Overview[1]#

OAuth is a an open standard, scalable, Protocol for Delegation of Authorization to server resources using HTTP.

Generally, OAuth is a solution to the Password Anti-Pattern.

OAuth 2.0 is an evolution of the OAuth Protocol and is NOT backward compatible with OAuth 1.0.

OAuth 2.0 NOT an Authentication protocol#

OAuth Not for Authentication
.

Remember that OAuth 2.0 NOT an Authentication protocol.

Developer Simplicity#

OAuth 2.0 focuses on developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification and associated RFCs are being developed within the IETF OAuth WG; the main framework was published in October 2012.

Of course focuses on developer simplicity invokes the Law of Complexity by moving the complexity from the developer realm into the Authorization Server and Resource Server.

OAuth 2.0 was expected to be finalized by the end of 2010 according to Eran Hammer. However, due to discordant views about the evolution of OAuth, Hammer left the working group.

The OAuth 2.0 Framework and Bearer Token Usage were published in October 2012. Other documents were and are still being worked on within the OAuth working group.

OAuth 2.0 Roles[2]#

OAuth 2.0 Endpoints#

Typically, there are three OAuth 2.0 Endpoints:

OAuth 2.0 Tokens#

OAuth 2.0 Tokens are used in OAuth 2.0 Protocol Flows where the Bearer of the OAuth 2.0 Tokens has associated Permissions. This requires that the OAuth 2.0 Tokens be handled securely. OAuth 2.0 Tokens are issued and managed by the Authorization Server:

OAuth 2.0 Profiles#

The OAuth 2.0 specification also mentions a set of OAuth 2.0 Profiles. These profiles are concrete types of applications, that can be either confidential or public.

Grant Types or OAuth 2.0 Protocol Flows#

OAuth 2.0 by it’s nature is a very flexible standard and can be adapted to work in many different scenarios. The core specification describes four Grant Types and there are other Grant Types that have gone through, or are currently in, the IETF ratification process

OAuth 2.0 Vulnerability#

As always, there are, and will be Attackers which reveal OAuth 2.0 Vulnerabilities

What is missing in OAuth 2.0#

What is missing in OAuth 2.0.

Additional OAuth 2.0 RFCs#

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
jpg
oauth-not-auththenticaiton.jpg 112.2 kB 1 12-Jun-2016 15:53 jim Oauth Is Not Authentication
« This page (revision-67) was last changed on 18-Mar-2017 12:30 by jim