SlideShare a Scribd company logo

Pushed Authorization Requests

T
Torsten Lodderstedt

Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent authorization request.

Technology
1 of 15
Download to read offline
Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par Nat Sakimura, NRI Torsten Lodderstedt, yes.com
Problem Statement ● OAuth authorization code flow sends parameters as URI query parameters via redirection in the user-agent ● Challenges ○ There is no cryptographical integrity and authenticity protection ○ There is no mechanism to ensure confidentiality of the request parameters. ○ Authorization request URLs can become quite large, especially in scenarios requiring fine-grained authorization data.
Example (OpenID for ID Assurance) https://as.example.com/authorize?response_type=code& state=af0ifjsldkj& client_id=s6BhdRkqt3& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U& code_challenge_method=S256& scope=openid& claims=%7B%22userinfo%22%3A%7B%22given_name%22%3A%7B%22essential%22%3Atrue% 7D%2C%22nickname%22%3Anull%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%2 C%22email_verified%22%3A%7B%22essential%22%3Atrue%7D%2C%22picture%22%3Anull%2 C%22http%3A%2F%2Fexample.info%2Fclaims%2Fgroups%22%3Anull%2C%22verified_claims% 22%3A%7B%22verification%22%3A%7B%22evidence%22%3A%5B%7B%22type%22%3A%7B% 22value%22%3A%22id_document%22%7D%2C%22document%22%3A%7B%22type%22%3A%7 B%22values%22%3A%5B%22idcard%22%2C%22passport%22%5D%7D%7D%7D%5D%7D%2C %22claims%22%3A%7B%22given_name%22%3Anull%2C%22family_name%22%3A%7B%22val ue%22%3A%22Meier%22%7D%2C%22birthdate%22%3Anull%2C%22place_of_birth%22%3Anull %2C%22nationality%22%3Anull%2C%22address%22%3Anull%7D%7D%7D%2C%22id_token%2 2%3A%7B%22auth_time%22%3A%7B%22essential%22%3Atrue%7D%2C%22acr%22%3A%7B %22values%22%3A%5B%22urn%3Amace%3Aincommon%3Aiap%3Asilver%22%5D%7D%7D%7 D { "userinfo":{ "given_name":{ "essential":true }, "nickname":null, "email":{ "essential":true }, "email_verified":{ "essential":true }, "picture":null, "http://example.info/claims/groups":null, "verified_claims":{ "verification":{ "evidence":[ { "type":{ "value":"id_document" }, "document":{ "type":{ "values":[ "idcard", "passport" ] } } } ] }, "claims":{ "given_name":null, "family_name":{ "value":"Meier" }, "birthdate":null, "place_of_birth":null, "nationality":null, "address":null } } }, "id_token":{ "auth_time":{ "essential":true }, "acr":{ "values":[ "urn:mace:incommon:iap:silver" ] }
Example (OAuth with authorization_details) https://as.example.com/authorize?response_type=code& state=af0ifjsldkj& client_id=s6BhdRkqt3& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8 U& code_challenge_method=S256& &authorization_details=%5B%7B%22type%22%3A%22https%3A%2F %2Fwww.someorg.com%2Fpayment_initiation%22%2C%22actions%2 2%3A%5B%22initiate%22%2C%22status%22%2C%22cancel%22%5 D%2C%22locations%22%3A%5B%22https%3A%2F%2Fexample.com %2Fpayments%22%5D%2C%22instructedAmount%22%3A%7B%22c urrency%22%3A%22EUR%22%2C%22amount%22%3A%22123.50% 22%7D%2C%22debtorAccount%22%3A%7B%22iban%22%3A%22DE 40100100103307118608%22%7D%2C%22creditorName%22%3A%22 Merchant123%22%2C%22creditorAccount%22%3A%7B%22iban%22 %3A%22DE02100100109307118603%22%7D%2C%22remittanceInfo rmationUnstructured%22%3A%22Ref%20Number%20Merchant%22% 7D%5D%0A%20%20%20 [ { "type": "https://www.someorg.com/payment_initiation", "actions":[ "initiate", "status", "cancel" ], "locations":[ "https://example.com/payments" ], "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured": "Ref Number Merchant" } ]
JWT Secured Authorization Request (JAR) ● Security: Allows sending authorization requests in signed and encrypted request objects in JWT format ● Size: request_uri allows sending just a URI referring to the request object
Pushed Authorization Requests ● New draft https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00 ● Complements JAR by providing an interoperable way to push the payload of an authorization request object directly to the AS in exchange for a "request_uri". ● Provided via new pushed authorization request endpoint ● Accepts all parameters of the authorization endpoint and leverages token endpoint authentication methods ● Authors: Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt
How does it look like?
Traditional OAuth Authorization Request GET /authorize?response_type=code& client_id=s6BhdRkqt3 &state=af0ifjsldkj& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: as.example.com
Pushed Authorization Request POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 response_type=code& client_id=s6BhdRkqt3& state=af0ifjsldkj& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Pushed Authorization Response HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", "expires_in": 90 }
Authorization Request (according to JAR) GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
Pushed Request Object POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 request=eyJraWQiOiJrMmJkYyIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cH M6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJyZXNwb25zZV90eXBlIjoiY29kZSIsImNsaWVudF9pZCI6InM2Q mhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczovL2NsaWVudC5leGFtcGxlLm9yZy9jYiIsInNjb3BlIj oiYWlzIiwic3RhdGUiOiJhZjBpZmpzbGRraiIsImNvZGVfY2hhbGxlbmdlIjoiSzItbHRjODNhY2M0aDBjOXc2R VNDX3JFTVRKM2J3dy11Q0hhb2VLMXQ4VSIsImNvZGVfY2hhbGxlbmdlX21ldGhvZCI6IlMyNTYifQ.O49f fUxRPdNkN3TRYDvbEYVr1CeAL64uW4FenV3n9WlaFIRHeFblzv-wlEtMm8-tusGxeE9z3ek6FxkhvvLEqE pjthXnyXqqyJfq3k9GSf5ay74ml_0D6lHE1hy-kVWg7SgoPQ-GB1xQ9NRhF3EKS7UZIrUHbFUCF0MsRLb mtIvaLYbQH_Ef3UkDLOGiU7exhVFTPeyQUTM9FF-u3K-zX-FO05_brYxNGLhVkO1G8MjqQnn2HpAzlBd 5179WTzTYhKmhTiwzH-qlBBI_9GLJmE3KOipko9TfSpa26H4JOlMyfZFl0PCJwkByS0xZFJ2sTo3Gkk488 RQohhgt1I0onw
Pushed Authorization Response HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y2LTC2", "expires_in": 90 }
Authorization Request (according to JAR) GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y2LTC2 HTTP/1.1
Advantages ● Significantly improved security ... ○ Request Integrity ○ Client authentication ● … and robustness … ● … while offering a simple migration path ● Higher security level by passing signed/encrypted request objects ● redirect_uri could be dynamically registered for confidential clients (ongoing discussion)

