Introduction to OAuth
Wei-Tsung Su
10/30/2013 (Ver. 1.0)
Ubiquitous Computing & Ambient Networking Laboratory Page : 1
OAuth
• OAuth is an open standard of authorization. (Wikipedia)
• OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). (oauth.net)
• Standard
– RFC 6749: The OAuth 2.0 Authorization Framework
– RFC 5849: The OAuth 1.0 Protocol
• Implementation
– Apache Oltu (http://oltu.apache.org/)
– Others on .NET, PHP, Ruby, Python, …
OAuth 2.0 Protocol Flow
[Figure: OAuth 2.0 protocol flow between the Resource Owner (User), the Client, the Authorization Server, and the Resource Server (reached through its API)]
(1) Authorization Request: Client → Resource Owner
(2) Authorization Grant: Resource Owner → Client
(3) Authorization Request (with the grant): Client → Authorization Server
(4) Access Token: Authorization Server → Client
(5) Access Token: Client → Resource Server (via the API)
(6) Protected Resource: Resource Server → Client
OAuth 2.0: Case Study
• Resource owner – You
• Client – Google Calendar APIs Explorer
• Authorization server – Google OAuth 2.0 Server
• API – Google Calendar APIs
• Resource server – Google Calendar
OAuth 2.0: Case Study (cont.)
[Figure: the same OAuth 2.0 flow with the case-study roles: Resource Owner (User), Google Calendar APIs Explorer (client), Google OAuth 2.0 Server (authorization server), Google Calendar Server (resource server, to access your Google calendar data), reached through the Google Calendar APIs]
(1) Authorization Request: Google Calendar APIs Explorer → Resource Owner
(2) Authorization Grant: Resource Owner → Google Calendar APIs Explorer
(3) Authorization Request (with the grant): Google Calendar APIs Explorer → Google OAuth 2.0 Server
(4) Access Token: Google OAuth 2.0 Server → Google Calendar APIs Explorer
(5) Access Token: Google Calendar APIs Explorer → Google Calendar Server (via the Google Calendar APIs)
(6) Protected Resource: Google Calendar Server → Google Calendar APIs Explorer
Authorization Grant
• There are four ways in which a user can grant authorization to a client
– Authorization Code
• The client directs the user to the authorization server.
• The user inputs ID/PWD on the authorization server.
• The authorization server sends an authorization code to the client.
• The client sends the authorization code to the authorization server to obtain the access token.
– Implicit
• Simplifies the above process: the client directly obtains the access token (no authorization code is issued).
– Resource Owner Password Credentials (less secure)
• The user inputs ID/PWD on the client.
• The client sends the ID/PWD to the authorization server to obtain the access token.
– Client Credentials
• Used when the client is also the resource owner, or
• Access to the protected resources has been arranged in advance between the client and the authorization server.
Access Token
• Access token
– is a credential used to access protected resources.
– is a string (usually opaque to the client) representing an authorization issued to the client.
– represents specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
• Standard
– RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
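The authorization code grant from the Authorization Grant slide and the bearer token use described here, simulated end to end as an added example (not from the slides, Apache Oltu, or Google). All four parties are plain functions sharing hypothetical in-memory state; the client id calendar-explorer, its secret, the redirect URI, the scope names and the hosts auth.example and client.example are constructed for the example. Each server-side check (registered redirect URI, state, single-use and expiring code, client authentication, token scope and expiry) corresponds to a requirement in RFC 6749 or RFC 6750.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory state for one hypothetical authorization server (not a real library).
CLIENTS = {"calendar-explorer": {"secret": "s3cr3t", "redirect_uri": "https://client.example/cb"}}
PENDING_CODES = {}   # code -> {client_id, scope, redirect_uri, expires}
ACCESS_TOKENS = {}   # token -> {client_id, scope, expires}

def build_authorization_request(client_id, redirect_uri, scope, state):
    """Step (1): the client redirects the resource owner to the authorization server."""
    return "https://auth.example/authorize?" + urlencode({"response_type": "code",
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "state": state})
def authorization_server_authorize(url):
    """Step (2): after the user logs in and consents, issue a short-lived, single-use code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    PENDING_CODES[code] = {"client_id": q["client_id"], "scope": q["scope"],
                           "redirect_uri": q["redirect_uri"], "expires": time.time() + 60}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
def client_handle_callback(callback_url, expected_state):
    """Client side of step (2): reject a callback whose state does not match the user's session."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF")
    return q["code"]
def authorization_server_token(client_id, client_secret, code, redirect_uri):
    """Steps (3)/(4): exchange the code for an access token; the code is consumed on first use."""
    client = CLIENTS.get(client_id)
    grant = PENDING_CODES.pop(code, None)   # pop first: a replayed code fails even if this call fails
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid client credentials")
    if (grant is None or grant["expires"] < time.time() or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri):
        raise ValueError("invalid, expired or mismatched code")
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"client_id": client_id, "scope": grant["scope"], "expires": time.time() + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}
def resource_server_read(authorization_header, required_scope):
    """Steps (5)/(6): check the bearer token (RFC 6750) and its scope before serving the resource."""
    scheme, _, token = authorization_header.partition(" ")
    info = ACCESS_TOKENS.get(token) if scheme == "Bearer" else None
    if info is None or info["expires"] < time.time():
        return 401, "invalid_token"
    if required_scope not in info["scope"].split():
        return 403, "insufficient_scope"
    return 200, "calendar events for " + info["client_id"]
```

Running the four functions in order with a fresh state value reproduces steps (1) to (6); replaying the code, sending a callback with a different state, or presenting the token for a scope it was not granted are each rejected.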
References
• OAuth Official Sites
– http://oauth.net/
– http://wiki.oauth.net
• OAuth 2.0 Implementations
– http://wiki.oauth.net/w/page/25236487/OAuth