README.zxid-oauth-uma

README.zxid-oauth
#################

This file is for now just a todo list and OAuth related
specs study sheet. Eventually most information will
be merged to main documentation.

For UMA, see also notes-uma-2014

Adaptation to SAML2 Metadata
============================

authorization endpoint is expressed in SAML2 metadata as
IDPSSODescriptor/SingleSignOnService with
Binding="urn:zxid:OAUTH:2.0:bindings:HTTP-Redirect" (OAUTH2_REDIR)

redirect_uri is expressed in SAML2 metadata as
SPSSODescriptor/AssertionConsumerService with
Binding="urn:zxid:OAUTH:2.0:bindings:HTTP-Redirect" (OAUTH2_REDIR)

OAuth 2.0
=========

http://tools.ietf.org/html/draft-ietf-oauth-v2-22 (September 22, 2011)


1.2.  Protocol Flow


     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+


                     Figure 1: Abstract Protocol Flow



Hammer-Lahav, et al.     Expires March 25, 2012                 [Page 6]

 
Internet-Draft                  OAuth 2.0                 September 2011


   The abstract flow illustrated in Figure 1 describes the interaction
   between the four roles and includes the following steps:

   (A)  The client requests authorization from the resource owner.  The
        authorization request can be made directly to the resource owner
        (as shown), or preferably indirectly via the authorization
        server as an intermediary.
   (B)  The client receives an authorization grant which is a credential
        representing the resource owner's authorization, expressed using
        one of four grant types defined in this specification or using
        an extension grant type.  The authorization grant type depends
        on the method used by the client to request authorization and
        the types supported by the authorization server.
   (C)  The client requests an access token by authenticating with the
        authorization server and presenting the authorization grant.
   (D)  The authorization server authenticates the client and validates
        the authorization grant, and if valid issues an access token.
   (E)  The client requests the protected resource from the resource
        server and authenticates by presenting the access token.
   (F)  The resource server validates the access token, and if valid,
        serves the request.


  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+


               Figure 2: Refreshing an Expired Access Token

   The flow illustrated in Figure 2 includes the following steps:

   (A)  The client requests an access token by authenticating with the
        authorization server, and presenting an authorization grant.
   (B)  The authorization server authenticates the client and validates
        the authorization grant, and if valid issues an access token and
        a refresh token.
   (C)  The client makes a protected resource request to the resource
        server by presenting the access token.
   (D)  The resource server validates the access token, and if valid,
        serves the request.
   (E)  Steps (C) and (D) repeat until the access token expires.  If the
        client knows the access token expired, it skips to step (G),
        otherwise it makes another protected resource request.
   (F)  Since the access token is invalid, the resource server returns
        an invalid token error.
   (G)  The client requests a new access token by authenticating with
        the authorization server and presenting the refresh token.  The
        client authentication requirements are based on the client type
        and on the authorization server policies.
   (H)  The authorization server authenticates the client and validates
        the refresh token, and if valid issues a new access token (and
        optionally, a new refresh token).

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |         |
     |  Client |
     |         |
     +---------+
                       Figure 4: Implicit Grant Flow

   The flow illustrated in Figure 4 includes the following steps:

   (A)  The client initiates the flow by directing the resource owner's
        user-agent to the authorization endpoint.  The client includes
        its client identifier, requested scope, local state, and a
        redirection URI to which the authorization server will send the
        user-agent back once access is granted (or denied).
   (B)  The authorization server authenticates the resource owner (via
        the user-agent) and establishes whether the resource owner
        grants or denies the client's access request.
   (C)  Assuming the resource owner grants access, the authorization
        server redirects the user-agent back to the client using the
        redirection URI provided earlier.  The redirection URI includes
        the access token in the URI fragment.
   (D)  The user-agent follows the redirection instructions by making a
        request to the web-hosted client resource (which does not
        include the fragment).  The user-agent retains the fragment
        information locally.
   (E)  The web-hosted client resource returns a web page (typically an
        HTML document with an embedded script) capable of accessing the
        full redirection URI including the fragment retained by the
        user-agent, and extracting the access token (and other
        parameters) contained in the fragment.
   (F)  The user-agent executes the script provided by the web-hosted
        client resource locally, which extracts the access token and
        passes it to the client.



OpenID Connect 1.0 Support
==========================

http://openid.net/connect/

http://openid.net/specs/openid-connect-basic-1_0.html

OpenID Connect Basic Client 1.0 - draft 143.2.  Implicit Flow

The implicit flow consists of the following steps:

1. Client Prepares an Authorization Request containing the desired request parameters.
2. Client sends a request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server Obtains the End-User Consent/Authorization.
5. Authorization Server Sends the End-User back to the Client with an Access Token and ID Token.

ZXID Adaptation Plan (todo)
===========================

1.  Add to metadata possibility of specifying Authorization Endpoint (pr_ix=6)
2.  Add to IdP button generation this possibility
3.  Add to zxid_simple() interpretation of pr_ix=6


UMA Resource Access

--Sampo