OAuth 2.0 with Pet Care House
Prabath Siriwardena, Senior Architect & Chair, Integration MC
[Page 6]
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.
[Page 7]
Servers are required to support password authentication, despite the security weaknesses created by passwords.
[Page 8]
Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
[Page 9]
Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
[Page 10]
Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
[Page 17]
• Complexity in validating and generating signatures.
• No clear separation between Resource Server and Authorization Server.
• Browser-based redirections.
[Page 18]
Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user.
[Page 19]
Resource Server
• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
[Page 20]
Client
• An application making protected resource requests on behalf of the resource owner and with its authorization.
[Page 21]
Authorization Server
• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
[Page 23]
Grant Types
• Authorization Code
• Implicit
• Resource Owner Password Credentials
• Client Credentials
[Page 24]
OAuth Handshake
Scope
[Page 25]
OAuth Handshake
Scope
Scope is defined by the Authorization Server.
Scope indicates which resource the client wants to access and which actions it wants to perform on that resource.
The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
The strings are defined by the authorization server.
[Page 26]
Confidential Client Type
Web Application
OAuth Handshake
[Page 27]
Client Authenticates to AuthZ Server
BasicAuth client_id / client_secret
OAuth Handshake
[Page 28]
Authorization Grant Request
OAuth Handshake
• response_type : REQUIRED. Value MUST be set to "code".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
[Page 29]
Authorization Grant Response
OAuth Handshake
• code : REQUIRED. The authorization code generated by the authorization server.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
[Page 30]
Access Token Request
OAuth Handshake
• grant_type : REQUIRED. Value MUST be set to "authorization_code".
• code : REQUIRED. The authorization code received from the Authorization Server.
• redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization
[Page 31]
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
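The four authorization-code handshake steps above, carried through for a confidential web-application client, as an added example that is not part of the original slides. The endpoints, the client registration and the redirect URI are assumed values; the state check in step 2 is what stops a callback the user never started from being exchanged for a token.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoints and a constructed client registration (not from the slides).
AUTHZ_ENDPOINT = "https://authz.example.com/authorize"
TOKEN_ENDPOINT = "https://authz.example.com/token"
CLIENT_ID, CLIENT_SECRET = "petcare-web", "s3cr3t"
REDIRECT_URI = "https://petcare.example.com/callback"

def build_authorization_request(scope, state=None):
    """Step 1 (Authorization Grant Request): the URL the browser is redirected to.
    state is unguessable and must be kept in the user's session for step 2."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state

def handle_callback(callback_url, expected_state):
    """Step 2 (Authorization Grant Response): accept the code only if state matches
    the session value; a mismatch means this callback was not started by this user."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]

def build_token_request(code):
    """Step 3 (Access Token Request): the confidential client authenticates with HTTP
    Basic (client_id:client_secret) and sends the same redirect_uri as in step 1."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_ENDPOINT, headers, body

def parse_token_response(resp):
    """Step 4 (Access Token Response): require the REQUIRED fields; token_type is
    case insensitive, so normalise it before comparing it with "bearer"."""
    if "access_token" not in resp or "token_type" not in resp:
        raise ValueError("malformed token response")
    return {"access_token": resp["access_token"],
            "token_type": resp["token_type"].lower(),
            "expires_in": int(resp.get("expires_in", 0))}
```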
[Page 32]
OAuth Handshake
Scope
[Page 33]
Public Client Type
User Agent based Application
OAuth Handshake
[Page 34]
Anonymous Clients
OAuth Handshake
[Page 35]
OAuth Handshake
Authorization Grant Request
• response_type : REQUIRED. Value MUST be set to "token".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
[Page 36]
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
• scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
[Page 37]
OAuth Handshake
Scope
[Page 38]
Confidential Client Type
OAuth Handshake
[Page 39]
BasicAuth
OAuth Handshake
[Page 40]
OAuth Handshake
Authorization Grant Request
Since the client authentication is used as the authorization grant, no additional authorization request is needed.
[Page 41]
OAuth Handshake
Access Token Request
• grant_type : REQUIRED. Value MUST be set to "client_credentials".
• scope : OPTIONAL. The scope of the access request.
Note: The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
[Page 42]
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
[Page 43]
OAuth Handshake
Scope
[Page 44]
Confidential Client Type
OAuth Handshake
[Page 45]
BasicAuth
OAuth Handshake
[Page 46]
OAuth Handshake
Authorization Grant Request
The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
[Page 47]
OAuth Handshake
Access Token Request
• grant_type : REQUIRED. Value MUST be set to "password".
• username : REQUIRED. The resource owner username, encoded as UTF-8.
• password : REQUIRED. The resource owner password, encoded as UTF-8.
• scope : OPTIONAL. The scope of the access request.
[Page 48]
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
[Page 49]
Runtime
[Page 50]
Runtime
Bearer MAC
[Page 51]
Runtime
Bearer MAC
Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
Bearer
[Page 52]
Runtime
Request with Bearer

```http
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer "access_token_value"
```

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
[Page 53]
Runtime
Bearer MAC
HTTP MAC access authentication scheme
MAC
[Page 54]
Runtime
Request with MAC

```http
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
```

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
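The resource-server side of the MAC scheme, as an added example that is not part of the original slides, to contrast with the bearer request above: the MAC binds the credential to the method, URI and host of one request and the nonce to one use, so a captured header cannot be replayed or pointed at another resource. The key table, the HMAC-SHA-256 choice and the normalized-request layout (nonce, method, request-URI, host, port, bodyhash, ext, each newline-terminated) are assumptions; check the layout against the draft before reuse.

```python
import base64
import hashlib
import hmac

# Constructed key table (id -> shared secret) and a per-process replay cache; a real
# resource server would back both with storage and expire nonces by their age prefix.
KEYS = {"h480djs93hd8": b"constructed-shared-secret"}
SEEN_NONCES = set()

def normalized_request(nonce, method, uri, host, port, bodyhash="", ext=""):
    # Assumed draft-01 layout: each element followed by a newline.
    parts = [nonce, method.upper(), uri, host.lower(), str(port), bodyhash, ext]
    return "\n".join(parts) + "\n"

def compute_mac(key, nonce, method, uri, host, port, bodyhash="", ext=""):
    msg = normalized_request(nonce, method, uri, host, port, bodyhash, ext).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def parse_mac_header(value):
    """Split 'MAC id="...", nonce="...", mac="..."' into its attributes."""
    scheme, _, rest = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC credential")
    attrs = {}
    for part in rest.split(","):
        name, _, val = part.strip().partition("=")
        attrs[name] = val.strip('"')
    return attrs

def verify_request(authz_header, method, uri, host, port):
    """Accept only if the MAC matches this exact request and the nonce is fresh for
    this id; a header captured from one request is useless for any other."""
    a = parse_mac_header(authz_header)
    key = KEYS.get(a.get("id"))
    if key is None:
        return False
    nonce_key = (a.get("id"), a.get("nonce"))
    if nonce_key in SEEN_NONCES:
        return False  # replayed header
    expected = compute_mac(key, a.get("nonce", ""), method, uri, host, port,
                           a.get("bodyhash", ""), a.get("ext", ""))
    if not hmac.compare_digest(expected, a.get("mac", "")):
        return False  # tampered, or signed for a different method/URI/host
    SEEN_NONCES.add(nonce_key)
    return True
```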