A 5-minute introduction to OAuth 2.
UC2013 Speed Geeking: Intro to OAuth2

Slide 1: Esri UC2013 . Technical Workshop . Speed Geeking
2013 Esri International User Conference
July 8–12, 2013 | San Diego, California
An Introduction to OAuth 2
Aaron Parecki @aaronpk
Slide 2: Before OAuth
• Apps stored the user’s password
• Apps got complete access to a user’s account
• Users couldn’t revoke access to an app except by changing their password
• Compromised apps exposed the user’s password

Slide 3: Before OAuth
• Services recognized the problems with password authentication
• Many services implemented things similar to OAuth 1.0
  - Flickr: “FlickrAuth” frobs and tokens
  - Google: “AuthSub”
  - Facebook: requests signed with MD5 hashes
  - Yahoo: BBAuth (“Browser-Based Auth”)

Slide 4: The OAuth 2 Spec
http://oauth.net/2/

Slide 5: Definitions
• Resource Owner: The User
• Resource Server: The API
• Authorization Server: Often the same as the API server
• Client: The Third-Party Application

Slide 6: Use Cases
• Web-server apps
• Browser-based apps
• Username/password access
• Application access
• Mobile apps

Slide 7: Use Cases – Grant Types
• Web-server apps – authorization_code
• Browser-based apps – implicit
• Username/password access – password
• Application access – client_credentials
• Mobile apps – implicit

Slide 8: Web Server Apps
Authorization Code Grant
Slide 9: Create a “Log In” link (slides 10–13 repeat this slide)
Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
Slide 14: User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email

Slide 15: On success, user is redirected back to your site with auth code
https://example.com/auth?code=AUTH_CODE_HERE
On error, user is redirected back to your site with error code
https://example.com/auth?error=access_denied

Slide 16: Server exchanges auth code for an access token
Your server makes the following request
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Slide 17: Server exchanges auth code for an access token
Your server gets a response like the following
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or if there was an error
{
  "error":"invalid_request"
}
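The authorization code flow of slides 9 to 17 end to end, as an added Python example (not code from the slides or from oauth.net): it builds the login link, checks the redirect for a code or an error, and exchanges the code server-side. The state parameter, the injected post function and the fake token endpoint are assumptions made for the example; the fake answers with the slide 17 responses.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
AUTHORIZE_URL = "https://facebook.com/dialog/oauth"          # slide 9
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"   # slide 16

def build_login_url(client_id, redirect_uri, scope, state):
    """Step 1, the 'Log In' link (response_type=code). 'state' is assumed, not on the
    slides: a random per-session value the callback must echo back."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2, the redirect: ?code=... on success, ?error=access_denied on failure."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not come from our login link")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]

def exchange_code(post, code, client_id, client_secret, redirect_uri):
    """Step 3, the server-side POST of slide 16. post(url, body) -> dict is injected
    so the flow runs offline; client_secret leaves the server only, never the browser."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
    resp = post(TOKEN_URL, body)
    if "error" in resp:                       # slide 17: {"error":"invalid_request"}
        raise ValueError("token endpoint error: " + resp["error"])
    return resp["access_token"], resp.get("refresh_token"), resp["expires_in"]

# Constructed stand-in for the authorization server, answering as on slide 17.
ISSUED_CODE = "AUTH_CODE_HERE"
def fake_token_endpoint(url, body):
    if (url == TOKEN_URL and body["grant_type"] == "authorization_code"
            and body["code"] == ISSUED_CODE and body["client_secret"] == "YOUR_CLIENT_SECRET"):
        return {"access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "bearer",
                "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV"}
    return {"error": "invalid_request"}

def demo():
    state = secrets.token_urlsafe(16)           # generated when the login link is rendered
    login_link = build_login_url("YOUR_CLIENT_ID", "https://example.com/auth", "email", state)
    callback = f"https://example.com/auth?code={ISSUED_CODE}&state={state}"  # constructed
    code = parse_callback(callback, state)
    return exchange_code(fake_token_endpoint, code, "YOUR_CLIENT_ID",
                         "YOUR_CLIENT_SECRET", "https://example.com/auth")
```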
Slide 18: Browser-Based Apps
Implicit Grant

Slide 19: Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email

Slide 20: User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email

Slide 21: On success, user is redirected back to your site with the access token in the fragment
https://example.com/auth#token=ACCESS_TOKEN
On error, user is redirected back to your site with error code
https://example.com/auth#error=access_denied

Slide 22: Browser-Based Apps
• Use the “Implicit” grant type
• No server-side code needed
• Client secret not used
• Browser makes API requests directly
Slide 23: Username/Password
Password Grant

Slide 24: Password Grant
Password grant is only appropriate for trusted clients, most likely first-party apps only. If you build your own website as a client of your API, then this is a great way to handle logging in.

Slide 25: Password Grant Type
Only appropriate for your service’s website or your service’s mobile apps.
Slide 26: Password Grant
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
Slide 27: Password Grant
• User exchanges username and password for a token
• No server-side code needed
• Client secret only used from confidential clients
  - (Don’t send client secret from a mobile app!)
• Useful for developing a first-party login system

Slide 28: Application Access
Client Credentials Grant

Slide 29: Client Credentials Grant
POST https://api.example.com/1/oauth/token
Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}

Slide 30: Grant Type Summary
• authorization_code: Web-server apps
• implicit: Mobile and browser-based apps
• password: Username/password access
• client_credentials: Application access

Slide 31: Accessing Resources
So you have an access token. Now what?

Slide 32: Use the access token to make requests
Now you can make requests using the access token.
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Access token can be in an HTTP header or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia

Slide 33: Eventually the access token may expire
When you make a request with an expired token, you will get this response
{
  "error":"expired_token"
}
Now you need to get a new access token!
Slide 34: Get a new access token using a refresh token
Your server makes the following request
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token with new tokens.
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
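Slides 32 to 34 as a small token-handling client, an added Python example rather than the slides' own code: it sends the bearer token in the Authorization header, treats {"error":"expired_token"} as the trigger for the slide 34 refresh request, and retries the API call once. The TokenClient and FakeServer classes, the injected http function and the one-time refresh tokens are assumptions made for the example.

```python
API_URL = "https://api.example.com/me"              # slide 32
TOKEN_URL = "https://api.example.com/oauth/token"   # slide 34

class TokenClient:
    """Holds the token pair; on {"error":"expired_token"} (slide 33) it refreshes once and
    retries. http(method, url, headers, body) -> dict is injected so this runs offline."""
    def __init__(self, http, client_id, client_secret, access_token, refresh_token):
        self.http, self.client_id, self.client_secret = http, client_id, client_secret
        self.access_token, self.refresh_token, self.refreshes = access_token, refresh_token, 0
    def _refresh(self):                              # the request of slide 34
        body = {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id, "client_secret": self.client_secret}
        resp = self.http("POST", TOKEN_URL, {}, body)
        if "error" in resp:          # refresh token revoked or expired: user must log in again
            raise RuntimeError("refresh failed: " + resp["error"])
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)  # server may rotate
        self.refreshes += 1
    def get(self, url):
        # Header, not query string (slide 32 allows both): keeps the token out of access logs.
        for attempt in range(2):
            resp = self.http("GET", url, {"Authorization": "Bearer " + self.access_token}, None)
            if resp.get("error") == "expired_token" and attempt == 0:
                self._refresh()
                continue
            return resp

# Constructed stand-in for the API and its token endpoint; refresh tokens are one-time.
class FakeServer:
    def __init__(self):
        self.access, self.refresh, self.n = {"RsT5OjbzRn430zqMLgV3Ia"}, {"e1qoXg7Ik2RRua48lXIV"}, 0
    def __call__(self, method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            if (body.get("grant_type") == "refresh_token" and body.get("refresh_token") in self.refresh
                    and body.get("client_secret") == "YOUR_CLIENT_SECRET"):
                self.refresh.discard(body["refresh_token"]); self.n += 1
                self.access.add(f"at{self.n}"); self.refresh.add(f"rt{self.n}")
                return {"access_token": f"at{self.n}", "expires_in": 3600, "refresh_token": f"rt{self.n}"}
            return {"error": "invalid_request"}                 # error form from slide 17
        token = headers.get("Authorization", "")[len("Bearer "):]
        return {"id": "me"} if token in self.access else {"error": "expired_token"}

def demo():
    server = FakeServer()
    client = TokenClient(server, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                         "RsT5OjbzRn430zqMLgV3Ia", "e1qoXg7Ik2RRua48lXIV")
    first = client.get(API_URL)                           # valid token, no refresh
    server.access.discard("RsT5OjbzRn430zqMLgV3Ia")       # simulate expiry on the server
    second = client.get(API_URL)                          # expired -> refresh -> retry
    return first, second, client.refreshes, client.access_token, client.refresh_token
```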
Slide 35: Scope
Limiting access to resources
Slide 36: Limiting Access to Third Parties (slides 37 and 38 carry the same title only)
Slide 39: OAuth 2 scope on Github
https://github.com/login/oauth/authorize?client_id=...&scope=user,public_repo
• user: Read/write access to profile info only.
• public_repo: Read/write access to public repos and organizations.
• repo: Read/write access to public and private repos and organizations.
• delete_repo: Delete access to adminable repositories.
• gist: Write access to gists.

Slide 40: oauth.net/2

Slide 41: oauth.net Website
• Source code available on Github
  - github.com/aaronpk/oauth.net
• Please feel free to contribute to the website
• Contribute new lists of libraries, or help update information

Slide 42: Thanks.
@aaronpk
aparecki@esri.com
github.com/aaronpk