OAuth 2.0 in Depth      By Rohit Ghatol   Director @ SynerzipPassionate about TechNext
Why study about OAuth?
Do you care about these or                    Similar Sites?Reference - http://rainbowseo.com/wp-content/uploads/2012/06/s...
Http Access                                      Facebook Browser                   LinkedIn                              ...
7155 APIs listed onhttp://ProgrammableWeb.com
390 APIs on http://ProgrammableWeb.com              support OAuth
Security                      Closed              ClosedAuthentication                 Authorization
OAuth In a Nut Shell          Can I have your        Debit Card and ATM                Pin?
OAuth In a Nut Shell         Can I have your          Credit Card?
OAuth Practical ExampleDisclaimer before you read ahead:All product names and people names used inthe following slides are...
Without OAuth
Without OAuth
Without OAuth
Lets Start Again
With OAuth
With OAuth    URL changed to             http://picasa.com
URL isWith OAuth   http://picasa.com
URL changed toWith OAuth   http://picasa.com with                code parameter
With OAuth
OAuth 2.0 Flow in Depth
Scenario             Wants to integrate with Google  BOB                  Services e.g Picasa Owns                        ...
Authorization                                   Roles                  Server                      Wants to integrate with...
Authorization                                   Roles                  Server                      Wants to integrate with...
Authorization                      Client Registration               Server                         Client Registers with ...
OAuth Flows/Grant Types•   Authorization Code Grant•   Implicit Grant•   Resource Owner Password Credentials Grant•   Clie...
Step 1 – Get Authorization Grant
Authorization Request                          Authorization GrantURL used ishttp://picasa.com/?client_id=photo-fast &scop...
Authorization GrantAuthorization Grant      Code = ase34
Authorization Request             Client_Id=print-fast             Redirect_url = http://print-fast.com             Scope=...
Step 2 – Exchange for Access            Token
Authorization               Client                                Code = ase34              Server                        ...
Resource                                       Owner              Authorization Grant                   David             ...
Step 3 – Access Protected        Resources
Authorization               Client                        Code = ase34                     Server                        C...
Resource                                                              Owner                                               ...
Complete Flow at Once
Authorization Request                                   Resource          Authorization Grant       Owner          Authori...
With Refresh Token
Access Grant & Client Credentials              Access Token & Refresh Token            Access Token         Protected Reso...
OAuth Flows/Grant Types•   Authorization Code Grant•   Implicit Grant•   Resource Owner Password Credentials Grant•   Clie...
Step 1 – Get Access Token
Implicit Grant Request                            Implicit GrantURL used ishttp://picasa.com/?client_id=photo-fast &scope=...
Access token = x3e4Implicit Grant
Implicit Grant Request             Client_Id=print-fast             Redirect_url = http://print-fast.com             Scope...
Step 2 – Access Protected        Resources
http://picasa.com/..../usr133/photosaccess_token = x3e4 *“http://…/DSC34.jpg”,   Picasa “http://…/DSC44.jpg”, “http://…/DS...
Resource                                                        Owner                                                     ...
Complete Flow at Once
Authorization Request                                 Resource             Access Token         OwnerClient             Ac...
OAuth Flows/Grant Types•   Authorization Code Grant•   Implicit Grant•   Resource Owner Password Credentials Grant•   Clie...
Davi               dResource Owner      Username/Pas          sword                     Resource Owner Credentials & Clien...
Use Cases• Strong Trust between Resource Owner and  Client e.g Operating System or Privileged App• Client is not supposed ...
Grant Types•   Authorization Code Grant•   Implicit Grant•   Resource Owner Password Credentials Grant•   Client Credentia...
Client Credentials         Access Token with Optional Refresh Token   Authorization                                       ...
Use case• The Data accessed is not owned by Resource  Owner, but by the Client• Say Skype showing statistics of uptime of ...
Use case• There is contract already set between the  Client and the Authorization Server• E.g Google Apps Marketspace• An ...
OAuth from Mobile Device
Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
Disclaimer• Following slides are extracted from  http://www.slideshare.net/briandavidcampbe  ll/is-that-a-token-in-your-ph...
Cloud!              Request Authorization                                                                                T...
Cloud!  Authenticate and Approve                                                                                         T...
Cloud!              Approve                                                                                              T...
Cloud!              Handle Callback                                                                                       ...
Cloud!              Handle Callback (cont’d)                                                                              ...
Cloud!                    Handle Callback (cont’d)                                                                        ...
Cloud!              Trade Code for Token(s)                                                                              T...
Cloud!              Using an Access Token                                                                                T...
Pros and Cons• Pros                          • Cons  – User may be already           – Complicated Custom URI    logged in...
Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
Pros and Cons• Pros                        • Cons  – Easier to monitor pages     – May not appeal since    and extract    ...
Reference•   Book – Getting Started with OAuth 2.0•   Facebook Documentation•   Google Documentation•   Brian David Campbe...
OAuth 2.0  Simplified
OAuth 2.0  Simplified
Upcoming SlideShare
Loading in...5
×

