Wrong confirmation ID

Email
Favorite
Favorited ×
Download
Embed
Private Content
Copy and paste this code into your blog or website Copy Customize… Close
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.

Tweet

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

How to Avoid Losing Your Pants Using oAuth

by Jesse Stay on Aug 26, 2009

7,311 views

Applications have long provided ways to enable other applications to access their API. In the past this has involved naked, plain-text password storage that provided the illusion of users securely givi...

Applications have long provided ways to enable other applications to access their API. In the past this has involved naked, plain-text password storage that provided the illusion of users securely giving permission to access the API in their name. oAuth removes this illusion, "putting the clothes" back on authorization so user data remains secure in an open, standards-supported way.

Accessibility

View text version

Categories

Tags

twitter id open apis yahoo oauth simply

Upload Details

Uploaded via SlideShare as Apple Keynote

Usage Rights

© All Rights Reserved

File a copyright complaint

3 Embeds 887

http://www.uxmagic.com	884
http://www.slideshare.net	2
http://webcache.googleusercontent.com	1

Statistics

Favorites: 3
Downloads: 47
Comments: 0
Embed Views: 887
Views on SlideShare: 6,424
Total Views: 7,311

3 Favorites

Iroiso Ikpokonte at Iroiso Ikpokonte Tags simply oauth 11 months ago
Fumiaki Nagai , Software Developer, at home 2 years ago
wesley83 2 years ago

How to Avoid Losing Your Pants Using oAuth — Presentation Transcript

HOW TO AVOID LOSING YOUR PANTS USING OAUTH EVERYTHING YOU NEED TO KNOW TO KEEP YOUR USERS SAFE AND MAINTAIN YOUR SANITY WITH OAUTH JESSE STAY CEO, SOCIALTOO.COM HTTP://STAYNALIVE.COM
A LONG TIME AGO, IN A GALAXY FAR, FAR AWAY, THERE WAS A STORY OF A WISE OLD EMPEROR... OKAY, NOT THIS EMPEROR!
THE “UNTOLD” TRUTH DON’T BE STUPID!
DON’T GET CAUGHT WITH YOUR PANTS DOWN! MORAL OF THE STORY PHOTO VIA HTTP://WWW.FLICKR.COM/PHOTOS/WIRETHREAD/175023943/
WHAT IS OAUTH?
WHAT IS OAUTH? OAUTH IS OPEN
WHAT IS OAUTH? OAUTH IS OPEN OAUTH IS SECURE
WHAT IS OAUTH? OAUTH IS OPEN OAUTH IS SECURE OAUTH IS AUTHORIZATION
WHAT IS OAUTH? OAUTH IS OPEN OAUTH IS SECURE OAUTH IS AUTHORIZATION OAUTH IS A STANDARD
COMPONENTS OF OAUTH THE USER
COMPONENTS OF OAUTH THE CONSUMER
COMPONENTS OF OAUTH THE SERVICE PROVIDER
BASIC FLOW OF AN OAUTH APP USER VISITS APPLICATION, CLICKS “AUTHORIZE” BUTTON
BASIC FLOW OF AN OAUTH APP USER VISITS CONSUMER, CLICKS “AUTHORIZE” BUTTON CONSUMER REDIRECTS USER TO SERVICE PROVIDER FOR AUTH
BASIC FLOW OF AN OAUTH APP USER VISITS CONSUMER, CLICKS “AUTHORIZE” BUTTON CONSUMER REDIRECTS USER TO SERVICE PROVIDER FOR AUTH PROVIDER RETURNS USER TO CONSUMER W/ TOKEN TO ACT ON BEHALF OF PROVIDER FOR THAT USER
“BEHIND” THE SCENES CONSUMER FORMATS A REQUEST TO PROVIDER TO GET A REQUEST TOKEN, APPENDS REQUEST TOKEN TO THE PROVIDER AUTH URL CONSUMER THEN REDIRECTS USER TO PROVIDER AUTH URL W/ THE REQUEST TOKEN
“BEHIND” THE SCENES USER AUTHENTICATES WITH PROVIDER, AUTHORIZES CONSUMER TO MAKE CALLS ON BEHALF OF USER
“BEHIND” THE SCENES PROVIDER REDIRECTS USER BACK TO CONSUMER’S CALLBACK URL (SPECIFIED IN ORIGINAL CONSUMER TO PROVIDER REDIRECT OR IN APP SETTINGS) CONSUMER SENDS ORIGINAL REQUEST TOKEN, REQUESTING ACCESS TOKEN FROM PROVIDER
“BEHIND” THE SCENES PROVIDER SENDS CONSUMER ACCESS TOKEN AND ACCESS TOKEN SECRET, GIVING CONSUMER PERMISSION TO MAKE API CALLS ON BEHALF OF USER CONSUMER MAKES API CALLS FOR USER!
CONSUMER CALL AND REDIRECT TO PROVIDER: REAL WORLD EXAMPLE (THERE’S MORE THAN ONE WAY TO DO IT!)
CONSUMER CALLBACK ON REDIRECT FROM PROVIDER: REAL WORLD EXAMPLE (THERE’S MORE THAN ONE WAY TO DO IT!)
MAKE SOME API CALLS! REAL WORLD EXAMPLE (THERE’S MORE THAN ONE WAY TO DO IT!)
OAUTH ON THE IPHONE
OAUTH FOR DESKTOP PROVIDER ASKS USER FOR PIN USER ENTERS PIN IN CONSUMER DESKTOP APP CONSUMER SENDS PIN WITH REQUEST FOR ACCESS TOKEN
FLAWS OF OAUTH MULTIPLE STEPS FOR USER TO AUTHENTICATE USER HAS TO LEAVE THE CONSUMER SITE NOT BUILT AS AN AUTHENTICATION PLATFORM - WHEN PROVIDER IS DOWN, SO IS OAUTH FOR THAT PROVIDER
FACEBOOK CONNECT AUTHENTICATION AND AUTHORIZATION IN ONE USER NEVER LEAVES SITE MANY MORE INTEGRATED TOOLS CLOSED, PROPRIETARY
ANY QUESTIONS? HTTP://WIKI.OAUTH.NET HTTP://STAYNALIVE.COM HTTP://APIWIKI.TWITTER.COM/AUTHENTICATION