OAuth: Mash-ups and Privacy Elise Huard @BarcampGhent 29/03/2007 [email_address]

Elise Huard @BarcampGhent

29/03/2007

[email_address]

Facebook contacts

Twitter contacts

LinkedIn contacts

So ... To share our list of contacts We ALSO give authorization to: Browse our mail Send mail in our name Delete mail ... Oauth is an answer to this.

To share our list of contacts

We ALSO give authorization to:

Browse our mail

Send mail in our name

Delete mail ...

Oauth is an answer to this.

OAuth Consumer site asks the service provider to give read-only access to chosen resources.

Consumer site asks the service provider to give read-only access to chosen resources.

Summary Introduction Brief History How does it work Implementation Resources Conclusion

Introduction

Brief History

How does it work

Implementation

Resources

Conclusion

History Blaine Cook (Twitter openId) & Chris Messina (open source advocate – Barcamp :-)) OAuth Core 1.0 final draft: October 2007

Blaine Cook (Twitter openId) & Chris Messina (open source advocate – Barcamp :-))

OAuth Core 1.0 final draft: October 2007

Summary Introduction Brief History How does it work Implementation Resources Conclusion

Introduction

Brief History

How does it work

Implementation

Resources

Conclusion

How does it work ? Example: Service provider: Resources : bookmarks Consumer : my app gathering bookmarks from different services

Example:

Service provider:

Resources : bookmarks

Consumer : my app gathering bookmarks from different services

Register consumer app Receive Customer secret Customer key

Receive

Customer secret

Customer key

User decides to access resource Dialog between Mag.nolia & consumer => gets Request Token (signed) http://ma.gnolia.com/oauth/get_request_token User is directed to service provider (with request token) – logs in (signed) http://ma.gnolia.com/oauth/authorize Authorized: back to consumer site

Dialog between Mag.nolia & consumer => gets Request Token (signed)

http://ma.gnolia.com/oauth/get_request_token

User is directed to service provider (with request token) – logs in (signed)

http://ma.gnolia.com/oauth/authorize

Authorized: back to consumer site

... Dialog to exchange request token for access token http://ma.gnolia.com/oauth/get_access_token Any subsequent request with access token (signed) Consumer app can use resource. Limited access – limited time !

Dialog to exchange request token for access token

http://ma.gnolia.com/oauth/get_access_token

Any subsequent request with access token (signed)

Consumer app can use resource.

Limited access – limited time !

Summary Introduction Brief History How does it work Implementation Resources Conclusion

Introduction

Brief History

How does it work

Implementation

Resources

Conclusion

Getting implemented Hopefully

Hopefully

Industry protocols Google AuthSub AOL OpenAuth Yahoo BBAuth Upcoming API Flickr API Amazon Web Services API ...

Google AuthSub

AOL OpenAuth

Yahoo BBAuth

Upcoming API

Flickr API

Amazon Web Services API

...

Summary Introduction Brief History How does it work Implementation Resources Conclusion

Introduction

Brief History

How does it work

Implementation

Resources

Conclusion

Resources Current standard : OAuth Core 1.0 http://oauth.net/ http://groups.google.com/group/oauth Other Data Portability standards http://microformats.org/ http://openid.net/ http://www.hueniverse.com/hueniverse/

Current standard : OAuth Core 1.0

http://oauth.net/

http://groups.google.com/group/oauth

Other Data Portability standards

http://microformats.org/

http://openid.net/

http://www.hueniverse.com/hueniverse/

Summary Introduction Brief History How does it work Implementation Resources Conclusion

Introduction

Brief History

How does it work

Implementation

Resources

Conclusion

Conclusion For Data portability: STANDARDS = GOOD Ask for OAuth.

For Data portability:

STANDARDS = GOOD

Ask for OAuth.