![Page 1: Lightning Talk: OAuthdownload.microsoft.com/.../0/F/1/.../day2/20160420_Lightning_sessi… · 20.04.2016 · •Your app gets its own delegation credential (access token) •Open](https://reader034.vdocuments.mx/reader034/viewer/2022042319/5f08f50b7e708231d4248b42/html5/thumbnails/1.jpg)
Lightning Talk: OAuth
Andrew Davidoff
Senior Software Developer
What’s wrong with this picture?
OAuth
• Delegates access to a user’s resources to your service or application
• Limited and controlled -- granted by the user
• Doesn’t require the user to share their password
• Your app gets its own delegation credential (access token)
• Open protocol – RFC 5849, RFC 6749 and RFC 6750
OAuth 2.0
• Protocol security == HTTPS
• Better support for mobile and native desktop apps
• Simplifies the authorization grant
Authentication vs. Authorization
• AuthN – proof that someone is who they claim to be
  • Something you know
  • Something you have
  • Something you are
• AuthZ – determination of which permissions and rights a person or system is supposed to have
  • Are you allowed to do what you are trying to do?
• Q: What is OAuth – OAuthN or OAuthZ?
A: Authorization (OAuthZ)
Roles
• Resource Owner: end-user or other entity capable of granting access to the protected resources
  • Example: [email protected]
• Resource Server: server that hosts the protected resources
  • Example: OneDrive
• Authorization Server: server that authenticates the client and issues access tokens
  • Example: Microsoft account server
• Client: application making protected resource requests to the Resource Server
  • Example: Microsoft Office / http://www.mybirthdayreminders.aspx
Abstract OAuth2 logical flow
Participants: Resource Owner, Client, Authorization Server, Resource Server
1 Authorization Request (Client → Resource Owner)
2 Authorization Grant (Resource Owner → Client)
3 Request access token (Client → Authorization Server, presenting the grant)
4 Issue access token (Authorization Server → Client)
5 Request resource (Client → Resource Server, presenting the access token)
6 Serve Request (Resource Server → Client)
Grant Types
There are four grant types that the client may use to obtain the access token from the authorization server:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Credentials Grant
• Client Credentials Grant
Authorization Code Grant
• Follows a redirection-based flow
• Uses an authorization code as an intermediate credential
• Optimized for private clients
• Allows renewal of access tokens
• Allows client authentication
Registering the Client
• Before using the grants, clients must be registered with the authorization server and provide:
  • Client type (public/private)
    Example: Private
  • Allowed redirection URIs (where to send the tokens)
    Example: http://www.pandaemonium.com/callback.aspx
  • Other information such as name, website, description, logos, etc.
Registering the Client
After registering, the authorization server will provide the client developer:
• Client ID
  Example: 000000004C0EC707
• Client Secret
  Example: PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG
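What the authorization server does with the registration data above, as an added example that is not from the talk: it keeps the client type, secret and allowed redirect URIs per client_id, matches an incoming redirect_uri exactly against the registered list, and authenticates a private client by its secret. The registry entry is a constructed sample built from the slides' values; the function names are hypothetical.

```python
"""Authorization-server side of client registration. Added example, not the
talk's code; CLIENT_REGISTRY is a constructed sample using the slides' values
and the function names are hypothetical."""
import hmac
from urllib.parse import parse_qs

# Registered clients: client_id -> record written at registration time.
CLIENT_REGISTRY = {
    "000000004C0EC707": {
        "client_type": "private",            # the slides' term for confidential
        "client_secret": "PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG",
        "redirect_uris": ["http://www.pandaemonium.com/callback.aspx"],
        "name": "Pandaemonium",
    },
}

def check_authorization_request(query: str) -> dict:
    """Validate the step-1 query string. redirect_uri must equal a registered
    value exactly; a looser match would let the code be sent elsewhere."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    client = CLIENT_REGISTRY.get(params.get("client_id", ""))
    if client is None:
        raise ValueError("unknown client_id")
    if params.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    redirect_uri = params.get("redirect_uri", client["redirect_uris"][0])
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    return {"client_id": params["client_id"], "redirect_uri": redirect_uri,
            "scope": params.get("scope", ""), "state": params.get("state", "")}

def authenticate_client(client_id: str, presented_secret: str) -> bool:
    """Token-endpoint check for a private client: constant-time secret compare."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None or client["client_type"] != "private":
        return False
    return hmac.compare_digest(client["client_secret"], presented_secret)
```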
Common Consent Framework in O365
• Single authentication flow for O365
  • Azure AD Graph, Exchange, SharePoint, etc.
  • Device apps and web apps
  • Admin and end-user consent
• Secure protocol
  • OAuth 2.0 authorization
  • No capturing of user credentials
  • Fine-grained access scopes
  • Supports multi-factor authentication (MFA) and federated user sign-in
  • Long-term access through refresh tokens
Thank You!
Appendix: Authorization Code Grant
Pandaemonium® Application
• Web Application Client (Private)
• Pastes pandas into pictures
• Wants to integrate with OneDrive
• Hosted at http://www.pandaemonium.com
Authorization Code Grant
Participants: Resource Owner, User Agent, Client, Authorization Server
1 User-agent loads the client, which redirects it to the authorization server. Authorization request parameters:
  • response_type=“code”
  • client_id
  • *redirect_uri
  • *scope
  • *state
2 User authenticates into the authorization server, reviews and grants the client’s request for permissions
Authentication Dialog
Permissions Dialog
3 Authorization server redirects the user-agent to the redirect_uri. Response parameters:
  • code
  • *state
4 Client sends the authorization code to the authorization server. Token request parameters:
  • grant_type=“authorization_code”
  • code
  • *redirect_uri
  • *client_id
5 Authorization server sends the access token to the client
R-1 Client sends refresh token to the authorization server
R-2 Client gets back a new access token
Accessing Resources
Participants: Resource owner (user), Client (Pandaemonium.com/pandafy), OneDrive
• Resource owner (user) calls Pandaemonium.com/pandafy
• Client sends OneDrive a request for the user’s pictures (includes the access token)
• OneDrive returns the user’s pictures
• Client returns the pandafied pics!
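The client side of the appendix flow (steps 1, 3, 4 and R-1) together with the bearer-token resource request above, as an added example that is not the talk's code. The authorization endpoint URL is constructed; client_id, client_secret and redirect_uri reuse the slides' sample registration values; the function names and the session-keyed state store are hypothetical. The callback handler checks the state parameter so that a code arriving from a redirect this session never started is rejected.

```python
"""Client side of the authorization code grant plus the bearer resource
request. Added example, not the talk's code; AUTHZ_ENDPOINT is constructed,
the registration values are the slides' samples, names are hypothetical."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://login.example.test/authorize"  # constructed
CLIENT_ID = "000000004C0EC707"
CLIENT_SECRET = "PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG"
REDIRECT_URI = "http://www.pandaemonium.com/callback.aspx"

# Step-1 'state' values still awaiting a callback, keyed by browser session.
PENDING_STATES = {}

def build_authorization_url(session_id: str, scope: str) -> str:
    """Step 1: URL the client redirects the user-agent to. 'state' is an
    unguessable value bound to this session; the callback must echo it."""
    state = secrets.token_urlsafe(24)
    PENDING_STATES[session_id] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def handle_callback(session_id: str, callback_url: str) -> str:
    """Step 3: the authorization server sent the user-agent to redirect_uri.
    Accept the code only if 'state' matches what this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    expected = PENDING_STATES.pop(session_id, None)  # single use
    if expected is None or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: callback not started by this session")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    return query["code"][0]

def token_request(code: str) -> dict:
    """Step 4: form body POSTed to the token endpoint; a private client also
    authenticates with its secret (step 5 returns access + refresh token)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}

def refresh_request(refresh_token: str) -> dict:
    """Step R-1: form body that trades the refresh token for a new access token."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def resource_request_headers(access_token: str) -> dict:
    """Accessing resources: the access token travels as a bearer token (RFC 6750)."""
    return {"Authorization": "Bearer " + access_token}
```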
Thank You!