OAuth 2.0

My talk about OAuth 2.0 at Eduserv's Federated Access Management conference November 2011

  1. Alex Bilbie, University of Lincoln, @alexbilbie
  2. Story time!
  3. I'm a user of a web service
  4. I own resources on the web service
  5. For example, personal details
  6. These resources are stored on a resource server (e.g. my personal details on facebook.com)
  7. The resource server exposes user resources over an API
  8. I visit a 3rd party web application
  9. The 3rd party web app is called a client
  10. The client wants to use my resources (e.g. the 3rd party web app wants my personal details)
  11. But the resource server's API requires user authorisation
  12. How?
  13. Give the client my password
  14. Give the client my password (the same slide again; this is the option the talk rejects)
  15. So what then?
  16. OAuth
  17. "An open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications." (oauth.net)
  18. (diagram slide, no text)
  19. (diagram: the user owns the resources and authorises the client; the client accesses the resources)
  20. The flow
  21. The user clicks "sign in" in the client application
  22. The user is redirected to the resource server and asked to sign in
  23. GET /authorise?response_type=code&client_id=12345&redirect_uri=http://client.tld/redirect&scope=name,email,birthday HTTP/1.1
      Host: resource-server.tld
  24. The resource server clearly tells the user the specific data the client wants to access
  25. The user authorises the application and is redirected back to the client with an authorisation code in the query string
  26. HTTP/1.1 302 Found
      Location: http://client.tld/redirect?code=78dsf9sudfo9s
  27. The client exchanges the authorisation code for an access token
  28. POST /token HTTP/1.1
      Host: resource-server.tld
      Content-type: application/x-www-form-urlencoded

      grant_type=authorization_code&code=78dsf9sudfo9s&client_id=12345&client_secret=12345&redirect_uri=http://client.tld/redirect
  29. HTTP/1.1 200 OK
      Content-type: application/json

      { "access_token": "aLKJHskjhda8s13jsi9sis", "valid_until": 1320759526 }
  30. The client can then present the access token as its authorisation to access the specified resources, for a specific length of time
  31. Advantages
  32. No password sharing (happy security-conscious users)
  33. Developers just need to implement a redirect and a POST request (happy developers)
  34. Users can revoke access tokens for specific clients
  35. Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately
  36. Currently version 1.0a: lncn.eu/giy
  37. Version 2.0 is almost finished: lncn.eu/bkw
  38. OAuth 2.0:
      - Simpler
      - Requires all communication over SSL/TLS
      - New flows
      - Better UX
  39. Who's using OAuth?
  40. (logo slide: eight services, each labelled as using v1.0a, v2.0, both, or v2.0 having previously used v1.0a; the names are in the logos, not in the transcript)
  41. And in HE?
  42. data.lincoln.ac.uk: documents, people, location, calendars, bibliographic, energy, printing, events
  43. Internal and external authorisation
  44. Single sign-on
  45. Blackboard (SAML), Zendesk (SAML), Get Satisfaction (OAuth), WordPress (OAuth), Exchange (ADFS), SharePoint (ADFS), Gmail (SAML), plus OAuth clients (internal and external)
  46. Open source 2.0 server: lncn.eu/ar6
  47. Any questions?
  48. Thank you, @alexbilbie
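The authorisation code flow of slides 21 to 30 and the revocation of slides 34 and 35, worked through as an added example. This is not the speaker's code and not the open source server linked on slide 46: it is an in-memory stand-in for both ends of the exchange, written for this transcript, that sends the same messages as slides 23, 26, 28 and 29 and adds the checks the slides leave implicit (a state value on the redirect, exact redirect_uri matching, single-use and expiring codes, grant_type on the token request, client secret verification). The hosts, client id and secret, user name and lifetimes are made-up values, not anything from the talk.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse
CODE_LIFETIME, TOKEN_LIFETIME = 60, 3600   # seconds; assumed values, not from the talk


def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ResourceServer:
    """Slides 22-29: the /authorise and /token endpoints, kept in memory."""
    def __init__(self):
        self.clients = {}   # client_id -> {"secret": ..., "redirect_uri": registered URI}
        self.codes = {}     # code -> record, popped on first redemption
        self.tokens = {}    # access_token -> record

    def authorise(self, url, user):
        """GET /authorise after the user signed in and approved: returns the 302's Location."""
        q = query(url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("unknown client or unsupported response_type")
        if q.get("redirect_uri") != client["redirect_uri"]:   # exact match, never a prefix match
            raise ValueError("redirect_uri must exactly match the registered one")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": client["redirect_uri"],
                            "user": user, "scope": q.get("scope", ""),
                            "expires": time.time() + CODE_LIFETIME}
        params = {"code": code, "state": q.get("state")}    # state is echoed back untouched
        return client["redirect_uri"] + "?" + urlencode({k: v for k, v in params.items() if v})

    def token(self, form):
        """POST /token; `form` is the decoded form body. Returns the JSON body."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":   # required by the spec
            return {"error": "unsupported_grant_type"}
        rec = self.codes.pop(form.get("code"), None)           # single use: a replay finds nothing
        # Unexpired, issued to this client, and presented with the redirect_uri it was delivered to.
        if (rec is None or rec["expires"] < time.time() or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        tok, valid_until = secrets.token_urlsafe(32), int(time.time()) + TOKEN_LIFETIME
        self.tokens[tok] = {"client_id": rec["client_id"], "user": rec["user"],
                            "scope": rec["scope"].split(","), "valid_until": valid_until}
        return {"access_token": tok, "valid_until": valid_until}   # slide 29's shape; the spec uses expires_in

    def resource(self, access_token, scope_needed):   # a protected API call
        rec = self.tokens.get(access_token)
        if rec is None or rec["valid_until"] < time.time() or scope_needed not in rec["scope"]:
            return None
        return rec["user"]   # the owning user, only for a live token that was granted this scope

    def revoke_client(self, client_id):   # slide 35: kill the client and every token it holds
        self.clients.pop(client_id, None)
        self.tokens = {t: r for t, r in self.tokens.items() if r["client_id"] != client_id}


class Client:
    """Slides 21 and 25-27: the third-party web app's side of the exchange."""
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.id, self.secret, self.redirect_uri = server, client_id, client_secret, redirect_uri
        self.pending_state = None   # would live in the user's session in a real app

    def sign_in_url(self, scope):
        """Slide 23's request plus a state value tying the redirect to this session (CSRF defence)."""
        self.pending_state = secrets.token_urlsafe(16)
        return "https://resource-server.tld/authorise?" + urlencode(
            {"response_type": "code", "client_id": self.id, "redirect_uri": self.redirect_uri,
             "scope": scope, "state": self.pending_state})

    def handle_redirect(self, location):
        """Slides 26-29: check state, then exchange the code for an access token."""
        q = query(location)
        if self.pending_state is None or q.get("state") != self.pending_state:
            raise ValueError("state mismatch: this redirect is not from a flow we started")
        self.pending_state = None
        body = self.server.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                                  "client_id": self.id, "client_secret": self.secret,
                                  "redirect_uri": self.redirect_uri})
        return body["access_token"]   # a KeyError here means the server returned an error body


def demo():
    server = ResourceServer()
    server.clients["12345"] = {"secret": "s3cret", "redirect_uri": "http://client.tld/redirect"}  # made up
    client = Client(server, "12345", "s3cret", "http://client.tld/redirect")
    location = server.authorise(client.sign_in_url("name,email,birthday"), user="alex")
    token = client.handle_redirect(location)
    out = {"user": server.resource(token, "email")}            # "alex"
    out["replay"] = server.token({"grant_type": "authorization_code", "code": query(location)["code"],
                                  "client_id": "12345", "client_secret": "s3cret",
                                  "redirect_uri": "http://client.tld/redirect"})   # {"error": "invalid_grant"}
    server.revoke_client("12345")
    out["after_revoke"] = server.resource(token, "email")      # None
    return out
```

demo() runs the happy path and then the two things a server must refuse: redeeming the same code twice, and using a token after the client it belongs to has been revoked. The three checks that matter most are in the server: the redirect_uri is compared exactly against the registration, never as a prefix, so a code can never be sent to an attacker's page; the code is popped on its first redemption and expires after CODE_LIFETIME seconds; and the token request must carry the same client_id and redirect_uri the code was issued for. On the client side the state value does the job the slides do not mention: a redirect that arrives with no state, or with a state this session did not generate, is dropped before any code is exchanged.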