SlideShare a Scribd company logo
1CONFIDENTIAL
OAUTH2
TOKEN BASED AUTHORIZATION, JSON WEB TOKENS
NOVEMBER 23, 2017
Andrey Radzkov
2CONFIDENTIAL
AGENDAAGENDA
Token based auth1
Json Web Tokens2
OAUTH23
Live demo4
3CONFIDENTIAL
HISTORY: BASIC AUTHENTIFICATION
4CONFIDENTIAL
HISTORY: COOKIE-BASED (FORMS)
5CONFIDENTIAL
HISTORY: COOKIE-BASED (FORMS): SEQUENCE DIAGRAMM
Browser Server
Post /auth {j_username:"uName", j_password:"password"}
HTTP 200 OK. Set cookie: j_sessionId=.....
GET /api/smth Cookie: j_sessionId=.....
HTTP 200 OK. Response: {smth:....}
6CONFIDENTIAL
HISTORY: COOKIE-BASED (FORMS)
Server1
Server 2
Server 3
Load balancer
Web app
Mobile app
Shared
session
7CONFIDENTIAL
HISTORY: COOKIE-BASED (FORMS): SUMMARY
Easy, transparent
Supports by many frameworks
Possible to design forms
- No browser clients
- Distributed applications
- Cross-domain apps
8CONFIDENTIAL
TOKEN-BASED AUTHORIZATION
9CONFIDENTIAL
TOKEN BASED AUTHORIZATION
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:no-cache
Connection:keep-alive
Authorization: Bearer
MTQ5NzQ1MTAzODE4NTphZDJiODc0NTI0NmQxNmIyZDQ6dXNlckB1c2VyLmNvbTo4YW
YzYzg1NWU4OTI4YThkNjYxNGNlOTA3NzgxNGUzMTlmNDQ3YjQxZDdkNTdhMjc1YTY0
MDRmYWYyN2FjMmJiMWFkOGQ3YjY0Y2QyZGM4MWQxNGQ0ZTk0MmMwZDhhY2MyY2RjNW
Q2MjZlNTdhZTJiYTFlMzFhMzI4N2NmNmNmMA==
10CONFIDENTIAL
TOKEN BASED AUTHORIZATION – SEQUENCE DIAGRAMM
Client Server
Post /auth {j_username:"uName", j_password:"password"}
HTTP 200 OK. Response: {auth_token:”MTQ5NzQ1MTAzODE4NTphZDJi...”,
expiration_time:Wed Jun 21 2017 23:09:13}
GET /api/smth Headers: Authorization: Bearer: MTQ5NzQ1MTAzODE ...
HTTP 200 OK. Response: {smth:....}
11CONFIDENTIAL
TOKEN BASED AUTHORIZATION: SEVARAL SERVERS
Server1
Server 2
Server 3
Load balancer
Web app
Mobile app
{token:”…”}
{token:”…”}
{token:”…”}
12CONFIDENTIAL
TOKEN BASED AUTHORIZATION: TOKEN SIZE
MTQ5NzQ1MTAzODE4NTphZDJiODc0NTI0NmQxNmIyZDQ
6dXNlckB1c2VyLmNvbTo4YWYzYzg1NWU4OTI4YThkNj
YxNGNlOTA3NzgxNGUzMTlmNDQ3YjQxZDdkNTdhMjc1Y
TY0MDRmYWYyN2FjMmJiMWFkOGQ3YjY0Y2QyZGM4MWQx
NGQ0ZTk0MmMwZDhhY2MyY2RjNWQ2MjZlNTdhZTJiYTF
lMzFhMzI4N2NmNmNmMA==
13CONFIDENTIAL
TOKEN BASED AUTHORIZATION: SUMMARY
 Supports by many frameworks
 Easy implementation for distributed applications
 Good support for not-browser clients
 Flexible implementation: content, size, encryption, expiration
 Works with different domains
- Header of requests should be extended
- Not standard
- Be careful with size
14CONFIDENTIAL
JSON WEB TOKENS
15CONFIDENTIAL
JWT: STRUCTURE
Header.Payload.Signature
16CONFIDENTIAL
JWT: STRUCTURE: HEADER
{ "alg": "HS256", "typ": "JWT" }
17CONFIDENTIAL
JWT: STRUCTURE: PAYLOAD
{"sub": "1234567890", "name": "John Doe", "admin": true}
iss — address or name of auth center
sub — user id
aud — client name
exp — expiration
nbf — time from
iat — time of token creation
jti — token id
18CONFIDENTIAL
JWT: STRUCTURE: SIGNATURE
HMACSHA256(base64UrlEncode(header)
+ "." + base64UrlEncode(payload), secret)
19CONFIDENTIAL
JWT: STRUCTURE
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTc0OTg1NDUsInVzZ
XJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiLCJST0xFX0F
DVFVBVE9SIl0sImp0aSI6IjRhODIzOWRiLTBiNTEtNGJkZS1iNWVkLTMyNGFjND
c0NWE2NCIsImNsaWVudF9pZCI6ImFjbWUiLCJzY29wZSI6WyJvcGVuaWQiXX0
.Tp7xPQozlI-
