How to Avoid Losing Your Pants Using oAuth

Applications have long provided ways to enable other applications to access their API. In the past this has involved naked, plain-text password storage that provided the illusion of users securely giving permission to access the API in their name. oAuth removes this illusion, "putting the clothes" back on authorization so user data remains secure in an open, standards-supported way.

    1. How to Avoid Losing Your Pants Using OAuth. Everything you need to know to keep your users safe and maintain your sanity with OAuth. Jesse Stay, CEO, SOCIALTOO.COM, HTTP://STAYNALIVE.COM
    2. A long time ago, in a galaxy far, far away, there was a story of a wise old emperor... Okay, not this emperor!
    3. The “untold” truth: don’t be stupid!
    4. Moral of the story: don’t get caught with your pants down! (Photo via HTTP://WWW.FLICKR.COM/PHOTOS/WIRETHREAD/175023943/)
    5. What is OAuth?
    6. What is OAuth? OAuth is open.
    7. What is OAuth? OAuth is open. OAuth is secure.
    8. What is OAuth? OAuth is open. OAuth is secure. OAuth is authorization.
    9. What is OAuth? OAuth is open. OAuth is secure. OAuth is authorization. OAuth is a standard.
    10. Components of OAuth: the user.
    11. Components of OAuth: the consumer.
    12. Components of OAuth: the service provider.
    13. Basic flow of an OAuth app: user visits application, clicks “Authorize” button.
    14. Basic flow of an OAuth app: user visits consumer, clicks “Authorize” button. Consumer redirects user to service provider for auth.
    15. Basic flow of an OAuth app: user visits consumer, clicks “Authorize” button. Consumer redirects user to service provider for auth. Provider returns user to consumer with token to act on behalf of provider for that user.
    16. “Behind” the scenes: consumer formats a request to provider to get a request token, appends request token to the provider auth URL. Consumer then redirects user to provider auth URL with the request token.
    17. “Behind” the scenes: user authenticates with provider, authorizes consumer to make calls on behalf of user.
    18. “Behind” the scenes: provider redirects user back to consumer’s callback URL (specified in original consumer-to-provider redirect or in app settings). Consumer sends original request token, requesting access token from provider.
    19. “Behind” the scenes: provider sends consumer access token and access token secret, giving consumer permission to make API calls on behalf of user. Consumer makes API calls for user!
    20. Real world example (there’s more than one way to do it!): consumer call and redirect to provider.
    21. Real world example (there’s more than one way to do it!): consumer callback on redirect from provider.
    22. Real world example (there’s more than one way to do it!): make some API calls!
    23. OAuth on the iPhone.
    24. OAuth for desktop: provider asks user for PIN. User enters PIN in consumer desktop app. Consumer sends PIN with request for access token.
    25. Flaws of OAuth: multiple steps for user to authenticate. User has to leave the consumer site. Not built as an authentication platform; when provider is down, so is OAuth for that provider.
    26. Facebook Connect: authentication and authorization in one. User never leaves site. Many more integrated tools. Closed, proprietary.
    27. Any questions? HTTP://WIKI.OAUTH.NET HTTP://STAYNALIVE.COM HTTP://APIWIKI.TWITTER.COM/AUTHENTICATION
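The “behind the scenes” exchange of slides 16 to 19 (request token, redirect, callback, access token, API call) and the desktop PIN variant of slide 24 are the same protocol with the verifier delivered two different ways, so the added example below runs both through one function. It is Python written for this page, not code from the deck, from SocialToo or from any OAuth library, and it follows OAuth 1.0a (RFC 5849), where the provider returns an oauth_verifier on the callback; with callback “oob” that verifier is the PIN the user types into the desktop app. The endpoint URLs, the consumer key and secret, the user “alice” and the in-process MockProvider are all constructed so the code runs offline; a real consumer would send these parameters over HTTPS and keep the request token secret in its session between the redirect and the callback.

```python
"""OAuth 1.0a three-legged flow (RFC 5849), simulated end to end with an in-memory provider.
Constructed example: the endpoints, the consumer key/secret and the user "alice" are made up."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode

REQUEST_URL = "https://provider.example/oauth/request_token"  # assumed provider endpoints
ACCESS_URL = "https://provider.example/oauth/access_token"
API_URL = "https://provider.example/api/me"


def percent_encode(value):
    """RFC 5849 s3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal; hex digits are uppercase."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 s3.4.1: METHOD & encoded base URL & encoded, sorted, '&'-joined parameters."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is 'consumer secret & token secret' (token secret empty before any token exists)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class Consumer:
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def sign(self, method, url, extra, token=None, token_secret=""):
        """Every call carries the oauth_* parameters plus a signature over all parameters."""
        params = [("oauth_consumer_key", self.key), ("oauth_nonce", secrets.token_hex(8)),
                  ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(int(time.time()))),
                  ("oauth_version", "1.0"), *extra] + ([("oauth_token", token)] if token else [])
        params.append(("oauth_signature", hmac_sha1_signature(method, url, params, self.secret, token_secret)))
        return params


class MockProvider:
    def __init__(self, consumers):  # consumer_key -> consumer_secret, registered out of band
        self.consumers, self.request_tokens, self.access_tokens, self.seen_nonces = consumers, {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        if abs(time.time() - int(p["oauth_timestamp"])) > 300 or p["oauth_nonce"] in self.seen_nonces:
            raise PermissionError("stale timestamp or replayed nonce")
        expected = hmac_sha1_signature(method, url, params, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(expected, p["oauth_signature"]):
            raise PermissionError("bad signature")
        self.seen_nonces.add(p["oauth_nonce"])
        return p

    def request_token(self, method, url, params):
        p = self._verify(method, url, params)  # no token yet, so the key ends in an empty token secret
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "callback": p["oauth_callback"], "verifier": None}
        return token, secret

    def authorize(self, token, user):  # the user has logged in at the provider and approved the consumer
        rt = self.request_tokens[token]
        rt["verifier"], rt["user"] = secrets.token_hex(4), user
        if rt["callback"] == "oob":
            return rt["verifier"]  # desktop flow: the verifier is shown to the user as a PIN
        return rt["callback"] + "?" + urlencode({"oauth_token": token, "oauth_verifier": rt["verifier"]})

    def access_token(self, method, url, params):
        rt = self.request_tokens[dict(params)["oauth_token"]]
        p = self._verify(method, url, params, rt["secret"])
        if rt["verifier"] is None or not hmac.compare_digest(rt["verifier"], p["oauth_verifier"]):
            raise PermissionError("request token not authorized or verifier mismatch")
        del self.request_tokens[p["oauth_token"]]  # a request token is exchanged exactly once
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rt["user"]}
        return token, secret

    def api_call(self, method, url, params):
        at = self.access_tokens[dict(params)["oauth_token"]]
        self._verify(method, url, params, at["secret"])
        return at["user"]


def three_legged_flow(consumer, provider, callback, user="alice"):
    """Slides 16-19 with a callback URL, or slide 24 when callback is 'oob' and the verifier is a PIN."""
    rt, rts = provider.request_token("POST", REQUEST_URL, consumer.sign("POST", REQUEST_URL, [("oauth_callback", callback)]))
    # A real consumer now stores rts in its session and redirects the browser to the provider's
    # authorize URL with ?oauth_token=rt; provider.authorize() stands in for that user visit.
    returned = provider.authorize(rt, user)
    if callback == "oob":
        verifier = returned  # the user types the PIN into the desktop app
    else:
        back = dict(parse_qsl(returned.split("?", 1)[1]))
        if back["oauth_token"] != rt:  # only accept the request token this consumer actually issued
            raise PermissionError("callback carries an unknown request token")
        verifier = back["oauth_verifier"]
    at, ats = provider.access_token("POST", ACCESS_URL, consumer.sign("POST", ACCESS_URL, [("oauth_verifier", verifier)], rt, rts))
    return provider.api_call("GET", API_URL, consumer.sign("GET", API_URL, [], at, ats))
```

Running `three_legged_flow(Consumer("ck", "cs"), MockProvider({"ck": "cs"}), "https://consumer.example/cb")` returns the authorizing user, and the same call with callback `"oob"` takes the PIN path. The provider side shows what the slides’ “secure” claim rests on: the signature covers every parameter, so a changed callback or scope fails verification, the nonce and timestamp stop replay of a captured request, and the request token is consumed on exchange. The `signature_base_string` function reproduces the worked example from RFC 5849 section 3.4.1.1, which is the quickest way to check an implementation against the specification.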
