Apisecuritywithoauth 181030043459
Use Cases from Real World
[Diagram: ABC Social Network page reading "Welcome John!", listing the contacts sam@yahoo.com, john@yahoo.com, bob@yahoo.com and tom@gmail.com]
Pre-Auth Era
Source: https://www.slideshare.net/wso2.org/oauth-based-reference-architecture-for-api-management
Online Movie Tickets Website
ABC Movie Tickets
● View showtimes
● View theaters
● Reserve seats
● Make payments
Developer
* The user must be logged in to perform the above operations
Online Movie Tickets Website
[Diagram: ABC Movie Tickets adds Login backed by userstores (LDAP/AD/DB); the user record for john reads Email: john@yahoo.com, First Name: John, Last Name: Doe; Social Login with Facebook signs in john@yahoo.com]
ABC Movie Tickets
● Userstores (LDAP/AD/DB)
● Multi-Factor Authentication
OAuth 2.0 Framework
https://tools.ietf.org/html/rfc6749
Roles
Roles in OAuth Framework
[Diagram: the four roles side by side: User, Client App, Authorization Server and Resource Server]
Roles in OAuth Framework
Resource Owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource Server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
Authorization Server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Roles in OAuth Framework
[Diagram: the roles mapped onto the example: Hi5 Social Network is the Client App, Yahoo is both the Resource Server and the Authorization Server, and the Yahoo account holder is the User]
Protocol Endpoints
Protocol Endpoints in OAuth
Authorization endpoint
Used by the client to obtain authorization from the resource owner via user-agent redirection.
Token endpoint
Used by the client to exchange an authorization grant for an access token, typically with client authentication.
Redirection endpoint
Used by the authorization server to return responses containing authorization credentials to the client via the resource owner user-agent.
Roles in OAuth Framework
[Diagram: the same Hi5 Social Network / Yahoo example with the endpoints marked: the Redirection Endpoint sits on the Client App, the Authorization Endpoint and the Token Endpoint sit on the Yahoo Authorization Server]
Grant Types
Authorization Code
[Diagram: authorization code flow between User Agent, Client App, Authorization Server (authorize endpoint and token endpoint) and Resource Server]
1. Authz request (Client App to User Agent)
2. Authz request (User Agent to authorize endpoint)
3. Authz response (code) (Authorization Server to User Agent)
4. Authz response (code) (User Agent to Client App)
5. Token request (code) (Client App to token endpoint)
6. Token response (access token) (token endpoint to Client App)
7. Access token (Client App to Resource Server)
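The seven steps above as a runnable exchange, with both the client and the authorization server side. This is an added example, not code from the slides or from any project they mention; the client id, secret, redirect URI, scope and user name are constructed, and the code lifetime is an assumed value. It shows the three checks the flow depends on: the redirect URI must be registered, the client must authenticate at the token endpoint, and a code is accepted exactly once.

```python
"""Added example, not from the slides: an in-memory simulation of the
authorization code grant (RFC 6749, section 4.1) with both sides of the
exchange. Client id, secret, redirect URI and user name are constructed."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 600  # seconds; assumed value (RFC 6749 recommends at most 10 minutes)

# Constructed client registration held by the authorization server.
REGISTERED_CLIENTS = {
    "hi5-client": {
        "secret": "hi5-secret",  # constructed value; a real deployment stores a hash
        "redirect_uris": {"https://hi5.example/callback"},
    }
}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> grant details, removed on first use
        self.tokens = {}  # access_token -> {client_id, user, scope, exp}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 2 and 3: authorize endpoint; 'user' is the authenticated, consenting resource owner."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # Never redirect to an unregistered URI: the code must not leave the registered client.
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "issued": time.time()}
        # Authorization response: the code plus the client's state, echoed unchanged.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5 and 6: token endpoint, with client authentication."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # single use: a replayed code is already gone
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or time.time() - grant["issued"] > CODE_LIFETIME):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": grant["user"],
                                     "scope": grant["scope"], "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


class ClientApp:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()  # in practice bound to the user's browser session

    def begin(self):
        """Step 1: build the authorization request the user agent will carry."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "profile", "state": state}

    def callback(self, redirect_url, server):
        """Steps 4 to 6: receive the code on the redirection endpoint and exchange it."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: response was not started by this client session")
        self.pending_states.discard(state)
        return server.token(self.client_id, self.client_secret, query["code"][0], self.redirect_uri)


def run_flow():
    """Run one complete flow, then replay the used code; return both results."""
    server = AuthorizationServer()
    client = ClientApp("hi5-client", "hi5-secret", "https://hi5.example/callback")
    request = client.begin()
    redirect_url = server.authorize(request["client_id"], request["redirect_uri"],
                                    request["scope"], request["state"], user="john")
    token_response = client.callback(redirect_url, server)
    used_code = parse_qs(urlparse(redirect_url).query)["code"][0]
    replay = server.token("hi5-client", "hi5-secret", used_code, "https://hi5.example/callback")
    return token_response, replay


if __name__ == "__main__":
    print(run_flow())
```

The `state` value is what ties step 4 back to step 1: the client only exchanges a code that arrives with a state it generated itself. Step 7 (presenting the access token to the resource server) is left out because it is covered in the introspection slides later in the deck.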
Implicit
[Diagram: implicit flow between User Agent, Client App and Authorization Server (authorize endpoint)]
1. Authz request (Client App to User Agent)
2. Authz request (User Agent to authorize endpoint)
3. Authz response (access token) (Authorization Server to User Agent)
4. Authz response (access token) (User Agent to Client App)
Resource Owner Password Credentials (password)
[Diagram: password grant between User, Client App and Authorization Server (token endpoint)]
1. User credentials (User to Client App)
2. Token request (user credentials) (Client App to token endpoint)
3. Token response (access token) (token endpoint to Client App)
Password Grant: Example
Client Credentials
Refresh Tokens
Use of Refresh Tokens
[Diagram: the Client App (Ebay) offers "Login with Facebook"; it sends a Token Request to the token endpoint of the Facebook Authorization Server and receives a Token Response (access_token, refresh_token); it then calls Purchase Item with the access_token]
[Diagram: later, the Client App (Ebay) sends a Refresh Token Request to the token endpoint, receives a Refresh Token Response (new access_token, new refresh_token), and calls Purchase Item with the new access_token]
Refresh Token Grant
[Diagram: the Client App sends a Refresh Token Request to the token endpoint of the Facebook Authorization Server]
Token Introspection
[Diagram: the Client App sends a Token Request to the Facebook Authorization Server and receives a Token Response with an access_token covering Email, Profile, Photos and Statuses]
[Diagram: the Client App presents the access_token to the Resource Server; the Resource Server sends it to the Facebook Authorization Server and receives an Introspection Response listing Email, Profile, Photos and Statuses]
Token Introspection Request
token=mF_9.B5f-4.1JqM&token_type_hint=access_token
Token Introspection Response
Valid Token:
{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "read write dolphin",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}
Invalid Token:
{
  "active": false
}
Token Introspection
[Diagram: the Client App presents the access_token to the Resource Server with scope=Profile in its Token Request; the Resource Server asks the Facebook Authorization Server whether the token covers Profile (out of Email, Profile, Photos and Statuses), and the Introspection Response answers Active: true, Scope: Profile]
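What the resource server should do with the introspection response before serving the request, as an added example (not code from the slides). The sample response is the one shown on the "Token Introspection Response" slide; the resource identifier is taken from its `aud` value, and the clock value used for the checks is constructed to fall between its `iat` and `exp`. Beyond the scope check the slide illustrates, the function also checks `active`, `exp` and `aud`, and fails closed whenever a field is missing.

```python
"""Added example, not from the slides: how a resource server acts on an
RFC 7662 introspection response before serving a request."""

# This resource server's own identifier; matches the "aud" in the slide's sample.
RESOURCE_AUDIENCE = "https://protected.example.net/resource"

# Sample responses copied from the "Token Introspection Response" slide.
VALID_RESPONSE = {
    "active": True, "client_id": "l238j323ds-23ij4", "username": "jdoe",
    "scope": "read write dolphin", "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/",
    "exp": 1419356238, "iat": 1419350238, "extension_field": "twenty-seven",
}
INVALID_RESPONSE = {"active": False}


def authorize_request(introspection, required_scope, now, audience=RESOURCE_AUDIENCE):
    """Return (allowed, reason). Every check fails closed: a missing field denies."""
    if introspection.get("active") is not True:
        # The server returns only {"active": false} for unknown, expired or revoked tokens.
        return False, "token not active"
    exp = introspection.get("exp")
    if not isinstance(exp, int) or now >= exp:
        # Introspection results are often cached, so expiry is re-checked locally too.
        return False, "token expired"
    aud = introspection.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7662 allows a string or an array
    if audience not in audiences:
        return False, "token not issued for this resource"
    granted = set(introspection.get("scope", "").split())  # space-delimited scope list
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, f"allowed for subject {introspection.get('sub')}"


if __name__ == "__main__":
    now = 1419351000  # constructed clock value between the sample's iat and exp
    print(authorize_request(VALID_RESPONSE, "read", now))
    print(authorize_request(VALID_RESPONSE, "Profile", now))
    print(authorize_request(INVALID_RESPONSE, "read", now))
```

The audience check is the one most often skipped: without it, a token issued for one API of the same authorization server is accepted by every other API that server protects.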
OAuth 2.0 Token Revocation
https://tools.ietf.org/html/rfc7009
Token Revocation Request
[Diagram: the Client App sends a Token Revocation Request to the Token Endpoint of the Facebook Authorization Server and receives a Token Revocation Response]
token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
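The authorization server side of the two previous slides, as an added example that is not code from the slides: an in-memory token store with an introspection lookup (RFC 7662) and a revocation handler (RFC 7009), so that the effect of a revocation request like the one above can be observed through introspection. Client ids, token values and lifetimes are constructed. Two behaviours of RFC 7009 are shown: revoking a refresh token also invalidates the access tokens issued with it, and an unknown or foreign token gets the same 200 response as a real one, so the endpoint cannot be used to probe which tokens exist.

```python
"""Added example, not from the slides: an in-memory authorization server
implementing token introspection (RFC 7662) next to token revocation
(RFC 7009). All identifiers and token values are constructed."""


class TokenStore:
    def __init__(self):
        self.access = {}   # access_token -> {client_id, scope, exp, refresh}
        self.refresh = {}  # refresh_token -> {client_id, scope, access: set of access tokens}

    def issue(self, client_id, scope, access_token, refresh_token, now, lifetime=3600):
        """Token response; token values are passed in so the example is deterministic."""
        self.access[access_token] = {"client_id": client_id, "scope": scope,
                                     "exp": now + lifetime, "refresh": refresh_token}
        self.refresh[refresh_token] = {"client_id": client_id, "scope": scope,
                                       "access": {access_token}}
        return {"access_token": access_token, "refresh_token": refresh_token,
                "token_type": "Bearer", "expires_in": lifetime}

    def introspect(self, token, now, token_type_hint=None):
        """RFC 7662: the hint only orders the lookup; an unknown token yields {"active": false}."""
        order = ["access_token", "refresh_token"]
        if token_type_hint in order:
            order.remove(token_type_hint)
            order.insert(0, token_type_hint)
        for kind in order:
            record = (self.access if kind == "access_token" else self.refresh).get(token)
            if record is None:
                continue
            if kind == "access_token" and now >= record["exp"]:
                return {"active": False}  # expired: reveal nothing else about it
            response = {"active": True, "client_id": record["client_id"],
                        "scope": record["scope"], "token_type": kind}
            if kind == "access_token":
                response["exp"] = record["exp"]
            return response
        return {"active": False}

    def revoke(self, token, client_id, token_type_hint=None):
        """RFC 7009: revoke the token and, for a refresh token, the access tokens issued with it.
        The hint is optional and ignored here; the store is small enough to check both kinds.
        Invalid or foreign tokens count as already revoked, so the response never differs."""
        refresh_record = self.refresh.get(token)
        if refresh_record is not None and refresh_record["client_id"] == client_id:
            for access_token in refresh_record["access"]:
                self.access.pop(access_token, None)
            del self.refresh[token]
        else:
            access_record = self.access.get(token)
            if access_record is not None and access_record["client_id"] == client_id:
                del self.access[token]
                linked = self.refresh.get(access_record["refresh"])
                if linked is not None:
                    linked["access"].discard(token)
        return {"status": 200}  # HTTP 200 either way (RFC 7009, section 2.2)


def demo(now=1_700_000_000):
    """Issue a token pair, revoke the refresh token, return introspection before and after."""
    store = TokenStore()
    store.issue("ebay-client", "purchase", "at-1", "rt-1", now)
    before = store.introspect("at-1", now)
    store.revoke("rt-1", "ebay-client", "refresh_token")
    after = store.introspect("at-1", now)
    return before, after


if __name__ == "__main__":
    print(demo())
```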
Thank You!