- Hannes Tschofenig, Blaine Cook
- Acknowledgements
- The Problem: Secure Data Sharing
- Example OAuth Exchange
- Entities
- User navigates to Resource Client
- User authenticated by Authorization Server
- User authorizes Resource Consumer to access Resource Server
- Resource Client calls the Resource Server API
- Remark: Authentication
- Remark: Authorization
- Remark: Authorization, cont.
- Remark: Authorization, cont.
- Remark: Authorization, cont.
- Remark: Prior-Registration
- Remark,
- History
- History
- History, cont.
- History, cont.
- Entities
- Scope of the OAuth WG
- Work Areas
- Web Server Flow
- A little bit about OAuth security…
- Work Areas
- “Bearer Token”
- “Message Signing”
- Conclusion
- Backup Slides
- JavaScript Flow
- Native Application Flow
- Autonomous Flow
- Device Flow
History, cont.
•March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair.
•March 2010: IETF OAuth meeting in Anaheim
•April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published co-authored by Eran, Dick, David.
•May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
•July 2010: Maastricht IETF meeting
•November 2010: Document split into “abstract” specification and separate bearer token and message signing specification.
•November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth
02/02/21 | IETF #79, OAuth Tutorial Beijing | 21
Entities
[Diagram: the entities User, User Agent, Resource Consumer, Authorization Server and Resource Server, connected by the labelled exchanges Authorization Request, Token request and Access Request (incl. Token).]
Scope of the OAuth WG
•Currently only one working group item:
–http://tools.ietf.org/html/draft-ietf-oauth-v2
–Unlike OAuth v1.0 it does not contain signature mechanisms
•We have a bunch of other documents as individual items
–Providing security related extensions
–User interface considerations
–Token formats
–Token by reference
–Use case descriptions
–Other OAuth profiles
Work Areas
[Diagram: the Entities figure (User, User Agent, Resource Consumer, Authorization Server, Resource Server; Authorization Request, Token Request, Access Request (incl. Token)) overlaid with the working group's work areas: User Interface, Authentication, Token Format And Content, Data Exchange, Authz Server Interaction, Request Security, OAuth Profiles.]
Web Server Flow
A little bit about OAuth security…
[Diagram; only a rotated “Security” label survives extraction.]
Work Areas
[Diagram: the Work Areas figure repeated (User, User Agent, Resource Consumer, Authorization Server, Resource Server; Authorization Request, Token Request, Access Request (incl. Token)), this time showing the areas User Interface, Authentication, Data Exchange, Authz Server Interaction and OAuth Profiles.]
“Bearer Token”
[Diagram: the Resource Consumer sends a Request to the Authorization Server over TLS and receives a Token; it then presents the Token to the Resource Server, again over TLS.]
“Message Signing”
[Diagram: the Resource Consumer sends a Request to the Authorization Server over TLS and receives Token, SK, {SK}Bob; it then sends Token, {Request}SK, {SK}Bob to the Resource Server.]
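As an added illustration, not part of the tutorial slides, the following Python sketch models the two exchanges shown on the “Bearer Token” and “Message Signing” slides side by side. It assumes that “Bob” is the Resource Server, that {Request}SK is an HMAC-SHA256 over the request under the session key SK, and that {SK}Bob is SK sealed under a long-term key shared by the Authorization Server and Resource Server (a toy HMAC-based seal standing in for a real AEAD); every key, token and request value is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo state (not from the slides): long-term key shared by AS and RS ("Bob").
AS_RS_KEY = b"demo-long-term-key-shared-by-AS-and-RS"
ISSUED_TOKENS = set()   # tokens the Resource Server will accept

def seal_for_bob(sk):
    """{SK}Bob: SK sealed for the RS. Toy encrypt-then-MAC from HMAC-SHA256 (assumption)."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(AS_RS_KEY, b"enc" + nonce, hashlib.sha256).digest()[:len(sk)]
    ct = bytes(a ^ b for a, b in zip(sk, pad))
    tag = hmac.new(AS_RS_KEY, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal_for_bob(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    exp = hmac.new(AS_RS_KEY, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, exp):
        raise ValueError("sealed session key failed integrity check")
    pad = hmac.new(AS_RS_KEY, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))

def authz_server_issue():
    """Token request: the AS answers with Token, SK and {SK}Bob (over TLS in the slide)."""
    token, sk = secrets.token_urlsafe(16), secrets.token_bytes(32)
    ISSUED_TOKENS.add(token)
    return {"token": token, "sk": sk, "sk_bob": seal_for_bob(sk)}

def bearer_access(grant, request):
    """Bearer: the token alone is the credential; only TLS protects it in transit."""
    return {"token": grant["token"], "request": request}

def resource_server_check_bearer(msg):
    # The RS cannot tell whether the request was altered in transit.
    return msg["token"] in ISSUED_TOKENS

def signed_access(grant, request):
    """Message signing: Token, {Request}SK, {SK}Bob; {Request}SK modelled as HMAC-SHA256."""
    mac = hmac.new(grant["sk"], request, hashlib.sha256).digest()
    return {"token": grant["token"], "request": request, "mac": mac, "sk_bob": grant["sk_bob"]}

def resource_server_check_signed(msg):
    try:
        sk = unseal_for_bob(msg["sk_bob"])   # RS recovers SK without asking the AS
    except ValueError:
        return False
    exp = hmac.new(sk, msg["request"], hashlib.sha256).digest()
    return msg["token"] in ISSUED_TOKENS and hmac.compare_digest(msg["mac"], exp)
```

The bearer check still accepts a captured message after its request line has been changed, which is why the bearer slide puts TLS on both hops; the signed check rejects the same change and any tampering with {SK}Bob.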