OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
5. Platform: 3rd-party Developers
OpenSource Conference 2011
20. OAuth 1.0 OAuth 2.0
21. OAuth 1.0 in Japanese: ju.mp/oauth1_ja
OAuth 2.0 in Japanese: ju.mp/oauth2_ja
23–25. OAuth 2.0 roles and flow (slides 23–25 show the same diagram built up step by step)
[Diagram: Resource Owner, Client, Authorization Server, Resource Server; labels: Authorize, Access Token, API Access]
OpenID TechNight #7
26–27. Core Spec / Token Type Spec
[Same diagram as slide 23; the "Core Spec" label covers the Authorize / Access Token part between Client and Authorization Server, the "Token Type Spec" label covers API Access between Client and Resource Server]
28. Core Response Type
2 Response Types in Core: code, token
Extensions: code + token, and more..
29–34. Core: response_type = code
[Sequence diagram: Resource Owner, Client, Authorization Server]
Initiate → Require Approval → Approve → Code (to Client) → Code (to Authorization Server) → Access Token
Authorization request (slide 30): client_id=...&response_type=code&redirect_uri=https://...&scope=...
Token request (slide 33): code=...&client_id=...&client_secret=...&grant_type=authorization_code&redirect_uri=https://...
[NOTE] Facebook API returns access token in x-www-form-urlencoded (slide 34)
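The code flow on slides 29–34 from the client's side, as an added example that is not part of the slides: it builds the authorization request with the slide 30 parameters, checks the redirect that carries the code back, builds the slide 33 token request body, and parses the token response as either JSON (the core spec) or x-www-form-urlencoded (the Facebook behaviour noted on slide 34). The endpoints, client_id, client_secret and redirect_uri are constructed values; the `state` parameter is not on the slides and is included here as the client's own check that the callback belongs to the session that started the flow.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration (constructed for this example).
AUTHORIZE_ENDPOINT = "https://auth.example/oauth2/authorize"
TOKEN_ENDPOINT = "https://auth.example/oauth2/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"  # loaded from configuration in a real client
REDIRECT_URI = "https://client.example/callback"


def build_authorization_request(scope, state=None):
    """Step 'Initiate': the URL the Resource Owner is redirected to (slide 30 parameters).
    `state` is a random value the client stores in the user's session and compares
    on the callback; it is an addition to the parameters shown on the slide."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def extract_code(callback_url, expected_state):
    """Step 'Code' (to Client): parse the redirect back from the Authorization Server.
    An error response or a state mismatch is rejected before the code is used."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("no code in callback")
    return query["code"][0]


def build_token_request(code):
    """Step 'Code' (to Authorization Server): the back-channel POST body (slide 33
    parameters), returned as a dict; the client sends it form-encoded to TOKEN_ENDPOINT."""
    return {
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
    }


def parse_token_response(content_type, body):
    """Step 'Access Token': accept the JSON body the core spec defines as well as the
    x-www-form-urlencoded body some providers return (slide 34: Facebook)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        data = json.loads(body)
    elif media_type == "application/x-www-form-urlencoded":
        data = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    else:
        raise ValueError("unexpected token response content type: " + content_type)
    if "error" in data:
        raise ValueError("token request failed: " + str(data["error"]))
    if "access_token" not in data:
        raise ValueError("token response carries no access_token")
    return data


if __name__ == "__main__":
    url, state = build_authorization_request("read")
    print("redirect the user to:", url)
    # Constructed callback and token responses, as the two providers would send them.
    code = extract_code(REDIRECT_URI + "?code=c0de-constructed&state=" + state, state)
    print("POST", TOKEN_ENDPOINT, build_token_request(code))
    print(parse_token_response("application/json", '{"access_token":"t1","token_type":"Bearer"}'))
    print(parse_token_response("application/x-www-form-urlencoded", "access_token=t2&expires=5184000"))
```

The two parsers exist because a client written against the JSON form alone fails silently against a provider that answers with a form-encoded body; branching on the Content-Type header keeps the rest of the client unchanged.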
35–37. Core: response_type = token
[Sequence diagram: Resource Owner, Client, Authorization Server]
Initiate → Require Approval → Approve → Access Token (returned to the Client directly; no code exchange step)
Authorization request (slide 36): client_id=...&response_type=token&redirect_uri=https://...&scope=...
38. Core Response Type: Code vs. Token
Code: Secure; 2 HTTP requests (Require Approval, then Get Access Token)
Token: Efficient; 1 HTTP request (both at once)
+ extensions
39. Token Type Spec
[Same diagram as slide 26; the Token Type Spec covers API Access between Client and Resource Server]
40–41. Token Type Spec: Bearer vs. MAC
Bearer: No signature; No token secret; Mainstream. "In most cases, you use this."
MAC: Signature; Token secret; Similar to OAuth 1.0
+ extensions
42. Bearer Token: Access Token Response
43. API Access (Bearer)
45. Not all API providers follow the latest draft..
51. Lack of API access!?
You need “stream access”, don’t you?
54. OpenID Connect on top of OAuth 2.0
[Same diagram as slide 23: Resource Owner, Client, Authorization Server, Resource Server; labels: Authorize, Access Token, API Access]
56. Basic Flow
[Sequence diagram: Resource Owner, Client, Authorization Server]
Initiate → Require Approval → Approve → Access Token (+ ID Token)
Authorization request: client_id=...&response_type=token+id_token&redirect_uri=https://...&scope=openid
60. ID Token
Represents session information
JWT-encoded JSON object
Signed using JWS
Encrypted using JWE
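What a client has to check before it trusts the session information in an ID Token, as an added example that is not part of the slides: the token is a JWS compact serialization (base64url header, payload and signature), and the verifier checks the expected algorithm, the HMAC-SHA256 signature, the issuer, the audience and the expiry before returning the claims. The shared key, issuer URL and client_id are constructed, the signing helper stands in for the Authorization Server, and the claim names (iss, aud, exp, sub) follow the current OpenID Connect Core specification rather than the 2011 draft; JWE encryption is not covered.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the HMAC key shared with the issuer (for HS256 this is the
# client secret), the issuer URL, and the client_id the token must be addressed to.
KEY = b"constructed-shared-secret"
ISSUER = "https://op.example"
CLIENT_ID = "example-client"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims, key=KEY, alg="HS256"):
    """Stand-in for the Authorization Server: JWS compact serialization
    header.payload.signature with HMAC-SHA256. `alg` is a parameter only so that an
    unsigned ("none") token can be produced for the verifier to reject."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, key=KEY, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Client-side validation. The algorithm is pinned to what this client expects,
    so a token with alg "none" or any other algorithm is refused before the
    signature is even looked at; then signature, iss, aud and exp are checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token is not addressed to this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    return claims


if __name__ == "__main__":
    token = sign_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                           "exp": int(time.time()) + 300})
    print(token)
    print(verify_id_token(token))
```

Checking `alg` against a fixed expectation, rather than trusting the value in the header, is the design choice worth copying: the header is attacker-controlled input until the signature has been verified.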
63. UserInfo
OAuth 2.0 Protected Resource
REQUIRED: "profile" scope
OPTIONAL: "email" and "address" scopes
Standardized JSON format: PoCo (Portable Contacts) + Facebook Graph API
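The resource-server side of Bearer API access (slide 43) applied to the UserInfo endpoint (slide 63), as an added example that is not part of the slides: the handler extracts the token from the Authorization header, checks it against a constructed token store, requires the "profile" scope and releases the "email" and "address" claims only when those scopes were granted. Failure responses use the error vocabulary of the Bearer token spec (now RFC 6750). The token store, user records and claim names are constructed; the claim names follow the current OpenID Connect Core standard claims rather than the PoCo-based format the slide refers to.

```python
import time

# Constructed stand-in for the tokens the Authorization Server issued (slide 42) and
# for the user directory behind UserInfo. exp values are absolute Unix timestamps.
TOKENS = {
    "tok-alice": {"sub": "alice", "scope": {"openid", "profile"}, "exp": 2_000_000_000},
    "tok-bob": {"sub": "bob", "scope": {"openid", "profile", "email", "address"}, "exp": 2_000_000_000},
    "tok-carol": {"sub": "carol", "scope": {"openid"}, "exp": 2_000_000_000},
    "tok-old": {"sub": "alice", "scope": {"openid", "profile"}, "exp": 1_000_000_000},
}
USERS = {
    "alice": {"name": "Alice Example", "email": "alice@example.com", "address": {"country": "JP"}},
    "bob": {"name": "Bob Example", "email": "bob@example.com", "address": {"country": "JP"}},
    "carol": {"name": "Carol Example"},
}
# Which claims each scope releases (assumption: current OpenID Connect Core names).
PROFILE_CLAIMS = ("name",)
EMAIL_CLAIMS = ("email",)
ADDRESS_CLAIMS = ("address",)


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>'; None when the header is
    absent; ValueError when a header is present but is not a usable Bearer credential."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("malformed Authorization header")
    return token.strip()


def userinfo(headers, now=None):
    """UserInfo as an OAuth 2.0 protected resource. Returns (status, headers, body).
    No credential -> 401 with a bare challenge; malformed -> 400 invalid_request;
    unknown or expired token -> 401 invalid_token; no "profile" scope -> 403
    insufficient_scope. Nothing about the user is disclosed on any error path."""
    now = time.time() if now is None else now
    try:
        token = extract_bearer(headers)
    except ValueError:
        return 400, {"WWW-Authenticate": 'Bearer error="invalid_request"'}, None
    if token is None:
        return 401, {"WWW-Authenticate": "Bearer"}, None
    entry = TOKENS.get(token)
    if entry is None or entry["exp"] <= now:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
    if "profile" not in entry["scope"]:
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope", scope="profile"'}, None
    user = USERS[entry["sub"]]
    wanted = list(PROFILE_CLAIMS)
    if "email" in entry["scope"]:
        wanted += EMAIL_CLAIMS
    if "address" in entry["scope"]:
        wanted += ADDRESS_CLAIMS
    body = {"sub": entry["sub"]}
    body.update({k: user[k] for k in wanted if k in user})
    return 200, {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer tok-alice"}, {"Authorization": "Bearer tok-bob"},
                 {"Authorization": "Bearer tok-carol"}, {"Authorization": "Bearer tok-old"}):
        print(hdrs, "->", userinfo(hdrs, now=1_500_000_000))
```

The scope-to-claims tables are the point of the example: the token carries the scopes the Resource Owner approved, and the resource server filters the response by them rather than returning the whole record to any valid token.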
68. Social
69. Cloud