Introduction to OAuth 2.0
Justin Richer, Bespoke Engineering
© 2016 Bespoke Engineering LLC

APIs are meant to be used
• Much of my data and the functionality of my life is available through APIs today
• I want to have applications access my APIs
• I don't want the applications to have to impersonate me
• I don't want to share my keys with everyone

A valet key for APIs
• A valet key gives someone else limited access to a car
• What if we could do that for web APIs?

OAUTH 2.0

From the spec (RFC 6749)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

The good bits
(The same RFC 6749 definition, repeated on the slide with its key phrases highlighted.)

In other words
OAuth 2.0 is a delegation protocol that lets people allow applications to access things (like APIs) on their behalf.
Who is involved?
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]

The resource owner
• Has access to some resource or API
• Can delegate access to that resource or API
• Usually has access to a web browser
• Usually is a person

The protected resource
• Web service (API) with security controls
• Protects things for the resource owner
• Shares things on the resource owner's request

The client application
• Wants to access the protected resource
• Does things on the resource owner's behalf
• Could be a web server
  – But it's still a "client" in OAuth parlance
  – Could also be a native app or JS app

What are we trying to solve?
[Diagram: Resource Owner, Client, Protected Resource]
The Goal: Give the client access to the protected resource on behalf of the resource owner.

Introducing the Authorization Server (AS)
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]
The Authorization Server gives us a mechanism to bridge the gap between the client and the protected resource.

The Authorization Server
• Generates tokens for the client
• Authenticates resource owners (users)
• Authenticates clients
• Manages authorizations

OAuth Tokens
• Represent granted delegated authorities
  – From the resource owner to the client for the protected resource
• Issued by the authorization server
• Used by the client
  – Format is opaque to clients
• Consumed by the protected resource

Example OAuth Tokens
• 92d42038006dba95d0c501951ac5b5eb
• 2df029c6-b38d-4083-b8d9-db67c774d13f
• eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
• waterbuffalo-elephant-helicopter-argument
(A random hex string, a UUID, a JWT and a random word sequence are all valid token formats: the client treats each of them as an opaque string, and only the authorization server and the protected resource need to agree on what, if anything, is inside.)

The OAuth approach at the AS
• Client authenticates for itself
• User authorizes client to act on user's behalf
• Server generates a token to represent that authorization
• Client presents that token to gain access

You've used OAuth

The pieces of OAuth
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client, and the Access Token that passes between them]
THE AUTHORIZATION CODE FLOW
A deep dive into the canonical OAuth 2.0 transaction

The authorization code flow
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]

TWO FORMS OF COMMUNICATION

The front channel
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]
The front channel uses HTTP redirects through the web browser; there are no direct connections between the client and the authorization server.

The back channel
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]
The back channel uses direct HTTP connections between components; the browser is not involved.

THE AUTHORIZATION CODE FLOW
Step by step
Authorization Code: Step 1
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]
Client redirects the resource owner to the authorization server.

Authorization Code: Step 2
[Diagram: same four parties]
Resource owner authenticates to the authorization server.

Authorization Code: Step 3
[Diagram: same four parties; the "?" marks the resource owner's approval decision]
Resource owner authorizes the client.
A layered trust model
Whitelist: internal parties, known business partners, customer organizations, trust frameworks
• Centralized control
• Traditional policy management
Greylist: unknown entities, Trust On First Use
• End user decisions
• Extensive auditing and logging
• Rules on when to move an entity to the white or black lists
Blacklist: known bad parties, attack sites
• Centralized control
• Traditional policy management
Authorization Code: Step 4
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client]
Authorization server redirects the resource owner back to the client with an authorization code.

Authorization Code: Step 5
[Diagram: same four parties]
Client sends the authorization code back to the authorization server along with its own credentials.

Authorization Code: Step 6
[Diagram: same four parties]
Authorization server issues an OAuth token to the client.

Authorization Code: Step 7
[Diagram: same four parties]
Client accesses the protected resource using the access token.
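The seven steps above, worked through as an added example that is not part of the original slides: a minimal authorization server, client and protected resource in one Python process. The client ID `photo-printer`, its secret, the `*.example` URLs and the `photos:read` scope are made-up values, and the "browser" is just the redirect URL handed from one function to the next. What the slides do not show, and what matters when you build or test this, is what each party checks: the AS redirects only to the registered redirect URI and authenticates the client before releasing a token; the code is bound to the client and is single use; and the client accepts a callback only when its `state` matches a request it actually started.

```python
# Added example, not code from the slides: the authorization code flow simulated in one
# process. Front-channel redirects are modelled by passing URLs around; the back channel
# is a direct call. Client ID, secret, URLs and scope are made-up example values.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def query(url):  # flatten a URL's query string into a dict (first value wins)
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class AuthorizationServer:
    def __init__(self):
        # Registered clients: client_id -> (client_secret, redirect_uri). Made-up values.
        self.clients = {"photo-printer": ("printer-secret-9f2a", "https://printer.example/callback")}
        self.codes = {}   # authorization code -> what it was granted for
        self.tokens = {}  # access token -> what it is good for

    def authorize(self, url, user, approved):
        """Steps 1-4 at the AS: the browser arrives carrying the client's request."""
        q = query(url)
        client = self.clients.get(q.get("client_id"))
        if client is None or client[1] != q.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if not approved:  # step 3: the resource owner declined
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)  # bound to client, redirect URI, user and approved scope
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": user, "scope": q.get("scope", "")}
        # Step 4: redirect back to the client with the code and the client's own state value.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6 at the AS: authenticate the client, then swap the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # single use: a replayed code fails here
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_hex(16)  # opaque to the client, like the slide's hex example
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}

def get_photos(auth_server, authorization_header):
    """Step 7 at the protected resource: accept 'Authorization: Bearer <token>' and decide
    who it was issued for and what it is good for (here by looking it up at the AS)."""
    scheme, _, token = authorization_header.partition(" ")
    info = auth_server.tokens.get(token) if scheme == "Bearer" else None
    if info is None:
        return 401, {"error": "invalid_token"}
    if "photos:read" not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": info["user"], "photos": ["beach.jpg", "cat.jpg"]}

class Client:
    client_id, client_secret = "photo-printer", "printer-secret-9f2a"
    redirect_uri = "https://printer.example/callback"

    def __init__(self, auth_server):
        self.auth_server, self.pending_state = auth_server, None

    def start(self):
        """Step 1: build the front-channel redirect; state ties the callback to this session."""
        self.pending_state = secrets.token_urlsafe(16)
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": "photos:read", "state": self.pending_state})

    def callback(self, url):
        """Steps 4-6 at the client: check state, then use the back channel to get the token."""
        q = query(url)
        if q.get("state") != self.pending_state:  # a callback this client never started (CSRF)
            raise PermissionError("state_mismatch")
        self.pending_state = None
        if "error" in q:
            raise PermissionError(q["error"])
        return self.auth_server.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)

def run_flow(user="alice", approved=True):
    """Steps 1-7 end to end. Returns the protected resource's (status, body)."""
    auth_server = AuthorizationServer()
    client = Client(auth_server)
    redirect = client.start()                                       # step 1
    callback_url = auth_server.authorize(redirect, user, approved)  # steps 2-4
    try:
        token = client.callback(callback_url)                       # steps 5-6
    except PermissionError as exc:
        return 0, {"error": str(exc)}
    return get_photos(auth_server, "Bearer " + token["access_token"])  # step 7

def code_replay_is_rejected():
    """A code that was already exchanged (or stolen and replayed) must not yield a second token."""
    auth_server = AuthorizationServer()
    client = Client(auth_server)
    callback_url = auth_server.authorize(client.start(), "alice", True)
    client.callback(callback_url)  # the first exchange succeeds
    try:
        auth_server.token(Client.client_id, Client.client_secret,
                          query(callback_url)["code"], Client.redirect_uri)
    except PermissionError:
        return True
    return False
```

`run_flow()` returns the protected resource's response for a happy path; `run_flow(approved=False)` shows the `access_denied` error travelling back through the front channel instead of a code; `code_replay_is_rejected()` exercises the single-use rule at the token endpoint. The protected resource here resolves the opaque token by reading the AS's table directly, which stands in for whatever lookup or token format a real deployment uses.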
Interpreting the token
• The client never knows or cares what's in the token itself
• The resource server needs to understand what's in the token
  – Who it's issued for
  – What it's good for
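An added example, not code from the slides, of what "the resource server needs to understand what's in the token" looks like when the token is a JWT such as the third entry on the "Example OAuth Tokens" slide. The client still treats the string as opaque; the resource server, which in this example shares an HS256 key with the authorization server, is the one party that can check the signature and then read who the token is for (`aud`, `sub`) and what it is good for (`scope`, `exp`). The key, audience, scope and claim values are made-up; the slide's own JWT is used only to show that decoding a payload is not the same as verifying it. The same audience check is what the OpenID Connect slides later rely on, where the ID Token's audience is the client rather than the resource.

```python
# Added example, not code from the slides: validating a JWT access token at the
# protected resource. The client never parses it; the resource server pins the
# algorithm, checks the HS256 signature with a key shared with the AS, then checks
# the claims. The key, audience and claim values are made-up example values.
import base64
import hashlib
import hmac
import json
import time

# The JWT shown on the slide (header.payload.signature, base64url without padding).
SLIDE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
             "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")

class TokenError(Exception):
    pass

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def peek_claims(token):
    """Decode the payload without checking anything. Fine in a debugger, never as a
    basis for authorization: anyone can produce a payload that decodes cleanly."""
    return json.loads(b64url_decode(token.split(".")[1]))

def mint_hs256(claims, key):
    """What an AS does to issue an HS256 JWT (used here only to build example tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_hs256(token, key, audience, now=None):
    """Resource-server side: pin the algorithm, check the signature, then check the
    claims that say who the token is for (aud) and how long it is good for (exp)."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm ("none", key confusion)
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise TokenError("wrong audience")
    return claims

def check(token, key, audience, now=None):
    """Return None if the token verifies for this audience, else the reason it was rejected."""
    try:
        verify_hs256(token, key, audience, now)
    except TokenError as exc:
        return str(exc)
    return None
```

`peek_claims(SLIDE_JWT)` returns the slide token's `sub`, `name` and `admin` claims, but `check(SLIDE_JWT, key, audience)` rejects it for any key other than the one the issuer used, which is the whole point: the resource server's decision rests on the signature and the `aud`/`exp` claims, not on what the payload happens to say.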
Thank You

BACKUP SLIDES
Here there be dragons

OTHER WAYS TO DO OAUTH 2.0
The implicit flow
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client inside the browser]
The implicit grant type uses only the front channel, since the client is inside the browser. (Because that means the access token itself is delivered through a browser redirect, later OAuth security guidance, the OAuth 2.0 Security Best Current Practice, recommends the authorization code flow for browser-based clients instead.)

The client credentials flow
[Diagram: Authorization Server, Protected Resource, Client]
Client credentials grant type: the client trades its own credentials for a token. It uses only the back channel, since the client is acting on its own behalf.

The resource owner password flow
[Diagram: Resource Owner, Authorization Server, Protected Resource, Client; the "?" marks the resource owner handing their credentials to the client]
Resource owner credentials grant type: the client trades the user's username and password for an OAuth token over the back channel. (This is the client holding the user's keys, the situation the valet-key model set out to avoid, which is why the use-case slide limits it to trusted legacy clients.)

The assertion flows
[Diagram: Assertion provider, Authorization Server, Protected Resource, Client]
The client trades a cryptographically protected element (an assertion) for a token.

Different use cases
• Authorization code flow: web applications, some native applications
• Implicit flow: in-browser applications
• Client credentials flow: non-interactive
• Password flow: trusted legacy clients
• Assertion flows: trust frameworks
How to choose a flow
Choose the appropriate OAuth grant type for the type of application you're building. The slide's decision tree:
• Is the client acting on behalf of a resource owner?
  – Yes: Can the resource owner interact with a web browser while using the client?
    – Yes: Is the client running completely inside of a web browser?
      – Yes: Implicit
      – No: Authorization Code
    – No: Does the user have a simple set of credentials like a password?
      – Yes: Resource Owner Credentials
  – No: Is the client acting on its own behalf?
    – Yes: Client Credentials
    – No: Is the client acting on behalf of a third party authority?
      – Yes: Assertion
CAN WE BUILD AUTHENTICATION ON OAUTH?

How can we split the network?
[Diagram: Resource Owner (User), Authorization Server (Identity Provider), Protected Resource, Client (Relying Party); a plain "OAuth Sign-In" drawn from the authorization server to the client. The security domain boundary is crossed.]

A better way to split the network
[Diagram: the same parties, with sign-in layered on top of OAuth ("OAuth + Sign-In") at the client (Relying Party). The security domain boundary is preserved.]

That works!
• We're using OAuth to protect the identity
• The client consumes the identity
Authorization is Chocolate
• Good on its own
• Great as part of a larger recipe
• Many different recipes can use it

Authentication is Fudge
• Confection with several ingredients
• Tends to have one flavor as the most obvious
• Could be made using chocolate
  – But not required

Agreeing on a recipe
• Let's make a recipe for chocolate fudge:
  – Standard authentication protocol
  – Built on top of a standard authorization protocol
  – Interoperable cross domain

OpenID Connect
• IdP offers interactive OAuth flows
• ID Token carries authentication information
  – Formatted as a JWT
  – Audience is the client, not the resource
• UserInfo Endpoint
  – Standard set of claims and scopes
USER MANAGED ACCESS

Person to person delegation
• OAuth lets Alice share with herself (that is, with applications acting on her behalf)
• UMA lets Alice share with Bob
  – Bob is the "Requesting Party (RqP)" to Alice's "Resource Owner (RO)"
  – Alice can set policies ahead of time

User Managed Access
[Diagram: Resource Owner, Requesting Party, Authorization Server (exposing a Protection API and an Authorization API), Protected Resource, Client]

Wide ecosystem benefits
• Alice can introduce a new resource to her AS
• The resource server can manage its access using this AS and its tokens

Reference book for OAuth 2
• OAuth 2 In Action
• First 9 chapters available today, more coming soon
• Out this spring/summer
• https://manning.com/books/oauth-2-in-action