OAuth 2.0

Authorization Framework



Philipp Marien | 02.08.2016

Contents

  • Introduction
  • Roles
  • Tokens
  • Endpoints
  • Flows
  • Scopes
  • Extensions

Introduction

  • Authorization framework
  • Standard: RFC 6749
  • No authentication! OAuth 2.0 grants a client limited access on the user's behalf; it does not tell the client who the user is (that is OpenID Connect)
  • Application to application
  • Obtain (limited) access to an HTTP service
  • Central user and rights management

Roles

  • Resource
  • Resource Owner
  • Resource Server
  • Client
  • Authorization Server
[Diagram: Resource Server, Authorization Server, Client, User]

Tokens

  • Access Token
    • returned by the token endpoint as access_token, together with expires_in (lifetime in seconds)
    • presented to the resource server on every request
  • Refresh Token
    • returned as refresh_token (optional, not in every flow)
    • exchanged at the token endpoint for a new access token once the old one expires

Endpoints

  • Authorization Server
    • Authorize Endpoint (/oauth/authorize)
    • Token Endpoint (/oauth/token)
  • Client
    • Redirection Endpoint

Flows

Authorization Code

Sequence (User, Client, Authorization Server, Resource Server):

  • User -> Client -> Authorization Server: GET /oauth/authorize
    response_type=code
    client_id=test
    redirect_uri=http://example.com
    state=1234
  • Authorization Server <-> User: Login (Username, Password)
  • Authorization Server -> User -> Client: Authorization Code
    Redirect: http://example.com?code=TESTCODE&state=1234
  • Client -> Authorization Server: POST /oauth/token
    Authorization: Basic base64(id:secret)
    grant_type=authorization_code
    code=TESTCODE
  • Authorization Server -> Client: Access Token
    { "access_token": "ACCESS", "refresh_token": "REFRESH", "expires_in": 300 }
  • Client -> Resource Server: GET /api/test
    Authorization: Bearer ACCESS

Implicit

Sequence (User, Client, Authorization Server, Resource Server):

  • User -> Client -> Authorization Server: GET /oauth/authorize
    response_type=token
    client_id=test
    redirect_uri=http://example.com
    state=1234
  • Authorization Server <-> User: Login (Username, Password)
  • Authorization Server -> User -> Client: Access Token
    Redirect: http://example.com#access_token=ACCESS&state=1234
    (the token is carried in the URL fragment, RFC 6749 section 4.2.2, so only the browser-side client sees it; no refresh token is issued)
  • Client -> Resource Server: GET /api/test
    Authorization: Bearer ACCESS

Resource Owner Password

Sequence (User, Client, Authorization Server, Resource Server):

  • User -> Client: Login (Username, Password entered directly into the client)
  • Client -> Authorization Server: POST /oauth/token
    Authorization: Basic base64(id:secret)
    grant_type=password
    username=enm
    password=test56
  • Authorization Server -> Client: Access Token
    { "access_token": "ACCESS", "refresh_token": "REFRESH", "expires_in": 300 }
  • Client -> Resource Server: GET /api/test
    Authorization: Bearer ACCESS

Refresh

Sequence (Client, Authorization Server, Resource Server; no user interaction):

  • Client -> Authorization Server: POST /oauth/token
    Authorization: Basic base64(id:secret)
    grant_type=refresh_token
    refresh_token=REFRESH
  • Authorization Server -> Client: Access Token
    { "access_token": "ACCESS", "refresh_token": "REFRESH", "expires_in": 300 }
  • Client -> Resource Server: GET /api/test
    Authorization: Bearer ACCESS

Client Credentials

Sequence (Client, Authorization Server, Resource Server; the client acts for itself, no user):

  • Client -> Authorization Server: POST /oauth/token
    Authorization: Basic base64(id:secret)
    grant_type=client_credentials
  • Authorization Server -> Client: Access Token
    { "access_token": "ACCESS", "expires_in": 300 }
    (no refresh token: the client can simply authenticate again)
  • Client -> Resource Server: GET /api/test
    Authorization: Bearer ACCESS

Scopes

Extensions

  • Bearer Token Usage (RFC 6750)
  • Token Introspection (RFC 7662, validation of a token by the resource server)
  • OpenID Connect (authentication layer on top of OAuth 2.0)

Questions?

Confluence: OAuth 2.0