Date posted: 06-May-2015
Uploaded by: shiu-fun-poon
OAuth 2.0
Client type (application type)
– Confidential
– Public
Grant type (handshake/dance)
– Authorization code
– Implicit grant
– Client credentials
– Resource owner password
Token: Bearer (self-contained)
Extension/Customization
– Added values
Allows you to share your resources with a third-party application without sharing your credentials with that application.
Authorization Code Grant Type
Authorization Endpoint: obtain authorization/consent from the end user.
Token Endpoint: exchange a temporary authorization (the code) for the actual access permission, in the form of an access_token.
(Diagram: Authorization Endpoint, Token Endpoint, DataPower enforcement for the Resource Server.)
Authorization Code
OAuth 2.0 – Authorization Code (diagram participants: Resource Owner (Alice), authz endpoint, token endpoint, DataPower, resource)
– Alice launches an application.
– HTTP 302: Alice is redirected to the OAuth authorization server, so the user can grant access to the application.
– HTTP 302: a temporary code is issued to the application.
– HTTP request with Authorization: Basic client_id:client_secret – the application exchanges the temporary code for access permission.
– The application accesses the resource with the access_token.
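The authorization code dance above, as an added example that is not taken from the slides or from DataPower: a Python simulation of the authz endpoint, the token endpoint and the enforcement point in front of the resource. Client id, secret, redirect URI and user name are constructed values. It goes a little beyond the slides by showing the checks an enforcement point wants at each step: redirect_uri matching, single-use and expiring codes, client authentication on the token endpoint, and token validation before the resource is served.

```python
import base64, secrets, time
# Constructed client registration: one confidential client and its redirect_uri.
CLIENTS = {"app-1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
class AuthorizationServer:  # plays both the 'authz' and 'token' endpoints of the diagram
    def __init__(self):
        self.codes = {}   # temporary code -> (client_id, user, redirect_uri, expiry)
        self.tokens = {}  # access_token -> (client_id, user, expiry)
    def authorize(self, client_id, redirect_uri, user):
        # Slides 5-6: after consent, a short-lived single-use code goes back (HTTP 302) to the registered redirect_uri.
        reg = CLIENTS.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, redirect_uri, time.time() + 60)
        return f"{redirect_uri}?code={code}"

    def token(self, authorization_header, code, redirect_uri):
        # Slide 7: the client proves itself with 'Authorization: Basic client_id:client_secret'.
        scheme, _, cred = authorization_header.partition(" ")
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        reg = CLIENTS.get(client_id)
        if scheme != "Basic" or reg is None or not secrets.compare_digest(secret, reg["secret"]):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri or entry[3] < time.time():
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, entry[1], time.time() + 3600)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

def access_resource(server, authorization_header):
    # Slide 8: the enforcement point in front of the resource accepts only a live Bearer token.
    scheme, _, tok = authorization_header.partition(" ")
    entry = server.tokens.get(tok) if scheme == "Bearer" else None
    if entry is None or entry[2] < time.time():
        return {"status": 401}
    return {"status": 200, "owner": entry[1]}

def run_flow():
    # Walk Alice through the whole dance, then show that replaying the code fails.
    srv, basic = AuthorizationServer(), "Basic " + base64.b64encode(b"app-1:s3cret").decode()
    code = srv.authorize("app-1", "https://app.example/cb", "alice").split("code=")[1]
    grant = srv.token(basic, code, "https://app.example/cb")
    first = access_resource(srv, "Bearer " + grant["access_token"])
    try:
        srv.token(basic, code, "https://app.example/cb")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return first, replay_rejected, access_resource(srv, "Bearer bogus")
```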
Implicit
OAuth 2.0 – Implicit (diagram participants: Resource Owner (Alice), authz endpoint, DataPower, resource)
– Alice launches an application.
– HTTP 302: Alice is redirected to the OAuth authorization server, so the user can grant access to the application.
– HTTP 200: the access_token is returned directly to the application.
Resource Owner
OAuth 2.0 – Resource Owner (diagram participants: Resource Owner (Alice), authz endpoint, DataPower, resource)
– Request: Authorization: Basic client_id:client_secret, together with the owner's username & password.
– Response: access_token=xxxx
– The application accesses the resource with access_token=xxxx.
Client Credentials
OAuth 2.0 – Client Credentials (diagram participants: Resource Owner (Alice), authz endpoint, DataPower, resource)
– Request: Authorization: Basic client_id:client_secret
– Response: access_token=xxxx
– The application accesses the resource with access_token=xxxx.
Customization: 3 DataPower grant types
– Validation grant: urn:ibm:datapower:validate
– Client Revoke Access grant: urn:ibm:datapower:client:revoke
– Resource Owner Revoke Access grant: urn:ibm:owner:revoke
Extensibility through different "plug points" during the OAuth handshake/dance
– These provide customization of the behavior of OAuth
Use cases (diagrams)
– DataPower as both Authorization Server and Resource Server: the application accesses resources with a DataPower-issued access_token.
– DataPower as Resource Server with another Authorization Server (IBM TFIM, Ping Federation?): the application accesses resources with that server's access_token.
– DataPower as PEP (policy enforcement point) in front of the Resource Server: access to resources with the access_token is enforced by DataPower.