The Present Future of OAuth

An exploration into the past, present and future of the OAuth protocol.

Published in Technology, Design
Transcript

  • 1. OAUTH
  • 2. MICHAEL BLEIGH PRESENTS THE PRESENT FUTURE OF OAUTH with drawings
  • 3. PROLOGUE
  • 4. MY NAME IS MICHAEL BLEIGH
  • 5. I WORK AT INTRIDEA
  • 6. ON TWITTER @MBLEIGH
  • 7. “HEY, WOULD ANYONE BE INTERESTED IN GIVING A TALK ABOUT OAUTH AT RAILSCONF?”
  • 8. “NO WAY, I MIGHT FALL ASLEEP WHILE SPEAKING”
  • 9. “HMM...I’D BETTER ADD SOME DRAWINGS.”
  • 10. THIS TALK IS ABOUT OPEN WEB STANDARDS
  • 11. ACT I IN WHICH THE PROBLEM IS DESCRIBED
  • 12. IN THE BEGINNING, THERE WERE WEB APPS
  • 13. WEB APP
  • 15. WEB APP A, WEB APP B
  • 16. “HEY, MY USERS WANT TO ACCESS YOUR STUFF.” WEB APP A, WEB APP B
  • 17. WEB APP A, WEB APP B + API
  • 18. HTTP BASIC
  • 19. http://user:password@... Authorization: Basic dXNlcjpwYXNzd29yZA==
  • 20. OK, HERE’S THE KEYS. WEB APP A, WEB APP B + API
  • 21. WEB APP A, WEB APP B + API
  • 23. FUBAR FAILED USER BAR FOR AUTHORIZATION ROBUSTNESS *COUGH*
  • 24. THIS IS A PROBLEM
  • 25. ACT 2 IN WHICH A NEW WAY IS CREATED
  • 26. CHRIS MESSINA BLAINE COOK LARRY HALFF DAVID RECORDON
  • 27. “HEY, WOULDN’T IT BE GREAT TO HAVE AN OPEN AUTHORIZATION STANDARD”
  • 28. “TOTALLY, LET’S MAKE ONE AND CALL IT OAUTH.”
  • 29. FOOTAGE MISSING
  • 30. WEB APP A, WEB APP B
  • 32. “HEY, MY USER WANTS TO ACCESS YOUR STUFF.” WEB APP A, WEB APP B
  • 33. WEB APP A, WEB APP B
  • 35. “WHAT’S YOUR PASSWORD?” “PASSWORD” WEB APP A, WEB APP B
  • 36. WEB APP A, WEB APP B
  • 38. ADVANTAGES
  • 39. 1. SECURE
  • 40. 2. RESTRICTABLE “DELETE ALL USER DATA” “UMMM....NO” WEB APP A, WEB APP B
  • 41. 3. REVOCABLE WEB APP B
  • 42. 4. STANDARD WEB APP A, WEB APP C, WEB APP D, WEB APP E, WEB APP F
  • 43. NOT QUITE PERFECT
  • 44. 1. COMPLICATED “OK, SO IT’S FIST BUMP, DOUBLE-HIGH FIVE...” WEB APP A “NO NO, FIRST YOU REVERSE LOW FIVE...” WEB APP B
  • 45. 2. BROWSER-DEPENDENT ?
  • 47. WE CAN DO BETTER
  • 48. ACT 3 IN WHICH WE LEARN FROM OUR MISTAKES
  • 49. OAUTH 2.0
  • 50. IMPROVEMENTS
  • 51. 1. SIMPLER WEB APP A < SSL > WEB APP B
  • 52. 2. FLOWS
  • 53. WEB SERVER WEB APP A, WEB APP B
  • 54. USER-AGENT WEB APP A
  • 55. DEVICE WEB APP A SET-TOPPER
  • 56. PASSWORD WEB APP A
  • 61. CLIENT CREDENTIALS WEB APP A, WEB APP B
  • 62. ASSERTION CERTIFICATE OF AUTHENTICITY WEB APP A, WEB APP B
  • 63. FLEXIBILITY
  • 64. ACT 4 IN WHICH WE GET DOWN TO BUSINESS
  • 65. WHO’S DOING IT RIGHT NOW?
  • 66. WHO WILL BE DOING IT SOON?
  • 67. WHO WILL BE DOING IT SOON? YOU
  • 68. CONSUMING OAUTH 2.0
  • 69. Gemfile, generator and routes:

```ruby
# Gemfile
gem 'oauth2'

# then generate the controller:
#   $ rails g controller oauth

# config/routes.rb: a singular resource whose two GET routes become
# start_oauth_url and callback_oauth_url
resource :oauth, :controller => 'oauth' do
  get :start
  get :callback
end
```

  • 70. The controller (oauth2 gem 0.x API of the time; later releases of the gem expose the same flow as client.auth_code.authorize_url / client.auth_code.get_token):

```ruby
class OauthController < ApplicationController
  # Step 1: send the user to GitHub's authorization page, asking for the 'user' scope.
  def start
    redirect_to client.web_server.authorize_url(
      :redirect_uri => callback_oauth_url(:format => 'json'),
      :scope        => 'user'
    )
  end

  # Step 2: GitHub redirects back with ?code=...; exchange the code for an access token.
  # Note: no 'state' parameter is sent in start or checked here, so nothing ties this
  # callback to the session that began the flow; the OAuth 2.0 spec defines 'state'
  # for exactly that purpose.
  def callback
    access_token = client.web_server.get_access_token(
      params[:code],
      :redirect_uri => callback_oauth_url(:format => 'json')
    )
    # you should store the access token info now.
    render :json => access_token.get('/api/v2/json/user/show')
  end

  protected

  def client
    @client ||= OAuth2::Client.new(
      '296e901b0e6ab74db167',                     # client id as shown on the slide
      '625fe65c7f74ee4a015d121efb011a45776d510d', # client secret as shown on the slide;
                                                  # real code loads this from configuration
                                                  # and never commits it
      :site              => 'https://github.com',
      :authorize_path    => '/login/oauth/authorize',
      :access_token_path => '/login/oauth/access_token'
    )
  end
end
```
  • 71. PROVIDING OAUTH 2.0
  • 72. READ THE SPEC http://bit.ly/oauth2-spec
  • 73. NO SERIOUSLY, READ THE SPEC http://bit.ly/oauth2-spec
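Slide 44's "complicated" is the request signing OAuth 1.0 required on every API call, the dance that OAuth 2.0's bearer token over SSL (slide 51) replaced. As an added example that is not part of the talk, the Ruby below implements that HMAC-SHA1 signing on the client side and the matching verification on the provider side. The module name OAuth1Signer and the helper function names are this example's own; the inputs are the Appendix A test vector from the OAuth Core 1.0 specification (the photos.example.net request with consumer key dpf43f3p2l4k3l03), so the base string and signature can be checked against the spec.

```ruby
require 'openssl'
require 'uri'

# Added example (not from the talk): the per-request HMAC-SHA1 signature an
# OAuth 1.0 client had to compute, and the provider-side check of it.
module OAuth1Signer
  module_function

  # Percent-encode with the unreserved set OAuth 1.0 mandates (RFC 3986:
  # A-Z a-z 0-9 - . _ ~); every other byte, space included, becomes %XX.
  def encode(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # Base string URI: lower-case scheme and host, default port dropped, query removed.
  def base_uri(url)
    u = URI.parse(url)
    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme.downcase}://#{u.host.downcase}#{port}#{u.path}"
  end

  # Signature base string: METHOD & enc(base URI) & enc(sorted "k=v" pairs joined by &).
  # oauth_signature itself is never part of the string it signs.
  def signature_base_string(method, url, params)
    pairs = params.reject { |k, _| k == 'oauth_signature' }
                  .map { |k, v| [encode(k), encode(v)] }.sort
    normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
    "#{method.upcase}&#{encode(base_uri(url))}&#{encode(normalized)}"
  end

  # Client side: HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
  def sign(method, url, params, consumer_secret, token_secret)
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, signature_base_string(method, url, params))].pack('m0')
  end

  # Provider side: recompute from the received parameters and compare in constant
  # time, so a forged signature cannot be guessed byte by byte through timing.
  def valid?(method, url, params, consumer_secret, token_secret)
    presented = params['oauth_signature']
    return false unless presented
    expected = sign(method, url, params, consumer_secret, token_secret)
    return false unless presented.bytesize == expected.bytesize
    presented.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Test vector from OAuth Core 1.0, Appendix A (the example photo request).
SPEC_URL    = 'http://photos.example.net/photos'
SPEC_PARAMS = {
  'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
  'oauth_token'            => 'nnch734d00sl2jdk',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp'        => '1191242096',
  'oauth_nonce'            => 'kllo9940pd9333jh',
  'oauth_version'          => '1.0',
  'file'                   => 'vacation.jpg',
  'size'                   => 'original'
}.freeze
CONSUMER_SECRET = 'kd94hf93k423kf44'
TOKEN_SECRET    = 'pfkkdhi9sl3r4s00'

def spec_vector_signature
  OAuth1Signer.sign('GET', SPEC_URL, SPEC_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
end

# The provider accepts the genuine request and rejects one whose query was tampered with.
def verification_outcomes
  signed   = SPEC_PARAMS.merge('oauth_signature' => spec_vector_signature)
  tampered = signed.merge('size' => 'large')
  [OAuth1Signer.valid?('GET', SPEC_URL, signed, CONSUMER_SECRET, TOKEN_SECRET),
   OAuth1Signer.valid?('GET', SPEC_URL, tampered, CONSUMER_SECRET, TOKEN_SECRET)]
end

if __FILE__ == $PROGRAM_NAME
  puts OAuth1Signer.signature_base_string('GET', SPEC_URL, SPEC_PARAMS)
  puts spec_vector_signature
  p verification_outcomes
end
```

Every detail here (encoding set, sort order, base-string layout, key construction, nonce and timestamp bookkeeping) had to match between client and provider or the request failed, which is the "fist bump, double-high five" of slide 44; a 2.0 client on TLS sends the bearer token and nothing else.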
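Slides 53 and 69/70 show the web-server flow from the consuming side, and slide 71 asks you to provide it. The Ruby below, added here and not code from the talk, runs both sides of that flow in one process without Rails: DemoAuthServer (the "WEB APP B" that authorizes and serves the API) and DemoClient (the "WEB APP A" that plays the part of OauthController) are this example's own names, and the client ids, secrets, redirect URIs and user name are constructed. It shows the checks a provider must make on the code and the token (the slide 40 "restrictable" scope check and slide 41 "revocable" token), and the one check the gem-based controller in slide 70 leaves out on the client side: a state value that binds the callback to the session that started the flow.

```ruby
require 'securerandom'
require 'uri'

# Added example, not code from the talk: both halves of the OAuth 2.0
# authorization-code ("web server") flow in one process. Class names, ids,
# secrets and URLs are this example's own inventions.
class DemoAuthServer
  CODE_TTL = 60 # seconds an authorization code stays exchangeable

  def initialize(clock: -> { Time.now })
    @clock   = clock
    @clients = {} # client_id => { secret:, redirect_uri: }
    @codes   = {} # code => the grant it stands for; deleted on first use
    @tokens  = {} # access_token => { scope:, user: }
  end

  def register(client_id, secret, redirect_uri)
    @clients[client_id] = { secret: secret, redirect_uri: redirect_uri }
  end

  # Authorization endpoint, after the resource owner clicked "allow": issue a
  # short-lived code bound to the client and the exact redirect_uri requested,
  # and echo the client's state back unchanged.
  def authorize(client_id:, redirect_uri:, scope:, state:, user:)
    client = @clients[client_id]
    raise ArgumentError, 'unknown client' unless client
    raise ArgumentError, 'redirect_uri mismatch' unless client[:redirect_uri] == redirect_uri
    code = SecureRandom.urlsafe_base64(24)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, scope: scope,
                     user: user, expires: @clock.call + CODE_TTL }
    "#{redirect_uri}?code=#{code}&state=#{URI.encode_www_form_component(state)}"
  end

  # Token endpoint: authenticate the client, then accept the code exactly once,
  # only from the client and redirect_uri it was issued to, and only before expiry.
  def token(client_id:, client_secret:, code:, redirect_uri:)
    client = @clients[client_id]
    return { error: 'invalid_client' } unless client && secure_equal?(client[:secret], client_secret)
    grant = @codes.delete(code) # consumed now, whether or not the checks below pass
    ok = grant && grant[:client_id] == client_id &&
         grant[:redirect_uri] == redirect_uri && grant[:expires] > @clock.call
    return { error: 'invalid_grant' } unless ok
    access_token = SecureRandom.urlsafe_base64(32)
    @tokens[access_token] = { scope: grant[:scope], user: grant[:user] }
    { access_token: access_token, token_type: 'bearer', scope: grant[:scope] }
  end

  # Protected resource (the talk's user/show): bearer token must exist and carry 'user'.
  def user_show(access_token)
    t = @tokens[access_token]
    return { error: 'invalid_token' } unless t
    return { error: 'insufficient_scope' } unless t[:scope].split.include?('user')
    { login: t[:user] }
  end

  # "Revocable": the user cuts off app A without changing any password.
  def revoke(access_token)
    @tokens.delete(access_token)
  end

  private

  # Constant-time comparison so the secret check does not leak through timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class DemoClient
  def initialize(server, client_id, client_secret, redirect_uri)
    @server, @id, @secret, @redirect_uri = server, client_id, client_secret, redirect_uri
  end

  # /oauth/start: mint a state nonce, keep it in the session, send it along.
  def start(session)
    session[:oauth_state] = SecureRandom.hex(16)
    { redirect_uri: @redirect_uri, scope: 'user', state: session[:oauth_state] }
  end

  # /oauth/callback: refuse unless state matches the session, then exchange the code.
  def callback(session, query)
    params   = URI.decode_www_form(query).to_h
    expected = session.delete(:oauth_state)
    return { error: 'state_mismatch' } unless expected && params['state'] == expected
    @server.token(client_id: @id, client_secret: @secret,
                  code: params['code'], redirect_uri: @redirect_uri)
  end
end

# One full exchange plus the failure cases: replayed code, forged callback, revoked token.
def run_demo
  cb      = 'https://app-a.example/oauth/callback'
  server  = DemoAuthServer.new
  server.register('app-a', 'app-a-secret', cb)
  client  = DemoClient.new(server, 'app-a', 'app-a-secret', cb)
  session = {}
  query   = URI.parse(server.authorize(client_id: 'app-a', user: 'alice', **client.start(session))).query
  token   = client.callback(session, query)
  profile = server.user_show(token[:access_token])
  code    = URI.decode_www_form(query).to_h['code']
  replay  = server.token(client_id: 'app-a', client_secret: 'app-a-secret', code: code, redirect_uri: cb)
  forged  = client.callback({}, query) # a callback for a flow this session never started
  server.revoke(token[:access_token])
  { profile: profile, replay: replay, forged: forged, after_revoke: server.user_show(token[:access_token]) }
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

The clock is injected so code expiry can be exercised without sleeping; a real provider would persist codes and tokens and key the state on the user's session cookie exactly as DemoClient does with its session hash.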