SlideShare a Scribd company logo

OAuth2 + API Security

Download as PPTX, PDF
Amila Paranawithana, profile picture
Amila Paranawithana

The document discusses OAuth 2.0 and how it provides a method for third party applications to access private resources from an API, while allowing the resource owners to authorize access without sharing credentials. It describes the four main roles in OAuth 2.0 - resource owner, client, authorization server, and resource server. It also summarizes the three main authorization flows - authorization code, implicit, and client credentials flows. The document provides details on how each flow works, including the request and response parameters.

Technology
1 of 43
Downloaded 222 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Most read
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
OAuth 2+ API Security
API and Managing API • Private APIs , Public APIs(twitter, facebook) • Even though these APIs are public there must be a access control (e.g.: any one else can’t update your FB status on behalf of you)
Securing APIs(before OAuth) •Basic auth – Sending user credentials in http authentication header •Mutual Authentication - based on certificates, server authenticate to client , client to server Problem ..? ONLY 2 Parties What Happens if a 3rd party (client/app) wants to call APIs on behalf of you
Need A Better method
Why we need a better method • Third party applications can not save password as a salted hash but in clear text as they will use user credentials later to access resources. • Resource owner can not limit the time of access or what resources to access by clients to his resources.
Why we need a better method • Resource owners cannot revoke access to an individual third party. To revoke access resource owner has to change password which will automatically revoke all other clients. • Compromise of any third‐party application results in compromise of the end-user's password and all of the data protected by that password.
Pre OAuth Era •Google oauth •Flicker oauth •Yahoo BB-oauth
OAuth 2.0
4 Roles Resource Owner Client Resource Server Authorization Server
Resource Owner • An entity capable of granting access to a protected resource • When the resource owner is a person, it is referred to as an end‐user.
Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client An application making protected resource requests on behalf of the resource owner and with its authorization 2 types, • Confidential clients- can securely keep client_secret and client_id(eg:Web application) • Public clients(eg: Browser based clients, mobile apps)
Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner (C) Authorization Grant (D) Access Token Authorization Server Client (E) Access Token (F) Protected Resource Resource Server
OAuth 2 (A) Give me the key of your car (B) It’s with key holder, I will give you a chit, show this to key holder and ask for key. You can’t open my private stuff box with this key (C) Give me car key. Here is the chit of approve from owner Car owner (D) Ok, This is accepted, here is the key Key Holder Mechanic (E) Give me car to repair, this is the key (F) Ok, have the car Car park
OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner Client Credentials Implicit (C) Authorization Grant Authorization Code (D) Access Token Client Resource Owner Authorization Server Password Credentials (E) Access Token (F) Protected Resource Resource Server
Authorization Code Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) (D) Authorization Code & Redirect URI (E) Access Token Client
Scope • Scope indicates what resource client wants access and which actions he wants to perform on that. • The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings which are defined by authorization server. • The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.
Authorization Code Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) Confidential Client Type (D) Authorization Code & Redirect URI (E) Access Token Web application Client
Authorization Code Scope Resource Basic Auth owner (B) User Agent Client_ID/Client_secret (A) Client Identifier & redirect URL (B) User Authenticates (C) Authorization Code Client Authenticates to authorization server (A) (C) Authorization Server (D) Authorization Code & Redirect URI (E) Access Token Client
Authorization Code - Benefits • Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client. • Access token is given directly to the client without passing it through the resource owner's user-agent
Authorization Code Authorization Grant Request •response_type:REQUIRED.Value MUST be set to "code". • client_id: REQUIRED. The client identifier. • redirect_url: OPTIONAL. Where to be redirected by the Authorization Server • scope: OPTIONAL. The scope of the access request. • state : RCOMMENDED. An opaque value used by the client to maintain state between the request and callback.
Authorization Code Authorization Grant Request https://oauth2server.com/auth?response_type=code& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
Authorization Code Authorization Grant Response • code :REQUIRED. The authorization code generated by the authorization server • state : REQUIRED .if the "state" parameter was present in the client authorization request. https://oauth2client.com/cb?code=AUTH_CODE_HERE
Authorization Code Access Token Request • grant_type :REQUIRED. Value MUST be set to "authorization_code" • code : REQUIRED . The authorization code received from the Authorization Server. • redirect_uri: REQUIRED,if the "redirect_uri" parameter was inclued in the authoization POST https://api.oauth2server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRET_URI&client_id=CLIENT_ID& client_secret=CLIENT_SECRET
Authorization Code Access Token Response •access_token : REQUIRED.The access token issued by the authorization server. •token_type : REQUIRED.The type of the token. Value is case insensitive. •expires_in : RECOMMENDED.The lifetime in seconds of the access token
Access Token • Credentials used to access protected resources • A string representing an authorization issued to the client. • Tokens represent specific scopes and durations of access Refresh Token • Used to obtain a new access token when the current access token becomes invalid or expires. • Can use to obtain additional access tokens with identical or narrower scope
Authorization Code Access Token Response { "access_token":"RsT5OjbzRn430zqMLgV3Ia" }
Implicit The implicit grant is a simplified authorization code flow optimized for clients implemented in a browse using a scripting language such as JavaScript
Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server (D) Redirection URI without fragment (E) Script Client Web hosted client resource
Implicit •The authorization server does not authenticate the client. • Improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server Public client Type (D) Redirection URI without fragment UserScript based (E) Agent Application Client Web hosted client resource
Implicit Authorization Grant Request • response_type: REQUIRED.Value MUST be set to ”token". • client_id : REQUIRED. The client identifier. • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server. • scope : OPTIONAL. The scope of the access request. • state : RECOMMENDED.An opaque value used by the client to maintain state between the request and callback. https://oauth2server.com/auth?response_type=token&client_id=CLIE NT_ID&redirect_uri=REDIRECT_URI&scope=photos
Implicit Access Token Response • access_token : REQUIRED.The access token issued by the authorization server. • token_type : REQUIRED. The type of the token. Value is case insensitiv. • expires_in : RECOMMENDED. The lifetime in seconds of the access token • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. • state : REQUIRED if the "state" parameter was present in the client authorization request https://oauth2client.com/cb#token=ACCESS_TOKEN
Client Credentials Client credentials are used as an authorization grant when the client is also the resource owner. or is requesting access to protected resources based on an authorization previously arranged with the authorization server.
Client Credentials (A) Client Authentication (B) Access Token Client Authorization Server
Client Credentials Confidential Client Type (A) Client Authentication (B) Access Token Client Authorization Server
Access Token request • grant_type : REQUIRED. Value MUST be set to ”client_credentials". • scope: OPTIONAL. The scope of the access request. POST https://api.oauth2server.com/token grant_type=client_credentials client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Access Token Response •access_token : REQUIRED. The access token issued by the authorization server. •token_type : REQUIRED. The type of the token. Value is case insensitive. •expires_in : RECOMMENDED. The lifetime in seconds of the access token
Resource owner password credentials Resource owner (A) Resource owner password credentials (B) Resource owner password credentials (C) Access token Authorization Server Client
When to use •In mobile applications ▫Will exchange your user name password to a access token and only store this access token in mobile app. ▫It should only be used by apps created by the service itself.(eg: the native Twitter app)
Resource owner password credentials Token Request POST https://api.oauth2server.com/token granttype=password username=USERNAME& password=PASSWOD&client_id=CLIENT_ID
References •OAuth 2.0 Authorization Framework, specification •OAuth 2 implified , Aron Parecki •Oauth 2.0 with pet care house , Prabath Siriwardena

