Andrew Davidoff
Senior Software Development Engineer (Test)
Microsoft Corporation
Introduction to OAuth
What drives the need?
Versions of OAuth
Authentication vs. Authorization
Limited and controlled -- granted by the user
Your app gets its own delegation credential (access token)
FlickrAuth, Google AuthSub, Yahoo BBAuth
Something you know
Something you have
Something you are
Are you allowed to do what you are trying to do?
Four roles in OAuth 2
Types of Clients
Logical flow
Resource Owner: End-user or other entity capable of granting access to the protected resources.
Resource Server: Server that hosts the protected resources. Example: SkyDrive
Authorization Server: Server that authenticates the client and issues access tokens. Example: Microsoft account server
Client: Application making protected resource requests to the Resource Server. Example: Microsoft Office / http://www.mybirthdayreminders.aspx
Private client: Can and must keep its credentials confidential
Public client: Can’t keep its credentials confidential
Logical flow (diagram; actors: Resource Owner, Client, Authorization Server, Resource Server)
1 Authorization Request
2 Authorization Grant
3 Request access token
4 Issue access token
5 Request resource
6 Serve Request
Authorization Code Grant
Implicit Grant
Follows a redirection-based flow
Uses an authorization code as an intermediate credential
Optimized for private clients
Allows renewal of access tokens
Allows client authentication
Example client registration (from the slide):
• Site: http://www.pandaemonium.com
• Client type: Private
• Redirect URI: http://www.pandaemonium.com/callback.aspx
• Client ID: 000000004C0EC707
• Client secret: PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG
Authorization Code Grant sequence (diagram; actors: Resource Owner, User Agent, Client, Authorization Server; arrow labels 1a–1c, 2a–2d, 3a–3b, 4, 5, R-1, R-2)
1 User-agent loads the client, which redirects it to the authorization server. Authorization request parameters:
  • response_type=“code”
  • client_id
  • *redirect_uri
  • *scope
  • *state
2 User authenticates into the authorization server, reviews and grants the client’s request for permissions
3 Authorization server redirects the user-agent to the redirect_uri. Redirect parameters:
  • code
  • *state
4 Client sends the authorization code to the authorization server. Token request parameters:
  • grant_type=“authorization_code”
  • code
  • *redirect_uri
  • *client_id
5 Authorization server sends the access token to the client
R-1 Client sends refresh token to the authorization server
R-2 Client gets back a new access token
Example (diagram): the client Pandaemonium.com/pandafy acting for the resource owner (user). Messages shown: “Request for user’s pictures (includes access token)”, “User’s pictures”, “Pandafied pics!”
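A client-side walk-through of the Authorization Code Grant steps above, together with the access-token-bearing resource request from the pandafy diagram, as an added example that is not code from the slides or from Microsoft. It builds and checks the OAuth 2 messages offline, without any network calls. The endpoint URLs and the scope are placeholders; client_id and redirect_uri are the registration values from the slide; the code and token strings at the bottom are constructed.

```python
"""Authorization Code Grant messages (RFC 6749 section 4.1), built and parsed
offline. Added example: endpoint URLs are placeholders, client_id and
redirect_uri are the example registration values from the slides, and the
code/token values used at the bottom are constructed."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://authz.example/authorize"  # placeholder endpoint
TOKEN_ENDPOINT = "https://authz.example/token"      # placeholder endpoint
CLIENT_ID = "000000004C0EC707"                      # client id from the slides
REDIRECT_URI = "http://www.pandaemonium.com/callback.aspx"  # redirect_uri from the slides


def new_state() -> str:
    """Unguessable per-request value the client stores in the user's session
    before step 1 and compares against when the redirect arrives in step 3."""
    return secrets.token_urlsafe(24)


def build_authorization_url(state: str, scope: str) -> str:
    """Step 1: URL the client redirects the user-agent to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: the authorization server redirected the user-agent to
    redirect_uri?code=...&state=... . Returns the code; raises ValueError if
    the state does not match the value stored for this session (the redirect
    was not started by this session) or if the server reported an error."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"authorization server error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Step 4: form body the client POSTs to the token endpoint. The code is
    single-use; redirect_uri must equal the one sent in step 1."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def client_basic_auth(client_secret: str) -> dict:
    """Client authentication for a private client (RFC 6749 section 2.3.1):
    HTTP Basic with client_id:client_secret, sent with steps 4 and R-1.
    (The RFC form-encodes both values first; these values are unaffected.)"""
    raw = f"{CLIENT_ID}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def build_refresh_request(refresh_token: str) -> dict:
    """Step R-1: exchange the refresh token for a new access token (R-2)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}


def resource_request_headers(access_token: str) -> dict:
    """Request to the resource server: the access token travels as a bearer
    credential in the Authorization header rather than in the URL, where it
    would end up in server and proxy logs."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    state = new_state()
    print("step 1:", build_authorization_url(state, "photos.read"))  # constructed scope
    # Constructed step-3 redirect, in the form the user-agent would deliver it.
    callback = f"{REDIRECT_URI}?code=c0nstructedC0de&state={state}"
    code = parse_callback(callback, state)
    print("step 4:", build_token_request(code))
    print("R-1:", build_refresh_request("constructed-refresh-token"))
    print("resource:", resource_request_headers("constructed-access-token"))
```

The state value is what ties step 3 back to step 1: a redirect whose state does not match the value stored in the user's session is dropped rather than exchanged for a token.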
Redirection-based flow
Does not involve intermediate credentials
Optimized for public clients
Does not support client authentication
Many native (desktop or mobile) clients use this grant
Implicit Grant sequence (diagram; actors: Resource Owner, User Agent, Client, Authorization Server; arrow labels 1a–1b, 2a–2d, 3, 4)
1 Client navigates the user-agent to the authorization server. Authorization request parameters:
  • response_type=“token”
  • client_id
  • *redirect_uri
  • *scope
  • *state
2 User authenticates into the authorization server then reviews and grants the client’s request for permissions
3 Authorization server redirects the user-agent to (redirect_uri)#access_token. Fragment parameters:
  • access_token
  • token_type
  • *expires_in
  • *scope
  • *state
4 Native client detects the redirect and extracts the access token
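Step 4 of the Implicit Grant, extracting and checking the token that arrives in the URL fragment, as an added example that is not code from the slides or from Microsoft. Because the fragment is never sent in the HTTP request, only code running inside the user-agent (the native or browser client) can read it, and the client has to check state, token_type, expires_in and the granted scope itself. redirect_uri is the slide's example value; the token strings, scope names and clock values are constructed.

```python
"""Implicit Grant response handling (RFC 6749 section 4.2). Added example:
the authorization server redirects the user-agent to
redirect_uri#access_token=...&token_type=...&expires_in=...&scope=...&state=...
and the client reads the token out of the fragment. redirect_uri is the slides'
example value; token values and the clock used below are constructed."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

REDIRECT_URI = "http://www.pandaemonium.com/callback.aspx"  # from the slides


@dataclass
class AccessToken:
    token: str
    token_type: str
    scope: Optional[str]
    expires_at: Optional[float]  # absolute time computed from expires_in

    def is_expired(self, now: Optional[float] = None) -> bool:
        """True once the lifetime announced in expires_in has passed. A token
        without expires_in is treated as non-expiring by this check."""
        if self.expires_at is None:
            return False
        return (time.time() if now is None else now) >= self.expires_at


def parse_fragment_response(redirected_url: str, expected_state: str,
                            now: Optional[float] = None) -> AccessToken:
    """Step 4: extract the access token from the fragment of the URL the
    user-agent was redirected to. The fragment is not sent by the browser in
    the HTTP request, so only code running in the user-agent can read it."""
    parsed = urlparse(redirected_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect did not land on the registered redirect_uri")
    if not parsed.fragment:
        raise ValueError("no fragment: the implicit grant returns the token after '#'")
    params = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this response was not requested by this session")
    if "error" in params:
        raise ValueError(f"authorization server error: {params['error']}")
    if params.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type {params.get('token_type')!r}")
    if "access_token" not in params:
        raise ValueError("fragment carries no access_token")
    expires_in = params.get("expires_in")
    started = time.time() if now is None else now
    expires_at = started + int(expires_in) if expires_in is not None else None
    return AccessToken(token=params["access_token"], token_type="bearer",
                       scope=params.get("scope"), expires_at=expires_at)


def scope_granted(token: AccessToken, requested: str) -> bool:
    """The server may grant fewer scopes than requested and reports that in
    the scope parameter; the client checks before relying on a permission."""
    if token.scope is None:
        return True  # scope omitted means the requested scope was granted
    return set(requested.split()).issubset(token.scope.split())


if __name__ == "__main__":
    state = "constructed-state-123"
    url = (f"{REDIRECT_URI}#access_token=constructedT0ken&token_type=bearer"
           f"&expires_in=3600&scope=photos.read&state={state}")
    tok = parse_fragment_response(url, state)
    print(tok)
    print("expired:", tok.is_expired(), "photos.read granted:", scope_granted(tok, "photos.read"))
```

Recording expires_at as an absolute time at parse time lets the client know when to send the user back through the flow, since the Implicit Grant issues no refresh token.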
http://tools.ietf.org/html/rfc6749
http://tools.ietf.org/html/rfc6819
http://msdn.microsoft.com/en-us/library/live/hh243647.aspx
http://msdn.microsoft.com/en-us/library/fp142382(v=office.15).aspx
http://openid.net/connect/