This is the wiki home of a self-organized study group on OAuth2 and OpenID Connect (OIDC)
Info
- Subscribe to the mailing list: tier-oauth@internet2.edu
- Agenda and Notes Online
- To join via computer audio/video: https://bluejeans.com/6084694523678543210/browser
- To join via phone: 1) Dial: 2) Enter Conference ID: 6084694523#678543210#
References and Links
Recommended but not required: OAuth 2 in Action, Justin Richer and Antonio Sanso
Table of contents of OAuth 2 in Action, Justin Richer and Antonio Sanso (book page numbers in parentheses):
- Part 1: First steps (1)
  - 1. What is OAuth 2.0 and why should you care? (3)
  - 2. The OAuth dance (21)
- Part 2: Building an OAuth 2 environment (41)
  - 3. Building a simple OAuth client (43)
  - 4. Building a simple OAuth protected resource (59)
  - 5. Building a simple OAuth authorization server (75)
  - 6. OAuth 2.0 in the real world (93)
- Part 3: OAuth 2 implementation and vulnerabilities (119)
  - 7. Common client vulnerabilities (121)
  - 8. Common protected resources vulnerabilities (138)
  - 9. Common authorization server vulnerabilities (154)
  - 10. Common OAuth token vulnerabilities (168)
- Part 4: Taking OAuth further (179)
  - 11. OAuth tokens (181)
  - 12. Dynamic client registration (208)
  - 13. User authentication with OAuth 2.0 (236)
  - 14. Protocols and profiles using OAuth 2.0 (262)
  - 15. Beyond bearer tokens (282)

- OAuth 2 in Action book forum, including errata
- Clone the repository with the code for all the exercises in the book
Prerequisites for running the examples:
- Node: https://nodejs.org
- NPM: https://www.npmjs.com/ (bundled with Node)
- Express: http://expressjs.com
RFCs:
- https://tools.ietf.org/html/rfc6749 OAuth 2.0 Authorization Framework
- https://tools.ietf.org/html/rfc7591 OAuth 2.0 Dynamic Client Registration
- https://tools.ietf.org/html/rfc7662 OAuth 2.0 Token Introspection
- https://tools.ietf.org/html/rfc6750 Bearer Token Usage
- https://tools.ietf.org/html/rfc7009 Token Revocation
- https://tools.ietf.org/html/rfc7521 Assertion Framework for Client Authentication and Authorization Grants
- https://tools.ietf.org/html/rfc7522 SAML 2.0 Profile for …
- https://tools.ietf.org/html/rfc7523 JSON Web Token (JWT) Profile for …
- https://tools.ietf.org/html/rfc6819 Threat Model and Security Considerations
- https://tools.ietf.org/html/rfc7636 Proof Key for Code Exchange by OAuth Public Clients
- https://tools.ietf.org/html/rfc6755 An IETF URN Sub-Namespace for OAuth
Additional materials from the OpenID Workshop offered by Roland Hedberg and Rebecka Gulliksson in Denver, February 2016:
- Workshop home page: https://meetings.internet2.edu/2016-02-24-openid-connect-workshop/
- Workshop code: https://github.com/rohe/openid_course
- Course material for a course in OAuth2, JW*, OpenID Connect and UMA: https://github.com/rohe/ojou_course
OIDC
- Internet2 OIDC Survey Working Group
- Consultation on
- U Chicago project to add OIDC support to the Shib IdP