OAuth Multiple lifetime token
by Yahoo! Japan
Copyright © 2010 Yahoo Japan Corporation. All Rights Reserved. Unauthorized quotation or reproduction prohibited.
Summary
– Proposal toward the OAuth v2 spec
  – multiple lifetime tokens (access_token & refresh_token)
  – no change to the OAuth process; only the token, lifetime and scope parameters change
– Introduction of the Yahoo! JAPAN OAuth API and its security policy
Yahoo! JAPAN OAuth APIs
Payment API ”Credit Card Payment”
Point API ”Award and use Y!Points”
Contacts API ”Read Contact List of Y!Mail”
Social API ”Read & Update Y!Profiles”
Attribute API ”Read User Attributes”
Auction API ”Bidding or Selling at Y!Auction”
Security Level of APIs
API                                   Security Level   Token Lifetime
Payment API, Y! Point API             high             short
Attribute API, Contacts API           middle           medium
Social APIs (User Status & Updates)   low              long
Current issue
– Moba-ge-town (http://yahoo-mbga.jp/) uses APIs of three security levels:
  – Social API (security level: low): Update Yahoo! Profile
  – Contacts API (security level: middle): Find Friends, Send Invitation to Friends
  – Payment API (security level: high): Purchase Avatar Item, Virtual coin
– Token expires in 2w (one lifetime for all three APIs)
Web Server Profile
Participants: User-Agent (Web browser), Client (Web App), AuthZ Server (Service Provider)
Flow:
1. Authorization Request w/ multiple scopes (Client, via User-Agent, to AuthZ Server)
2. Ask for Permission (AuthZ Server to user)
3. Access Grant (user to AuthZ Server)
4. Authorization code & multiple scopes (AuthZ Server to User-Agent)
5. Authorization code & multiple scopes (User-Agent to Client)
6. Access (and refresh) Tokens with different lifetime w/ multiple scopes (AuthZ Server to Client)
User-agent Profile
– Still needs consideration about the URL length (all tokens are returned in the redirect URL)
Participants: User-Agent (Web browser), AuthZ Server (Service Provider)
Flow:
1. Authorization Request w/ multiple scopes (User-Agent to AuthZ Server)
2. Ask for Permission (AuthZ Server to user)
3. Access Grant (user to AuthZ Server)
4. Multiple Access (or refresh) Tokens with different lifetime w/ multiple scopes (AuthZ Server to User-Agent)
Idea of multiple lifetime access token
– Manage each access token lifetime by "expires_in": scope, access_token and expires_in are space-delimited lists, and the n-th entry of each belongs together
{
  "scope": "payment social",
  "access_token": "SlAV32hkKG V2v5ehmLY",
  "expires_in": "3600 1206900"
}
payment token expires in 1h; social token expires in 2w
Idea of multiple lifetime refresh_token
– set access token lifetimes short and set refresh_token lifetimes longer
{
  "scope": "payment social",
  "access_token": "SlAV32hkKG V2v5ehmLY",
  "expires_in": "3600 3600",
  "refresh_token": "8xLOxBtZp8 7euhZh4E"
}
expires in 1h.
expires in 2w
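As an added example (not from the slides or Yahoo! JAPAN's code), a client-side parser for the two responses above: it splits the parallel space-delimited lists into one record per scope, rejects responses whose lists differ in length or repeat a scope (which would pair a token with the wrong lifetime), and picks the still-valid token for a scope at a given time. The sample bodies are the slide examples with commas added so they are valid JSON.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Token responses in the form proposed above (commas added so the samples are
# valid JSON). Each field is a space-delimited list; position i in every list
# belongs to scope i.
ACCESS_ONLY = '{"scope": "payment social", "access_token": "SlAV32hkKG V2v5ehmLY", "expires_in": "3600 1206900"}'
WITH_REFRESH = ('{"scope": "payment social", "access_token": "SlAV32hkKG V2v5ehmLY", '
                '"expires_in": "3600 3600", "refresh_token": "8xLOxBtZp8 7euhZh4E"}')


@dataclass
class ScopedToken:
    scope: str
    access_token: str
    expires_at: float          # absolute time (seconds since epoch)
    refresh_token: Optional[str]


def parse_multi_lifetime_response(body: str, now: float) -> Dict[str, ScopedToken]:
    """Split the parallel lists into one record per scope.

    `now` is the time the response was received; expires_in is relative to it.
    All lists must have the same length and scopes must be unique, otherwise the
    client could silently pair a token with the wrong scope or lifetime.
    """
    data = json.loads(body)
    scopes = data["scope"].split()
    tokens = data["access_token"].split()
    lifetimes = data["expires_in"].split()
    refreshes = data["refresh_token"].split() if "refresh_token" in data else [None] * len(scopes)
    if not (len(scopes) == len(tokens) == len(lifetimes) == len(refreshes)):
        raise ValueError("scope, access_token, expires_in and refresh_token lists differ in length")
    if len(set(scopes)) != len(scopes):
        raise ValueError("duplicate scope in response")
    return {s: ScopedToken(s, t, now + int(l), r)
            for s, t, l, r in zip(scopes, tokens, lifetimes, refreshes)}


def token_for(tokens: Dict[str, ScopedToken], scope: str, now: float) -> Optional[str]:
    """Return the access token for `scope`, or None if it is absent or expired."""
    tok = tokens.get(scope)
    if tok is None or now >= tok.expires_at:
        return None
    return tok.access_token
```

Call `parse_multi_lifetime_response(body, time.time())` when the token response arrives, and `token_for(tokens, "payment", time.time())` before each API call; a `None` result for the short-lived payment scope while the social token is still valid is exactly the behaviour the proposal is after.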