OAuth FTW

  • 7,434 views
Uploaded on

The talk I gave at FOWA London about OAuth.

The talk I gave at FOWA London about OAuth.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
7,434
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
150
Comments
2
Likes
30

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. (FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
  • 2. OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
  • 3. The story of OAuth starts with OpenID.
  • 4.  factoryjoe.com
  • 5. factoryjoe.com ?! X
  • 6. ! 
  • 7. factoryjoe.com ? X Can has OpenID?
  • 8. X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
  • 9. ?
  • 10. !?!
  • 11. How much are your username and password worth?
  • 12. wayn.com
  • 13. imeem.com
  • 14.  PC Load Letter?! What the f...!
  • 15. The Password Anti-pattern!
  • 16. Passwords are not confetti.
  • 17. Please stop throwing them around.
  • 18. Especially if they’re not yours.
  • 19.  OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
  • 20. let’s take a look
  • 21. Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
  • 22. Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
  • 23. Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
  • 24. Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
  • 25. users can manage access...
  • 26. ...and change access
  • 27. or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
  • 28. ?
  • 29. discovery
  • 30. Identity -› Discovery -› Authorization
  • 31. OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
  • 32. Identity -› Discovery -› [Authentication] -› Authorization
  • 33. http://will.norris.name <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />
  • 34. OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 35. XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 36. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 37. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 38. adoption
  • 39. •OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
  • 40. code
  • 41. •C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
  • 42. the pitch
  • 43. fin. oauth.net me -› factoryjoe.com