• Like
OAuth Tokens
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


null Bangalore Chapter - March 2014 Meet

null Bangalore Chapter - March 2014 Meet

Published in Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. OAuth Tokens By Vindhya N
  • 2. Contents
  • 3. Understanding REST A Web service is a software system designed to support inter- operable, machine-to-machine interaction over a network. In layman terms they are the calls made by the application to a service present on the web to perform the specified actions. Two major web services: 1. REST compliant Web services, in which the primary purpose of the service is to manipulate XML representations of Web resources using a uniform set of stateless operations 2. Arbitrary Web services, in which the service may expose an arbitrary set of operations
  • 4. REST Web Service Rest is a stateless architecture which uses a client- server, cacheable communication protocol HTTP. It is an Application Programming Interface (API) which performs all the functions using HTTP methods.
  • 5. Why OAuth is Required? Consider a 3rd party application, like a gaming app in facebook. To login to the app, you don’t want to give your facebook password. Neither you can access the application directly So in this case, there should be an authorisation process from facebook to authorize the 3rd Party app. The authorisation is done by oAuth
  • 6. Types of authorisation 1. Open ID: De-centralized Single Sign-on for the Web 2. Basic Authentication 3. Session based 4. OAuth
  • 7. What is OAuth? OAuth is a simple and secure delegation protocol to access resources on behalf of a user without requiring them to share passwords. It is an authorization mechanism Provides a single point of authentication for multiple services Helps in integrating an application with an existing authentication service.
  • 8. OAuth Jargons Client -> 3rd Party Application Resource owner -> User (You) Authorisation Server -> Application you have logged in (Facebook, twitter) Resource Server -> Server that has data
  • 9. OAuth Mechanisms 1.Authorisation 2.Implicit Grant 3.Resource owner password credentials 4.Client Credentials Grant
  • 10. Securing OAuth 1. Should be patched for all web application security vulnerabilities 2. Encrypt all OAuth credentials 3. OAuth token should be random 4. Signed with HMAC 5. Short lived 6. Generate verifiable consumer keys
  • 11. References • https://developers.google.com/accounts/docs/OAuth2 • http://docs.oracle.com/cd/E39820_01/doc.11121/gatewa y_docs/content/oauth_flows.html • https://www.greendizer.com/docs/api/oauth/#flow_code • https://www.youtube.com/watch?v=tFYrq3d54Dc
  • 12. Thank You