OAuth Presentation

OAuthAPI Access Delegation Protocol

Contents
What is OAuth
Terminologies used for OAuth
Working of OAuth protocol
Use-cases of OAuth
Available implementations of OAuth
Other similar Vendor specific protocols
Loopholes and drawbacks of OAuth

What is OAuth
History
OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.
In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.
In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
What is OAuth
Protocol that allows to share private data hosted on x web site with y web site
Its just a skeleton, Implementation can be vendor specific

Terminologies used for OAuth
Consumer
Application trying to access protected resource
Service Provider
website or web-service hosting protected resource
User
Owner of the protected data
Protected Resource
Images, Videos or documents hosted on web site or web-service which are protected by the user
Tokens
Random string of letters and numbers which is unique. Request Token, Access Token
Scope
Set of data hosted on service provider that user wants to share with consumer

Working of OAuth protocol
Site Y is the consumer and site X is service provider
Site Y has consumer ID and shared secret provided by site X to all its OAuth consumers
User accesses site Y and wants to share private data hosted on site X
Site Y sends the request to site X with Consumer ID and shared secret and asks for Request Token
Site X returns Request Token to site Y
Site Y redirects user to site X Login service with the request token
User enters username/password or OpenID credentials to login to site X
Site X validates the credentials, create Access token associated with the request token and redirects the user to site Y with the request Token
Site Y sends the request token to site X asking for Access token
Site Y gets the access token to access protected resources hosted on site X (Access token is valid only for limited period of time)

Use-cases of OAuth
User wants to order prints of the protected photos shared on some photo sharing site see details
Will be very useful for Mash-up
Will help in Data Portability

Available Implementations of OAuth
Google has released open source API to implement OAuth
Yahoo has come up with Yahoo status application which supports OAuth
Tripit is the first implementation of OAuth

Other Similar vendor specific protocols
Google AuthSub
Yahoo BBAuth (Browser Based Authentication)
AOL Open Authentication
Upcoming API
Flickr API
Amazon Web Services API

Loopholes and drawbacks of OAuth
Trust on Consumer is key
Consumer redirects user to the correct service provider
Consumer uses the private only for the specific time period
OAuth specifications Skeleton does not define resource and signing algorithms used between consumer and service provider
OAuth specifications does not talk about endpoint discovery, language support, XML-RPC support

Thank you
Kiran Thakkar kiran_thakkar@persistent.co.in

OAuth Presentation

by Kiran Thakkar on Jul 07, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 2

Statistics

OAuth Presentation — Presentation Transcript