Andrew Davidoff

Senior Software Development Engineer (Test)

Microsoft Corporation

Introduction to OAuth

What drives the need?

Versions of OAuth

Authentication vs. Authorization

3

Limited and controlled -- granted by the user

Your app gets its own delegation credential (access token)

FlickrAuth, Google AuthSub, Yahoo BBAuth

Something you knowSomething you haveSomething you are

Are you allowed to do what you are trying to do?

Four roles in OAuth 2

Types of Clients

Logical flow

9

Resource Owner: End-user or other entity capable of granting access to the protected resources.

james@live.com

Resource Server: Server that hosts the protected resources.

SkyDrive

Authorization Server: Server that authenticates the client and issues access tokens.

Microsoft account server

Client: Application making protected resource requests to the Resource Server.

Microsoft Office / http://www.mybirthdayreminders.aspx

Can and must keep its credentials confidential

Can’t keep its credentials confidential

Private client

Public client

Public client

1 Authorization Request

2 Authorization Grant

4 Issue access token

6 Serve Request

3 Request access token

5 Request resource

Resource

OwnerClient

Authorization

Server

Resource

Server

14

Authorization Code Grant

Implicit Grant

Follows a redirection-based flow

Uses an authorization code as an intermediate credential

Optimized for private clients

Allows renewal of access tokens

Allows client authentication

16

http://www.pandaemonium.com

Private

http://www.pandaemonium.com/callback.aspx

000000004C0EC707

PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG

Resource

Owner

User

AgentClient Authorization Server

1a

1b 1c

• Response_type=

• “code”

• Client_id

• *Redirect_uri

• *Scope

• *State

1 User-agent loads the client, which

redirects it to the authorization

server

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the

authorization server, reviews and grants

the client’s request for permissions

2b 2a2c 2d

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the authorization

server, reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to the redirect_uri.

2b 2a

2c 2d

3a3b

• Code

• *State

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the authorization

server, reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to the redirect_uri.

4 Client sends the authorization code to

the authorization server

2b 2a

2c 2d

3a3b

4

• Grant_type=“authorization_code”

Code

• *Redirect_uri

• *Client_ID

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the authorization

server, reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to the redirect_uri.

4 Client sends the authorization code to the

authorization server

5 Authorization server sends the access

token to client

2b 2a

2c 2d

3a3b

4

5

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the authorization

server, reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to the redirect_uri.

4 Client sends the authorization code to the

authorization server

5 Authorization server sends the access

token to client

R-1 Client sends refresh token to the

authorization server

2b 2a

2c 2d

3a3b

4

5

R-1

Resource

Owner

User

AgentClient Authorization Server

1 User-agent loads the client, which

redirects it to the authorization server

1a

1b 1c

2 User authenticates into the authorization

server, reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to the redirect_uri.

4 Client sends the authorization code to the

authorization server

5 Authorization server sends the access

token to client

R-1 Client sends refresh token to the

authorization server

2b 2a

2c 2d

3a3b

4

5

R-1

R-2 Client gets back a new access token

R-2

User’s pictures

Request for user’s pictures

(includes access token)

Pandaemonium.com/pandafy

Pandafied pics!

ClientResource owner

(user)

Redirection-based flow

Does not involve intermediate credentials

Optimized for public clients

Does not support client authentication

Many native (desktop or mobile) clients use this grant

30

Resource

Owner

User

AgentClient Authorization Server

1 Client navigates the user-agent to the

authorization server

1a 1b

• Response_type=

• “token”

• Client_id

• *Redirect_uri

• *Scope

• *State

Resource

Owner

User

AgentClient Authorization Server

1 Client navigates the user-agent to the

authorization server

2 User authenticates into the authorization

server then reviews and grants the client’s

request for permissions

1a 1b

2b 2a2c 2d

Resource

Owner

User

AgentClient Authorization Server

1 Client navigates the user-agent to the

authorization server

2 User authenticates into the authorization

server then reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to (redirect_uri)#access_token

1a 1b

2b 2a

2c 2d

3

• Token

• Type

• *Expires_in

• *Scope

• *State

Resource

Owner

User

AgentClient Authorization Server

1 Client navigates the user-agent to the

authorization server

2 User authenticates into the authorization

server then reviews and grants the client’s

request for permissions

3 Authorization server redirects the user-

agent to (redirect_uri)#access_token

4 Native client detects the redirect and

extracts the access token

1a 1b

4

2b 2a

2c 2d

3

35

40

http://tools.ietf.org/html/rfc6749

http://tools.ietf.org/html/rfc6819

http://msdn.microsoft.com/en-us/library/live/hh243647.aspx

http://msdn.microsoft.com/en-us/library/fp142382(v=office.15).aspx

http://openid.net/connect/