Recommended

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
Torsten Lodderstedt
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 

Recommended

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
Torsten Lodderstedt
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
Victor Rentea
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
Haniyama Wataru
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
Seid Yassin
 
Wso2 API Manager Fundamentals
Wso2 API Manager FundamentalsWso2 API Manager Fundamentals
Wso2 API Manager Fundamentals
Rajith Siriwardana
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Hyperledger Indy tutorial
Hyperledger Indy tutorialHyperledger Indy tutorial
Hyperledger Indy tutorial
ssuser3993f3
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Tatsuo Kudo
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 

More Related Content

What's hot

What's hot (20)

OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Wso2 API Manager Fundamentals
Wso2 API Manager FundamentalsWso2 API Manager Fundamentals
Wso2 API Manager Fundamentals
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
 
Hyperledger Indy tutorial
Hyperledger Indy tutorialHyperledger Indy tutorial
Hyperledger Indy tutorial
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 

Similar to Pushed Authorization Requests

The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Paul Osman
 

Similar to Pushed Authorization Requests (20)

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Full stack security
Full stack securityFull stack security
Full stack security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 

More from Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 

More from Torsten Lodderstedt (20)

OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Pushed Authorization Requests

  • 2. Problem Statement ● OAuth authorization code flow sends parameters as URI query parameters via redirection in the user-agent ● Challenges ○ There is no cryptographical integrity and authenticity protection ○ There is no mechanism to ensure confidentiality of the request parameters. ○ Authorization request URLs can become quite large, especially in scenarios requiring fine-grained authorization data.
  • 3. Example (OpenID for ID Assurance) https://as.example.com/authorize?response_type=code& state=af0ifjsldkj& client_id=s6BhdRkqt3& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U& code_challenge_method=S256& scope=openid& claims=%7B%22userinfo%22%3A%7B%22given_name%22%3A%7B%22essential%22%3Atrue% 7D%2C%22nickname%22%3Anull%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%2 C%22email_verified%22%3A%7B%22essential%22%3Atrue%7D%2C%22picture%22%3Anull%2 C%22http%3A%2F%2Fexample.info%2Fclaims%2Fgroups%22%3Anull%2C%22verified_claims% 22%3A%7B%22verification%22%3A%7B%22evidence%22%3A%5B%7B%22type%22%3A%7B% 22value%22%3A%22id_document%22%7D%2C%22document%22%3A%7B%22type%22%3A%7 B%22values%22%3A%5B%22idcard%22%2C%22passport%22%5D%7D%7D%7D%5D%7D%2C %22claims%22%3A%7B%22given_name%22%3Anull%2C%22family_name%22%3A%7B%22val ue%22%3A%22Meier%22%7D%2C%22birthdate%22%3Anull%2C%22place_of_birth%22%3Anull %2C%22nationality%22%3Anull%2C%22address%22%3Anull%7D%7D%7D%2C%22id_token%2 2%3A%7B%22auth_time%22%3A%7B%22essential%22%3Atrue%7D%2C%22acr%22%3A%7B %22values%22%3A%5B%22urn%3Amace%3Aincommon%3Aiap%3Asilver%22%5D%7D%7D%7 D { "userinfo":{ "given_name":{ "essential":true }, "nickname":null, "email":{ "essential":true }, "email_verified":{ "essential":true }, "picture":null, "http://example.info/claims/groups":null, "verified_claims":{ "verification":{ "evidence":[ { "type":{ "value":"id_document" }, "document":{ "type":{ "values":[ "idcard", "passport" ] } } } ] }, "claims":{ "given_name":null, "family_name":{ "value":"Meier" }, "birthdate":null, "place_of_birth":null, "nationality":null, "address":null } } }, "id_token":{ "auth_time":{ "essential":true }, "acr":{ "values":[ "urn:mace:incommon:iap:silver" ] }
