Introduction to OAuth2.0
Oracle Corporation
1.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
OAuth 2.0 Overview
Oracle Asia Research and Development Center
Alice Liu (lzhmails@gmail.com)
2.
OAuth 2.0 Overview
3-Legged OAuth / 2-Legged OAuth
OAuth Workflow
3.
OAuth 2.0 Overview: OAuth Terms
– Client: an application accessing an API; it can be a web app, an app running inside a user agent, or a native app
– Resource Owner: a "user" who can authorize (grant) access to API resources
– Resource Server: the API host
– Authorization Server: the authorization PDP (policy decision point) and STS (security token service)
OAuth 2.0 is relatively simple:
– Get the token
– Use the token to access the protected resource
OAuth 2.0 Authorization Server
4.
OAuth 2.0 Overview
In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares its credentials with the third party. This creates several problems and limitations (the list follows RFC 6749, section 1):
– Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
– Servers are required to support password authentication, despite the security weaknesses created by passwords.
– Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
– Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
5.
3-Legged OAuth
1) The resource owner connects to an OAuth-client-enabled service and asks it to access resources at a different site.
2) The OAuth Client (requesting site) redirects the user to the OAuth Authorization Server, which authenticates the user and presents a consent page. It then sends an authorization code to the OAuth Client (through the user agent, to the client's registered redirect URI).
3) The OAuth Client uses the authorization code to retrieve an OAuth Access Token from the OAuth Authorization Server.
4) The OAuth Client presents the Access Token to the OAuth Resource Server.
5) The Resource Server validates the token with the Authorization Server (by token introspection for an opaque token; a self-contained signed token can instead be validated locally).
6) The Resource Server provides the requested content to the OAuth Client.
[Diagram: OAuth Client on the requesting site; Resource Owner / Agent / Native App; OAuth Resource Server and OAuth Authorization Server on the resource site; arrows numbered as in the steps above.]
6.
2-Legged OAuth
1) The requesting service (OAuth Client) preregisters with the OAuth Authorization Server and receives client credentials.
2) The requesting service uses its client credentials to connect to a resource server.
3) The Resource Server validates the client's credentials and provides the requested content.
In OAuth 2.0 terms this is the client credentials grant: the client authenticates to the authorization server's token endpoint with its credentials, receives an access token, and presents that token to the resource server; the client secret itself is never sent to the resource server.
[Diagram: OAuth Client, OAuth Resource Server and OAuth Authorization Server, with steps 1 to 3.]
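The two flows above, worked as an added example that is not part of the Oracle deck: an in-memory authorization server issues an authorization code to a web client on the resource owner's consent and exchanges it for an access token (3-legged), and issues a token directly to a pre-registered client with no user involved (2-legged). The resource server validates each token by asking the authorization server, as in step 5. The client ids, client secrets, redirect URI, scope name and photo data are invented for the example. The checks a practitioner should look for are in the comments: exact redirect_uri match, client authentication at the token endpoint, single-use codes bound to the client that requested them, and the client's own `state` check.

```python
# Added example, not from the slides: the 3-legged authorization-code flow and the
# 2-legged client-credentials flow simulated in one process. All names are made up.
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

CODE_TTL, TOKEN_TTL = 60, 3600   # codes are short-lived and single-use; tokens expire too


class AuthorizationServer:
    def __init__(self):
        # registered clients: client_id -> (client_secret, redirect_uri)
        self.clients = {"photoprint": ("print-secret", "https://photoprint.example/cb"),
                        "nightly-batch": ("batch-secret", None)}   # 2-legged client, no user
        self.codes, self.tokens = {}, {}

    def authorize(self, query, user, consent):
        """/authorize endpoint: the user is authenticated, consents, and is redirected back."""
        q = dict(parse_qsl(query))
        _, registered_uri = self.clients[q["client_id"]]
        # redirect_uri must equal the registered one, or the code could be
        # delivered to an attacker-controlled URI
        if registered_uri is None or q.get("redirect_uri") != registered_uri:
            raise PermissionError("invalid_request: redirect_uri mismatch")
        if not consent:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": registered_uri,
                            "scope": q.get("scope", ""), "sub": user,
                            "exp": time.time() + CODE_TTL}
        # state is echoed back unchanged so the client can detect CSRF
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, grant_type, **p):
        """/token endpoint: authenticate the client, then exchange the grant for a token."""
        secret, _ = self.clients.get(client_id, ("", None))
        if not secret or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(p["code"], None)            # pop => single use
            if (grant is None or grant["exp"] < time.time()
                    or grant["client_id"] != client_id           # code bound to the client
                    or grant["redirect_uri"] != p["redirect_uri"]):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, grant["scope"], grant["sub"])
        if grant_type == "client_credentials":
            # 2-legged: no resource owner, the token represents the client itself
            return self._issue(client_id, p.get("scope", ""), client_id)
        raise ValueError("unsupported_grant_type")

    def _issue(self, client_id, scope, sub):
        tok = secrets.token_urlsafe(32)                        # opaque to the client
        self.tokens[tok] = {"client_id": client_id, "scope": scope, "sub": sub,
                            "exp": time.time() + TOKEN_TTL}
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": scope}

    def introspect(self, tok):
        """Validation call made by the resource server (step 5 of the 3-legged flow)."""
        info = self.tokens.get(tok)
        if info is None or info["exp"] < time.time():
            return {"active": False}
        return {"active": True, **info}


PHOTOS = {"alice": ["beach.jpg", "dog.jpg"]}   # constructed resource-server data


def read_photos(auth_server, authorization, owner):
    """Resource server: serve only for an active token with the right scope and subject."""
    scheme, _, tok = authorization.partition(" ")
    info = auth_server.introspect(tok) if scheme == "Bearer" else {"active": False}
    if not info["active"] or "photos:read" not in info["scope"].split():
        raise PermissionError("insufficient_scope")
    if info["sub"] != owner:
        raise PermissionError("forbidden")        # token was issued for someone else
    return PHOTOS[owner]


def three_legged(auth_server):
    """Client 'photoprint' reads alice's photos with her consent (steps 1-6 above)."""
    state = secrets.token_urlsafe(16)              # client-side CSRF binding
    query = urlencode({"response_type": "code", "client_id": "photoprint",
                       "redirect_uri": "https://photoprint.example/cb",
                       "scope": "photos:read", "state": state})
    redirect = auth_server.authorize(query, user="alice", consent=True)    # step 2
    cb = dict(parse_qsl(urlparse(redirect).query))
    if cb.get("state") != state:
        raise PermissionError("state mismatch: possible CSRF")
    tok = auth_server.token("photoprint", "print-secret", "authorization_code",   # step 3
                            code=cb["code"], redirect_uri="https://photoprint.example/cb")
    return read_photos(auth_server, "Bearer " + tok["access_token"], "alice")   # steps 4-6


def two_legged(auth_server):
    """Client 'nightly-batch' acts for itself: no user, no redirect, no consent."""
    tok = auth_server.token("nightly-batch", "batch-secret", "client_credentials",
                            scope="photos:read")
    return auth_server.introspect(tok["access_token"])
```

`three_legged(AuthorizationServer())` returns alice's photo list; the token from `two_legged` has the client, not a user, as its subject, so `read_photos` refuses it for alice's album even though it carries the right scope. A public client such as the native app in the diagram cannot keep a client secret, so it should add PKCE (RFC 7636) to the code exchange; that is left out here.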
7.
OAuth 2.0 Overview
• OAuth allows resource owners to delegate resource access rights to third parties:
  • No sharing of passwords with third-party apps
  • Access authorized only to certain, limited resources
  • For a limited time
  • Consent given to a third-party app can be revoked
• Whereas sharing passwords with third-party apps brings:
  • Trust issues
  • An unwanted level of access
  • No ability to revoke, etc.
8.
OAuth Workflow
Participants: Consumer (Client), Service Provider (Resource Server), User (Resource Owner).
1. The Consumer asks the Service Provider for a token.
2. The Service Provider responds with an unauthorized request token.
3. The Consumer redirects the User to the Service Provider to ask for authorization of the request token.
4. The User logs in and grants permission.
5. The Service Provider redirects the User back to the Consumer with the authorized request token.
6. The Consumer requests an exchange of the request token for an access token.
7. The Consumer asks for data with the access token, and the Service Provider responds with the requested data.
8. The Consumer redirects the User to the content (access page).
Note: the request-token / access-token exchange on this slide is the OAuth 1.0a flow (RFC 5849). OAuth 2.0 has no request token; the authorization code grant on slide 5 plays this role, and the code is exchanged over a back channel with client authentication.
9.
Using OAuth 2.0 Authorization Code Flow
10.
What is OAuth 2.0? OAuth Actors
[Diagram of the four actors and their interactions:]
– Resource Owner: logs in and gives consent; delegates authorization
– Client Application (e.g. photoprinting.com): accesses resources
– OAuth Server: authenticates and authorizes the resource owner, issues tokens
– Resource Server (e.g. photos from "photos.com"): holds the data the client accesses
11.
What is OAuth 2.0?
• Service Provider (Resource Server): the Service Provider controls all aspects of the OAuth implementation. It is the term used for the website or web service where the restricted resources are located. It can be a photo-sharing site where users keep albums, an online banking service, a micro-blogging site, or any other service where a user's private data is kept. OAuth does not mandate that the Service Provider also be the identity provider: the Service Provider can use its own usernames and passwords to authenticate users, or use another system such as OpenID.
• User (Resource Owner): the user is why OAuth exists; without users there is no need for OAuth. Users have data they do not want to make public on the Service Provider, but do want to share with another site. OAuth can, however, also be used in two-legged scenarios involving only a client and a server, with no user interaction.
• Consumer (Client): a fancy name for an application trying to access the User's resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web.
• Protected Resources: the data OAuth protects and grants access to. This can be data (photos, documents, contacts, etc.), activities (posting a blog item, transferring funds) or any URL that needs access restriction.
(Service Provider, User and Consumer are the OAuth 1.0 names; OAuth 2.0 calls them Resource Server, Resource Owner and Client.)
12.
What is OAuth 2.0? (definitions from RFC 6749, sections 1.4 and 1.5)
Access Token: Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
Refresh Token: Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Refresh tokens are presented only to the authorization server, never to a resource server.
13.
OAuth 2.0 Grant Types
• Authorization Code – usually clients running on a web server
• Implicit – clients running directly in the browser, such as JavaScript applications (the access token is returned in the redirect URI fragment; the IETF's OAuth 2.0 Security Best Current Practice now recommends the authorization code grant with PKCE instead)
• Resource Owner Password Credentials – the user's user id/password are handed to the client (also discouraged by the Security Best Current Practice, since it reintroduces password sharing)
• Client Credentials – the client authenticates with its own credentials
• Refresh Token – obtain a new access token from a refresh token
• Assertion Framework
  • Client Assertion (client authentication) and Authorization Assertion (authorization grant)
  • Supports multiple formats: JWT and SAML (later published as RFC 7521, RFC 7523 and RFC 7522)
• Extended Grants
  • Depend on server and deployment needs
  • E.g. for Oracle to support OAM tokens
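The token lifecycle described on the two slides above (access token versus refresh token, and the refresh_token grant), as an added example that is not from the deck: a small token service issues an access/refresh pair, the resource server rejects an expired access token and one that lacks the scope for the requested operation, and the refresh_token grant yields a new access token with identical or narrower scope while refusing any scope beyond the original grant. Client id, subject, scope names and lifetimes are invented. The refresh-token rotation and reuse detection are not in RFC 6749; they follow the later OAuth 2.0 Security Best Current Practice and are marked in the code.

```python
# Added example, not from the slides: the access-token / refresh-token lifecycle.
# Client ids, scopes and lifetimes are made up; the refresh-token rotation and
# reuse detection go beyond RFC 6749 and follow the OAuth 2.0 Security BCP.
import secrets
import time

ACCESS_TTL = 300           # access tokens: short-lived, shown to the resource server
REFRESH_TTL = 30 * 86400   # refresh tokens: long-lived, shown only to the authorization server


class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}    # access_token -> {client_id, sub, scope (set), exp}
        self.refresh = {}   # refresh_token -> {client_id, sub, scope (set), exp, family}
        self.used = {}      # rotated-out refresh_token -> family, for reuse detection

    def grant(self, client_id, sub, scope):
        """Initial issuance after the resource owner authorized `scope`."""
        granted = set(scope.split())
        return self._issue(client_id, sub, granted, granted, secrets.token_hex(8))

    def refresh_grant(self, client_id, refresh_token, scope=None):
        """grant_type=refresh_token: new access token with identical or narrower scope."""
        if refresh_token in self.used:
            # A refresh token that was already rotated is being replayed: either the
            # client or an attacker holds a stale copy. Revoke the whole family.
            family = self.used[refresh_token]
            for rt in [k for k, v in self.refresh.items() if v["family"] == family]:
                del self.refresh[rt]
            raise PermissionError("invalid_grant: refresh token reuse")
        rt = self.refresh.get(refresh_token)
        if rt is None or rt["exp"] < self.clock() or rt["client_id"] != client_id:
            raise PermissionError("invalid_grant")   # unknown, expired or wrong client
        wanted = set(scope.split()) if scope else rt["scope"]
        if not wanted <= rt["scope"]:
            raise PermissionError("invalid_scope")   # cannot exceed the original grant
        del self.refresh[refresh_token]              # rotation: the old token is spent
        self.used[refresh_token] = rt["family"]
        # the new refresh token keeps the original grant; only the access token narrows
        return self._issue(client_id, rt["sub"], wanted, rt["scope"], rt["family"])

    def _issue(self, client_id, sub, access_scope, refresh_scope, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "sub": sub, "scope": access_scope,
                           "exp": self.clock() + ACCESS_TTL}
        self.refresh[rt] = {"client_id": client_id, "sub": sub, "scope": refresh_scope,
                            "exp": self.clock() + REFRESH_TTL, "family": family}
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "scope": " ".join(sorted(access_scope))}


def check_access(svc, token, required_scope):
    """Resource-server side: enforce lifetime and scope on every request."""
    info = svc.access.get(token)
    if info is None or info["exp"] < svc.clock():
        return "invalid_token"          # unknown or expired: the client should refresh
    if required_scope not in info["scope"]:
        return "insufficient_scope"     # live token, but not for this operation
    return "ok"


def lifecycle():
    """One token pair through expiry, refresh and narrowing, driven by a fake clock."""
    now = [1_700_000_000.0]
    svc = TokenService(clock=lambda: now[0])
    first = svc.grant("photoprint", "alice", "photos:read photos:write")
    steps = [check_access(svc, first["access_token"], "photos:write")]       # ok
    now[0] += ACCESS_TTL + 1                                                  # access token expires
    steps.append(check_access(svc, first["access_token"], "photos:write"))    # invalid_token
    second = svc.refresh_grant("photoprint", first["refresh_token"], scope="photos:read")
    steps.append(check_access(svc, second["access_token"], "photos:write"))   # insufficient_scope
    steps.append(check_access(svc, second["access_token"], "photos:read"))    # ok
    return steps
```

`lifecycle()` returns the four resource-server verdicts in order. Narrowing on refresh only narrows the access token; the new refresh token keeps the scope the resource owner originally granted, as RFC 6749 section 6 specifies, so a later refresh can ask for the full grant again but never for more.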
14.
Typical 3-legged OAuth flow with Authorization Code Grant Type
[Diagram: a "Background Checker" client (1) obtains an authorization grant through user consent, (2) gets an access token from the Enterprise OAuth Server, and (3) uses the access token to access a resource on the Resource Server. The Enterprise OAuth Server is backed by a token-claim registry, a scope registry, a policy store and user-consent orchestration.]
15.
Questions
16.
References & Terminology
1. OAuth 2.0 Spec (Core/Classic) - http://tools.ietf.org/html/rfc6749
2. OAuth 2.0 Assertion Framework Spec - http://tools.ietf.org/html/draft-ietf-oauth-assertions-11 (since published as RFC 7521)
3. OAuth 2.0 JWT Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05 (since published as RFC 7523)
4. "How OAuth 2.0 changes the way web services are used" (in Japanese) - http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
5. http://lzhairs.blogspot.jp/2013/09/2-legged-oauth-3-legged-oauth.html