OAuth Core 1.0
http://oauth.net/core/1.0/
---------------------------

Contents:

  3. Definitions -- relevant ones culled from the OAuth spec at the URL above.
  Fig 1: out-of-band consumer setup/config
  Fig 2: "Web-based consumer"
  Fig 3: "desktop-based consumer"
  Appendices -- for comparison...
    OpenId - Dest site first, "associate" operational mode
    OpenId - Requesting Authentication, assoc_hdl!=null, openid.mode = checkid_setup
    OpenId - Requesting Authentication, assoc_hdl==null, openid.mode = checkid_setup
    OpenId - Requesting Authentication, unsolicited response, assoc_hdl!=null, openid.mode = n/a
    SAML Web Browser SSO Profile

----------------------------

3. Definitions

Service Provider:
    A web application that allows access via OAuth.

User:
    An individual who has an account with the Service Provider.

Consumer:
    A website or application that uses OAuth to access the Service Provider on behalf of the User.

Protected Resource(s):
    Data controlled by the Service Provider, which the Consumer can access through authentication.

Consumer Developer:
    An individual or organization that implements a Consumer.

Consumer Key:
    A value used by the Consumer to identify itself to the Service Provider.
    [ essentially a "consumer identifier". ]

Consumer Secret:
    A secret used by the Consumer to establish ownership of the Consumer Key.

Request Token:
    A value used by the Consumer to obtain authorization from the User, and exchanged for an Access Token.

Access Token:
    A value used by the Consumer to gain access to the Protected Resources on behalf of the User, instead of using the User's Service Provider credentials.

Token Secret:
    A secret used by the Consumer to establish ownership of a given Token.

OAuth Protocol Parameters:
    Parameters with names beginning with oauth_.
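The definitions above name four values (Consumer Key, Consumer Secret, Token, Token Secret) without showing how they are combined on the wire. The following is an added worked example, not code from this page or from the OAuth project: it implements the HMAC-SHA1 signing method of OAuth Core 1.0 (sections 5.1, 9.1 and 9.2 of the spec, which this page does not reproduce) for both the Consumer that signs a request and the Service Provider that verifies it. The function names (pct, signature_base_string, sign_request, verify_request) are this example's own; the signing key construction, parameter normalization and percent-encoding rules are the spec's.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode per OAuth Core 1.0 sec. 5.1: only ALPHA, DIGIT, '-', '.', '_', '~'
    stay unencoded; everything else becomes %XX (uppercase hex) after UTF-8 encoding."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query string removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """OAuth Core 1.0 sec. 9.1: METHOD & pct(base URL) & pct(normalized parameters).
    Parameters are the oauth_* ones plus query-string/body ones, minus oauth_signature,
    each name and value percent-encoded, sorted by name then value, joined with = and &."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    items = [(pct(k), pct(v)) for k, v in list(query) + list(params) if k != "oauth_signature"]
    items.sort()
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """OAuth Core 1.0 sec. 9.2: key is pct(Consumer Secret) '&' pct(Token Secret).
    The Token Secret is empty when the Consumer is still asking for a Request Token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 extra=(), nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters and attach the signature.
    nonce/timestamp may be supplied to reproduce a known vector; normally they are fresh."""
    params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_urlsafe(16)),
        ("oauth_version", "1.0"),
    ]
    if token:
        params.append(("oauth_token", token))
    params += list(extra)
    sig = hmac_sha1_signature(signature_base_string(method, url, params),
                              consumer_secret, token_secret)
    return params + [("oauth_signature", sig)]


def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Service Provider side: recompute the signature from the received parameters and the
    secrets stored for the presented Consumer Key / Token; compare in constant time."""
    received = dict(params).get("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample values; the hostname follows the figures on this page.
    url = "https://photos.example.net/photos?file=vacation.jpg"
    signed = sign_request("GET", url, "example-consumer-key", "example-consumer-secret",
                          "example-access-token", "example-token-secret")
    print("signature:", dict(signed)["oauth_signature"])
    print("verifies:", verify_request("GET", url, signed,
                                       "example-consumer-secret", "example-token-secret"))
```

The Service Provider only ever sees the Consumer Key and the Token in the request; the two secrets never travel, which is why a signature that verifies "establishes ownership" of them in the sense of the definitions above. Because the query string is folded into the base string, changing any parameter after signing invalidates the signature. The spec's Appendix A test vector (consumer key dpf43f3p2l4k3l03, token nnch734d00sl2jdk, secrets kd94hf93k423kf44 and pfkkdhi9sl3r4s00) reproduces the published signature tR3+Ty81lMeYAr/Fid0kMTYa/WM= with these functions; those values come from the spec, not from this page.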
------------------

OAuth figures:

Notation used in all figures below: "A --> B" is a direct message from A to B; "A - - > B (indirected via UA)" is a redirect carried through the user agent; "A <==> B" is an interaction between A and B; "..." marks further requests of the same kind.

Fig 1: out-of-band consumer setup/config
----------------------------------------

Parties:
  printer.example.com   developer of OAuth consumer
  photos.example.net    Sys Admin of OAuth service provider [SP]

  developer of consumer <--> SP Sys Admin:
      obtain Consumer Key and Consumer Secret
      [details unspec'd, performed out-of-band.]

Fig 2: "Web-based consumer"
---------------------------

The "consumer" is a website or other application that accesses the Service Provider on behalf of the wielder (user) of the user agent (UA is typically a browser, but could be some other app).

Steps
  1.n. "Obtain Unauthorized Request Token"
  2.n. "User Authorizes Request Token"
  3.n. "Exchange Request Token for Access token"
  4.n. UA accessing protected resources at SP

Parties:
  UA                    user agent
  printer.example.com   OAuth Consumer [RP]
  photos.example.net    OAuth Service Provider, [protected resources] [SP]

  1.0. UA <--> Consumer:    User Agent interacts with Consumer site [optional]
  1.1. UA --> Consumer:     UA informs/directs Consumer to do something with a resource (e.g. a photo) at SP
  1.2. Consumer --> SP:     Consumer attempts accessing photo at SP
  1.3. SP --> Consumer:     SP replies with a HTTP 401 containing a "OAuth" www-authn header field
  1.4. Consumer --> SP:     Consumer replies with a request for "unauthorized Request Token" (uRT) via POST to SP's "request token URL"
  1.5. SP --> Consumer:     SP issues uRT & token secret to Consumer.
  2.0. Consumer - - > SP (indirected via UA):
                            Consumer redirects UA to SP "User Authorization URL" including the uRT.
  2.2. UA <==> SP:          User authenticates with the Service Provider (optional, methods vary, realization is out of scope)
  2.3. UA <==> SP:          User grants or declines permission for the Service Provider to allow Consumer access to the resource (e.g. photo).
  2.4. SP - - > Consumer (indirected via UA):
                            If permission granted, UA redirected back to Consumer's "Callback URL", conveying the uRT.
  3.0. Consumer --> SP:     Consumer requests Access token, supplies uRT.
  3.1. SP --> Consumer:     SP grants Access Token.
  4.x. Consumer <==> SP:    Consumer uses the Access Token, Access Token Secret, Consumer Key, and Consumer Secret to make authenticated request(s) to the Service Provider.
       ...

Fig 3: "desktop-based consumer"
-------------------------------

This is the case where the user is wielding some app that is both a UA and a Consumer.

Parties:
  Desktop-based Consumer / UA
  OAuth service provider, [protected resources] [SP]

  1.   Consumer --> SP:     Consumer requests "unauthorized Request Token (uRT)" with POST to SP's "request token" URL.
  1.1. SP --> Consumer:     SP issues uRT and Token Secret to consumer.
  1.2. Consumer <==> SP:    User authenticates with the Service Provider (optional, methods vary, realization is out of scope)
  3.   Consumer <==> SP:    User grants or declines permission for the Service Provider to issue Access Token.
  4.   SP --> Consumer:     Service Provider authorizes the uRT to be exchanged for an Access Token and secret.
  5.   Consumer <--> SP:    Consumer exchanges the uRT and secret for an Access Token and Secret.
  6.   Consumer <==> SP:    Consumer uses the Access Token, Access Secret, Consumer Key, and Consumer Secret to make authenticated request(s) to the Service Provider
       ...

==========================================================================
Appendices -- for comparison...
==========================================================================

OpenId - Dest site first, "associate" operational mode:

Parties:
  UA, RP, OP/IDP, Principal's Site ..or.. XRI Authority

  1. UA --> RP:             User Agent accesses RP Site, typically via GET
  2. RP --> UA:             RP returns a page with prompt for Princ to use to enter OpenId
  3. UA --> RP:             UA typically POSTs Princ's OpenId string to RP
  4. RP <--> Principal's Site / XRI Authority:
                            RP resolves OpenId string via Yadis, XRI, or HTTP GET resolution, yielding URL of Princ's OP/IDP
  5. RP --> OP/IDP:         POST DH params, openid.mode = assoc.
  6. OP/IDP --> RP:         OP/IDP returns shared secret and assoc_handle

OpenId - Requesting Authentication, assoc_hdl!=null, openid.mode = checkid_setup

Parties:
  UA, RP, OP/IDP

  1. RP - - > OP/IDP (indirected via UA):
                            Authentication Req and assoc_handle!=null
  2. UA <==> OP/IDP:        OP/IDP authenticates Principal (methods vary, realization is out of scope)
                            [Step (2) is absent if openid.mode is check_immediate]
  3. OP/IDP - - > RP (indirected via UA):
                            Authentication Resp
  4. RP --> UA:             Princ is signed-on or some form of error msg is displayed

OpenId - Requesting Authentication, assoc_hdl==null, openid.mode = checkid_setup

Parties:
  UA, RP, OP/IDP

  1. RP - - > OP/IDP (indirected via UA):
                            Authentication Req and assoc_handle!=null
  2. UA <==> OP/IDP:        OP/IDP authenticates Principal (methods vary, realization is out of scope)
                            [Step (2) is absent if openid.mode is check_immediate]
  3. OP/IDP - - > RP (indirected via UA):
                            Authentication Resp
  4. RP --> OP/IDP:         check_authn plus resp params from (3)
  5. OP/IDP --> RP:         sig verif'n result plus invalid_handle
  6. RP --> UA:             Princ is signed-on or some form of error msg is displayed

OpenId - Requesting Authentication, unsolicited response, assoc_hdl!=null, openid.mode = n/a

Parties:
  UA, RP, OP/IDP

  1. UA <==> OP/IDP:        OP/IDP authenticates Principal (methods vary, realization is out of scope)
                            [OP/IDP may assist in selecting identifier(s)]
  2. OP/IDP - - > RP (indirected via UA):
                            Authentication Resp
  3. RP --> UA:             Princ is signed-on or some form of error msg is displayed

=========== S A M L ==================

SAML Web Browser SSO Profile

Parties:
  User Agent, Service Provider, Identity Provider

  1. UA --> SP:             User Agent attempts to access some resource at the Service Provider
                            [SP: Do I have a security context for this UA? Hm, no, so I'm going to establish one..]
  2. (at SP)                Service Provider determines Identity Provider to use (methods vary, details not shown)
  3. SP - - > IDP (redirect to IDP):
                            msg issued by Service Provider to Identity Provider
  4. UA <==> IDP:           Identity Provider identifies Principal (methods vary, details not shown)
  5. IDP - - > SP (redirect to SP):
                            message issued by Identity Provider to Service Provider
  6. SP --> UA:             Based on the Identity Provider identifying (or not) the Principal, the Service Provider either returns the resource or an (HTTP) error

--- end
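Appended worked example for Figs 2 and 3 (not part of the original page, and not the OAuth project's own code): a minimal Service Provider that tracks the state of a Request Token through the three OAuth legs, issuing the unauthorized Request Token (steps 1.4/1.5), recording the User's grant or refusal (steps 2.2 to 2.4), and exchanging it for an Access Token (steps 3.0/3.1). The point the figures leave implicit is what the SP must check at step 3.0: the uRT must be one it issued, to this Consumer, authorized by a User, not expired, and not exchanged before. Request signing is left out here so the token state is visible on its own; the class and method names, the 600-second lifetime and the constructed consumer registry are this example's assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class OAuthError(Exception):
    """Raised by the Service Provider when a request must be refused."""


@dataclass
class RequestToken:
    secret: str
    consumer_key: str              # the Consumer that obtained it (Fig 2 step 1.4)
    issued_at: float
    authorized_by: Optional[str] = None   # User who granted it (Fig 2 step 2.3), None until then


@dataclass
class AccessToken:
    secret: str
    consumer_key: str
    user: str


class ServiceProvider:
    REQUEST_TOKEN_TTL = 600  # seconds an unexchanged Request Token stays valid (assumed policy)

    def __init__(self, consumers, now=time.time):
        # Consumer Key -> Consumer Secret, registered out-of-band as in Fig 1.
        self.consumers = dict(consumers)
        self.request_tokens = {}   # uRT -> RequestToken
        self.access_tokens = {}    # Access Token -> AccessToken
        self.now = now             # injectable clock so expiry can be tested

    def issue_request_token(self, consumer_key):
        """Fig 2 steps 1.4/1.5: hand an unauthorized Request Token and Token Secret to a known Consumer."""
        if consumer_key not in self.consumers:
            raise OAuthError("unknown consumer key")
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.request_tokens[token] = RequestToken(secret, consumer_key, self.now())
        return token, secret

    def authorize(self, token, user, granted):
        """Fig 2 steps 2.2-2.4: the authenticated User grants or declines. Returns True if the
        uRT is now authorized; a declined uRT is discarded so it can never be exchanged."""
        rt = self.request_tokens.get(token)
        if rt is None:
            raise OAuthError("unknown request token")
        if not granted:
            del self.request_tokens[token]
            return False
        rt.authorized_by = user
        return True

    def exchange(self, consumer_key, token):
        """Fig 2 steps 3.0/3.1: swap an authorized uRT for an Access Token and Secret.
        Refuses tokens that are unknown, expired, presented by a different Consumer,
        or not yet authorized by the User. The uRT is consumed, so a second exchange fails."""
        rt = self.request_tokens.get(token)
        if rt is None:
            raise OAuthError("unknown or already exchanged request token")
        if self.now() - rt.issued_at > self.REQUEST_TOKEN_TTL:
            del self.request_tokens[token]
            raise OAuthError("request token expired")
        if rt.consumer_key != consumer_key:
            raise OAuthError("request token belongs to another consumer")
        if rt.authorized_by is None:
            raise OAuthError("request token not authorized by user")
        del self.request_tokens[token]          # single use
        access, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.access_tokens[access] = AccessToken(secret, consumer_key, rt.authorized_by)
        return access, secret

    def resource_owner(self, consumer_key, access_token):
        """Fig 2 step 4.x: which User's protected resources this Access Token reaches, for this Consumer."""
        at = self.access_tokens.get(access_token)
        if at is None or at.consumer_key != consumer_key:
            raise OAuthError("invalid access token")
        return at.user


def happy_path():
    """Walk the three legs once; returns the User whose resources the Access Token reaches."""
    sp = ServiceProvider({"printer.example.com": "constructed-consumer-secret"})
    urt, _urt_secret = sp.issue_request_token("printer.example.com")   # 1.4 / 1.5
    sp.authorize(urt, "alice", granted=True)                             # 2.2 - 2.4
    access, _access_secret = sp.exchange("printer.example.com", urt)    # 3.0 / 3.1
    return sp.resource_owner("printer.example.com", access)             # 4.x


if __name__ == "__main__":
    print("access token resolves to user:", happy_path())
```

Binding the Request Token to the Consumer Key at issue time is what stops one Consumer from exchanging a token that a User authorized for another; consuming it at exchange time is what makes the callback in step 2.4 usable only once. In the desktop case of Fig 3 the same class applies unchanged, since the SP cannot tell whether the Consumer and the UA are one program.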