• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
OAuth 2.0  Simplified
 

OAuth 2.0 Simplified

on

  • 6,638 views

OAuth 2.0 Flows explained with mock examples

OAuth 2.0 Flows explained with mock examples

Statistics

Views

Total Views
6,638
Views on SlideShare
6,630
Embed Views
8

Actions

Likes
16
Downloads
197
Comments
1

3 Embeds 8

http://localhost 3
http://synerzip.github.io 3
http://helloworld.atihow.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Many thanks Rohit! The way you had explained the concept is nice. Thanks for all the sketches!
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    OAuth 2.0  Simplified OAuth 2.0 Simplified Presentation Transcript

    • OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipPassionate about TechNext
    • Why study about OAuth?
    • Do you care about these or Similar Sites?Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
    • Http Access Facebook Browser LinkedIn Foursquare Twitter Api AccessMashups
    • 7155 APIs listed onhttp://ProgrammableWeb.com
    • 390 APIs on http://ProgrammableWeb.com support OAuth
    • Security Closed ClosedAuthentication Authorization
    • OAuth In a Nut Shell Can I have your Debit Card and ATM Pin?
    • OAuth In a Nut Shell Can I have your Credit Card?
    • OAuth Practical ExampleDisclaimer before you read ahead:All product names and people names used inthe following slides are not entirely accurate.They are only placeholders to explain theconcept. None of that information shouldassumed to be correct or incorrect.
    • Without OAuth
    • Without OAuth
    • Without OAuth
    • Lets Start Again
    • With OAuth
    • With OAuth URL changed to http://picasa.com
    • URL isWith OAuth http://picasa.com
    • URL changed toWith OAuth http://picasa.com with code parameter
    • With OAuth
    • OAuth 2.0 Flow in Depth
    • Scenario Wants to integrate with Google BOB Services e.g Picasa Owns OwnsPrint-Fast Picasa
    • Authorization Roles Server Wants to integrate with Google BOB Services e.g Picasa Resource Owns Owns ServerClient Print-Fast Picasa
    • Authorization Roles Server Wants to integrate with Google BOB Services e.g Picasa Resource Owns Owns ServerClient Resource Owner Print-Fast Picasa David
    • Authorization Client Registration Server Client Registers with BOB Authorization Server Resource Owns Owns ServerClient Client_Id=print-fast Client_Secret=xxx Redirect_Url = Print-Fast http://print-fast.com Picasa
    • OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
    • Step 1 – Get Authorization Grant
    • Authorization Request Authorization GrantURL used ishttp://picasa.com/?client_id=photo-fast &scope=profile,email,photos&redirect_uri=http://print-fast.com&response_type=code
    • Authorization GrantAuthorization Grant Code = ase34
    • Authorization Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Resource Authorization Grant Owner David code = ase34 Authorization Client ServerPrint-Fast Resource Server Protocol Flow
    • Step 2 – Exchange for Access Token
    • Authorization Client Code = ase34 Server Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4code = ase34 access_token = x3e4
    • Resource Owner Authorization Grant David code = ase34 Client_Id=print-fast Client_Secret=xxx Authorization Client Access Token Server access_token= x3e4Print-Fast Resource Server Protocol Flow
    • Step 3 – Access Protected Resources
    • Authorization Client Code = ase34 Server Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4code = ase34 http://picasa.com/ ..../usr133/photos access_token = x3e4 *“http://…/DSC34.jpg”, Picasa “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
    • Resource Owner David Authorization Client ServerPrint-Fast Access Token Picasa access_token = x3e4 Resource Protected Resource Server *“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”+ Protocol Flow
    • Complete Flow at Once
    • Authorization Request Resource Authorization Grant Owner Authorization Grant AuthorizationClient Access Token Server Access Token Resource Protected Resource Server Protocol Flow
    • With Refresh Token
    • Access Grant & Client Credentials Access Token & Refresh Token Access Token Protected Resource Resource AuthorizationClient Access Token Server Server Invalid Token Error Refresh Token & Client Credentials Access Token & Optional Refresh Token Protocol Flow
    • OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
    • Step 1 – Get Access Token
    • Implicit Grant Request Implicit GrantURL used ishttp://picasa.com/?client_id=photo-fast &scope=profile,email,photos&redirect_uri=http://print-fast.com&response_type=token
    • Access token = x3e4Implicit Grant
    • Implicit Grant Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Resource Access Token Owner David access_token= x3e4 Authorization Client ServerPrint-Fast Picasa Resource Server Protocol Flow
    • Step 2 – Access Protected Resources
    • http://picasa.com/..../usr133/photosaccess_token = x3e4 *“http://…/DSC34.jpg”, Picasa “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
    • Resource Owner David Meant for Pure Browser basedClient Applications Access Token Picasa access_token = x3e4 Resource Protected Resource Server *“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”+ Protocol Flow
    • Complete Flow at Once
    • Authorization Request Resource Access Token OwnerClient Access Token Resource Protected Resource Server Protocol Flow
    • OAuth Flows/Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
    • Davi dResource Owner Username/Pas sword Resource Owner Credentials & Client Credentials Picasa – Access Token with Optional Refresh Token AuthorizationDesktop Client Server Client Access Token Picasa Resource Protected Resource Server Protocol Flow
