OAuth 2.0 - Assaf Arkin
Assaf Arkin, Flowtown

You're building an API and the question comes up: how do you let client applications authenticate against it? Giving your username/password to third-party client applications is a security anti-pattern; you don't want to do that. API keys are better, but confusing for the average user. So we're going to look at solving that with OAuth 2.0.

If you've used Facebook Connect to allow a non-Facebook application restricted access to your Facebook account, you've used OAuth 2.0. Let's talk about what OAuth 2.0 is, how it works, and how to add support to your application/API. We'll cover authentication flows for Web apps, mobile, desktop and even command-line tools, and talk about access control patterns that are based not on users and roles, but on client applications and requested access scopes.

This talk will cover rack-oauth2-server, an open source OAuth 2.0 Authorization Server module:

https://github.com/flowtown/rack-oauth2-server


Transcript

  • 1. OAuth 2.0 - Assaf Arkin (Wednesday, July 27, 11)
  • 4. OWNED!!!
  • 9. Simple to connect a new application. No giving password. Authorize limited permissions. Revoke individual client application.
  • 10. Each access token is tied to an end-user, a client application, a resource and a scope.
  • 13. OAuth 2.0 draft 10: OAuth scheme. OAuth 2.0 draft 20: two extensions, Bearer Token and MAC Access Authentication. OAuth 1.0: similar to 2.0 + MAC.
  • 15. Sequence between Client Application and Authorization Server:
      • Client Application: redirect user to authorization endpoint (Client ID, Redirect URI, Scope)
      • Authorization Server: user authenticates; user grants authorization request; redirect user back to application (Authorization code)
      • Client Application: exchange access grant for access token (Client ID, Redirect URI)
      • Authorization Server: grant access token (Access token, w/optional Refresh token)
      • Client Application: store in safe place; access resource (Access token)
      • Protected resource
  • 17. 1. Authenticate 2. Verify application 3. Verify scope 4. Authorize
  • 26. Desktop/mobile applications open an in-app browser (e.g. UIWebView). Command line can open <url>; final page asks user to copy & paste access token. High-trust applications can exchange username/password for access token.
  • 27. Client applications should not ask users for their password. OAuth provides an alternative flow that balances convenience and security. It can support Web applications, desktop and mobile, even command line tools.
  • 28. Not complicated or terribly hard; existing tools help a lot. First time might trip and fall; some new concepts to wrap head around. Almost one year in, ongoing maintenance cost has been zero for us.
  • 29. follow me @assaf http://labnotes.org
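
The authorization code flow from slides 15 and 17, with the token binding from slide 10 and per-application revocation from slide 9, as an added Ruby example; this is illustration code, not rack-oauth2-server's, and the client registry, user names, scopes and redirect URIs it uses are constructed.

```ruby
require 'securerandom'
# In-memory OAuth 2.0 authorization server for the authorization-code flow
# (slides 10, 15, 17). Added illustration, not rack-oauth2-server's code.
class AuthServer
  Client = Struct.new(:id, :secret, :redirect_uri, :scopes)
  def initialize
    @clients = {} # client_id => Client (registered out of band)
    @codes   = {} # authorization code => grant details
    @tokens  = {} # access token => { user:, client_id:, scope: }
  end

  def register(id, secret, redirect_uri, scopes)
    @clients[id] = Client.new(id, secret, redirect_uri, scopes)
  end

  # Slide 17, after the user has authenticated: verify application, verify
  # scope, then authorize. Returns the code the user is redirected back with.
  def authorize(user, client_id, redirect_uri, scope)
    client = @clients[client_id] or raise ArgumentError, 'unknown client'
    raise ArgumentError, 'redirect_uri mismatch' unless client.redirect_uri == redirect_uri
    raise ArgumentError, 'scope not allowed' unless (scope - client.scopes).empty?
    code = SecureRandom.hex(16)
    @codes[code] = { user: user, client_id: client_id, redirect_uri: redirect_uri, scope: scope }
    code
  end

  # Slide 15: exchange the access grant for an access token. The code is
  # single-use and bound to the client and redirect URI that obtained it.
  def exchange(code, client_id, client_secret, redirect_uri)
    grant  = @codes.delete(code) or raise ArgumentError, 'invalid or used code'
    client = @clients[client_id]
    ok = client && client.secret == client_secret &&
         grant[:client_id] == client_id && grant[:redirect_uri] == redirect_uri
    raise ArgumentError, 'client authentication failed' unless ok
    token = SecureRandom.hex(32)
    @tokens[token] = { user: grant[:user], client_id: client_id, scope: grant[:scope] }
    token
  end

  # Slide 10: token is tied to user, client and scope; returns the user or nil.
  def access(token, needed_scope)
    t = @tokens[token]
    t && t[:scope].include?(needed_scope) ? t[:user] : nil
  end

  # Slide 9: revoke an individual client application for this user.
  def revoke_client(user, client_id)
    @tokens.delete_if { |_, t| t[:user] == user && t[:client_id] == client_id }
  end
end
```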
