Hannes Tschofenig, Blaine Cook - PowerPoint PPT Presentation

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing) – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
  • Hannes Tschofenig, Blaine Cook
  • (IETF#79, Beijing)

2
Acknowledgements
  • I would like to thank Pasi Eronen. We are
    re-using some of his slides in this presentation.

3
The Problem: Secure Data Sharing
4
(No Transcript)
5
Example: OAuth Exchange
6
Entities
  • User
  • User Agent (Web Browser)
  • Resource Consumer (LinkedIn)
  • Authorization Server (Yahoo)
  • Resource Server (Yahoo)
Messages
  • Authorization Request
  • Token request
  • Access Request (incl. Token)
7
User navigates to Resource Client
8
User authenticated by Authorization Server
9
User authorizes Resource Consumer to access
Resource Server
10
Resource Client calls the Resource Server API
11
Remark: Authentication
  • Yahoo in our example may outsource the
    authentication part to other providers (e.g.
    using OpenID).
  • Authorization Server and Resource Server do not
    need to be operated by the same entity.

12
Remark: Authorization
  • Asking the user for consent prior to sharing
    information is considered privacy-friendly.
  • User interfaces for obtaining user consent may
    not always be great.

13
Remark: Authorization, cont.
14
Remark: Authorization, cont.
15
Remark: Authorization, cont.
16
Remark: Prior Registration
  • Many Resource Servers require registration of
    Resource Clients prior to usage.
  • Example: http://developer.cliqset.com/api

17
Remark, cont.
18
History
19
History
  • November 2006: Blaine Cook was looking into the
    possibility of using OpenID to accomplish the
    functionality for delegated authentication. He
    got in touch with some other folks that had a
    similar need.
  • December 2006: Blaine wrote a "reference
    implementation" for Twitter based on all the
    existing OAuth-patterned APIs, which Blaine and
    Kellan Elliott-McCrea turned into a rough
    functional draft.
  • April 2007: Google group was created with a small
    group of implementers to write a proposal for an
    open protocol.
  • July 2007: OAuth 1.0 (with code for major
    programming languages).
  • September 2007: Re-write of specification to
    focus on a single flow (instead of "web",
    "mobile", and "desktop" flows).
  • Deployment of OAuth well on its way:
    http://wiki.oauth.net/ServiceProviders

20
History, cont.
  • 1st OAuth BOF (Minneapolis, November 2008,
    IETF#73)
  • BOF Chairs: Sam Hartman, Mark Nottingham
  • BOF went OK but a couple of charter questions
    couldn't be resolved.
  • 2nd OAuth BOF (San Francisco, March 2009,
    IETF#74)
  • BOF Chairs: Hannes Tschofenig, Blaine Cook
  • Charter discussed on the mailing list and also
    during the meeting. Finalized shortly after the
    meeting.
  • IETF-wide review of the OAuth charter text (28th
    April 2009)
  • Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
  • OAuth working group was created (May 2009)
  • Chairs: Blaine Cook, Peter Saint-Andre
  • Feb 2010: 'The OAuth 1.0 Protocol' approved as
    Informational RFC
  • http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html

21
History, cont.
  • March 2010: Peter Saint-Andre became Area
    Director and Hannes Tschofenig became Blaine's
    co-chair.
  • March 2010: IETF OAuth meeting in Anaheim
  • April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt>
    published, co-authored by Eran, Dick, David.
  • May 2010: First OAuth interim meeting co-located
    with IIW to discuss open issues.
  • July 2010: Maastricht IETF meeting
  • November 2010: Document split into abstract
    specification and separate bearer token and
    message signing specification.
  • November 2010: Beijing IETF meeting, no official
    OAuth working group meeting. Discussions about
    security for OAuth.

22
Entities
  • User
  • User Agent
  • Resource Consumer
  • Authorization Server
  • Resource Server
Messages
  • Authorization Request
  • Token request
  • Access Request (incl. Token)
23
Scope of the OAuth WG
  • Currently only one working group item:
    http://tools.ietf.org/html/draft-ietf-oauth-v2
  • Unlike OAuth v1.0 it does not contain signature
    mechanisms.
  • We have a bunch of other documents as individual
    items:
  • Providing security-related extensions
  • User interface considerations
  • Token formats
  • Token by reference
  • Use case descriptions
  • Other OAuth profiles

24
Work Areas
Token Request
25
Web Server Flow
26
(No Transcript)
27
Security
  • A little bit about OAuth security

28
Work Areas
Token Request
29
Bearer Token
  • Resource Consumer -> Authorization Server: Request (over TLS)
  • Authorization Server -> Resource Consumer: Token
  • Resource Consumer -> Resource Server: Token (over TLS)
30
Message Signing
  • Resource Consumer -> Authorization Server: Request (over TLS)
  • Authorization Server -> Resource Consumer: Token, SK, SK_Bob
  • Resource Consumer -> Resource Server: Token, Request_SK, SK_Bob
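The two slides above differ in what the Resource Server can check: a bearer token is accepted from whoever presents it (TLS is its only transport protection), while a signed request binds the token to a secret key SK. The Python below is an added illustration, not code from the presentation or from the OAuth drafts; it reads Request_SK as an HMAC over the request under SK, and it assumes the Resource Server obtains SK from a table shared with the Authorization Server instead of the slide's SK_Bob wrapping.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo state: the Authorization Server records the key it issued
# per token and the Resource Server reads the same table.  This stands in for
# the slide's SK_Bob delivery (assumption, to stay within the standard library).
ISSUED_KEYS = {}      # token -> SK (None for a plain bearer token)
SEEN_NONCES = set()   # (token, nonce) pairs the Resource Server has accepted

def as_issue_bearer():
    """Authorization Server: issue a bearer token carrying no key material."""
    token = secrets.token_urlsafe(16)
    ISSUED_KEYS[token] = None
    return token

def as_issue_signing():
    """Authorization Server: issue a token plus a secret key SK for signing."""
    token = secrets.token_urlsafe(16)
    sk = secrets.token_bytes(32)
    ISSUED_KEYS[token] = sk
    return token, sk

def rs_check_bearer(token):
    """Resource Server: a bearer token is valid for whoever presents it."""
    return token in ISSUED_KEYS

def sign_request(sk, method, uri, body, nonce, ts):
    """Resource Consumer: HMAC-SHA256 over the request, i.e. Request_SK."""
    msg = "\n".join([method, uri, body, nonce, str(ts)]).encode()
    return hmac.new(sk, msg, hashlib.sha256).hexdigest()

def rs_verify_signed(token, method, uri, body, nonce, ts, mac, now=None):
    """Resource Server: look up SK for the token, check freshness, reject
    replayed nonces, then compare the signature in constant time."""
    sk = ISSUED_KEYS.get(token)
    if sk is None:                       # unknown token, or one with no SK
        return False
    if abs((now if now is not None else time.time()) - ts) > 300:
        return False                     # stale timestamp (5 minute window)
    if (token, nonce) in SEEN_NONCES:
        return False                     # replay of a captured request
    expected = sign_request(sk, method, uri, body, nonce, ts)
    if not hmac.compare_digest(expected, mac):
        return False                     # tampered request or wrong key
    SEEN_NONCES.add((token, nonce))
    return True
```

A captured bearer token passes rs_check_bearer for any sender, whereas a captured signed request fails on replay and any edit to method, URI or body invalidates the MAC.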
31
Conclusion
  • Open Web Authentication (OAuth) is developed in
    the IETF to provide delegated authentication for
    Web-based environments.
  • Usage for non-Web based applications has been
    proposed as well.
  • Work is in progress and re-chartering will expand
    the work to include new features and use cases as
    well as security.
  • Join the OAuth mailing list at
    http://datatracker.ietf.org/wg/oauth/charter/
    to make your contribution.

32
Backup Slides
33
JavaScript Flow (User Agent Flow in Draft)
34
(No Transcript)
35
Native Application Flow
36
(No Transcript)
37
Autonomous Flow
38
(No Transcript)
39
Device Flow
40
(No Transcript)
41
(No Transcript)