Shoot me a token: OpenAM as an OAuth2 provider
DESCRIPTION
Presented by Victor Ake, OpenAM Product Manager and ForgeRock Co-Founder, at the ForgeRock Open Stack Identity Summit, June 2013.
TRANSCRIPT
Open Identity Summit
Shoot me a TOKEN: OpenAM OAuth2 Provider
Víctor Aké, Product Manager for OpenAM, ForgeRock
New Paradigm for the Modern Web
- Converged cloud creates new identity challenges for the enterprise
- Mobile devices proliferate a new, granular identity dimension
- As big data volumes grow, identity within high-value data subsets becomes vital
- Social moves the web identity experience from "anonymous" to "personal"
(Diagram: Mobile, Social, Cloud, Enterprise, Things)
ForgeRock Open Identity Stack
The Good, The Bad and The Ugly “You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”
On-Premise vs Cloud/Social/Mobile
On-premise: SOAP, XML
Cloud/Social/Mobile: REST, JSON
OAuth2, OpenID Connect, REST
(Architecture diagram: REST endpoints over HTTP(S)/JSON serve Mobile, Social, Cloud, Enterprise and Things; the OpenAM Core provides AuthN, AuthZ, Session Validation, Identity Management, OAuth2, Realm Mgmt, OpenID Connect and Logging)
OAuth2
- Authorization protocol
- Grants access to third parties
- Parties do not share sensitive user information, i.e. no credentials are shared
- Used to grant limited access, for a limited time, to specific resources
- Developed by the IETF OAuth Working Group
Who is using OAuth2
How does it work
- Authorization Code Grant
- Implicit Grant
- Resource Owner Password Credentials Grant
Use case: for web applications
Use case: for mobile applications
- Client Credentials Grant
- SAML2 Token Insertion
Use case: for application-to-application
Authorization Code Flow
(Sequence diagram: steps 1 to 7 between Client, Provider and Protected Resource)
Resource Owner Password Flow
(Sequence diagram: steps 1 to 4 between Client, Provider and Protected Resource)
OAuth2 Tokens
Access Token: used to access a protected resource. Obtained through one of the grant flows. Lifetime short (minutes, hours).
Refresh Token: used to obtain a new access token. Obtained through one of the grant flows. Lifetime long (days, weeks, months).
(Architecture diagram: Web Apps, Native Apps and a Login App, in the Cloud and in the Enterprise, talk REST/OAuth2/OpenID Connect to OpenAM acting as OAuth2 Provider, which supplies Authentication, Authorization, Attribute Delivery, Federation, SSO, Token Persistence and Session Mgmt)
Demo
Two applications on the iPhone
SSO Demo
- Obtains an OAuth2 refresh token and access token using the Authorization Code Grant, then stores them locally in the iPhone keyring
- Accesses user profile info with the access token
- Refreshes the access token when it expires, using the refresh token
OAuth2 Demo
- Retrieves the access token from the iPhone keyring
- Accesses user profile info with the access token
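The exchange the demo walks through (Authorization Code Grant, short-lived access token, long-lived refresh token, refresh on expiry) as an added, runnable example. This is not OpenAM's code or the demo app's code: the provider is an in-memory stand-in for the "Provider" and "Protected Resource" boxes of the Authorization Code Flow diagram, and the endpoint path `/oauth2/authorize`, the client id `iphone-app`, its secret, the redirect URI, the scope `profile`, the user `alice` and the token lifetimes are all assumptions chosen for the demo. The `keyring` dict plays the part of the iPhone keyring.

```python
"""Added example (not OpenAM's code) of the authorization-code exchange from the slides.
The provider is an in-memory stand-in; endpoint path, client id/secret, redirect URI,
scope, user name and token lifetimes are assumptions chosen for the demo."""
import hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse
ACCESS_TTL = 10 * 60            # access token: minutes to hours (slides)
REFRESH_TTL = 30 * 24 * 3600    # refresh token: days to months (slides)

def _h(token):                  # keep only digests: a dump of provider state leaks no token
    return hashlib.sha256(token.encode()).hexdigest()

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Provider:                 # in-memory OAuth2 provider plus a userinfo protected resource
    def __init__(self, clients, clock=time.time):
        self.clients, self.clock = clients, clock            # client_id -> (secret, redirect_uri)
        self.codes, self.access, self.refresh = {}, {}, {}   # keyed by token digest

    def authorize(self, url, user):
        """Steps 1-3: user has logged in and consented; redirect back with a one-time code."""
        q = _query(url)
        _, redirect_uri = self.clients.get(q.get("client_id"), (None, None))
        if not redirect_uri or redirect_uri != q.get("redirect_uri") or q.get("response_type") != "code":
            raise ValueError("bad client_id, redirect_uri or response_type")
        code = secrets.token_urlsafe(32)
        self.codes[_h(code)] = {"client_id": q["client_id"], "user": user,
                                "scope": q.get("scope", ""), "exp": self.clock() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def access_token(self, client_id, client_secret, form):
        """Steps 4-5: an authenticated client swaps a code (or a refresh token) for tokens."""
        secret, redirect_uri = self.clients.get(client_id, ("", None))
        if not secret or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        now, grant_type = self.clock(), form.get("grant_type")
        if grant_type == "authorization_code":
            grant = self.codes.pop(_h(form.get("code", "")), None)       # single use
            if grant is None or grant["exp"] < now or grant["client_id"] != client_id \
                    or redirect_uri != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
        elif grant_type == "refresh_token":
            grant = self.refresh.get(_h(form.get("refresh_token", "")))
            if grant is None or grant["exp"] < now or grant["client_id"] != client_id:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        at, base = secrets.token_urlsafe(32), {k: grant[k] for k in ("client_id", "user", "scope")}
        self.access[_h(at)] = dict(base, exp=now + ACCESS_TTL)
        resp = {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if grant_type == "authorization_code":               # refresh token only on the first grant
            rt = secrets.token_urlsafe(32)
            self.refresh[_h(rt)] = dict(base, exp=now + REFRESH_TTL)
            resp["refresh_token"] = rt
        return resp

    def userinfo(self, authorization):
        rec = self.access.get(_h(authorization.partition("Bearer ")[2]))   # steps 6-7
        if rec is None or rec["exp"] < self.clock():
            return {"error": "invalid_token"}
        return {"sub": rec["user"], "scope": rec["scope"]}

class NativeClient:
    def __init__(self, provider, client_id, secret, redirect_uri):
        self.p, self.cid, self.secret, self.redirect_uri = provider, client_id, secret, redirect_uri
        self.keyring, self._state = {}, None                 # keyring: stand-in for the iPhone keychain

    def authorize_url(self, scope):
        self._state = secrets.token_urlsafe(16)              # bound to this login attempt
        return "/oauth2/authorize?" + urlencode({"response_type": "code", "client_id": self.cid,
               "redirect_uri": self.redirect_uri, "scope": scope, "state": self._state})

    def handle_redirect(self, url):
        q = _query(url)
        if self._state is None or q.get("state") != self._state:   # CSRF / code-injection guard
            raise ValueError("state mismatch")
        self._state = None
        resp = self.p.access_token(self.cid, self.secret, {"grant_type": "authorization_code",
               "code": q.get("code", ""), "redirect_uri": self.redirect_uri})
        if "error" in resp:
            raise ValueError(resp["error"])
        self.keyring.update(resp)

    def profile(self):
        """Call the resource with the access token; on expiry, refresh once and retry."""
        info = self.p.userinfo("Bearer " + self.keyring["access_token"])
        if info.get("error") == "invalid_token":
            resp = self.p.access_token(self.cid, self.secret, {"grant_type": "refresh_token",
                   "refresh_token": self.keyring.get("refresh_token", "")})
            if "error" in resp:
                raise PermissionError("refresh failed; user must log in again")
            self.keyring.update(resp)                        # new access token, refresh token kept
            info = self.p.userinfo("Bearer " + self.keyring["access_token"])
        return info

def demo():
    """Whole exchange with a fake clock so the access token expires part way through."""
    now, cb = [1_700_000_000.0], "https://app.example/oauth/callback"
    p = Provider({"iphone-app": ("client-s3cret", cb)}, clock=lambda: now[0])
    c = NativeClient(p, "iphone-app", "client-s3cret", cb)
    redirect = p.authorize(c.authorize_url("profile"), "alice")    # constructed login as "alice"
    c.handle_redirect(redirect)
    first = c.profile()
    reuse = p.access_token("iphone-app", "client-s3cret", {"grant_type": "authorization_code",
            "code": _query(redirect)["code"], "redirect_uri": cb})
    now[0] += ACCESS_TTL + 1                                 # access token dead, refresh still valid
    return {"first": first, "second": c.profile(), "code_reuse": reuse.get("error")}
```

Points a practitioner should take from the model: the authorization code is single use and bound to both the client and the redirect URI it was issued for, the `state` value is generated per login attempt and checked on the way back, the provider persists only digests of the tokens it issued, and the refresh token is handed out only on the initial grant so the client keeps one long-lived credential and rotates the short-lived one, which is exactly what the SSO demo above does when the access token expires.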
Q&A