SlideShare a Scribd company logo

OAuth FTW

Chris Messina
Chris Messina

OAuth is an open protocol that allows secure API authorization through a simple authorization method. It replaces the need for usernames and passwords with tokens and signatures. This allows users to manage third party access to their account without having to change their main password. Many companies have adopted OAuth due to its security and ability to revoke access without changing primary login credentials. Code libraries exist for a variety of programming languages to make OAuth integration easier.

Technology
1 of 47
Download to read offline
(FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
The story of OAuth starts with OpenID.
 factoryjoe.com
factoryjoe.com ?! X
! 
factoryjoe.com ? X Can has OpenID?
X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
?
!?!
How much are your username and password worth?
wayn.com
imeem.com
 PC Load Letter?! What the f...!
The Password Anti-pattern!
Passwords are not confetti.
Please stop throwing them around.
Especially if they’re not yours.
 OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
let’s take a look
Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
users can manage access...
...and change access
or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
?
discovery
Identity -› Discovery -› Authorization
OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
Identity -› Discovery -› [Authentication] -› Authorization
http://will.norris.name <meta http-equiv=quot;X-XRDS-Locationquot; content=quot;http://will.norris.name/?xrdsquot; />
OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
adoption
•OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
code
•C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
the pitch
fin. oauth.net me -› factoryjoe.com

Recommended

Back to school night10 11
Back to school night10 11Back to school night10 11
Back to school night10 11
Derrall Garrison
 
Backtoschoolnight14 15
Backtoschoolnight14 15 Backtoschoolnight14 15
Backtoschoolnight14 15
Derrall Garrison
 
Backtoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrisonBacktoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrison
Derrall Garrison
 
Water wonders
Water wondersWater wonders
Water wonders
Derrall Garrison
 
Epw presentation
Epw presentationEpw presentation
Epw presentation
Derrall Garrison
 
The DiSo Project
The DiSo ProjectThe DiSo Project
The DiSo Project
Chris Messina
 
Btsn 2016 2017
Btsn 2016 2017Btsn 2016 2017
Btsn 2016 2017
Derrall Garrison
 
The DiSo Project and the Open Web
The DiSo Project and the Open WebThe DiSo Project and the Open Web
The DiSo Project and the Open Web
Chris Messina
 

Recommended

Back to school night10 11
Back to school night10 11Back to school night10 11
Back to school night10 11
Derrall Garrison
 
Backtoschoolnight14 15
Backtoschoolnight14 15 Backtoschoolnight14 15
Backtoschoolnight14 15
Derrall Garrison
 
Backtoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrisonBacktoschoolnight11 12 lingarrison
Backtoschoolnight11 12 lingarrison
Derrall Garrison
 
Water wonders
Water wondersWater wonders
Water wonders
Derrall Garrison
 
Epw presentation
Epw presentationEpw presentation
Epw presentation
Derrall Garrison
 
The DiSo Project
The DiSo ProjectThe DiSo Project
The DiSo Project
Chris Messina
 
Btsn 2016 2017
Btsn 2016 2017Btsn 2016 2017
Btsn 2016 2017
Derrall Garrison
 
The DiSo Project and the Open Web
The DiSo Project and the Open WebThe DiSo Project and the Open Web
The DiSo Project and the Open Web
Chris Messina
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
AndreCharland
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
sullis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert SessionLos Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Peter Lubbers
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
Nyros Technologies
 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
sullis
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
David Calavera
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
m j
 
Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3
Alex Kavanagh
 
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
Jacob Gyllenstierna
 
Google Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocialGoogle Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocial
Patrick Chanezon
 
Widgets Tools Keynote
Widgets Tools KeynoteWidgets Tools Keynote
Widgets Tools Keynote
Michael Mahemoff
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
Chris Swan
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
Joseph Scott
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
BookNet Canada
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
marpierc
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
Tatsuo Kudo
 
Uber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee WebcastUber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee Webcast
Chris Messina
 
Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
Chris Messina
 

More Related Content

Similar to OAuth FTW

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
David Calavera
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
BookNet Canada
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
marpierc
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 

Similar to OAuth FTW (20)

Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Los Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert SessionLos Angeles HTML5 User Group Meeting Ask the Expert Session
Los Angeles HTML5 User Group Meeting Ask the Expert Session
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
 
GTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementationGTAC: AtomPub, testing your server implementation
GTAC: AtomPub, testing your server implementation
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3Real time web (Orbited) at BCNE3
Real time web (Orbited) at BCNE3
 
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009OpenSocial - GTUG Stockholm Meeting Oct 1 2009
OpenSocial - GTUG Stockholm Meeting Oct 1 2009
 
Google Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocialGoogle Devfest Singapore - OpenSocial
Google Devfest Singapore - OpenSocial
 
Widgets Tools Keynote
Widgets Tools KeynoteWidgets Tools Keynote
Widgets Tools Keynote
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
 
BNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demoBNC Tech Forum 09: Lexcycle Stanza demo
BNC Tech Forum 09: Lexcycle Stanza demo
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
 

More from Chris Messina

Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
Chris Messina
 
Joining the Conversation
Joining the ConversationJoining the Conversation
Joining the Conversation
Chris Messina
 