More Related Content

ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
Implementing OAuth
leahculver
 
PDF
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
An Introduction to OAuth 2
Aaron Parecki
 
OAuth2 - Introduction
Knoldus Inc.
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Implementing OAuth
leahculver
 
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OAuth 2.0
Uwe Friedrichsen
 
An Introduction to OAuth2
Aaron Parecki
 
An Introduction to OAuth 2
Aaron Parecki
 

What's hot (20)

PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PPTX
OpenID Connect: An Overview
Pat Patterson
 
PDF
OAuth
Iván Fernández Perea
 
PPTX
OAuth 2
ChrisWood262
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PDF
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
PPTX
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
PDF
OAuth 2.0 and OpenID Connect
Jacob Combs
 
PDF
Introduction to OpenID Connect
Nat Sakimura
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PDF
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
PDF
Future-proofing Authentication with Passkeys
Nordic APIs
 
PDF
OAuth2 and Spring Security
Orest Ivasiv
 
PPTX
OpenId Connect Protocol
Michael Furman
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PPTX
Rest API Security
Stormpath
 
PDF
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
PPTX
Introduction to Azure AD and Azure AD B2C
Joonas Westlin
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Demystifying OAuth 2.0
Karl McGuinness
 
OpenID Connect: An Overview
Pat Patterson
 
OAuth
Iván Fernández Perea
 
OAuth 2
ChrisWood262
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Introduction to OpenID Connect
Nat Sakimura
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Future-proofing Authentication with Passkeys
Nordic APIs
 
OAuth2 and Spring Security
Orest Ivasiv
 
OpenId Connect Protocol
Michael Furman
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
Rest API Security
Stormpath
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
Introduction to Azure AD and Azure AD B2C
Joonas Westlin
 
Ad

Similar to OAuth2 + API Security (20)

PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
Learn with WSO2 - API Security
WSO2
 
