APIdays San Francisco 31 Jul 2018 https://oauth.io Describe what, why and how of OAuth2 Provide an easy way to remember all OAuth2 grant types/flow through a 'spot the difference' image comparing all the 4 grant types. Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side. Introduce the new identity layers in OAuth2 that offer authentication on top of authorization - OpenId Connect and IndieAuth Describes the role of OAuth.io in: 1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints 2. Accelerating adoption of new OAuth2 standards by providing a shim layer to implement those standards on behalf of OAuth providers

1. The Many Flavors of OAuth
Khor Soon Hin - OAuth.io
APIdays San Francisco
31 Jul 2018

2. Big Picture
Difference in implementation
. . .
Standard
Implementations

3. Big Picture
Difference in adoption rate
. . .
Standard
Implementations

4. Developer and Provider Confusion

5. At the end of the talk . . .
● Understand and/or remember OAuth2 better
○ Goal, purpose, example
● The standard and yet different flavors of OAuth2
○ OAuth2 grant types
○ OAuth2 parameters/urls
● The new flavors of OAuth2 - authentication
○ Identity layers
● The evangelist - OAuth.io
○ Standardize implementation
○ Push adoption new standards

6. Understand/Remember OAuth2

7. OAuth2: Goal
Empower a user to give authorization to a service to access her resource

8. OAuth2: Purpose
Make life better!

9. OAuth2: Example
Google Home (service) shops Amazon Store with your account through voice

10. OAuth2: It is All About the Key
2-step flow:
1. Get authorization key
2. Use authorization key

11. The OAuth2 Standard

12. Spot The Difference!

13. OAuth2 Grant Type Magic Diagram

14. OAuth2 Grant Type Magic Diagram (With Labels)
Client Credential Authorization Code
Resource Owner Password Credential Implicit

15. Which Grant Type is Best?
Condition Grant Type/Flow
If user and service is the same entity Client Credential
If main logic is in backend, while front-end
is presentation only
Authorization Grant
Single-page application (SPA) or a native
app, and interacts with resource directly
Implicit
Service can be fully trusted Resource Owner Password
Credential
Security: 3
Security: 3
Security: 2
Security: 1
Ease: 1
Ease: 3
Ease: 1
Ease: 1

16. OAuth2: Grant Type Flows Has 2 Parts
Part 1:
● Get Key
Part 2:
● Use Key

17. OAuth2 Flow Part 1: Get Key
1. Service pre-register with user resource owner
2. User authenticate credentials
3. User choose permission
4. User/Agent get the code
5. Agent/Service Get the key

18. OAuth2 Flow Part 1: Get Key
Client Credential Authorization CodeResource Owner Password Credential Implicit

19. OAuth2 Flow Part 2: Use Key
I am authorized to request

20. There are Too Many OAuths
Mehdi (OAuth.io founder)
There is OAuth 1 and OAuth 2
IETF Standards

21. Big Picture
Difference in implementation
. . .
Standard
Implementations

22. OAuth2: URL Variations
Authorize
● access.line.me/oauth2/v2.1/authorize
● accounts.google.com/o/oauth2/auth
● api.login.yahoo.com/oauth2/request_auth

23. OAuth2: HTTP Header Variations
Access Token
● Authorization: Basic !BASE64{client_id}:{client_secret}!BASE64
● POST { client_id: CLIENT_ID, client_secret: CLIENT_SECRET }
Request
● Authorization: Bearer TOKEN
● Authorization: OAuth TOKEN

24. OAuth2: Scope Specification Variations
Authorize
● scope=email%20publish
● scope=email,publish
● scope=email;publish
● scope=email:publish
● scope=email|publish
● scope=read_only or scope=read_write

25. Big Picture
Difference in implementation
. . .
Standard
Implementations
OAuth connect buttons

26. OAuth2: Developer and Provider Confusion

27. OAuth.io
Standardize OAuth2 implementation
. . .
Standard
Implementations
OAuth connect buttons
OAuth.io

28. OAuth2 Simplified
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('facebook', function(provider) {
alert('Access Token:' + provider.access_token);
// Do something
}

