OAuth 2.0 - Assaf Arkin (Wednesday, July 27, 11)

Assaf Arkin, Flowtown

You're building an API and the question comes up: how do you let client applications authenticate against it? Giving a username/password to third-party client applications is a security anti-pattern. You don't want to do that. API keys are better, but confusing for the average user. So we're going to look at solving that with OAuth 2.0.

If you used Facebook Connect to allow a non-Facebook application restricted access to your Facebook account, you've used OAuth 2.0. Let's talk about what OAuth 2.0 is, how it works, and how to add support to your application/API. We'll cover authentication flows for Web apps, mobile, desktop and even command-line tools, and talk about access control patterns that are based, not on users and roles, but client applications and requested access scopes.

This talk will cover rack-oauth2-server, an open source OAuth 2.0 Authorization Server module:

https://github.com/flowtown/rack-oauth2-server


OAuth 2.0 - Assaf Arkin

  1. OAuth 2.0, Assaf Arkin (Wednesday, July 27, 11)
  4. OWNED!!!
  9. Simple to connect a new application. No giving out the password. Authorize limited permissions. Revoke individual client applications.
  10. Each access token is tied to an end-user, a client application, a resource and a scope.
  13. OAuth 2.0 draft 10: OAuth scheme. OAuth 2.0 draft 20: two extensions, Bearer Token and MAC Access Authentication. OAuth 1.0 is similar to 2.0 + MAC.
  15. Authorization code flow between the Client Application and the Authorization Server:
     - Client redirects the user to the authorization endpoint (Client ID, Redirect URI, Scope)
     - User authenticates
     - User grants the authorization request
     - Server redirects the user back to the application (Authorization code)
     - Client exchanges the access grant for an access token (Client ID, Redirect URI)
     - Server grants the access token (Access token, w/ optional Refresh token); client stores it in a safe place
     - Client accesses the protected resource (Access token)
  17. 1. Authenticate 2. Verify application 3. Verify scope 4. Authorize
  26. Desktop/mobile applications open an in-app browser (e.g. UIWebView). Command-line tools can open <url>; the final page asks the user to copy & paste the access token. High-trust applications can exchange username/password for an access token.
  27. Client applications should not ask users for their password. OAuth provides an alternative flow that balances convenience and security. It can support Web applications, desktop and mobile, even command-line tools.
  28. Not complicated or terribly hard; existing tools help a lot. First time you might trip and fall, some new concepts to wrap your head around. Almost one year in, ongoing maintenance cost has been zero for us.
  29. follow me @assaf http://labnotes.org

  (Slides 2-3, 5-8, 11-12, 14, 16 and 18-25 carry no text.)
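The code flow on slide 15 and the token binding on slide 10, as an added Ruby example: a toy authorization server that issues a single-use, short-lived code bound to the user, client, redirect URI and scope, exchanges it only when the client presents the same client ID and redirect URI, and hands the resource server a token that carries its scope. This is illustration code written for this page, not rack-oauth2-server's API; the class name, the 60-second code lifetime and the error strings are assumptions.

```ruby
require 'securerandom'

# Toy authorization server for the code flow on slide 15 (example only; not
# rack-oauth2-server's API). Codes are single-use and short-lived; tokens are
# tied to a user, a client and a scope, as slide 10 describes.
class ToyAuthServer
  CODE_TTL = 60 # seconds a code stays valid (assumed value)
  def initialize
    @clients = {} # client_id => { secret:, redirect_uri: }
    @codes   = {} # code => pending grant
    @tokens  = {} # access token => { user:, client_id:, scope: }
  end
  def register_client(client_id, secret, redirect_uri)
    @clients[client_id] = { secret: secret, redirect_uri: redirect_uri }
  end
  # Slide 17 step 2: verify the application before the user is asked to grant.
  def authorization_request(client_id:, redirect_uri:, scope:)
    client = @clients[client_id]
    raise 'unknown client' unless client
    raise 'redirect_uri mismatch' unless client[:redirect_uri] == redirect_uri
    { client_id: client_id, redirect_uri: redirect_uri, scope: scope }
  end
  # The user has authenticated and granted the request: issue a code bound to it.
  def grant(request, user)
    code = SecureRandom.hex(16)
    @codes[code] = request.merge(user: user, expires_at: Time.now + CODE_TTL)
    code
  end
  # Exchange the code for a token; the client must present the same client_id
  # and redirect_uri it used in the authorization request.
  def exchange(code:, client_id:, client_secret:, redirect_uri:)
    pending = @codes.delete(code) # single use: gone even if the exchange fails
    client = @clients[client_id]
    raise 'invalid code' unless pending && pending[:expires_at] > Time.now
    raise 'invalid client' unless client && client[:secret] == client_secret
    raise 'client mismatch' unless pending[:client_id] == client_id
    raise 'redirect_uri mismatch' unless pending[:redirect_uri] == redirect_uri
    token = SecureRandom.hex(16)
    @tokens[token] = { user: pending[:user], client_id: client_id, scope: pending[:scope] }
    token
  end
  # Resource server side: the token must exist and carry the required scope.
  def authorize(token, required_scope)
    t = @tokens[token]
    t && t[:scope].include?(required_scope) ? t : nil
  end
end
```

A real server would compare the client secret in constant time and persist codes and tokens instead of keeping them in memory; the checks themselves are the point here.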