PDF
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PPTX
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
PPTX
O auth
Ashok Kumar N
 
PPTX
O auth 2.0 authorization framework
John Temoty Roca
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
PPTX
(4) OAuth 2.0 Obtaining Authorization
anikristo
 
PDF
OAuth2
SPARK MEDIA
 
PDF
OAuth: Trust Issues
Lorna Mitchell
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
PDF
O Auth 2.0 The Path to Heaven from Hell
WSO2
 
PPTX
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
Extended Security with WSO2 API Management Platform
WSO2
 
PDF
Introduction to OAuth2.0
Oracle Corporation
 
PDF
Oauth2.0
iratao
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
PPTX
OAuth
Tom Elrod
 
PDF
OAuth2 primer
Manish Pandit
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Learn with WSO2 - API Security
WSO2
 
Securing APIs with OAuth 2.0
Kai Hofstetter
 
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
O auth
Ashok Kumar N
 
O auth 2.0 authorization framework
John Temoty Roca
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
(4) OAuth 2.0 Obtaining Authorization
anikristo
 
OAuth2
SPARK MEDIA
 
OAuth: Trust Issues
Lorna Mitchell
 
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
O Auth 2.0 The Path to Heaven from Hell
WSO2
 
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Extended Security with WSO2 API Management Platform
WSO2
 
Introduction to OAuth2.0
Oracle Corporation
 
Oauth2.0
iratao
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
OAuth
Tom Elrod
 
OAuth2 primer
Manish Pandit
 
Ad

Recently uploaded (20)

PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Teaching material agriculture food technology
LiaRayya
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

