Slide 1

Slide 1 text

The modern OAuth 2.0 Hsiaoming Yang

Slide 2

Slide 2 text

About Me 0

Slide 3

Slide 3 text

https://github.com/lepture https://lepture.com/about The Pallets Projects

Slide 4

Slide 4 text

You are welcome to contribute to Flask, Werkzeug and the other Pallets Projects. (AD)

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

https://authlib.org/

Slide 8

Slide 8 text

The MODERN OAuth 2.0 1

Slide 9

Slide 9 text

WHAT IS OAUTH

Slide 10

Slide 10 text

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

WHAT IS MODERN

Slide 13

Slide 13 text

A little bit of the History
★ November 2006, Blaine Cook was working on the Twitter OpenID implementation.
★ April 2007, a Google group was created.
★ July 2007, the team drafted an initial specification.
★ December 2007, OAuth Core 1.0 was released.

Slide 14

Slide 14 text

2009: IETF OAuth Working Group formed
April 2010: RFC 5849 (OAuth 1.0)
October 2012: RFC 6749 and RFC 6750 (OAuth 2.0 framework and Bearer token usage)

Slide 15

Slide 15 text

enable clients to obtain limited access to resources

Slide 16

Slide 16 text

Protocol vs Framework 2

Slide 17

Slide 17 text

RFC 6749, RFC 6750, RFC 6755, RFC 7009, RFC 7519, RFC 7522, RFC 7523, RFC 7592, RFC……

Slide 18

Slide 18 text

JWT (RFC 7519) was created by the OAuth Working Group

Slide 19

Slide 19 text

JWT is based on JWS: header . payload . signature

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

Slide 20

Slide 20 text

https://tools.ietf.org/wg/oauth/

Slide 21

Slide 21 text

★ grant types
★ client auth methods
★ token endpoints

Slide 22

Slide 22 text

Python Libraries 3

Slide 23

Slide 23 text

★ https://pypi.org/project/oauth/ (OAuth 1.0)
★ https://pypi.org/project/oauth2/ (OAuth 1.0)
★ https://github.com/oauthlib/oauthlib
★ https://authlib.org

Slide 24

Slide 24 text

OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit

Slide 25

Slide 25 text

Authlib • built-in clients (requests, Flask, Django) • Flask OAuth 1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)

Slide 26

Slide 26 text

Authlib vs OAuthlib • Commercial Driven vs Community Driven • Monolithic vs Core Code • Flexible Clean Code vs Mixed Code

Slide 27

Slide 27 text

Authlib

Slide 28

Slide 28 text

OAuthLib

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Grant Types 4

Slide 31

Slide 31 text

Basic Grant Types • Authorization Code • Implicit • Client Credentials • Password

Slide 32

Slide 32 text

Authorization Code

Slide 33

Slide 33 text

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Slide 34

Slide 34 text

Proof Key for Code Exchange by OAuth Public Clients RFC7636

Slide 35

Slide 35 text

https://server/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256

(RFC 7636)

Slide 36

Slide 36 text

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

code_challenge = S256(code_verifier), i.e. BASE64URL(SHA256(ASCII(code_verifier)))
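The PKCE arithmetic behind the two requests above, written out as an added example (it is not code from the slides or from Authlib). Both sides are shown: the client derives code_challenge from code_verifier, and the token endpoint re-derives it from the submitted code_verifier before it will exchange the code. The verifier/challenge pair is the one from RFC 7636 Appendix B; the in-memory code store, the client identifiers and the redirect URI are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample values, taken from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
# RFC 7636 section 4.1: 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """BASE64URL without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random octets give exactly 43 characters, the minimum."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Server side. Only S256 is accepted: with 'plain' the challenge in the
    front-channel authorization request is the verifier itself, so anyone who
    logged that request can redeem a stolen code."""
    if method != "S256" or not VERIFIER_RE.fullmatch(verifier):
        return False
    expected = make_code_challenge(verifier)
    return hmac.compare_digest(expected.encode(), challenge.encode())


class AuthorizationServer:
    """Hypothetical in-memory code store: what /authorize records for a code
    and what /token checks before honouring it. Not Authlib's implementation."""

    def __init__(self, require_pkce: bool = True):
        self._codes = {}
        self._require_pkce = require_pkce

    def issue_code(self, client_id, redirect_uri, challenge, method):
        # Mirrors CodeChallenge(required=True): no challenge, no code.
        if self._require_pkce and not challenge:
            return None
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": challenge, "code_challenge_method": method}
        return code

    def exchange_code(self, client_id, code, redirect_uri, verifier):
        # pop(): a code is single use, so a replayed request fails here.
        rec = self._codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        if not verify_code_challenge(verifier, rec["code_challenge"], rec["code_challenge_method"]):
            return None, "invalid_grant"
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}, None
```

The redirect_uri and client_id checks are the pre-PKCE defences of RFC 6749 section 4.1.3; PKCE adds the verifier check on top of them, which is what stops a code intercepted on a public client (no secret to protect the token request) from being redeemed by someone else.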

Slide 37

Slide 37 text

Authlib client side, registering a remote app with the PKCE method set:

client = oauth.register(
    'example',
    client_id='Example Client ID',
    client_secret='Example Client Secret',
    access_token_url='https://example.com/oauth/access_token',
    authorize_url='https://example.com/oauth/authorize',
    api_base_url='https://api.example.com/',
    code_challenge_method='S256',
)

Authlib provider side, making PKCE mandatory on the authorization code grant:

authorization_server.register_grant(
    AuthorizationCodeGrant,
    [CodeChallenge(required=True)],
)

Only available in Authlib.

Slide 38

Slide 38 text

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants RFC7523 grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Slide 39

Slide 39 text

POST /token HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJpc3Mi[...omitted for brevity...].J9l-ZhwP[...omitted for brevity...]

The assertion value is a JWT.

Slide 40

Slide 40 text

Google Service Accounts

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

Client Auth Methods 5 (Token Endpoint Authentication Methods)

Slide 44

Slide 44 text

client auth methods

Slide 45

Slide 45 text

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

client_secret_basic: client_id and client_secret in the HTTP Basic Authorization header

Slide 46

Slide 46 text

★ none ★ client_secret_basic ★ client_secret_post

Slide 47

Slide 47 text

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&client_id=sBj&client_secret=Sh8Vxd

client_secret_post: client_id and client_secret in the request body
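What a token endpoint has to do with the two requests above, as an added example that is not code from the slides or from Authlib. The Basic header on the slide decodes to the RFC 6749 sample pair s6BhdRkqt3 / gX1fBat3bV, and that pair plus the sBj / Sh8Vxd pair from the client_secret_post request are used as the constructed client registry here; the "native-app" public client is also constructed. The check enforces the method each client registered with, refuses a request that carries credentials by more than one method, and compares secrets in constant time.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed registry: client_id -> (client_secret, token_endpoint_auth_method).
# A public client registers with method "none" and has no secret at all.
CLIENTS = {
    "s6BhdRkqt3": ("gX1fBat3bV", "client_secret_basic"),
    "sBj": ("Sh8Vxd", "client_secret_post"),
    "native-app": (None, "none"),
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic. RFC 6749 section 2.3.1 form-urlencodes both values
    before joining them with ':' and base64-encoding the result, so a secret
    containing ':' or non-ASCII survives the round trip."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_basic_auth(header: str):
    """Inverse of basic_auth_header; returns (client_id, client_secret) or None."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def authenticate_client(headers: dict, form: dict):
    """Token endpoint client authentication. Returns the client_id on success
    and None on any failure (the caller answers 401 invalid_client either way)."""
    auth_header = headers.get("Authorization")
    # RFC 6749 section 2.3: at most one authentication method per request.
    if auth_header and "client_secret" in form:
        return None
    if auth_header:
        creds = parse_basic_auth(auth_header)
        if creds is None:
            return None
        client_id, secret, method = creds[0], creds[1], "client_secret_basic"
    elif "client_secret" in form:
        client_id, secret, method = form.get("client_id", ""), form["client_secret"], "client_secret_post"
    else:
        client_id, secret, method = form.get("client_id", ""), None, "none"
    registered = CLIENTS.get(client_id)
    if registered is None:
        return None
    expected_secret, expected_method = registered
    # A confidential client must use the method it registered with; in
    # particular an unauthenticated request never downgrades it to "none".
    if method != expected_method:
        return None
    if method == "none":
        return client_id
    if not hmac.compare_digest(expected_secret.encode("utf-8"), secret.encode("utf-8")):
        return None
    return client_id
```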

Slide 48

Slide 48 text

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, RFC 7523
★ client_secret_jwt
★ private_key_jwt
(These method names are what a server advertises in token_endpoint_auth_methods_supported in its RFC 8414 metadata.)
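One added example covering three slides at once: the JWT structure from the JWT slide, the jwt-bearer assertion of RFC 7523, and client_secret_jwt. It is not code from the slides or from Authlib. It implements compact JWS with HS256 on the standard library, decodes the RFC 7519 sample token shown earlier in the deck, and then builds and validates an RFC 7523 assertion of the kind used for client_secret_jwt (the jwt-bearer authorization grant carries an assertion of the same shape, signed by the issuer of the grant). The token endpoint URL, client registry, client secret and demo key are constructed; private_key_jwt differs only in using an asymmetric signature, which is left out here to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Sample compact JWT from RFC 7519 section 3.1, the one on the JWT slide.
RFC7519_JWT = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)
TOKEN_ENDPOINT = "https://server.example.com/token"  # constructed audience value


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Parse header and payload WITHOUT checking the signature. Use it only
    to decide which key to look up; never act on the claims it returns."""
    header, payload, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: BASE64URL(header) . BASE64URL(payload) . BASE64URL(HMAC)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def jws_verify_hs256(token: str, key: bytes):
    """Return the claims if the signature is valid, else None. The algorithm
    is pinned by the verifier: a header claiming 'none' or any other alg is
    refused rather than honoured."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def make_client_assertion(client_id: str, client_secret: str, now: int, lifetime: int = 60) -> str:
    """client_secret_jwt (RFC 7523 section 3): iss and sub are the client_id,
    aud is the token endpoint, exp is short and jti makes it single-use."""
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    return jws_sign_hs256(claims, client_secret.encode("utf-8"))


class AssertionValidator:
    """Token endpoint side: look the client up by the unverified iss, verify
    with that client's secret, check the RFC 7523 claims, and remember jti
    values so a captured assertion cannot be replayed within its lifetime."""

    def __init__(self, clients: dict):
        self._clients = clients  # client_id -> client_secret (constructed registry)
        self._seen_jti = set()

    def validate(self, assertion: str, now: int):
        try:
            _, unverified = decode_unverified(assertion)
        except (ValueError, UnicodeDecodeError):
            return None
        client_id = unverified.get("iss") if isinstance(unverified, dict) else None
        secret = self._clients.get(client_id)
        if secret is None:
            return None
        claims = jws_verify_hs256(assertion, secret.encode("utf-8"))
        if claims is None or claims.get("sub") != client_id or claims.get("aud") != TOKEN_ENDPOINT:
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        jti = claims.get("jti")
        if not jti or jti in self._seen_jti:
            return None
        self._seen_jti.add(jti)
        return client_id
```

The aud check is what keeps an assertion minted for one authorization server from being accepted by another that the same client also talks to; the jti set is what a real deployment would keep in a store with expiry equal to the assertion lifetime.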

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

Token Endpoints 6

Slide 51

Slide 51 text

token endpoints

Slide 52

Slide 52 text

★ token revocation endpoint (RFC 7009)
★ token introspection endpoint (RFC 7662)
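The server side of those two endpoints on a small in-memory token store, as an added example that is not code from the slides or from Authlib. It shows the two response rules a practitioner most often gets wrong: introspection answers {"active": false} for unknown, expired and revoked tokens alike (RFC 7662 section 2.2), and revocation answers 200 for a token that is unknown or already revoked (RFC 7009 section 2.1). The token values, client identifiers and the choice of unauthorized_client as the error for revoking another client's token are constructed for the example; RFC 7009 only requires an RFC 6749 section 5.2 style error there.

```python
import secrets


class TokenStore:
    """Constructed in-memory store. An access token and a refresh token issued
    together share a grant_id so that revoking the refresh token can cascade."""

    def __init__(self):
        self._tokens = {}  # token value -> record

    def issue(self, client_id, scope, now, lifetime=3600):
        grant_id = secrets.token_hex(8)
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._tokens[access] = {"kind": "access_token", "client_id": client_id, "scope": scope,
                                "grant_id": grant_id, "exp": now + lifetime, "revoked": False}
        self._tokens[refresh] = {"kind": "refresh_token", "client_id": client_id, "scope": scope,
                                 "grant_id": grant_id, "exp": None, "revoked": False}
        return access, refresh

    def introspect(self, token, now, token_type_hint=None):
        """RFC 7662. Every failure collapses to the same {"active": false}, so
        the endpoint cannot be used as an oracle for which token strings exist.
        token_type_hint is advisory only: a wrong hint must not fail the
        request, and with a single table here there is nothing to narrow."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or (rec["exp"] is not None and rec["exp"] <= now):
            return {"active": False}
        resp = {"active": True, "client_id": rec["client_id"], "scope": rec["scope"]}
        if rec["kind"] == "access_token":
            resp["token_type"] = "Bearer"
            resp["exp"] = rec["exp"]
        return resp

    def revoke(self, token, caller_client_id, token_type_hint=None):
        """RFC 7009. Returns (status, body). Unknown or already revoked tokens
        get 200 with an empty body: the client cannot do anything useful with
        an error, and the state it wanted (token unusable) already holds.
        A token issued to a different client is refused. Revoking a refresh
        token also revokes the access tokens from the same grant."""
        rec = self._tokens.get(token)
        if rec is None:
            return 200, {}
        if rec["client_id"] != caller_client_id:
            return 400, {"error": "unauthorized_client"}  # error code is an assumption
        rec["revoked"] = True
        if rec["kind"] == "refresh_token":
            for other in self._tokens.values():
                if other["grant_id"] == rec["grant_id"]:
                    other["revoked"] = True
        return 200, {}
```

The caller_client_id parameter stands for the client authenticated at the endpoint by one of the methods from the previous section; both endpoints require that authentication before anything in this class runs.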

Slide 53

Slide 53 text

https://tools.ietf.org/wg/oauth/

Slide 54

Slide 54 text

OpenID Connect is built upon OAuth 2.0

Slide 55

Slide 55 text

https://github.com/authlib/example-oauth2-server

Slide 56

Slide 56 text

Stay tuned for v0.10

Slide 57

Slide 57 text

Thanks