29. OAuth2 Simplified
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('twitter', function(provider) {
alert('Access Token:' + provider.access_token);
// Do something
}

30. OAuth2 Simplified
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('google', function(provider) {
alert('Access Token:' + provider.access_token);
// Do something
}

31. OAuth.io To the Rescue!
Value for developers
● Standardized OAuth 1/2
Value for providers
● Reduced customer support calls

32. New Flavors of OAuth2: Authentication

33. OAuth: Open Authorization

34. OAuth2: Identity Layers For Authentication
● Abuse of OAuth2 for authentication
○ OpenID Connect (OIDC)
● The evolution of decentralized identity
○ IndieAuth

35. The Identity Layers on OAuth2

36. Abuse of OAuth2 for Authentication

37. OAuth2 Works Great for Authorization
Like spoon for drinking soup!

38. Why not use it for Authentication too?
Like spoon for spaghetti
● Convenient
● But messy!

39. OAuth2: For Authorization
Authorized to act as user
Buy on Amazon
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

40. OAuth2: For Authentication
DB
Authenticated as owner
Get purchase history

41. OAuth2: For Authentication Mess!
DBDB
Key Used For
Authentication Elsewhere
Authenticated as owner
Get purchase history
Authorized to act as user
Stream Amazon music on TV

42. OAuth2: Intended Recipient For Authentication
Key CANNOT Be Used
Elsewhere
Authorized to act as user
DBDB
Key with intended recipient
Stream Amazon music on TV

43. OAuth2: OpenID Connect
id_token
● JWT (JSON Web Token) containing recipient of key
● Returned and tied to access token

44. OAuth.io
Promoting adoption of new standards
. . .
Standard
Implementations
OAuth connect buttons
OAuth.io

45. OAuth.io To the Rescue!
Value for developers
● Use the latest standards whenever ready
Value for providers
● Shim to implement latest standards on their behalf

46. The Evolution of Decentralized Identity

47. IndieWeb
https://indieweb.org
● What you post is yours [setup required]
● Nobody controls what you post [setup required]
● You are better connected [integration required]
○ Post to any silos (FB, twitter, etc.) - POSSE
○ All interactions goes back to you and not siloed (FB, twitter, etc.) - webmention
You already have an identity on this server
Why not use it for every service on the web

48. IndieAuth
https://indieweb.org/indieauth
● Take back control of your identity
○ Determine what type of authentication: password, fingerprint, etc.
○ Determine what you want to share about yourself, and revoke as required
■ Right-to-be-forgotten (GDPR)

49. Identity: NASCAR Problem
But millions of time worse with ‘Login as You’

50. IndieAuth: OpenID All Over Again

51. OAuth2 Flow Part 1: Get Key
Pre-register required

52. IndieAuth: Dynamic Discovery & No Registration
https://indieauth.spec.indieweb.org/#discovery-1 (Editor’s draft - 7 July 2018)
example.org
https://example.org
/
/auth
/token
client_id=service-url
redirect_url=subdomain-service-url
client_id=service-url
code=xxxxxx
redirect_url=subdomain-service-url
auth & token endpoints
code
access token
No Pre-registration Required
● Derived client_id,
redirect_uri
● No client_secret

53. OpenId Connect: Dynamic Discovery & Registration
https://openid.net/specs/openid-connect-discovery-1_0.html (Final - 8 Nov 2014)
example.org
https://example.org
openid-discovery-server
auth, token, registration endpoints
/.well-known/webfinger
/.well-known/openid-configuration
openid.example.org
/register
client_id, client_secret
OAuth2/OpenId Connect Flow
Derive webfinger server name
redirect_urls

54. At the end of the talk . . .
● Understand and/or remember OAuth2 better
○ Goal, purpose, example
● The standard and yet different flavors of OAuth2
○ OAuth2 grant types
○ OAuth2 parameters/urls
● The new flavors of OAuth2 - authentication
○ Identity layers
● The evangelist - OAuth.io
○ Standardize implementation
○ Push adoption new standards

55. Thank You For Listening!
@neth_6, @oauth_io
https://oauth.io