OAuth 2.0 101
Published in: Technology, Education
Transcript

  • 1. OAuth 2.0 101: Adapting to the Web Beyond the Browser. Anand Sharma, IT Architect, April 2012. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  • 2. Beyond the Browser:
  • 3. (no slide text)
  • 4. For the successful companies, 80% of traffic will be coming from beyond the browser.
  • 5. The resource is some website; the user is the consumer. Authorization is granted by an Admin.
  • 6. The resource is owned by the user. The application consumes the resource. The application is given too much power.
  • 7. The resource is owned by the user. The application consumes the resource. The application is given too much power.
  • 8. Because Services (APIs) and Passwords don’t mix well.
  • 9. OAuth 2.0:
  • 10.
    - Defines Authorization & Authentication framework for RESTful services
    - Supports a variety of clients – from Servers to Mobile Apps
    - Puts the user in control of what resources are shared – mitigates the password anti-pattern
  • 11.
    - Application that calls API (Client): software application that calls REST APIs
    - Human User using the App (Resource Owner): end-user whose data is offered up through an API to Clients
    - API Proxy or Host (Resource Server): accepts access tokens on API calls in order to authenticate the calling client
    - Token Server (Authorization Server): issues Access Tokens after authenticating the client and/or Resource Owner
  • 12.
    - Short-lived Token (Access Token): applications authenticate to APIs using an Access Token
    - Long-lived Token (Refresh Token): Refresh Tokens, if present, can be used to get a new Access Token
  • 13.
    1. Client Gets Token
    2. Client Uses Token
    3. Resource Server Validates Token
    4. Client Refreshes Token (Optional)
    95% of OAuth (and OAuth complexity) is about Step #1 (how to get the Access Token) and OAuth’s confusing terminology.
  • 14. Client Identity; Human User Identity; Access Token
  • 15. Directly exchanges the Client’s credentials for an Access Token. For accessing client-owned resources (no Human User involvement).
  • 16. Directly exchanges the Human User’s credentials for an access token. Useful where the Client is well-trusted by the user and where a browser redirect would be awkward. Commonly used with trusted Mobile apps.
  • 17. Similar to the OAuth 1.0a flow:
    - Starts with a redirect to the provider for authorization
    - After authorization, redirects back to the client with a code query parameter
    - Code is exchanged for an access token
    Client is able to keep tokens confidential. Commonly used for web apps connecting with providers.
  • 18. Simplified Authorization flow – after authorization, redirects back to the client with the Access Token in the fragment parameter. Reduced round-trips. Refresh token is not supported. Commonly used by in-browser JavaScript apps or widgets.
  • 19. The client sends an access token request to the authorization server that includes a SAML 2.0 Assertion. The authorization server validates the Assertion per the processing rules defined in this specification and issues an access token.
  • 20. OAuth Challenges:
  • 21.
    - What version should we use? Standardize on OAuth 2.0 Draft 20
    - Lack of understanding: Book(s), Brown-bags
    - Lack of tools and frameworks
  • 22.
    - “Getting Started with OAuth 2.0”, O’Reilly Book
    - OAuth 2.0 Draft 25 (http://bit.ly/dft-oauth)
    - Search for “OAuth 2.0” in Google
  • 23. Backup Slides. Q&A
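The four steps of slide 13, carried through the authorization code grant of slide 17 and the refresh token of slide 12, as an added example that is not code from the deck or from Cisco. AuthorizationServer, call_api and code_from_redirect are hypothetical in-memory stand-ins (the client id, secret and redirect URI used with them are made up); the block shows a single-use code bound to the registered redirect_uri, a short-lived access token that the resource server rejects once expired, and the long-lived refresh token being exchanged for a fresh one.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    # Hypothetical in-memory Token Server: short-lived access token + long-lived refresh token
    def __init__(self, clients, access_ttl=300, clock=time.time):
        self.clients, self.access_ttl, self.clock = clients, access_ttl, clock
        self.codes, self.access, self.refresh = {}, {}, {}
    def authorize(self, client_id, redirect_uri, user, scope, state):
        # Step 1a: the user has consented; redirect back to the client with a one-time code
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope, self.clock() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def _issue(self, client_id, user, scope):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (user, scope, self.clock() + self.access_ttl)
        self.refresh[rt] = (client_id, user, scope)
        return {"access_token": at, "token_type": "bearer",
                "expires_in": self.access_ttl, "refresh_token": rt}
    def token(self, grant_type, client_id, client_secret, **p):
        # Step 1b (code -> tokens) and step 4 (refresh token -> fresh access token)
        known = self.clients.get(client_id)
        if not known or not secrets.compare_digest(known[0], client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            e = self.codes.pop(p.get("code"), None)  # pop: a code is single use
            if not e or e[:2] != (client_id, p.get("redirect_uri")) or e[4] < self.clock():
                return {"error": "invalid_grant"}
            return self._issue(client_id, e[2], e[3])
        if grant_type == "refresh_token":
            e = self.refresh.get(p.get("refresh_token"))
            return self._issue(*e) if e and e[0] == client_id else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}
    def validate(self, access_token):
        # Step 3: Resource Server checks the bearer token exists and has not expired
        e = self.access.get(access_token)
        return None if not e or e[2] < self.clock() else {"user": e[0], "scope": e[1]}

def call_api(auth_server, authorization_header):
    # Step 2: Resource Server accepts "Bearer <token>" on the API call and validates it
    scheme, _, tok = authorization_header.partition(" ")
    info = auth_server.validate(tok) if scheme == "Bearer" else None
    return (401, "invalid_token") if info is None else (200, info["user"])
def code_from_redirect(url):
    # Client side: read the code and state back out of the redirect URL
    q = parse_qs(urlparse(url).query)
    return q["code"][0], q["state"][0]
```

The client must compare the returned state with the one it sent before exchanging the code; that check is what ties the redirect back to the session that started the flow.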
