5. Issues with the OAuth 1.0 family, by Eran
• Authentication and Signatures
– Signatures are complicated; a library is required
• User Experience and Alternative Token Issuance Options
– Consolidating everything into a single flow leaves the UX for anything other than a Web App ...
– Facebook Connect is easy to use, isn't it?
• Performance at Scale
– Two kinds of tokens; client credentials must be managed
– On every API access, both the Client Credential and the Token Credential must be verified
6. OAuth 2.0 Spec
• IETF OAuth WG
– Based on OAuth WRAP
• Abstract
– Client type and profile
• The flow up to the delegation of access rights
– Endpoint
• Processing at the two endpoints
– Resource access
• API access using a bearer token
7. Client Type and Profile
• 4 Client types
– Web Servers
– User-Agents
– Native Applications
– Autonomous Clients
8. Web Server Profile
• Client Credential
– Client ID
– Client Secret
• Diff with OAuth 1.0a
– No Request Token
– No Signature
– No Token Secret
[Figure: sequence diagram between User-Agent, Web Client, AuthZ Server and Protected Resource, using Facebook as the example]
12. Native Applications
iPhone/Android apps, desktop apps
• External User-Agent
– Use custom URI scheme
– Polling the UA window and looking for a title change
• Embedded User-Agent
– Check URL Redirection
• Prompt for user credential
– ID/PW to Access Token (discouraged)
21. Accessing a Protected Resource
• Param
– Access Token only
• Positioned much like a browser and an HTTP cookie (by Allen)
• Method
– The Authorization Request Header Field
– URI Query Parameter
– Form-Encoded Body Parameter
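As an added illustration of this slide (not code from the talk or from any OAuth library), the following hypothetical resource-server helper accepts the three token-passing methods listed above and, as RFC 6750 later required, rejects a request that carries the token through more than one of them or through none at all. Names such as `extract_access_token` and `TokenError` are assumptions of this example.

```python
from typing import Dict, Mapping, Tuple
from urllib.parse import parse_qs

# Hypothetical resource-server helper (example code, not from the slides).
# Only the access token is checked here; the slide's point is that no
# signature and no token secret are involved, just the bearer token itself.

class TokenError(Exception):
    """Raised when the request carries no single, well-formed access token."""

def extract_access_token(
    headers: Mapping[str, str],
    query_string: str = "",
    form_body: str = "",
    content_type: str = "",
) -> Tuple[str, str]:
    """Return (token, method) where method is 'header', 'query' or 'form'."""
    found: Dict[str, str] = {}

    # 1. The Authorization request header field: "Authorization: Bearer <token>"
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        scheme, _, credentials = auth.strip().partition(" ")
        if scheme.lower() != "bearer" or not credentials.strip():
            raise TokenError("malformed Authorization header")
        found["header"] = credentials.strip()

    # 2. URI query parameter (access_token=...). Tokens sent this way end up in
    #    server logs and Referer headers, so the header method is preferable.
    qs = parse_qs(query_string, keep_blank_values=True)
    if "access_token" in qs:
        found["query"] = qs["access_token"][0]

    # 3. Form-encoded body parameter; only meaningful for form-encoded bodies.
    if content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        body = parse_qs(form_body, keep_blank_values=True)
        if "access_token" in body:
            found["form"] = body["access_token"][0]

    if not found:
        raise TokenError("no access token present")
    if len(found) > 1:
        raise TokenError("token sent via more than one method: " + ", ".join(sorted(found)))
    (method, token), = found.items()
    if not token:
        raise TokenError("empty access token")
    return token, method
```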