  • 4. Example (OAuth with authorization_details) https://as.example.com/authorize?response_type=code& state=af0ifjsldkj& client_id=s6BhdRkqt3& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8 U& code_challenge_method=S256& &authorization_details=%5B%7B%22type%22%3A%22https%3A%2F %2Fwww.someorg.com%2Fpayment_initiation%22%2C%22actions%2 2%3A%5B%22initiate%22%2C%22status%22%2C%22cancel%22%5 D%2C%22locations%22%3A%5B%22https%3A%2F%2Fexample.com %2Fpayments%22%5D%2C%22instructedAmount%22%3A%7B%22c urrency%22%3A%22EUR%22%2C%22amount%22%3A%22123.50% 22%7D%2C%22debtorAccount%22%3A%7B%22iban%22%3A%22DE 40100100103307118608%22%7D%2C%22creditorName%22%3A%22 Merchant123%22%2C%22creditorAccount%22%3A%7B%22iban%22 %3A%22DE02100100109307118603%22%7D%2C%22remittanceInfo rmationUnstructured%22%3A%22Ref%20Number%20Merchant%22% 7D%5D%0A%20%20%20 [ { "type": "https://www.someorg.com/payment_initiation", "actions":[ "initiate", "status", "cancel" ], "locations":[ "https://example.com/payments" ], "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured": "Ref Number Merchant" } ]
  • 5. JWT Secured Authorization Request (JAR) ● Security: Allows sending authorization requests in signed and encrypted request objects in JWT format ● Size: request_uri allows sending just a URI referring to the request object
  • 6. Pushed Authorization Requests ● New draft https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00 ● Complements JAR by providing an interoperable way to push the payload of an authorization request object directly to the AS in exchange for a "request_uri". ● Provided via new pushed authorization request endpoint ● Accepts all parameters of the authorization endpoint and leverages token endpoint authentication methods ● Authors: Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt
  • 7. How does it look like?
  • 8. Traditional OAuth Authorization Request GET /authorize?response_type=code& client_id=s6BhdRkqt3 &state=af0ifjsldkj& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: as.example.com
  • 9. Pushed Authorization Request POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 response_type=code& client_id=s6BhdRkqt3& state=af0ifjsldkj& redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  • 10. Pushed Authorization Response HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", "expires_in": 90 }
  • 11. Authorization Request (according to JAR) GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
  • 12. Pushed Request Object POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 request=eyJraWQiOiJrMmJkYyIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR0cH M6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJyZXNwb25zZV90eXBlIjoiY29kZSIsImNsaWVudF9pZCI6InM2Q mhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczovL2NsaWVudC5leGFtcGxlLm9yZy9jYiIsInNjb3BlIj oiYWlzIiwic3RhdGUiOiJhZjBpZmpzbGRraiIsImNvZGVfY2hhbGxlbmdlIjoiSzItbHRjODNhY2M0aDBjOXc2R VNDX3JFTVRKM2J3dy11Q0hhb2VLMXQ4VSIsImNvZGVfY2hhbGxlbmdlX21ldGhvZCI6IlMyNTYifQ.O49f fUxRPdNkN3TRYDvbEYVr1CeAL64uW4FenV3n9WlaFIRHeFblzv-wlEtMm8-tusGxeE9z3ek6FxkhvvLEqE pjthXnyXqqyJfq3k9GSf5ay74ml_0D6lHE1hy-kVWg7SgoPQ-GB1xQ9NRhF3EKS7UZIrUHbFUCF0MsRLb mtIvaLYbQH_Ef3UkDLOGiU7exhVFTPeyQUTM9FF-u3K-zX-FO05_brYxNGLhVkO1G8MjqQnn2HpAzlBd 5179WTzTYhKmhTiwzH-qlBBI_9GLJmE3KOipko9TfSpa26H4JOlMyfZFl0PCJwkByS0xZFJ2sTo3Gkk488 RQohhgt1I0onw
  • 13. Pushed Authorization Response HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y2LTC2", "expires_in": 90 }
  • 14. Authorization Request (according to JAR) GET /authorize?request_uri= urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y2LTC2 HTTP/1.1
  • 15. Advantages ● Significantly improved security ... ○ Request Integrity ○ Client authentication ● … and robustness … ● … while offering a simple migration path ● Higher security level by passing signed/encrypted request objects ● redirect_uri could be dynamically registered for confidential clients (ongoing discussion)