(FOR THE WIN)



OAuth FTW
How OAuth and portable data can
revolutionize your web app




Chris Messina                   ...
OAuth |ō| |ôˌθ|
Noun.
An open protocol that allows secure
API authorization in a simple and
standard method from desktop, ...
The story of OAuth starts with OpenID.

factoryjoe.com
factoryjoe.com




               ?!
X
!

factoryjoe.com




?        X




Can has OpenID?
X




               (APPLICATION PROGRAMMING INTERFACE)



B-b-but what about API apps?
?
!?!
How much are your username
   and password worth?
wayn.com
imeem.com
   PC Load Letter?! What the f...!
The Password Anti-pattern!
Passwords are not confetti.
Please stop throwing them around.
Especially if they’re not yours.

  OAuth replaces the need for
usernames and passwords with
tokens and a hashing signature.
let’s take a look
Brightkite > pings Fire Eagle for Request Token
Fire Eagle > returns authorization realm
Brightkite > requests that user authorize Brightkite
Fire Eagle > user authenticates through Yahoo! accounts
Fire Eagle > user grants authorization to Brightkite
Fire Eagle > Fire Eagle redirects user to callback URL
Brightkite > asks FE to exchange Request Token for Access Token
Fire Eagle > checks signature; if valid, returns Access To...
users can manage access...
...and change access
or can revoke access later without having
to change their primary account password
(i.e. if they lose their phone or their...
?
discovery
Identity -› Discovery -› Authorization
OpenID -› XRDS-Simple -› OAuth Endpoint

(EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
Identity -› Discovery -› [Authentication] -› Authorization
http://will.norris.name




<meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />
OpenID XRDS

<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?>
<xrds:XRDS
    xmlns:xrds=quot;xri://$xrdsquot;
    xm...
XRDS-Simple for
                  Portable Contacts
<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?>
<xrds:XRDS
    ...
XRDS-Simple for
           Portable Contacts

<XRD version=quot;2.0quot;>
  <Type>xri://$xrds*simple</Type>
  <Service>
  ...
XRDS-Simple for
           Portable Contacts

<XRD version=quot;2.0quot;>
  <Type>xri://$xrds*simple</Type>
  <Service>
  ...
adoption
•OpenSocial                  •Meetup.com
•MySpace                     •Ma.gnolia
•Google                      •Get Satisfa...
code
•C#                         •OCaml
•Coldfusion                 •Perl
•Java                       •PHP
•Javascript         ...
the pitch
fin.

      oauth.net
me -› factoryjoe.com
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
Upcoming SlideShare
Loading in …5
×

How OAuth and portable data can revolutionize your web app - Chris Messina

5,681 views

Published on

Published in: Technology
  • Be the first to comment

How OAuth and portable data can revolutionize your web app - Chris Messina

  1. (FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
  2. OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
  3. The story of OAuth starts with OpenID.
  4.  factoryjoe.com
  5. factoryjoe.com ?! X
  6. ! 
  7. factoryjoe.com ? X Can has OpenID?
  8. X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
  9. ?
  10. !?!
  11. How much are your username and password worth?
  12. wayn.com
  13. imeem.com
  14.  PC Load Letter?! What the f...!
  15. The Password Anti-pattern!
  16. Passwords are not confetti.
  17. Please stop throwing them around.
  18. Especially if they’re not yours.
  19.  OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
  20. let’s take a look
  21. Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
  22. Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
  23. Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
  24. Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
  25. users can manage access...
  26. ...and change access
  27. or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
  28. ?
  29. discovery
  30. Identity -› Discovery -› Authorization
  31. OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
  32. Identity -› Discovery -› [Authentication] -› Authorization
  33. http://will.norris.name <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />
  34. OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  35. XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  36. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  37. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  38. adoption
  39. •OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
  40. code
  41. •C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
  42. the pitch
  43. fin. oauth.net me -› factoryjoe.com

×