OAuth2

https://app.pluralsight.com/player?course=oauth2-json-web-tokens-openid-connect-introduction&author=dominick-baier&name=oauthintro-m2-securitystack&clip=1&mode=live

Enterprise Security

Evolution of enterprise architecture: a stack built on many standards (enterprise federation, token formats, etc.).

The mobile revolution

Mobile did not care about the enterprise security stack: no more SAML, SOAP and WS-*; welcome HTTP and JSON. The market shift moved development to mobile platforms and mobile enterprise apps.

OAuth2 and OpenID

OAuth2 is about delegated authorization.

OpenID is about delegated authentication.

JWT JSON Web Tokens

OpenID Connect mandates the use of JWT. OAuth2 does not mandate it, but JWT is the usual choice in practice.

Purpose of a security token: to create a data structure carrying information about the issuer, the recipient and the subject the token describes. The token must be signed so that the issuer, and therefore the token itself, can be trusted. The token contains an expiration time. The client requests the token, the issuer issues it, and a resource consumes it (the resource has a trust relationship with the issuer).

History. SAML (Security Assertion Markup Language) 1.1/2.0: XML based, many encryption and signature options, very expressive. Simple Web Token (SWT): form/URL encoded, symmetric signatures only. JSON Web Token (JWT): JSON encoded, the new standard, symmetric (HMAC-SHA) and asymmetric (RSA, ECDSA) signatures, and encryption (RSA, AES/GCM).

JWT Structure and Format

http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

Header: metadata, the algorithm and keys used

Claims: issuer, audience, issued-at, expiration, subject

JWTs are mandatory in OpenID Connect.

Introduction to OAuth2

It is an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications. The OAuth2 framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Work started in 2007; the 2012 version is the more refined one.

There is a difference between the Client and the Resource Owner. The Resource Owner is the person who owns the backend data. The Client is the software used to access that backend data.

Master key and valet parking key analogy: how can the Resource Owner give the Client a key to access resources on the owner's behalf without handing over the master key? This is what OAuth does.
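The token description above (issuer, recipient, subject, signature, expiry) and the valet-key idea come together in the following added example, which is not code from the course or from any OAuth2/JWT library. It builds an HS256 JWT on the issuer side and verifies it on the resource side using only the Python standard library; the shared secret, the issuer and audience URLs, the subject "alice" and the `calendar.read` / `calendar.write` scopes are all constructed for the demo. The resource server rejects tokens whose algorithm, signature, issuer, audience or expiry does not check out, and then enforces the limited access (the valet key) by requiring the scope the call needs.

```python
# Added example, not from the course: a minimal JWT (HS256) issuer and
# verifier using only the Python standard library. SECRET, ISSUER,
# RESOURCE, the subject and the scope names are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"demo-shared-secret-not-for-production"  # constructed key
ISSUER = "https://issuer.example"                  # constructed issuer
RESOURCE = "https://api.example"                   # constructed audience


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[int] = None) -> dict:
    """Resource side: check alg, signature, iss, aud and exp; return claims.

    Raises ValueError on any failure so a caller can never use claims
    from a token that did not pass every check.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier fixes the algorithm; the token does not get to choose
    # (this rejects alg "none" and any algorithm swap).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this resource")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or has no exp")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """The valet-key check: the token must carry the scope the call needs."""
    return required in claims.get("scope", "").split()


def resource_allows(token: str, required_scope: str,
                    now: Optional[int] = None) -> bool:
    """What a resource server does per request: verify, then check scope."""
    try:
        claims = verify_jwt(token, SECRET, ISSUER, RESOURCE, now=now)
    except ValueError:
        return False
    return has_scope(claims, required_scope)


def issue_demo_token(issued_at: int = 1_700_000_000) -> str:
    """Issuer hands the client a token limited to reading the calendar."""
    return create_jwt({
        "iss": ISSUER, "aud": RESOURCE, "sub": "alice",  # constructed subject
        "iat": issued_at, "exp": issued_at + 300,
        "scope": "calendar.read",
    }, SECRET)


if __name__ == "__main__":
    tok = issue_demo_token()
    print(tok)
    print("calendar.read allowed:", resource_allows(tok, "calendar.read", now=1_700_000_060))
    print("calendar.write allowed:", resource_allows(tok, "calendar.write", now=1_700_000_060))
```

The design point is that the resource never sees the owner's credentials: it only trusts the issuer's signature, and the scope claim is the limited key. Note that HS256 means issuer and resource share one secret, so the resource could mint tokens itself; the asymmetric algorithms listed above (RSA, ECDSA) avoid that by letting the resource hold only the issuer's public key.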

Generalities
