oauth 2 0
play

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric - PowerPoint PPT Presentation

Sep 20, 2023 •572 likes •1.03k views

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

  1. OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) – Berlin Expert Days 2013 – 4. April 2013

  2. Uwe Friedrichsen @ufried

  3. <session> <no-code> <motivation /> <history /> <solution /> <extensions /> <criticism /> <tips /> </no-code> <code> <authzorization /> <token /> <resource /> </code> <wrap-up /> </session>

  4. { „ session “ : { „ no- code“ : [ „ motivation “, „ history “, „ solution “, „ extensions “, „ criticism “, „ tips “ ], „ code “ : [ „ authorization “, „ token “, „ resource “ ], „ wrap-up “ : true }

  5. Players You Another Application with application protected resources

  6. Assignment You Access your resources Another Application with application protected resources

  7. Problem You Access your resources Another Application with application protected resources

  8. Challenge Secure ? You Access your resources Easy to use Another Application with application protected resources

  9. OAuth 1.0 • Started by Twitter in 2006 • 1st Draft Standard in 10/2007 • IETF RFC 5849 in 4/2010 • Widespread • Complex Client Security Handling • Limited Scope • Not extendable • Not „Enterprise -ready “

  10. OAuth 2.0 • Working Group started 4/2010 • 31 Draft Versions • Eran Hammer-Laval left 7/2012 * • IETF RFC 6749 in 10/2012 * http://hueniverse.com/2012/07/ oauth-2-0-and-the-road-to-hell/

  11. Players revisited You Another Application with application protected resources

  12. Players revisited You Authorization Server Client Resource Application Server

  13. Solution (Step 1) 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are code Client Resource Application Server

  14. Solution (Step 2) 6. I want to trade my authorization code for an access token You Authorization Server 7. Here you are Client Resource Application Server

  15. Solution (Step 3) You Authorization Server Give me some resources. Here is my access token, btw. … Client Resource Application Server

  16. A few more Details • TLS/SSL • Endpoints • Client Types • Client Identifier • Client Authentication • Redirect URI • Access T oken Scope • Refresh T oken • Client State

  17. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an GET /authorize?  authorization 5. Here you are response_type=code&  code client_id=s6BhdRkqt3&  state=xyz&  redirect_uri=https%3A%2F%2Fclient%2E  example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com Client Resource Application Server

  18. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are HTTP/1.1 302 Found code Location:  https://client.example.com/cb?  code=SplxlOBeZQQYbYS6WxSbIA&  state=xyz Client Resource Application Server

  19. 6. I want to trade my authorization code for an access token You Authorization Server POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 7. Here you are Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&  code=SplxlOBeZQQYbYS6WxSbIA&  Client Resource redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb Application Server

  20. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { 6. I want to trade my authorization code "access_token":"2YotnFZFEjr1zCsicMWpAA", for an access token "token_type":"bearer", You Authorization "expires_in":3600, Server "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" } 7. Here you are Client Resource Application Server

  21. GET /resource/1 HTTP/1.1 Host: example.com You Authorization Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA Server Give me some resources. Here is my access token, btw. … Client Resource Application Server

  22. More flows & Extensions • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Refresh T oken Grant • Standard & custom Extensions • Standards based on OAuth 2.0

  23. Criticism • T oo many compromises • No built-in security • Relies solely on SSL • Bearer T oken • Self-encrypted token

  24. Tips • Turn MAY into MUST • Use HMAC T okens • Use HMAC to sign Content • No self-encrypted token • Always check the SSL Certificate

  25. How does the code feel like? using Apache Amber 0.22

  26. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an GET /authorize?  authorization 5. Here you are response_type=code&  code client_id=s6BhdRkqt3&  state=xyz&  redirect_uri=https%3A%2F%2Fclient%2E  example%2Ecom%2Fcb HTTP/1.1 Host: server.example.com Client Resource Application Server

  27. Authorization Endpoint (1) @Path("/authorize") public class AuthorizationEndpoint { @Context private SecurityDataStore securityDataStore; @GET @Consumes(OAuth.ContentType.URL_ENCODED) public Response authorize(@Context HttpServletRequest request) { // Do the required validations OAuthAuthzRequest oauthRequest = wrapAndValidate (request); validateRedirectionURI (oauthRequest); // Actual authentication not defined by OAuth 2.0 // Here a forward to a login page is used String loginURI = buildLoginURI (oauthRequest); return Response.status(HttpServletResponse.SC_FOUND) .location(new URI(loginUri)).build(); } ...

