Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
An Introductionto OAuth 2Aaron Parecki • @aaronpkOSCON • Portland, Oregon • July 2012
A Brief Historyaaron.pk/oauth2               @aaronpk
Before OAuth   aka the Dark Ages    If a third party wanted access to an    account, you’d give them your password.aaron.p...
Several Problems and   Limitations    Apps store the user’s password    Apps get complete access to a user’s account   ...
Before OAuth 1.0    Services recognized the problems with password     authentication    Many services implemented thing...
Before OAuth 1.0    Flickr: “FlickrAuth” frobs and tokens    Google: “AuthSub”    Facebook: requests signed with MD5 ha...
“We want something like Flickr Auth /       Google AuthSub / Yahoo! BBAuth, but       published as an open standard, with ...
OAuth 1.0aaron.pk/oauth2   @aaronpk
aaron.pk/oauth2   @aaronpk
aaron.pk/oauth2   @aaronpk
OAuth 1.0 Signatures   The signature base string is often the most difficult part of   OAuth for newcomers to construct. T...
aaron.pk/oauth2   @aaronpk
OAuth 2:                  signatures replaced by https        HMACaaron.pk/oauth2                             @aaronpk
Some Current Implementers
The OAuth 2 Spec       http://oauth.net/2/
OAuth 2?!   There are 29 versions!aaron.pk/oauth2             @aaronpk
Currently Implemented DraftsProvider     Draft       ReferenceFoursquare   -10         http://aaron.pk/2YS                ...
So how does it work?aaron.pk/oauth2               @aaronpk
Definitions   Resource Owner: The User   Resource Server: The API   Authorization Server: Often the same    as the API ...
Use Cases   Web-server apps   Browser-based apps   Username/password access   Application access   Mobile appsaaron.p...
Use Cases – Grant Types   Web-server apps – authorization_code   Browser-based apps – implicit   Username/password acce...
Facebook’s OAuth FlowSource: https://developers.facebook.com/docs/authentication/   @aaronpk
Web Server Apps                       Authorization Code Grantaaron.pk/oauth2                          @aaronpk
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=R...
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=R...
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=R...
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=R...
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=R...
User visits the authorization pagehttps://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_u...
On success, user is redirectedback to your site with auth codehttps://example.com/auth?code=AUTH_CODE_HEREOn error, user i...
Server exchanges authcode for an access tokenYour server makes the following requestPOSThttps://graph.facebook.com/oauth/a...
Server exchanges authcode for an access tokenYour server gets a response like the following{    "access_token":"RsT5OjbzRn...
Browser-Based Apps                          Implicit Grantaaron.pk/oauth2                   @aaronpk
Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIR...
User visits the authorization pagehttps://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_u...
On success, user is redirectedback to your site with the accesstoken in the fragmenthttps://example.com/auth#token=ACCESS_...
Browser-Based Apps Use the “Implicit” grant type No server-side code needed Client secret not used Browser makes API r...
Username/Password                         Password Grantaaron.pk/oauth2                   @aaronpk
Password GrantPassword grant is only appropriate fortrusted clients, most likely first-party appsonly.If you build your ow...
Password Grant Type   Only appropriate for your   service’s website or your   service’s mobile apps.aaron.pk/oauth2
Password GrantPOST https://api.example.com/oauth/tokenPost Body:grant_type=password&username=USERNAME&password=PASSWORD&cl...
Application Access                          Client Credentials Grantaaron.pk/oauth2                             @aaronpk
Client Credentials GrantPOST https://api.example.com/1/oauth/tokenPost Body:grant_type=client_credentials&client_id=YOUR_C...
Mobile Apps                       Implicit Grantaaron.pk/oauth2                @aaronpk
aaron.pk/oauth2   @aaronpk
aaron.pk/oauth2   @aaronpk
Redirect back to your app    Facebook app redirects back to your app    using a custom URI scheme.    Access token is incl...
aaron.pk/oauth2   @aaronpk
Mobile Apps Use the “Implicit” grant type No server-side code needed Client secret not used Mobile app makes API reque...
Grant Type Summary   authorization_code:       Web-server apps   implicit:       Mobile and browser-based apps   passwo...
Grant Types &   Response Types   authorization_code:       response_type=code   implicit:        response_type=tokenaaro...
Grant Type Reviewaaron.pk/oauth2                 @aaronpk
Authorization Code    User visits auth page           response_type=code    User is redirected to your site with auth co...
Implicit    User visits auth page           response_type=token    User is redirected to your site with access token    ...
Password    Your server exchanges username/password for access token           POST /token           username=xxxxxxx&pas...
