OAuth: Trust Issues

My talk for the Dutch PHP Conference, explaining the point of oauth, the mechanics of oauth2 and the various flows, and a spot of oauth1 for completeness

Transcript of "OAuth: Trust Issues"

Slide 1: OAuth: A Question of Trust

Slide 2: About Me
 • Lorna Jane Mitchell
 • Twitter: @lornajane
 • Web: http://lornajane.net

Slide 3: If OAuth is the answer, what was the question?

Slide 4: OAuth (diagram; labels: username: lornajane, password: qwerty)

Slide 5: OAuth (diagram; label: "Hi, I’m lornajane")

Slide 6: Two Kinds of OAuth
 • OAuth 1
   • in use on many systems
   • many steps: ’the oauth dance’
   • encryption overhead (so use a lib)
 • OAuth 2
   • requires SSL
   • fewer steps
   • recognises trust
   • recommended for new systems

Slide 7: OAuth 2: Performance over Paranoia

Slide 8: OAuth2 Relationships (diagram)

Slide 9: OAuth2 Relationships (diagram)

Slide 10: Before We Begin
Register for an API key and capture:
 • application name
 • callback URL(s) to use
 • description
e.g. http://joind.in/user/apikey

Slide 11: OAuth2 Endpoints (diagram; labels: Application Website, API, Client, api key registration, auth endpoint, callback URL, user grant/revoke access, resource endpoint, resources)

Slide 12: Establishing Trust
We need an authorisation grant for the assistant to be able to access user data

Slide 13: Authorisation Grants

Slide 14: Authorisation Grant: Many Choices
How we authorise a third party:
 • authorisation code
 • implicit
 • resource owner credentials
 • client credentials
 • ... potentially further extensions

Slide 15: Authorisation Code
Use for: server-side apps
Flow: we send the user to the application to grant access and receive a code in return, then exchange the code for an access token
Features: the user never sees the access token

Slide 16: Authorisation Code Process (diagram; request parameters: client_id, redirect_url, type, scope, state)

Slide 17: Authorisation Code Process
User must be able to visit the site and revoke later

Slide 18: Authorisation Code Process (diagram; labels: code, code, state)

Slide 19: Authorisation Code Process (diagram; labels: client_key, client_secret, code, code, access token, access_token)
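The authorisation code dance of slides 15 to 19, worked through with both parties in one process. This is an added example and not code from the talk: the provider, the server-side consumer, the endpoint URL, client id, client secret and callback URL are all constructed. It shows the checks a defender wants at each hop: the callback must be one registered at API-key time (slide 10), the state the consumer sends out must come back unchanged before the callback is trusted, the code is exchanged at most once and only together with the client secret, and the access token only ever travels over the back channel so the user never sees it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://api.example.test/oauth/authorize"  # constructed URL
CODE_LIFETIME = 60  # seconds; a code is short-lived and usable once


def query_params(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorisationServer:
    """The provider: holds client registrations, issues codes, swaps them for tokens."""

    def __init__(self):
        # Captured at API-key registration (slide 10): id, secret and the allowed callback URLs
        self.clients = {"myapp": {"secret": "constructed-client-secret",
                                  "redirects": {"https://myapp.example.test/callback"}}}
        self.codes = {}   # code -> who it was issued to and when it expires
        self.tokens = {}  # access token -> client_id and scope

    def authorize(self, params, user_approved=True):
        """Front-channel step: the user decides, we redirect back with code and state."""
        client = self.clients.get(params.get("client_id"))
        # Only a pre-registered callback may receive the code, so a code cannot be
        # steered to a URL of the requester's choosing
        if client is None or params.get("redirect_uri") not in client["redirects"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if not user_approved:
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params.get("scope", ""), "expires": time.time() + CODE_LIFETIME}
        # state is echoed back untouched; the client uses it to tie the callback to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Back-channel step: code plus client secret becomes an access token; the user never sees it."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(form.get("code"), None)  # pop: a code is exchanged at most once
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri") or grant["expires"] < time.time()):
            raise PermissionError("invalid_grant")
        token = secrets.token_hex(8)
        self.tokens[token] = {"client_id": form["client_id"], "scope": grant["scope"]}
        return {"access_token": token, "scope": grant["scope"]}


class ServerSideApp:
    """The consumer: builds the authorise URL, checks the callback, exchanges the code."""

    def __init__(self, server):
        self.server = server
        self.client_id, self.client_secret = "myapp", "constructed-client-secret"
        self.redirect_uri = "https://myapp.example.test/callback"
        self.pending = {}  # state -> requested scope; in a real app this lives in the user's session

    def start(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return AUTH_ENDPOINT + "?" + urlencode({"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                                                 "response_type": "code", "scope": scope, "state": state})

    def callback(self, url):
        q = query_params(url)
        # A state we never issued means this callback was not started by us: refuse it
        if q.get("state") not in self.pending:
            raise PermissionError("state mismatch")
        del self.pending[q["state"]]
        if "code" not in q:
            raise PermissionError(q.get("error", "no code returned"))
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri,
                                  "client_id": self.client_id, "client_secret": self.client_secret})


def run_flow(scope="read"):
    """Walk one user through the dance; returns (token response, server) for inspection."""
    server = AuthorisationServer()
    app = ServerSideApp(server)
    callback_url = server.authorize(query_params(app.start(scope)), user_approved=True)
    return app.callback(callback_url), server
```

Running `run_flow("read")` yields a token response whose `access_token` is in the server's token store. Because `callback` deletes the state it consumed and `token` pops the code, replaying the same callback URL is refused, which is what keeps a leaked code from being turned into a second token.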
Slide 20: Implicit Grant
Use for: client-side apps
Flow: we send the user to the application to grant access and receive an access token in return
Features: super-simple

Slide 21: Implicit Process (diagram; request parameters: client_id, redirect_url, type, scope, state)

Slide 22: Implicit Process
User must be able to visit the site and revoke later

Slide 23: Implicit Process (diagram; labels: access token, access_token, state)
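The implicit grant of slides 20 to 23 differs from the authorisation code grant in one structural way: the access token itself comes back to the client-side app, in the URL fragment, and there is no secret and no code exchange. The example below is added here and is not from the talk; the endpoint URL, the client registration and the token values are constructed, and the "client side" would in practice be JavaScript reading `location.hash`. It shows why the fragment matters (it never reaches the callback's web server) and why the client must still check `state` before using the token it was handed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://api.example.test/oauth/authorize"  # constructed URL
REGISTERED = {"spa-app": {"https://spa.example.test/callback"}}  # client_id -> callback URLs (constructed)


def build_authorise_url(client_id, redirect_uri, scope, state):
    """What the client-side app sends the user to; response_type=token asks for the token directly."""
    return AUTH_ENDPOINT + "?" + urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                                             "response_type": "token", "scope": scope, "state": state})


def provider_redirect(authorise_url, user_approved=True):
    """Provider side: validate the request, then redirect with the token in the URL fragment.

    Browsers do not send the fragment to the callback URL's server, so the token
    only ever exists in the user agent: no secret, no code exchange, no refresh token.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(authorise_url).query).items()}
    if q.get("redirect_uri") not in REGISTERED.get(q.get("client_id"), set()):
        raise ValueError("unknown client or unregistered redirect_uri")
    if q.get("response_type") != "token":
        raise ValueError("unsupported response_type")
    state = q.get("state", "")
    if not user_approved:
        return q["redirect_uri"] + "#" + urlencode({"error": "access_denied", "state": state})
    return q["redirect_uri"] + "#" + urlencode({"access_token": secrets.token_hex(8), "token_type": "bearer",
                                                "expires_in": "3600", "scope": q.get("scope", ""),
                                                "state": state})


def handle_callback(url, expected_state):
    """Client side: read the fragment and check state before trusting anything in it."""
    parts = urlsplit(url)
    if parts.query:
        raise ValueError("token must not arrive in the query string")
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    # A response carrying a state we did not issue is not a reply to our request: drop it
    if not secrets.compare_digest(frag.get("state", ""), expected_state):
        raise PermissionError("state mismatch")
    if "access_token" not in frag:
        raise PermissionError(frag.get("error", "no token returned"))
    # The token is short-lived; when it expires the user goes through the grant again
    return {"access_token": frag["access_token"], "expires_in": int(frag["expires_in"]), "scope": frag["scope"]}


def run_implicit(scope="read"):
    """One complete round trip for the registered client."""
    state = secrets.token_urlsafe(16)
    url = build_authorise_url("spa-app", "https://spa.example.test/callback", scope, state)
    return handle_callback(provider_redirect(url), state)
```

The trade-off the slide calls "super-simple" is visible in `provider_redirect`: nothing authenticates the client, so the registered callback URL and the short token lifetime are the only things limiting what a token that leaks from the browser is worth.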
Slide 24: Resource Owner Credentials
Use for: trusted consumers, such as same-provider apps or a script the user writes themselves
Flow: the user gives their username and password to the app; the app exchanges them for an access token and does not store them
Features: saves sending the user to the main site and back

Slide 25: Resource Owner Credentials Process (diagram; labels: username, password)

Slide 26: Resource Owner Credentials Process (diagram; label: access token)

Slide 27: Client Credentials
Use for: privileged consumers
Flow: client credentials act as an authorisation grant; an access token is returned
Features: ideal for applications with more than per-user-data access rights

Slide 28: Client Credentials Process (diagram; labels: "hai", access token)

Slide 29: How to Choose Grant Type
What will be consuming this data?
It isn’t unusual for applications to support some or all of these grant types

Slide 30: You have an access token, now what?

Slide 31: Using Access Tokens
With the access token, include it in an Authorization header:
Authorization: OAuth db141c50adb74b22

Slide 32: Using Access Tokens
With the access token, include it in an Authorization header:
Authorization: OAuth db141c50adb74b22
Everything you already knew about web APIs now applies as normal

Slide 33: Refresh Tokens
Some applications will give you two tokens
 • access token (shorter expiry)
 • refresh token (longer expiry)
The refresh token is an authorisation grant in its own right, to be used when the access token has expired
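The three grants that need no browser round trip (resource owner credentials on slides 24 to 26, client credentials on slides 27 and 28) and the refresh token grant of slide 33 all arrive at the same token endpoint, distinguished by `grant_type`. The token endpoint below is an added example, not code from the talk: the user account, the two client registrations, the lifetimes and the PBKDF2 password storage are constructed for the demo (the username and password are the ones on slide 4, stored only as a salted hash). It shows what "does not store" means on the provider side, why a client-credentials token has no user behind it, and how a refresh token is consumed when it is used.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_LIFETIME = 3600          # seconds: the short-lived token
REFRESH_LIFETIME = 30 * 86400   # seconds: the long-lived grant


def _hash_password(password, salt):
    """Passwords are compared against a salted PBKDF2 hash; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class TokenEndpoint:
    def __init__(self):
        salt = b"constructed-salt"
        self.users = {"lornajane": (salt, _hash_password("qwerty", salt))}  # slide 4 credentials, hashed
        # Which grant each registered client is allowed to use (constructed registrations)
        self.clients = {
            "same-provider-app": {"secret": "app-secret", "grants": {"password", "refresh_token"}},
            "backend-job": {"secret": "job-secret", "grants": {"client_credentials"}},
        }
        self.access = {}   # access token -> client_id, subject, scope, expiry
        self.refresh = {}  # refresh token -> client_id, subject, scope, expiry

    def _authenticate_client(self, form):
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        if form.get("grant_type") not in client["grants"]:
            raise PermissionError("unauthorized_client")

    def _issue(self, client_id, subject, scope, with_refresh):
        now = time.time()
        token = secrets.token_hex(8)
        self.access[token] = {"client_id": client_id, "subject": subject, "scope": scope,
                              "expires": now + ACCESS_LIFETIME}
        response = {"access_token": token, "expires_in": ACCESS_LIFETIME, "scope": scope}
        if with_refresh:
            refresh = secrets.token_hex(16)
            self.refresh[refresh] = {"client_id": client_id, "subject": subject, "scope": scope,
                                     "expires": now + REFRESH_LIFETIME}
            response["refresh_token"] = refresh
        return response

    def token(self, form):
        """Dispatch on grant_type; every branch authenticates the client first."""
        self._authenticate_client(form)
        grant = form["grant_type"]
        if grant == "password":
            # Resource owner credentials: check the password, then forget it; only tokens are stored
            salt, digest = self.users.get(form.get("username"), (b"", b""))
            if not hmac.compare_digest(digest, _hash_password(form.get("password", ""), salt)):
                raise PermissionError("invalid_grant")
            return self._issue(form["client_id"], form["username"], form.get("scope", ""), with_refresh=True)
        if grant == "client_credentials":
            # No user involved: the token acts for the client itself, so there is no refresh token
            return self._issue(form["client_id"], None, form.get("scope", ""), with_refresh=False)
        if grant == "refresh_token":
            # The refresh token is a grant in its own right; pop() consumes it so each is used once
            old = self.refresh.pop(form.get("refresh_token"), None)
            if old is None or old["client_id"] != form["client_id"] or old["expires"] < time.time():
                raise PermissionError("invalid_grant")
            return self._issue(form["client_id"], old["subject"], old["scope"], with_refresh=True)
        raise PermissionError("unsupported_grant_type")
```

The per-client `grants` set is the part that answers slide 29's "what will be consuming this data?": a backend job registered for client credentials cannot start accepting user passwords just because the endpoint supports that grant for someone else.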
Slide 34: What about access control?

Slide 35: Scope
Consumers will request a given set of permissions, usually called scope
Users usually only get to accept, or not
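Slides 31 to 35 cover the consuming side: the token goes in an `Authorization` header and the scope the user accepted decides what that token may do. The resource-server check below is an added example and not from the talk; the token store, the expiry values, the endpoint-to-scope mapping and the `/v1/talks` path are constructed (the token value is the one printed on slide 31). It accepts both the `OAuth` scheme the slide shows and the `Bearer` scheme later standardised in RFC 6750, and it separates the two failure modes a client needs to tell apart: 401 for a missing, unknown or expired token (go and refresh), 403 for a valid token whose scope does not cover the request.

```python
import hmac
import time

# What a provider might keep per issued token (constructed records)
TOKENS = {
    "db141c50adb74b22": {"user": "lornajane", "scope": {"read"}, "expires": time.time() + 3600},
    "0000expired0000": {"user": "lornajane", "scope": {"read", "write"}, "expires": time.time() - 1},
}

# Which scope each resource endpoint requires (constructed mapping)
REQUIRED_SCOPE = {("GET", "/v1/talks"): "read", ("POST", "/v1/talks"): "write"}


def parse_authorization(header):
    """Accept 'OAuth <token>' (as on the slide) or 'Bearer <token>' (RFC 6750); anything else is None."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("oauth", "bearer"):
        return None
    return parts[1].strip()


def lookup_token(token):
    """Compare against every stored token in constant time, so timing does not leak matching prefixes."""
    found = None
    for candidate, record in TOKENS.items():
        if hmac.compare_digest(candidate, token):
            found = record
    return found


def authorize_request(method, path, headers):
    """Return (status, body) for a resource request carrying an access token."""
    token = parse_authorization(headers.get("Authorization"))
    if token is None:
        return 401, {"error": "invalid_request", "www_authenticate": "OAuth"}
    record = lookup_token(token)
    if record is None or record["expires"] < time.time():
        # Expired or unknown: the consumer should use its refresh token (slide 33) and retry
        return 401, {"error": "invalid_token"}
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, {"error": "not_found"}
    if needed not in record["scope"]:
        # The user accepted 'read' only: a write with this token is refused, whoever presents it
        return 403, {"error": "insufficient_scope", "scope": needed}
    return 200, {"user": record["user"], "resource": path}
```

Everything after `authorize_request` returns 200 is ordinary web API code, which is the point of slide 32: the token check is a filter in front of the resource, not a change to the resource itself.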
Slide 36: HTTPS (a vital OAuth2 ingredient)

Slide 37: HTTPS
HTTPS is HTTP over SSL/TLS (Secure Socket Layer / Transport Layer Security)
Basically, we encrypt the pipe!

Slide 38: OAuth 1

Slide 39: About OAuth 1
In a nutshell:
 • Had its own encryption: needed a library/extension
 • Involved many steps, therefore many request/response roundtrips
   • leading to the phrase ’oauth dance’
 • Solved exactly the same problem
 • Had a single oauth endpoint

Slide 40: OAuth 1 Process
 • Step 0: Register as a consumer
 • Step 1: Get a request token
 • Step 2: Send the user to authenticate
 • Step 3: Swap their verification for an access token
 • Step 4: Consume data
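The "own encryption" of slide 39 is what OAuth 2 replaced with HTTPS: in OAuth 1 every request (including each step of the dance on slide 40) carries an HMAC-SHA1 signature over a canonical form of the request, computed with the consumer secret and token secret, so it can travel over plain HTTP without the secrets doing so. The signing and verifying code below follows the RFC 5849 construction and is an added example, not code from the talk or from any library; the consumer key, secrets, URL and query parameters are constructed. It is the part that the slides say you would normally get from a library or the PECL extension.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding: only unreserved characters are left as they are."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query and fragment removed."""
    p = urlsplit(url)
    host = p.hostname
    default = (p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)
    if p.port and not default:
        host += ":%d" % p.port
    return "%s://%s%s" % (p.scheme.lower(), host, p.path)


def signature_base_string(method, url, params):
    """METHOD & enc(uri) & enc(normalised params).

    params holds every query, form and oauth_* parameter as (key, value) pairs;
    oauth_signature itself is excluded, and pairs are sorted after encoding.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalised = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the received request and compare in constant time."""
    given = dict(params).get("oauth_signature", "")
    return hmac.compare_digest(given, sign(method, url, params, consumer_secret, token_secret))


def signed_request(method, url, query, consumer_key, consumer_secret, token="", token_secret=""):
    """Build the parameter set for one request (step 4 of the dance: consuming data)."""
    oauth = [("oauth_consumer_key", consumer_key), ("oauth_nonce", secrets.token_hex(8)),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(int(time.time()))),
             ("oauth_version", "1.0")]
    if token:
        oauth.append(("oauth_token", token))
    params = list(query) + oauth
    params.append(("oauth_signature", sign(method, url, params, consumer_secret, token_secret)))
    return params
```

Two things in this code explain the overhead the slides complain about: every parameter of every request has to be canonicalised identically on both ends (a single encoding difference breaks the signature), and the server must also track nonce and timestamp per consumer to stop a captured signed request being replayed.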
Slide 41: OAuth Today

Slide 42: OAuth Today
 • New project? Use OAuth 2
 • OAuth 1 is complicated and needs PECL extension
 • OAuth 2 requires SSL, and decision-making

Slide 43: Resources and Further Reading
 • OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2
 • Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/
 • Images from http://thenounproject.org

Slide 44: Thanks!

Slide 45: Thanks
https://joind.in/6232 • @lornajane • http://lornajane.net