OAuth 2.0 andinternet Standard. Torsten Lodderstedt Deutsche Telekom AG



Similar documents
OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Axway API Gateway. Version 7.4.1

ACR Connect Authentication Service Developers Guide

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

IBM WebSphere Application Server

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Globus Auth. Steve Tuecke. The University of Chicago

OAuth 2.0. Weina Ma

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Onegini Token server / Web API Platform

Enterprise Access Control Patterns For REST and Web APIs

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

OAuth: Where are we going?

Copyright Pivotal Software Inc, of 10

1. Open Thunderbird. If the Import Wizard window opens, select Don t import anything and click Next and go to step 3.

Administering Jive Mobile Apps

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Fairsail REST API: Guide for Developers

Kerberos and Single Sign On with HTTP

Building Secure Applications. James Tedrick

Using OpenID/OAuth to access

Enabling SSO for native applications

Access Your Cisco Smart Storage Remotely Via WebDAV

Title page. Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7

OAuth Guide Release 6.0

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

Creating a generic user-password application profile

Kerberos and Single Sign-On with HTTP

EHR OAuth 2.0 Security

QUICK INSTALLATION GUIDE ACTIVATE

OAuth 2.0 Workshop. On how native (mobile) devices can use OAuth protected resources

Login with Amazon. Developer Guide for Websites

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Configuration Guide - OneDesk to SalesForce Connector

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Login with Amazon. Getting Started Guide for Websites. Version 1.0

A Standards-based Mobile Application IdM Architecture

Mashery OAuth 2.0 Implementation Guide

Lecture Notes for Advanced Web Security 2015

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Single Sign On. SSO & ID Management for Web and Mobile Applications

Proxied Authentication in SSO Setups with Common OSS. Open Identity Summit 2015 Prof. Dr. René Peinl Berlin,

Comparative analysis - Web-based Identity Management Systems

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

SAML and OAUTH comparison

Mobile Security. Policies, Standards, Frameworks, Guidelines

C O N F I G U R I N G Y O U R W E B B R O W S E R TO A L L O W P O P - U P W I N D O W S

SharePoint 2013 Business Connectivity Services Hybrid Overview

UMA in Health Care: Providing Patient Control or Creating Chaos?

IceWarp Server - SSO (Single Sign-On)

The increasing popularity of mobile devices is rapidly changing how and where we

Identity Federation Broker for Service Cloud

Configuring IBM Cognos Controller 8 to use Single Sign- On

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Office365Mon Developer API

Office 365 deployment checklists

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Interwise Connect. Working with Reverse Proxy Version 7.x

Office 365 deploym. ployment checklists. Chapter 27

The Challenges of Web single sign-on

Integrating WebPCM Applications into Single Sign On (SSO) Tom Schaefer Better Software Solutions, Inc. UN 4023 V

AIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1

Cloud Elements! Events Management BETA! API Version 2.0

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Preparatory Meeting for Phase 2 of Philippine National ENUM Trial

Can We Reconstruct How Identity is Managed on the Internet?

Authentication and Authorization for Mobile Devices

This section contains information intended to help plan for SocialMiner installation and deployment.

Lecture 11 Web Application Security (part 1)

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Joining a Meeting. Before You Join a Meeting

Flexible Identity Federation

Configuring your client to connect to your Exchange mailbox

OpenID Connect 1.0 for Enterprise

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

Web Application Proxy

The Great Office 365 Adventure

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Force.com REST API Developer's Guide

Introduction to SAML

GOA365: The Great Office 365 Adventure

Defender Token Deployment System Quick Start Guide

Storage Made Easy Enterprise File Share and Sync (EFSS) Cloud Control Gateway Architecture

Single Sign-On Framework in Tizen Contributors: Alexander Kanavin, Jussi Laako, Jaska Uimonen

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle

Configuring Single Sign-on for WebVPN

DHCP Option 66 Auto Provisioning Guide

Transcription:

OAuth 2.0 andinternet Standard Protocols Torsten Lodderstedt Deutsche Telekom AG

Whatshallweaimfor? make OAuth the authorization framework of choice for any internet standard protocol, such as WebDAV, IMAP, SMTP or SIP. http://www.ietf.org/mail-archive/web/oauth/current/msg07758.html Why? Because it is Secure Easy touse Scalable General purpose(andbynomeanslimited to3rd party delegation)

OAuth 2.0 Adoption A lot of productive implementations exist Standard protocols using OAuth 2.0 OpenId Connect OpenSocial Open Mobile Alliance RESTful APIs UMA BUT perceptionofoauth seemstobe: bestsuited for protecting deployment-specific APIs Is there anything missing?

