OAuth 2.0 Integration Patterns with XACML

of 58 /58
Prabath Siriwardena Senior Architect & Chair, Integration MC

description

OAuth 2.0 Integration Patterns with XACML

Transcript of OAuth 2.0 Integration Patterns with XACML

Page 1: OAuth 2.0 Integration Patterns with XACML

Prabath Siriwardena Senior Architect & Chair, Integration MC

Page 2: OAuth 2.0 Integration Patterns with XACML
Page 3: OAuth 2.0 Integration Patterns with XACML
Page 4: OAuth 2.0 Integration Patterns with XACML
Page 5: OAuth 2.0 Integration Patterns with XACML
Page 6: OAuth 2.0 Integration Patterns with XACML

Third-­‐party  applications  are  required  to  store  the  resource  owner's  credentials  for  future  use,  typically  a  password  in  clear-­‐

text.  

Page 7: OAuth 2.0 Integration Patterns with XACML

Servers  are  required  to  support  password  authentication,  despite  the  security  weaknesses  created  by  passwords.  

Page 8: OAuth 2.0 Integration Patterns with XACML

Third-­‐party  applications  gain  overly  broad  access  to  the  resource  owner's  protected  resources,  leaving  resource  owners  without  any  ability  to  restrict  duration  or  access  to  a  limited  

subset  of  resources.  

Page 9: OAuth 2.0 Integration Patterns with XACML

Resource  owners  cannot  revoke  access  to  an  individual  third-­‐party  without  revoking  access  to  all  third-­‐parties,  and  must  do  

so  by  changing  their  password.  

Page 10: OAuth 2.0 Integration Patterns with XACML

Compromise  of  any  third-­‐party  application  results  in  compromise  of  the  end-­‐user's  password  and  all  of  the  data  

protected  by  that  password.  

Page 11: OAuth 2.0 Integration Patterns with XACML
Page 12: OAuth 2.0 Integration Patterns with XACML
Page 13: OAuth 2.0 Integration Patterns with XACML
Page 14: OAuth 2.0 Integration Patterns with XACML
Page 15: OAuth 2.0 Integration Patterns with XACML
Page 16: OAuth 2.0 Integration Patterns with XACML
Page 17: OAuth 2.0 Integration Patterns with XACML

•  Complexity  in  validating  and  generating  signatures.  •  No  clear  separation  between  Resource  Server  and  

Authorization  Server.  •  Browser  based  re-­‐redirections.  

Page 18: OAuth 2.0 Integration Patterns with XACML

•  An  entity  capable  of  granting  access  to  a  protected  resource.    

•  When  the  resource  owner  is  a  person,  it  is  referred  to  as  an  end-­‐user.  

Page 19: OAuth 2.0 Integration Patterns with XACML

•  The  server  hosting  the  protected  resources,  capable  of  accepting  and  responding  to  protected  resource  requests  using  access  tokens.  

Page 20: OAuth 2.0 Integration Patterns with XACML

•  An  application  making  protected  resource  requests  on  behalf  of  the  resource  owner  and  with  its  authorization  

Page 21: OAuth 2.0 Integration Patterns with XACML

•  The  server  issuing  access  tokens  to  the  client  after  successfully  authenticating  the  resource  owner  and  obtaining  authorization  

Page 22: OAuth 2.0 Integration Patterns with XACML
Page 23: OAuth 2.0 Integration Patterns with XACML