OAuth2 + API Security

  • 1. OAuth 2+ API Security
  • 2. API and Managing API • Private APIs , Public APIs(twitter, facebook) • Even though these APIs are public there must be a access control (e.g.: any one else can’t update your FB status on behalf of you)
  • 3. Securing APIs(before OAuth) •Basic auth – Sending user credentials in http authentication header •Mutual Authentication - based on certificates, server authenticate to client , client to server Problem ..? ONLY 2 Parties What Happens if a 3rd party (client/app) wants to call APIs on behalf of you
  • 4. Need A Better method
  • 5. Why we need a better method • Third party applications can not save password as a salted hash but in clear text as they will use user credentials later to access resources. • Resource owner can not limit the time of access or what resources to access by clients to his resources.
  • 6. Why we need a better method • Resource owners cannot revoke access to an individual third party. To revoke access resource owner has to change password which will automatically revoke all other clients. • Compromise of any third‐party application results in compromise of the end-user's password and all of the data protected by that password.
  • 7. Pre OAuth Era •Google oauth •Flicker oauth •Yahoo BB-oauth
  • 9. 4 Roles Resource Owner Client Resource Server Authorization Server
  • 10. Resource Owner • An entity capable of granting access to a protected resource • When the resource owner is a person, it is referred to as an end‐user.
  • 11. Resource Server The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • 12. Client An application making protected resource requests on behalf of the resource owner and with its authorization 2 types, • Confidential clients- can securely keep client_secret and client_id(eg:Web application) • Public clients(eg: Browser based clients, mobile apps)
  • 13. Authorization Server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • 14. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner (C) Authorization Grant (D) Access Token Authorization Server Client (E) Access Token (F) Protected Resource Resource Server
  • 15. OAuth 2 (A) Give me the key of your car (B) It’s with key holder, I will give you a chit, show this to key holder and ask for key. You can’t open my private stuff box with this key (C) Give me car key. Here is the chit of approve from owner Car owner (D) Ok, This is accepted, here is the key Key Holder Mechanic (E) Give me car to repair, this is the key (F) Ok, have the car Car park
  • 16. OAuth 2 (A) Authorization Request (B) Authorization Grant Resource owner Client Credentials Implicit (C) Authorization Grant Authorization Code (D) Access Token Client Resource Owner Authorization Server Password Credentials (E) Access Token (F) Protected Resource Resource Server
  • 17. Authorization Code Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) (D) Authorization Code & Redirect URI (E) Access Token Client
  • 18. Scope • Scope indicates what resource client wants access and which actions he wants to perform on that. • The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings which are defined by authorization server. • The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.
  • 19. Authorization Code Resource owner (A) Client Identifier & redirect URL (B) User Agent (B) User Authenticates (C) Authorization Code (A) Authorization Server (C) Confidential Client Type (D) Authorization Code & Redirect URI (E) Access Token Web application Client
  • 20. Authorization Code Scope Resource Basic Auth owner (B) User Agent Client_ID/Client_secret (A) Client Identifier & redirect URL (B) User Authenticates (C) Authorization Code Client Authenticates to authorization server (A) (C) Authorization Server (D) Authorization Code & Redirect URI (E) Access Token Client
  • 21. Authorization Code - Benefits • Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client. • Access token is given directly to the client without passing it through the resource owner's user-agent
  • 22. Authorization Code Authorization Grant Request •response_type:REQUIRED.Value MUST be set to "code". • client_id: REQUIRED. The client identifier. • redirect_url: OPTIONAL. Where to be redirected by the Authorization Server • scope: OPTIONAL. The scope of the access request. • state : RCOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  • 23. Authorization Code Authorization Grant Request https://oauth2server.com/auth?response_type=code& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 24. Authorization Code Authorization Grant Response • code :REQUIRED. The authorization code generated by the authorization server • state : REQUIRED .if the "state" parameter was present in the client authorization request. https://oauth2client.com/cb?code=AUTH_CODE_HERE
  • 25. Authorization Code Access Token Request • grant_type :REQUIRED. Value MUST be set to "authorization_code" • code : REQUIRED . The authorization code received from the Authorization Server. • redirect_uri: REQUIRED,if the "redirect_uri" parameter was inclued in the authoization POST https://api.oauth2server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRET_URI&client_id=CLIENT_ID& client_secret=CLIENT_SECRET
  • 26. Authorization Code Access Token Response •access_token : REQUIRED.The access token issued by the authorization server. •token_type : REQUIRED.The type of the token. Value is case insensitive. •expires_in : RECOMMENDED.The lifetime in seconds of the access token
  • 27. Access Token • Credentials used to access protected resources • A string representing an authorization issued to the client. • Tokens represent specific scopes and durations of access Refresh Token • Used to obtain a new access token when the current access token becomes invalid or expires. • Can use to obtain additional access tokens with identical or narrower scope
  • 28. Authorization Code Access Token Response { "access_token":"RsT5OjbzRn430zqMLgV3Ia" }
  • 29. Implicit The implicit grant is a simplified authorization code flow optimized for clients implemented in a browse using a scripting language such as JavaScript
  • 30. Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server (D) Redirection URI without fragment (E) Script Client Web hosted client resource
  • 31. Implicit •The authorization server does not authenticate the client. • Improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.
  • 32. Implicit Scope Resource owner (A) Client Identifier & redirect URL (B) User Agent (A) (C) (B) User Authenticates (C) Redirection URI with access token in fragment Authorization Server Public client Type (D) Redirection URI without fragment UserScript based (E) Agent Application Client Web hosted client resource
  • 33. Implicit Authorization Grant Request • response_type: REQUIRED.Value MUST be set to ”token". • client_id : REQUIRED. The client identifier. • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server. • scope : OPTIONAL. The scope of the access request. • state : RECOMMENDED.An opaque value used by the client to maintain state between the request and callback. https://oauth2server.com/auth?response_type=token&client_id=CLIE NT_ID&redirect_uri=REDIRECT_URI&scope=photos
  • 34. Implicit Access Token Response • access_token : REQUIRED.The access token issued by the authorization server. • token_type : REQUIRED. The type of the token. Value is case insensitiv. • expires_in : RECOMMENDED. The lifetime in seconds of the access token • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. • state : REQUIRED if the "state" parameter was present in the client authorization request https://oauth2client.com/cb#token=ACCESS_TOKEN
  • 35. Client Credentials Client credentials are used as an authorization grant when the client is also the resource owner. or is requesting access to protected resources based on an authorization previously arranged with the authorization server.
  • 36. Client Credentials (A) Client Authentication (B) Access Token Client Authorization Server
  • 37. Client Credentials Confidential Client Type (A) Client Authentication (B) Access Token Client Authorization Server
  • 38. Access Token request • grant_type : REQUIRED. Value MUST be set to ”client_credentials". • scope: OPTIONAL. The scope of the access request. POST https://api.oauth2server.com/token grant_type=client_credentials client_id=CLIENT_ID&client_secret=CLIENT_SECRET
  • 39. Access Token Response •access_token : REQUIRED. The access token issued by the authorization server. •token_type : REQUIRED. The type of the token. Value is case insensitive. •expires_in : RECOMMENDED. The lifetime in seconds of the access token
  • 40. Resource owner password credentials Resource owner (A) Resource owner password credentials (B) Resource owner password credentials (C) Access token Authorization Server Client
  • 41. When to use •In mobile applications ▫Will exchange your user name password to a access token and only store this access token in mobile app. ▫It should only be used by apps created by the service itself.(eg: the native Twitter app)
  • 42. Resource owner password credentials Token Request POST https://api.oauth2server.com/token granttype=password username=USERNAME& password=PASSWOD&client_id=CLIENT_ID
  • 43. References •OAuth 2.0 Authorization Framework, specification •OAuth 2 implified , Aron Parecki •Oauth 2.0 with pet care house , Prabath Siriwardena