OAuth

Transcript of the OAuth slides
Page 1

OAuth: an introduction by 木酱
Page 2

Why OAuth?
Page 3

What if there were no OAuth?
Page 4

“We want something like Flickr Auth / Google AuthSub / Yahoo! BBAuth, but published as an open standard, with common server and client libraries”
– Blaine Cook, April 5th, 2007
Page 5
April 2010
The OAuth 1.0 Protocol http://tools.ietf.org/html/rfc5849
Page 6

OAuth 1.0 flow (the slide's diagram, reconstructed as steps):

1. Client -> Server: client credentials. Server -> Client: temporary credentials.
2. Client -> Resource owner: redirect to the server carrying the temporary credentials; the owner authorizes at the server. Server -> Client (via the owner): verifier.
3. Client -> Server: temporary credentials & verifier. Server -> Client: token credentials.
4. Client -> Server: client credentials & token credentials. Server -> Client: the protected resource.
Page 7

Problems
Page 8

Sign every time: every request, including every protected resource request, carries its own nonce, timestamp and signature over the normalized parameters.
Server app only: the client secret used for signing has to live where the resource owner cannot read it, so browser and mobile apps cannot hold one safely.
Permanent access: token credentials have no expiry; access lasts until the server or the resource owner revokes it.
Page 9

Temporary Credential Request: consumer key, signature method, timestamp, nonce, signature
Resource Owner Authorization: temporary token
Token Request: consumer key, signature method, timestamp, nonce, signature, temporary token, verifier
Resource Request: consumer key, access token, signature method, timestamp, nonce, signature
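The signing these parameter lists imply, as an added example that is not part of the slides: an RFC 5849 HMAC-SHA1 signer for the client side and a verifier for the server side that recomputes the signature, checks the timestamp window and refuses a replayed nonce. The consumer key, secrets, token and URL are made-up values for illustration, and the default-port stripping of RFC 5849 section 3.4.1.2 is omitted.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical credentials for the example, not real ones.
CLIENT_KEY, CLIENT_SECRET = "dpf43f3p2l4k5l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"


def pct(s):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")


def base_string(method, url, params):
    """Signature base string (section 3.4.1): METHOD & base URL & normalized params."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"  # default-port stripping omitted
    pairs = list(parse_qsl(u.query, keep_blank_values=True))   # query params join the oauth_* ones
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, client_secret, token_secret=""):
    """HMAC-SHA1 signature (section 3.4.2); the key is the two secrets joined by '&'."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_request(method, url, client_key, client_secret, token=None, token_secret="", now=None):
    """Client side: a fresh nonce, timestamp and signature for every single request."""
    params = {
        "oauth_consumer_key": client_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": secrets.token_urlsafe(16),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, client_secret, token_secret)
    return params


class Verifier:
    """Server side: recompute the signature and refuse stale or replayed requests."""

    def __init__(self, clients, tokens, window=300):
        self.clients, self.tokens, self.window = clients, tokens, window
        self.seen = set()   # (consumer key, token, nonce, timestamp) already accepted

    def verify(self, method, url, params, now):
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        key, token = params.get("oauth_consumer_key", ""), params.get("oauth_token", "")
        if key not in self.clients or (token and token not in self.tokens):
            return False
        ts = params.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:   # stale or future-dated
            return False
        replay = (key, token, params.get("oauth_nonce", ""), ts)
        if replay in self.seen:                                   # same nonce seen before
            return False
        expected = sign(method, url, params, self.clients[key], self.tokens.get(token, ""))
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay)
        return True
```

The nonce set is what makes "sign every time" cost something on the server as well: it has to remember every (key, token, nonce, timestamp) tuple for at least the timestamp window, which is why the window is kept short.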
Page 12
October 2012
The OAuth 2.0 Authorization Framework
http://tools.ietf.org/html/rfc6749
Page 13

OAuth 2.0 flow (authorization code grant; the slide draws it over the 1.0 diagram, with the temporary credentials, verifier and per-request signature gone):

1. Client -> Server (via the resource owner's user agent): client_id; the owner authorizes at the server. Server -> Client: auth code.
2. Client -> Server: auth code. Server -> Client: token & expires time & refresh token.
3. Client -> Server: token. Server -> Client: the resource.
4. Refresh the access token if expired, using the refresh token.
Page 14

| Client type | Grant type |
|---|---|
| Web server app | authorization_code |
| Browser-based app | implicit |
| Username/password access | password |
| Application access | client_credentials |
| Mobile app | implicit |

(The mapping as the slide gives it. RFC 8252 and the OAuth 2.0 Security Best Current Practice have since replaced implicit for browser-based and mobile apps with the authorization code grant plus PKCE.)
Page 15

Authorization code grant (RFC 6749, Figure 3):

     +----------+
     | resource |
     |   owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
Page 16

Implicit grant (RFC 6749, Figure 4):

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |         |
     |  Client |
     |         |
     +---------+
Page 17

Resource owner password credentials grant (RFC 6749, Figure 5):

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+
Page 18

Client credentials grant (RFC 6749, Figure 6):

     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+
Page 19

Risks
Page 20

Unbounded tokens: in 1.0 every resource request carried the client credentials alongside the token; in 2.0 the access token alone is enough, so nothing binds it to the client that obtained it.
Page 21

Bearer tokens: 2.0 access tokens are sent as plain bearer tokens over TLS, with no signature, so whoever captures one can use it.
Page 22

Expiring tokens: 2.0 access tokens expire, so every client has to handle expiry and the refresh round trip.
Page 23

CSRF with the attacker's authorization code: the attacker obtains a code for their own account and gets the victim's browser to deliver it to the client's redirect URI, so the client must bind each callback to the session that started it with the state parameter.
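As an added example, not from the slides: a toy in-memory authorization server and web-server client that run the authorization code grant of the page 13 flow (code exchange, expiry, refresh) and show the check this slide calls for. The client stores a random state per browser session and rejects a callback whose state does not match, so a code the attacker obtained for their own account cannot be injected into the victim's session (RFC 6749 section 10.12). The endpoint URL, client_id, secret, redirect URI and user names are invented for the example; PKCE is not shown.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://as.example/authorize"   # hypothetical endpoint for this example


class AuthorizationServer:
    """In-memory authorization server: authorization code grant plus refresh."""
    CODE_TTL = 600      # codes are single-use and short-lived (RFC 6749: at most 10 minutes)
    ACCESS_TTL = 3600   # access token lifetime, returned as expires_in

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}          # code -> (client_id, redirect_uri, owner, issued_at)
        self.tokens, self.refresh = {}, {}   # access -> (owner, expires_at); refresh -> (client_id, owner)

    def authorize(self, query, owner, now):
        """The resource owner `owner` has authenticated and approved; build the redirect."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        if q.get("redirect_uri") != client["redirect_uri"]:   # exact match, never a prefix
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (q["client_id"], q["redirect_uri"], owner, now)
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form, now):
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code", ""), None)   # pop: a code works exactly once
            if (entry is None or entry[:2] != (form["client_id"], form.get("redirect_uri"))
                    or now - entry[3] > self.CODE_TTL):
                raise ValueError("invalid_grant")
            owner = entry[2]
        elif grant == "refresh_token":
            entry = self.refresh.pop(form.get("refresh_token", ""), None)   # rotated on use
            if entry is None or entry[0] != form["client_id"]:
                raise ValueError("invalid_grant")
            owner = entry[1]
        else:
            raise ValueError("unsupported_grant_type")
        return self._issue(form["client_id"], owner, now)

    def _issue(self, client_id, owner, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = (owner, now + self.ACCESS_TTL)
        self.refresh[refresh] = (client_id, owner)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "refresh_token": refresh}

    def resource(self, bearer, now):
        """Protected resource: a bearer token is honoured for whoever presents it."""
        entry = self.tokens.get(bearer)
        if entry is None or now >= entry[1]:
            raise PermissionError("invalid_token")
        return {"owner": entry[0]}


class Client:
    """Web-server client that keeps one pending `state` per browser session."""
    def __init__(self, client_id, secret, redirect_uri, auth_server):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.auth_server, self.pending = auth_server, {}   # pending: browser session -> state
        self.access_token, self.expires_at, self.refresh_token = None, 0, None

    def start(self, session):
        state = secrets.token_urlsafe(16)
        self.pending[session] = state
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "photos", "state": state})

    def callback(self, session, redirect_url, now):
        q = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        expected = self.pending.pop(session, None)
        # The code must belong to the login this browser session started; without this
        # check an attacker can inject a code for their own account (RFC 6749 section 10.12).
        if expected is None or not secrets.compare_digest(expected.encode(), q.get("state", "").encode()):
            raise PermissionError("state mismatch")
        self._store(self.auth_server.token({
            "grant_type": "authorization_code", "code": q.get("code", ""),
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "client_secret": self.secret}, now), now)

    def _store(self, tok, now):
        self.access_token, self.refresh_token = tok["access_token"], tok["refresh_token"]
        self.expires_at = now + tok["expires_in"]

    def fetch(self, now):
        """Call the resource, refreshing first if the access token has expired."""
        if now >= self.expires_at:
            self._store(self.auth_server.token({
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id, "client_secret": self.secret}, now), now)
        return self.auth_server.resource(self.access_token, now)
```

Three of the earlier risk slides show up in this code: `resource()` serves any holder of the bearer token, nothing in the token ties it to `Client`, and `fetch()` has to notice `expires_in` running out and use the refresh token, which the server rotates on every use.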
Page 24

Q&A
Page 25

You Are Welcome!