Client Credentials    Your server exchanges client ID/secret for access token           POST /token           client_id=x...
Accessing Resources                     So you have an access token.                                      Now what?aaron.p...
Use the access token tomake requestsNow you can make requests using the access token.GET https://api.example.com/meAuthori...
Eventually the access tokenwill expireWhen you make a request with an expiredtoken, you will get this response{    "error"...
Get a new access tokenusing a refresh tokenYour server makes the following requestPOST https://api.example.com/oauth/token...
Moving access into                     separate specs                       Bearer tokens vs MAC                          ...
Bearer Tokens    GET /1/profile HTTP/1.1    Host: api.example.com    Authorization: Bearer B2mpLsHWhuVFw3YeLFW3f2    Beare...
Security Recommendationsfor Clients Using BearerTokens Safeguard bearer tokens Validate SSL certificates Always use htt...
MAC TokensGET /1/profile HTTP/1.1Host: api.example.comAuthorization: MAC id="jd93dh9dh39D",                   nonce="27315...
OAuth 2 ClientsClient libraries should handle refreshing the tokenautomatically behind the scenes.aaron.pk/oauth2         ...
Scope                  Limiting access to resoucesaaron.pk/oauth2                         @aaronpk
Limiting Access to Third Partiesaaron.pk/oauth2                       @aaronpk
Limiting Access to Third Partiesaaron.pk/oauth2                       @aaronpk
Limiting Access to Third Partiesaaron.pk/oauth2                       @aaronpk
OAuth 2 scope    Created to limit access to the third party.    The scope of the access request expressed as a list of s...
OAuth 2 scope on Facebook    https://www.facebook.com/dialog/oauth?    client_id=YOUR_APP_ID&redirect_uri=YOUR_URL    &sco...
OAuth 2 scope on Facebookaaron.pk/oauth2                @aaronpk
OAuth 2 scope on Github    https://github.com/login/oauth/authorize?      client_id=...&scope=user,public_repo     user   ...
Proposed New UI for Twitterby Ben Wardhttp://blog.benward.me/post/968515729
Implementing an OAuth Server
Implementing an OAuth   Server    Find a server library already written:       A short list available here: http://oauth...
Implementing an OAuth   Server    Choose which grant types you want to support         Authorization Code – for traditio...
OAuth 2 scope on your service    Think about what scopes you might offer    Don’t over-complicate it for your users    ...
Mobile Applications    External user agents are best       Use the service’s primary app for authentication, like       ...
Staying Involvedaaron.pk/oauth2                @aaronpk
Join the Mailing List! https://www.ietf.org/mailman/listinfo/oauth People talk about OAuth Keep up to date on changes ...
oauth.netaaron.pk/oauth2   @aaronpk
oauth.net Website    http://oauth.net    Source code available on Github       github.com/aaronpk/oauth.net    Please ...
github.com/aaronpk/oauth.netaaron.pk/oauth2                   @aaronpk
More Info, Slides & Code Samples:aaron.pk/oauth2                                          Thanks.                         ...
Upcoming SlideShare
Loading in …5
×

An Introduction to OAuth 2

85,932 views

Published on

Slides from my Intro to OAuth 2 presentation at OSCON 2012

Published in: Technology

An Introduction to OAuth 2

  1. An Introductionto OAuth 2Aaron Parecki • @aaronpkOSCON • Portland, Oregon • July 2012
  2. A Brief Historyaaron.pk/oauth2 @aaronpk
  3. Before OAuth aka the Dark Ages If a third party wanted access to an account, you’d give them your password.aaron.pk/oauth2 @aaronpk
  4. Several Problems and Limitations  Apps store the user’s password  Apps get complete access to a user’s account  Users can’t revoke access to an app except by changing their password  Compromised apps expose the user’s passwordaaron.pk/oauth2 @aaronpk
  5. Before OAuth 1.0  Services recognized the problems with password authentication  Many services implemented things similar to OAuth 1.0  Each implementation was slightly different, certainly not compatible with each otheraaron.pk/oauth2 @aaronpk
  6. Before OAuth 1.0  Flickr: “FlickrAuth” frobs and tokens  Google: “AuthSub”  Facebook: requests signed with MD5 hashes  Yahoo: BBAuth (“Browser-Based Auth”)aaron.pk/oauth2 @aaronpk
  7. “We want something like Flickr Auth / Google AuthSub / Yahoo! BBAuth, but published as an open standard, with common server and client libraries.” Blaine Cook, April 5th, 2007aaron.pk/oauth2 @aaronpk
