Transcript of Lightning Talk: OAuth (download.microsoft.com/.../0/F/1/.../day2/20160420_Lightning_sessi…, 20.04.2016)

Lightning Talk: OAuth

Andrew Davidoff

Senior Software Developer


What’s wrong with this picture?


OAuth

• Delegates access to a user’s resources to your service or application.
  • Limited and controlled -- granted by the user
• Doesn’t require the user to share their password
  • Your app gets its own delegation credential (access token)
• Open Protocol – RFC5849, RFC6749 and RFC6750


OAuth 2.0

• Protocol security relies on HTTPS (TLS)

• Better support for mobile and native desktop apps

• Simplifies the authorization grant


Authentication vs. Authorization

• AuthN – proof that someone is who they claim to be.
  • Something you know
  • Something you have
  • Something you are
• AuthZ – determination of which permissions and rights a person or system is supposed to have.
  • Are you allowed to do what you are trying to do?
• Q: what is OAuth, OAuthN or OAuthZ?
  A: Authorization (OAuthZ)


Roles

• Resource Owner: End-user or other entity capable of granting access to the protected resources.
  • Example: [email protected]
• Resource Server: Server that hosts the protected resources.
  • Example: OneDrive
• Authorization Server: Server that authenticates the client and issues access tokens.
  • Example: Microsoft account server
• Client: Application making protected resource requests to the Resource Server.
  • Example: Microsoft Office / http://www.mybirthdayreminders.aspx


Abstract OAuth2 logical flow

Participants: Resource Owner, Client, Authorization Server, Resource Server

1 Authorization Request (Client → Resource Owner)
2 Authorization Grant (Resource Owner → Client)
3 Request access token (Client → Authorization Server)
4 Issue access token (Authorization Server → Client)
5 Request resource (Client → Resource Server)
6 Serve Request (Resource Server → Client)


Grant Types

There are four grant types that the client may use to obtain the access token from the authorization server:

• Authorization Code Grant

• Implicit Grant

• Resource Owner Credentials Grant

• Client Credentials Grant


Authorization Code Grant

• Follows a redirection-based flow

• Uses an authorization code as an intermediate credential

• Optimized for private clients

• Allows renewal of access tokens

• Allows client authentication


Registering the Client

• Before using the grants, clients must be registered with the authorization server and provide:
  • Client type (public/private): Private
  • Allowed redirection URIs (where to send the tokens): http://www.pandaemonium.com/callback.aspx
  • Other information such as name, website, description, logos, etc.


Registering the Client

After registering, the authorization server will provide the client developer:

• Client ID: 000000004C0EC707
• Client Secret: PEIpZV8eUUpGX5r2jQUw5bWlms88qUlG


Common Consent Framework in O365

• Single authentication flow for O365
  • Azure AD Graph, Exchange, SharePoint, etc.
  • Device apps and web apps
  • Admin and end-user consent
• Secure protocol
  • OAuth 2.0 authorization
  • No capturing of user credentials
  • Fine-grained access scopes
  • Supports multi-factor authentication (MFA) and federated user sign-in
  • Long-term access through refresh tokens


Thank You!


Appendix: Authorization Code Grant


Authorization Code Grant

• Follows a redirection-based flow

• Uses an authorization code as an intermediate credential

• Optimized for private clients

• Allows renewal of access tokens

• Allows client authentication


Pandaemonium® Application

• Web Application Client (Private)

• Pastes pandas into pictures

• Wants to integrate with OneDrive

• Hosted at http://www.pandaemonium.com


Authorization Code Grant

Participants: Resource Owner, User Agent, Client, Authorization Server (parameters marked * are, as on the slides, not always required)

1 User-agent loads the client, which redirects it to the authorization server (diagram steps 1a, 1b, 1c). Authorization request parameters:
  • response_type=“code”
  • client_id
  • *redirect_uri
  • *scope
  • *state

2 User authenticates into the authorization server, reviews and grants the client’s request for permissions (diagram steps 2a, 2b, 2c, 2d).

Authentication Dialog

Permissions Dialog

3 Authorization server redirects the user-agent to the redirect_uri (diagram steps 3a, 3b). Parameters carried on the redirect:
  • code
  • *state

4 Client sends the authorization code to the authorization server. Token request parameters:
  • grant_type=“authorization_code”
  • code
  • *redirect_uri
  • *client_id

5 Authorization server sends the access token to client

R-1 Client sends refresh token to the authorization server

R-2 Client gets back a new access token
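The redirect-based exchange above (steps 1, 3 and 4), as an added Python example that is not code from the talk or from the Pandaemonium application: the client builds the authorization request, the authorization server only honours a registered redirect_uri, and the client accepts the callback only when the returned state matches the one it issued. The client_id and redirect_uri are the slides' example values; the authorization endpoint URL, the scope name and the authorization code are placeholders.

```python
"""Authorization code grant, steps 1, 3 and 4 from the slides (added example).

Client ID and redirect URI are the slides' example values. The authorization
endpoint, scope name and authorization code are placeholders, not real values.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.example/authorize"           # placeholder endpoint
CLIENT_ID = "000000004C0EC707"                               # from the slides
REDIRECT_URI = "http://www.pandaemonium.com/callback.aspx"   # from the slides
REGISTERED_REDIRECTS = {REDIRECT_URI}                        # what the AS has on file


def build_authorization_request(scope: str) -> tuple[str, str]:
    """Step 1: the client redirects the user-agent to this URL and keeps
    `state` in the user's session so the callback can be matched to it."""
    state = secrets.token_urlsafe(24)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def authorization_server_redirect(request_url: str, code: str) -> str:
    """Step 3 (authorization server side): only a redirect_uri registered for
    the client is honoured; the code and the client's state travel back on it."""
    q = parse_qs(urlparse(request_url).query)
    redirect_uri = q["redirect_uri"][0]
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError("redirect_uri is not registered for this client")
    return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Steps 3-4 (client side): a callback whose state does not match the
    session is dropped; otherwise build the token-request body for step 4."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


if __name__ == "__main__":
    url, state = build_authorization_request("onedrive.readonly")  # placeholder scope
    callback = authorization_server_redirect(url, "constructed-code-123")
    print(handle_callback(callback, state))
```

A private client would additionally authenticate at the token endpoint (the slides' "Allows client authentication"), for example with the client secret it received at registration; that step is left out here.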


Accessing Resources

Participants: Resource owner (user), Client (Pandaemonium.com/pandafy), OneDrive

• Client → OneDrive: Request for user’s pictures (includes access token)
• OneDrive → Client: User’s pictures
• Client → Resource owner: Pandafied pics!


Thank You!