
IDM OAuth Overview

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 1


What is OAuth?
• OAuth allows resource owners to delegate resource access rights
to third-parties.
• No sharing of passwords with third-party apps
• Authorize to certain limited resources
• For a limited time
• Can revoke consent given to the third-party apps

• Whereas the approach of sharing passwords with third-party apps brings:

• Trust issues
• Unwanted level of access
• Inability to revoke, etc.



OAuth Actors

[Diagram: the four OAuth actors and the relationships between them]
• Client Application (e.g. photoprinting.com) – accesses resource data on the Resource Server
• Resource Server (e.g. photos from “photos.com”) – hosts the protected resources
• Resource Owner – logs in and gives consent at the OAuth Server; delegates authorization to the Client Application
• OAuth Server – authenticates and authorizes the Resource Owner; issues tokens to the Client Application


What is OAuth?
• Classic / Core OAuth
• Allow a third party client application to solicit User Consent
Authorization and gain access to a user’s resource
• Similar to Consumer Web Experience (e.g. Facebook)

• OAuth Assertion Framework


• Support using JWT and SAML2 Assertion
• Assertion used for Client Authentication and Authorization Grant

• Mobile OAuth
• Adding Oracle’s extensions to OAuth Protocol
• Supporting Native Apps on popular Mobile OS Platforms
• Covered by another set of slides

• Common: all scenarios enable a third-party client application to acquire resource access tokens without sharing the actual user password



OAuth 2.0 Grant Types
• Authorization Code – usually clients running on a web server
• Implicit – clients running directly in the browser, e.g. JavaScript
• Resource Owner Password – the user’s userid/password
• Client Credentials – the client’s own credentials
• Refresh Token – to refresh/get a new access token

• Assertion Framework
• Client Assertion
• (Authorization) Assertion
• Support multiple formats: JWT and SAML

• Extended Grants
• Depends on server and deployment needs
• E.g. for Oracle to support OAM tokens



OAuth 2 Endpoints

• Authorization Endpoint
• Front channel
• through Browser
• End-user authenticates
• User Consent Authorization Decisions

• Token Endpoint
• Back channel
• Direct HTTP request to OAuth Server, not through Browser
• Client authenticates
• Generates Tokens



Authorization Code Flow

• The Code Flow consists of the following steps through the Browser:

1. Client prepares an Authorization Request containing the desired request parameters (e.g. the “scope” parameter indicating which resources it intends to access)
2. Client sends the request to the Authorization Server.
3. Authorization Server authenticates the End-User (if not authenticated yet).
4. Authorization Server obtains the End-User’s Consent Authorization.
5. Authorization Server sends the End-User back to the Client application with an Authorization Code.
6. Client sends the code to the Token Endpoint and receives an Access Token in the response.



Authz Code Flow – Request and Responses

• Authz Code request sample:


https://server.example.com/ms_oauth/oauth2/endpoints/oauthservice/authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&scope=profile&state=af0ifjsldkj

• Authz Code response sample:


HTTP/1.1 302 Found
Location: https://client.example.org/cb?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj

• Access Token request sample:


POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

• Access Token Response


{
"access_token":"SlAV32hkKG",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
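Client-side handling of the three exchanges above, added here as example code (not Oracle's): it builds the authorization request, refuses a redirect whose state does not match the one this session sent before accepting the code, and prepares the back-channel token request. Endpoint paths and sample values are the slide's; the client secret `gX1fBat3bV` is simply what the sample Basic header decodes to.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://server.example.com/ms_oauth/oauth2/endpoints/oauthservice/authorize"
TOKEN_PATH = "/ms_oauth/oauth2/endpoints/oauthservice/tokens"


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Steps 1-2: the front-channel request the browser is sent to; state binds it to this session."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def parse_code_redirect(location: str, expected_state: str) -> str:
    """Step 5: extract the code from the 302 Location, rejecting a redirect whose state is not ours."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: redirect not bound to this session")
    if "code" not in params:
        raise ValueError("no code in redirect: " + params.get("error", "unknown error"))
    return params["code"]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication used on the back channel (client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Step 6: direct POST to the Token Endpoint; redirect_uri must repeat the one sent in step 1."""
    return {
        "method": "POST",
        "path": TOKEN_PATH,
        "headers": {
            "Host": "server.example.com",
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }
```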



Implicit Grant Flow

• The Implicit Flow consists of the following steps:


1. Client prepares an Authorization Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server authenticates the End-User.
4. Authorization Server obtains the End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Access Token.



Implicit Grant Flow – Request and Responses

• Access Token request sample:

https://server.example.com/ms_oauth/oauth2/endpoints/oauthservice/authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&scope=profile&state=af0ifjsldkj

• Access Token response sample:


HTTP/1.1 302 Found
Location: https://client.example.org/cb#
access_token=SlAV32hkKG
&token_type=bearer
&expires_in=3600
&state=af0ifjsldkj



Access Token
• “access_token” – represents access to protected resources
• The OAM M&S OAuth Server generates Tokens (including the Access Token) in JWT (JSON Web Token) format
• A JWT has 3 segments: Header Segment, Payload Segment, Signature Segment

Header Segment:
{ "typ":"JWT","alg":"HS256" }

Payload Segment: containing various claims


{
"iss" : "https://oamms.example.com",
"aud" : "753560681145-2ik2j3snsvbs80ijdi8",
"exp" : 1311281970,
"iat" : 1311201970
}

Signature Segment: cryptographic signature value
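How a resource server would check a JWT access token shaped like the one above before trusting it, added here as example code (not the OAM M&S server's implementation): the signature is recomputed with a pinned HS256 algorithm, then iss, aud, exp and iat are checked. The HMAC key and the clock value are constructed for the demo; the claims are the slide's.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature using the slide's header {"typ":"JWT","alg":"HS256"}."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claims only if signature, iss, aud, exp and iat all check out; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose it (rejects "none" and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iat", 0) > now:
        raise ValueError("token issued in the future")
    return claims


# Claims from the slide; the key and the clock value below are constructed for the demo.
DEMO_KEY = b"constructed-demo-hmac-key"
SAMPLE_CLAIMS = {"iss": "https://oamms.example.com", "aud": "753560681145-2ik2j3snsvbs80ijdi8",
                 "exp": 1311281970, "iat": 1311201970}
```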



Refresh Token
• In addition to the “access_token”, the OAuth server may decide (based on server configuration and request context) to generate an additional token, the “refresh_token”
• A Refresh Token can be used by an authenticated Client application to acquire a new Access Token, typically after the original “access_token” has expired
• The new Access Token typically shares the security properties of the original Access Token, e.g. it can be used to access the same set of resources
• A sample HTTP request: a Confidential Client using a Refresh Token to request a new Access Token

POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

• Note: no scope parameter is used



Client Credential
• When a client application requests resources of its own (not a human end-user’s resources), the OAuth Access Token request does NOT involve any end-user credential / grant (e.g. an authenticated user assertion, an authorization code from an authenticated user, etc.)
• Example of a client’s own resource: HTTP download / upload to Cloud-based simple file storage
• A sample HTTP request:
POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=cloud.storage.read

• 3 forms of Client Credential: [1] HTTP Basic Authorization Header, [2] client_id and client_secret HTTP parameters, [3] Client Assertion (see later slides)
• The OAM M&S OAuth server also leverages this “client_credentials” grant type to allow confidential clients to acquire a client assertion token with client secrets (see later slides)



Resource Owner Password
• To support client applications developed in the pre-OAuth era that do not want to participate in the Authorization Endpoint protocol, the Resource Owner Password grant is introduced to ease their migration.
• A sample HTTP request:
POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w&scope=social.photo.read

• Considered an anti-pattern / a pre-OAuth practice that should be discouraged

• However, the OAM M&S OAuth server re-purposes this “password” grant type to allow an authenticated client to acquire a user assertion token with the end-user’s password (see later slides)



OAuth 2.0 Assertion Framework (1)
• The OAuth Authorization Code protocol flow facilitates User Consent authorization among the Third-Party Client application, the Resource Server and the Resource Owner (human end-user) through Browser HTTP redirection
• Typically, Client applications and Resource Servers are run by different organizations
• A.K.A. the 3-legged scenario

• How about the 2-legged scenario?

• Where Client applications and Resource Servers are run by the same organization?
• Where explicit User Consent seems optional?
• How about environments where a Web Browser may be absent?
• How to leverage an Enterprise’s existing security token management infrastructure?



OAuth 2.0 Assertion Framework (2)
• Industry has been working on additional public standard specifications, the “Assertion Framework”, to address these additional requirements
• Targeted more at:
• The 2-legged scenario; user consent may not be needed
• Web Browser use is optional
• Consuming existing tokens / assertions based on industry standards: JWT Assertion and SAML2 Assertion

• Two kinds of Assertions:

• Client Assertion: carries an authenticated client application identity
• Authorization Grant Assertion: in addition to the authenticated client identity, some Access Token acquisitions require additional security assertion claims. One major use case is an authenticated user identity
• When an assertion / token carries an authenticated user identity as its principal / subject claim, this assertion is termed a “User Assertion” under the OAM M&S OAuth server for simplicity.



Consuming JWT Assertions (1)
• JWT Client Assertion Type URI:
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
• JWT Assertion Grant Type URI:
urn:ietf:params:oauth:grant-type:jwt-bearer

• HTTP Sample Request #1: Using a JWT-Based Client Assertion to request an access token for a client’s own resource:

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=cloud.storage.read&client_id=xxxClientIdxxx&client_assertion=xxxClientAssertionxxx&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer



Consuming JWT Assertions (2)
• HTTP Sample Request #2: Using JWT-Based Client Assertion and JWT
Assertion (a User Assertion) to request an access token for a user’s
resource:

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=xxxUserAssertionxxx&client_id=xxxClientIdxxx&client_assertion=xxxClientAssertionxxx&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=user.photo.write



Consuming SAML2 Assertions (1)
• SAML2 Client Assertion Type URI:
urn:ietf:params:oauth:client-assertion-type:saml2-bearer
• SAML2 Assertion Grant Type URI:
urn:ietf:params:oauth:grant-type:saml2-bearer

• HTTP Sample Request #1: Using a SAML2-Based Client Assertion to request an access token for a client’s own resource:

POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=cloud.storage.read&client_id=xxxClientIdxxx&client_assertion=xxxClientAssertionxxx&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer



Consuming SAML2 Assertions (2)
• HTTP Sample Request #2: Using SAML2-Based Client Assertion
and JWT Assertion (a User Assertion) to request an access token for
a user’s resource:

POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=xxxUserAssertionxxx&client_id=xxxClientIdxxx&client_assertion=xxxClientAssertionxxx&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&scope=user.photo.write
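Server-side validation of the four assertion-based token requests on the JWT and SAML2 slides above (client assertion alone, or client assertion plus a user assertion), added here as example code that is not part of the OAM M&S product: it parses the form body, requires a known client_assertion_type whenever a client_assertion is sent, and requires the assertion parameter for the jwt-bearer and saml2-bearer grant types. The sample bodies are the slides' own; the handler names are my own.

```python
from urllib.parse import parse_qs

# Assertion type URIs from the slides, mapped to the assertion format they name.
CLIENT_ASSERTION_TYPES = {
    "urn:ietf:params:oauth:client-assertion-type:jwt-bearer": "jwt",
    "urn:ietf:params:oauth:client-assertion-type:saml2-bearer": "saml2",
}
ASSERTION_GRANT_TYPES = {
    "urn:ietf:params:oauth:grant-type:jwt-bearer": "jwt",
    "urn:ietf:params:oauth:grant-type:saml2-bearer": "saml2",
}
CORE_GRANT_TYPES = ("authorization_code", "client_credentials", "password", "refresh_token")


def parse_token_request(body: str) -> dict:
    """Classify a token-endpoint form body and enforce which assertions it must carry."""
    params = parse_qs(body, strict_parsing=True)
    # Each form field must appear exactly once; a duplicated parameter is ambiguous and rejected.
    duplicated = [name for name, values in params.items() if len(values) != 1]
    if duplicated:
        raise ValueError(f"duplicate parameters: {duplicated}")
    p = {name: values[0] for name, values in params.items()}
    grant = p.get("grant_type")
    if grant is None:
        raise ValueError("grant_type is required")
    result = {"grant_type": grant, "client_id": p.get("client_id"), "scope": p.get("scope")}
    # Client authentication by assertion: value and type must both be present, and the type known.
    if "client_assertion" in p or "client_assertion_type" in p:
        fmt = CLIENT_ASSERTION_TYPES.get(p.get("client_assertion_type", ""))
        if fmt is None or "client_assertion" not in p:
            raise ValueError("client_assertion requires a supported client_assertion_type")
        result["client_assertion"] = (fmt, p["client_assertion"])
    # An assertion grant additionally needs the authorization-grant (user) assertion itself.
    if grant in ASSERTION_GRANT_TYPES:
        if "assertion" not in p:
            raise ValueError("assertion grant type without an assertion parameter")
        result["assertion"] = (ASSERTION_GRANT_TYPES[grant], p["assertion"])
    elif grant not in CORE_GRANT_TYPES:
        raise ValueError(f"unsupported grant_type: {grant}")
    return result


def rejects(body: str) -> bool:
    """True if the body is refused; convenient for exercising the negative cases."""
    try:
        parse_token_request(body)
    except ValueError:
        return True
    return False
```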



Producing JWT Client and User Assertions (1)
• While other IDM products (e.g. Oracle STS or OWSM) would be used to issue SAML2 assertions, the OAM M&S OAuth server does support issuing JWT-based Client Assertions and User Assertions by itself

• HTTP Sample Request: a Confidential Client using Client ID and Secret in Authorization to request a JWT Client Assertion:
POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

• HTTP Sample Request: a Confidential Client using Resource Owner Password to request a JWT User Assertion:
POST /ms_oauth/oauth2/endpoints/oauthservice/tokens HTTP/1.1
Host: server.example.com
Authorization: Basic NTQzMjFpZDp3ZWxjb21lMQ==
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=john&password=welcome1



Producing JWT Client and User Assertions (2)
• Client Assertion and User Assertion are returned in the “access_token” field, as they may be used directly to access resources as an authenticated client or an authenticated user

• Sample response of JWT Client Assertion


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 21 Jun 2013 01:15:04 GMT
Pragma: no-cache
Content-Length: 1629
Content-Type: application/json;charset=UTF-8

{
"oracle_client_assertion_type":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"expires_in":28800,
"token_type":"Bearer",
"oracle_tk_context":"client_assertion",
"refresh_token":"...Refresh Token for Client Assertion ...",
"access_token":"...Client Assertion..."
}



Producing JWT Client and User Assertions (3)
• Sample response of JWT User Assertion
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Date: Fri, 21 Jun 2013 01:11:10 GMT
Pragma: no-cache
Content-Length: 954
Content-Type: application/json;charset=UTF-8

{
"expires_in":28800,
"token_type":"Bearer",
"oracle_tk_context":"user_assertion",
"oracle_grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer",
"access_token":"...JWT User Assertion..."
}



References
• OAuth 2.0 Spec (Core/Classic) - http://tools.ietf.org/html/rfc6749
• OAuth 2.0 Assertion Framework Spec - http://tools.ietf.org/html/draft-ietf-oauth-assertions-11
• OAuth 2.0 JWT Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05
• OAuth 2.0 SAML2 Assertion Profile Spec - http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-16
• JSON Web Token (JWT) Main Spec - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08
• JavaScript Object Signing & Encryption (JWT Related) - http://datatracker.ietf.org/wg/jose/

