OAuth FTW

(FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England

OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.

The story of OAuth starts with OpenID.

 factoryjoe.com

factoryjoe.com ?! X

! 

factoryjoe.com ? X Can has OpenID?

X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?

How much are your username and password worth?

wayn.com

imeem.com

 PC Load Letter?! What the f...!

The Password Anti-pattern!

Passwords are not confetti.

Please stop throwing them around.

Especially if they’re not yours.

 OAuth replaces the need for usernames and passwords with tokens and a hashing signature.

let’s take a look

Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm

Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts

Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL

Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token

users can manage access...

...and change access

or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)

discovery

Identity -› Discovery -› Authorization

OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)

Identity -› Discovery -› [Authentication] -› Authorization

http://will.norris.name <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />

OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>

XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>

XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...

XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...

adoption

•OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netﬂix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders

•C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code

the pitch

fin. oauth.net me -› factoryjoe.com

http://www.slideshare.net	15
http://ezdev	15
http://deliciouslog.com	5
http://www.techbangalore.net	1
http://health.medicbd.com	1
http://www.techgig.com	1

OAuth FTW

by Chris Messina on Oct 10, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

6 Embeds 38

Statistics

OAuth FTW — Presentation Transcript