OAuth Use Cases Zachary Zeltsan 31 March 2011

2 Outline
Why use cases?
Present set in the draft draft-zeltsan-oauth-use-cases-01.txt (by George Fletcher, Torsten Lodderstedt and Zachary Zeltsan)
 Template for a use case
 Overall list
 Cases supported in OAuth 2.0
 Cases not supported in OAuth 2.0
Relations to other organizations
 WAC
 Kantara (UMA)
Proposal

3 Why use cases?
The question "what is the use case?" has been asked on the list over 100 times since the beginning of the group.
We need to understand the high-level view of the function:
 why a certain protocol feature is there (and this is easy to forget!)
 the relation of the low-level detail to the original concept and need
We need to explain to a broader community what we want to achieve.
Development of a draft on the use cases was requested (suggested?) by Peter at the OAuth meeting at IETF 77.

4 Overall list
Web server
User-agent
In-App-Payment (based on Native Application)
Mobile App
Device
Client password credentials
Assertion
Content manager
Access token exchange
Multiple access tokens
Gateway for browser-based VoIP applets
Signed Messages
Signature with asymmetric secret
Template for a use case:
 Description
 Pre-conditions
 Post-conditions
 Requirements

5 Cases supported in OAuth 2.0 (grant type: use cases it covers)
Authorization code: Web server
Implicit grant: User-agent; Mobile App (as a native application); In-App-Payment (native app with additional requirements)
Client credentials: Client password credentials
Extensions: Assertion
Resource owner password credentials: Mobile App (as a native application)
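The first mapping on this slide, the authorization code grant serving the Web server use case, is the one most worth seeing end to end. The block below is an added example, not code from the slides or from any IETF draft: it simulates both sides of the exchange in memory, with the HTTP round trips replaced by plain dict-shaped messages so it runs offline. The client id, secret, redirect URI and the "photos.read" scope are constructed sample values. The checks it performs are the ones a practitioner expects on this flow: the redirect URI is matched against the registration before a code is sent anywhere, the client echoes and verifies a per-session state value, the client authenticates at the token endpoint, and a code is bound to the client, bound to the redirect URI, short-lived and single-use.

```python
"""Authorization code grant (Web server use case), both sides simulated."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    CODE_LIFETIME = 60  # seconds; authorization codes are short-lived

    def __init__(self):
        # Registered clients: client_id -> (client_secret, redirect_uri). Sample data.
        self.clients = {"webapp-123": ("s3cr3t-sample", "https://client.example/cb")}
        self.codes = {}   # code -> {client_id, redirect_uri, scope, expires}
        self.tokens = {}  # access_token -> {client_id, scope}

    def authorize(self, query, resource_owner_approves):
        """Authorization endpoint: returns the redirect URL sent back through
        the resource owner's user-agent, carrying a code or an error."""
        registered = self.clients.get(query["client_id"])
        # Never redirect to a URI that does not match the registration; an
        # attacker-chosen redirect_uri would otherwise harvest the code.
        if registered is None or registered[1] != query["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        params = {"state": query["state"]}  # state is always echoed back
        if query.get("response_type") != "code":
            params["error"] = "unsupported_response_type"
        elif not resource_owner_approves:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": query["client_id"],
                                "redirect_uri": query["redirect_uri"],
                                "scope": query.get("scope", ""),
                                "expires": time.time() + self.CODE_LIFETIME}
            params["code"] = code
        return query["redirect_uri"] + "?" + urlencode(params)

    def token(self, request, client_id, client_secret):
        """Token endpoint: the web-server client authenticates over the back
        channel and exchanges its code for an access token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        if request.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(request.get("code"), None)  # pop: single use
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != request.get("redirect_uri")
                or entry["expires"] < time.time()):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": entry["scope"]}
        return {"access_token": access_token, "token_type": "bearer",
                "expires_in": 3600, "scope": entry["scope"]}


class WebServerClient:
    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.as_ = auth_server
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending = {}  # state values issued, tied to the user's session

    def start(self, scope):
        """Build the authorization request the user-agent is redirected with."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = True
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def callback(self, redirect_url):
        """Handle the redirect back from the authorization server."""
        qs = parse_qs(urlparse(redirect_url).query)
        state = qs.get("state", [None])[0]
        # A response carrying a state we did not issue is a CSRF/code-injection attempt.
        if not self.pending.pop(state, False):
            return {"error": "state_mismatch"}
        if "error" in qs:
            return {"error": qs["error"][0]}
        return self.as_.token({"grant_type": "authorization_code",
                               "code": qs["code"][0],
                               "redirect_uri": self.redirect_uri},
                              self.client_id, self.client_secret)


def run_web_server_flow(approve=True):
    """Drive one complete exchange; returns (server, client, client's result)."""
    as_ = AuthorizationServer()
    client = WebServerClient(as_, "webapp-123", "s3cr3t-sample", "https://client.example/cb")
    request = client.start("photos.read")
    redirect = as_.authorize(request, resource_owner_approves=approve)
    return as_, client, client.callback(redirect)
```

Running `run_web_server_flow()` yields a bearer token bound to the "photos.read" scope and leaves the code store empty; re-posting the same redirect URL fails on the state check, and re-presenting a consumed code at the token endpoint fails with invalid_grant.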

6 Cases not supported in OAuth 2.0
Content manager (requires re-delegation)
Access token exchange (requires issuance of multiple access tokens, e.g., one to the client for access to resource server 1 and another to resource server 1 for access to resource server 2)
Multiple access tokens (requires issuance of multiple access tokens to the client for access to several resource servers)
Gateway for browser-based VoIP applets (requires adaptation of OAuth for SIP)
Signed messages (requires signatures that allow verifying that an access token was issued by application A to application B with the owner's authorization)
Device (requires display of the URL of the Authorization Endpoint and the Authorization Code in a user-friendly format)
Signature with asymmetric secret (relies on the use of asymmetric cryptography)
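The Device entry above is the one whose requirement ("display the endpoint URL and a code in a user-friendly format") is easiest to make concrete. The block below is an added illustration, not code from the slides or from the use-case draft: it simulates an authorization server handling an input-constrained client (a TV or set-top box), with the user approving on a second device that has a browser. The message shapes and error names follow the OAuth 2.0 Device Authorization Grant (RFC 8628), which did not exist when this deck was presented; the user-code alphabet, the lifetimes, the verification URI and the "tv-client" id are assumptions. The points worth noting are the separation of the device_code (the client's secret handle, never shown to the user) from the short user_code (shown on screen, typed by the user), the polling discipline, and the fact that each device_code gives exactly one answer.

```python
"""Device use case: short user code on screen, approval on another device, client polls."""
import secrets
import time

# Consonants only, no look-alikes: easy to read aloud and type (assumption).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


def make_user_code():
    """Eight characters in two groups, e.g. WDJB-MJHT."""
    chars = [secrets.choice(USER_CODE_ALPHABET) for _ in range(8)]
    return "".join(chars[:4]) + "-" + "".join(chars[4:])


class DeviceAuthorizationServer:
    VERIFICATION_URI = "https://as.example/device"  # assumption
    LIFETIME = 600   # seconds a pending device request stays valid
    INTERVAL = 5     # minimum seconds between polls from the client

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.pending = {}           # device_code -> state
        self.by_user_code = {}      # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the device asks for its codes and shows user_code + URI."""
        device_code = secrets.token_urlsafe(32)
        user_code = make_user_code()
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "approved": None,
                                     "expires": self.clock() + self.LIFETIME,
                                     "last_poll": 0.0}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.LIFETIME, "interval": self.INTERVAL}

    def verify(self, user_code, approve):
        """Step 2: the resource owner types the code at verification_uri
        (on a phone or laptop) and approves or denies."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        entry = self.pending.get(device_code)
        if entry is None or entry["expires"] < self.clock():
            return "unknown_or_expired_code"
        entry["approved"] = bool(approve)
        return "ok"

    def token(self, client_id, device_code):
        """Step 3: the device polls the token endpoint with its device_code."""
        entry = self.pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if entry["expires"] < now:
            self._drop(device_code)
            return {"error": "expired_token"}
        if now - entry["last_poll"] < self.INTERVAL:
            return {"error": "slow_down"}      # client is polling too fast
        entry["last_poll"] = now
        if entry["approved"] is None:
            return {"error": "authorization_pending"}
        self._drop(device_code)                # exactly one answer per device_code
        if not entry["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "scope": entry["scope"], "expires_in": 3600}

    def _drop(self, device_code):
        entry = self.pending.pop(device_code)
        self.by_user_code.pop(entry["user_code"], None)
```

The user code is looked up case-insensitively and with surrounding whitespace stripped, since it is typed by hand; the device_code is never normalised because it is machine-generated and the only proof the client holds.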

7 Relations to other organizations
Wholesale Application Community (WAC): the In-App-Payment (based on Native Application) use case has been approved by WAC.
Kantara Initiative, User-Managed Access (UMA) use cases: these have not yet received significant consideration.

8 Proposal
(Try to) adhere to top-down design, preferably driven by use cases.
Maintain the use case list and publish it as an Informational RFC to accompany each protocol release.