OAuth 2.0 - Assaf Arkin

Assaf Arkin, Flowtown
You're building an API and the question comes up: how do you let client applications authenticate against it? Handing a username/password to third-party client applications is a security anti-pattern. You don't want to do that. API keys are better, but confusing for the average user. So we're going to look at solving that with OAuth 2.0.

If you used Facebook Connect to allow a non-Facebook application restricted access to your Facebook account, you've used OAuth 2.0. Let's talk about what OAuth 2.0 is, how it works, and how to add support to your application/API. We'll cover authentication flows for Web apps, mobile, desktop and even command-line tools, and talk about access control patterns that are based, not on users and roles, but client applications and requested access scopes.

This talk will cover rack-oauth2-server, an open source OAuth 2.0 Authorization Server module:

https://github.com/flowtown/rack-oauth2-server


    Presentation Transcript

    • OAuth 2.0, Assaf Arkin (Wednesday, July 27, 11)
    • OWNED!!!
    • Simple to connect a new application. No giving out your password. Authorize limited permissions. Revoke an individual client application.
    • Each access token is tied to an end-user, a client application, a resource and a scope.
    • OAuth 2.0 draft 10: OAuth scheme. OAuth 2.0 draft 20: two extensions, Bearer Token and MAC Access Authentication. OAuth 1.0 is similar to 2.0 + MAC.
    • Authorization code flow, Client Application on the left and Authorization Server on the right:
      Client: Redirect user to authorization endpoint (Client ID, Redirect URI, Scope)
      Server: User authenticates; user grants authorization request
      Server: Redirect user back to application (Authorization code)
      Client: Exchange access grant for access token (Client ID, Redirect URI)
      Server: Grant access token (Access token, w/ optional Refresh token)
      Client: Store in safe place
      Client: Access resource (Access token)
      Protected resource: Access token
    • 1. Authenticate 2. Verify application 3. Verify scope 4. Authorize
    • Desktop/mobile applications open an in-app browser (e.g. UIWebView). Command line can open <url>; the final page asks the user to copy & paste the access token. High trust applications can exchange username/password for an access token.
    • Client applications should not ask users for their password. OAuth provides an alternative flow that balances convenience and security. It can support Web applications, desktop and mobile, even command line tools.
    • Not complicated or terribly hard; existing tools help a lot. The first time you might trip and fall, some new concepts to wrap your head around. Almost one year in, ongoing maintenance cost has been zero for us.
    • follow me @assaf http://labnotes.org
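The authorization code flow and the server's four checks (authenticate, verify application, verify scope, authorize) from the slides, as an added Ruby illustration that is not code from rack-oauth2-server or the talk. The class name, the in-memory stores, the 10-minute code lifetime and the sample client are all constructed for this example.

```ruby
require 'securerandom'

# Added illustration (not rack-oauth2-server code): the slides' authorization
# code flow, reduced to an in-memory authorization server.
class AuthServer
  Client = Struct.new(:id, :redirect_uri, :scopes)
  Token  = Struct.new(:user, :client_id, :scope, :revoked)

  def initialize
    @clients = {} # client_id => Client (constructed registration store)
    @codes   = {} # code => [user, client_id, redirect_uri, scope, expires_at]
    @tokens  = {} # access_token => Token
  end

  def register(id, redirect_uri, scopes)
    @clients[id] = Client.new(id, redirect_uri, scopes)
  end

  # Server steps 2-4: verify application, verify scope, authorize. Step 1
  # (authenticating the end-user) is assumed to have produced `user`.
  def authorize(user, client_id, redirect_uri, scope)
    client = @clients[client_id] or raise 'unknown client'
    raise 'redirect_uri mismatch' unless client.redirect_uri == redirect_uri
    raise 'scope not allowed' unless (scope - client.scopes).empty?
    code = SecureRandom.hex(16)
    @codes[code] = [user, client_id, redirect_uri, scope, Time.now + 600]
    code # handed to the client by redirecting the user back to redirect_uri
  end

  # Exchange the single-use, short-lived code for an access token that is
  # bound to the end-user, the client application and the granted scope.
  def exchange(code, client_id, redirect_uri)
    user, cid, uri, scope, expires = @codes.delete(code)
    raise 'invalid code' unless user && cid == client_id && uri == redirect_uri
    raise 'code expired' if Time.now > expires
    token = SecureRandom.hex(16)
    @tokens[token] = Token.new(user, client_id, scope, false)
    token
  end

  # Protected resource check: the token must exist, not be revoked, and
  # carry the scope the resource requires.
  def allowed?(token, required_scope)
    t = @tokens[token]
    !!t && !t.revoked && t.scope.include?(required_scope)
  end

  # "Revoke individual client application": invalidate all of its tokens.
  def revoke_client(client_id)
    @tokens.each_value { |t| t.revoked = true if t.client_id == client_id }
  end
end
```

A second exchange of the same code, or an authorize call with a redirect URI that differs from the registered one, raises rather than issuing anything.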