Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Slides:



Advertisements
Similar presentations
1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Advertisements

CCAMP Working Group Milestone Discussion IETF 84 84th IETF CCAMP Working Group 1.
IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Open Pluggable Edge Services (opes) 62 nd IETF Meeting Minneapolis, MN, USA.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
MANET Where are we? Where are we going? Adrian Farrel Routing AD Honolulu – November 2015 – IETF-91.
IETF Trade WG Adelaide, South Australia 29 March 2000 Donald E. Eastlake, 3rd
Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
NMI End-to-End Diagnostic Advisory Group BoF Fall 2003 Internet2 Member Meeting.
Open Pluggable Edge Services (opes) 61st IETF Meeting Washington, D.C., USA.
ECRIT Virtual Interim Meeting 3rd June 2009, 1PM EDT (New York) Marc Linsner Hannes Tschofenig.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
Web Authorization Protocol (oauth) IETF 90, Toronto Chairs: Hannes Tschofenig, Derek Atkins Responsible AD: Kathleen Moriarty Mailing List:
Web Authorization Protocol (oauth) Hannes Tschofenig.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
November 20, 2002IETF 55 - Atlanta1 VPIM Voice Profile for Internet Mail Mailing list: To subscribe: send.
IETF55 Internet FAX and VPIM WG IETF 55 Internet FAX and Voice Profile for Internet Mail WG joint meeting Atlanta, November 20th 2002 Agenda.
RObust Header Compression WG (ROHC) 66 th IETF Montreal, Canada, July 11, 2006 Meeting Chair: Carsten Bormann WG Chair: Lars-Erik Jonsson.
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.
68th IETF Prague March 2007 Agenda and WG Status On-line Agenda and Slides at:
Emergency Context Resolution with Internet Technologies (ecrit) Hannes Tschofenig, Marc Linsner IETF 65.
Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.
Profiling Use of PKI in IPsec (pki4ipsec) Date: Monday, Mar 7, 2005 at Location: Rochester room Chairs: Paul Knight Gregory Lebovitz Mail list:
SIP Working Group IETF Chairs -- Rohan MAHY Dean WILLIS.
IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.
Access Policy - Federation March 23, 2016
Dr. Michael B. Jones Identity Standards Architect at Microsoft
Identity Events IIW April 2016.
Hannes Tschofenig, Derek Atkins
OGSA-WG Basic Profile Session #1 Security
Phil Hunt, Hannes Tschofenig
Chairs: Derek Atkins and Hannes Tschofenig
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
Agenda and Status SIP Working Group
OAuth Assertion Documents
OAuth2 SCIM Client Registration & Software Statement Exchange
IETF57 Vienna July 2003 Bob Hinden & Margaret Wasserman Chairs
Agenda OAuth WG IETF 87 July, 2013.
OpenID Enhanced Authentication Profile (EAP) Working Group
Device Flow <draft-ietf-oauth-device-flow-03>
IETF101 London Web Authorization Protocol (OAuth)
OpenID Enhanced Authentication Profile (EAP) Working Group
OpenID Connect Working Group
Protocol for Carrying Authentication for Network Access - PANA -
PLUG-N-HARVEST ID: H2020-EU
draft-ipdvb-sec-01.txt ULE Security Requirements
Web Authorization Protocol (oauth)
STIR WG IETF-102 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-06) July 18, 2018 Ray P. Singh, Martin Dolly, Subir Das, and.
Web Authorization Protocol (oauth)
OpenID Connect Working Group
OpenID Enhanced Authentication Profile (EAP) Working Group
OpenID Enhanced Authentication Profile (EAP) Working Group
IETF102 Montreal Web Authorization Protocol (OAuth)
Software Updates for Internet of Things (SUIT) WG
IETF-104 (Prague) DHC WG Next steps
Software Updates for Internet of Things (SUIT) WG
IETF 87 DHC WG Berlin, Germany Thursday, 1 August, 2013
Web Authorization Protocol (OAuth)
OpenID Enhanced Authentication Profile (EAP) Working Group
Presentation transcript:

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins

Agenda 1. Agenda Bashing, WG Status (+ Welcome Derek and Thank You Barry) 2. OAuth Threats Document (Torsten) 3. OAuth Assertions (Mike) MAC Token (TBD) 5. Re-charter finalization (all) See mail sent separately to the mailing list.

Charter Proposal Description of Working Group The Web Authorization (OAuth) protocol allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing Web site to print their private pictures, without allowing the printing site to gain full control of the user's account and without having the user sharing his or her photo-sharing sites' long-term credential with the printing site.

Charter Proposal, cont. The OAuth protocol suite encompasses – a procedure for allowing a client to discover a resource server, – a protocol for obtaining authorization tokens from an authorization server with the resource owner's consent, – protocols for presenting these authorization tokens to protected resources for access to a resource, and – consequently for sharing data in a security and privacy respective way. In April 2010 the OAuth 1.0 specification, documenting pre-IETF work, was published as an informational document (RFC 5849). With the completion of OAuth 1.0 the working group started their work on OAuth 2.0 to incorporate implementation experience with version 1.0, additional use cases, and various other security, readability, and interoperability improvements. An extensive security analysis was conducted and the result is available as a stand-alone document offering guidance for audiences beyond the community of protocol implementers.

Charter Proposal, cont. The working group also developed security schemes for presenting authorization tokens to access a protected resource. This led to the publication of the bearer token as well as the message authentication code (MAC) access authentication specification. OAuth 2.0 added the ability to trade a SAML assertion against an OAUTH token with the SAML 2.0 bearer assertion profile. This offers interworking with existing identity management solutions, in particular SAML based deployments. OAuth has enjoyed widespread adoption by the Internet application service provider community. To build on this success we aim for nothing more than to make OAuth the authorization framework of choice for any Internet protocol. Consequently, the ongoing standardization effort within the OAuth working group is focused on enhancing interoperability of OAuth deployments. While the core OAuth specification truly is an important building block it relies on other specifications in order to claim completeness. Luckily, these components already exist and have been deployed on the Internet. Through the IETF standards process they will be improved in quality and will undergo a rigorous review process.

Goals and Milestones [Editor's Note: Here are the completed items.] Done Submit 'OAuth 2.0 Threat Model and Security Considerations' as a working group item Done Submit 'HTTP Authentication: MAC Authentication' as a working group item Done Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for consideration as a Proposed Standard Done Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for consideration as a Proposed Standard [Editor's Note: Finishing existing work. Double-check the proposed dates - are they realistic?] Jun Submit 'HTTP Authentication: MAC Authentication' to the IESG for consideration as a Proposed Standard Apr Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard Apr Submit 'OAuth 2.0 Assertion Profile' to the IESG for consideration as a Proposed Standard Apr Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for consideration as a Proposed Standard May 2012 Submit 'OAuth 2.0 Threat Model and Security Considerations' to the IESG for consideration as an Informational RFC

New Milestones Aug Submit 'Token Revocation' to the IESG for consideration as a Proposed Standard [Starting point for the work will be Nov Submit 'JSON Web Token (JWT)' to the IESG for consideration as a Proposed Standard [Starting point for the work will be Nov Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0' to the IESG for consideration as a Proposed Standard [Starting point for the work will be Jan Submit 'OAuth Dynamic Client Registration Protocol' to the IESG for consideration as a Proposed Standard [Starting point for the work will be Sep Submit 'OAuth Use Cases' to the IESG for consideration as an Informational RFC [Starting point for the work will be

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.