01IyPD4tW7F0nb7oYIEgsxHStgcoJT8IBexYcLfcY6j3jNqbKse4aOIrwB8EWVsY
bGFvLfL07Nh6rpPKTbDesih99b2fmGApf9ECQlwSeElV9uGy6I2vhkgJbVuxf8Y
JNmVr7lbPyZ-yA7FdwyiigWS-
HSRMOP41konsR3Kj04glZpW0aD5BjvcJNFz5F4tiSeMOFLw2lGVQ8PXfoU9VKt
N1eLFgV--
JYJmH8tD7OAF6usITQeYPa7gmIIJb49B4J4JDnkPBcMVfCeLfjK9TXyOe5M0w
GL615WG8Cc5dl23j1Qin-K7RJTXts1lHe4jriG3TObEfcJg
20CONFIDENTIAL
JWT: SUMMARY
 Specification for tokens
 Self-contained token
 Token signature
- Rather big size
- Content not encrypted
! Use HTTPS
21CONFIDENTIAL
OAUTH 2
22CONFIDENTIAL
OAUTH2: WHAT IS IT?
Server1
Server 2
Server 3
Web app
Mobile app
23CONFIDENTIAL
OAUTH2: ABSTRACT FLOW
Query Resource
Request Token
Resource
server
Auth Server
Client Application
Validate Token
24CONFIDENTIAL
OAUTH2: GRANT TYPES
Authorization code(backend)1
Implicit (frontend)2
Username/password (deprecated)3
Grant for credentials editing4
25CONFIDENTIAL
OAUTH2: AUTHORIZATION CODE - ANIMATION
Resource
server
Auth Server
Query Resource
With token
Request Token
Validate Token
Client side
Server side
Enter credentials
Auth code
Provide code
Client Application
https://oauth.example.com/aut
horize?response_type=code&cli
ent_id=CLIENT_ID&redirect_uri
=CALLBACK_URL&scope=read
https://yourapp.com/callback?
code=AUTHORIZATION_CODEhttps:/oauth.exapmle.com/token?
client_id=CLIENT_ID&client_secret=
CLIENT_SECRET&grant_type=authoriza
tion_code&code=AUTHORIZATION_CODE&
redirect_uri=CALLBACK_URL
{ "access_token" : "...",
"token_type" : "...",
"expires_in" : "...",
"refresh_token“ : "...“ }
26CONFIDENTIAL
OAUTH2: GRANT TYPE IMPLICIT - ANIMATION
Resource
server
Auth Server
Query Resource
With token
Auth token in
redirect
Validate Token
Client side
Server side
Enter credentials
Client Application
https://oauth.example.com/aut
horize?response_type=token&cl
ient_id=CLIENT_ID&redirect_ur
i=CALLBACK_URL&scope=read
https://yourapp.com/callback#
token=ACCESS_TOKEN
27CONFIDENTIAL
OAUTH2: GRANT TYPE – USER PASSWORD - ANIMATION
Resource
server
Auth Server
Query Resource
With token
Auth token in
response
Client side
Server side
Send credentials
Validate Token
https://oauth.example.com/autho
rize?password=PASSWORD&username
=USERNAME&client_id=CLIENT_ID
28CONFIDENTIAL
OAUTH2: GRANT TYPE – CLIENT CREDENTIALS
https://oauth.example.com/token?grant_type=client_c
redentials&client_id=CLIENT_ID&client_secret=CLIENT
_SECRET
29CONFIDENTIAL
OAUTH2: APP REGISTRATION (ON VK EXAMPLE)
30CONFIDENTIAL
OAUTH2: APP REGISTRATION (ON VK EXAMPLE)
31CONFIDENTIAL
OAUTH2: SUMMARY
 Ability to authorize user for other application
 Separated login and business
 Application can`t steal user info
 Based on tokens
- Gaps in specification
- Different implementations in popular services
- High complexity
- Possible performance issues
! Use HTTPS
32CONFIDENTIAL
OAUTH2: SUMMARY
33CONFIDENTIAL
QUESTIONS?
34CONFIDENTIAL
LINKS
HTTP Authentication: Basic and Digest Access Authentication
link to oauth2 spec https://tools.ietf.org/html/rfc6749
JWT spec https://tools.ietf.org/html/rfc7519
https://vk.com/editapp?act=create
https://vk.com/dev/mobile_apps
https://vk.com/dev/android_sdk
https://jwt.io/introduction/
https://oauth2.thephpleague.com/requirements/ - good description
https://github.com/andrey-radzkov/tech-talk-oauth2-demo - demo

