Authorization Made Simple….Sort of

Slides:



Advertisements
Similar presentations
Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
Advertisements

The How of OAuth OAuth Hackathon – Six Apart
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Authentication & Kerberos
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
‘Lord’ was a click away from £229m “They installed software on the company computers allowing them to steal [Sumitomo bank] staff user names and passwords”
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
By: Ansuya Chauhan.
Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
Workflow OpenID Scenario Users get OpenID from provider Andy is given access to service, and then to workflow server. Andy installs workflow Workflow gets.
Will Darby April  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.
Public Key Distribution and X.509 Wade Trappe. Distribution of Public Keys There are several techniques proposed for the distribution of public keys:
Single Sign-on Writ Large. What is OpenID?  Open, Decentralized single sign on standard  Allows users to use a single digital identity across multiple.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes.
SSL Technology Overview and Troubleshooting Tips.
Introduction to MediTract
Session 11: Security with ASP.NET
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Authority of Information Technology Application National Center of Digital Signature Authentication Ninh Binh, June 25, 2010.
May 7, 2013 CEOS WGISS-35 Meeting 1 GEOSS Authentication and Single Sign-On Steven F. Browdy OMS Tech, Inc. IEEE.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
Presentation of the Online Pre-Screening Process on EasyAppsOnline.
Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Access Account Activation and Electronic Signature Web Application.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University.
OpenID Connect: An Overview Pat Patterson Developer Evangelist Architect
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
11 | Managing User Info Jeremy Foster Michael Palermo
Building Secure Microservices
Application Authentication using Azure AD
Access Policy - Federation March 23, 2016
GEOSS Federated Single Sign-On
NodeJS Security Using PassportJS and HelmetJS:
Earthdata Login and Open ID A Look at Federated User Identities
Federation made simple
REST/SOAP Security A Brief Introduction.
Addressing the Beast: Single Sign-On II
Multi-Factor Authentication (MFA)
Authentication Protocol
Registering on the SITE is a MULTI-STEP process:
OpenID Connect Working Group
Eat-out, put-together or cook
Homework #5 Solutions Brian A. LaMacchia
TaxSlayer Multi-Factor Authentication
Replace With Title of Your Choice
TaxSlayer Multi-Factor Authentication (MFA)
Overview The World Wide Web has changed the way that people
Overview The World Wide Web has changed the way that people
Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION
February 2007 Note: Source:.
Evaluating Websites via Google Advanced Search
Introduction to Let’s Encrypt
Plenary
Presentation transcript:

Authorization Made Simple….Sort of OAuth Authorization Made Simple….Sort of

Overview A brief history of OAuth Why does it exist? How Does it Work? Authorization versus Authentication How Does it Work? Major Versions Revision A Signatures versus SSL

A Brief History Nov. 2006: Blaine Cooke, Chris Messina, and David Recordon meet with other OpenID users to discuss existing solutions A new authorization standard was needed April 2007: The OpenAuth Google group is born Later changed to Oauth to prevent conflict with AOL’s OpenAuth protocol July 2007: The group goes public December 2007: The 1.0 spec is finalized June 2009 – Revision A is released (following a security advisory release in April)

Why does it Exist No more username and password sharing Separate authentication from authorization Standardization of authorization solutions Flikr Auth Google AuthSub Yahoo! BBAuth

Didn’t OpenID Do This? Common question on Stack Overflow and similar sites Answer: Partially *Imaged borrowed from wikipedia

Authorization v. Authentication Who is this person? Verification of user credentials Association of credentials with user data Authorization What can the person with these credentials do? By providing my password, exchange is able to verify I am tstokes. By using the user information associated with tstokes, it is able to authorize me to view my mailbox, but not someone else’s.

How Does it Work?

Request Security Signatures – OAuth 1.0 Nonce Timestamp OAuth allows dynamic determination of algorithm Nonce Unique request identifier Timestamp Allows expiration and re-use of Nonce values

References Eric Hammer-Lahav http://hueniverse.com/oauth/guide/history/ Primary reference for history of Oauth Wikipedia: OpenID vs. Oauth Psuedo-Authentication Graphic http://en.wikipedia.org/wiki/File:OpenIDvs.Pseudo-AuthenticationusingOAuth.svg OAuth Community Site http://oauth.net/ IBM – Three Legged OAuth http://www.ibm.com/developerworks/web/library/wa- oauthsupport/ThreeLeggedOAuthDance.gif

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.