The modern OAuth

1. The modern OAuth 2.0 Hsiaoming Yang
2. 0 About Me
3. The Pallets Projects https://github.com/lepture https://lepture.com/about
4. AD Welcome to contribute to Flask, Werkzeug & other Pallets Projects.
7. https://authlib.org/
8. 1 The MODERN OAuth 2.0
9. WHAT IS OAUTH
10. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
12. WHAT IS MODERN
13. A little bit of the History ★ November 2006, Blaine Cook was working on the Twitter OpenID implementation. ★ April 2007, a Google group was created. ★ July 2007, the team drafted an initial specification. ★ December 2007, OAuth Core 1.0 was released.
14. 2009: IETF OAuth Working Group; 2010.4: RFC5849; 2012.12: RFC6749, RFC6750
15. enable clients to obtain limited access to resources
16. 2 Protocol vs Framework
17. RFC6749 RFC6750 RFC6755 RFC6749 RFC7009 RFC7519 RFC7522 RFC7523 RFC7592 RFC……
18. JWT was created by the OAuth Working Group
19. JWT is based on JWS: header.payload.signature
    header:    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    payload:   eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    signature: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
20. https://tools.ietf.org/wg/oauth/
21. grant types client auth methods token endpoints
22. 3 Python Libraries
23. ★ https://pypi.org/project/oauth/ (OAuth 1.0) ★ https://pypi.org/project/oauth2/ (OAuth 1.0) ★ https://github.com/oauthlib/oauthlib ★ https://authlib.org
24. OAuthLib • requests-oauthlib • Flask-OAuthlib • django-oauth-toolkit
25. Authlib • built-in clients (requests, Flask, Django) • Flask OAuth 1 & 2 providers • Django OAuth 1 provider (TODO: OAuth 2)
26. Authlib vs OAuthlib • Commercial Driven vs Community Driven • Monolithic vs Core Code • Flexible Clean Code vs Mixed Code
27. Authlib
28. OAuthLib
30. 4 Grant Types
31. Basic Grant Types • Authorization Code • Implicit • Client Credentials • Password
32. Authorization Code
33. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
34. RFC7636 Proof Key for Code Exchange by OAuth Public Clients
35. RFC7636
    https://server/authorize?
      response_type=code&client_id=s6BhdRkqt3&state=xyz
      &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
      &code_challenge_method=S256
36. POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

    code_challenge = S256(code_verifier)
37. Only available in Authlib

    client = oauth.register(
        'example',
        client_id='Example Client ID',
        client_secret='Example Client Secret',
        access_token_url='https://example.com/oauth/access_token',
        authorize_url='https://example.com/oauth/authorize',
        api_base_url='https://api.example.com/',
        code_challenge_method='S256',
    )

    authorization_server.register_grant(
        AuthorizationCodeGrant,
        [CodeChallenge(required=True)]
    )
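An added example of the PKCE exchange the slides above describe (my code, not from the slides or Authlib): the client derives code_challenge = S256(code_verifier) as in RFC 7636, and the token endpoint recomputes it from the code_verifier it receives. The RFC 7636 verifier/challenge pair shown on the slides is embedded so the result can be checked.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example, not Authlib's implementation: RFC 7636 S256 on both sides.

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character unreserved-charset verifier."""
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))); plain: the verifier itself."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def verify_code_exchange(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Server side at /token: the challenge and method were stored with the
    authorization code at /authorize; recompute from the verifier and compare
    in constant time. A verifier outside the RFC 7636 grammar is rejected."""
    if not re.fullmatch(r"[A-Za-z0-9._~-]{43,128}", code_verifier):
        return False
    expected = code_challenge(code_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)

# The RFC 7636 Appendix B pair that the slides show in the requests.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    print(code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    v = new_code_verifier()
    print(verify_code_exchange(code_challenge(v), "S256", v))
```

With CodeChallenge(required=True) on the server, a client that omits code_verifier at /token fails the exchange even if it holds a valid authorization code.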
38. RFC7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
39. POST /token HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
    &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
    eyJpc3Mi[...omitted for brevity...].
    J9l-ZhwP[...omitted for brevity...]

    assertion = JWT
40. Google Service Accounts
43. 5 Client Auth Methods Token Endpoint Authentication Methods
44. client auth methods
45. client_secret_basic
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
46. ★ none ★ client_secret_basic ★ client_secret_post
47. client_secret_post
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &client_id=sBj&client_secret=Sh8Vxd
48. RFC7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ★ client_secret_jwt ★ private_key_jwt RFC8414
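An added example (mine, not code from the slides or Authlib) that serves both the JWT slide and the client_secret_jwt method above: it splits the RFC 7515 example token from the JWT slide into its header, payload and signature segments, then builds a client_secret_jwt assertion for the token endpoint and verifies it server side. The client_id and secret are the ones inside the slides' Basic header (s6BhdRkqt3:gX1fBat3bV); the token endpoint URL is assumed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not Authlib code: JWS segments, then an RFC 7523 client_secret_jwt.

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def split_jwt(token: str):
    """Return (header, claims, raw_signature). Nothing is verified here."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def hs256_sign(header: dict, claims: dict, secret: bytes) -> str:
    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def client_secret_jwt(client_id: str, client_secret: str, token_endpoint: str, now=None) -> str:
    """client_assertion sent to /token: iss and sub are the client_id, aud is the endpoint."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + 60}
    return hs256_sign({"alg": "HS256", "typ": "JWT"}, claims, client_secret.encode())

def verify_client_assertion(token: str, client_secret: str, token_endpoint: str, now=None):
    """Server side: pin the algorithm, recompute the MAC, then check aud and exp."""
    now = int(time.time()) if now is None else now
    h, p, _ = token.split(".")
    header, claims, sig = split_jwt(token)
    if header.get("alg") != "HS256":  # the token must never pick its own algorithm
        return None
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != token_endpoint or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# The RFC 7515 example token from the JWT slide, joined as header.payload.signature.
RFC7515_TOKEN = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9."
                 "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
                 "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
```

split_jwt only decodes; the signature of the RFC 7515 token is not checked because its HMAC key is not on the slides, and a server must treat such unverified claims as untrusted input.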
50. 6 Token Endpoints
51. token endpoints
52. ★ token revocation endpoint (RFC7009) ★ token introspection endpoint (RFC7662)
53. https://tools.ietf.org/wg/oauth/
54. OpenID Connect is built upon OAuth 2.0
55. https://github.com/authlib/example-oauth2-server
56. Stay tuned for v0.10
57. Thanks