1 of 22

Identity and Access Management (IAM)

老罗

2 of 22

OAuth 2.0 Spec

3 of 22

OAuth Purpose

  • OAuth is an authorization protocol
  • For each combination of third-party software and user it issues a separate credential with limited access to the protected resource, the access token, which stands in for the user's username and password. The login that produces the access token takes place between the user and the platform, so the third-party software never learns any of the user's credentials.

4 of 22

DCR (Dynamic client registration)

5 of 22

6 of 22

7 of 22

8 of 22

DCR example 1

    POST /register HTTP/1.1
    Host: localhost:9001
    Content-Type: application/json
    Accept: application/json

    {
      "client_name": "OAuth Client",
      "redirect_uris": ["http://localhost:9000/callback"],
      "client_uri": "http://localhost:9000/",
      "grant_types": ["authorization_code"],
      "scope": "foo bar baz"
    }

9 of 22

DCR example 2

    HTTP/1.1 201 Created
    Content-Type: application/json

    {
      "client_id": "1234-wejeg-0392",
      "client_secret": "6trfvbnklp0987trew2345tgvcxcvbjkiou87y6t5r",
      "client_id_issued_at": 2893256800,
      "client_secret_expires_at": 0,
      "token_endpoint_auth_method": "client_secret_basic",
      "client_name": "OAuth Client",
      "redirect_uris": ["http://localhost:9000/callback"],
      "client_uri": "http://localhost:9000/",
      "grant_types": ["authorization_code"],
      "response_types": ["code"],
      "scope": "foo bar baz"
    }
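To show what the registration endpoint behind the request and response above has to check before it hands out a client_id and client_secret, here is an added Python example; it is not code from the deck or from any particular authorization server. The accepted grant types, the loopback-only rule for plain http redirect URIs, the auth-method handling and the generated identifiers are assumptions of this example.

```python
import json
import secrets
import time
from urllib.parse import urlparse

# Grant types this hypothetical server accepts, mapped to the response_types each one implies
# (authorization_code needs the "code" response type; the other two use the token endpoint only).
ALLOWED_GRANTS = {
    "authorization_code": {"code"},
    "client_credentials": set(),
    "refresh_token": set(),
}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "none"}

# Constructed copy of the slide's registration request, used when the module is run directly.
DCR_REQUEST = """{
  "client_name": "OAuth Client",
  "redirect_uris": ["http://localhost:9000/callback"],
  "client_uri": "http://localhost:9000/",
  "grant_types": ["authorization_code"],
  "scope": "foo bar baz"
}"""


class RegistrationError(ValueError):
    """In a real endpoint this becomes HTTP 400 with an "invalid_redirect_uri" or
    "invalid_client_metadata" error body (RFC 7591 section 3.2.2)."""


def validate_redirect_uri(uri: str) -> str:
    """Accept only absolute https URIs, or http on the loopback host, and never a fragment."""
    parts = urlparse(uri)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        raise RegistrationError(f"invalid_redirect_uri: not an absolute http(s) URI: {uri}")
    if parts.fragment:
        raise RegistrationError(f"invalid_redirect_uri: fragment not allowed: {uri}")
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
        raise RegistrationError(f"invalid_redirect_uri: plain http only for loopback: {uri}")
    return uri


def register_client(request_body: str, now=None) -> dict:
    """Validate a DCR request body and build the client information response."""
    meta = json.loads(request_body)
    now = time.time() if now is None else now

    redirect_uris = meta.get("redirect_uris")
    if not isinstance(redirect_uris, list) or not redirect_uris:
        raise RegistrationError("invalid_redirect_uri: redirect_uris must be a non-empty list")
    redirect_uris = [validate_redirect_uri(u) for u in redirect_uris]

    grant_types = meta.get("grant_types", ["authorization_code"])
    unknown = set(grant_types) - ALLOWED_GRANTS.keys()
    if unknown:
        raise RegistrationError(f"invalid_client_metadata: unsupported grant_types {sorted(unknown)}")
    # response_types are derived from the grants, not taken from the client's request
    response_types = sorted(set().union(*(ALLOWED_GRANTS[g] for g in grant_types)))

    auth_method = meta.get("token_endpoint_auth_method", "client_secret_basic")
    if auth_method not in ALLOWED_AUTH_METHODS:
        raise RegistrationError(f"invalid_client_metadata: unsupported auth method {auth_method}")

    client_name, scope = meta.get("client_name", ""), meta.get("scope", "")
    if not isinstance(client_name, str) or not isinstance(scope, str):
        raise RegistrationError("invalid_client_metadata: client_name and scope must be strings")

    client = {
        "client_id": secrets.token_urlsafe(16),
        "client_id_issued_at": int(now),
        "token_endpoint_auth_method": auth_method,
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "client_uri": meta.get("client_uri"),
        "grant_types": grant_types,
        "response_types": response_types,
        "scope": scope,
    }
    if auth_method != "none":  # public clients (auth method "none") are issued no secret
        client["client_secret"] = secrets.token_urlsafe(32)
        client["client_secret_expires_at"] = 0  # 0 means the secret does not expire
    return client


if __name__ == "__main__":
    print(json.dumps(register_client(DCR_REQUEST), indent=2))
```

The scope string is stored as requested here; a production server would additionally intersect it with the scopes the client is allowed to register for, and would rate-limit or protect the /register endpoint with an initial access token, since open registration lets anyone mint clients.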

10 of 22

Authorization grant type

  • Token for Client Credentials Grant Type
  • Token for Token Exchange Grant Type
  • Token for Authorization Code Grant Type
  • The implicit flow

11 of 22

Authorization endpoint request

12 of 22

13 of 22

14 of 22

PKCE (Proof Key for Code Exchange)
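The authorization code grant listed on the previous slide and the PKCE extension named here fit together as one exchange: the client sends a code_challenge with the authorization request and the code_verifier with the token request, and the server refuses to redeem a code unless the two match. The following Python example, added here and not taken from the deck, plays both the client and a minimal in-memory authorization server for that exchange; the endpoint URL, the client_id, the redirect URI, the in-memory code store and the 120-second token lifetime are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


# ---- client side ----------------------------------------------------------

def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(ASCII(verifier))) without '=' padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(endpoint: str, client_id: str, redirect_uri: str,
                                scope: str, state: str, verifier: str) -> str:
    """URL the browser is sent to; only the challenge travels through the front channel."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding, checked when the browser comes back
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


# ---- authorization server side ---------------------------------------------

class AuthorizationServer:
    """Minimal in-memory server: issues codes bound to a challenge and redeems each one once."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, params: dict) -> str:
        """Called after the user has authenticated and consented; returns the code."""
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (params["client_id"], params["redirect_uri"], params["code_challenge"])
        return code

    def token(self, params: dict) -> dict:
        """Token endpoint: the code is single-use and must arrive with the matching verifier."""
        if params.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        record = self._codes.pop(params.get("code", ""), None)  # pop, so a replayed code fails
        if record is None:
            raise ValueError("invalid_grant: unknown or already used code")
        client_id, redirect_uri, challenge = record
        if params.get("client_id") != client_id or params.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_grant: code was issued to a different client or redirect_uri")
        verifier = params.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier length out of range")
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(48), "token_type": "Bearer", "expires_in": 120}


# ---- one complete exchange with constructed values -------------------------

def run_flow(wrong_verifier: bool = False) -> dict:
    """Both halves of one authorization code + PKCE flow. With wrong_verifier=True the code is
    redeemed with a verifier that does not belong to it, the case PKCE exists to reject."""
    server = AuthorizationServer()
    client_id, redirect_uri = "1234-wejeg-0392", "http://localhost:9000/callback"
    verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
    url = build_authorization_request("https://as.example/authorize", client_id, redirect_uri,
                                      "foo bar", state, verifier)
    # the server sees the query string of that URL
    request = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    code = server.authorize(request)
    # the browser is redirected back with code and state; the client checks state first
    callback = {"code": code, "state": state}
    if not secrets.compare_digest(callback["state"], state):
        raise ValueError("state mismatch: possible CSRF")
    return server.token({
        "grant_type": "authorization_code",
        "code": callback["code"],
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": make_code_verifier() if wrong_verifier else verifier,
    })
```

The server deliberately refuses the plain code_challenge_method: with plain the challenge equals the verifier, so anyone who can read the authorization request can also redeem the code, which defeats the purpose of PKCE.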

15 of 22

Refresh token

    {
      "access_token": "SPFPQ5IBLB6DPE6FKPWHMIWW4MCRICX4M4KQXFQMI6THZXIEZ6QGNWNOERD6S7655LJAFWTRIKC4KGYO5G3XROMEOTBSS53CFSB6GIA",
      "refresh_token": "FL4GSVQS4W5CKSFRVZBLPIVZZJ2K4VIFPLGZ45SJGUQK4SS56IWPWACZ7V2B7OVLVKZCNK5JZSSW7CIHCNQJAO3TOUE3375108HHTLY",
      "token_type": "Bearer",
      "expires_in": "120"
    }

16 of 22

JWKS (JSON Web Key Set)

  • Microsoft
    • OpenID
    • JWKS

  • Google
    • JWKS

17 of 22

JSON Web Token Claims

  • iss (issuer): Issuer of the JWT
  • sub (subject): Subject of the JWT (the user)
  • aud (audience): Recipient for which the JWT is intended
  • exp (expiration time): Time after which the JWT expires
  • nbf (not before time): Time before which the JWT must not be accepted for processing
  • iat (issued at time): Time at which the JWT was issued; can be used to determine the age of the JWT
  • jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)
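The two preceding slides describe the two halves of accepting a JWT: picking the right key out of the issuer's JWKS, then checking the registered claims. The Python example below, added here and not taken from the deck, does both over a constructed key set and a constructed token. It assumes a JWKS made of symmetric "oct" keys so that it runs on the standard library alone (the published Microsoft and Google sets carry RSA and EC public keys, but the kid lookup, the use=sig filter, pinning alg to the key, and refusing alg "none" apply unchanged); the issuer, audience, key ids and the 60-second clock leeway are also assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS (hypothetical key ids and key material). The second key is an encryption key
# and must never be accepted for signature verification, whatever kid a token names.
JWKS = {"keys": [
    {"kty": "oct", "kid": "2024-01", "use": "sig", "alg": "HS256",
     "k": b64url_encode(b"constructed-signing-key-do-not-reuse")},
    {"kty": "oct", "kid": "2023-09", "use": "enc", "alg": "HS256",
     "k": b64url_encode(b"constructed-encryption-key")},
]}
ISSUER = "https://as.example"   # constructed
AUDIENCE = "api://orders"       # constructed


def select_key(jwks: dict, header: dict) -> dict:
    """Pick exactly one signing key by kid; the key's own alg decides, not the token header."""
    alg = header.get("alg")
    if not alg or alg.lower() == "none":
        raise ValueError("alg 'none' refused")
    kid = header.get("kid")
    if not kid:
        raise ValueError("header has no kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise ValueError(f"no unique signing key for kid {kid!r}")
    key = matches[0]
    if key.get("alg") != alg:
        raise ValueError("token alg does not match the key's alg")
    return key


def sign_hs256(key: dict, claims: dict) -> str:
    """Issuer side: build header.payload and MAC it (used here only to produce demo tokens)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    mac = hmac.new(b64url_decode(key["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str,
               seen_jti: set, now=None, leeway: int = 60) -> dict:
    """Relying-party side: signature first, then iss/aud/exp/nbf/iat, then jti single use."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    key = select_key(jwks, json.loads(b64url_decode(h64)))
    if key["kty"] != "oct":
        raise ValueError("this example verifies HS256 over 'oct' keys only")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # trusted only after the signature checks out

    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now < claims.get("nbf", now) - leeway:
        raise ValueError("token not yet valid")
    if claims.get("iat", now) > now + leeway:
        raise ValueError("token issued in the future")
    jti = claims.get("jti")
    if jti is not None:            # replay protection: each jti is honoured once
        if jti in seen_jti:
            raise ValueError("token replayed")
        seen_jti.add(jti)
    return claims


def demo_claims(now: float, **overrides) -> dict:
    """Constructed claim set for a token issued at `now` and valid for two minutes."""
    claims = {"iss": ISSUER, "sub": "user-42", "aud": AUDIENCE,
              "iat": int(now), "nbf": int(now), "exp": int(now) + 120, "jti": "c0ffee-1"}
    claims.update(overrides)
    return claims
```

The seen_jti set stands in for whatever store the relying party uses for replay detection; it has to be shared across instances and can be pruned of entries whose exp has passed, since an expired token fails the exp check before the jti check is reached.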

18 of 22

AMR and ACR

  • Authentication Method Reference
  • Authentication Context Class Reference

19 of 22

Key storage and isolation

20 of 22

PCI Isolation

21 of 22

HSM (Hardware Security Module)

22 of 22

Thank you