OAuth 2.0 Simplified

20,473

Published on

OAuth 2.0 Flows explained with mock examples

Published in: Technology
2 Comments
48 Likes
Statistics
Notes
  • Slide 18 should say 'changed back to printfast.com'...
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Many thanks Rohit! The way you had explained the concept is nice. Thanks for all the sketches!
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
20,473
On Slideshare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
643
Comments
2
Likes
48
Embeds 0
No embeds

No notes for slide

Transcript of "OAuth 2.0 Simplified"

  1. 1. OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipPassionate about TechNext
  2. 2. Why study about OAuth?
  3. 3. Do you care about these or Similar Sites?Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
  4. 4. Http Access Facebook Browser LinkedIn Foursquare Twitter Api AccessMashups
  5. 5. 7155 APIs listed onhttp://ProgrammableWeb.com
  6. 6. 390 APIs on http://ProgrammableWeb.com support OAuth
  7. 7. Security Closed ClosedAuthentication Authorization
  8. 8. OAuth In a Nut Shell Can I have your Debit Card and ATM Pin?
  9. 9. OAuth In a Nut Shell Can I have your Credit Card?
  10. 10. OAuth Practical ExampleDisclaimer before you read ahead:All product names and people names used inthe following slides are not entirely accurate.They are only placeholders to explain theconcept. None of that information shouldassumed to be correct or incorrect.
  11. 11. Without OAuth
  12. 12. Without OAuth
  13. 13. Without OAuth
  14. 14. Lets Start Again
  15. 15. With OAuth
  16. 16. With OAuth URL changed to http://picasa.com
  17. 17. URL isWith OAuth http://picasa.com
  18. 18. URL changed toWith OAuth http://picasa.com with code parameter
  19. 19. With OAuth
  20. 20. OAuth 2.0 Flow in Depth
  21. 21. Scenario Wants to integrate with Google BOB Services e.g Picasa Owns OwnsPrint-Fast Picasa
  22. 22. Authorization Roles Server Wants to integrate with Google BOB Services e.g Picasa Resource Owns Owns ServerClient Print-Fast Picasa
  23. 23. Authorization Roles Server Wants to integrate with Google BOB Services e.g Picasa Resource Owns Owns ServerClient Resource Owner Print-Fast Picasa David
  24. 24. Authorization Client Registration Server Client Registers with BOB Authorization Server Resource Owns Owns ServerClient Client_Id=print-fast Client_Secret=xxx Redirect_Url = Print-Fast http://print-fast.com Picasa
  25. 25. OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
  26. 26. Step 1 – Get Authorization Grant
  27. 27. Authorization Request Authorization GrantURL used ishttp://picasa.com/?client_id=photo-fast &scope=profile,email,photos&redirect_uri=http://print-fast.com&response_type=code
  28. 28. Authorization GrantAuthorization Grant Code = ase34
  29. 29. Authorization Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Resource Authorization Grant Owner David code = ase34 Authorization Client ServerPrint-Fast Resource Server Protocol Flow
  30. 30. Step 2 – Exchange for Access Token
  31. 31. Authorization Client Code = ase34 Server Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4code = ase34 access_token = x3e4
  32. 32. Resource Owner Authorization Grant David code = ase34 Client_Id=print-fast Client_Secret=xxx Authorization Client Access Token Server access_token= x3e4Print-Fast Resource Server Protocol Flow
  33. 33. Step 3 – Access Protected Resources
  34. 34. Authorization Client Code = ase34 Server Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4code = ase34 http://picasa.com/ ..../usr133/photos access_token = x3e4 *“http://…/DSC34.jpg”, Picasa “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
  35. 35. Resource Owner David Authorization Client ServerPrint-Fast Access Token Picasa access_token = x3e4 Resource Protected Resource Server *“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”+ Protocol Flow
  36. 36. Complete Flow at Once
  37. 37. Authorization Request Resource Authorization Grant Owner Authorization Grant AuthorizationClient Access Token Server Access Token Resource Protected Resource Server Protocol Flow
  38. 38. With Refresh Token
  39. 39. Access Grant & Client Credentials Access Token & Refresh Token Access Token Protected Resource Resource AuthorizationClient Access Token Server Server Invalid Token Error Refresh Token & Client Credentials Access Token & Optional Refresh Token Protocol Flow
