Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The modern OAuth 2.0

Avatar for Hsiaoming Yang Hsiaoming Yang
September 17, 2018
Programming
2
1.7k

The modern OAuth 2.0

An introduction of OAuth 2.0 framework. Slide for #pyconjp 2018.
Avatar for Hsiaoming Yang

Hsiaoming Yang

September 17, 2018
Tweet

More Decks by Hsiaoming Yang

See All by Hsiaoming Yang
Accessibility
Avatar for Hsiaoming Yang lepture
0
290
Vue: from view to view
Avatar for Hsiaoming Yang lepture
2
5.4k

Other Decks in Programming

See All in Programming
The Missing Link in Angular’s Signal Story: Resource API and httpResource
Avatar for Manfred Steyer manfredsteyer
PRO
0
150
2025年のz-index設計を考える
Avatar for TAK tak_dcxi
12
4.6k
Cloudflare Workersで進めるリモートMCP活用
Avatar for syumai syumai
5
660
ASP.NETアプリケーションのモダナイゼーションについて
Avatar for tomokusaba tomokusaba
0
260
Serving TUIs over SSH with Go
Avatar for Carlos Alexandro Becker caarlos0
0
710
Rubyの!メソッドをちゃんと理解する
Avatar for Yuto Urushima alstrocrack
1
320
プロフェッショナルとしての成長「問題の深掘り」が導く真のスキルアップ / issue-analysis-and-skill-up
Avatar for MinoDriven minodriven
8
2k
Cursorを活用したAIプログラミングについて 入門
Avatar for 株式会社レクト rect
0
230
GitHub Copilot for Azureを使い倒したい
Avatar for Kento.Yamada ymd65536
1
330
データと事例で振り返るDevin導入の"リアル" / The Realities of Devin Reflected in Data and Case Studies
Avatar for r-kagaya rkaga
3
2.3k
生成AIで知るお願いの仕方の難しさ
Avatar for uutan1108 ohmori_yusuke
1
120
Designing Your Organization's Test Pyramid ( #scrumniigata )
Avatar for teyamagu teyamagu
PRO
5
1.5k

Featured

See All Featured
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
Building an army of robots
Avatar for Kyle Neath kneath
305
45k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
160
15k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
47
2.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
129
19k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
52
2.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
19
1.2k
Fontdeck: Realign not Redesign
Avatar for Paul Robert Lloyd paulrobertlloyd
84
5.5k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Navigating Team Friction
Avatar for Lara Hogan lara
185
15k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
344
40k

Transcript

  1. The modern OAuth 2.0 Hsiaoming Yang

  2. About Me 0

  3. https://github.com/lepture https://lepture.com/about The Pallets Projects

  4. Welcome to contribute to Flask, Werkzeug & other Pallets Projects.

    AD
  5. None
  6. None

  7. https://authlib.org/

  8. The MODERN OAuth 2.0 1

  9. WHAT IS OAUTH

  10. The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  11. None

  12. WHAT IS MODERN

  13. A little bit of the History ★ November 2006, Blaine

    Cook was working on the Twitter OpenID implementation. ★ April 2007, a Google group was created. ★ July 2007, the team drafted an initial specification. ★ December 2007, OAuth Core 1.0 was released.

  14. 2010.4 RFC5849 IETF OAuth Working Group 2009 2012.12 RFC6749 RFC6750

  15. enable clients to obtain limited access to resources

  16. Protocol vs Framework 2

  17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……

  18. JWT is created by OAuth Working Group

  19. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19y b290Ijp0cnVlfQ . dBjftJeZ4CVP- mB92K27uhbUJU1p1r_wW1gFWFOEjXk JWT based

    on JWS header payload signature

  20. https://tools.ietf.org/wg/oauth/

  21. grant types client auth methods token endpoints

  22. Python Libraries 3

  23. ★ https://pypi.org/project/oauth/ ★ https://pypi.org/project/oauth2/ ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org OAuth 1.0

    OAuth 1.0

  24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

  25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth

    1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)

  26. Authlib vs OAuthlib • Commercial Driven vs Community Driven •

    Monolithic vs Core Code • Flexible Clean Code vs Mixed Code

  27. Authlib

  28. OAuthLib

  29. None

  30. Grant Types 4

  31. Basic Grant Types • Authorization Code • Implicit • Client

    Credentials • Password

  32. Authorization Code

  33. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  34. Proof Key for Code Exchange by OAuth Public Clients RFC7636

  35. https://server/authorize? response_type=code&client_id= s6BhdRkqt3&state=xyz& code_challenge=E9Melhoa2OwvFr EMTJguCHaoeK1t8URWbuGJSstw-cM &code_challenge_method=S256 RFC7636

  36. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_challenge=S256(code_verifier)

  37. client = oauth.register( 'example', client_id='Example Client ID', client_secret='Example Client Secret',

    access_token_url='https://example.com/oauth/access_token', authorize_url='https://example.com/oauth/authorize', api_base_url=‘https://api.example.com/', code_challenge_method='S256', ) Only available in Authlib authorization_server\ .register_grant( AuthorizationCodeGrant, [CodeChallenge(required=True)] )

  38. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

  39. POST /token HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant- type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.

    eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] JWT

  40. Google Service Accounts

  41. None
  42. None

  43. Client Auth Methods 5 Token Endpoint Authentication Methods

  44. client auth methods

  45. POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk client_secret_basic

  46. ★ none ★ client_secret_basic ★ client_secret_post

  47. POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb& client_id=sBj&client_secret=Sh8Vxd

    client_secret_post

  48. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication

    and Authorization Grants RFC7523 ★ client_secret_jwt ★ private_key_jwt RFC8414
  49. None

  50. Token Endpoints 6

  51. token endpoints

  52. ★ token revocation endpoint ★ token introspection endpoint RFC7009 RFC7662

  53. https://tools.ietf.org/wg/oauth/

  54. OpenID Connect is built upon OAuth 2.0

  55. https://github.com/authlib/ example-oauth2-server

  56. Stay tuned for v0.10

  57. Thanks