More Related Content

What's hot (6)

PDF
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
PPTX
Do .egg à web
HardDiskD
 
PDF
Couchdb w Ruby'm
Stanisław Wasiutyński
 
PDF
apidays LIVE New York - WT* is JWT? by Maciej Treder
apidays
 
PDF
Malcon2017
Andriy Brukhovetskyy
 
PPTX
EuroPython 2016 : A Deep Dive into the Pymongo Driver
Joe Drumgoole
 
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
Do .egg à web
HardDiskD
 
Couchdb w Ruby'm
Stanisław Wasiutyński
 
apidays LIVE New York - WT* is JWT? by Maciej Treder
apidays
 
EuroPython 2016 : A Deep Dive into the Pymongo Driver
Joe Drumgoole
 

Similar to Token based-oauth2 (20)

PDF
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Node.j...
Luciano Mammino
 
PDF
Jwt Security
Seid Yassin
 
PPTX
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
Dace Barone
 
PPTX
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
PDF
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
PDF
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - Code E...
Luciano Mammino
 
PPTX
The Burden of Proof
Brian Campbell
 
PDF
Luciano Mammino - Cracking JWT tokens: a tale of magic, Node.JS and parallel...
Codemotion
 
PDF
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing
Luciano Mammino
 
PDF
移动端 Web 开发技术交流
Ximing Dai
 
PPTX
The bitcoin blockchain
Salah Hawila
 
PDF
mDevCamp 2016 - Zingly, or how to design multi-banking app
Petr Dvorak
 
PDF
2016 pycontw web api authentication
Micron Technology
 
PDF
Common Browser Hijacking Methods
David Barroso
 
PPTX
ql.io: Consuming HTTP at Scale
Subbu Allamaraju
 
PPTX
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
PPTX
How to use shodan more powerful
National Cheng Kung University
 
KEY
Node worshop Realtime - Socket.io
Caesar Chi
 
PDF
Blockchain - Una tecnologia destinata a restare
Giancarlo Valente
 
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Node.j...
Luciano Mammino
 
Jwt Security
Seid Yassin
 
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
Dace Barone
 
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - Code E...
Luciano Mammino
 
The Burden of Proof
Brian Campbell
 
Luciano Mammino - Cracking JWT tokens: a tale of magic, Node.JS and parallel...
Codemotion
 
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing
Luciano Mammino
 
移动端 Web 开发技术交流
Ximing Dai
 
The bitcoin blockchain
Salah Hawila
 
mDevCamp 2016 - Zingly, or how to design multi-banking app
Petr Dvorak
 
2016 pycontw web api authentication
Micron Technology
 
Common Browser Hijacking Methods
David Barroso
 
ql.io: Consuming HTTP at Scale
Subbu Allamaraju
 
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
How to use shodan more powerful
National Cheng Kung University
 