  40. 40. OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
  41. 41. Step 1 – Get Access Token
  42. 42. Implicit Grant Request Implicit GrantURL used ishttp://picasa.com/?client_id=photo-fast &scope=profile,email,photos&redirect_uri=http://print-fast.com&response_type=token
  43. 43. Access token = x3e4Implicit Grant
  44. 44. Implicit Grant Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Resource Access Token Owner David access_token= x3e4 Authorization Client ServerPrint-Fast Picasa Resource Server Protocol Flow
  45. 45. Step 2 – Access Protected Resources
  46. 46. http://picasa.com/..../usr133/photosaccess_token = x3e4 *“http://…/DSC34.jpg”, Picasa “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
  47. 47. Resource Owner David Meant for Pure Browser basedClient Applications Access Token Picasa access_token = x3e4 Resource Protected Resource Server *“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”+ Protocol Flow
  48. 48. Complete Flow at Once
  49. 49. Authorization Request Resource Access Token OwnerClient Access Token Resource Protected Resource Server Protocol Flow
  50. 50. OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
  51. 51. Davi dResource Owner Username/Pas sword Resource Owner Credentials & Client Credentials Picasa – Access Token with Optional Refresh Token AuthorizationDesktop Client Server Client Access Token Picasa Resource Protected Resource Server Protocol Flow
  52. 52. Use Cases• Strong Trust between Resource Owner and Client e.g Operating System or Privileged App• Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided• Example – Salesforce OAuth has provision for this
  53. 53. Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
  54. 54. Client Credentials Access Token with Optional Refresh Token Authorization ServerClient Access Token Resource Protected Resource Server Protocol Flow
  55. 55. Use case• The Data accessed is not owned by Resource Owner, but by the Client• Say Skype showing statistics of uptime of its services
  56. 56. Use case• There is contract already set between the Client and the Authorization Server• E.g Google Apps Marketspace• An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.
  57. 57. OAuth from Mobile Device
  58. 58. Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
  59. 59. Disclaimer• Following slides are extracted from http://www.slideshare.net/briandavidcampbe ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices• I have no claim on the following slides with reference stated in them• Thank you Brian Campbell for the excellent presentation
  60. 60. Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and sends user to 1 the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  61. 61. Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native AppReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  62. 62. Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native AppReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  63. 63. Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP redirection Browser and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  64. 64. Cloud! Handle Callback (cont’d) Token Endpoint Authorization Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > Browser <intent-filter> Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  65. 65. Cloud! Handle Callback (cont’d) Token Endpoint Authorization Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  66. 66. Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device Browser client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  67. 67. Cloud! Using an Access Token Token Authorization Endpoint Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
  68. 68. Pros and Cons• Pros • Cons – User may be already – Complicated Custom URI logged in most cases schema – User will trust as he/she sees https and domain name
  69. 69. Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
  70. 70. Pros and Cons• Pros • Cons – Easier to monitor pages – May not appeal since and extract neither https or domain authorization or access name is visible codes – WebView has separate cookie and history leading to client entering credentials each time
  71. 71. Reference• Book – Getting Started with OAuth 2.0• Facebook Documentation• Google Documentation• Brian David Campbell’s Presentation
  1. Gostou de algum slide específico?

    Recortar slides é uma maneira fácil de colecionar informações para acessar mais tarde.

×