OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
9 likes12,065 views
1. The document discusses OAuth 2.0 and OpenID Connect for API access control and authorization. It provides a brief history of OAuth and describes the core specification and response types. 2. The core specification defines two response types - code and token. The code response type uses authorization codes to obtain access tokens in a two-step process, while the token response type returns access tokens directly. 3. The document also covers token types, notably the bearer token which transmits no signature or secret and is commonly used for API access. It notes that some providers may not follow the latest OAuth draft specifications strictly.
![Core response_type = code
Resource Owner Client Authorization Server
Initiate
Require Approval
Approve
Code
[NOTE] Facebook API returns access token in x-www-form-urlencoded
Code
Access Token
OpenSource Conference 2011](https://image.slidesharecdn.com/oauth2andopenidconnect-111118021439-phpapp02/85/OAuth-2-0-OpenID-Connect-OpenSource-Conference-2011-Tokyo-osc11tk-34-320.jpg)
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
- 1. OAuth 2.0 & OpenID Connect
- 2. @nov OpenID Foundation Japan Evangelist OAuth.jp Ruby Libraries rack-oauth2 openid_connect fb_graph OpenSource Conference 2011
- 4. Current Trend Mobile Game Social OpenID TechNight #7
- 5. Platform 3rd-party Developers OpenSource Conference 2011
- 6. API Integration Access Control for APIs OpenID TechNight #7
- 8. Using same password on 10+ services?? OpenID TechNight #7
- 9. OAuth No password sharing Limited access lifetime Expire a*er N weeks Limited access scope Status Update : OK Read Inbox : NG OpenID TechNight #7
- 10. B2B is slow though.. OpenID TechNight #7
- 11. Rough History OpenID TechNight #7
- 12. 2007.12 OAuth 1.0 OpenID TechNight #7
- 13. Twitter API OpenID TechNight #7
- 14. 2010.04 OAuth 2.0 (dra* 0) OpenID TechNight #7
- 15. Facebook Graph API OpenID TechNight #7
- 16. 2010.07 dra* 10 OpenID TechNight #7
- 17. mixi Graph API OpenID TechNight #7
- 19. 2011.09 dra* 22 OpenID TechNight #7
- 20. OAuth 1.0 OAuth 2.0 OpenSource Conference 2011
- 21. OAuth 1.0 in Japanese ju.mp/oauth1_ja OAuth 2.0 in Japanese ju.mp/oauth2_ja OpenSource Conference 2011
- 23. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
- 24. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
- 25. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
- 26. Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access Token Type Spec OpenID TechNight #7
- 27. Core Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
- 28. Core Response Type 2 Response Types in Core Code Token Extensions Code + Token and more.. OpenSource Conference 2011
- 29. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenID TechNight #7
- 30. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve client_id=...& response_type=code&Code redirect_uri=https://...& scope=... Code Access Token OpenSource Conference 2011
- 31. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenSource Conference 2011
- 32. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code Code Access Token OpenSource Conference 2011
- 33. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approvalcode=...& client_id=...& Approve client_secret=...& grant_type=authorization_code& redirect_uri=https://... Code Code Access Token OpenSource Conference 2011
- 34. Core response_type = code Resource Owner Client Authorization Server Initiate Require Approval Approve Code [NOTE] Facebook API returns access token in x-www-form-urlencoded Code Access Token OpenSource Conference 2011
- 35. Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
- 36. Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve client_id=...& response_type=token& redirect_uri=https://...& Access Token scope=... OpenID TechNight #7
- 37. Core response_type = token Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
- 38. Core Response Type Code Token Secure Efficient 2 HTTP request 1 HTTP request Require Approval Both at once Get Access Token + extensions OpenID TechNight #7
- 39. Token Type Spec Authorization Server Authorize Client Access Access Token Resource Server Resource Owner Client API Access OpenID TechNight #7
- 40. Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 + extensions OpenID TechNight #7
- 41. Token Token Type Spec Bearer MAC No signature Signature No token secret Token secret Mainstream Similar to OAuth 1.0 In most cases, you use this. + extensions OpenID TechNight #7
- 42. Token Bearer Token Access Token Response OpenID TechNight #7
- 43. Token API Access (Bearer) OpenID TechNight #7
- 44. BUT OpenSource Conference 2011
- 45. Not all API providers follow the latest dra*.. OpenSource Conference 2011
- 46. NO “token_type” Access Token Response OpenID TechNight #7
- 47. Different Scheme/Parameter OAuth oauth_token OpenID TechNight #7
- 48. #MA7 Mashup Caravan & Meetup in Kyoto
- 50. OpenID is dead!? Poor UX? URL as identifier? OpenSource Conference 2011
- 51. Lack of API access!? You need “stream access”, don’t you? OpenSource Conference 2011
- 52. OpenID Connect ~ OpenID based on OAuth 2.0 ~ OpenSource Conference 2011
- 53. ref.) slideshare.net/oid;/openidconnect-nat OpenSource Conference 2011
- 54. Authorization Server Authorize Client Access Access Token Resource Server Resource Owner API Client Access OpenID TechNight #7
- 55. Basic Flow Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
- 56. Basic Flow Resource Owner Client Authorization Server Initiate Require Approval Approve client_id=...& response_type=token+id_token& redirect_uri=https://...& Access Token scope=openid OpenID TechNight #7
- 57. Basic Flow Resource Owner Client Authorization Server Initiate Require Approval Approve Access Token OpenID TechNight #7
- 58. OAuth 2.0 + “ID Token” OpenSource Conference 2011
- 59. connect-rp.heroku.com OpenSource Conference 2011
- 60. ID Token Represent Session Information JWT-encoded JSON Object Singed using JWS Encrypted using JWE OpenSource Conference 2011
- 63. UserInfo OAuth 2.0 Protected Resource REQUIRED “profile” scope OPTIONAL “email” and “address” scopes Standardized JSON Format PoCo (Portable Contacts) + Facebook Graph API OpenSource Conference 2011
- 67. So, why these matters? OpenSource Conference 2011
- 68. Social OpenSource Conference 2011
- 69. Cloud OpenSource Conference 2011
- 70. Living in the Web OpenSource Conference 2011
- 71. Applications People Streams Access Control Identity Discovery OpenSource Conference 2011
- 72. OpenID Summit Tokyo in Tokyo, Japan December 1, 2011 OpenSource Conference 2011
- 73. twitter.com/nov slideshare.net/matake github.com/nov openid-foundation-japan.github.com OpenSource Conference 2011