OAuth Multiple Lifetime Token
- 2. Copyright © 2010 Yahoo Japan Corporation. All Rights Reserved. Unauthorized quotation or reproduction prohibited.
Summary
– Proposal toward the OAuth v2 spec
– Multiple lifetime tokens (access_token & refresh_token)
– No change in the OAuth process; only the token, lifetime and scope parameters change
– Introduction of Yahoo! JAPAN OAuth APIs and security policy
- 3.
Yahoo! JAPAN OAuth APIs
Payment API "Credit Card Payment"
Point API "Award and use Y!Points"
Contacts API "Read Contact List of Y!Mail"
Social API "Read & Update Y!Profiles"
Attribute API "Read User Attributes"
Auction API "Bidding or Selling at Y!Auction"
- 4.
Security Level of APIs

API                                   Security Level   Token Lifetime
Payment API, Y! Point API             high             short
Attribute API, Contacts API           middle           medium
Social APIs (User Status & Updates)   low              long
- 5.
Current issue
– Moba-ge-town (http://yahoo-mbga.jp/) uses APIs of all three security levels:
– Social API (security level: low): Update Yahoo! Profile
– Contacts API (security level: middle): Find Friends, Send Invitation to Friends
– Payment API (security level: high): Purchase Avatar Item, Virtual coin
– The token expires in 2w
- 6.
Web Server Profile
Participants: User-Agent (Web browser), Client (Web App), AuthZ Server (Service Provider)
1. Client -> User-Agent -> AuthZ Server: Authorization Request w/ multiple scopes
2. AuthZ Server -> User-Agent: Ask for Permission; User-Agent -> AuthZ Server: Access Grant
3. AuthZ Server -> User-Agent -> Client: Authorization code & multiple scopes
4. Client -> AuthZ Server: Authorization code & multiple scopes
5. AuthZ Server -> Client: Access (and refresh) Tokens with different lifetime w/ multiple scopes
- 7.
User-agent Profile
– Still needs consideration about the URL length
Participants: User-Agent (Web browser), AuthZ Server (Service provider)
1. User-Agent -> AuthZ Server: Authorization Request w/ multiple scopes
2. AuthZ Server -> User-Agent: Ask for Permission; User-Agent -> AuthZ Server: Access Grant
3. AuthZ Server -> User-Agent: multiple Access (or refresh) Tokens with different lifetime w/ multiple scopes, carried in the redirect URL (hence the length concern)
- 8.
Idea of multiple lifetime access token
– Manage each access token lifetime by "expires_in" (one space-separated value per scope, in scope order)
{
  "scope": "payment social",
  "access_token": "SlAV32hkKG V2v5ehmLY",
  "expires_in": "3600 1206900"
}
expires in 1h (payment). expires in 2w (social)
- 9.
Idea of multiple lifetime refresh_token
– Set access token lifetimes short and set refresh_token lifetimes longer (one refresh_token per scope, in scope order)
{
  "scope": "payment social",
  "access_token": "SlAV32hkKG V2v5ehmLY",
  "expires_in": "3600 3600",
  "refresh_token": "8xLOxBtZp8 7euhZh4E"
}
expires in 1h. expires in 2w
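The two token-response formats above (slides 8 and 9) bind the n-th access_token, expires_in and refresh_token to the n-th scope. The following is an added example, not code from the deck or from Yahoo! JAPAN: a server-side builder that issues one token and lifetime per scope from a lifetime policy keyed by the security levels of slide 4, and a client-side parser that splits the parallel lists, rejects a response whose lists differ in length (otherwise a token could be bound to the wrong scope), and checks whether a given scope still has a live token. The scope-to-level mapping is taken from slide 4; the lifetime numbers, the function names and the sample tokens are assumptions.

```python
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scope -> security level, as in the deck's "Security Level of APIs" table.
SCOPE_LEVEL = {"payment": "high", "point": "high", "attribute": "middle",
               "contacts": "middle", "social": "low"}
# Level -> (access lifetime, refresh lifetime) in seconds. Assumed values chosen
# to match the deck's "1h" / "2w" annotations; not Yahoo! JAPAN's real policy.
LIFETIMES = {"high": (3600, 3600), "middle": (3600, 604800), "low": (3600, 1206900)}

# Constructed sample bodies: the deck's slide 8 and slide 9 responses as valid JSON.
SLIDE8 = ('{"scope": "payment social", "access_token": "SlAV32hkKG V2v5ehmLY", '
          '"expires_in": "3600 1206900"}')
SLIDE9 = ('{"scope": "payment social", "access_token": "SlAV32hkKG V2v5ehmLY", '
          '"expires_in": "3600 3600", "refresh_token": "8xLOxBtZp8 7euhZh4E"}')


@dataclass
class ScopedToken:
    access_token: str
    expires_in: int                       # seconds, per scope
    refresh_token: Optional[str] = None   # absent in the slide 8 variant


def build_token_response(scopes: List[str], with_refresh: bool) -> str:
    """Server side: one token and one lifetime per requested scope, emitted as
    the deck's parallel space-separated lists. Tokens must contain no whitespace
    (token_urlsafe guarantees this) or the list format would break."""
    unknown = [s for s in scopes if s not in SCOPE_LEVEL]
    if unknown:
        raise ValueError(f"unknown scope(s): {unknown}")
    body = {
        "scope": " ".join(scopes),
        "access_token": " ".join(secrets.token_urlsafe(8) for _ in scopes),
        "expires_in": " ".join(str(LIFETIMES[SCOPE_LEVEL[s]][0]) for s in scopes),
    }
    if with_refresh:
        body["refresh_token"] = " ".join(secrets.token_urlsafe(8) for _ in scopes)
    return json.dumps(body)


def parse_token_response(body: str) -> Dict[str, ScopedToken]:
    """Client side: split the parallel lists and bind each entry to its scope.
    A length mismatch or a duplicate scope is a malformed response and is
    rejected rather than silently truncated with zip()."""
    data = json.loads(body)
    scopes = data["scope"].split()
    tokens = data["access_token"].split()
    lifetimes = data["expires_in"].split()
    refresh = (data["refresh_token"].split() if "refresh_token" in data
               else [None] * len(scopes))
    if not (len(scopes) == len(tokens) == len(lifetimes) == len(refresh)):
        raise ValueError("scope/access_token/expires_in/refresh_token lists differ in length")
    if len(set(scopes)) != len(scopes):
        raise ValueError("duplicate scope in token response")
    return {s: ScopedToken(t, int(e), r)
            for s, t, e, r in zip(scopes, tokens, lifetimes, refresh)}


def usable(tokens: Dict[str, ScopedToken], scope: str, issued_at: int, now: int) -> bool:
    """True if the client still holds a live access token for this scope."""
    entry = tokens.get(scope)
    return entry is not None and now < issued_at + entry.expires_in


if __name__ == "__main__":
    for scope, entry in parse_token_response(SLIDE9).items():
        print(scope, entry)
    print(build_token_response(["payment", "contacts", "social"], with_refresh=True))
```

With this layout the client can keep calling the social scope for two weeks after the payment token has already expired, which is the behaviour the deck is after; the parser's length check is the part a real client must not skip, because a shorter access_token list would otherwise shift every later token onto the wrong scope.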