
Building and using web services with OAuth

1. BUILDING AND USING SECURE WEB SERVICES WITH OAUTH. Skillswap Goes Portable, November 25, 2008. Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/
2. web services are about data. let's think about data...
3. DATA SHOULD BE PORTABLE (even your private data). The Internet is awash with data (put there by our users).
4. why?
5. CONTROL YOUR DATA. Don't get locked into one vendor.
6. Mash|ups <data> MORE INTERESTING. http://pipes.yahoo.com/bruceboughton/skillswapmashup
7. RE-PURPOSE YOUR DATA in different contexts.
8. Data is portable if you can easily ACCESS IT and INTERPRET IT.
9. Data should be available in STANDARD DATA FORMATS: <xml/>, POSH, JSON, μf.
10. User data is moving to the cloud. How can users let third parties ACCESS THEIR PRIVATE DATA?
13. Why pick on Twitter? 40-60% OF TWEETS VIA API*. Blaine Cook co-authored OAuth.
15. http://kecute.wordpress.com/2007/11/05/cat-computer-geek/
16. we need an easy, user-friendly standard for third party api security
18. GOOGLE CONTACTS DEMO: http://lab.madgex.com/oauth-net/googlecontacts/
19. YOU CHOOSE who you share YOUR DATA with. OAuth puts the user back in control.
20. NO NEED to give out your PASSWORD. OAuth is secure.
21. FIRE EAGLE LOCATION DEMO: http://whereami.lab.madgex.com/
22. Supports FINE-GRAINED privacy controls. Lightweight and open for extension.
23. Big name adoption: Google, Yahoo, OpenSocial, Netflix, MySpace, Pownce, Ma.gnolia, SmugMug, GetSatisfaction and more...
24. one thing: OAuth != OpenID (but they do play nicely)
25. OpenID is authentication. OAUTH IS ACCESS CONTROL.
26. let's get technical
27. Protected resources are exposed by service providers and used by consumer applications on behalf of users.
28. e.g. My physical location is exposed by the Fire Eagle API and used by the Madgex Lab demo on my behalf.
29. Consumer identity is asserted using a CONSUMER KEY and SECRET.
30. To fetch a protected resource, the consumer gets an ACCESS TOKEN (tied to a user, usually re-usable).
31. To get an access token, the consumer asks the USER TO LOG IN and AUTHORIZE the request.
32. Requests are SIGNED and include a TIMESTAMP and NONCE.
33. This is just PLAIN OLD HTTP with added super powers.
34. don't worry, there are plenty of open source libraries
35. Ruby, .NET, Python, PHP, Java, JavaScript, Objective-C and more... http://oauth.net/code
36. do we have time for some code? OAuth.net library: http://lab.madgex.com/oauth-net
37. Configuring the Fire Eagle service (without discovery)
38. Requesting the user's location
39. Handling authorization (if we didn't already have an access token)
40. Using the protected resource
41. QUESTIONS? OR BEER. Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/
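The signed-request mechanics of slides 29 to 33 (consumer key and secret, access token, HMAC-SHA1 signature, timestamp and nonce) worked through as an added Python example; this is not code from the talk or from the OAuth.net library. It signs the well-known photos.example.net request from the OAuth Core 1.0 specification's appendix and adds the service-provider side check that a practitioner would want: recompute the signature, then reject stale timestamps and repeated nonces so a captured request cannot be replayed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved characters
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # params: oauth_* fields plus body parameters, excluding oauth_signature
    u = urlsplit(url)
    host = u.netloc.lower().removesuffix(":80" if u.scheme == "http" else ":443")
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 nonce=None, timestamp=None):
    # Consumer side: build the oauth_* parameters and attach the signature
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())),
              "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params

def verify_request(method, url, params, consumer_secret, token_secret, seen_nonces, now, window=300):
    # Service-provider side: check the signature, then reject stale timestamps and
    # repeated (consumer key, timestamp, nonce) triples so a replayed request fails
    claimed = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, claimed):
        return "bad signature"
    ts = int(unsigned.get("oauth_timestamp", "0"))
    if abs(now - ts) > window:
        return "stale timestamp"
    key = (unsigned.get("oauth_consumer_key"), ts, unsigned.get("oauth_nonce"))
    if key in seen_nonces:
        return "replayed nonce"
    seen_nonces.add(key)
    return "ok"
```

The spec's appendix vector (consumer secret kd94hf93k423kf44, token secret pfkkdhi9sl3r4s00, nonce kllo9940pd9333jh, timestamp 1191242096) yields the signature tR3+Ty81lMeYAr/Fid0kMTYa/WM=.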
