1 / 11

OAuth Security

OAuth Security. Hannes Tschofenig Derek Atkins. State-of-the-Art. Design Team work late 2012/early 2013 Results documented in Appendix 3 (Requirements) and in Appendix 4 (Use Cases) of http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05

kalin
Download Presentation

OAuth Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OAuth Security Hannes Tschofenig Derek Atkins

  2. State-of-the-Art • Design Team work late 2012/early 2013 • Results documented in Appendix 3 (Requirements) and in Appendix 4 (Use Cases) of http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 • Two solution approaches documents available in the group: • MAC Token: draft-ietf-oauth-v2-http-mac-05 • HOTK: draft-tschofenig-oauth-hotk-03

  3. I Client Authorization Server III II Resource Server

  4. I Client Authorization Server III II Resource Server

  5. I: Key Distribution AS <-> Client • Variants: • Key Distribution at Token Issuance • Key Distribution at Registration • Approaches: • Server-provided key • Client-provided key • Joint key control / key agreement • Examples: • Section 3.1.2 of HOTK for asymmetric keys • Section 4.1 of MAC Token for symmetric keys

  6. Lifetime Hierarchy

  7. I Client Authorization Server III II Resource Server

  8. II: Client <-> RS Interaction • Components: • Proof of possession of client key • Message integrity / Channel Binding • Server-to-client authentication • As part of TLS • Custom application-layer solution • Examples: • Section 5 of MAC Token for symmetric keys (encoded as HTTP header) • Section 3.2.2 of HOTK for asymmetric keys • Section 3.2.1 of HOTK for symmetric keys (encoded as JSON structure)

  9. I Client Authorization Server III II Resource Server

  10. III: Key Distribution AS <-> RS • Variants: a) Embedded key b) Token introspection c) Out-of-band • Examples: Ad a) Section 4.2 of HOTK Ad b) draft-richer-oauth-introspection Ad c) PKI

  11. Next Steps: Document Restructuring • Use Cases, Requirements and Design Rational • Currently in the appendix of MAC Token • Update to reflect new use cases • Key Distribution AS <-> Client • Cover symmetric as well as asymmetric case • Client <-> RS Communication • Section 5 of MAC Token & Section 3.2 of HOTK. • Includes keyed message digest/signature calculation algorithm. • Includes binding to transport • Includes JSON structure. • Token introspection • Encoding of PoP in JWT (symmetric & asymmetric)

More Related