OAuth you said



OAuth is an open standard for authorization. It gives client applications 'secure delegated access' to server resources on behalf of a resource owner: it specifies a process by which resource owners authorize third-party access to their server resources without sharing their credentials. In practice, it became a big mess.


  1. OAuth.io: OAuth, you said?
  2. Why OAuth? To provide a standard way to access protected resources without sharing passwords.
  3. Amazing! But how?
  4. Tokens! The middle-man between the service and the OAuth provider. Never share your Facebook credentials with a service. Today, almost any app needing access or permissions relies on OAuth.
  5. Before? Basic Auth. Users had to provide their Facebook credentials to third-party services. Not secure. Intrusive. Inconvenient.
  6. Started as a protocol. OAuth was first designed to be interoperable and super easy to implement for developers.
  7. Ended up as a framework. OAuth 2.0 has been reclassified as a framework, which means no interoperability and no backward compatibility :/
  8. So yes, OAuth is broken. 30+ different implementations. Two separate flows for token retrieval. Resource names and parameters differ from one provider to another. A nightmare for developers: lots of potential traps. No hope for a good learning curve…
  9. Many versions in 5 years. OAuth 1.0 = October 2007. OAuth 1.0a = June 2009. OAuth 2.0 first draft = early 2010. OAuth 2.0 final (RFC 6749) = October 2012.
  10. OAuth 1.0a was limited: a complex signature scheme; almost no control over token expiry; no permission management (no scopes).
  11. The OAuth 2.0 compromise: more flexible but less interoperable; TLS (SSL) rather than signatures, so the token alone is a bearer credential; easier to implement; no backward compatibility.
  12. Four quick definitions. Resource Owner: the user who wants to share a resource, e.g. the owner of the Facebook photos. Client: the application that wants to use a resource hosted by a third party, e.g. the photo-printing website. Authorization Server: the entity that decides whether to grant access to the client application, e.g. Facebook's authorization server. Resource Server: where the third-party resource is hosted, e.g. the Facebook server holding the photos to print.
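To make the "complex signature scheme" of slide 10 concrete, here is the OAuth 1.0a HMAC-SHA1 request signature (RFC 5849 sections 3.4 to 3.6) computed from scratch, with the server-side verification that OAuth 2.0 traded away for bearer tokens over TLS. This is an added example, not code from the slides or from OAuth.io. The sample request is the one printed in RFC 5849 section 3.4.1.1; the two shared secrets are sample values used here, so only the base string is a published reference value.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """Percent-encode as RFC 5849 section 3.6 requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query removed (section 3.4.1.2)."""
    u = urlsplit(url)
    host = u.hostname or ""
    if u.port and not ((u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)):
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def normalized_params(url: str, oauth_params: dict, body: str = "") -> str:
    """Collect query, oauth_* header and form-body parameters; encode, sort, join (section 3.4.1.3)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(body, keep_blank_values=True)  # only for application/x-www-form-urlencoded bodies
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """METHOD & encoded base URI & encoded normalized parameters (section 3.4.1.1)."""
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized_params(url, oauth_params, body))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # The key is the two secrets, each percent-encoded, joined by "&" (section 3.4.2).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, oauth_params, body, consumer_secret, token_secret=""):
    """Client side: return the oauth_* parameters with oauth_signature added."""
    signed = dict(oauth_params)
    base = signature_base_string(method, url, oauth_params, body)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, oauth_params, body, consumer_secret, token_secret=""):
    """Server side: recompute over what was actually received and compare in constant time."""
    base = signature_base_string(method, url, oauth_params, body)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# The request from RFC 5849 section 3.4.1.1 (query, form body and Authorization header parameters).
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",                     # excluded from the base string
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Sample secrets for this example (the signature value therefore differs from the RFC's).
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"

if __name__ == "__main__":
    print(signature_base_string(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY))
    signed = sign_request(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY, CONSUMER_SECRET, TOKEN_SECRET)
    print(signed["oauth_signature"], verify_request(RFC_METHOD, RFC_URL, signed, RFC_BODY, CONSUMER_SECRET, TOKEN_SECRET))
```

Every byte of the method, URI, query, form body and oauth_* parameters feeds the base string, which is why a provider that sorts, encodes or collects any of them differently rejects an otherwise valid request; that, and the nonce/timestamp bookkeeping the server needs for replay protection, is the complexity slide 10 refers to, and it is what slide 11's "TLS rather than signatures" removes.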
  13. The Flow
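The flow slide is an image, so here is the OAuth 2.0 authorization code grant (RFC 6749 section 4.1) played out between the four roles defined on slide 12, with the checks each side must make: the authorization server only redirects to the registered redirect_uri, a code is single-use and short-lived, the client rejects a redirect whose state it did not issue (the CSRF check of section 10.12), and the resource server checks token validity and scope. This is an added example, not code from the slides or from OAuth.io; the client id, secret, URLs, scope name and user are made-up values, and all four roles run in one process so it works offline.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class AuthorizationServer:
    """The provider's authorization server (Facebook's, in the slides' example) plus its token store."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> {"user", "scope", "expires"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, query, resource_owner):
        """Authorization endpoint, reached after the resource owner approved the request."""
        q = parse_qs(query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if q.get("response_type", [""])[0] != "code":
            raise ValueError("unsupported_response_type")
        # Redirect only to the URI registered for this client, never an attacker-supplied one (section 10.6).
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": resource_owner,
                            "scope": q.get("scope", [""])[0], "expires": time.time() + 600}  # short-lived
        # state is echoed back unchanged so the client can bind this redirect to the request it started.
        return redirect_uri + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticate the client, swap a fresh unexpired code for a bearer token."""
        f = parse_qs(form)
        if self.clients.get(client_id, (None, None))[0] != client_secret:
            raise ValueError("invalid_client")
        if f.get("grant_type", [""])[0] != "authorization_code":
            raise ValueError("unsupported_grant_type")
        grant = self.codes.pop(f.get("code", [""])[0], None)  # pop: a code is single-use
        if (grant is None or grant["expires"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != f.get("redirect_uri", [""])[0]):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"], "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}


class ResourceServer:
    """Where the photos live. It accepts only tokens the authorization server issued."""

    def __init__(self, auth_server, photos_by_user):
        self.auth_server = auth_server  # reads the token store directly in this simulation
        self.photos_by_user = photos_by_user

    def get_photos(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token)
        if scheme != "Bearer" or info is None or info["expires"] < time.time():
            raise PermissionError("invalid_token")
        if "photos:read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.photos_by_user[info["user"]]


class Client:
    """The photo-printing website. It never sees the resource owner's password."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.auth_server = auth_server
        self.pending = {}  # state -> scope; in a real app this lives in the user's session

    def authorization_url(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_redirect(self, redirected_url):
        q = parse_qs(urlsplit(redirected_url).query)
        # Drop any redirect carrying a state we did not issue: the CSRF check of section 10.12.
        if self.pending.pop(q.get("state", [None])[0], None) is None:
            raise ValueError("state mismatch")
        form = urlencode({"grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": self.redirect_uri})
        return self.auth_server.token(form, self.client_id, self.client_secret)


def run_flow():
    """Walk the grant end to end, then show the code-replay and forged-state checks firing."""
    auth = AuthorizationServer()
    auth.register_client("print-shop", "print-shop-secret", "https://print.example/callback")
    client = Client("print-shop", "print-shop-secret", "https://print.example/callback", auth)
    photos = ResourceServer(auth, {"alice": ["beach.jpg", "dog.jpg"]})
    url = client.authorization_url("photos:read")               # 1. client sends Alice to the provider
    redirect = auth.authorize(urlsplit(url).query, "alice")      # 2. Alice approves; code + state come back
    token = client.handle_redirect(redirect)                     # 3. state checked, code exchanged
    got = photos.get_photos("Bearer " + token["access_token"])  # 4. token presented to the resource server
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    replay = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": client.redirect_uri})
    try:
        auth.token(replay, "print-shop", "print-shop-secret"); replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        client.handle_redirect("https://print.example/callback?code=x&state=forged"); forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"token_type": token["token_type"], "photos": got,
            "code_replay_rejected": replay_rejected, "forged_state_rejected": forged_rejected}


if __name__ == "__main__":
    print(run_flow())
```

The second flow the slides mention (implicit grant) returns the token straight from the authorization endpoint with no code exchange and no client secret, which is why the state check and redirect_uri registration matter even more there; the code grant above keeps the token off the browser entirely.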
  14. Further reading. OAuth 1.0 specs: http://tools.ietf.org/html/rfc5849. OAuth 2.0 specs: https://tools.ietf.org/html/rfc6749. "Fuck OAuth" talk by Eran Hammer: http://vimeo.com/52882780. Read our full OAuth Tutorial.
  15. Credits: The Big Lebowski; Walker Texas Ranger aka Chuck (the 1st) Norris; Jackie Brown; 2001: A Space Odyssey; R2D2: Star Wars (Dagobah); C3PO: Star Wars (Tatooine); Las Vegas Parano; Terminator; Forrest Gump; Austin Powers; Judge Dredd.