  28. Authorization Endpoint (2) ... private OAuthAuthzRequest wrapAndValidate(HttpServletRequest req) { // Implicitly validates the request locally return new OAuthAuthzRequest(req); } ...

  29. Authorization Endpoint (3) ... private void validateRedirectionURI(OAuthAuthzRequest oauthReq) { String redirectionURISent = oauthReq.getRedirectURI(); String redirectionURIStored = securityDataStore .getRedirectUriForClient( oauthReq.getClientId() ) ; if (!redirectionURIStored .equalsIgnoreCase(redirectionURISent)) { OAuthProblemException oAuthProblem = OAuthProblemException .error(OAuthError.CodeResponse.ACCESS_DENIED, "Invalid Redirection URI"); oAuthProblem.setRedirectUri(redirectionURISent); throw oAuthProblem; } } ...

  30. Authorization Endpoint (4) ... private String buildLoginURI(OAuthAuthzRequest oauthRequest) { String loginURI = getBaseLoginURI() ; // As an example loginURI += "&" + OAuth.OAUTH_RESPONSE_TYPE + "=“ + oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE); loginURI += "?" + OAuth.OAUTH_CLIENT_ID + "=“ + oauthRequest.getClientId(); loginURI += "&" + OAuth.OAUTH_REDIRECT_URI + "=“ + redirectUri; loginURI += "&" + OAuth.OAUTH_SCOPE + "=“ + getParam(OAuth.OAUTH_SCOPE); loginURI += "&" + OAuth.OAUTH_STATE + "=“ + getParam(OAuth.OAUTH_STATE); return loginURI; } }

  31. 2.Client XYZ wants an authorization code 3. User: „Yes, it‘s okay“ 4. Here is an authorization code for client XYZ You Authorization Server 1. I want an authorization 5. Here you are HTTP/1.1 302 Found code Location:  https://client.example.com/cb?  code=SplxlOBeZQQYbYS6WxSbIA&  state=xyz Client Resource Application Server

  32. Login page handler private void getAndSendAuthorizationCode(HttpServletRequest req, HttpServletResponse resp) { // Assuming login was successful and forwarded // parameters can be found in the request String userId = (String) request.getAttribute("userId"); String clientId = (String) request.getAttribute(OAuth.OAUTH_CLIENT_ID); // Create a new authorization code and store it in the database String authzCode = securityDataStore.getAuthorizationCode( userId, clientId ) ; // Redirect back to client String redirectUri = (String) req.getAttribute(OAuth.OAUTH_REDIRECT_URI); redirectUri += "?" + OAuth.OAUTH_CODE + "=" + authzCode); redirectUri += "&" + OAuth.OAUTH_STATE + "=“ + request.getAttribute(OAuth.OAUTH_STATE); resp.sendRedirect(redirectUri); }

  33. 6. I want to trade my authorization code for an access token You Authorization Server POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 7. Here you are Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&  code=SplxlOBeZQQYbYS6WxSbIA&  Client Resource redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb Application Server

Recommend

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney &lt;jbasney@ncsa.Illinois.edu&gt; Brian Bockelman &lt;bbockelm@cse.unl.edu&gt; This material is based upon work supported by the National S cience Foundation under Grant

379 views • 20 slides
&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto authentication standard &amp; &amp; Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo How

419 views • 21 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106, 21.11.2019, Singapore Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt { &quot;userinfo&quot;:{

340 views • 16 slides
Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case:

Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case:

Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case: Non-repudiation for backend JSON API calls Example 1: A payment request sent as a JSON payload to an API endpoint Example 2: A JSON API response from

369 views • 5 slides
OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios

OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios

OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris, Spyros Voulgaris, George C. Polyzos Resource sharing Authorization Client Resource owner Resource storage Resource access Resource

1.11k views • 18 slides
WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Marco Squarcina

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Marco Squarcina

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Marco Squarcina Joint work w. Stefano Calzavara, Riccardo Focardi, Matteo Ma ff ei, Clara Schneidewind, Mauro Tempesta 4th OAuth Security Workshop 2019 March 21,

585 views • 34 slides
The Protocol Founded in 1999 &gt;100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 &gt;100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 &gt;100 persons Clment OUDOT Montral, Quebec City, Ottawa, Paris @clementoudot ISO 9001:2004 / ISO 14001:2008 contact@savoirfairelinux.com GET /summary { part1:Some words on OAuth

796 views • 48 slides
Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business

Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business

Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business workflow, more. Worked at Google for 8 years on Google Apps, Cloud Platform Technologies: Python, Java, BigQuery, Oracle, MySQL, OAuth

791 views • 60 slides
Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

533 views • 32 slides
Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

569 views • 37 slides

More recommend