  8. OAuth 1.0aaron.pk/oauth2 @aaronpk
  9. aaron.pk/oauth2 @aaronpk
  10. aaron.pk/oauth2 @aaronpk
  11. OAuth 1.0 Signatures The signature base string is often the most difficult part of OAuth for newcomers to construct. The signature base string is composed of the HTTP method being used, followed by an ampersand ("&") and then the URL-encoded base URL being accessed, complete with path (but not query parameters), followed by an ampersand ("&"). Then, you take all query parameters and POST body parameters (when the POST body is of the URL-encoded type, otherwise the POST body is ignored), including the OAuth parameters necessary for negotiation with the request at hand, and sort them in lexicographical order by first parameter name and oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7o then parameter value (for duplicate parameters), all the while ensuring that both the key and the value for oauth_callback="http%3A%2F%2 dC2XJcn4XlZJqk", each parameter are URL encoded in isolation. Instead of using Flocalhost%3A3005%2Fthe_dance%2Fprocess_callb the equals ("=") sign to mark the key/value relationship, you ack%3Fservice_provider_id%3D11", oauth_signatur use the URL-encoded form of "%3D". Each parameter is then e_method="HMAC- joined by the URL-escaped ampersand sign, "%26". SHA1", oauth_timestamp="1272323042", oauth_cons umer_key="GDdmIQH6jhtmLUypg82g", oauth_signa ture="8wUi7m5HFQy76nowoCThusfgB%2BQ%3D", oa uth_version="1.0"aaron.pk/oauth2 @aaronpk
  12. aaron.pk/oauth2 @aaronpk
  13. OAuth 2: signatures replaced by https HMACaaron.pk/oauth2 @aaronpk
  14. Some Current Implementers
  15. The OAuth 2 Spec http://oauth.net/2/
  16. OAuth 2?! There are 29 versions!aaron.pk/oauth2 @aaronpk
  17. Currently Implemented DraftsProvider Draft ReferenceFoursquare -10 http://aaron.pk/2YS http://code.google.com/apis/accounts/doGoogle -10 cs/OAuth2.html https://developers.facebook.com/docs/autFacebook -10 (ish) hentication/oauth2_updates/Windows -10 http://aaron.pk/2YVLiveSalesforce -10 http://aaron.pk/2YWGithub -07 http://develop.github.com/p/oauth.htmlGeoloqi -10 http://developers.geoloqi.com/api @aaronpk
  18. So how does it work?aaron.pk/oauth2 @aaronpk
  19. Definitions Resource Owner: The User Resource Server: The API Authorization Server: Often the same as the API server Client: The Third-Party Applicationaaron.pk/oauth2 @aaronpk
  20. Use Cases Web-server apps Browser-based apps Username/password access Application access Mobile appsaaron.pk/oauth2 @aaronpk
  21. Use Cases – Grant Types Web-server apps – authorization_code Browser-based apps – implicit Username/password access – password Application access – client_credentials Mobile apps – implicitaaron.pk/oauth2 @aaronpk
  22. Facebook’s OAuth FlowSource: https://developers.facebook.com/docs/authentication/ @aaronpk
  23. Web Server Apps Authorization Code Grantaaron.pk/oauth2 @aaronpk
  24. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  25. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  26. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  27. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  28. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  29. User visits the authorization pagehttps://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=emailaaron.pk/oauth2 @aaronpk
  30. On success, user is redirectedback to your site with auth codehttps://example.com/auth?code=AUTH_CODE_HEREOn error, user is redirected backto your site with error codehttps://example.com/auth?error=access_deniedaaron.pk/oauth2 @aaronpk
  31. Server exchanges authcode for an access tokenYour server makes the following requestPOSThttps://graph.facebook.com/oauth/access_tokenPost Body:grant_type=authorization_code&code=CODE_FROM_QUERY_STRING&redirect_uri=REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETaaron.pk/oauth2 @aaronpk
  32. Server exchanges authcode for an access tokenYour server gets a response like the following{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}or if there was an error{ "error":"invalid_request"}aaron.pk/oauth2 @aaronpk
  33. Browser-Based Apps Implicit Grantaaron.pk/oauth2 @aaronpk
  34. Create a “Log In” linkLink to:https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=emailaaron.pk/oauth2 @aaronpk
  35. User visits the authorization pagehttps://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=emailaaron.pk/oauth2 @aaronpk
