Source: download.microsoft.com/.../0/F/1/.../day2/20160420_Lightning_sessi…
Lightning Talk: OAuth
Andrew Davidoff
Senior Software Developer
What’s wrong with this picture?
OAuth
• Delegates access to a user’s resources to your service or application.
• Limited and controlled -- granted by the user
• Doesn’t require the user to share their password
• Your app gets its own delegation credential (access token)
• Open Protocol – RFC5849, RFC6749 and RFC6750
OAuth 2.0
• Protocol Security == https: OAuth 2.0 drops the per-request signatures of OAuth 1.0 (RFC5849) and relies on TLS to protect bearer tokens in transit
• Better support for mobile and native desktop apps
• Simplifies the authorization grant
Authentication vs. Authorization
• AuthN – proof that someone is who they claim to be.
  • Something you know
  • Something you have
  • Something you are
• AuthZ – Determination of which permissions and rights a person or system is supposed to have.
  • Are you allowed to do what you are trying to do?
• Q: what is OAuth, OAuthN or OAuthZ?
A: Authorization (OAuthZ)
Roles
• Resource Owner: End-user or other entity capable of granting access to the protected resources.
  • Example: [email protected]
• Resource Server: Server that hosts the protected resources.
  • Example: OneDrive
• Authorization Server: Server that authenticates the resource owner (and, for confidential clients, the client) and issues access tokens.
  • Example: Microsoft account server
• Client: Application making protected resource requests to the Resource Server.
  • Example: Microsoft Office / http://www.mybirthdayreminders.aspx
Abstract OAuth2 logical flow
Participants: Resource Owner, Client, Authorization Server, Resource Server.
1 Authorization Request (client to resource owner)
2 Authorization Grant (resource owner to client)
3 Request access token (client to authorization server, presenting the grant)
4 Issue access token (authorization server to client)
5 Request resource (client to resource server, presenting the access token)
6 Serve Request (resource server to client)
Grant Types
There are four grant types that the client may use to obtain the access token from the authorization server:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Credentials Grant
• Client Credentials Grant
Authorization Code Grant
• Follows a redirection-based flow
• Uses an authorization code as an intermediate credential
• Optimized for private clients
• Allows renewal of access tokens
• Allows client authentication
Registering the Client
• Before using the grants, clients must be registered with the authorization server and provide:
• Client type (public/private)
  • Example: Private
• Allowed redirection URIs (where the authorization server sends the code or token; the callback must match this list exactly)
  • Example: http://www.pandaemonium.com/callback.aspx
• Other information such as name, website, description, logos, etc.
Registering the Client
After registering, the authorization server will provide the client developer:
• Client ID
000000004C0EC707
• Client Secret
PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG
Common Consent Framework in O365
• Single Authentication flow for O365
  • Azure AD Graph, Exchange, SharePoint, etc.
• Device apps and web apps
• Admin and end-user consent
• Secure protocol
  • OAuth 2.0 authorization
  • No capturing of user credentials
• Fine-grained access scopes
• Supports multi-factor authentication (MFA) and federated user sign-in
• Long-term access through refresh tokens
Thank You!
Appendix: Authorization Code Grant
Pandaemonium® Application
• Web Application Client (Private)
• Pastes pandas into pictures
• Wants to integrate with OneDrive
• Hosted at http://www.pandaemonium.com
Authorization Code Grant
Participants: Resource Owner, User Agent, Client, Authorization Server.
1 User-agent loads the client, which redirects it to the authorization server.
  Authorization request parameters: response_type=“code”, client_id, *redirect_uri, *scope, *state
2 User authenticates into the authorization server (Authentication Dialog), reviews and grants the client’s request for permissions (Permissions Dialog).
3 Authorization server redirects the user-agent to the redirect_uri.
  Parameters on the redirect: code, *state
4 Client sends the authorization code to the authorization server.
  Token request parameters: grant_type=“authorization_code”, code, *redirect_uri, *client_id
5 Authorization server sends the access token to client.
R-1 Client sends refresh token to the authorization server.
R-2 Client gets back a new access token.
(* marks parameters the slides show as optional.)
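The exchange above, as an added example that is not code from the talk, from Microsoft, or from any real Pandaemonium application: both sides of the authorization code grant in one Python process. `AuthorizationServer` plays the Microsoft account server and `Client` the Pandaemonium web app; the endpoint URL, client_id, client_secret, user, scope string and the https redirect URI are all hypothetical. It also spells out the checks the slides leave implicit: the redirect_uri must match the registration exactly, the client verifies `state` before redeeming the code, the code is single-use and short-lived, the confidential client authenticates to the token endpoint with HTTP Basic (RFC 6749 section 2.3.1), and refresh tokens are rotated on every use.

```python
# Added example (not code from the talk or from Microsoft): the RFC 6749 section 4.1
# authorization code grant with both sides in one process. Every name and URL is made up.
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.example.test/authorize"  # assumed
CODE_LIFETIME, ACCESS_LIFETIME = 60, 3600                     # seconds, assumed


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:  # stands in for the Microsoft account server of the slides
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret", "redirect_uris"} from registration
        self.codes, self.refresh_tokens = {}, {}

    def authorize(self, request_url, user, approved=True):
        """Steps 1-3: validate the request, record consent, redirect the user-agent back."""
        q = _query(request_url)
        client = self.clients[q["client_id"]]
        redirect_uri = q.get("redirect_uri", client["redirect_uris"][0])
        if redirect_uri not in client["redirect_uris"]:  # exact match against registration
            raise ValueError("redirect_uri is not registered for this client")
        params = {"state": q["state"]} if "state" in q else {}
        if q.get("response_type") != "code" or not approved:
            params["error"] = "access_denied" if q.get("response_type") == "code" else "unsupported_response_type"
        else:
            code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": redirect_uri, "user": user,
                                "scope": q.get("scope", ""), "expires": time.time() + CODE_LIFETIME}
            params["code"] = code
        return redirect_uri + "?" + urlencode(params)

    def token(self, authorization_header, form):
        """Steps 4-5 and R-1/R-2: the token endpoint; the confidential client sends HTTP Basic."""
        client_id = self._authenticate_client(authorization_header)
        if client_id is None:
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)  # popping makes every code single-use
            if (rec is None or rec["client_id"] != client_id or time.time() > rec["expires"]
                    or rec["redirect_uri"] != form.get("redirect_uri")):
                return {"error": "invalid_grant"}
        elif form.get("grant_type") == "refresh_token":
            rec = self.refresh_tokens.pop(form.get("refresh_token"), None)  # rotated on every use
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"client_id": client_id, "user": rec["user"], "scope": rec["scope"]}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_LIFETIME,
                "refresh_token": refresh, "scope": rec["scope"]}

    def _authenticate_client(self, header):
        try:  # "Basic base64(client_id:client_secret)"; any malformed header is a failed login
            client_id, secret = base64.b64decode(header.split("Basic ", 1)[1]).decode().split(":", 1)
        except (AttributeError, IndexError, ValueError):
            return None
        client = self.clients.get(client_id)
        return client_id if client and secrets.compare_digest(client["secret"], secret) else None


class Client:  # the Pandaemonium web app: a confidential client with a server-side session
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.session = {}

    def authorization_url(self, scope):
        # Step 1: `state` is a fresh nonce kept in the session; it ties the callback to this attempt.
        self.session["oauth_state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": self.session["oauth_state"]})

    def handle_callback(self, callback_url, server):
        # Step 4: verify `state` before touching the code, then redeem the code at the token endpoint.
        q = _query(callback_url)
        expected = self.session.pop("oauth_state", None)
        if expected is None or not secrets.compare_digest(expected, q.get("state", "")):
            raise ValueError("state mismatch: this session did not start the login (CSRF / code injection)")
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"])
        return self.token_request(server, grant_type="authorization_code", code=q["code"],
                                  redirect_uri=self.redirect_uri)

    def token_request(self, server, **form):
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        return server.token("Basic " + creds, form)


def run_flow(approved=True):
    """Drive steps 1-5 and R-1/R-2; returns (token response, refreshed response, replayed-code response)."""
    client = Client("pandaemonium-id", "pandaemonium-secret", "https://www.pandaemonium.example/callback")
    server = AuthorizationServer({client.client_id: {"secret": client.client_secret,
                                                     "redirect_uris": [client.redirect_uri]}})
    callback = server.authorize(client.authorization_url("onedrive.readwrite"), "alice@example.test", approved)
    first = client.handle_callback(callback, server)
    replay = client.token_request(server, grant_type="authorization_code", code=_query(callback)["code"],
                                  redirect_uri=client.redirect_uri)  # same code a second time
    refreshed = client.token_request(server, grant_type="refresh_token", refresh_token=first["refresh_token"])
    return first, refreshed, replay
```

`run_flow()` returns the first token response, the response to the refresh (R-1/R-2), and the response to replaying the already-redeemed code, which is `invalid_grant`; with `approved=False` the callback carries `error=access_denied` and the client raises instead of calling the token endpoint.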
Accessing Resources
• Client (Pandaemonium.com/pandafy) requests the user’s pictures from OneDrive; the request includes the access token
• OneDrive (resource server) returns the user’s pictures
• Client returns the pandafied pics to the resource owner (user)
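The resource request above, as an added example that is not code from the talk, from OneDrive, or from Microsoft: the resource-server side of RFC 6750 bearer tokens. The handler reads `Authorization: Bearer`, looks the token up in a constructed in-memory table that stands in for real validation (a JWT signature check or introspection at the authorization server), and answers with the challenges RFC 6750 section 3 prescribes. `TOKENS`, `PICTURES`, `get_pictures`, the realm and the scope names are all made up.

```python
# Added example (not code from the talk, from OneDrive or from Microsoft): the resource
# server side of RFC 6750 bearer tokens. TOKENS is a constructed table standing in for
# real validation (JWT signature check or introspection at the authorization server).
import time

TOKENS = {  # constructed sample: what the authorization server issued, keyed by token
    "tok-live":    {"user": "alice@example.test", "scope": {"onedrive.read"}, "expires": time.time() + 3600},
    "tok-expired": {"user": "alice@example.test", "scope": {"onedrive.read"}, "expires": time.time() - 1},
    "tok-noscope": {"user": "alice@example.test", "scope": {"profile"},       "expires": time.time() + 3600},
}
PICTURES = {"alice@example.test": ["panda1.jpg", "panda2.jpg"]}  # constructed sample resource


def parse_bearer(headers):
    """Token from `Authorization: Bearer <token>`, or None; the scheme name is case-insensitive."""
    parts = headers.get("Authorization", "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def get_pictures(headers, realm="onedrive", required_scope="onedrive.read", now=None):
    """Handler for the pictures request: returns (status, response headers, body) per RFC 6750 section 3."""
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        # No bearer credential at all: challenge without an error code (section 3.1).
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, None
    rec = TOKENS.get(token)
    if rec is None or rec["expires"] <= now:
        # Unknown, revoked or expired: the client should refresh or re-authorize, never retry blindly.
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}", error="invalid_token"'}, None
    if required_scope not in rec["scope"]:
        # Valid token, but the user never consented to this scope: 403, and say which scope is needed.
        challenge = f'Bearer realm="{realm}", error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": challenge}, None
    return 200, {"Content-Type": "application/json"}, {"owner": rec["user"], "pictures": PICTURES[rec["user"]]}
```

The distinction between the two 4xx codes matters to the client: `invalid_token` means go back through R-1/R-2 (or the full grant), while `insufficient_scope` means a new consent with the named scope is required and retrying with the same token will never succeed.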