Three profiles of OAuth2 for Identity and Access Management
Michael Schwartz
CEO, Gluu
Why do we have OAuth?
Not good… Client can impersonate user.
Look familiar?
OAuth 2.0--not an authentication protocol.
Using chocolate to make fudge does not make (chocolate == fudge) true.
14 RFCs, 14 Active Drafts
https://datatracker.ietf.org/wg/oauth/documents/
RFC 6749 The OAuth 2.0 Authorization Framework
RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 6755 An IETF URN Sub-Namespace for OAuth
RFC 6819 OAuth 2.0 Threat Model and Security Considerations (Errata)
RFC 7009 OAuth 2.0 Token Revocation
RFC 7519 JSON Web Token (JWT)
RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7522 SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol
RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol
RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
RFC 7662 OAuth 2.0 Token Introspection (Errata)
RFC 7800 Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
OAuth2 Roles
Scopes
http://gluu.co/google-scopes
Tokens
Bearer: s1av32hkg
JWT: header.payload.signature
HOK / Proof of Possession
Token Binding
Registration
Grants
Authorization Code
Implicit
Client Credential
Resource Owner Password Credential
Auth Code Flow Swimlane
Implicit Flow Swimlane
RO PW Cred Flow Swimlane
Token Introspection API
Authorization: Bearer s1av32hkg
{"active": true, "client_id": "l238j323ds-23ij4", "username": "jdoe", "scope": "read write dolphin"}
OpenID Connect
OpenID Connect Stack
Hybrid Flow
response_type
+ id_token
{"iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "urn:mace:incommon:iap:silver"}
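The id_token is what turns the OAuth2 flow into authentication, and the relying party has to check its claims before trusting the login. Added example (not from the talk or from Gluu): the claim checks a client performs on the id_token claims set shown above, assuming the JWS signature has already been verified against the provider's keys.

```python
import time

# Claims set copied from the slide (the OpenID Connect spec example).
# The JWS signature is assumed to have been verified before this step.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
}


def validate_id_token_claims(claims, expected_iss, client_id, expected_nonce,
                             now=None, max_age=None, clock_skew=60):
    """Return a list of validation failures (an empty list means accept).

    Covers the claim checks of OpenID Connect Core section 3.1.3.7 that
    remain after signature verification.
    """
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != expected_iss:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        errors.append("aud does not contain this client_id")
    # With several audiences, azp must name the client the token was issued to.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        errors.append("multiple aud values but azp is not this client")
    if claims.get("nonce") != expected_nonce:
        errors.append("nonce mismatch (possible replay)")
    if "exp" not in claims or now > claims["exp"] + clock_skew:
        errors.append("token expired")
    if "iat" not in claims or claims["iat"] > now + clock_skew:
        errors.append("iat is in the future")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            errors.append("authentication is older than max_age")
    if "sub" not in claims:
        errors.append("sub missing")
    return errors
```

The nonce must be the value the client generated for this authorization request and stored in its session; comparing against anything else defeats the replay check.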
Discovery
https://(host)/.well-known/openid-configuration
Dynamic Client Registration
Logout
Front Channel
Back Channel
OAuth2 Security Events WG
UMA
Example of UMA
Free Open Source?
Check out Gluu!
http://gluu.org