This is the wiki home of a self-organized study group on OAuth2 and OpenID Connect (OIDC)
Our next meeting will occur on Thursday, May 4 at 2 pm Eastern, 11 am Pacific
Subscribe to mailing list, tier-oauth@internet2.edu
Agenda and Notes Online
To join via computer audio/video - https://bluejeans.com/192180354/browser
To join via Phone:
1) Dial:
- +1.408.740.7256
- +1.888.240.2560(US Toll Free)
- +1.408.317.9253(Alternate number)
- (see all numbers - http://bluejeans.com/numbers)
2) Enter Conference ID: 192180354#
References and Links
- Recommended but not required: OAuth 2 in Action, Justin Richer and Antonio Sanso
- OAuth 2 in Action book forum incl. errata: https://forums.manning.com/forums/oauth-2-in-action
- Create directory and download code for above book: https://github.com/oauthinaction/oauth-in-action-code
- Prerequisites for running examples:
- Node: https://nodejs.org
- NPM: https://www.npmjs.com/ (Bundled with Node)
Express: http://expressjs.com
Table of Contents
OAUTH2 IN ACTION, Justin Richer, Antonio Sanso
Part 1 First steps .................................................................1
1 ■ What is OAuth 2.0 and why should you care? 3
2 ■ The OAuth dance 21
Part 2 Building an OAuth 2 environment ......................41
3 ■ Building a simple OAuth client 43 (April 20)
4 ■ Building a simple OAuth protected resource 59 (May 4)
5 ■ Building a simple OAuth authorization server 75 (May 18)
6 ■ OAuth 2.0 in the real world 93 (June 1)
Part 3 OAuth 2 implementation and vulnerabilities ............................119
7 ■ Common client vulnerabilities 121
8 ■ Common protected resources vulnerabilities 138
9 ■ Common authorization server vulnerabilities 154
10 ■ Common OAuth token vulnerabilities 168
Part 4 Taking OAuth further ..........................................179
11 ■ OAuth tokens 181
12 ■ Dynamic client registration 208
13 ■ User authentication with OAuth 2.0 236
14 ■ Protocols and profiles using OAuth 2.0 262
15 ■ Beyond bearer tokens 282
16 ■ Summary and conclusions 298
- RFCs:
- https://tools.ietf.org/html/rfc6749 OAuth 2.0 framework
- https://tools.ietf.org/html/rfc7591 OAuth 2.0 Dynamic Client Registration
- https://tools.ietf.org/html/rfc7662 OAuth 2.0 Token Introspection
- https://tools.ietf.org/html/rfc6750 Bearer Token Usage
- https://tools.ietf.org/html/rfc7009 Token Revocation
- https://tools.ietf.org/html/rfc7521 Assertion Framework for Client Authentication and Authorization Grants
- https://tools.ietf.org/html/rfc7522 SAML 2.0 Profile for …
- https://tools.ietf.org/html/rfc7523 JSON Web Token (JWT) Profile for …
- https://tools.ietf.org/html/rfc7522 SAML 2.0 Profile for …
- https://tools.ietf.org/html/rfc6819 Threat Model and Security Considerations
- https://tools.ietf.org/html/rfc7636 Proof Key for Code Exchange by OAuth Public Clients
- https://tools.ietf.org/html/rfc6755 An IETF URN Sub-Namespace for OAuth
- https://tools.ietf.org/html/rfc6749 OAuth 2.0 framework
- Additional materials from the OpenID Workshop offered by Roland Hedberg and Rebecka Gulliksson in Denver, February 2016
- Workshop home page: https://meetings.internet2.edu/2016-02-24-openid-connect-workshop/
- Workshop code: https://github.com/rohe/openid_course
- Course material for a course in OAuth2, JW*, OpenID Connect and UMA: https://github.com/rohe/ojou_course
- OIDC
- Internet2 OIDC Survey Working Group
- Consultation for the OIDC Working Group Final Report
- U Chicago project to add OIDC support to the Shib IdP