Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prabath Siriwardena | Johann Nallathamby.

Published byLyndsey Smithee Modified over 10 years ago

Similar presentations

Presentation on theme: "Prabath Siriwardena | Johann Nallathamby."— Presentation transcript:

1 Prabath Siriwardena | Johann Nallathamby

2

3

4

5

6 Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.

7 Servers are required to support password authentication, despite the security weaknesses created by passwords.

8 Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.

9 Resource owners cannot revoke access to an individual third- party without revoking access to all third-parties, and must do so by changing their password.

10 Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

11

12

13

14

15

16

17 Complexity in validating and generating signatures. No clear separation between Resource Server and Authorization Server. Browser based re-redirections.

18 An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.

19 The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

20 An application making protected resource requests on behalf of the resource owner and with its authorization

21 The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization

22

23 Authorization Code Implicit Resource Owner Password Credentials Client Credentials

24 OAuth Handshake Scope

25 OAuth Handshake Scope Scope is defined by the Authorization Server. Scope indicates what resource client wants access and which actions he wants to perform on that. The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings. The strings are defined by the authorization server.

26 Confidential Client Type Web Application OAuth Handshake

27 Client Authenticates to AuthZ Server BasicAuth client_id / client_secret OAuth Handshake

28 Authorization Grant Request OAuth Handshake response_type : REQUIRED. Value MUST be set to "code". client_id : REQUIRED. The client identifier. redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server. scope : OPTIONAL. The scope of the access request. state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.

29 Authorization Grant Response OAuth Handshake code: REQUIRED. The authorization code generated by the authorization server state : REQUIRED if the "state" parameter was present in the client authorization request.

30 Access Token Request OAuth Handshake grant_type : REQUIRED. Value MUST be set to "authorization_code". code : REQUIRED. The authorization code received from the Authorization Server. redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization

31 Access Token Response OAuth Handshake access_token : REQUIRED. The access token issued by the authorization server. token_type : REQUIRED. The type of the token. Value is case insensitive. expires_in : RECOMMENDED. The lifetime in seconds of the access token

32 OAuth Handshake Scope

33 Public Client Type User Agent based Application OAuth Handshake

34 Anonymous Clients OAuth Handshake

35 Authorization Grant Request response_type : REQUIRED. Value MUST be set to ”token". client_id : REQUIRED. The client identifier. redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server. scope : OPTIONAL. The scope of the access request. state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.

36 Access Token Response OAuth Handshake access_token : REQUIRED. The access token issued by the authorization server. token_type : REQUIRED. The type of the token. Value is case insensitive. expires_in : RECOMMENDED. The lifetime in seconds of the access token scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. state : REQUIRED if the "state" parameter was present in the client authorization request

37 OAuth Handshake Scope

38 Confidential Client Type OAuth Handshake

39 BasicAuth OAuth Handshake

40 Authorization Grant Request Since the client authentication is used as the authorization grant, no additional authorization request is needed.

41 OAuth Handshake Access Token Request grant_type : REQUIRED. Value MUST be set to ”client_credentials". scope: OPTIONAL. The scope of the access request. Note : The client needs to pass BasicAuth headers or authenticate to the Authorization Server in other means.

42 Access Token Response OAuth Handshake access_token : REQUIRED. The access token issued by the authorization server. token_type : REQUIRED. The type of the token. Value is case insensitive. expires_in : RECOMMENDED. The lifetime in seconds of the access token

43 OAuth Handshake Scope

44 Confidential Client Type OAuth Handshake

45 BasicAuth OAuth Handshake

46 Authorization Grant Request The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained

47 OAuth Handshake Access Token Request grant_type : REQUIRED. Value MUST be set to ”client_credentials". username : REQUIRED. The resource owner username, encoded as UTF-8. password : REQUIRED. The resource owner password, encoded as UTF-8. scope: OPTIONAL. The scope of the access request.

48 Access Token Response OAuth Handshake access_token : REQUIRED. The access token issued by the authorization server. token_type : REQUIRED. The type of the token. Value is case insensitive. expires_in : RECOMMENDED. The lifetime in seconds of the access token

49 Runtime

50 BearerMAC

51 Runtime BearerMAC Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). Bearer

52 Request with Bearer GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer “access_token_value” Runtime http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20

53 Runtime BearerMAC HTTP MAC access authentication scheme MAC

54 Request with MAC GET /resource/1 HTTP/1.1 Host: example.com Authorization: MAC id="h480djs93hd8", ts="1336363200”, nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" Runtime http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01

55

Download ppt "Prabath Siriwardena | Johann Nallathamby."

Similar presentations

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.

The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Similar presentations

Ads by Google