LASCON: Three Profiles of OAuth2 for Identity and Access Management

Posted on 15-Feb-2017


Category:

Technology



TRANSCRIPT

Three Profiles of OAuth2 for Identity and Access Management

Michael Schwartz
CEO, Gluu

Why do we have OAuth?

Not good… a client that is handed the user's password can impersonate the user.

Look familiar?

OAuth 2.0 is not an authentication protocol.

Using chocolate to make fudge does not make (chocolate == fudge) true.

14 RFCs, 14 active drafts

https://datatracker.ietf.org/wg/oauth/documents/

RFC 6749  The OAuth 2.0 Authorization Framework
RFC 6750  The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 6755  An IETF URN Sub-Namespace for OAuth
RFC 6819  OAuth 2.0 Threat Model and Security Considerations (has errata)
RFC 7009  OAuth 2.0 Token Revocation
RFC 7519  JSON Web Token (JWT)
RFC 7521  Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7522  SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7523  JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7591  OAuth 2.0 Dynamic Client Registration Protocol
RFC 7592  OAuth 2.0 Dynamic Client Registration Management Protocol
RFC 7636  Proof Key for Code Exchange by OAuth Public Clients
RFC 7662  OAuth 2.0 Token Introspection (has errata)
RFC 7800  Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

OAuth2 Roles

Scopes

http://gluu.co/google-scopes

Tokens

Bearer: s1av32hkg
JWT: header.payload.signature

HOK / Proof of Possession
Token Binding

Registration

Grants

Authorization Code
Implicit
Client Credentials
Resource Owner Password Credentials


Auth Code Flow Swimlane
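The swimlane on this slide shows the Authorization Code grant, and RFC 7636 (PKCE) from the RFC list is how a public client makes that grant safe against a stolen code. The following is an added example, not code from the slides or from Gluu: both sides of the exchange (client and authorization server) in pure Python, with the client, redirect URI and endpoint names constructed for the example. It shows the three checks the AS must make at the token endpoint (code is single use, code is bound to the client_id and redirect_uri it was issued for, and SHA-256 of the presented code_verifier matches the registered code_challenge), and two failure cases: an attacker who intercepts the redirect but not the verifier, and a replayed code.

```python
import hashlib
import hmac
import os
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the example (not from the slides).
CLIENT_ID = "lascon-demo-client"
REDIRECT_URI = "https://client.example.com/cb"
AUTHZ_ENDPOINT = "https://as.example.com/authorize"


def b64url(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes give 43 base64url chars."""
    return b64url(os.urandom(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """Public client (no client_secret), e.g. a native app or SPA."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier; kept locally, never sent in the front channel

    def authorization_url(self) -> str:
        state = secrets.token_urlsafe(16)  # binds the redirect to this browser session (CSRF)
        verifier = new_code_verifier()
        self.pending[state] = verifier
        params = {
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile", "state": state,
            "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
        }
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def token_request(self, redirect_url: str) -> dict:
        qs = parse_qs(urlparse(redirect_url).query)
        verifier = self.pending.pop(qs.get("state", [""])[0], None)
        code = qs.get("code", [None])[0]
        if verifier is None or code is None:
            raise ValueError("redirect does not match a request this client started")
        return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                "client_id": CLIENT_ID, "code_verifier": verifier}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # issued code -> what it was issued for

    def authorize(self, authz_url: str, authenticated_user: str = "jdoe") -> str:
        """Front channel. User authentication and consent are assumed to have happened."""
        qs = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
        if qs.get("response_type") != "code" or qs.get("code_challenge_method") != "S256":
            raise ValueError("this AS only issues codes to PKCE/S256 requests")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": qs["client_id"], "redirect_uri": qs["redirect_uri"],
                            "challenge": qs["code_challenge"], "sub": authenticated_user,
                            "scope": qs["scope"]}
        return qs["redirect_uri"] + "?" + urlencode({"code": code, "state": qs["state"]})

    def token(self, req: dict) -> dict:
        """Back channel. Code is single use and bound to client, redirect_uri and challenge."""
        rec = self.codes.pop(req.get("code"), None)  # pop: a second use finds nothing
        if rec is None or req.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if rec["client_id"] != req.get("client_id") or rec["redirect_uri"] != req.get("redirect_uri"):
            return {"error": "invalid_grant"}
        presented = code_challenge_s256(str(req.get("code_verifier", "")))
        if not hmac.compare_digest(presented, rec["challenge"]):
            return {"error": "invalid_grant"}  # RFC 7636 4.6
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def run_flow() -> dict:
    client, az = Client(), AuthorizationServer()
    redirect = az.authorize(client.authorization_url())
    return az.token(client.token_request(redirect))


def run_stolen_code() -> dict:
    """Attacker observes the redirect (the code) but not the verifier: exchange must fail."""
    client, az = Client(), AuthorizationServer()
    redirect = az.authorize(client.authorization_url())
    code = parse_qs(urlparse(redirect).query)["code"][0]
    forged = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
              "client_id": CLIENT_ID, "code_verifier": new_code_verifier()}
    return az.token(forged)


def run_replayed_code() -> dict:
    client, az = Client(), AuthorizationServer()
    req = client.token_request(az.authorize(client.authorization_url()))
    az.token(req)  # first exchange succeeds and consumes the code
    return az.token(req)


if __name__ == "__main__":
    print(run_flow())
    print(run_stolen_code())
    print(run_replayed_code())
```

The AS here refuses requests without S256, which is the posture current OAuth guidance recommends for public clients; the `plain` method of RFC 7636 exists only for clients that cannot compute SHA-256 and offers no protection if the authorization request itself is observed.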

Implicit Flow Swimlane

RO PW Cred Flow Swimlane

Token Introspection API

Authorization: Bearer s1av32hkg

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "read write dolphin"
}
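The slide shows the RFC 7662 response a resource server gets back when it asks the authorization server about the opaque bearer token `s1av32hkg`. What the slide leaves out is what the resource server does with that answer. The following is an added example, not code from the slides or from Gluu: the request-gating logic of a resource server, with the introspection call replaced by a constructed lookup table (the slide's response plus a constructed expired entry) so it runs offline. It handles the cases a practitioner has to get right: no or non-Bearer Authorization header, `active: false`, a defence-in-depth `exp` check, and scope enforcement with the RFC 6750 `WWW-Authenticate` challenge values for each outcome.

```python
import time
from typing import Callable, Dict, Iterable, Optional, Tuple, Union

# Constructed stand-in for the introspection endpoint. In production this is a POST
# (token=...) to the AS, authenticated with the resource server's own credentials
# (RFC 7662 2.1); the endpoint must never answer unauthenticated callers, or it
# becomes a token-scanning oracle.
INTROSPECTION_TABLE = {
    # the response shown on the slide
    "s1av32hkg": {"active": True, "client_id": "l238j323ds-23ij4", "username": "jdoe",
                  "scope": "read write dolphin"},
    # constructed: still reported active but with an exp long in the past
    "expired01": {"active": True, "scope": "read", "exp": 1},
    # anything else (revoked, never issued, issued by another AS) -> {"active": false}
}


def introspect_stub(token: str) -> dict:
    return INTROSPECTION_TABLE.get(token, {"active": False})


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """RFC 6750 2.1 header form. The scheme name is case-insensitive; anything else is 'no token'."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize_request(headers: Dict[str, str], required_scopes: Iterable[str],
                      introspect: Callable[[str], dict],
                      now: Optional[float] = None) -> Tuple[int, Union[str, dict]]:
    """Resource-server gate.

    Returns (401|403, WWW-Authenticate value) on failure, or (200, identity context) on success.
    `headers` is assumed to have been header-name-normalised by the web framework.
    """
    now = time.time() if now is None else now
    required = set(required_scopes)
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return 401, 'Bearer realm="api"'  # RFC 6750 3.1: no token means no error code
    info = introspect(token)
    if not info.get("active"):
        return 401, 'Bearer realm="api", error="invalid_token"'
    # Defence in depth: the AS should already report an expired token as inactive.
    if isinstance(info.get("exp"), (int, float)) and now >= info["exp"]:
        return 401, 'Bearer realm="api", error="invalid_token"'
    granted = set(info.get("scope", "").split())  # RFC 7662: space-separated string
    if not required <= granted:
        return 403, ('Bearer realm="api", error="insufficient_scope", scope="%s"'
                     % " ".join(sorted(required)))
    return 200, {"sub": info.get("sub"), "username": info.get("username"),
                 "client_id": info.get("client_id"), "scope": sorted(granted)}


if __name__ == "__main__":
    print(authorize_request({"Authorization": "Bearer s1av32hkg"}, ["read"], introspect_stub))
    print(authorize_request({"Authorization": "Bearer s1av32hkg"}, ["admin"], introspect_stub))
    print(authorize_request({}, ["read"], introspect_stub))
```

One real-world caveat: introspection costs a round trip per request, so resource servers cache the answer for a short time; the cache lifetime is then the window in which a revoked token (RFC 7009) is still accepted, and should be chosen with that in mind.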

OpenID Connect

OpenID Connect Stack

Hybrid Flow

response_type

+ id_token

{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:mace:incommon:iap:silver"
}
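The id_token above is what turns OAuth2 into an authentication protocol, but only if the client actually checks it: the signature over `header.payload.signature` (the JWT shape from the Tokens slide) and then the claims. The following is an added example, not code from the slides or from Gluu. It signs the slide's claims with HS256 using a constructed client_secret (OpenID Connect Core 10.1 specifies the client_secret as the HMAC key; real OPs more often use RS256 with keys published at the discovery document's jwks_uri, which would need a JOSE library), verifies the signature with the algorithm pinned rather than read from the token, and then runs the ID Token validation checks of OpenID Connect Core 3.1.3.7. The value of `now` is constructed to fall inside the slide token's iat..exp window.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed for this example; a real client_secret comes from client registration.
CLIENT_SECRET = b"constructed-client-secret-for-the-example-only"

# The claims shown on the slide.
SLIDE_CLAIMS = {"iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3",
                "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970,
                "auth_time": 1311280969, "acr": "urn:mace:incommon:iap:silver"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(claims: dict, key: bytes) -> str:
    """What the OP does: header.payload, then HMAC-SHA256 over that ASCII string."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Constructed attacker token: 'alg': 'none' with an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the token carries a valid HS256 MAC under `key`."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
        signing_input = f"{h}.{p}".encode("ascii")
    except ValueError:  # bad base64, bad JSON, non-ASCII: not a token we accept
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm the verifier expects; never let the token's own 'alg'
    # choose the check (this is what defeats alg=none and HS/RS key confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload


def id_token_problems(claims: dict, issuer: str, client_id: str, nonce: str,
                      now: int, leeway: int = 60) -> List[str]:
    """OpenID Connect Core 3.1.3.7 checks; returns the names of failed checks (empty == valid)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:
        problems.append("aud")
    if len(auds) > 1 and claims.get("azp") != client_id:
        problems.append("azp")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        problems.append("exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        problems.append("iat")
    if claims.get("nonce") != nonce:  # ties the token to the request this client sent (replay)
        problems.append("nonce")
    return problems


def demo(now: int = 1311281000) -> List[str]:
    """Mint, verify and validate the slide's token; constructed `now` is inside iat..exp."""
    token = mint_hs256(SLIDE_CLAIMS, CLIENT_SECRET)
    claims = verify_hs256(token, CLIENT_SECRET)
    if claims is None:
        return ["signature"]
    return id_token_problems(claims, "https://server.example.com", "s6BhdRkqt3", "n-0S6_WzA2Mj", now)


if __name__ == "__main__":
    print("valid:", demo())
    print("after expiry:", demo(now=1311282970))
    print("alg=none accepted?", verify_hs256(forge_alg_none(SLIDE_CLAIMS), CLIENT_SECRET) is not None)
```

The `aud` and `nonce` checks are the ones most often skipped, and they are exactly what separates "I received a token" from "this user authenticated to me": without `aud`, a token issued to another client can be replayed to yours; without `nonce`, a captured id_token can be replayed into a fresh session.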

Discovery

https://(host)/.well-known/openid-configuration

Dynamic Client Registration

Logout

Front Channel
Back Channel
OAuth2 Security Events WG

UMA

Example of UMA

Free Open Source?

Check out Gluu!

http://gluu.org
