OAuth - Alex Bilbie


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Good morning, today I’m going to be talking to you about Open Authorisation (or OAuth)
  • My name is Alex Bilbie, and I’m a developer working at the University of Lincoln. So can I ask who here knows anything about OAuth?
  • Okay, well for those who don’t I’ll try and explain it over with a story and its use case. I’ll also try to introduce some of the OAuth terminology
  • So I’m a user
  • So as a user how can I authorise
  • I could give my username and password to the client and then it could use direct basic or digest auth, or there could be some sort of handshake protocol
  • But what if the client was actually a nefarious application - giving your username and password to a third party is a security risk, and you’ve also got a problem when you change your password on Twitter, you have to go and change all the passwords on any clients you’ve given it to
  • So what is a better alternative?
  • OAuth =)
  • So what is OAuth, well I think the official website sums it up nicely. “ OAuth is an open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications .”
  • OAuth enables something I’ve called the love triangle to exist
  • So basically OAuth is a protocol that allows a user to authorise a client to make use of resources that the user owns on a resource server. If you’ve ever signed into Facebook or Twitter from a third party website then you will have seen a screen that says something like “Some application would like to connect to your Facebook profile and would like to know your name, your birthday and your email address”
  • OAuth is a standard that has gone through the Internet Engineering Task Force ratification process.
  • The current stable version is 1.0a which was finalised in April 2010. It’s version ‘a’ because there was a small alteration made very shortly after it was originally finalised that fixed a minor security vulnerability. Implementation was slow because at the time there were some other protocols being thrown around like OpenID. Twitter was probably the biggest proponent of OAuth.
  • Over the past year work on version 2.0 of the specification has been going on and it’s almost finished. When Facebook launched their open graph API it was the first API to make use of this version.
  • So, who is using OAuth?
  • Well, just a few small players on the Internet...
  • Most of these guys started off with v1.0a, but because version 2 is a much more simpler protocol (and despite it not yet being finished) many have already implemented it
  • I did a bit of googling and it looks like there are currently only three HEIs playing with OAuth
  • At Lincoln, we’ve invested a fair bit in it
  • OAuth - Alex Bilbie

    1. 2. Alex Bilbie University of Lincoln @alexbilbie @alexbilbie @alexbilbie @alexbilbie
    2. 3. Story time!
    3. 4. I’m a user of a web service
    4. 5. I own resources on the web service
    5. 6. For example, personal details
    6. 8. These resources 1 are stored on a resource server 2 1. personal details 2. facebook.com
    7. 9. The resource server exposes user resources over an API
    8. 10. I visit a 3rd party web application
    9. 11. The 3rd party web app is called a client
    10. 12. The client 1 wants to use my resources 2 1. 3rd party web app 2. personal details
    11. 13. But the resource server’s API requires user authorisation
    12. 14. How?
    13. 15. Give the client my password
    14. 16. Give the client my password
    15. 17. So what then?
    16. 18. OAuth
    17. 19. “ An open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.” oauth.net oauth.net
    18. 20. ♥ ▲
    19. 21. User Client Resources Owns Accesses OWNS OWNS OWNS Authorises
    20. 22. The flow
    21. 23. User clicks “sign in” in the client application
    22. 25. The user is redirected to the resource server and asked to sign in
    23. 27. GET /authorise?response_type=code& client_id=12345 & redirect_uri=http://client.tld/redirect & scope=name,email,birthday HTTP/1.1 Host: resource-server.tld
    24. 28. The resource server clearly tells the user the specific data the client wants to access
    25. 30. User authorises the application and is redirected back to client with a authorisation code in the query string
    26. 31. HTTP/1.1 302 Found Location: http://client.tld/redirect? code=78dsf9sudfo9s
    27. 32. Client exchanges the authorisation code for an access token
    28. 33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s & client_id=12345 & client_secret=12345 & redirect_uri= http://client.tld/redirect
    29. 34. <ul><ul><li>HTTP/1.1 200 OK </li></ul></ul><ul><ul><li>Content-type: application/json </li></ul></ul><ul><ul><li>{ </li></ul></ul><ul><ul><ul><li>access_token: “aLKJHskjhda8s13jsi9sis”, </li></ul></ul></ul><ul><ul><ul><li>valid_until: 1320759526 </li></ul></ul></ul><ul><ul><ul><li>} </li></ul></ul></ul>
    30. 35. The access token can then be used as authorisation by the client to access the specified resources for a specific length of time
    31. 36. Advantages
    32. 37. No password sharing <- Happy security conscious user
    33. 38. Developers just need to implement a redirect and a POST request <- Happy developers
    34. 39. Users can revoke access tokens for specific clients
    35. 41. Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately
    36. 44. Currently version 1.0a lncn.eu/giy lncn.eu/giy lncn.eu/giy
    37. 45. Version 2.0 is almost finished lncn.eu/bkw lncn.eu/bkw lncn.eu/bkw lncn.eu/bkw
    38. 46. OAuth 2.0 <ul><li>Simpler </li></ul><ul><li>Requires all communication over SSL </li></ul><ul><li>New flows </li></ul><ul><li>Better UX </li></ul>
    39. 47. Who’s using OAuth ?
    40. 49. v1.0a and v2.0 v1.0a v1.0a v2.0 (prev v1.0a) v2.0 v2.0 (prev v1.0a) v2.0 (prev v1.0a) v2.0
    41. 50. And in HE ?
    42. 54. data.lincoln.ac.uk people energy location energy energy energy printing events calendars bibliographic documents
    43. 55. Internal and external authorisation authorisation
    44. 56. Single Sign-On
    45. 57. Blackboard (SAML) Zendesk (SAML) Get Satisfaction (OAuth) WordPress (OAuth) Exchange (ADFS) Sharepoint (ADFS) Gmail (SAML) + OAuth clients (internal + external)
    46. 58. Open source 2.0 server lncn.eu/ar6 lncn.eu/ar6
    47. 59. Any questions ?
    48. 60. Thank you @alexbilbie @alexbilbie @alexbilbie