Karl McGuinness
Senior Director, Identity @ Okta
Demystifying OAuth
Agenda
• Why OAuth?
• Breaking down OAuth 2.0
• Pseudo-Authentication
• OpenID Connect
• Security & The Enterprise
Direct Authentication
Password anti-pattern
GET /index.html HTTP/1.1
Host: www.example.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Federated Identity
The Identity Provider (IdP) and the Service Provider (SP) have a trust relationship; the End User obtains an assertion from the IdP and provides that assertion to the SP.
Identity as Claims
A claim is a statement or assertion that a certain fact applies to something or somebody
• First Name = 'Karl'
• Age > 21
• Okta Employee
Claims are issued by an Authority for a Subject (e.g. user, device, etc.)
• Can be self-asserted (such as a Facebook profile) or issuer-asserted (such as an Okta Organization)
• Require an explicit trust relationship with the issuer
• Are subject to verification
SAML 2.0
OASIS Standard, 15 March 2005
• Authentication Request Protocol
• Assertion
SAML 2.0 Authentication Request Protocol
SAML 2.0 Assertion
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05">
  <Issuer>https://example.okta.com</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">
      karl@example.com
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
    <AudienceRestriction>
      <Audience>https://sp.example.com/saml2/sso</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2004-12-05T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
    <AuthnContext>
      <AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="displayName">
      <AttributeValue>Karl McGuinness</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
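Claims "are subject to verification", and the assertion above carries the fields a Service Provider checks before trusting it: the Issuer, the Conditions validity window, the AudienceRestriction and the bearer SubjectConfirmation. The following Python is an added example, not code from the slides or from Okta. It embeds a constructed copy of the assertion above (without the ds:Signature element) and applies those checks; the XML-DSig signature verification that must come first needs the IdP's certificate and a signing library, so it is assumed to have been done by the caller.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed copy of the assertion on the slide. The ds:Signature element is
# left out: XML-DSig verification needs the IdP's certificate and is assumed
# to have been done before these checks run.
ASSERTION_XML = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05">
  <Issuer>https://example.okta.com</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">karl@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </Subject>
  <Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
    <AudienceRestriction>
      <Audience>https://sp.example.com/saml2/sso</Audience>
    </AudienceRestriction>
  </Conditions>
</Assertion>"""


def saml_tag(local_name):
    """ElementTree's Clark notation for an element in the SAML assertion namespace."""
    return "{%s}%s" % (SAML_NS, local_name)


def parse_saml_time(value):
    """SAML timestamps are UTC; the slide omits the trailing 'Z', so accept both."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Assertion-level checks a Service Provider performs after the signature
    has been verified. Returns (True, name_id) or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != saml_tag("Assertion"):
        return False, "not a SAML 2.0 Assertion"
    issuer = (root.findtext(saml_tag("Issuer")) or "").strip()
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer
    conditions = root.find(saml_tag("Conditions"))
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing Conditions validity window"
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML Core 2.5.1)
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    audiences = [(a.text or "").strip() for a in conditions.iter(saml_tag("Audience"))]
    if expected_audience not in audiences:
        return False, "assertion not intended for this Service Provider"
    confirmation = root.find(saml_tag("Subject") + "/" + saml_tag("SubjectConfirmation"))
    if confirmation is None or confirmation.get("Method") != BEARER:
        return False, "unsupported SubjectConfirmation method"
    name_id = (root.findtext(saml_tag("Subject") + "/" + saml_tag("NameID")) or "").strip()
    if not name_id:
        return False, "missing NameID"
    return True, name_id
```

The audience check is what stops an assertion issued for one SP from being replayed at another, and the exclusive NotOnOrAfter bound means the assertion is already invalid at 09:27:05, not a second later.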
SAML = Web SSO
What's Changed since 2005?
• Modern and Native Applications
• Connected Experiences across Devices
• Simple Web APIs (GET, POST, PUT, DELETE)
• API Economy
Delegated Authorization Problem
How can a user authorize an app to access protected data on their behalf?
Have you ever seen one of these?
OAuth 2.0
Web-scale delegated authorization framework for REST/APIs
• Enables apps to obtain limited access (scopes) to a user's data without giving away a user's password
• Decouples authentication from authorization
• Supports multiple use cases addressing different client capabilities and deployment models
  • Server-to-server apps
  • Browser-based apps
  • Mobile/Native apps
  • Consoles/TVs
Protecting APIs since October 2012
Hotel Key Cards but for Apps
OAuth Simplified
1. App requests authorization from User
2. User authorizes App and delivers proof
3. App presents proof of authorization to server to get a Token
4. Token is restricted to only access what the User authorized for the specific App
OAuth 2.0
• Scopes & Consent
• Actors
• Clients
• Tokens
• Authorization Server
• Flows
Scopes
• Additive bundles of permissions asked for by the client when requesting a token
• Decouple authorization policy decisions from enforcement
Consent screen: scopes to deny, scopes to allow
Capturing User Consent
Authorization Grant (Trust of First Use)
Actors
• Resource Owner (RO)
• Client
• Authorization Server (AS)
• Resource Server (RS)
The Resource Owner delegates to the Client; the Client obtains a token from the Authorization Server and uses that token at the Resource Server.
Clients
• Public (Client Identification)
• Confidential (Client Authentication)
Client Registration is the DMV of OAuth
Tokens
Access Token (Required)
• Short-lived token used by the Client to access the Resource Server (API)
• No client authentication required (Public Clients)
• Optimized for scale and performance
• Usually can't be revoked
Refresh Token (Optional)
• Long-lived token used by the Client to obtain new access tokens from the Authorization Server
• Usually requires Confidential Clients with authentication
• Forces the client to rotate secrets
• Can be revoked
OAuth doesn't define the format of a token!
Authorization Server
Authorization Grant Types are Extensible
• Authorize Endpoint (/oauth2/authorize)
• Token Endpoint (/oauth2/token)
The Authorization Server accepts an Authorization Grant at the Token Endpoint and issues an Access Token and optionally a Refresh Token.
Token State Management
Developer Friction
Flow Channels
• Front Channel: the Resource Owner (RO) delegates to the Client through the user agent, with browser redirects to and from the Authorization Server (AS)
• Back Channel: the Client obtains a token directly from the Authorization Server (AS) and uses it directly at the Resource Server (RS)
Front Channel Flow
Authorize via User Agent
1. Resource Owner starts flow to delegate access to protected resource
2. Client sends authorization request with desired scopes via browser redirect to Authorize Endpoint on Authorization Server
3. User authenticates and consents to Delegated Access (Grant)
4. Authorization Code Grant or Access Token is returned to Client via browser redirect
Authorization Request
Request
GET https://accounts.google.com/o/oauth2/auth?
  scope=gmail.insert gmail.send&
  redirect_uri=https://app.example.com/oauth2/callback&
  response_type=code&
  client_id=812741506391&
  state=af0ifjsldkj
Response
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
  code=MsCeLvIaQm6bTrgtp7&
  state=af0ifjsldkj
Note: Parameters are not URL-encoded for example purposes
Back Channel Flow
Exchange Grants for Tokens
1. Client sends access token request to Token Endpoint on Authorization Server with confidential client credentials or public client id, exchanging the Authorization Code Grant for an Access Token and optionally a Refresh Token
2. Client accesses protected resource on the Resource Server with the Access Token
(Actors: Resource Owner (RO), Client, Authorization Server (AS), Resource Server (RS))
Token Request
Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Response
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}
Note: Parameters are not URL-encoded for example purposes
Making Protected Resource Requests
curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" \
  https://www.googleapis.com/gmail/v1/users/1444587525/messages
OAuth 2.0 Grant Types (Flows)
Implicit (2 Legged)
• Optimized for browser-only Public Clients
• Access token returned directly from the authorization request (Front-channel only)
• Does not support refresh tokens
• Assumes Resource Owner and Public Client are on the same device
• Most vulnerable to security threats
Authorization Code (3 Legged)
• Front channel flow used by the Client to obtain an authorization code grant
• Back channel flow used by the Client to exchange the authorization code grant for an access token and optionally a refresh token
• Assumes Resource Owner and Client are on separate devices
• Most secure flow as tokens never pass through the user-agent
Client Credential (2 Legged)
• Optimized for server-only Confidential Clients acting on behalf of themselves or a user
• Back-channel only flow to obtain an access token using the Client's credentials
• Supports shared secrets or assertions as Client credentials, signed with either symmetric or asymmetric keys
OAuth 2.0 Grant Types (Flows)
Resource Owner Password
• Legacy grant type for native username/password apps such as desktop apps
• Username/password is the authorization grant used to obtain an access token from the Authorization Server
• Does not support refresh tokens
• Assumes Resource Owner and Public Client are on the same device
Assertion (2 Legged)
• Allows the Authorization Server to trust authorization grants from a third party such as a SAML IdP (Federation)
• Assertion is used to obtain an access token with a token request
• Does not support refresh tokens
Device (Non-Standard)
• Optimized for devices that do not have access to web browsers
• User code is returned from the authorization request and must be redeemed by visiting a URL on a device with a browser to authorize
• Back channel flow used by the Client to poll for authorization approval for an access token and optionally a refresh token
Common OAuth 2.0 Security Issues
• Too many inputs that need validation
• Token hijacking with CSRF
  • Always use a CSRF token with the state parameter to ensure OAuth flow integrity
• Leaking authorization codes or tokens through redirects
  • Always whitelist redirect URIs and ensure proper URI validation
• Token hijacking by switching clients
  • Bind the same client to authorization grants and token requests
• Leaking client secrets
• Unbounded & Bearer Tokens
  • See draft specification of OAuth Proof-of-Possession Token Extension
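To show how the state check and redirect URI whitelisting from the list above fit into the authorization code flow shown earlier (Authorization Request, Token Request), here is an added Python example; it is not code from the slides or from any OAuth library. It builds the front-channel request, keeps the state and a PKCE code_verifier (RFC 7636, listed later in the deck) in the client's session, and validates the callback before producing the back-channel token request body. The endpoint, client_id, redirect_uri and authorization code values are constructed to match the slides' example, and the session is a plain dict standing in for whatever the web framework provides.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed client registration, modelled on the values in the slides'
# example request. In practice these come from registering with the AS.
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "812741506391"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth2/callback"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def redirect_uri_is_registered(uri):
    """Exact match against the allowlist. Prefix or wildcard matching is how
    authorization codes end up leaking to other paths or hosts."""
    return uri in REGISTERED_REDIRECT_URIS


def start_authorization(session, redirect_uri, scopes):
    """Build the front-channel authorization request, recording the state
    and a PKCE verifier in the caller's session for the callback."""
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    state = b64url(secrets.token_bytes(24))            # unguessable CSRF token
    code_verifier = b64url(secrets.token_bytes(32))    # RFC 7636 PKCE
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    session["oauth_state"] = state
    session["oauth_code_verifier"] = code_verifier
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # Unlike the slide, this is properly URL-encoded (space becomes %20)
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def handle_callback(session, callback_url):
    """Validate the redirect back to the client and return the body of the
    back-channel token request. Any mismatch raises, so a forged or replayed
    callback never reaches the token endpoint."""
    query = parse_qs(urlsplit(callback_url).query)
    expected_state = session.pop("oauth_state", None)   # single use
    received_state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(expected_state, received_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError("authorization server returned error %r" % query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,                     # same client as the grant
        "redirect_uri": session.pop("oauth_redirect_uri"),
        "code_verifier": session.pop("oauth_code_verifier"),
    }
```

The state is removed from the session on first use, so the same callback URL cannot be replayed. The code_verifier in the token request is what lets the Authorization Server bind the code to the client that started the flow even when that client is public; a confidential client would add its client_secret (or a client assertion) to this body as the Token Request slide shows.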
Key Enterprise OAuth 2.0 Use Cases
• Decouples authorization policy decisions from enforcement
• Enables the right blend of fine- & coarse-grained authorization
• Replaces traditional Web Access Management (WAM) policies
• Restrict & revoke which apps can access specific APIs
• Ensure only managed and/or compliant devices can access specific APIs
• Deep integration with identity deprovisioning workflow to revoke all tokens for a user and device
• Federation with an IdP
OAuth 2.0 Facts
• Not backward compatible with OAuth 1.0
• Replaces signatures with HTTPS for all communication
• Interoperability issues exist as it is not a protocol but rather an authorization framework
• OAuth 2.0 is not an authentication protocol
• OAuth 2.0 alone says absolutely nothing about the user
Authorization Framework? Like WS-Security?
Authorization Framework
Return of Complexity through Extensions
• OAuth 2 Framework (RFC 6749)
• Assertion Framework (RFC 7521)
• Token Introspection (RFC 7662)
• Token Revocation (RFC 7009)
• Dynamic Client Registration (RFC 7591)
• JSON (RFC 7159)
• JSON Web Token Bearer Assertion (RFC 7523)
• Proof Key for Code Exchange (PKCE) (RFC 7636)
• Simple Authentication and Security Layer (SASL) (RFC 7628)
• Token Exchange (Draft)
• SAML 2.0 Bearer Assertion (RFC 7522)
• Proof of Possession (Draft)
• JSON Web Token (JWT) (RFC 7519)
• JSON Web Signature (JWS) (RFC 7515)
• JSON Web Encryption (JWE) (RFC 7516)
• JSON Web Key (JWK) (RFC 7517)
• Bearer Token (RFC 6750)
Why all the complexity again?
• Enterprise use cases such as federation
• Interoperable tokens that can be signed and encrypted
• Proof-of-Possession tokens that can't be replayed
• Embedded user agents with insecure cross-app communication channels
  • Intermediates can capture resource owner credentials, grants, and tokens
• Bindings for non-HTTP transports and legacy protocols such as LDAP or IMAP as well as constrained devices (IoT)
Not an Authentication Protocol?
OAuth 2.0 as Pseudo-Authentication
As made famous by Facebook Connect and Twitter
A Client accessing a https://api.example.com/me resource with an access token is not authenticating the user.
Access tokens just prove the Client was authorized, are opaque, and are intended to be consumed only by the Resource Server. An access token alone does not answer:
• Who is the user (claims)?
• When did the user authenticate?
• Does the user still have an active or expired session?
• How did the user authenticate?
  • Just password, or password + second factor?
OpenID Connect
OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
• Extends OAuth 2.0 with a new signed id_token for the Client and a UserInfo endpoint to fetch user attributes
• Provides a standard set of scopes and claims for identities
  • profile
  • email
  • address
  • phone
• Built-in registration, discovery & metadata for dynamic federations
  • Bring Your Own Identity (BYOI)
• Supports high assurance levels and key SAML use cases (enterprise)
OpenID Connect Authorization Request
Request
GET https://accounts.google.com/o/oauth2/auth?
  scope=openid email&
  redirect_uri=https://app.example.com/oauth2/callback&
  response_type=code&
  client_id=812741506391&
  state=af0ifjsldkj
Response
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
  code=MsCeLvIaQm6bTrgtp7&
  state=af0ifjsldkj
Note: Parameters are not URL-encoded for example purposes
OpenID Connect Token Request
Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Response
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ…"
}
Note: Parameters are not URL-encoded for example purposes
JSON Web Token (JWT)
base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature)
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
Header
{
  "alg": "RS256"
}
Claims
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": [
    "pwd"
  ],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}
Signature: the third segment of the token above
OpenID Connect is built on OAuth 2.0
OAuth 2.0 Authorization Server & OpenID Connect Provider (OP):
• Authorization Endpoint
• Token Endpoint
• /.well-known/webfinger and /.well-known/openid-configuration
• Client Registration Endpoint
• JWKS Endpoint
• UserInfo Endpoint
• Check Session iFrame
• End Session Endpoint
OAuth 2.0 Resource Server: API Endpoints
Client (Relying Party):
1. Discover OIDC Metadata
2. Get JWT signature keys and optionally dynamically register Client
3. Perform OAuth flow to obtain id_token and access token
4. Validate JWT id_token
5. Get additional user attributes with access token
6. Validate session and/or logout
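Step 4, validating the JWT id_token, is where the claims shown on the JWT slide get checked. The following Python is an added example, not code from the slides, from Okta or from an OIDC library. It splits the compact serialization, base64url-decodes the header and claims of the slide's own token, and applies the claim checks from OpenID Connect Core (issuer, audience, expiry, issue time, and optionally max_age against auth_time). It assumes the caller has already verified the RS256 signature with the key fetched from the JWKS endpoint in step 2; that needs the key and an RSA implementation, so it is not performed here, and the signature segment is carried as printed on the slide, where it is truncated.

```python
import base64
import json

# The id_token from the JWT slide with its three segments joined back together.
# The signature segment is truncated on the slide and is not verified here.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIs"
    "ImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIs"
    "ImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20i"
    "LCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0."
    "XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-"
    "L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8"
)

ALLOWED_ALGS = {"RS256"}  # pin to what the OP advertises; never accept "none"


def b64url_decode(segment):
    """base64url without padding, as JWS uses it; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Return (header, claims, signature_segment) from the compact serialization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three '.'-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts[2]


def validate_id_token(token, issuer, client_id, now, max_age=None, skew=60):
    """Claim checks from OpenID Connect Core 1.0 section 3.1.3.7, assuming the
    JWS signature was already verified with the OP's JWKS key.
    `now` is a Unix timestamp; `skew` tolerates small clock differences.
    Returns (True, claims) or (False, reason)."""
    header, claims, _signature = split_jwt(token)
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "alg %r not allowed" % header.get("alg")
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token was not issued for this client"
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return False, "multiple audiences but azp is not this client"
    if "exp" not in claims or now > claims["exp"] + skew:
        return False, "token expired"
    if "iat" not in claims or claims["iat"] > now + skew:
        return False, "token issued in the future"
    if max_age is not None:
        if "auth_time" not in claims or now - claims["auth_time"] > max_age:
            return False, "authentication too old for requested max_age"
    return True, claims
```

The aud check is the one that separates an id_token meant for this Relying Party from one issued to some other client at the same OP, and it is the check most often skipped when a token is "decoded" rather than validated. The alg allowlist is applied before anything else so that a token claiming alg "none" is rejected regardless of its claims.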
Summary
• OAuth 2.0 is an authorization framework for delegated access to APIs
• Clients request scopes that Resource Owners authorize (consent)
• Authorization grants are exchanged for an access token and optionally a refresh token
• Multiple flows to address varying Client capabilities and authorization scenarios
• Use JSON Web Tokens (JWT) for structured tokens between Authorization Server and Resource Server
• OAuth 2.0 has a very large security surface area
  • Use a secure toolkit and remember to validate all inputs!
• OAuth 2.0 is not an authentication protocol
• OpenID Connect extends OAuth 2.0 for authentication scenarios
  • "SAML with curly-braces"
Modern OAuth-based Protocols
• OAuth 2.0
• OpenID Connect
• UMA
• NAPPS
Q&A
Rate this session in the mobile app!
Thank You.

 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Demystifying OAuth 2.0

  • 1. Karl McGuinness, Senior Director, Identity @ Okta. Demystifying OAuth
  • 2. Agenda
    • Why OAuth?
    • Breaking down OAuth 2.0
    • Pseudo-Authentication
    • OpenID Connect
    • Security & The Enterprise
  • 3. Direct Authentication: the password anti-pattern
      GET /index.html HTTP/1.1
      Host: www.example.com
      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  • 4. Federated Identity: the End User obtains an assertion from the Identity Provider (IdP) and provides it to the Service Provider (SP); the SP trusts the IdP.
  • 5. Identity as Claims
    A claim is a statement or assertion that a certain fact applies to something or somebody
    • First Name = 'Karl'
    • Age > 21
    • Okta Employee
    Issued by an Authority for a Subject (e.g. user, device, etc.)
    • Can be self-asserted, such as a Facebook profile, or issuer-asserted, such as an Okta Organization
    • Explicit trust relationship with an issuer
    • Are subject to verification
  • 6. SAML 2.0 (OASIS Standard, 15 March 2005): Authentication Request Protocol and Assertion
  • 7. SAML 2.0 Authentication Request Protocol
  • 8. SAML 2.0 Assertion
      <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05">
        <Issuer>https://example.okta.com</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">karl@example.com</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
          <AudienceRestriction>
            <Audience>https://sp.example.com/saml2/sso</Audience>
          </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2004-12-05T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
          <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
          <Attribute Name="displayName">
            <AttributeValue>Karl McGuinness</AttributeValue>
          </Attribute>
        </AttributeStatement>
      </Assertion>
  • 9. SAML = Web SSO
  • 11. Modern and Native Applications
  • 13. Simple Web APIs: GET, POST, PUT, DELETE
  • 15. Delegated Authorization Problem: how can a user authorize an app to access protected data on their behalf?
  • 16. Have you ever seen one of these?
  • 17. (image-only slide)
  • 18. OAuth 2.0: web-scale delegated authorization framework for REST/APIs, protecting APIs since October 2012
    • Enables apps to obtain limited access (scopes) to a user's data without giving away the user's password
    • Decouples authentication from authorization
    • Supports multiple use cases addressing different client capabilities and deployment models: server-to-server apps, browser-based apps, mobile/native apps, consoles/TVs
  • 19. Hotel key cards, but for apps
  • 20. OAuth Simplified
    1. App requests authorization from User
    2. User authorizes App and delivers proof
    3. App presents proof of authorization to server to get a Token
    4. Token is restricted to only access what the User authorized for the specific App
  • 21. OAuth 2.0: Scopes & Consent, Actors, Clients, Tokens, Authorization Server, Flows
  • 22. Scopes
    • Additive bundles of permissions asked for by the client when requesting a token
    • Decouples authorization policy decisions from enforcement
    • (consent screen labels: Scopes to Allow / Scopes to Deny)
  • 23. Capturing User Consent: Authorization Grant (Trust On First Use)
  • 24. Actors: the Resource Owner (RO) delegates to the Client; the Client obtains a token from the Authorization Server (AS) and uses the token at the Resource Server (RS)
  • 25. Actors (same diagram as slide 24)
  • 27. Clients: Client Registration is the DMV of OAuth
  • 28. Tokens. OAuth doesn't define the format of a token!
    Access Token (Required)
    • Short-lived token used by Client to access Resource Server (API)
    • No client authentication required (Public Clients)
    • Optimized for scale and performance
    • Usually can't be revoked
    Refresh Token (Optional)
    • Long-lived token that is used by Client to obtain new access tokens from Authorization Server
    • Usually requires Confidential Clients with authentication
    • Forces client to rotate secrets
    • Can be revoked
  • 29. Authorization Server: Authorize Endpoint (/oauth2/authorize) and Token Endpoint (/oauth2/token). The Client presents an Authorization Grant or Refresh Token and receives an Access Token. Authorization Grant Types are extensible.
  • 31. Flow Channels: Front Channel and Back Channel, over the same actors (RO delegates to Client, Client obtains token from AS, Client uses token at RS)
  • 32. Front Channel Flow: Authorize via User Agent
    1. Resource Owner starts flow to delegate access to protected resource
    2. Client sends authorization request with desired scopes via browser redirect to Authorize Endpoint on Authorization Server
    3. User authenticates and consents to Delegated Access (Grant)
    4. Authorization Code Grant or Access Token is returned to Client via browser redirect
  • 33. Authorization Request (note: parameters are not URL-encoded for example purposes)
    Request:
      GET https://accounts.google.com/o/oauth2/auth?
        scope=gmail.insert gmail.send&
        redirect_uri=https://app.example.com/oauth2/callback&
        response_type=code&
        client_id=812741506391&
        state=af0ifjsldkj
    Response:
      HTTP/1.1 302 Found
      Location: https://app.example.com/oauth2/callback?
        code=MsCeLvIaQm6bTrgtp7&
        state=af0ifjsldkj
  • 34. Back Channel Flow: Exchange Grants for Tokens
    1. Client sends access token request to Token Endpoint on Authorization Server with confidential client credentials or public client id, exchanging the Authorization Code Grant for an Access Token and optionally a Refresh Token
    2. Client accesses protected resource with Access Token
  • 35. Token Request (note: parameters are not URL-encoded for example purposes)
    Request:
      POST /oauth2/v3/token HTTP/1.1
      Host: www.googleapis.com
      Content-Type: application/x-www-form-urlencoded

      code=MsCeLvIaQm6bTrgtp7&
      client_id=812741506391&
      client_secret={client_secret}&
      redirect_uri=https://app.example.com/oauth2/callback&
      grant_type=authorization_code
    Response:
      {
        "access_token": "2YotnFZFEjr1zCsicMWpAA",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
      }
  • 36. Making Protected Resource Requests
      curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" https://www.googleapis.com/gmail/v1/users/1444587525/messages
  • 37. OAuth 2.0 Grant Types (Flows)
    Implicit (2 Legged)
    • Optimized for browser-only Public Clients
    • Access token returned directly from authorization request (front-channel only)
    • Does not support refresh tokens
    • Assumes Resource Owner and Public Client are on the same device
    • Most vulnerable to security threats
    Authorization Code (3 Legged)
    • Front channel flow used by Client to obtain authorization code grant
    • Back channel flow used by Client to exchange authorization code grant for access token and optionally refresh token
    • Assumes Resource Owner and Client are on separate devices
    • Most secure flow as tokens never pass through the user agent
    Client Credential (2 Legged)
    • Optimized for server-only Confidential Clients acting on behalf of itself or a user
    • Back-channel only flow to obtain an access token using the Client's credentials
    • Supports shared secrets or assertions as Client credentials signed with either symmetric or asymmetric keys
  • 38. OAuth 2.0 Grant Types (Flows), continued
    Resource Owner Password
    • Legacy grant type for native username/password apps such as desktop apps
    • Username/password is the authorization grant used to obtain an access token from the Authorization Server
    • Does not support refresh tokens
    • Assumes Resource Owner and Public Client are on the same device
    Assertion (2 Legged)
    • Allows Authorization Server to trust authorization grants from a third party such as a SAML IdP (Federation)
    • Assertion is used to obtain access token with token request
    • Does not support refresh tokens
    Device (Non-Standard)
    • Optimized for devices that do not have access to web browsers
    • User code is returned from authorization request that must be redeemed by visiting a URL on a device with a browser to authorize
    • Back channel flow used by Client to poll for authorization approval for access token and optionally refresh token
  • 39. Common OAuth 2.0 Security Issues
    • Too many inputs that need validation
    • Token hijacking with CSRF: always use a CSRF token with the state parameter to ensure OAuth flow integrity
    • Leaking authorization codes or tokens through redirects: always whitelist redirect URIs and ensure proper URI validation
    • Token hijacking by switching clients: bind the same client to authorization grants and token requests
    • Leaking client secrets
    • Unbounded & Bearer Tokens: see the draft specification of the OAuth Proof-of-Possession Token Extension
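The three mitigations on slide 39 (state for CSRF, exact redirect URI allow-listing, and binding the grant to the client that obtained it), worked as an added Python example that is not from the deck; the `AuthorizationServer` model, the `as.example.com` endpoint and the client values are constructed for it:

```python
"""Authorization-code flow integrity checks (added example, not from the
slides): CSRF binding with `state`, exact-match redirect URI allow-listing,
and binding an authorization code to the client and redirect URI that
requested it. Endpoint, client ids and the AS model are constructed."""
from __future__ import annotations

import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://as.example.com/oauth2/authorize"  # constructed


def build_authorization_request(session: dict, client_id: str,
                                redirect_uri: str, scopes: list[str]) -> str:
    """Client side: mint a fresh, unguessable `state`, remember it in the
    user's session, and carry it in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, params: dict) -> str:
    """Client side: accept the redirect only if `state` matches the stored
    value, and consume it so a captured callback cannot be replayed."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None or \
            not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF, aborting flow")
    if "code" not in params:
        raise ValueError("authorization response carried no code")
    return params["code"]


class AuthorizationServer:
    """Minimal model of the AS-side checks named on the slide (constructed)."""

    def __init__(self, registered_redirect_uris: dict[str, set[str]]):
        # client_id -> exact redirect URIs registered for that client
        self.registered = registered_redirect_uris
        self.codes = {}  # code -> (client_id, redirect_uri) it was issued for

    def validate_redirect_uri(self, client_id: str, redirect_uri: str) -> bool:
        """Exact string comparison against the registered allow-list: no
        prefix, wildcard or substring matching, which is what lets codes
        leak through unexpected paths and open redirects."""
        return redirect_uri in self.registered.get(client_id, set())

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        if not self.validate_redirect_uri(client_id, redirect_uri):
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(24)
        # Bind the grant to the client and redirect URI it was issued for.
        self.codes[code] = (client_id, redirect_uri)
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str) -> str:
        """Token endpoint: the code is single-use and must be presented by
        the same client, with the same redirect_uri, that obtained it."""
        bound = self.codes.pop(code, None)  # pop: a second use always fails
        if bound is None:
            raise ValueError("unknown or already-used code")
        if bound != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client/redirect_uri")
        return "access-token-" + secrets.token_urlsafe(16)


if __name__ == "__main__":
    srv = AuthorizationServer({"812741506391": {"https://app.example.com/oauth2/callback"}})
    sess = {}
    print(build_authorization_request(sess, "812741506391",
                                      "https://app.example.com/oauth2/callback", ["openid"]))
    code = srv.issue_code("812741506391", "https://app.example.com/oauth2/callback")
    print(handle_callback(sess, {"code": code, "state": sess["oauth_state"]}))
```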
  • 40. Key Enterprise OAuth 2.0 Use Cases
    • Decouples authorization policy decisions from enforcement
    • Enables the right blend of fine- & coarse-grained authorization
    • Replaces traditional Web Access Management (WAM) policies
    • Restrict & revoke which apps can access specific APIs
    • Ensure only managed and/or compliant devices can access specific APIs
    • Deep integration with identity deprovisioning workflow to revoke all tokens for a user and device
    • Federation with an IdP
  • 41. OAuth 2.0 Facts
    • Not backward compatible with OAuth 1.0
    • Replaces signatures with HTTPS for all communication
    • Interoperability issues exist as it's not a protocol but rather an authorization framework
    • OAuth 2.0 is not an authentication protocol
    • OAuth 2.0 alone says absolutely nothing about the user
  • 44. Authorization Framework: Return of Complexity through Extensions
    • OAuth 2 Framework, RFC 6749
    • Bearer Token, RFC 6750
    • Assertion Framework, RFC 7521
    • SAML 2.0 Bearer Assertion, RFC 7522
    • JSON Web Token Bearer Assertion, RFC 7523
    • Token Introspection, RFC 7662
    • Token Revocation, RFC 7009
    • Dynamic Client Registration, RFC 7591
    • Proof Key for Code Exchange (PKCE), RFC 7636
    • Simple Authentication and Security Layer (SASL), RFC 7628
    • Token Exchange, Draft
    • Proof of Possession, Draft
    • JSON, RFC 7159
    • JSON Web Token (JWT), RFC 7519
    • JSON Web Signature (JWS), RFC 7515
    • JSON Web Encryption (JWE), RFC 7516
    • JSON Web Key (JWK), RFC 7517
  • 45. Why all the complexity again?
    • Enterprise use cases such as federation
    • Interoperable tokens that can be signed and encrypted
    • Proof-of-Possession tokens that can't be replayed
    • Embedded user agents with insecure cross-app communication channels
    • Intermediaries can capture resource owner credentials, grants, and tokens
    • Bindings for non-HTTP transports and legacy protocols such as LDAP or IMAP, as well as constrained devices (IoT)
  • 47. OAuth 2.0 as Pseudo-Authentication (as made famous by Facebook Connect and Twitter)
    A Client accessing a https://api.example.com/me resource with an access token is not authenticating the user. Access tokens just prove the Client was authorized; they are opaque and intended to be consumed only by the Resource Server. Left unanswered:
    • Who is the user (claims)?
    • When did the user authenticate?
    • Does the user still have an active or expired session?
    • How did the user authenticate? Just password, or password + second factor?
  • 48. OpenID Connect = OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
    • Extends OAuth 2.0 with a new signed id_token for the Client and a UserInfo endpoint to fetch user attributes
    • Provides a standard set of scopes and claims for identities: profile, email, address, phone
    • Built-in registration, discovery & metadata for dynamic federations
    • Bring Your Own Identity (BYOI)
    • Supports high assurance levels and key SAML use cases (enterprise)
  • 49. OpenID Connect Authorization Request (note: parameters are not URL-encoded for example purposes)
    Request:
      GET https://accounts.google.com/o/oauth2/auth?
        scope=openid email&
        redirect_uri=https://app.example.com/oauth2/callback&
        response_type=code&
        client_id=812741506391&
        state=af0ifjsldkj
    Response:
      HTTP/1.1 302 Found
      Location: https://app.example.com/oauth2/callback?
        code=MsCeLvIaQm6bTrgtp7&
        state=af0ifjsldkj
  • 50. OpenID Connect Token Request (note: parameters are not URL-encoded for example purposes)
    Request:
      POST /oauth2/v3/token HTTP/1.1
      Host: www.googleapis.com
      Content-Type: application/x-www-form-urlencoded

      code=MsCeLvIaQm6bTrgtp7&
      client_id=812741506391&
      client_secret={client_secret}&
      redirect_uri=https://app.example.com/oauth2/callback&
      grant_type=authorization_code
    Response:
      {
        "access_token": "2YotnFZFEjr1zCsicMWpAA",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
        "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ…"
      }
  • 51. JSON Web Token (JWT): base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature)
    Token:
      eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
    Header:
      { "alg": "RS256" }
    Claims:
      {
        "iss": "https://example.okta.com",
        "sub": "00ugrenMeqvYla4HW0g3",
        "aud": "w255HEWiSU4AuNxEjeij",
        "iat": 1446305282,
        "exp": 1446308882,
        "amr": [ "pwd" ],
        "auth_time": 1446305282,
        "email": "karl@example.com",
        "email_verified": true
      }
  • 52. OpenID Connect is built on OAuth 2.0
    Components: OAuth 2.0 Authorization Server & OpenID Connect Provider (OP) with Authorization Endpoint, Token Endpoint, /.well-known/webfinger and /.well-known/openid-configuration, Client Registration Endpoint, JWKS Endpoint, Check Session iFrame, End Session Endpoint and UserInfo Endpoint; OAuth 2.0 Resource Server (API Endpoints); Client (Relying Party), which validates the (JWT) ID Token.
    1. Discover OIDC Metadata
    2. Get JWT signature keys and optionally dynamically register Client
    3. Perform OAuth flow to obtain id_token and access token
    4. Validate JWT id_token
    5. Get additional user attributes with access token
    6. Validate session and/or logout
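Step 4 above, "Validate JWT id_token", as an added Python example that is not from the slides: the algorithm pin, signature check and claim checks a Relying Party runs before trusting the token. It uses HS256 keyed with the client secret so it runs on the standard library alone (with RS256 against JWKS keys the claim checks are identical and only the signature primitive changes); the secret and the `mint_id_token` helper are constructed for this example.

```python
"""OIDC id_token validation (added example, not from the slides). HS256
keyed with the client secret, which OIDC permits, so only the standard
library is needed; keys and tokens here are constructed for the example."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Issuer side, only to produce test input: header.claims.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{body}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: bytes, issuer: str,
                      client_id: str, now: int | None = None,
                      expected_nonce: str | None = None,
                      max_skew: int = 60) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise.
    The algorithm is pinned before the signature is checked, so a
    token-chosen `alg` (such as "none") is never honoured."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # 1. Pin the algorithm to what this client was configured for.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Recompute the MAC over the exact bytes received; compare in
    #    constant time. Any change to header or claims invalidates it.
    expected = hmac.new(client_secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(claims_b64))
    # 3. The token must come from the OP we trust...
    if claims.get("iss") != issuer:
        raise ValueError(f"untrusted issuer {claims.get('iss')!r}")
    # 4. ...and be meant for this client; aud may be a string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token audience does not include this client")
    # 5. Lifetime: exp is required; iat must not lie in the future.
    if "exp" not in claims or now >= int(claims["exp"]) + max_skew:
        raise ValueError("token expired or missing exp")
    if int(claims.get("iat", 0)) > now + max_skew:
        raise ValueError("token issued in the future")
    # 6. nonce binds the token to the authentication request that caused it.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this request")
    return claims


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    tok = mint_id_token({"iss": "https://op.example", "sub": "u1", "aud": "c1",
                         "iat": 1700000000, "exp": 1700003600}, secret)
    print(validate_id_token(tok, secret, "https://op.example", "c1", now=1700000100))
```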
  • 53. Summary
    • OAuth 2.0 is an authorization framework for delegated access to APIs
    • Clients request scopes that Resource Owners authorize (consent)
    • Authorization grants are exchanged for an access token and optionally a refresh token
    • Multiple flows to address varying Client capabilities and authorization scenarios
    • Use JSON Web Tokens (JWT) for structured tokens between Authorization Server and Resource Server
    • OAuth 2.0 has a very large security surface area
    • Use a secure toolkit and remember to validate all inputs!
    • OAuth 2.0 is not an authentication protocol
    • OpenID Connect extends OAuth 2.0 for authentication scenarios: "SAML with curly-braces"
  • 55. Q&A
  • 56. Rate this session in the mobile app!