oauth 2.0 & openid connect @ opensource conference 2011 tokyo #osc11tk
OAuth 2.0 & OpenID Connect
OpenSource Conference 2011
@nov
OpenID Foundation Japan Evangelist
OAuth.jp
Ruby Libraries
rack-oauth2
openid_connect
fb_graph
OpenID TechNight #7
Current Trend
Mobile, Game, Social
Platform ♥ 3rd-party Developers
API Integration
Access Control for APIs
Using the same password on 10+ services??
OAuth
No password sharing
Limited access lifetime
Expire after N weeks
Limited access scope
Status Update : OK
Read Inbox : NG (not permitted)
B2B is slow though..
Rough History
2007.12 OAuth 1.0
Twitter API
2010.04 OAuth 2.0 (draft 0)
Facebook Graph API
2010.07 draft 10
mixi Graph API
2011.09 draft 22
OAuth 1.0 vs. OAuth 2.0
OAuth 1.0 in Japanese: ju.mp/oauth1_ja
OAuth 2.0 in Japanese: ju.mp/oauth2_ja
[Diagram] Roles: Resource Owner, Client, Resource Server, Authorization Server
Resource Owner -> Authorization Server: Authorize Client Access
Authorization Server -> Client: Access Token
Client -> Resource Server: API Access
Core Spec
Token Type Spec
Core Spec
Response Type (Core)
2 Response Types in Core: Code, Token
Extensions: Code + Token, and more..
response_type = code (Core)
[Sequence] Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Code (returned to the Client)
Code (sent to the Authorization Server)
Access Token
Authorization Request (Initiate): client_id=...&response_type=code&redirect_uri=https://...&scope=...
Token Request (Code sent to the Authorization Server): code=...&client_id=...&client_secret=...&grant_type=authorization_code&redirect_uri=https://...
[NOTE] The Facebook API returns the access token response as x-www-form-urlencoded, not as JSON.
response_type = token (Core)
[Sequence] Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Access Token
Authorization Request (Initiate): client_id=...&response_type=token&redirect_uri=https://...&scope=...
Response Type (Core, + extensions)
Code: Secure. 2 HTTP requests: Require Approval, then Get Access Token.
Token: Efficient. 1 HTTP request: Both at once.
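The two core response types compared above, worked through as one in-process exchange. This is an added example, not code from the talk or from the speaker's rack-oauth2 library: a toy authorization server and client that exchange the same parameters the slides list (the `state` parameter is not on the slides and is added here as the CSRF binding for the callback). The endpoint URLs, the registered client and the helper names are assumptions; no network is used.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint and client registration (illustrative values, not a real provider)
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENTS = {"app123": ("s3cret", "https://client.example/cb")}  # client_id -> (secret, redirect_uri)

_codes = {}   # code -> (client_id, redirect_uri, scope, expiry); server-side state
_tokens = {}  # access_token -> (client_id, scope)


def _flat(qs):
    """parse_qs gives lists; keep only the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


def build_authz_request(client_id, redirect_uri, scope, response_type, state):
    """Client: the URL the browser is sent to ("Initiate" on the slide)."""
    q = {"client_id": client_id, "response_type": response_type,
         "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(q)


def as_authorize(url, approved=True):
    """Authorization server: after "Require Approval" / "Approve", redirect back."""
    p = _flat(urlsplit(url).query)
    client = CLIENTS.get(p.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    _secret, registered_uri = client
    # Exact match against the registered redirect_uri, otherwise a code or
    # token could be delivered to an attacker-chosen URL.
    if p.get("redirect_uri") != registered_uri:
        raise ValueError("redirect_uri mismatch")
    state = p.get("state", "")
    if not approved:
        return registered_uri + "?" + urlencode({"error": "access_denied", "state": state})
    if p.get("response_type") == "code":
        code = secrets.token_urlsafe(24)
        _codes[code] = (p["client_id"], registered_uri, p.get("scope", ""), time.time() + 600)
        return registered_uri + "?" + urlencode({"code": code, "state": state})
    if p.get("response_type") == "token":
        tok = secrets.token_urlsafe(24)
        _tokens[tok] = (p["client_id"], p.get("scope", ""))
        # Implicit grant: the token rides in the fragment, which the browser
        # never sends to the client's server; only client-side script sees it.
        return registered_uri + "#" + urlencode({"access_token": tok, "token_type": "bearer",
                                                 "expires_in": 3600, "state": state})
    raise ValueError("unsupported response_type")


def as_token(form):
    """Authorization server token endpoint: the second request of the code flow."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    entry = _codes.pop(form.get("code"), None)  # one-time use: a replayed code fails
    if entry is None:
        return {"error": "invalid_grant"}
    client_id, redirect_uri, scope, expiry = entry
    secret = CLIENTS.get(client_id, (None, None))[0]
    if (time.time() > expiry or form.get("client_id") != client_id
            or form.get("client_secret") != secret
            or form.get("redirect_uri") != redirect_uri):
        return {"error": "invalid_grant"}
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = (client_id, scope)
    return {"access_token": tok, "token_type": "bearer", "expires_in": 3600, "scope": scope}


def run_code_flow(client_id="app123", scope="status_update"):
    """Client side of response_type=code: two round trips; the secret never leaves the server."""
    secret, redirect_uri = CLIENTS[client_id]
    state = secrets.token_urlsafe(16)
    callback = as_authorize(build_authz_request(client_id, redirect_uri, scope, "code", state))
    q = _flat(urlsplit(callback).query)
    if q.get("state") != state:  # bind the callback to the session that started the flow
        raise ValueError("state mismatch")
    return as_token({"grant_type": "authorization_code", "code": q["code"],
                     "client_id": client_id, "client_secret": secret,
                     "redirect_uri": redirect_uri})


def run_token_flow(client_id="app123", scope="status_update"):
    """Client side of response_type=token: one round trip, token read from the fragment."""
    _secret, redirect_uri = CLIENTS[client_id]
    state = secrets.token_urlsafe(16)
    callback = as_authorize(build_authz_request(client_id, redirect_uri, scope, "token", state))
    frag = _flat(urlsplit(callback).fragment)
    if frag.get("state") != state:
        raise ValueError("state mismatch")
    return frag


if __name__ == "__main__":
    print(run_code_flow())
    print(run_token_flow())
```

The "Secure" / "Efficient" trade-off on the slide is visible in the two client functions: the code flow needs the extra token request but authenticates the client with its secret and keeps the token off the browser, while the token flow finishes in one redirect but hands the token to whatever script runs on the callback page.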
Token Type Spec
Bearer: no signature, no token secret. Mainstream: in most cases, you use this.
MAC: signature and token secret. Similar to OAuth 1.0.
+ extensions
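What the Bearer / MAC distinction means on the resource server side, as an added example that is not from the talk. The bearer check is what the Bearer token type amounts to: whoever presents the token gets access. The MAC check is a simplified HMAC over the request in the spirit of the MAC token type (token id plus a token secret, OAuth 1.0 style), not a byte-exact implementation of the MAC draft; the token store, the normalized request string and all names are assumptions.

```python
import base64
import hashlib
import hmac

# Assumed token store: access token -> (token secret or None for bearer, granted scope)
TOKENS = {
    "bearer-abc": (None, "status_update"),
    "mac-xyz": ("mac-secret-key-123", "status_update"),
}
_seen_nonces = set()   # replay protection for MAC requests


def check_bearer(auth_header):
    """Resource server: validate 'Authorization: Bearer <token>'; return scope or None."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    entry = TOKENS.get(token.strip())
    # No proof of possession: anyone holding the token is authorized, which
    # is why bearer tokens rely on TLS and short lifetimes.
    return entry[1] if entry and entry[0] is None else None


def normalized_request(nonce, method, uri, host):
    """Simplified normalized request string (an assumption, see the lead-in)."""
    return "\n".join([nonce, method.upper(), uri, host.lower()]) + "\n"


def sign_mac(token_id, token_secret, nonce, method, uri, host):
    """Client: build an 'Authorization: MAC ...' header for one request."""
    mac = hmac.new(token_secret.encode(),
                   normalized_request(nonce, method, uri, host).encode(),
                   hashlib.sha256).digest()
    return 'MAC id="%s", nonce="%s", mac="%s"' % (token_id, nonce, base64.b64encode(mac).decode())


def _parse_mac_header(auth_header):
    scheme, _, rest = auth_header.partition(" ")
    if scheme.upper() != "MAC":
        return None
    params = {}
    for part in rest.split(","):
        k, _, v = part.strip().partition("=")
        params[k] = v.strip('"')
    return params


def check_mac(auth_header, method, uri, host):
    """Resource server: recompute the MAC over the request it actually received."""
    params = _parse_mac_header(auth_header)
    if not params or not {"id", "nonce", "mac"} <= set(params):
        return None
    entry = TOKENS.get(params["id"])
    if not entry or entry[0] is None:
        return None   # unknown token, or a bearer token used with the MAC scheme
    expected = hmac.new(entry[0].encode(),
                        normalized_request(params["nonce"], method, uri, host).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64encode(expected).decode(), params["mac"]):
        return None   # wrong secret, or method/URI/host changed in transit
    if params["nonce"] in _seen_nonces:
        return None   # the same signed request presented twice
    _seen_nonces.add(params["nonce"])
    return entry[1]
```

Note that `check_bearer` has nothing to compare a second presentation against, while `check_mac` rejects both a modified request and a replayed one; that is the extra work the MAC type buys, and why Bearer is the mainstream choice when the transport is already TLS.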
Bearer Token
Access Token Response
API Access (Bearer)
BUT
Not all API providers follow the latest draft..
NO “token_type” in the Access Token Response
Different Scheme/Parameter: the “OAuth” authorization scheme, the “oauth_token” parameter
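The provider quirks just listed, handled on the client side. This is an added example, not code from the talk or from the speaker's libraries: it parses an access token response whether it arrives as JSON or as x-www-form-urlencoded (the Facebook note earlier), defaults a missing `token_type` to bearer, and can emit either the Bearer header or the older `OAuth` scheme / `oauth_token` parameter. The sample responses are constructed, not captured from any provider, and the `style` names are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode


def parse_token_response(content_type, body):
    """Normalize an access token response into a dict with access_token and token_type."""
    if "application/json" in content_type:
        data = json.loads(body)
    elif "application/x-www-form-urlencoded" in content_type:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    else:
        raise ValueError("unexpected content type: %s" % content_type)
    if "access_token" not in data:
        raise ValueError("no access_token in response: %r" % (data,))
    # Providers on older drafts omit token_type; treat the token as bearer
    data.setdefault("token_type", "bearer")
    data["token_type"] = str(data["token_type"]).lower()
    if "expires_in" in data:
        data["expires_in"] = int(data["expires_in"])   # form encoding gives strings
    return data


def api_request(method, url, token, style="bearer"):
    """Return (method, url, headers) for a protected-resource call.

    style "bearer"       -> Authorization: Bearer <token>   (Bearer token type)
    style "oauth_header" -> Authorization: OAuth <token>    (older drafts)
    style "oauth_query"  -> ?oauth_token=<token>            (older drafts)
    """
    headers = {}
    if style == "bearer":
        headers["Authorization"] = "Bearer " + token
    elif style == "oauth_header":
        headers["Authorization"] = "OAuth " + token
    elif style == "oauth_query":
        # Token in the URL: it lands in server logs and Referer headers, so
        # prefer a header whenever the provider accepts one.
        url = url + ("&" if "?" in url else "?") + urlencode({"oauth_token": token})
    else:
        raise ValueError("unknown style: %s" % style)
    return method, url, headers


# Constructed sample responses (not captured from any real provider)
SPEC_JSON = ("application/json",
             '{"access_token":"tok1","token_type":"bearer","expires_in":3600}')
FORM_NO_TYPE = ("application/x-www-form-urlencoded",
                "access_token=tok2&expires_in=5000")

if __name__ == "__main__":
    for ct, body in (SPEC_JSON, FORM_NO_TYPE):
        tok = parse_token_response(ct, body)
        print(tok, api_request("GET", "https://api.example/me", tok["access_token"]))
```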
#MA7 Mashup Caravan & Meetup in Kyoto
OpenID is dead!? Poor UX? URL as identifier?
Lack of API access!? You need “stream access”, don’t you?
♥OpenID Connect
~ OpenID based on OAuth 2.0 ~
ref.) slideshare.net/oid;/openidconnect-nat
Basic Flow
[Sequence] Resource Owner, Client, Authorization Server
Initiate
Require Approval
Approve
Access Token (and ID Token)
Authorization Request (Initiate): client_id=...&response_type=token+id_token&redirect_uri=https://...&scope=openid
OAuth 2.0 + “ID Token”
connect-rp.heroku.com
ID Token
Represents session information
JWT-encoded JSON object
Signed using JWS
Encrypted using JWE
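An ID Token minted and checked as a compact JWS (JWT), to show what the `id_token` returned by the Basic Flow looks like and what a relying party must verify before trusting it. This is an added example, not code from the talk or from the speaker's openid_connect gem: it uses HS256 with the client secret as the key (the symmetric option, chosen here so only the standard library is needed), and the issuer, client id, secret and claim values are assumptions. JWE encryption, which the slide also lists, is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example"      # assumed OpenID Provider
CLIENT_ID = "app123"               # assumed relying party
CLIENT_SECRET = "s3cret"           # assumed shared secret used as the HS256 key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject, secret=CLIENT_SECRET, now=None, ttl=300):
    """OP side: header.claims.signature, each part base64url without padding."""
    now = int(time.time() if now is None else now)
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, secret=CLIENT_SECRET, now=None):
    """RP side: return the claims only if signature, issuer, audience and expiry all hold."""
    now = int(time.time() if now is None else now)
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(c64))
        sig = _unb64url(s64)
    except ValueError:            # wrong number of parts, bad base64, bad JSON
        return None
    # Pin the algorithm: never let the token's own header pick "none" or another alg
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None               # forged or tampered
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None               # issued by another OP, or for another client
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None               # expired (or no usable expiry)
    return claims


if __name__ == "__main__":
    tok = mint_id_token("user42")
    print(tok)
    print(verify_id_token(tok))
```

The `aud` check is the one most often forgotten: an ID Token issued for a different client is still validly signed by the same OP, and accepting it lets one relying party log its users into another.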
UserInfo
OAuth 2.0 Protected Resource
REQUIRED “profile” scope
OPTIONAL “email” and “address” scopes
Standardized JSON Format
PoCo (Portable Contacts) + Facebook Graph API
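A UserInfo endpoint that releases claims according to the granted scopes, as an added example that is not from the talk: `profile` is required, `email` and `address` are optional, and a token without `profile` gets nothing. The token store, the user record, and the mapping of claim names to scopes are assumptions made for illustration, not the exact claim list of the spec.

```python
# Assumed token store: bearer access token -> who it is for and what was granted
ACCESS_TOKENS = {
    "tok-profile": {"user_id": "u1", "scopes": {"openid", "profile"}},
    "tok-full": {"user_id": "u1", "scopes": {"openid", "profile", "email", "address"}},
    "tok-noprofile": {"user_id": "u1", "scopes": {"openid"}},
}

# Constructed user record (not real data)
USERS = {
    "u1": {"id": "u1", "name": "Taro Example", "email": "user1@example.com",
           "address": {"locality": "Tokyo", "country": "JP"}},
}

# Which claims each scope unlocks (assumed mapping; "id" and "name" stand in for profile claims)
SCOPE_CLAIMS = {
    "profile": ("id", "name"),
    "email": ("email",),
    "address": ("address",),
}


def userinfo(auth_header):
    """Return (status, JSON-able body) for a GET to the UserInfo endpoint."""
    scheme, _, token = auth_header.partition(" ")
    grant = ACCESS_TOKENS.get(token.strip()) if scheme.lower() == "bearer" else None
    if grant is None:
        return 401, {"error": "invalid_token"}
    if "profile" not in grant["scopes"]:
        return 403, {"error": "insufficient_scope"}   # profile is REQUIRED here
    user = USERS[grant["user_id"]]
    body = {}
    for scope, claim_names in SCOPE_CLAIMS.items():
        if scope in grant["scopes"]:
            for name in claim_names:
                if name in user:
                    body[name] = user[name]
    return 200, body


if __name__ == "__main__":
    for t in ("tok-profile", "tok-full", "tok-noprofile", "tok-bogus"):
        print(t, userinfo("Bearer " + t))
```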
So, why do these matter?
Social
Cloud
Living in the Web
Discovery
Identity
Access Control
Streams
People
Applications
OpenID Summit Tokyo, in Tokyo, Japan, December 1, 2011
openid-foundation-japan.github.com
slideshare.net/matake
github.com/nov
twitter.com/nov