engineer • Currently working with SAPO - Service Delivery Broker team • Co-author of Designing Evolvable Web APIs with ASP.NET (to be published in 2014 by O’Reilly)
Server Token Endpoint Authorization Endpoint state code state HTTP/1.1 302 Found Location: https://the.redirect.uri? code=... &state=xyz access_token client_secret client_id code
consent provided at direct at Authorization Server • Implicit Grant • Similar to previous, no client authentication • Resource Owner Password Credentials Grant • User gives password to Client, Client uses it to obtain access token • Client Credentials Grant • No user, Client accesses on its own behalf
grant • Grant represents the logical outcome of • Client authentication • User authentication and consent • Not a protocol concept • Core domain concept • Bound to all the Authorization Server artifacts • Code • Access token • Refresh token
Endpoint • Authorization request – redirect from Client to AE via the User-agent • Authorization response – redirect from AE to Client via the User-agent • Human interface and out-of-protocol interactions • User authentication and authorization consent • Not secure for Client secrets – no Client authentication • Back channel • Token Endpoint • Direct request-response between Client and Token Endpoint • No User interaction • Optional Client authentication
of their credentials” (e.g. client implemented as a secure Web server) • Public “Clients incapable of maintaining the confidentiality of their credentials” (e.g. clients executing on the device used by the resource owner, i.e., native apps or client-side Web apps )
secret • Username and password • Authorization code • Complete reliance on transport security • Session fixation via CSRF • Use the state parameter to correlate requests to responses • Front-channel code and token stealing • Enforce strict redirect URIs
• Require HTTPS • Beware of incorrect use • RFC 6750 • Similar to cookie usage • Behare of the fallacy • Same origin policies • Discoverability • MAC • Safer • More complex – signature • Client library integration 17
not define access token format • Does not define token processing rules • Tight coupling between Authorization Server and Resource Server • Typically run by the same organization • Using opaque formats and processing rules • No protocol provision for cross-boundary AS and RS interaction 18
framework • But everybody is using it also for authentication • E.g. social logins with Google, Facebook and Github • Using OAuth 2.0 for Authentication • RS exposes a resource with the User’s identity • Is that OK? • It depends! • Not secure in the general case – token reusage • Not interoperable
layer on top of the OAuth 2.0 protocol” • Adds features to OAuth 2.0 • Very different from OpenID 2.0 • Defines • UserInfo resource for obtaining the User claims • ID token - standard token format to transmit claims • Standard claims and scopes for authentication • Unified solution for authentication and authorization • Being adopted by Google, Microsoft and others