OAuth - Don’t Throw the Baby Out with the Bathwater

Aug 02, 2012


Upload Details: Uploaded via SlideShare as Microsoft PowerPoint

Usage Rights: CC Attribution License

Comments (5)

  • gbrail @kalsze 'Credentials' is a more generic term. In other words, a username / password is a subset of 'credentials.'

    I don't actually remember exactly how we used the term in the webinar, but it actually could make a difference.

    For instance, the 'authorization code' grant type redirects the user to a web page, where the user is required to authenticate. It's up to the web page, so the page can choose any 'credentials' it wants to use, including username / password, SSL cert, rolling security token (like Google Authenticator or SecurID), etc.

    On the other hand, OAuth 2.0 also has the 'resource owner password credentials' grant type, which, like its name implies, allows the client to make an API call to the server that includes a username and password, and returns a token.
    1 year ago
  • Kal Sze (kalsze) On slide 15, in the column 'What You Need', what's the difference between 'End-user credentials' and 'End-user username / password'?
    1 year ago
  • gbrail I don't think that refresh tokens add any security -- the client still has to store them securely and can use a refresh token to get an access token with no additional authentication. So it's the same as an access token on the wire, and on the client, from that perspective.

    The main purpose of the refresh token was to allow OAuth implementations to have a separate tier in their architecture that validates and caches access tokens in a very dumb way, and then delegate user authentication to a separate server.

    So to accomplish this, which can make things easier for the API provider, the API users (the developers) need to track token expiration, use their refresh token to get a new token before the access token expires, and coordinate all that so that it doesn't impact the flow of API traffic from their client.

    I personally think that a better approach is to set an expiration time on access tokens that works for your security policy depending on what you're trying to do, and periodically re-authenticate the user.
    1 year ago
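The client-side token handling that the comment above describes (track expiry, refresh before the access token expires without blocking API traffic, and fall back to re-authenticating the user), together with the 'resource owner password credentials' grant mentioned in the reply to kalsze, as an added example in Python. This is not code from the webinar or from Apigee. The in-memory token endpoint, the user 'alice' and her password, the 300 second token lifetime and the 30 second refresh margin are all constructed assumptions so that the example runs offline; a real client would POST the same parameters to the authorization server's token endpoint over TLS.

```python
"""Added example: proactive refresh-token handling for an OAuth 2.0 client.

The token endpoint below is a constructed stand-in (not a real server) that
implements only the 'password' and 'refresh_token' grant types. Refresh
tokens are single-use (rotated on every refresh) and can be revoked.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REFRESH_MARGIN = 30  # seconds before expiry at which we refresh (assumption)


class FakeTokenEndpoint:
    """Constructed in-memory token endpoint; user and password are made up."""

    def __init__(self, access_ttl: int = 300) -> None:
        self.access_ttl = access_ttl
        self.users = {"alice": "correct horse battery staple"}  # constructed
        self.refresh_tokens: Dict[str, str] = {}  # refresh token -> username

    def post(self, params: Dict[str, str]) -> Dict[str, object]:
        grant = params.get("grant_type")
        if grant == "password":  # resource owner password credentials grant
            user = params.get("username", "")
            if self.users.get(user) != params.get("password"):
                return {"error": "invalid_grant"}
        elif grant == "refresh_token":
            # pop() makes the refresh token single-use; unknown or revoked -> error
            user = self.refresh_tokens.pop(params.get("refresh_token", ""), None)
            if user is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = user
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def revoke_all_refresh_tokens(self) -> None:
        """Simulate a server-side logout or policy change."""
        self.refresh_tokens.clear()


@dataclass
class Token:
    access: str
    refresh: str
    expires_at: float


class TokenManager:
    """Keeps one access token valid; bearer() is called before every API request."""

    def __init__(self, post_token: Callable[[Dict[str, str]], Dict[str, object]],
                 user_credentials: Callable[[], Dict[str, str]],
                 clock: Callable[[], float] = time.time,
                 margin: int = REFRESH_MARGIN) -> None:
        self._post = post_token
        self._credentials = user_credentials  # would re-prompt the user in a real client
        self._clock = clock
        self._margin = margin
        self._token: Optional[Token] = None
        self.refreshes = 0
        self.reauths = 0

    def _store(self, resp: Dict[str, object]) -> None:
        self._token = Token(str(resp["access_token"]), str(resp["refresh_token"]),
                            self._clock() + float(resp["expires_in"]))

    def _reauthenticate(self) -> None:
        resp = self._post(self._credentials())
        if "access_token" not in resp:
            raise PermissionError(f"authentication failed: {resp.get('error')}")
        self._store(resp)
        self.reauths += 1

    def bearer(self) -> str:
        """Return an Authorization header value, refreshing or re-authing as needed."""
        tok = self._token
        if tok is None:
            self._reauthenticate()
        elif self._clock() >= tok.expires_at - self._margin:
            # Inside the margin: refresh now so no API call ever hits an expired token
            resp = self._post({"grant_type": "refresh_token", "refresh_token": tok.refresh})
            if "access_token" in resp:
                self._store(resp)
                self.refreshes += 1
            else:
                # Refresh token rejected (expired, revoked, reused): the user must log in again
                self._reauthenticate()
        assert self._token is not None
        return "Bearer " + self._token.access


def simulate() -> Dict[str, object]:
    """Drive the manager with a fake clock and report what happened at each step."""
    clock = [1_000_000.0]
    server = FakeTokenEndpoint(access_ttl=300)
    creds = lambda: {"grant_type": "password", "username": "alice",
                     "password": "correct horse battery staple"}
    tm = TokenManager(server.post, creds, clock=lambda: clock[0], margin=30)
    first = tm.bearer()        # no token yet: password grant
    clock[0] += 200            # 200 s in: outside the margin, no request made
    cached = tm.bearer()
    clock[0] += 80             # 280 s in: inside the 30 s margin, refresh
    refreshed = tm.bearer()
    server.revoke_all_refresh_tokens()
    clock[0] += 300            # access token expired and refresh token dead
    reauthed = tm.bearer()
    return {"reused_cached": first == cached,
            "refreshed_before_expiry": refreshed != first,
            "reauthed_after_revocation": reauthed != refreshed,
            "refreshes": tm.refreshes, "reauths": tm.reauths}


if __name__ == "__main__":
    print(simulate())
```

Note that nothing here changes what the comment says about security: whoever holds the refresh token gets a new access token with no further authentication, so the client must protect it exactly as it protects the access token. What the margin buys is operational, not security: API calls never carry a token that is about to expire, and the one call to the token endpoint happens off the hot path.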
  • Apigee (apigee) [embedded video] http://www.youtube.com/embed/a2Et0bAK8kE
    1 year ago
  • Maarten Balliauw (maartenba), Technical Consultant at RealDolmen Quick question: why do you advise on not using refresh tokens?
    1 year ago

Presentation Transcript