[Diagram: App, Resource Server, Authorization Server (Token Endpoint, Authz Endpoint), User-Agent; out-of-protocol interaction: user authentication (e.g. username+password or federated) and consent]
Custom "user info resource"
• E.g. GitHub: GET /user returns { … "email": "[email protected]" … }
• Live ID: GET /v5.0/me
[Diagram: Client App presents the access_token to the Resource Server's User Info resource, which returns the user's email ([email protected]); Authorization Server with Token Endpoint and Authz Endpoint]
Beware of using bearer access tokens for authentication! Token audience checking.
OpenID Connect
• Identity layer on top of OAuth 2.0, specified at http://openid.net/connect/
• ID Tokens piggybacked on the OAuth 2.0 messages
• Standard UserInfo endpoint
• Standard claims and scopes
• Session management (e.g. logout)
[Diagram: User-Agent, Authz Endpoint and Token Endpoint; access_token and JWT ID token returned to the client; access_token presented to the UserInfo resource, which returns user claims]
System browser
[Diagram: Authorization Server with Token Endpoint, Authz Endpoint and UserInfo resource; the system browser returns a code or an access_token to the app]
• Customizable authentication and consent flows
• Credential usage isolated from the App
• Takes the User out of the App context
• Use of redirect URI with custom scheme
Embedded WebView
[Diagram: Authorization Server with Token Endpoint, Authz Endpoint and UserInfo resource; the embedded WebView returns a code or an access_token to the app]
• Customizable authentication and consent flows
• User remains in the App context
• Credential usage not isolated from the App
• Custom WebView code to detect the redirect
[Diagram: Token Endpoint, UserInfo resource, Primary Token, App 2 (Relying Party)]
• Native inter-process communication and authentication, e.g. based on package name and certificate
Client App (server side)
How does the server side access the protected resource, namely while the user is offline?
• Get a code and exchange it for a token
[Diagram: Client App (server side), Resource Server, Play Services]
• Get a code for the server's client_id:
private static final String CODE_SCOPE = "oauth2:server:client_id:…" + ":api_scope:email https://www..../tasks.readonly";
Token Agent (TA)
• Device-side representative of the Authz Server (AS)
• Apps request tokens from the TA
• TA uses the code flow to obtain a primary token from the AS; this includes user authentication and user consent
• TA obtains application metadata from the AS
• TA obtains secondary tokens using the primary token
• NAPPS: http://hg.openid.net/napps/wiki/Home
• Designing Evolvable Web APIs with ASP.NET (one chapter on OAuth 2.0 and OpenID Connect)
• https://github.com/pmhsfelix
Thank you!