OAuth 2.0 101
1.
OAuth 2.0 101: Adapting to the Web Beyond the Browser
Anand Sharma, IT Architect
April 2012
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
2.
Beyond the Browser:
3.
(image-only slide)
4.
(image-only slide)
5.
For successful companies, 80% of traffic will come from beyond the browser.
6.
The resource is some website; the user is the consumer.
Authorization is granted by an Admin.
7.
The resource is owned by the user.
The application consumes the resource.
The application is given too much power.
9.
Because services (APIs) and passwords don't mix well.
Handing a user's password to an application (the password anti-pattern) gives that application the user's full powers, with no way to narrow or revoke them short of changing the password.
10.
OAuth 2.0:
11.
Defines an authorization framework for HTTP (typically RESTful) services.
OAuth 2.0 on its own is not an authentication protocol: a client that receives an Access Token has learned that it may call an API, not who the user is. Authentication is layered on top of it (OpenID Connect does exactly that).
Supports a variety of clients, from servers to mobile apps.
Puts the user in control of what resources are shared, which mitigates the password anti-pattern.
12.
Client (the application that calls the API): a software application that calls REST APIs.
Resource Owner (the human user using the app): the end user whose data is offered up through an API to Clients.
Resource Server (the API proxy or host): accepts Access Tokens on API calls and uses them to decide whether the calling Client may access the resource.
Authorization Server (the token server): issues Access Tokens after authenticating the Client and/or the Resource Owner.
13.
Short-lived token (Access Token): applications present an Access Token to APIs on every call.
Long-lived token (Refresh Token): a Refresh Token, if one was issued, can be exchanged with the Authorization Server for a new Access Token. It is only ever sent to the Authorization Server, never to the Resource Server.
14.
Step 1: Client gets token
Step 2: Client uses token
Step 3: Resource Server validates token
Step 4: Client refreshes token (optional)
95% of OAuth (and of OAuth complexity) is about step #1, how to get an Access Token, and about OAuth's confusing terminology.
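The four steps above in code, as an added example that is not part of the deck (Python; the class names, TTL values and in-memory stores are assumptions). It shows steps 2 to 4: the resource server checks the bearer token's existence, expiry and scope, and the client trades its refresh token for a new access token, with the used refresh token burnt so that a replayed copy is refused. Step 1 is reduced to a single `issue()` call; the grants that produce that call are on the following slides.

```python
"""Steps 2 to 4 of the lifecycle (use, validate, refresh) in code.
Added example, not part of the deck: the server names, the in-memory stores
and the TTL values are assumptions; tokens are opaque handles that the
resource server looks up at the token server (a local call here, an
introspection request in a real deployment)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

ACCESS_TTL = 600          # seconds: a leaked access token is useful only briefly
REFRESH_TTL = 30 * 86400  # seconds: long-lived, but only ever sent to the token server


@dataclass
class Grant:
    client_id: str
    scope: FrozenSet[str]
    user: Optional[str]       # None when the client acts for itself (client credentials)
    expires_at: float
    revoked: bool = False


@dataclass
class TokenServer:
    """Authorization server: issues, refreshes and revokes opaque tokens."""
    access: Dict[str, Grant] = field(default_factory=dict)
    refresh: Dict[str, Grant] = field(default_factory=dict)

    def issue(self, client_id, scope, user=None, now=None):
        """Step 1 (simplified): mint tokens for an already-authorized request."""
        now = time.time() if now is None else now
        at = secrets.token_urlsafe(32)
        self.access[at] = Grant(client_id, frozenset(scope), user, now + ACCESS_TTL)
        resp = {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if user is not None:  # no refresh token for client credentials (RFC 6749 section 4.4.3)
            rt = secrets.token_urlsafe(32)
            self.refresh[rt] = Grant(client_id, frozenset(scope), user, now + REFRESH_TTL)
            resp["refresh_token"] = rt
        return resp

    def refresh_access_token(self, rt, client_id, now=None):
        """Step 4: trade a refresh token for a new pair. The presented refresh
        token is burnt on every attempt (rotation), so a stolen copy replayed
        later, or presented by a different client, is refused."""
        now = time.time() if now is None else now
        grant = self.refresh.get(rt)
        if grant is None or grant.revoked:
            return {"error": "invalid_grant"}
        grant.revoked = True
        if grant.client_id != client_id or now >= grant.expires_at:
            return {"error": "invalid_grant"}
        return self.issue(client_id, grant.scope, grant.user, now)  # scope is never widened

    def introspect(self, at):
        return self.access.get(at)


class ResourceServer:
    """Steps 2 and 3: the API receives the bearer token and validates it."""

    def __init__(self, token_server):
        self.ts = token_server

    def authorize(self, authorization_header, required_scope, now=None):
        """Return (True, principal) or (False, reason) for one API call."""
        now = time.time() if now is None else now
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return (False, "invalid_request")
        grant = self.ts.introspect(token)
        if grant is None or grant.revoked:
            return (False, "invalid_token")
        if now >= grant.expires_at:
            return (False, "invalid_token: expired")
        if required_scope not in grant.scope:
            return (False, "insufficient_scope")
        return (True, grant.user or grant.client_id)


if __name__ == "__main__":
    ts = TokenServer()
    api = ResourceServer(ts)
    tok = ts.issue("mobile-app", ["read"], user="alice")               # step 1
    print(api.authorize("Bearer " + tok["access_token"], "read"))      # -> (True, 'alice')
    tok = ts.refresh_access_token(tok["refresh_token"], "mobile-app")  # step 4
    print(api.authorize("Bearer " + tok["access_token"], "write"))     # -> (False, 'insufficient_scope')
```

The dictionary lookup stands in for whatever the resource server really does in step 3: an introspection call to the token server, or local verification of a signed, self-contained token. Either way the three checks are the same: is the token known and unrevoked, is it still valid, and does its scope cover this call.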
15.
Client Identity + Human User Identity -> Access Token
An Access Token represents the Client and, when a user was involved in issuing it, the user on whose behalf the Client acts.
16.
Client Credentials grant
Directly exchanges the Client's credentials for an Access Token.
For accessing client-owned resources (no human user involvement).
17.
Resource Owner Password Credentials grant
Directly exchanges the human user's credentials for an Access Token.
Useful where the Client is well trusted by the user and a browser redirect would be awkward.
Commonly used with trusted mobile apps.
Caveat: the Client still sees the user's password, so this grant only limits the password anti-pattern (the password is used once and replaced by a token) rather than removing it.
18.
Authorization Code grant
Similar to the OAuth 1.0a flow.
Starts with a redirect to the provider for authorization.
After authorization, the provider redirects back to the Client with a code query parameter.
The Client exchanges the code for an Access Token in a direct (back-channel) request, authenticating with its client credentials.
The Client is able to keep tokens confidential: the token never passes through the browser.
Commonly used for web apps connecting with providers.
19.
Implicit grant
Simplified authorization flow: after authorization, the provider redirects back to the Client with the Access Token in the URL fragment.
Reduced round trips (no code exchange).
Refresh tokens are not supported.
Commonly used by in-browser JavaScript apps or widgets.
Caveat: the Access Token is exposed to the browser (URL history, any script on the page), so keep such tokens short-lived and narrowly scoped.
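The redirect-based flow of slide 18 with both sides in one file, as an added example that is not part of the deck (Python; the provider and app URLs, the client secret and the in-memory stores are assumptions, and there is no network: redirects are returned as URL strings). It shows the three checks that do the security work: the state value the Client verifies when the browser returns, the redirect_uri the server accepts only if pre-registered, and the code that is bound to the Client and redirect_uri, expires quickly and can be used once (a replayed code also revokes the token it minted). The implicit flow of slide 19 drops the second, back-channel request, which is why it cannot authenticate the Client and hands the token straight to the browser.

```python
"""The authorization code grant with both sides in one file: the web-app
client, the provider's authorization server, and the checks that make the
flow safe. Added example, not from the deck; URLs, the client secret and the
in-memory stores are assumptions, and redirects are returned as strings."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL = 60  # seconds; RFC 6749 recommends a code lifetime of at most 10 minutes


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...} (registered)
        self.codes = {}         # code -> record bound to client, redirect_uri, user, expiry
        self.tokens = {}        # access token -> {"user", "scope", "code"}
        self.authorize_url = "https://provider.example/authorize"

    def authorize(self, request_url, user, now):
        """Front channel: the user has logged in and approved; redirect back
        with a short-lived, single-use code bound to client and redirect_uri."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        client = self.clients.get(q.get("client_id"))
        # Never redirect to an unregistered URI: that is how codes get stolen.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid client_id or redirect_uri")
        state = q.get("state", "")
        if q.get("response_type") != "code":
            return q["redirect_uri"] + "?" + urlencode(
                {"error": "unsupported_response_type", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": user, "scope": q.get("scope", ""),
                            "expires_at": now + CODE_TTL, "used": False}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, form, now):
        """Back channel: authenticate the client, then swap the code for a token."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.get(form.get("code"))
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A replayed code means it leaked: revoke everything minted from it.
            for t in [t for t, v in self.tokens.items() if v["code"] == form["code"]]:
                del self.tokens[t]
            return {"error": "invalid_grant"}
        rec["used"] = True
        if (rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri")
                or now >= rec["expires_at"]):
            return {"error": "invalid_grant"}
        at = secrets.token_urlsafe(32)
        self.tokens[at] = {"user": rec["user"], "scope": rec["scope"], "code": form["code"]}
        return {"access_token": at, "token_type": "Bearer", "scope": rec["scope"]}


class WebAppClient:
    def __init__(self, client_id, client_secret, redirect_uri, provider):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.provider = redirect_uri, provider
        self.session = {}  # the user's server-side session (assumed)

    def start_login(self, scope="profile"):
        """Send the browser to the provider, remembering a random state."""
        self.session["state"] = secrets.token_urlsafe(16)
        return self.provider.authorize_url + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.session["state"]})

    def callback(self, redirected_url, now):
        """The browser comes back: check state, then exchange the code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirected_url).query).items()}
        expected = self.session.pop("state", None)  # one state per login attempt
        if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
            return {"error": "state_mismatch"}  # CSRF: someone else's code was injected
        if "code" not in q:
            return {"error": q.get("error", "access_denied")}
        return self.provider.token({"grant_type": "authorization_code", "code": q["code"],
                                    "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                    "client_secret": self.client_secret}, now)
```

In the implicit variant the redirect would carry `#access_token=...` instead of `?code=...`, and there would be no `token()` call: nothing after the redirect confirms which Client asked for the token, and the Client has no secret to present.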
20.
SAML 2.0 Bearer Assertion grant (an IETF draft at the time; later published as RFC 7522)
The Client sends an access token request to the Authorization Server that includes a SAML 2.0 Assertion.
The Authorization Server validates the Assertion per the processing rules defined in that specification (trusted issuer, audience, validity period, subject confirmation, signature) and issues an Access Token.
21.
OAuth Challenges:
22.
Which OAuth version should we use? Standardize on OAuth 2.0 Draft 20.
Lack of understanding: book(s), brown-bag sessions.
Lack of tools and frameworks.
23.
"Getting Started with OAuth 2.0", O'Reilly book
OAuth 2.0 Draft 25 (http://bit.ly/dft-oauth); the draft series was later published as RFC 6749 (October 2012)
Search for "OAuth 2.0" in Google
24.
Backup Slides
Q&A