Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Published byMay Lambert Modified over 8 years ago

Similar presentations

Presentation on theme: "Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem."— Presentation transcript:

1 Hannes Tschofenig, Blaine Cook

2 6/4/2016 IETF #77, SAAG 2 The Problem

3 6/4/2016 IETF #77, SAAG 3

4 6/4/2016 IETF #77, SAAG 4 The OAuth Approach

5 6/4/2016 IETF #77, SAAG 5

6 6/4/2016 IETF #77, SAAG 6 User Authenticated by Service Provider

7 6/4/2016 IETF #77, SAAG 7 User Authorizes Consumer to access Service

8 6/4/2016 IETF #77, SAAG 8 Consumer calls the Service Provider API

9 6/4/2016 IETF #77, SAAG 9 History

10 6/4/2016 IETF #77, SAAG 10 History November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need. December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.Google group July 2007: OAuth 1.0 (with code for major programming languages) September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows) Deployment of OAuth well on it’s way: http://wiki.oauth.net/ServiceProviders http://wiki.oauth.net/ServiceProviders

11 6/4/2016 IETF #77, SAAG 11 History, cont. 1 st OAuth BOF (Minneapolis, November 2008, IETF#73) – BOF Chairs: Sam Hartman, Mark Nottingham – BOF went OK but a couple of charter questions couldn’t be resolved. 2 nd OAuth BOF (San Francisco, March 2009, IETF#74) – BOF Chairs: Hannes Tschofenig, Blaine Cook – Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting IETF wide review of the OAuth charter text (28 th April 2009) – Announcement: http://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.htmlhttp://www.ietf.org/mail-archive/web/ietf- announce/current/msg06009.html OAuth working group was created (May 2009) – Chairs: Blaine Cook, Peter Saint Andre Feb 2010: 'The OAuth 1.0 Protocol ‘ approved as Informational RFC: – http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html

12 6/4/2016 IETF #77, SAAG 12 The Protocol * requesting a token * presenting the token

13 6/4/2016 IETF #77, SAAG 13 Presenting a Token A  B: HTTP || Token [|| {Header, …, timestamp} key ] A  B: HTTP (200 OK) Questions: – What is signed and how? – Where does the token come from? – Where does the key come from?

14 6/4/2016 IETF #77, SAAG 14 Signatures Used to show ownership of token. 'The OAuth 1.0 Protocol‘ – http://www.ietf.org/internet-drafts/draft-hammer-oauth-10.txt http://www.ietf.org/internet-drafts/draft-hammer-oauth-10.txt Signatures based on symmetric & asymmetric key supported: – HMAC-SHA1 – RSA-SHA1 No signature = “bearer token”/ PLAINTEXT Extensions exist that sign other parts of the message: – OAuth Request Body Hash: http://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00 http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html – Going beyond HTTP  OAuth over XMPP http://xmpp.org/extensions/xep-0235.html

15 6/4/2016 IETF #77, SAAG 15 The Protocol * requesting a token * presenting the token

16 6/4/2016 IETF #77, SAAG 16 Requesting a Token Different ways to get a token exist. Example: WRAP – A  KDC: HTTP (get request access token) || credentials – A  KDC: Access Token [, Expires in] (also offers the approach of using a refresh token exchange) Example: OAuth 1.0 – A  B: HTTP (get request token) || credentials – A  B: request token > – A  B: HTTP (get access token) || request token – A  B: access token Other “flows” have been specified in WRAP Various authentication mechanisms specified.

17 6/4/2016 IETF #77, SAAG 17 Token

18 6/4/2016 IETF #77, SAAG 18 Token The token format is not standardized. Out-of-scope: *which* permissions were granted, and *how* those permissions are enforced Token may be created with constraints, for example regarding lifetime – OAuth 1.0 does not specify anything with this regard – WRAP http://tools.ietf.org/id/draft-hardt-oauth-01.txt provides a expires_in parameter.http://tools.ietf.org/id/draft-hardt-oauth-01.txt

19 6/4/2016 IETF #77, SAAG 19 Summary Work on delegated authentication in the APPs area in the OAuth group. OAuth 1.0: Community version published OAuth 2.0: Fusing WRAP, initial OAuth 2.0 OAuth WG met Monday afternoon. Interim meeting will be scheduled. Participation and early feedback desired, especially from security community

Download ppt "Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem."

Similar presentations

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.
Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.

Open Extensible Proxy Services BOF Session 49th IETF, San Diego Chairs: Michael Condry, Hilarie Orman.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig.

A SASL and GSS-API Mechanism for OAuth draft-ietf-kitten-sasl-oauth-00 draft-ietf-kitten-sasl-oauth-00 William Mills Tim Showalter Hannes Tschofenig.
Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –

Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Internet Research Task Force Crypto Forum Research Group IETF 89 March 3, 2014 London List: Chairs:

Internet Research Task Force Crypto Forum Research Group IETF 89 March 3, 2014 London List: Chairs:
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
MANET Where are we? Where are we going? Adrian Farrel Routing AD Honolulu – November 2015 – IETF-91.

MANET Where are we? Where are we going? Adrian Farrel Routing AD Honolulu – November 2015 – IETF-91.

Similar presentations

Ads by Google