  36. On success, user is redirectedback to your site with the accesstoken in the fragmenthttps://example.com/auth#token=ACCESS_TOKENOn error, user is redirected backto your site with error codehttps://example.com/auth#error=access_deniedaaron.pk/oauth2 @aaronpk
  37. Browser-Based Apps Use the “Implicit” grant type No server-side code needed Client secret not used Browser makes API requests directlyaaron.pk/oauth2 @aaronpk
  38. Username/Password Password Grantaaron.pk/oauth2 @aaronpk
  39. Password GrantPassword grant is only appropriate fortrusted clients, most likely first-party appsonly.If you build your own website as a client ofyour API, then this is a great way to handlelogging in.aaron.pk/oauth2 @aaronpk
  40. Password Grant Type Only appropriate for your service’s website or your service’s mobile apps.aaron.pk/oauth2
  41. Password GrantPOST https://api.example.com/oauth/tokenPost Body:grant_type=password&username=USERNAME&password=PASSWORD&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETResponse:{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}aaron.pk/oauth2 @aaronpk
  42. Application Access Client Credentials Grantaaron.pk/oauth2 @aaronpk
  43. Client Credentials GrantPOST https://api.example.com/1/oauth/tokenPost Body:grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETResponse:{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}aaron.pk/oauth2 @aaronpk
  44. Mobile Apps Implicit Grantaaron.pk/oauth2 @aaronpk
  45. aaron.pk/oauth2 @aaronpk
  46. aaron.pk/oauth2 @aaronpk
  47. Redirect back to your app Facebook app redirects back to your app using a custom URI scheme. Access token is included in the redirect, just like browser-based apps. fb2865://authorize/#access_token=BAAEEmo2nocQBAFFOeRTdaaron.pk/oauth2 @aaronpk
  48. aaron.pk/oauth2 @aaronpk
  49. Mobile Apps Use the “Implicit” grant type No server-side code needed Client secret not used Mobile app makes API requests directlyaaron.pk/oauth2 @aaronpk
  50. Grant Type Summary authorization_code: Web-server apps implicit: Mobile and browser-based apps password: Username/password access client_credentials: Application accessaaron.pk/oauth2 @aaronpk
  51. Grant Types & Response Types authorization_code: response_type=code implicit: response_type=tokenaaron.pk/oauth2 @aaronpk
  52. Grant Type Reviewaaron.pk/oauth2 @aaronpk
  53. Authorization Code  User visits auth page response_type=code  User is redirected to your site with auth code http://example.com/?code=xxxxxxx  Your server exchanges auth code for access token POST /token code=xxxxxxx&grant_type=authorization_codeaaron.pk/oauth2 @aaronpk
  54. Implicit  User visits auth page response_type=token  User is redirected to your site with access token http://example.com/#token=xxxxxxx  Token is only available to the browser since it’s in the fragmentaaron.pk/oauth2 @aaronpk
  55. Password  Your server exchanges username/password for access token POST /token username=xxxxxxx&password=yyyyyyy& grant_type=passwordaaron.pk/oauth2 @aaronpk
  56. Client Credentials  Your server exchanges client ID/secret for access token POST /token client_id=xxxxxxx&client_secret=yyyyyyy& grant_type=client_credentialsaaron.pk/oauth2 @aaronpk
  57. Accessing Resources So you have an access token. Now what?aaron.pk/oauth2 @aaronpk
  58. Use the access token tomake requestsNow you can make requests using the access token.GET https://api.example.com/meAuthorization: Bearer RsT5OjbzRn430zqMLgV3IaAccess token can be in an HTTP header or a querystring parameterhttps://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Iaaaron.pk/oauth2 @aaronpk
  59. Eventually the access tokenwill expireWhen you make a request with an expiredtoken, you will get this response{ "error":"expired_token"}Now you need to get a new access token!aaron.pk/oauth2 @aaronpk
  60. Get a new access tokenusing a refresh tokenYour server makes the following requestPOST https://api.example.com/oauth/tokengrant_type=refresh_token&reresh_token=e1qoXg7Ik2RRua48lXIV&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETYour server gets a similar response as the original call tooauth/token with new tokens.{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}aaron.pk/oauth2 @aaronpk
  61. Moving access into separate specs Bearer tokens vs MAC authenticationaaron.pk/oauth2 @aaronpk
  62. Bearer Tokens GET /1/profile HTTP/1.1 Host: api.example.com Authorization: Bearer B2mpLsHWhuVFw3YeLFW3f2 Bearer tokens are a cryptography-free way to access protected resources. Relies on the security present in the HTTPS connection, since the request itself is not signed.aaron.pk/oauth2 @aaronpk