Life ofa client A Walkthrough

Example Access documentson a Website https://www.example.com/ using CURL and Web Browser BEARER authentication scheme

(1) discovertheenvironment 1. End-user runs curl with some URL referring to his documents curl https://www.example.com/documents/ 2. Web server answers HTTP/1.1 401 Authorization Required WWW-Authenticate: BEARER realm="https://www.example.com/documents" What snext? How does the client(gets to) know the authorization servers endpoint URLs? How does the client learn the authorization server s capabilities?

(1) discovertheenvironment(contd.) Discover the authorization server(options) 1. Resource s HTTP response may directly carry information 2. Application protocol specific discovery 3. Domain-specific discovery protocols 4. Full-fledged, generic discovery protocol Discover the authorization server s capabilities endpoint URLs supported extensions(e.g. revocation or registration) supported grant types

(1) discovertheenvironment(contd.) Assumptions: authorization:https://as.example.com/authz token:https://as.example.com/tokens grant types: resource owner password credentials grant types: resource owner password credentials and authorization code

What smissing? Discover authorization server

(2) Introduceclienttoserver Anonymous client is the only available option currently acceptable for resource owner password credentials (CURL) but what about authorization code or implicit typically used by native and browser apps? Assumingtheusernowtriestoaccessthe documents using a browser, the user consent would look like Some anonymous client is asking for permission to access your files at https://www.example.com/documents/?

(2) Introduceclienttoserver(contd.) User must be supported in co-relating applicationusageandauthorizationprocess, e.g. Firefox is asking for permission to access your files at https://www.example.com/documents/

(2) Introduceclienttoserver(contd.) Requireddata: name, URL, Howtopublishthisdata? Someoptions: 1. Dynamic client registration wouldalso allowtosetupclientidandsecret(or other credential) 2. Authorization request parameters 3. comparable to user agent header

What smissing? Discover authorization server Publish client meta data

(3) requestauthorization GET /authz?response_type=code&client_id=abc& state=xyz&redirect_uri=cust://oauth&scope=??? Host: as.example.com Whatwouldbean appropriatescopevalue? scope= GET or scope= HTTP_GET or scope= WebDAV_GET? Wouldbeconsistentwithtoday sstandardpractice! Most implementationshandle resourcesimplictly, scopesrepresentapi types, permissions, and/or operations Viableoptionforsingleserviceprovidersandenvironmentsoperatinga single service per API/protocol type But what about web servers? (or mail servers, file servers, ) Moreover, itdoesnot allowtocontrolaccessto(sub)setsofresources, such as directories

(3) requestauthorization(contd.) What about this? scope= https://www.example.com/documents/#get Respective authorization request: GET /authz?response_type=code&client_id=abc& state=xyz&redirect_uri=cust://oauth&scope=https%3a%2f%2 Fwww.example.com%2Fdocuments%2F%23GET Host: as.example.com

(3) requestauthorization(contd.) Need tocomeupwitha sustainableconcept ofhowtousescopes(options) 1. Best practices document 2. Design guideline 3. Standard track document defining scope scheme for HTTP-based resources 4.

What smissing? Discover authorization server Publish client meta data Scope design guideline

(4) Access resources Let sgonow but wait, cantheclientreally trust in www.example.com? Howdoesitknowthisserveristhelegitimate consumer of the access token? Whatifitisa counterfeit resourceserver? http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.6.4 Threat prevention through well-known addresses and HTTPS server authentication no longer viable

(4) Access resources(contd.) Alternative threat prevention needed (Options) 1. Put actual resource server s URL into token and validate on legitimate server 2. Proof of possession(e.g. MAC) 3. AuthservermightverifyresourceserverURL and, if required, refuse request 4. Authzservermightannouncetotheclientthe valid resource server endpoints 5.

What smissing? Discover authorization server Publish client meta data Scope design guideline Countermeasure against counterfeit resource Countermeasure against counterfeit resource servers

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information