OAuth Introduction

Speaker notes (from the slide notes):
  • OAuth 1.0 -> 2006 / 2007; OAuth 2.0 -> 2010
  • „if the user has already authorized your app, they will not be prompted to do so again“; offline_access -> the token never loses its validity!
Slide transcript:

    1. OAuth, or: „Why you don‘t have to pass credentials“
    2. About me! Marvin Hoffmann (B.Sc.), Computer Science and Media, Semester 2. Why am I here? Security will always be a key aspect of application development.
    3–4. What‘s coming? Some history and basics, some OAuth, some Facebook, a project reference, a conclusion, semester holidays :)
    5. History and basics
    6. Once upon a time... you had to pass your username and password to let applications use one another. Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
    7–8. That of course... we don‘t want to be necessary! Pass username and password? No thanks. There must be another way!
    9. What do we want then? Distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; a standardized approach to granting access.
    10. What‘s necessary? Authentication: who the heck are you? Authorization: you are allowed to do xyz and only xyz!
    11. OAuth
    12. We need a standard! Many custom-built solutions existed before OAuth. Flickr: „FlickrAuth“; Google: „AuthSub“; Facebook: requests signed with MD5 hashes. Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
    13. What‘s in the protocol? OAuth 1 is based on „FlickrAuth“ and Google‘s „AuthSub“. OAuth 2 is a completely new protocol; it defines different flows, useful for different requirements (native client, website, mobile app). We‘ll see soon what such a flow can look like. Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
    14. Facebook
    15. OAuth and Facebook: looks familiar? Source: application „Pulp“; https://www.facebook.com/settings/?tab=privacy
    16. How to get there, 1: register your application or website as a Facebook application to get your app credentials: an App ID / API key and an App Secret (tokens you get are only valid for your Facebook app).
    17. How to get there, 2: add App ID and App Secret to your code. Example: $facebook = new Facebook(array('appId' => 'YOUR_APP_KEY', 'secret' => 'YOUR_APP_SECRET')); Your app/website will now be identified correctly. The domain will be checked as well!
    18. How to get there, 3: define what your app needs to use, e.g. „Post to Facebook as me“, „Access basic information“. Example: <fb:login-button show-faces="true" width="500" max-rows="1" perms="user_useralbums,read_stream,publish_stream"></fb:login-button> Rights? See photos, read from and write to the stream.
    19. How to get there, 4: App ID, App Secret, Domain. Source: https://developers.facebook.com/apps/
    20. How to get there, 5: you‘re good to go! Your app/website will now be identified (always) and the user has to grant specific rights (once).
    21. HTTP calls flow. Source: https://developers.facebook.com/docs/authentication/
    22–27. Little more details (source: https://developers.facebook.com/docs/authentication/):
        Request: https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
        Response: http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
        Request: https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
        Response: access_token and time in seconds till the token expires. Save it!
    28. Project reference: no code :(
    29. Environment: „Online & Performance Marketing Agency“; a LOT of Facebook marketing campaigns per month; campaign creation and monitoring via Facebook Ads Manager (web interface). Task: integrate into a Java client! Links: Ads Manager: https://www.facebook.com/ads/manage/; Ad creation: https://www.facebook.com/ads/create/
    30. Facebook and Java: just like we learned: register the app with Facebook, get an access token. RestFB: a helpful library to speak with the Graph API in Java. Links: RestFB: http://restfb.com
    31. The problem we had: what if... we want to access information of a page that only an admin of the page can access? ... we want to add data to an account, but only admins are allowed to?
    32. Conclusion
    33–37. What do we want then? Distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; a standardized approach to granting access.
    38. One more thing! A stolen token is not as horrible as stolen credentials! Just dedicated information or actions can be accessed; no need to change the password; it‘s easy to revoke access.
    39. Thanks! Questions?
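An added example, not code from the slides or from the Facebook SDK: the authorization-code exchange of slides 23–27 modelled offline in Python, with a simulated Facebook side. The endpoint URLs and parameter names are the ones on the slides; the `state` parameter (a standard OAuth 2 check against forged callbacks that the slides do not show), the sample code value and the form-encoded token response are constructed here.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

DIALOG_URL = "https://www.facebook.com/dialog/oauth"          # slide 23
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"   # slide 25

def build_dialog_url(app_id, redirect_uri, scopes, state):
    """Step 1: URL the browser is redirected to. `state` is a random value the app
    stores in the user's session before redirecting (not on the slides)."""
    params = {"client_id": app_id, "redirect_uri": redirect_uri,
              "scope": ",".join(scopes), "state": state}
    return DIALOG_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: the server sends the browser back with `code`. Reject the code unless
    `state` matches our session, so a code injected by a third party is never exchanged."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in qs:
        raise ValueError("no code in callback: " + qs.get("error", ["unknown"])[0])
    return qs["code"][0]

def build_token_request(app_id, app_secret, redirect_uri, code):
    """Step 3: exchange the code for a token. This request carries the App Secret, so
    it is sent server-to-server, never from the browser; redirect_uri must equal
    the value used in step 1."""
    return TOKEN_URL + "?" + urlencode({"client_id": app_id, "redirect_uri": redirect_uri,
                                        "client_secret": app_secret, "code": code})

def parse_token_response(body):
    """Step 4: response is form-encoded: access_token plus seconds until expiry.
    A missing `expires` means a non-expiring token (cf. the offline_access note):
    it needs the same protection as a credential until it is revoked."""
    fields = parse_qs(body)
    expires = int(fields["expires"][0]) if "expires" in fields else None
    return fields["access_token"][0], expires

def run_flow(app_id="APP_ID", app_secret="APP_SECRET", redirect_uri="https://app.example/cb"):
    """Whole flow with a simulated Facebook side (constructed responses)."""
    state = secrets.token_urlsafe(16)
    build_dialog_url(app_id, redirect_uri, ["email", "read_stream"], state)
    # Simulated step-2 redirect back to us, carrying our state and a constructed code.
    code = parse_callback(f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}", state)
    build_token_request(app_id, app_secret, redirect_uri, code)
    # Simulated step-4 body in the form-encoded shape the slides describe.
    return parse_token_response("access_token=CONSTRUCTED_TOKEN&expires=5183944")
```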
