OAuth

Post on 25-Jun-2015

Transcript of OAuth

OAuth, introduced by 木酱

Why OAuth?

What if there were no OAuth?

“We want something like Flickr Auth / Google AuthSub / Yahoo! BBAuth, but published as an open standard, with common server and client libraries”

– Blaine Cook, April 5th, 2007

April 2010

The OAuth 1.0 Protocol http://tools.ietf.org/html/rfc5849

[Diagram: OAuth 1.0 flow between client, server, resource owner and protected resource]

1. Client -> Server: client credentials. Server -> Client: temporary credentials.
2. Client sends the resource owner to the Server with the temporary credentials; the owner authorizes and is sent back to the Client with a verifier.
3. Client -> Server: temporary credentials & verifier. Server -> Client: token credentials.
4. Client -> Server (protected resource): client & token credentials. Server -> Client: the resource.

Problems with OAuth 1.0

Sign every request: every call to the server carries a fresh signature over the whole request.

Server apps only: signing needs the client secret, which a browser or mobile app cannot keep secret.

Permanent access: token credentials do not expire, so a leaked token is good until it is revoked.

Temporary Credential Request: consumer key, signature_method, timestamp, nonce, signature

Resource Owner Authorization: temporary token

Token Request: consumer key, signature method, timestamp, nonce, signature, temporary token, verifier

Resource Request: consumer key, access token, signature method, timestamp, nonce, signature

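How the parameters on this slide are actually used on the wire: the signature base string and HMAC-SHA1 signature of RFC 5849 section 3.4, as an added example written for this page (not code from the slides). The request is the one printed in RFC 5849 section 3.4.1.1; the client secret and token secret are made up for the example, and the server-side verify() is an illustration of the check, not any particular library's API.

```python
"""OAuth 1.0 request signing (RFC 5849 section 3.4, HMAC-SHA1).

Added example for this page. It builds the signature base string from the
parameters the slide lists (consumer key, signature method, timestamp,
nonce, and the token once the client has one), signs it, and verifies a
signature the way a server would.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value: str) -> str:
    # Section 3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay bare,
    # everything else becomes %XX with upper-case hex (quote() does exactly that).
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    # Section 3.4.1.2: lower-case scheme and host, no default port, no query.
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def normalized_params(url: str, body: str, oauth_params: dict) -> str:
    # Section 3.4.1.3: query + form body + oauth_* protocol parameters
    # (never oauth_signature or realm), each name and value encoded, then
    # sorted by name and value and joined with "&".
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    return "&".join([method.upper(), percent_encode(base_string_uri(url)),
                     percent_encode(normalized_params(url, body, oauth_params))])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: key is "<client secret>&<token secret>", output is base64.
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign(method, url, body, oauth_params, client_secret, token_secret=""):
    """Client side: return the protocol parameters with oauth_signature filled in."""
    params = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, url, body, params)
    params["oauth_signature"] = hmac_sha1_signature(base, client_secret, token_secret)
    return params


def verify(method, url, body, oauth_params, client_secret, token_secret=""):
    """Server side: recompute and compare in constant time. A real server also
    rejects stale timestamps and replayed (timestamp, nonce) pairs."""
    base = signature_base_string(method, url, body, oauth_params)
    expected = hmac_sha1_signature(base, client_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# The request printed in RFC 5849 section 3.4.1.1:
#   POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1   (Host: example.com)
#   body (application/x-www-form-urlencoded): c2&a3=2+q
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",                      # excluded from the base string
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Secrets are made up for this example (the RFC example does not depend on them here).
CLIENT_SECRET, TOKEN_SECRET = "example-client-secret", "example-token-secret"


def rfc_example_base_string() -> str:
    return signature_base_string(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH)


def rfc_example_roundtrip():
    """(signature verifies, signature still verifies after the timestamp is changed)."""
    signed = sign(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH, CLIENT_SECRET, TOKEN_SECRET)
    ok = verify(RFC_METHOD, RFC_URL, RFC_BODY, signed, CLIENT_SECRET, TOKEN_SECRET)
    tampered = dict(signed, oauth_timestamp="137131299")  # any signed part changed -> reject
    return ok, verify(RFC_METHOD, RFC_URL, RFC_BODY, tampered, CLIENT_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print(rfc_example_base_string())
    print(rfc_example_roundtrip())
```

The base string is what makes "sign every time" expensive: the server has to rebuild it from the raw request (query, form body and header parameters together), keep a per-client window of seen (timestamp, nonce) pairs to stop replays, and hold the client secret, which is exactly why a browser or mobile app could never be a first-class OAuth 1.0 client.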


October 2012

The OAuth 2.0 Authorization Framework

http://tools.ietf.org/html/rfc6749

[Diagram: OAuth 2.0 authorization code flow between client, authorization server, resource owner and resource server]

1. Client -> Authorization server: client_id. The resource owner authorizes. Authorization server -> Client: auth code.
2. Client -> Authorization server: auth code. Authorization server -> Client: token & expires time & refresh token.
3. Client -> Resource server: token. Resource server -> Client: the resource.
4. Refresh the access token if expired.

Use case                   Grant type
Web server app             authorization_code
Browser-based app          implicit
Username/password access   password
Application access         client_credentials
Mobile app                 implicit

(This is the 2012 guidance of RFC 6749. RFC 8252 (2017) recommends the authorization code grant with PKCE for mobile and native apps, and the OAuth 2.0 Security Best Current Practice advises against the implicit grant for browser-based and mobile apps because it exposes the access token in the URL fragment.)

Authorization Code Grant (RFC 6749, Figure 3)

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)


Implicit Grant (RFC 6749, Figure 4)

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |         |
     |  Client |
     |         |
     +---------+


Resource Owner Password Credentials Grant (RFC 6749, Figure 5)

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     |  Client |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+


Client Credentials Grant (RFC 6749, Figure 6)

     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     |  Client |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+


Risks

Unbounded tokens: an OAuth 2.0 access token is not bound to the client that received it (OAuth 1.0 tied every request to the client secret through the signature), so a stolen token works from anywhere.

Bearer tokens: possession is proof; whoever holds the token can use it, so tokens must only ever travel over TLS.

Expiring tokens: access tokens expire, and the client must notice expiry and use the refresh token rather than keep sending a dead token.

CSRF with the attacker's code: the attacker obtains an authorization code for their own account and tricks the victim's browser into delivering it to the client's redirect URI, so the victim's session gets linked to the attacker's resources; the client must bind the state parameter to the user's session and check it on the callback (RFC 6749 section 10.12).

Q&A

You Are Welcome!