Authorization  Code  

Implicit  

Resource  Owner  Password  Credentials  

Client  Credentials  

Page 24: OAuth 2.0 Integration Patterns with XACML

OAuth  Handshake  

Scope  

Page 25: OAuth 2.0 Integration Patterns with XACML

Confidential  Client  Type    

Web  Application  

OAuth  Handshake  

Page 26: OAuth 2.0 Integration Patterns with XACML

Client  Authenticates  to  AuthZ  Server  

BasicAuth   client_id  /  client_secret  

OAuth  Handshake  

Page 27: OAuth 2.0 Integration Patterns with XACML

OAuth  Handshake  

Scope  

Page 28: OAuth 2.0 Integration Patterns with XACML

Public  Client  Type    

User  Agent  based  Application  

OAuth  Handshake  

Page 29: OAuth 2.0 Integration Patterns with XACML

Anonymous  Clients  

OAuth  Handshake  

Page 30: OAuth 2.0 Integration Patterns with XACML

OAuth  Handshake  

Scope  

Page 31: OAuth 2.0 Integration Patterns with XACML

Confidential  Client  Type    

OAuth  Handshake  

Page 32: OAuth 2.0 Integration Patterns with XACML

BasicAuth  

OAuth  Handshake  

Page 33: OAuth 2.0 Integration Patterns with XACML

OAuth  Handshake  

Scope  

Page 34: OAuth 2.0 Integration Patterns with XACML

Confidential  Client  Type    

OAuth  Handshake  

Page 35: OAuth 2.0 Integration Patterns with XACML

BasicAuth  

OAuth  Handshake  

Page 36: OAuth 2.0 Integration Patterns with XACML

Runtime  

Page 37: OAuth 2.0 Integration Patterns with XACML

Runtime  

Bearer   MAC  

Page 38: OAuth 2.0 Integration Patterns with XACML

Runtime  

Bearer   MAC  

Any  party  in  possession  of  a  bearer  token  (a  "bearer")  can  use  it  to  get  access  to  the  associated  resources  (without  demonstrating  possession  of  a  cryptographic  key).  

Bearer  

Page 39: OAuth 2.0 Integration Patterns with XACML

Runtime  

Bearer   MAC  

HTTP  MAC  access  authentication  scheme  

MAC  

Page 40: OAuth 2.0 Integration Patterns with XACML

Feed   Clean  

Take  out  

Medication  

Page 41: OAuth 2.0 Integration Patterns with XACML

Feed   Clean  

Take  out  

Medication  

Page 42: OAuth 2.0 Integration Patterns with XACML

¡  The  de-­‐facto  standard  for  authorization  ¡  PAP  /  PDP  /  PEP  /  PIP  ¡  XML  based  policies  

Page 43: OAuth 2.0 Integration Patterns with XACML
Page 44: OAuth 2.0 Integration Patterns with XACML

Policy Enforcement

Point

Page 45: OAuth 2.0 Integration Patterns with XACML
Page 46: OAuth 2.0 Integration Patterns with XACML
Page 47: OAuth 2.0 Integration Patterns with XACML

OAuth   XACML  

Client   Subject  

Resource  Owner   Subject  

Scope   Action  +  Resource  

Page 48: OAuth 2.0 Integration Patterns with XACML

Client  

Resource  Owner  

Resource    

Scope  

Action  

Page 49: OAuth 2.0 Integration Patterns with XACML

Only  the  resource  owner  will  be  able  to  access  any  resource  during  weekend  and  after  9  PM  weekdays  

Authorization  Rules  

Page 50: OAuth 2.0 Integration Patterns with XACML

Client  :  Foo  

Day  :  Monday  Time  :  4  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”medication”  

Page 51: OAuth 2.0 Integration Patterns with XACML

Client  :  Foo  

Day  :  Monday  Time  :  4  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”medication”  

Page 52: OAuth 2.0 Integration Patterns with XACML

Client  :  Foo  

Day  :  Monday  Time  :  10  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”medication”  

Page 53: OAuth 2.0 Integration Patterns with XACML

Resource  Owner  :  Foo  

Day  :  Monday  Time  :  10  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”medication”  

Page 54: OAuth 2.0 Integration Patterns with XACML

Only  the  resource  owner  will  be  able  to  perform  Feed,  Take  Out  action  on  Dog  resource  

Authorization  Rules  

Page 55: OAuth 2.0 Integration Patterns with XACML

Client  :  Foo  

Day  :  Monday  Time  :  4  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”feed”  

Page 56: OAuth 2.0 Integration Patterns with XACML

Client  :  Foo  

Day  :  Monday  Time  :  4  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”feed”  

Page 57: OAuth 2.0 Integration Patterns with XACML

Resource  Owner  :  Foo  

Day  :  Monday  Time  :  10  PM  

Resource  :  Bar    

Scope  =  “Scooby”+”feed”  

Page 58: OAuth 2.0 Integration Patterns with XACML