Service Chaining with OAuth 2.0 Bearer Tokens


1 Service Chaining with OAuth 2.0 Bearer Tokens
Alan H. Karp HP Labs

2 Overview
OAuth 1.0
OAuth 2.0
Sabre 2.0

3 OAuth 1.0
[Diagram slide; no text beyond the title.]

4 OAuth 2.0
No crypto in the protocol; everything over HTTPS
Opaque tokens represent access rights
No revocation (in the core protocol as presented here; a token revocation endpoint was specified later in RFC 7009)
Most tokens expire in a short time, e.g., 10 min
Different patterns
  Basic requires authentication
  Bearer tokens

5 OAuth 2.0 Basics
[Diagram: Resource Owner, Client, Authorization Manager (AM), Resource Provider (RP). The Resource Owner gives the Client an Authorization Grant (AG); the Client sends a Request Access with the AG to the AM and gets back an Access Token (AT), optionally with a Refresh Token (RT); the Client presents the AT to the Resource Provider and receives the Resource. The slides' Authorization Manager and Resource Provider correspond to RFC 6749's authorization server and resource server.]
AM and RO agree on AG
AM and RP agree on AT
AM decides RT format
All opaque to client
AG and AT short-lived
RT long-lived

6 Web Redirection
[Diagram with Resource Owner, Client, Authorization Manager and Resource Provider; steps as labeled, with the usual reading of the redirect flow in parentheses:]
1. Request Access (Client to Resource Provider)
2. Denied
3. Request Access (Client to Authorization Manager)
4. AG (Authorization Manager to Resource Owner)
5. AG (Resource Owner to Client)
6. AT (Authorization Manager to Client)
7. AT (Client to Resource Provider)
8. (Resource returned)

7 SABRE 1.0
SABRE: Semi-Automated Business Research Environment
Developed by IBM for American Airlines
First prototype 1960
In use today as Sabre Holdings, Inc. (Travelocity)
Long past due for an upgrade
HP/EDS won the contract

8 SABRE 2.0
Widely known features
  Airline/hotel reservations
Less well known or unknown features
  Crew scheduling
  Airport management

9 Airport Management
200 airlines, 10,000 employees each
500 airports, 5,000 employees each
Federated Identity Management impractical at that scale
First solution: ZBAC (authoriZation-Based Access Control) with SOAP
Switched to REST
Proposed Waterken
Decided on OAuth

10 Gate Agent Scenario
All computers at gates are shared
Want employers to authenticate their people
Authorization decided by role and context, e.g., a gate agent can close a gate only if it is the employer's flight
TWA has contracted to use Weather, Inc.
TWA gate agents may request forecasts
Agents specify an airport code; Weather, Inc. takes latitude/longitude
SABRE Convert service translates the code to lat/long

11 Sign Contracts
[Diagram: Weather, Inc. (AuthZ Mgr, Forecast service), TWA (AuthN Mgr, AuthZ Mgr, TWA Policy) and Sabre 2.0 (Policy Engine, PM, AuthZ Mgr, Web Server, Convert Service). Edges labeled "Terms and Conditions" connect the contracting parties.]

12 Screen on Gate Display
[Screenshot slide.]

13 Setup
[Diagram; participants: Alice at a Browser, Sabre 2.0 (Web Server, Policy Engine, PM, AuthZ Mgr, Convert Service), TWA (AuthN Mgr, AuthZ Mgr), Weather Service (AuthZ Mgr, Forecast). Steps as labeled:]
1. Sabre Front Page
2. Login
3. Attributes
4. Attributes
5. Get AGs
6. Web page content + AGs

14 Request Permissions
[Diagram; same participants, plus TWA Policy. Steps as labeled:]
7. Get forecast for ORD
8. Get AG for W
9. Get AG for W
10. AG1 for W
11. AG1 for W

15 Prepare to Delegate
[Diagram; steps as labeled:]
12. Get AG for Convert
13. AG2 for W

16 Prepare to Invoke
[Diagram; steps as labeled:]
14. Exchange AG1 for AT1
15. AT1 for CS

17 Invoke
[Diagram; steps as labeled:]
16. Invoke with AT1 passing AG2
17. Exchange AG2 for AT2
18. Return AT2 for W
19. Invoke with AT2
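The chain in steps 14 to 19 (slides 16 and 17), as an added simulation that is not part of the original slides or of any Sabre, HP or Weather, Inc. code. It reads the diagrams as follows, which is an assumption where the labels are ambiguous: AG1/AT1 are issued by Sabre's AuthZ Mgr for the Convert Service, AG2/AT2 by Weather, Inc.'s AuthZ Mgr for the forecast service, and AG2 is issued for the Convert Service to redeem (Alice only carries it). Names such as `alice-browser`, `convert`, `weather`, the ORD coordinates and the forecast text are constructed. The point it makes is the one the slides rely on: every hop gets its own opaque bearer token bound to one audience, so Alice's AT1 is useless at Weather, Inc., AG2 can be redeemed once and only by the Convert Service, and a token that outlives its short lifetime is refused.

```python
"""Service chain from slides 13-17: Alice -> Sabre Convert Service -> Weather, Inc.
Constructed example, not Sabre, HP or Weather, Inc. code."""
import secrets
import time

TOKEN_TTL = 600  # slide 4: most access tokens expire in about 10 minutes


class AuthzManager:
    """One Authorization Manager (an RFC 6749 authorization server)."""

    def __init__(self, name):
        self.name = name
        self._grants = {}  # AG -> (client allowed to redeem it, audience, scope)
        self._tokens = {}  # AT -> (client, audience, scope, expiry)

    def issue_grant(self, client, audience, scope):
        ag = secrets.token_urlsafe(32)  # opaque to everyone except this AM
        self._grants[ag] = (client, audience, scope)
        return ag

    def exchange(self, ag, client, now=None):
        """Redeem a one-time AG for a short-lived bearer AT (steps 14 and 17)."""
        now = time.time() if now is None else now
        rec = self._grants.get(ag)
        if rec is None or rec[0] != client:
            raise PermissionError(f"{self.name}: unknown grant or wrong client")
        del self._grants[ag]  # a grant is redeemable once
        at = secrets.token_urlsafe(32)
        self._tokens[at] = (client, rec[1], rec[2], now + TOKEN_TTL)
        return at

    def introspect(self, at, audience, now=None):
        """Resource provider's check: known, unexpired and meant for this audience."""
        now = time.time() if now is None else now
        rec = self._tokens.get(at)
        if rec is None or rec[1] != audience or rec[3] <= now:
            return None
        return {"client": rec[0], "scope": rec[2]}


class ResourceServer:
    def __init__(self, name, am):
        self.name, self.am = name, am

    def check(self, bearer):
        info = self.am.introspect(bearer, audience=self.name)
        if info is None:
            raise PermissionError(f"{self.name}: bearer token rejected")
        return info


class WeatherService(ResourceServer):
    def forecast(self, bearer, lat, lon):
        self.check(bearer)
        return f"forecast@{lat:.2f},{lon:.2f}: clear"  # constructed response


AIRPORTS = {"ORD": (41.98, -87.90)}  # constructed lookup for the Convert Service


class ConvertService(ResourceServer):
    def __init__(self, name, am, weather, weather_am):
        super().__init__(name, am)
        self.weather, self.weather_am = weather, weather_am

    def forecast_for(self, bearer, code, ag2):
        self.check(bearer)  # step 16: AT1 must be valid for the Convert Service itself
        lat, lon = AIRPORTS[code]
        at2 = self.weather_am.exchange(ag2, client=self.name)  # steps 17-18
        return self.weather.forecast(at2, lat, lon)  # step 19


def build():
    sabre_am, weather_am = AuthzManager("Sabre AuthZ Mgr"), AuthzManager("Weather AuthZ Mgr")
    weather = WeatherService("weather", weather_am)
    return sabre_am, weather_am, weather, ConvertService("convert", sabre_am, weather, weather_am)


def run_chain():
    """Steps 8-19 for Alice asking for the ORD forecast."""
    sabre_am, weather_am, _, convert = build()
    ag1 = sabre_am.issue_grant("alice-browser", audience="convert", scope="convert")
    ag2 = weather_am.issue_grant("convert", audience="weather", scope="forecast")
    at1 = sabre_am.exchange(ag1, "alice-browser")  # steps 14-15
    return convert.forecast_for(at1, "ORD", ag2)  # steps 16-19


def denied(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo_failures():
    """What the chain refuses; each entry is a separate property of the design."""
    sabre_am, weather_am, weather, _ = build()
    at1 = sabre_am.exchange(sabre_am.issue_grant("alice-browser", "convert", "convert"), "alice-browser")
    ag2 = weather_am.issue_grant("convert", "weather", "forecast")
    out = {"at1_useless_at_weather": denied(lambda: weather.forecast(at1, 0.0, 0.0)),
           "alice_cannot_redeem_ag2": denied(lambda: weather_am.exchange(ag2, "alice-browser"))}
    at2 = weather_am.exchange(ag2, "convert")
    out["ag2_single_use"] = denied(lambda: weather_am.exchange(ag2, "convert"))
    later = time.time() + TOKEN_TTL + 1
    out["expired_at2_rejected"] = weather_am.introspect(at2, "weather", now=later) is None
    return out


if __name__ == "__main__":
    print(run_chain())
    print(demo_failures())
```

Tokens are checked by introspection at the issuing AuthZ Mgr because the slides make them opaque; a self-contained token format would need a signature and a replay and audience check of its own, which the OAuth 2.0 bearer pattern shown here deliberately avoids.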

18 Optimizations
Resource owner is resource provider: forget about AGs, just hand out ATs
Skip AG2: Alice can tell TWA the AG is for the Convert service
