Is that a token in your phone in your pocket or are you just glad to see me?
(the presentation formerly known as Securing Your Pocket to the Cloud)
OAuth 2.0 and Mobile Devices

Brian Campbell
@weeUnquietMind
Agenda
• Intro
• Quick overview of OAuth
• Social logins, mobile apps, the problem and how OAuth can help
• An abstract OAuth exchange and some terminology
• A detailed OAuth flow with a mobile client
    • HTTP exchanges
    • Code and configuration snippets for Android and iOS
• Q&A
Who the hell is this guy anyway?
@weeUnquietMind

As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Disclaimer & Credits
• I primarily do server side development
• Some content and jokes were "borrowed" from my esteemed colleague, Dr. Paul Madsen
    • Because "plagiarism" is such a nasty word
• Quick Reference
    • Any content you find humorous or insightful is mine
    • If you think something's dumb and/or you're offended by it, it's Paul's
        • Hate mail to @paulmadsen
• Also thanks to Scott Tomilson for many examples
    • He needs more followers @scotttomilson
    • As do I…
Bad Idea Jeans
• ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password.
• What could possibly go wrong?
Why so bad?
(The Password Sharing Anti-Pattern)
• Requesting sites and apps store the passwords
• Hosting sites get locked into password authentication
• Users get trained to be indiscriminate with their passwords
• The hosting site is not involved in the authorization step
• No support for granular permissions
• No easy way to revoke access
• Changing password (good security hygiene) revokes access to all
Enter OAuth
• Delegated authorization protocol
    • Mitigates password anti-pattern
    • Web and Native
• OAuth is your valet key to the Interwebs
    • (Anyone actually drive a car with a valet key?)
• Standard way to provide a 'key' to a third-party which allows only limited access to perform specific functions
    • Without divulging credentials to the third-party
    • Access grant is revocable
    • Scope of the access grant can be constrained
• An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.
• An authorization & authentication framework for RESTful APIs (& more)
Some Historical Context
• Proprietary Solutions
    • Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more
• OAuth 1.0 in late 2007
• Informational RFC 5849 in mid 2010
• OAuth WRAP (Web Resource Authorization Profiles) also in 2010
• OAuth 2.0 in the final stages of IETF standardization
Premise: All the Cool Sites are Doing It
• Social Logins
    • Less friction
    • Better conversion rates
    • Outsources authentication and (some) security
    • Starting to become a user expectation
• Mobile Apps
    • You're at Gluecon so you may have already gotten the memo that mobility is a thing
    • Anyone heard of this Instagram thing?
    • Damn kids today!
        • No distinction: computing is mobile
        • BYMODD
Social & Mobile - So What?
• Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication
• But what if you're relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?
• You could…
    • or not…
OAuth Can Help
• OAuth offers a standard way to use social logins with mobile applications
• Leverage existing (and future) investment in browser based authentication for use with mobile applications
Aside: Mobile Application Continuum
[Diagram: a continuum from Web Applications to Native Applications. Web applications: a Web Server hosts the Web App and serves HTML/JS/CSS to a Mobile Web Page running in the Browser on the Mobile Device. Native applications: a Web Server exposes JSON/XML APIs consumed by a Native App on the Mobile Device. Hybrid Approaches sit in between.]
Skinning the Cat
• Open source libraries
• Commercial solutions
• Android Account Manager
• Do It Yourself

• Examples herein are DIY and native
    • Completeness, timeliness, neutrality
    • One stated design goal for OAuth v2.0 was simplification of the client
Basic Abstract Flow
[Diagram: the Client exchanging messages with an Authorization Server and a Resource Server]
• client: An application obtaining authorization and making protected resource requests.
    • Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests.
    • Protected APIs
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

A few other protocol terms
• Access token (AT) – Presented by the client when accessing protected resources at the RS
• Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
• Token endpoint – used for direct client to AS communication
• Authorization Code – One time code issued by an AS to be exchanged for an AT.
Concrete Flow
[Diagram: Native App and Browser on the Device; Authorization Endpoint and Token Endpoint in the Cloud; the numbered arrows correspond to the steps below]
① Client app initiates authorization request
② End-user authenticates and approves the requested access
③ Server returns control to the app and includes an authorization code
④ The authorization code is traded for access token (and refresh token)
⑤ Protected APIs invoked using the access token
Request Authorization
[Diagram: step 1, the Native App opens the device's Browser at the Authorization Endpoint]
• When the user first needs to access some protected resource, the client opens a browser and sends the user to the authorization endpoint

https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status

Android:
// Hand the authorization request URL to the system browser
Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
startActivity(launchBrowser);

iOS:
// Same thing on iOS: open the authorization request URL in Safari
NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
Authenticate and Approve
[Diagram: step 2, the user in the Browser at the Authorization Endpoint]
• The AS authenticates the user
    • Directly
    • Indirectly via Facebook, Twitter, Google, Yahoo, etc.
Approve
[Diagram: step 2, continued, in the Browser at the Authorization Endpoint]
• User approves the requested access
Handle Callback
[Diagram: step 3, the Browser is redirected back to the Native App]
• Server returns control to the app via HTTP redirection and includes an authorization code

HTTP/1.1 302 Found
Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
Handle Callback (cont'd)
[Diagram: step 3, the Browser is redirected back to the Native App]
• Registering a custom URI scheme

In AndroidManifest.xml file:
<activity android:name=".MyAppCallback" … >
  <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="x-com.mycorp.myapp" />
  </intent-filter>
</activity>

// In the MyAppCallback activity: read the code from the URI that launched it
String authzCode = getIntent().getData().getQueryParameter("code");
Handle Callback (cont'd)
[Diagram: step 3, the Browser is redirected back to the Native App]
• Registering a custom URI scheme

In app info plist file:

// The app delegate receives the callback URL; pull the code out of its query string
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
    NSString *queryString = [url query];
    NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
    for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
        NSArray *elts = [param componentsSeparatedByString:@"="];
        if ([elts count] < 2) continue;
        // Percent-decode the value before storing it under its parameter name
        NSString *value = [[elts objectAtIndex:1] stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
        [qsParms setObject:value forKey:[elts objectAtIndex:0]];
    }

    NSString *code = [qsParms objectForKey:@"code"];
...
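The same callback handling in Python, as an added example that is not from the slides: it percent-decodes the parameters (a bare split on "=" would mangle a code containing "=" or "%"), checks that the URL really is the registered x-com.mycorp.myapp://oauth.callback target before trusting anything in it, and recognises the error response an AS sends instead of a code (the error parameter of RFC 6749, which the slides do not show). CallbackError and code_or_none are names chosen here.

```python
from urllib.parse import parse_qs, urlsplit

# The custom scheme and host registered for the app on the slides
CALLBACK_SCHEME = "x-com.mycorp.myapp"
CALLBACK_HOST = "oauth.callback"


class CallbackError(Exception):
    """The callback URL does not carry a usable authorization code."""


def extract_authz_code(callback_url: str) -> str:
    """Return the authorization code from the URL the browser handed to the app.

    Checks the URL is really the registered callback (not some other URL the
    browser opened), rejects an AS error response (error=..., RFC 6749 4.1.2.1),
    and percent-decodes the code so values containing '=' or '%' survive, which
    a naive split on '=' would not.
    """
    parts = urlsplit(callback_url)
    if parts.scheme != CALLBACK_SCHEME or parts.netloc != CALLBACK_HOST:
        raise CallbackError("unexpected callback target: %s://%s" % (parts.scheme, parts.netloc))
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        # The AS declined to issue a code, e.g. the user did not approve the access
        raise CallbackError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("callback carries no single authorization code")
    return codes[0]


def code_or_none(callback_url: str):
    """Convenience wrapper returning the code, or None when the callback is unusable."""
    try:
        return extract_authz_code(callback_url)
    except CallbackError:
        return None
```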
Trade Code for Token(s)
[Diagram: step 4, the Native App calls the Token Endpoint directly]

Token Endpoint Request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

Token Endpoint Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
 "token_type":"Bearer",
 "expires_in":3600,
 "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
 "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
}
Using an Access Token
[Diagram: step 5, the Native App calls the Resource Server directly]
• Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header

POST /api/update-status HTTP/1.1
Host: rs.example.com
Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

status=Almost%20done.

iOS:
// Build the bearer Authorization header value from the stored access token
NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];

NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
[request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
[request setValue:authzHeader forHTTPHeaderField:@"Authorization"];

Android:
// Same header on the Apache HttpClient request
DefaultHttpClient httpClient = new DefaultHttpClient();
HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
post.setHeader("Authorization", "Bearer " + accessToken);
If All Goes well,
HTTP/1.1 200 OK

And If not,
• HTTP 401/403
• Use refresh token to get a new access token

POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
 "token_type":"Bearer",
 "expires_in":3600,
 "access_token":"G8RTS98dQ9CpLoaH7P3V41MzW1q0"
}

• And if that doesn't work, initiate the authorization request flow again
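The client side of steps 4 and 5 together with the "if not" branch above, as an added example that is not from the slides: exchange the code, call the API with the bearer token, refresh on 401/403, and signal that the authorization request must be started again when the refresh token is rejected. FakeCloud is a constructed in-memory stand-in for as.example.com and rs.example.com so the block runs offline; the tokens it mints are random rather than the values on the slides, and every class and method name here is this example's own.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Values from the slides
CLIENT_ID = "myapp"
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"
API_ENDPOINT = "https://rs.example.com/api/update-status"


class FakeCloud:
    """Constructed in-memory stand-in for the AS token endpoint and the RS API."""
    def __init__(self):
        self.codes = {"SplxlOBeZQQYbYS6WxSbIA"}  # authorization codes issued in step 3
        self.access = {}                           # access token -> still valid?
        self.refresh = set()                       # live refresh tokens
        self.posted = []                           # status updates the RS accepted

    def _issue(self, with_refresh):
        body = {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(21)}
        self.access[body["access_token"]] = True
        if with_refresh:
            body["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh.add(body["refresh_token"])
        return 200, json.dumps(body)

    def expire(self, access_token):          # simulate expires_in running out
        self.access[access_token] = False

    def revoke_refresh(self, refresh_token):  # simulate the grant being revoked
        self.refresh.discard(refresh_token)

    def post(self, url, headers, body):
        """Answer a POST the way the two endpoints on the slides would."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if url == TOKEN_ENDPOINT:
            grant = form.get("grant_type")
            if grant == "authorization_code" and form.get("client_id") == CLIENT_ID:
                if form.get("code") not in self.codes:
                    return 400, json.dumps({"error": "invalid_grant"})
                self.codes.discard(form["code"])  # a code is good for one exchange only
                return self._issue(with_refresh=True)
            if grant == "refresh_token":
                if form.get("refresh_token") not in self.refresh:
                    return 400, json.dumps({"error": "invalid_grant"})
                return self._issue(with_refresh=False)
            return 400, json.dumps({"error": "invalid_request"})
        if url == API_ENDPOINT:
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
            if not self.access.get(token):
                return 401, ""  # missing, unknown or expired access token
            self.posted.append(form.get("status"))
            return 200, ""
        return 404, ""


class ReauthorizationRequired(Exception):
    """Neither token is usable any more: send the user through step 1 again."""


class OAuthClient:
    def __init__(self, transport):
        self.transport = transport  # anything with post(url, headers, body) -> (status, body)
        self.access_token = None
        self.refresh_token = None

    def _token_request(self, form):
        hdrs = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
        status, body = self.transport.post(TOKEN_ENDPOINT, hdrs, urlencode(form))
        if status != 200:
            return False
        tokens = json.loads(body)
        self.access_token = tokens["access_token"]
        # A refresh response may omit refresh_token, as on the slide: keep the old one
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        return True

    def exchange_code(self, code):
        """Step 4: trade the authorization code for an access (and refresh) token."""
        return self._token_request({"client_id": CLIENT_ID,
                                    "grant_type": "authorization_code", "code": code})

    def update_status(self, status):
        """Step 5: call the protected API; on 401/403 refresh once and retry."""
        if not self.access_token:
            raise ReauthorizationRequired("no access token yet")
        for attempt in range(2):
            code, _ = self.transport.post(
                API_ENDPOINT, {"Authorization": "Bearer " + self.access_token},
                urlencode({"status": status}))
            if code == 200:
                return True
            if code not in (401, 403) or attempt == 1:
                return False
            # Access token rejected: get a fresh one with the refresh token, or give up
            if not self.refresh_token or not self._token_request(
                    {"grant_type": "refresh_token", "refresh_token": self.refresh_token}):
                raise ReauthorizationRequired("refresh failed; start the flow again")
```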
Thanks! (and time permitting)

Questions?
(there are no stupid questions, only stupid answers and I'm tremendously qualified to deliver such answers)

Brian Campbell
@weeUnquietMind
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or are you just glad to see me?

  • 1. Is that a token in your phone in your pocket or are you just glad to see me? (the presentation formerly known as Securing Your Pocket to the Cloud) OAuth 2.0 and Mobile Devices Brian Campbell @weeUnquietMind
  • 2. Agenda  Intro  Quick overview of OAuth  Social logins, mobile apps, the problem and how OAuth can help  An abstract OAuth exchange and some terminology  A detailed OAuth flow with a mobile client  HTTP exchanges  Code and configuration snippets for Android and iOS  Q&A
  • 3. Who the hell is this guy anyway? @weeUnquietMind As Senior Architect for Ping Identity, Brian Campbell aspires to one day know what a Senior Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 and JOSE within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
  • 4. Disclaimer & Credits  I primarily do server side development  Some content and jokes were “borrowed” from my esteemed colleague, Dr. Paul Madsen  Because “plagiarism” is such a nasty word  Quick Reference  Any content you find humorous or insightful is mine  If you think something's dumb and/or you're offended by it, it's Paul's  Hate mail to @paulmadsen  Also thanks to Scott Tomilson for many examples  He needs more followers @scotttomilson  As do I…
  • 5. Bad Idea Jeans  ESPN and Facebook are offering to import your friends' email addresses from your web email provider. How nice! And all you have to give them is your username and password.  What could possibly go wrong?
  • 6. Why so bad? (The Password Sharing Anti-Pattern)  Requesting sites and apps store the passwords  Hosting sites get locked into password authentication  Users get trained to be indiscriminate with their passwords  The hosting site is not involved in the authorization step  No support for granular permissions  No easy way to revoke access  Changing password (good security hygiene) revokes access to all
  • 7. Enter OAuth  Delegated authorization protocol  Mitigates password anti-pattern  Web and Native  OAuth is your valet key to the Interwebs  (Anyone actually drive a car with a valet key?)  Standard way to provide a 'key' to a third-party which allows only limited access to perform specific functions  Without divulging credentials to the third-party  Access grant is revocable  Scope of the access grant can be constrained  An open protocol to allow secure API authorization in a simple and standard method from desktop, mobile and web applications.  An authorization & authentication framework for RESTful APIs (& more)
  • 8. Some Historical Context  Proprietary Solutions  Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, AWS API, and more  OAuth 1.0 in late 2007  Informational RFC 5849 in mid 2010  OAuth WRAP (Web Resource Authorization Profiles) also in 2010  OAuth 2.0 in the final stages of IETF standardization
  • 9. Premise: All the Cool Sites are Doing It • Social Logins • Less friction • Better conversion rates • Outsources authentication and (some) security • Starting to become a user expectation • Mobile Apps • You're at Gluecon so you may have already gotten the memo that mobility is a thing • Anyone heard of this Instagram thing? • Damn kids today! • No distinction: computing is mobile • BYMODD
  • 10. Social & Mobile - So What?  Back in the day, your mobile app could collect a username and password and then access protected APIs using HTTP Basic Authentication  But what if you're relying on Facebook, Twitter, Google, Yahoo, etc. to authenticate your users?  You could…  or not…
  • 11. OAuth Can Help  OAuth offers a standard way to use social logins with mobile applications  Leverage existing (and future) investment in browser based authentication for use with mobile applications
  • 12. Aside: Mobile Application Continuum [Diagram: a continuum from Web Applications (web server delivering HTML/JS/CSS to a mobile web page in the device browser), through Hybrid Approaches, to Native Applications (web server delivering JSON/XML to a native app on the mobile device)]
  • 13. Skinning the Cat  Open source libraries  Commercial solutions  Android Account Manager  Do It Yourself  Examples herein are DIY and native  Completeness, timeliness, neutrality  One stated design goal for OAuth v2.0 was simplification of the client
  • 14. Basic Abstract Flow
    [Diagram: Client, Authorization Server and Resource Server]
     client: An application obtaining authorization and making protected resource requests.
       Native app on mobile device
     resource server (RS): A server capable of accepting and responding to protected resource requests.
       Protected APIs
     authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
    A few other protocol terms
    • Access token (AT) – Presented by the client when accessing protected resources at the RS
    • Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
    • Scope – A permission (or set of permissions) defined by the AS/RS
    • Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
    • Token endpoint – used for direct client to AS communication
    • Authorization Code – One time code issued by an AS to be exchanged for an AT.
  • 15. Concrete Flow
    [Diagram: Cloud (Authorization Endpoint, Token Endpoint) and Device (Browser, Native App), with steps 1–5 drawn between them]
    ① Client app initiates authorization request
    ② End-user authenticates and approves the requested access
    ③ Server returns control to the app and includes an authorization code
    ④ The authorization code is traded for access token (and refresh token)
    ⑤ Protected APIs invoked using the access token
  • 16. Request Authorization
    [Diagram: step 1, the native app on the device opens the browser to the authorization endpoint in the cloud]
     When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint
    https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
    Android:
    Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
    Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
    startActivity(launchBrowser);
    iOS:
    NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
    [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
  • 17. Authenticate and Approve
    [Diagram: step 2, in the device browser against the authorization endpoint]
     The AS authenticates the user
       Directly
       Indirectly via Facebook, Twitter, Google, Yahoo, etc.
  • 18. Approve
    [Diagram: step 2, in the device browser against the authorization endpoint]
     User approves the requested access
  • 19. Handle Callback
    [Diagram: step 3, the browser redirects back to the native app on the device]
    Server returns control to the app via HTTP redirection and includes an authorization code
    HTTP/1.1 302 Found
    Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIA
  • 20. Handle Callback (cont'd)
    [Diagram: step 3, browser to native app]
    Registering a custom URI scheme
    In AndroidManifest.xml file:
    <activity android:name=".MyAppCallback" … >
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="x-com.mycorp.myapp" />
      </intent-filter>
    </activity>
    String authzCode = getIntent().getData().getQueryParameter("code");
  • 21. Handle Callback (cont'd)
    [Diagram: step 3, browser to native app]
    Registering a custom URI scheme
    In app info plist file:
    - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
        NSString *queryString = [url query];
        NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
        for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
            NSArray *elts = [param componentsSeparatedByString:@"="];
            if ([elts count] < 2) continue;
            [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
        }
        NSString *code = [qsParms objectForKey:@"code"];
        ...
  • 22. Trade Code for Token(s)
    [Diagram: step 4, the native app talks directly to the token endpoint]
    Token Endpoint Request
    POST /as/token.oauth2 HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    Token Endpoint Response
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "token_type":"Bearer",
      "expires_in":3600,
      "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS",
      "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8"
    }
  • 23. Using an Access Token
    [Diagram: step 5, the native app calls the resource server]
     Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in the HTTP Authorization header
    POST /api/update-status HTTP/1.1
    Host: rs.example.com
    Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    status=Almost%20done.
    iOS:
    NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
    NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
    [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
    [request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
    Android:
    DefaultHttpClient httpClient = new DefaultHttpClient();
    HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
    post.setHeader("Authorization", "Bearer " + accessToken);
  • 24. If All Goes well, HTTP/1.1 200 OK
  • 25. And If not,
     HTTP 401/403
     Use refresh token to get a new access token
    POST /as/token.oauth2 HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    grant_type=refresh_token&refresh_token=uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "token_type":"Bearer",
      "expires_in":3600,
      "access_token":"G8RTS98dQ9CpLoaH7P3V41MzW1q0"
    }
     And if that doesn't work, initiate the authorization request flow again
  • 26. Thanks! (and time permitting) Questions? (there are no stupid questions, only stupid answers and I'm tremendously qualified to deliver such answers) Brian Campbell @weeUnquietMind
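The whole client-side exchange from slides 16 through 25 (authorization URL, custom-scheme callback parsing, code-for-token at the token endpoint, bearer call to the RS, refresh on 401, and restarting authorization when the refresh is refused), as an added Python example that is not part of the deck's own Android or iOS code. The endpoints, client_id, scope, callback scheme and one-time code are the slides' values; the in-memory FakeServer, the AT1/RT1 token values and the per-token use counter are constructed stand-ins for as.example.com and rs.example.com so the flow runs offline.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint, client_id, scope and callback scheme are the ones on the slides.
AS_BASE = "https://as.example.com/as"
CLIENT_ID = "myapp"
CALLBACK_SCHEME = "x-com.mycorp.myapp"

def authorization_url(scope="update_status"):
    """Step 1: the URL the native app hands to the system browser."""
    q = urlencode({"client_id": CLIENT_ID, "response_type": "code", "scope": scope})
    return f"{AS_BASE}/authorization.oauth2?{q}"

def code_from_callback(uri):
    """Step 3: pull the authorization code out of the custom-scheme redirect."""
    parts = urlsplit(uri)
    if parts.scheme != CALLBACK_SCHEME:
        raise ValueError("redirect did not use the registered scheme")
    codes = parse_qs(parts.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

class ReauthorizationRequired(Exception):
    """The AS rejected the code or refresh token: start again at step 1."""

class FakeServer:
    """Constructed offline stand-in for the AS and RS; each access token is
    good for `uses` API calls, after which the RS answers 401 (slide 25)."""
    def __init__(self, uses=1):
        self.uses, self.issued = uses, 0
        self.codes = {"SplxlOBeZQQYbYS6WxSbIA"}   # one-time code from slide 19
        self.access, self.refresh = {}, set()     # AT -> uses left; live RTs
    def _issue(self, with_refresh):
        self.issued += 1
        at = f"AT{self.issued}"                   # constructed token values
        self.access[at] = self.uses
        body = {"token_type": "Bearer", "expires_in": 3600, "access_token": at}
        if with_refresh:
            body["refresh_token"] = f"RT{self.issued}"
            self.refresh.add(body["refresh_token"])
        return 200, json.dumps(body)
    def token_endpoint(self, form):
        """Step 4 and slide 25: POST /as/token.oauth2 with a form-encoded body."""
        p = parse_qs(form)
        grant = p.get("grant_type", [None])[0]
        if grant == "authorization_code" and p.get("client_id") == [CLIENT_ID]:
            code = p.get("code", [None])[0]
            if code in self.codes:
                self.codes.discard(code)          # a code may be redeemed once
                return self._issue(with_refresh=True)
        elif grant == "refresh_token":
            if p.get("refresh_token", [None])[0] in self.refresh:
                return self._issue(with_refresh=False)   # slide 25: no new RT
        return 400, json.dumps({"error": "invalid_grant"})
    def resource_server(self, authorization_header):
        scheme, _, at = authorization_header.partition(" ")   # step 5: bearer check
        if scheme == "Bearer" and self.access.get(at, 0) > 0:
            self.access[at] -= 1
            return 200
        return 401

class MobileClient:
    def __init__(self, server):
        self.server, self.access_token, self.refresh_token = server, None, None
    def _token_call(self, **params):
        status, body = self.server.token_endpoint(urlencode(params))
        if status != 200:
            raise ReauthorizationRequired(body)
        t = json.loads(body)
        self.access_token = t["access_token"]
        self.refresh_token = t.get("refresh_token", self.refresh_token)
    def exchange_code(self, code):
        self._token_call(client_id=CLIENT_ID, grant_type="authorization_code", code=code)
    def update_status(self):
        """Step 5; on 401 refresh once and retry, else give up (slide 25)."""
        for _ in range(2):
            if self.server.resource_server(f"Bearer {self.access_token}") == 200:
                return True
            self._token_call(grant_type="refresh_token", refresh_token=self.refresh_token)
        return False
```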