Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hannes Tschofenig, Derek Atkins

Published bySamuel Jacobs Modified over 6 years ago

Similar presentations

Presentation on theme: "Hannes Tschofenig, Derek Atkins"— Presentation transcript:

1 Hannes Tschofenig, Derek Atkins
OAuth Roadmap Hannes Tschofenig, Derek Atkins

2 Good Progress with Our Documents

3 Specifications We are making progress in the working group.
Where do we go next? Luckily we have various proposals sitting around.

4 UX http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
By David Recordon et al, Expired 1/2011 Extensions to allow client to request particular user experience at authorization endpoint Partially incorporated into OIDC Display (page, popup, etc) Prompt (added by OIDC) Preferred Locale (was “language”), in Request Object

5 JSON Based Request Object
Authorization Request currently is done only by HTTP query parameters. Use of “request” param to send JWS version of the parameters. Use of “request_uri” param to send the reference to the JWS. This is useful when complex authorization query is being issued. Make it possible to sign/sign+encrypt the request. Used in OpenID Connect and has been very stable for couple of years now. draft-sakimura-oauth-requrl-03

6 Hyperlinked OAuth Insert JSON Hyperlink to OAuth responses
Provides metadata about resources where the token can be used { "_links": { "self": { "href": "/tokens?code=asdfasdf" }, "userinfo": { "href": "/userinfo{?id_token,scope,access_token,schema}", "Authorize": "{token_type} {access_token}", "templated": true } "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJ0...NiJ9.eyJ1c...I6IjIifX0.DeWt4Qu...ZXso" Rely on the client to enforce this, just like we do today already

7 Chained Tokens http://tools.ietf.org/html/draft-richer-oauth-chain-00
In the wild implementations by DT, MITRE, AOL (sortof) Resource Server presents Access Token to Authorization Server in exchange for another Access Token to access a second Resource Server With potentially reduced scope

8 Alternate Serialization
Serialization of Token Endpoint response in XML and Form Parameters <oauth type="object"> <access_token type="string">2YotnFZFEjr1zCsicMWpAA</access_token> <token_type type="string">example</token_type> <expires_in type="number">3600</expires_in> <refresh_token type="string">tGzv3JOkF0XG5Qx2TlKWIA</refresh_token> <example_parameter type="string">example_value</example_paramter> </oauth>

9 Client Instance Expired 5/2011 Human-readable instance-specific client meta information presented at Authorization Endpoint One client_id, many instances Could be extended to machine-readable instance_id

10 Device Flow Expired 1/2011 Method for limited-input devices to get an access token & refresh token Was carved out of OAuth2 Core Relies on backend polling and out-of-band secret conveyance Torsten says this reestablishes the session fixation problem in OAuth 1.0

11 Multiple Tokens Don’t want the client to send the same access token to multiple resource servers, still want single access grant, reduce network round trips Method of getting multiple access tokens because different resource servers require different access tokens Not method to get different types of tokens Method to get distinct instances of one type of token Possible solutions: Uber refresh token w/downscoped access tokens Scope syntax to indicate need for different tokens Multiple authorization codes (implemented by DT) Token translation by OIDC UMA’s permissions/scope stuff OIDC uses distributed claims from UIE Not: access_token: foo, other_token: bar Is: access_token: [ foo, bar, baz ] { token_type: Multi refresh_token: Uber tokens: [{ token_type: Bearer access_token: fooo, _link_stuff: {} },{ token_tpe: Bear, }] }

12 Token Introspection Method for token holder to fetch information about token from the AS Usually the RS talking to the AS Usually protected by extra client credentials Existing implementations by Ping, MITRE, AOL

13 RS->AS connection Generic methods for RS know what a token is good for Token introspection, structured tokens Methods for connecting an RS to an AS (and vice versa)

14 UMA https://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
UMA is fundamentally a use case Technology could be broken/distilled into multiple using components Introduce the RS to the AS Have to tell the AS which RS the Client wants to use User has to authorize it

15 Implementations lists implementations for OAuth 1.0, and OAuth 2.0. It does, however, not aim to verify whether the implementations actually relate to the OAuth 2.0 specifications (and how much). Is there value in listing open source reference implementations?

16 Interoperability Testing Events
OpenID Connect does perform interop tests (see but the scope is about OpenID Connect rather than OAuth itself. Other forms of tests are also possible. SCIM has also set-up test servers Would further interoperability tests improve the quality of OAuth 2.0 implementations?

17 Best Current Practices
Various IIW discussions help to share best current practices but those do not get documented properly and reviewed. Examples: ID tokens vs. Access Tokens Embedded browser vs. custom URI schemes Various security practices

18 Education and Information Sharing
There is an increased interest to hear more about OAuth. Information sharing in form of presentations or articles. For examples: Presentation to NIST related to their GreenButton initiative: Article in German computer magazine by Torsten: Does it make sense to collect slides and other presentation material at a single place?

19 Next Steps Chairs will work with volunteers to prepare an interop event. We will work with volunteers to collect Slides, papers, and other resources that will be linked via the main working group page. Update WG Wiki page to list available open source implementations. We are going to encourage more dissemination efforts and will help to review.

Download ppt "Hannes Tschofenig, Derek Atkins"

Similar presentations

Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.

Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23, 2014 1.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)

TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)
OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)

OAuth Security Hannes Tschofenig Derek Atkins. State-of-the-Art Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements)
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.

Requirements for DSML 2.0. Summary RFC 2251 fidelity Represent existing directory protocols with new transport syntax Backwards compatibility with DSML.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
Web Services An introduction for eWiSACWIS May 2008.

Web Services An introduction for eWiSACWIS May 2008.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Openid Connect https://store.theartofservice.com/the-openid-connect-toolkit.html.

Openid Connect
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
Access and Query Task Force Status at F2F1 Simon Miles.

Access and Query Task Force Status at F2F1 Simon Miles.
OAuth Use Cases Zachary Zeltsan 31 March 2011. 2 Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.

OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Similar presentations

Ads by Google