Node worshop Realtime - Socket.io
Caesar Chi
 
Blockchain - Una tecnologia destinata a restare
Giancarlo Valente
 
Ad

Recently uploaded (20)

PPTX
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
PDF
Linux Certificate of Completion - LabEx Certificate
VICTOR MAESTRE RAMIREZ
 
PDF
MiniTool Partition Wizard 12.8 Crack License Key LATEST
hashhshs786
 
PPTX
Help for Correlations in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PDF
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
PDF
Download Canva Pro 2025 PC Crack Full Latest Version
bashirkhan333g
 
PDF
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
PDF
유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례
Seongdae Kim
 
PDF
4K Video Downloader Plus Pro Crack for MacOS New Download 2025
bashirkhan333g
 
PPTX
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
PPTX
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
PDF
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
PDF
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
PDF
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
PPTX
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
PDF
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
PDF
The 5 Reasons for IT Maintenance - Arna Softech
Arna Softech
 
PPTX
Milwaukee Marketo User Group - Summer Road Trip: Mapping and Personalizing Yo...
bbedford2
 
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
Linux Certificate of Completion - LabEx Certificate
VICTOR MAESTRE RAMIREZ
 
MiniTool Partition Wizard 12.8 Crack License Key LATEST
hashhshs786
 
Help for Correlations in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
Download Canva Pro 2025 PC Crack Full Latest Version
bashirkhan333g
 
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례
Seongdae Kim
 
4K Video Downloader Plus Pro Crack for MacOS New Download 2025
bashirkhan333g
 
In From the Cold: Open Source as Part of Mainstream Software Asset Management
Shane Coughlan
 
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
The 5 Reasons for IT Maintenance - Arna Softech
Arna Softech
 
Milwaukee Marketo User Group - Summer Road Trip: Mapping and Personalizing Yo...
bbedford2
 
Ad

Token based-oauth2

Editor's Notes

  • #3: You all see this window in your browser. This is the first version of web – authentification/authorization
  • #4: We want to have integrated to app desing, we don`t want to share username/password in network.
  • #5: Cookie based, sometimes called forms. We have integrated design
  • #6: Transfer login/pass only one time via https. Than we receive cookie with session id and use it. Simple implementation. A lot of frameworks support it by default Minuses – we don`t control this session id generation. Someone can steal cookie and make fake ip in ip packet
  • #7: What if app client is not a browser?
  • #10: Reincarnation of digest. You can control cpntent, encryption, live - time
  • #11: Reincarnation of digest. You can control cpntent, encryption, live - time
  • #12: Now with token based it`s easier to do authentication between several nodes and with several client types
  • #13: Example of token. See for weight . No username-pass. Just encrypted string. Go through header.
  • #17: Then, this JSON is Base64Url encoded to form the first part of the JWT.
  • #18: Payload The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: reserved, public, and private claims. Reserved claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others. Notice that the claim names are only three characters long as JWT is meant to be compact. Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace. Private claims: These are the custom claims created to share information between parties that agree on using them.
  • #19: Question: what is wrong? The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
  • #20: Can`t align(
  • #23: What is it? Why? Purposes It`s protocol about authorization. It doesn`t handle authentication. It describes flow of data between appplications to stay secure
  • #24: Question: what is wrong? The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
  • #25: Simple sceme -auth request -get grant by user -give grant to auth server -Take token -use token for resource Code access sceme -access resource -decline -go to auth server with redirect url -Auth server shows form -redirect to url -grab token by code
  • #26: If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
  • #27: If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
  • #28: If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
  • #29: ALLOWS USER TOEDIT INFO ON AUTH SERVER
  • #30: PAGE FOR CREATION
  • #31: OPTIONS
  • #33: Dear listeners, our lection goes to end. We learned a little bit about oauth2 and I hope now we understand that it`s flexible way of authorization your application. Easy to add SSO, mobile clients, other resources, No needs to completely rewrite it or create “system” users. Starting you app with OAUTH2 you will quarantee that during grow(scaling) of your app, increasing of users amount security will still be actual modern and durable. Questions?
  • #35: OPTIONS