Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Published byPeregrine Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)."— Presentation transcript:

1 Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)

2 Acknowledgements I would like to thank to Pasi Eronen. We are re-using some of his slides in this presentation. 5/17/2015IETF #79, OAuth Tutorial Beijing2

3 5/17/2015IETF #79, OAuth Tutorial Beijing3 The Problem: Secure Data Sharing

4 5/17/2015IETF #79, OAuth Tutorial Beijing4

5 5/17/2015IETF #79, OAuth Tutorial Beijing5 Example OAuth Exchange

6 Entities User Agent (Web Browser) Authorization Server (Yahoo) User Resource Server (Yahoo) Resource Consumer (LinkedIn) Access Request (incl. Token) Token request Authorization Request 5/17/20156IETF #79, OAuth Tutorial Beijing

7 5/17/2015IETF #79, OAuth Tutorial Beijing7 User navigates to Resource Client

8 5/17/2015IETF #79, OAuth Tutorial Beijing8 User authenticated by Authorization Server

9 5/17/20159 User authorizes Resource Consumer to access Resource Server IETF #79, OAuth Tutorial Beijing

10 5/17/2015IETF #79, OAuth Tutorial Beijing10 Resource Client calls the Resource Server API

11 Remark: Authentication Yahoo in our example may outside the authentication part to other providers (e.g. using OpenID). Authorization Server and Resource Server do not need to be operated by the same entity. 5/17/2015IETF #79, OAuth Tutorial Beijing11

12 Remark: Authorization Asking the user for consent prior to share information is considered privacy-friendly. User interfaces for obtaining user content may not always be great. 5/17/2015IETF #79, OAuth Tutorial Beijing12

13 Remark: Authorization, cont. 5/17/2015IETF #79, OAuth Tutorial Beijing13

14 Remark: Authorization, cont.

15 5/17/2015IETF #79, OAuth Tutorial Beijing15

16 Remark: Prior-Registration Many Resource Server require registration of Resource Client’s prior to usage. Example: http://developer.cliqset.com/apihttp://developer.cliqset.com/api 5/17/2015IETF #79, OAuth Tutorial Beijing16

17 Remark, cont. 5/17/2015IETF #79, OAuth Tutorial Beijing17

18 5/17/2015IETF #79, OAuth Tutorial Beijing18 History

19 5/17/2015IETF #79, OAuth Tutorial Beijing19 History November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.Google group July 2007: OAuth 1.0 (with code for major programming languages) September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) Deployment of OAuth well on it’s way: http://wiki.oauth.net/ServiceProviders http://wiki.oauth.net/ServiceProviders

20 5/17/2015IETF #79, OAuth Tutorial Beijing20 History, cont. 1 st OAuth BOF (Minneapolis, November 2008, IETF#73) –BOF Chairs: Sam Hartman, Mark Nottingham –BOF went OK but a couple of charter questions couldn’t be resolved. 2 nd OAuth BOF (San Francisco, March 2009, IETF#74) –BOF Chairs: Hannes Tschofenig, Blaine Cook –Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting IETF wide review of the OAuth charter text (28 th April 2009) –Announcement: http://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.htmlhttp://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.html OAuth working group was created (May 2009) –Chairs: Blaine Cook, Peter Saint Andre Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: –http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.htmlhttp://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html

21 History, cont. March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine’s co-chair. March 2010: IETF OAuth meeting in Anaheim April 2010: OAuth 2.0 published co-authored by Eran, Dick, David.draft-ietf-oauth-v2-00.txt May 2010: First OAuth interim meeting co-located with IIW to discuss open issues. July 2010: Maastricht IETF meeting November 2010: Document split into “abstract” specification and separate bearer token and message signing specification. November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth 5/17/2015IETF #79, OAuth Tutorial Beijing21

22 Entities User Agent Authorization Server User Resource Server Resource Consumer Access Request (incl. Token) Token request Authorization Request 5/17/201522IETF #79, OAuth Tutorial Beijing

23 Scope of the OAuth WG Currently only one working group item: –http://tools.ietf.org/html/draft-ietf-oauth-v2http://tools.ietf.org/html/draft-ietf-oauth-v2 –Unlike OAuth v1.0 it does not contain signature mechanisms We have a punch of other documents as individual items –Providing security related extensions –User interface considerations –Token formats –Token by reference –Use case descriptions –Other OAuth profiles 5/17/2015IETF #79, OAuth Tutorial Beijing23

24 OAuth Profiles Token Request Work Areas User User Agent Authorization Server Resource Server Resource Consumer Access Request (incl. Token) Authorization Request 5/17/201524 IETF #79, OAuth Tutorial Beijing User Interface Token Format And Content Authz Server Interaction Data ExchangeAuthentication Request Security

25 Web Server Flow

26 5/17/201526IETF #79, OAuth Tutorial Beijing

27 Security A little bit about OAuth security…

28 OAuth Profiles Token Request Work Areas User User Agent Authorization Server Resource Server Resource Consumer Access Request (incl. Token) Authorization Request 5/17/201528 IETF #79, OAuth Tutorial Beijing User Interface Token Format And Content Authz Server Interaction Data ExchangeAuthentication Request Security

29 “Bearer Token” TLS Resource Consumer Resource Server Authorization Server Request Token

30 “Message Signing” Request Token, {Request}SK,{SK} Bob Token,SK, {SK}Bob TLS Resource Consumer Resource Server Authorization Server

31 Conclusion Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments. –Usage for non-Web based applications has been proposed as well. Work is in progress and re-chartering will expand the work to include new features and use cases as well as security. Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution. http://datatracker.ietf.org/wg/oauth/charter/ 5/17/2015IETF #79, OAuth Tutorial Beijing31

32 Backup Slides 5/17/2015IETF #79, OAuth Tutorial Beijing32

33 JavaScript Flow (User Agent Flow in Draft)

34 5/17/201534IETF #79, OAuth Tutorial Beijing

35 Native Application Flow

36 5/17/201536IETF #79, OAuth Tutorial Beijing

37 Autonomous Flow

38 5/17/201538IETF #79, OAuth Tutorial Beijing

39 Device Flow

40 5/17/201540IETF #79, OAuth Tutorial Beijing

41 5/17/201541IETF #79, OAuth Tutorial Beijing

Download ppt "Hannes Tschofenig, Blaine Cook (IETF#79, Beijing)."

Similar presentations

71 th IETF meeting Experience of implementing NETCONF over SOAP ( draft-iijima-netconf-soap-implementation-06) Tomoyuki Iijima, Yoshifumi Atarashi, Hiroyasu.

71 th IETF meeting Experience of implementing NETCONF over SOAP ( draft-iijima-netconf-soap-implementation-06) Tomoyuki Iijima, Yoshifumi Atarashi, Hiroyasu.
Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.

Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.

ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
SAML Right Here, Right Now Hal Lockhart September 25, 2012.

SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Doc: 11-03-0763-00-0000 Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
IPv6 WORKING GROUP (IPNGWG) March 2001 Minneapolis IETF Bob Hinden / Nokia Steve Deering / Cisco Systems Co-Chairs.

IPv6 WORKING GROUP (IPNGWG) March 2001 Minneapolis IETF Bob Hinden / Nokia Steve Deering / Cisco Systems Co-Chairs.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.
IETF Trade WG Adelaide, South Australia 29 March 2000 Donald E. Eastlake, 3rd

IETF Trade WG Adelaide, South Australia 29 March 2000 Donald E. Eastlake, 3rd
DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.

DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.

Similar presentations

Ads by Google