OAUTH 101
§ What if…
– You change your password?
› Token’s still valid
– That application gets hacked?
› Revoke the token
§ You are sent back to the callback URL, the Tunes Partner website
– In the background, Tunes Partner receives a token – “You’re authorized to charge $9.99 to this IDTel account”
§ Tunes Partner never sees your IDTel password
§ Client Secret
– A secret used by the Client to establish ownership of the Client ID
– “Here’s proof”
[Sequence diagram, built up over several slides: Resource Owner - User, Client – Tunes Partner, IDTel (Authorization Server / bank)]
1) User → Tunes Partner: “I want to buy this song!”
2) Tunes Partner → User: Okay, let me redirect you to your bank
3) Tunes Partner → IDTel: “Please ask the user if I, Tunes Partner, can charge her $1 for this song.”
4) IDTel → User: Please log in; can Tunes Partner charge you $1? If yes, I’ll send them an authorization code.
5) Authorization Code from AS: “Tunes Partner can charge user $1”
Copyright © 2015 Ping Identity Corp. All rights reserved.
JUST SO WE’RE CLEAR…
[Sequence diagram, completed over three slides: Resource Owner - User, Client – Tunes Partner, IDTel (Authorization Server / bank)]
1) User → Tunes Partner: “I want to buy this song!”
2) Tunes Partner → User: Okay, let me redirect you to your bank
3) Tunes Partner → IDTel: “Please ask the user if I, Tunes Partner, can charge her $1 for this song.”
4) IDTel → User: Please log in; can Tunes Partner charge you $1? If yes, I’ll send them an authorization code.
5) Authorization Code from AS: “Tunes Partner can charge user $1”
6) Tunes Partner → IDTel: I have an authorization code that says Tunes Partner can charge $1. I’m Tunes Partner – here’s my client secret. Give me an access token.
7) Tunes Partner → Bank: Hi Bank! I have an access token saying I’m allowed to charge the user $1; here it is, go charge her $1.
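The seven steps of the Tunes Partner / IDTel diagram, as an added Python model that is not code from the Ping Identity deck. Tunes Partner is the client, IDTel is both the authorization server and the bank API that honours the token. The client ID, client secret, redirect URI, user name and the `charge:<amount>` scope format are constructed for the example. Beyond the slide's narrative it also shows the checks the flow depends on: the code is bound to the client and its registered redirect URI and is good exactly once, the client secret proves ownership of the client ID (step 6), the token is only honoured within its scope (step 7), and the client checks `state` on the callback so a redirect it did not start is ignored.

```python
"""Added model of the authorization code flow in the slides (steps 1-7)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data: Tunes Partner (client) is registered at IDTel
# (authorization server + bank API). The secret is a sample, not a real one.
CLIENT_ID = "tunes-partner"
CLIENT_SECRET = "tunes-partner-secret"
REDIRECT_URI = "https://tunespartner.example/callback"


def query_params(url):
    """Flatten ?a=b&c=d into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class IDTel:
    """Authorization server and resource server in one, as in the diagram."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # one-time authorization codes -> grant details
        self.tokens = {}   # access tokens -> grant details

    def authorize(self, client_id, redirect_uri, scope, state, user_consents):
        """Steps 3-5: the user logs in and decides; a code goes back via redirect."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            # Never redirect to an unregistered URI: the code would leak there.
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_consents:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": "alice"}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Step 6: client proves it owns the client ID, trades the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)   # pop: a code is good exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {**grant, "expires_at": time.time() + 600}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 600, "scope": grant["scope"]}

    def charge(self, token, amount_usd):
        """Step 7: the bank API honours the token, and only within its scope."""
        grant = self.tokens.get(token)
        if grant is None or grant["expires_at"] < time.time():
            return {"error": "invalid_token"}
        allowed = float(grant["scope"].split(":")[1])   # scope is "charge:<amount>"
        if amount_usd > allowed:
            return {"error": "insufficient_scope"}
        return {"charged": amount_usd, "account": grant["user"]}


class TunesPartner:
    """The client. It never sees the user's IDTel password."""

    def __init__(self, bank):
        self.bank = bank
        self.pending_states = set()

    def start_purchase(self, price):
        """Steps 1-2: build the parameters the browser carries to the bank."""
        state = secrets.token_urlsafe(8)
        self.pending_states.add(state)
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "scope": f"charge:{price:.2f}", "state": state}

    def callback(self, url, price):
        """Callback URL handler: check state, then run steps 6 and 7."""
        q = query_params(url)
        if q.get("state") not in self.pending_states:
            return {"error": "state mismatch: callback not started by us"}
        self.pending_states.discard(q["state"])
        if "code" not in q:
            return {"error": q.get("error", "no code")}
        tok = self.bank.token(q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
        if "access_token" not in tok:
            return tok
        return self.bank.charge(tok["access_token"], price)


def buy_song(price=1.00, user_consents=True):
    """Run the whole flow end to end; returns the bank API's final answer."""
    bank = IDTel()
    client = TunesPartner(bank)
    params = client.start_purchase(price)
    redirect_back = bank.authorize(user_consents=user_consents, **params)
    return client.callback(redirect_back, price)


if __name__ == "__main__":
    print(buy_song())                       # {'charged': 1.0, 'account': 'alice'}
    print(buy_song(user_consents=False))    # {'error': 'access_denied'}
```

The same run shows why the client secret and the code are separate things: without the secret a stolen code buys nothing, and a code that has already been exchanged is rejected on the second attempt.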
HALFWAY!
§ OAuth
– An open protocol standard for Web API authorization
– Provides a method for users to grant third-party access to
their resources without sharing their passwords
§ Tokens can be limited by:
– Scope
– Time
– Action
§ End goal:
– Client gets and uses access token
[Diagram: Client → 1. Get access token → Authorization Server; Client → 2. Use access token → API (Resource Server)]
§ Authorization Code
– Use case: Web-server apps (and native apps)
§ Implicit
– Use case: Browser-based apps
§ Resource Owner Password Credentials
– Use case: Native mobile apps (for backwards compatibility)
§ Client Credentials
– Use case: Server-Server
[Diagram: Authorization Server, Resource Server, Resource Owner]
IMPLICIT GRANT GENERAL FLOW
[Diagram: Resource Owner → Client – Tunes Partner Widget → Authorization Server - IDTel]
1. Browser application redirects user to authorization server (1 – Client ID, Scope)
2. User authenticates, then (hopefully!) authorizes the request. (Yes, charge me $10)
3. Authorization Server redirects user back to web app with the access token embedded in the query string. (3 – Access token in URL)
[Diagram (native mobile app): Resource Owner, Native Client – IDTel mobile app, Authorization Server, Resource Server]
2. Authorization Server returns access token to mobile application (2 – Access Token (w/ optional Refresh Token))
[Diagram (client credentials): Client – Remote server or application → Authorization Server]
1 – Client Credentials
2 – Access Token: Authorization Server returns access token to client server
[Diagram (refresh token): Client (tunes partner website or IDTel mobile app) → Authorization Server - IDTel (PingFederate)]
1. Client application sends its own credentials and refresh token to PingFederate in request for access token (1. Client Credentials & Refresh token)
2. PingFederate returns access token (2. Access Token)
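A second added Python example, not code from the deck, covering the “What if…” slide, the “Tokens can be limited by” list, and the client-credentials and refresh-token diagrams above. It models the authorization server's token store: the resource-server check tests expiry (Time) and scope (Scope/Action), a password change leaves issued tokens valid, a compromised client's tokens are revoked wholesale, the client credentials grant issues a token with no user involved, and a refresh request carries the client's own credentials plus the refresh token and rotates it. Client IDs, secrets, scope names and the user record are constructed; the injectable clock is there so expiry can be exercised without waiting.

```python
"""Added model of token lifetime, scope, revocation and refresh."""
import secrets
import time


class TokenStore:
    """Authorization-server state for issued tokens, kept in memory.
    `clock` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}    # access token  -> {client_id, scope, exp, user}
        self.refresh = {}   # refresh token -> {client_id, scope, user}
        # Constructed client registrations and user password (samples only).
        self.clients = {"idtel-mobile": "mobile-secret", "batch-job": "job-secret"}
        self.passwords = {"alice": "old-password"}

    def _client_ok(self, client_id, client_secret):
        secret = self.clients.get(client_id)
        return secret is not None and secrets.compare_digest(secret, client_secret)

    def issue(self, client_id, scope, user=None, ttl=600, with_refresh=False):
        """Mint an access token limited by scope (what) and ttl (how long)."""
        access = secrets.token_urlsafe(24)
        self.access[access] = {"client_id": client_id, "scope": set(scope.split()),
                               "exp": self.clock() + ttl, "user": user}
        out = {"access_token": access, "token_type": "Bearer", "expires_in": ttl}
        if with_refresh:
            refresh = secrets.token_urlsafe(24)
            self.refresh[refresh] = {"client_id": client_id, "scope": scope, "user": user}
            out["refresh_token"] = refresh
        return out

    def grant_client_credentials(self, client_id, client_secret, scope):
        """Client Credentials grant: server-to-server, no user in the loop."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        return self.issue(client_id, scope)

    def grant_refresh(self, client_id, client_secret, refresh_token):
        """Refresh: client credentials + refresh token -> new access token.
        The used refresh token is retired and a new one handed out (rotation)."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self.refresh.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return self.issue(client_id, rec["scope"], rec["user"], with_refresh=True)

    def revoke_client(self, client_id):
        """'That application gets hacked?' -> pull every token it holds."""
        removed = 0
        for store in (self.access, self.refresh):
            for tok in [t for t, r in store.items() if r["client_id"] == client_id]:
                del store[tok]
                removed += 1
        return removed

    def change_password(self, user, new_password):
        """'You change your password?' -> tokens are untouched; they are
        separate credentials, so revoke explicitly if that is the intent."""
        self.passwords[user] = new_password
        return True

    def check(self, access_token, required_scope):
        """Resource-server check, in order: known, not expired, scope covers the action."""
        rec = self.access.get(access_token)
        if rec is None:
            return "invalid_token"
        if rec["exp"] <= self.clock():
            return "expired_token"
        if required_scope not in rec["scope"]:
            return "insufficient_scope"
        return "ok"


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("idtel-mobile", "charge", user="alice", with_refresh=True)
    store.change_password("alice", "new-password")
    print(store.check(t["access_token"], "charge"))   # ok: password change did not revoke
    store.revoke_client("idtel-mobile")
    print(store.check(t["access_token"], "charge"))   # invalid_token
```

The ordering in `check` matters on a real resource server too: an unknown or expired token is rejected before any scope logic runs, so scope names never become an oracle for guessing tokens.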
GRANT TYPES
Grant Type What You Need How You Authenticate User