Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Slides:



Advertisements
Similar presentations
71 th IETF meeting Experience of implementing NETCONF over SOAP ( draft-iijima-netconf-soap-implementation-06) Tomoyuki Iijima, Yoshifumi Atarashi, Hiroyasu.
Advertisements

Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
IPv6 WORKING GROUP (IPNGWG) March 2001 Minneapolis IETF Bob Hinden / Nokia Steve Deering / Cisco Systems Co-Chairs.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.
IETF Trade WG Adelaide, South Australia 29 March 2000 Donald E. Eastlake, 3rd
DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Web Syndication Leon Wu Columbia University April 10, 2007.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
Open Pluggable Edge Services (opes) 61st IETF Meeting Washington, D.C., USA.
OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.
Web Authorization Protocol (oauth) IETF 90, Toronto Chairs: Hannes Tschofenig, Derek Atkins Responsible AD: Kathleen Moriarty Mailing List:
Web Authorization Protocol (oauth) Hannes Tschofenig.
Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Diameter Maintenance and Extensions (dime) IETF 68, March 2007, Prague David Frascone, Hannes Tschofenig.
Design Guidelines Thursday July 26, 2007 Bernard Aboba IETF 69 Chicago, IL.
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.
SCTP as a transport for Diameter draft-pascual-dime-sctp-00 IETF 79 - DIME WG November 2010,
HTTPbis BOF IETF 69, Chicago BOF Chairs: Mark Nottingham Alexey Melnikov Mailing List: Jabber:
Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.
Secure Mobile Development with NetIQ Access Manager
Today’s Applications Web API Browser Native app Web API Web API
WREC Working Group IETF 49, San Diego Co-Chairs: Mark Nottingham Ian Cooper WREC Working Group.
#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson
DIME Virtual Interim Meeting 19th February, 8PM PST Dave Frascone Hannes Tschofenig.
IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.
Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.
Phil Hunt, Hannes Tschofenig
Identity Federations - Overview
Chairs: Derek Atkins and Hannes Tschofenig
All about social networking
OAuth2 SCIM Client Registration & Software Statement Exchange
Agenda OAuth WG IETF 87 July, 2013.
Device Flow <draft-ietf-oauth-device-flow-03>
OpenID Enhanced Authentication Profile (EAP) Working Group
OpenID Connect Working Group
IEEE MEDIA INDEPENDENT HANDOVER DCN: sec
Web Authorization Protocol (oauth)
1 Guidelines for Autonomic Service Agents draft-carpenter-anima-asa-guidelines-00 Brian Carpenter Sheng Jiang IETF 97 November
Web Authorization Protocol (oauth)
OpenID Enhanced Authentication Profile (EAP) Working Group
OpenID Enhanced Authentication Profile (EAP) Working Group
Web Authorization Protocol (OAuth) WG Chairs: Hannes Tschofenig, Rifaat Shekh-Yusef, Security AD: Roman.
Rifaat Shekh-Yusef IETF105, OAuth WG, Montreal, Canada 26 July 2019
IETF102 Montreal Web Authorization Protocol (OAuth)
Web Authorization Protocol (OAuth) WG Chairs: Hannes Tschofenig, Rifaat Shekh-Yusef, Security AD: Roman.
Web Authorization Protocol (OAuth) WG Chairs: Hannes Tschofenig, Rifaat Shekh-Yusef, Security AD: Roman.
IETF Liaison Report January 2004 Dorothy Stanley – Agere Systems
IETF-104 (Prague) DHC WG Next steps
Authentication and Authorization for Constrained Environments (ACE)
Web Authorization Protocol (OAuth)
OpenID Enhanced Authentication Profile (EAP) Working Group
Presentation transcript:

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)

Acknowledgements I would like to thank to Pasi Eronen. We are re-using some of his slides in this presentation. 5/17/2015IETF #79, OAuth Tutorial Beijing2

5/17/2015IETF #79, OAuth Tutorial Beijing3 The Problem: Secure Data Sharing

5/17/2015IETF #79, OAuth Tutorial Beijing4

5/17/2015IETF #79, OAuth Tutorial Beijing5 Example OAuth Exchange

Entities User Agent (Web Browser) Authorization Server (Yahoo) User Resource Server (Yahoo) Resource Consumer (LinkedIn) Access Request (incl. Token) Token request Authorization Request 5/17/20156IETF #79, OAuth Tutorial Beijing

5/17/2015IETF #79, OAuth Tutorial Beijing7 User navigates to Resource Client

5/17/2015IETF #79, OAuth Tutorial Beijing8 User authenticated by Authorization Server

5/17/20159 User authorizes Resource Consumer to access Resource Server IETF #79, OAuth Tutorial Beijing

5/17/2015IETF #79, OAuth Tutorial Beijing10 Resource Client calls the Resource Server API

Remark: Authentication Yahoo in our example may outside the authentication part to other providers (e.g. using OpenID). Authorization Server and Resource Server do not need to be operated by the same entity. 5/17/2015IETF #79, OAuth Tutorial Beijing11

Remark: Authorization Asking the user for consent prior to share information is considered privacy-friendly. User interfaces for obtaining user content may not always be great. 5/17/2015IETF #79, OAuth Tutorial Beijing12

Remark: Authorization, cont. 5/17/2015IETF #79, OAuth Tutorial Beijing13

Remark: Authorization, cont.