  63. Security Recommendationsfor Clients Using BearerTokens Safeguard bearer tokens Validate SSL certificates Always use https Don’t store bearer tokens in plaintext cookies Issue short-lived bearer tokens Don’t pass bearer tokens in page URLsaaron.pk/oauth2 @aaronpk
  64. MAC TokensGET /1/profile HTTP/1.1Host: api.example.comAuthorization: MAC id="jd93dh9dh39D", nonce="273156:di3hvdf8", bodyhash="k9kbtCIyI3/FEfpS/oIDjk6k=", mac="W7bdMZbv9UWOTadASIQHagZyirA="MAC tokens provide a way to make authenticated requestswith cryptographic verification of the request.Similar to the original OAuth 1.0 method of using signatures. @aaronpk
  65. OAuth 2 ClientsClient libraries should handle refreshing the tokenautomatically behind the scenes.aaron.pk/oauth2 @aaronpk
  66. Scope Limiting access to resoucesaaron.pk/oauth2 @aaronpk
  67. Limiting Access to Third Partiesaaron.pk/oauth2 @aaronpk
  68. Limiting Access to Third Partiesaaron.pk/oauth2 @aaronpk
  69. Limiting Access to Third Partiesaaron.pk/oauth2 @aaronpk
  70. OAuth 2 scope  Created to limit access to the third party.  The scope of the access request expressed as a list of space- delimited strings.  In practice, many people use comma-separators instead.  The spec does not define any values, it’s left up to the implementor.  If the value contains multiple strings, their order does not matter, and each string adds an additional access range to the requested scope.aaron.pk/oauth2 @aaronpk
  71. OAuth 2 scope on Facebook https://www.facebook.com/dialog/oauth? client_id=YOUR_APP_ID&redirect_uri=YOUR_URL &scope=email,read_streamaaron.pk/oauth2 @aaronpk
  72. OAuth 2 scope on Facebookaaron.pk/oauth2 @aaronpk
  73. OAuth 2 scope on Github https://github.com/login/oauth/authorize? client_id=...&scope=user,public_repo user • Read/write access to profile info only. public_repo • Read/write access to public repos and organizations. repo • Read/write access to public and private repos and organizations. delete_repo • Delete access to adminable repositories. gist • write access to gists.aaron.pk/oauth2 @aaronpk
  74. Proposed New UI for Twitterby Ben Wardhttp://blog.benward.me/post/968515729
  75. Implementing an OAuth Server
  76. Implementing an OAuth Server  Find a server library already written:  A short list available here: http://oauth.net/2/  Read the spec of your chosen draft, in its entirety.  These people didn’t write the spec for you to ignore it.  Each word is chosen carefully.  Ultimately, each implementation is somewhat different, since in many cases the spec says SHOULD and leaves the choice up to the implementer.  Understand the security implications of the implementation choices you make.aaron.pk/oauth2 @aaronpk
  77. Implementing an OAuth Server  Choose which grant types you want to support  Authorization Code – for traditional web apps  Implicit – for browser-based apps and mobile apps  Password – for your own website or mobile apps  Client Credentials – if applications can access resources on their own  Choose whether to support Bearer tokens, MAC or both  Define appropriate scopes for your serviceaaron.pk/oauth2 @aaronpk
  78. OAuth 2 scope on your service  Think about what scopes you might offer  Don’t over-complicate it for your users  Read vs write is a good startaaron.pk/oauth2 @aaronpk
  79. Mobile Applications  External user agents are best  Use the service’s primary app for authentication, like Facebook  Or open native Safari on iPhone rather than use an embedded browser  Auth code or implicit grant type  In both cases, the client secret should never be used, since it is possible to decompile the app which would reveal the secretaaron.pk/oauth2 @aaronpk
  80. Staying Involvedaaron.pk/oauth2 @aaronpk
  81. Join the Mailing List! https://www.ietf.org/mailman/listinfo/oauth People talk about OAuth Keep up to date on changes People argue about OAuth It’s fun!aaron.pk/oauth2 @aaronpk
  82. oauth.netaaron.pk/oauth2 @aaronpk
  83. oauth.net Website  http://oauth.net  Source code available on Github  github.com/aaronpk/oauth.net  Please feel free to contribute to the website  Contribute new lists of libraries, or help update information  OAuth is community-driven!aaron.pk/oauth2 @aaronpk
  84. github.com/aaronpk/oauth.netaaron.pk/oauth2 @aaronpk
  85. More Info, Slides & Code Samples:aaron.pk/oauth2 Thanks. Aaron Parecki @aaronpk aaronparecki.com github.com/aaronpk

×