    • Use Cases• Strong Trust between Resource Owner and Client e.g Operating System or Privileged App• Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided• Example – Salesforce OAuth has provision for this
    • Grant Types• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
    • Client Credentials Access Token with Optional Refresh Token Authorization ServerClient Access Token Resource Protected Resource Server Protocol Flow
    • Use case• The Data accessed is not owned by Resource Owner, but by the Client• Say Skype showing statistics of uptime of its services
    • Use case• There is contract already set between the Client and the Authorization Server• E.g Google Apps Marketspace• An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.
    • OAuth from Mobile Device
    • Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
    • Disclaimer• Following slides are extracted from http://www.slideshare.net/briandavidcampbe ll/is-that-a-token-in-your-phone-in-your- pocket-or-are-you-just-glad-to-see-me-oauth- 20-and-mobile-devices• I have no claim on the following slides with reference stated in them• Thank you Brian Campbell for the excellent presentation
    • Cloud! Request Authorization Token Authorization Endpoint Endpoint  When user first needs to access some protected resource, client opens a browser and sends user to 1 the authorization endpoint Device https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type Browser =code&scope=update_status Native 1 App Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_st atus"); Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl); startActivity(launchBrowser); NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status"; [[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Authenticate and Approve Token Endpoint Authorization Endpoint  The AS authenticates the user  Directly  Indirectly via Facebook, Twitter, Google, Yahoo, etc. 2 Device Browser Native AppReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Approve Token Endpoint Authorization Endpoint  User approves the requested access 2 Device Browser Native AppReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Handle Callback Token Authorization Endpoint Endpoint 3 Device Server returns control to the app via HTTP redirection Browser and includes an authorization code Native App HTTP/1.1 302 Found Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAReference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Handle Callback (cont’d) Token Endpoint Authorization Endpoint Registering a custom URI scheme In AndroidManifest.xml file: Device <activity android:name=".MyAppCallback” … > Browser <intent-filter> Native <action android:name="android.intent.action.VIEW"/> App 3 <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:scheme="x-com.mycorp.myapp" /> </intent-filter> </activity> String authzCode = getIntent().getData().getQueryParameter("code");Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Handle Callback (cont’d) Token Endpoint Authorization Endpoint Registering a custom URI scheme In app info plist file: Device Browser Native App 3 - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url { NSString *queryString = [url query]; NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init]; for (NSString *param in [queryString componentsSeparatedByString:@"&"]) { NSArray *elts = [param componentsSeparatedByString:@"="]; if([elts count] < 2) continue; [qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]]; }; NSString *code = [qsParms objectForKey:@"code"]; ...Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Trade Code for Token(s) Token Authorization Endpoint Endpoint Token Endpoint Request POST /as/token.oauth2 HTTP/1.1 Host: as.example.com 4 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Device Browser client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA Native App Token Endpoint Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "token_type":"Bearer", "expires_in":3600, "access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”, "refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8” }Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Cloud! Using an Access Token Token Authorization Endpoint Endpoint  Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header Device 5 POST /api/update-status HTTP/1.1 Browser Host: rs.example.com Native Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS App Content-Type: application/x-www-form-urlencoded;charset=UTF-8 status=Almost%20done. NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken]; NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease]; [request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]]; [request setValue:authzHeader forHTTPHeaderField:@"Authorization"]; DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost post = new HttpPost("https://rs.example.com/api/update-status"); post.setHeader("Authorization", "Bearer " + accessToken);Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
    • Pros and Cons• Pros • Cons – User may be already – Complicated Custom URI logged in most cases schema – User will trust as he/she sees https and domain name
    • Popular Approaches• Using User Agent (Stock Browser)• Using Embedded WebView
    • Pros and Cons• Pros • Cons – Easier to monitor pages – May not appeal since and extract neither https or domain authorization or access name is visible codes – WebView has separate cookie and history leading to client entering credentials each time
    • Reference• Book – Getting Started with OAuth 2.0• Facebook Documentation• Google Documentation• Brian David Campbell’s Presentation