

  27. Authlib

  28. OAuthLib

  29. None

  30. Grant Types 4

  31. Basic Grant Types • Authorization Code • Implicit • Client

    Credentials • Password

  32. Authorization Code

  33. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  34. Proof Key for Code Exchange by OAuth Public Clients RFC7636

  35. https://server/authorize? response_type=code&client_id= s6BhdRkqt3&state=xyz& code_challenge=E9Melhoa2OwvFr EMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 RFC7636

  36. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_challenge=S256(code_verifier)

  37. client = oauth.register( 'example', client_id='Example Client ID', client_secret='Example Client Secret',

    access_token_url='https://example.com/oauth/access_token', authorize_url='https://example.com/oauth/authorize', api_base_url=‘https://api.example.com/', code_challenge_method='S256', ) Only available in Authlib authorization_server\ .register_grant( AuthorizationCodeGrant, [CodeChallenge(required=True)] )

  38. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

  39. POST /token HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant- type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.

    eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] JWT

  40. Google Service Accounts

  41. None
  42. None

  43. Client Auth Methods 5 Token Endpoint Authentication Methods

  44. client auth methods

  45. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk client_secret_basic

  46. ★ none ★ client_secret_basic ★ client_secret_post

  47. POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& client_id=sBj&client_secret=Sh8Vxd

    client_secret_post

  48. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 ★ client_secret_jwt ★ private_key_jwt RFC8414
  49. None

  50. Token Endpoints 6

  51. token endpoints

  52. ★ token revocation endpoint ★ token introspection endpoint RFC7009 RFC7662

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is built upon OAuth 2.0

  55. https://github.com/authlib/ example-oauth2-server

  56. Stay tuned for v0.10

  57. Thanks