5/17/2015IETF #79, OAuth Tutorial Beijing15

Remark: Prior-Registration Many Resource Server require registration of Resource Client’s prior to usage. Example: 5/17/2015IETF #79, OAuth Tutorial Beijing16

Remark, cont. 5/17/2015IETF #79, OAuth Tutorial Beijing17

5/17/2015IETF #79, OAuth Tutorial Beijing18 History

5/17/2015IETF #79, OAuth Tutorial Beijing19 History November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.Google group July 2007: OAuth 1.0 (with code for major programming languages) September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) Deployment of OAuth well on it’s way:

5/17/2015IETF #79, OAuth Tutorial Beijing20 History, cont. 1 st OAuth BOF (Minneapolis, November 2008, IETF#73) –BOF Chairs: Sam Hartman, Mark Nottingham –BOF went OK but a couple of charter questions couldn’t be resolved. 2 nd OAuth BOF (San Francisco, March 2009, IETF#74) –BOF Chairs: Hannes Tschofenig, Blaine Cook –Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting IETF wide review of the OAuth charter text (28 th April 2009) –Announcement: announce/current/msg06009.htmlhttp:// announce/current/msg06009.html OAuth working group was created (May 2009) –Chairs: Blaine Cook, Peter Saint Andre Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: –

History, cont. March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair. March 2010: IETF OAuth meeting in Anaheim April 2010: OAuth 2.0 published co-authored by Eran, Dick, David.draft-ietf-oauth-v2-00.txt May 2010: First OAuth interim meeting co-located with IIW to discuss open issues. July 2010: Maastricht IETF meeting November 2010: Document split into “abstract” specification and separate bearer token and message signing specification. November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth 5/17/2015IETF #79, OAuth Tutorial Beijing21

Entities User Agent Authorization Server User Resource Server Resource Consumer Access Request (incl. Token) Token request Authorization Request 5/17/201522IETF #79, OAuth Tutorial Beijing

Scope of the OAuth WG Currently only one working group item: – –Unlike OAuth v1.0 it does not contain signature mechanisms We have a punch of other documents as individual items –Providing security related extensions –User interface considerations –Token formats –Token by reference –Use case descriptions –Other OAuth profiles 5/17/2015IETF #79, OAuth Tutorial Beijing23

OAuth Profiles Token Request Work Areas User User Agent Authorization Server Resource Server Resource Consumer Access Request (incl. Token) Authorization Request 5/17/ IETF #79, OAuth Tutorial Beijing User Interface Token Format And Content Authz Server Interaction Data ExchangeAuthentication Request Security

Web Server Flow

5/17/201526IETF #79, OAuth Tutorial Beijing

Security A little bit about OAuth security…

OAuth Profiles Token Request Work Areas User User Agent Authorization Server Resource Server Resource Consumer Access Request (incl. Token) Authorization Request 5/17/ IETF #79, OAuth Tutorial Beijing User Interface Token Format And Content Authz Server Interaction Data ExchangeAuthentication Request Security

“Bearer Token” TLS Resource Consumer Resource Server Authorization Server Request Token

“Message Signing” Request Token, {Request}SK,{SK} Bob Token,SK, {SK}Bob TLS Resource Consumer Resource Server Authorization Server

Conclusion Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments. –Usage for non-Web based applications has been proposed as well. Work is in progress and re-chartering will expand the work to include new features and use cases as well as security. Join the OAuth mailing list at to make your contribution. 5/17/2015IETF #79, OAuth Tutorial Beijing31

Backup Slides 5/17/2015IETF #79, OAuth Tutorial Beijing32

JavaScript Flow (User Agent Flow in Draft)

5/17/201534IETF #79, OAuth Tutorial Beijing

Native Application Flow

5/17/201536IETF #79, OAuth Tutorial Beijing

Autonomous Flow

5/17/201538IETF #79, OAuth Tutorial Beijing

Device Flow

5/17/201540IETF #79, OAuth Tutorial Beijing

5/17/201541IETF #79, OAuth Tutorial Beijing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.