
Introduction to OAuth

Published in: Technology, News & Politics


  1. Introduction to OAuth
     Wei-Tsung Su, 10/30/2013 (Ver. 1.0)
     Ubiquitous Computing & Ambient Networking Laboratory, Page : 1
  2. OAuth
     • OAuth is an open standard of authorization. (Wikipedia)
     • OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). (oauth.net)
     • Standard
       – RFC 6749: The OAuth 2.0 Authorization Framework
       – RFC 5849: The OAuth 1.0 Protocol
     • Implementation
       – Apache Oltu (http://oltu.apache.org/)
       – Others on .NET, PHP, Ruby, Python, …
  3. OAuth 2.0 Protocol Flow
     (Figure: the abstract flow between the Resource Owner (User), the Client, the Authorization Server and the Resource Server, which is reached through its API; step labels as on the slide.)
     (1) Authorization Request: Client → Resource Owner
     (2) Authorization Grant: Resource Owner → Client
     (3) Authorization Request: Client → Authorization Server
     (4) Access Token: Authorization Server → Client
     (5) Access Token: Client → API (Resource Server)
     (6) Protected Resource: Resource Server → Client
  4. OAuth 2.0: Case Study
     • Resource owner – You
     • Client – Google Calendar APIs Explorer
     • Authorization server – Google OAuth 2.0 Server
     • API – Google Calendar APIs
     • Resource Server – Google Calendar
  5. OAuth 2.0: Case Study (con’t)
     (Figure: the slide-3 flow with the case-study roles filled in.)
     (1) Authorization Request: Google Calendar APIs Explorer → Resource Owner (User)
     (2) Authorization Grant: Resource Owner (User) → Google Calendar APIs Explorer
     (3) Authorization Request: Google Calendar APIs Explorer → Google OAuth 2.0 Server
     (4) Access Token: Google OAuth 2.0 Server → Google Calendar APIs Explorer
     (5) Access Token: Google Calendar APIs Explorer → Google Calendar APIs
     (6) Protected Resource: Google Calendar Server (to access your Google calendar data) → Google Calendar APIs Explorer
  6. Authorization Grant
     • There are four ways for a user to grant authorization to a client
       – Authorization Code
         • The client directs the user to the authorization server.
         • The user inputs ID/PWD on the authorization server.
         • The authorization server sends an authorization code to the client.
         • The client sends the authorization code to the authorization server to obtain the access token.
       – Implicit
         • Simplifying the above process, the client can directly obtain the access token.
       – Resource Owner Password Credentials (less secure)
         • The user inputs ID/PWD on the client.
         • The client sends the ID/PWD to the authorization server to obtain the access token.
       – Client Credentials
         • Used when the client is also the resource owner, or
         • Access to the protected resources has been arranged in advance between the client and the authorization server.
  7. Access Token
     • Access token
       – is a credential used to access protected resources.
       – is a string (usually opaque to the client) representing an authorization issued to the client.
       – represents specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
     • Standard
       – RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  8. References
     • OAuth Official Sites
       – http://oauth.net/
       – http://wiki.oauth.net
     • OAuth 2.0 Implementations
       – http://wiki.oauth.net/w/page/25236487/OAuth