SWAT0 (variant flow)
SWAT0 (variant flow)SWAT0 (variant flow)
SWAT0 (variant flow)
Chris Messina
 
Identity is the platform (Toronto)
Identity is the platform (Toronto)Identity is the platform (Toronto)
Identity is the platform (Toronto)
Chris Messina
 
Openness In The Era Of Social Web
Openness In The Era Of Social WebOpenness In The Era Of Social Web
Openness In The Era Of Social Web
Chris Messina
 

More from Chris Messina (20)

Uber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee WebcastUber Developer Platform Overview for Apigee Webcast
Uber Developer Platform Overview for Apigee Webcast
 
Joining the conversation
Joining the conversationJoining the conversation
Joining the conversation
 
Joining the Conversation
Joining the ConversationJoining the Conversation
Joining the Conversation
 
Future of the Social Web and How to Stop It
Future of the Social Web and How to Stop ItFuture of the Social Web and How to Stop It
Future of the Social Web and How to Stop It
 
SWAT0 (variant flow)
SWAT0 (variant flow)SWAT0 (variant flow)
SWAT0 (variant flow)
 
Google & the open, social web
Google & the open, social webGoogle & the open, social web
Google & the open, social web
 
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
OpenID & OAuth for the Consumer Web Workshop, Part 1 of 3
 
Socialism, Activity Streams, & Federating The Social Web
Socialism, Activity Streams, & Federating The Social WebSocialism, Activity Streams, & Federating The Social Web
Socialism, Activity Streams, & Federating The Social Web
 
Activity Streams, Socialism, & the Future of Open Source
Activity Streams, Socialism, & the Future of Open SourceActivity Streams, Socialism, & the Future of Open Source
Activity Streams, Socialism, & the Future of Open Source
 
The Open and Social Web
The Open and Social WebThe Open and Social Web
The Open and Social Web
 
The Future of the Social Web and How to Stop It
The Future of the Social Web and How to Stop ItThe Future of the Social Web and How to Stop It
The Future of the Social Web and How to Stop It
 
Google and the Social Web (Mexico City Dev Fest 2010)
Google and the Social Web (Mexico City Dev Fest 2010)Google and the Social Web (Mexico City Dev Fest 2010)
Google and the Social Web (Mexico City Dev Fest 2010)
 
ActivityStrea.ms: Is It Getting Streamy In Here?
ActivityStrea.ms: Is It Getting Streamy In Here?ActivityStrea.ms: Is It Getting Streamy In Here?
ActivityStrea.ms: Is It Getting Streamy In Here?
 
Identity is the platform (Netflix)
Identity is the platform (Netflix)Identity is the platform (Netflix)
Identity is the platform (Netflix)
 
Identity is the platform (Toronto)
Identity is the platform (Toronto)Identity is the platform (Toronto)
Identity is the platform (Toronto)
 
Identity is the Platform (Russian variant)
Identity is the Platform (Russian variant)Identity is the Platform (Russian variant)
Identity is the Platform (Russian variant)
 
Identity is the Platform
Identity is the PlatformIdentity is the Platform
Identity is the Platform
 
The Open, Social Web Workshop
The Open, Social Web WorkshopThe Open, Social Web Workshop
The Open, Social Web Workshop
 
Social Network Supermarkets and How to Defeat Them
Social Network Supermarkets and How to Defeat ThemSocial Network Supermarkets and How to Defeat Them
Social Network Supermarkets and How to Defeat Them
 
Openness In The Era Of Social Web
Openness In The Era Of Social WebOpenness In The Era Of Social Web
Openness In The Era Of Social Web
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

OAuth FTW

  • 1. (FOR THE WIN) OAuth FTW How OAuth and portable data can revolutionize your web app Chris Messina October 10, 2008 Future of Web Apps London, England
  • 2. OAuth |ō| |ôˌθ| Noun. An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
  • 3. The story of OAuth starts with OpenID.
  • 7. factoryjoe.com ? X Can has OpenID?
  • 8. X (APPLICATION PROGRAMMING INTERFACE) B-b-but what about API apps?
  • 9.
  • 10. ?
  • 11. !?!
  • 12. How much are your username and password worth?
  • 14.
  • 16.
  • 17.
  • 18. PC Load Letter?! What the f...!
  • 20. Passwords are not confetti.
  • 21. Please stop throwing them around.
  • 23.  OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
  • 25. Brightkite > pings Fire Eagle for Request Token Fire Eagle > returns authorization realm
  • 26. Brightkite > requests that user authorize Brightkite Fire Eagle > user authenticates through Yahoo! accounts
  • 27. Fire Eagle > user grants authorization to Brightkite Fire Eagle > Fire Eagle redirects user to callback URL
  • 28. Brightkite > asks FE to exchange Request Token for Access Token Fire Eagle > checks signature; if valid, returns Access Token ...subsequent requests are signed with this Access Token
  • 29. users can manage access...
  • 31. or can revoke access later without having to change their primary account password (i.e. if they lose their phone or their computer gets stolen)
  • 32. ?
  • 34. Identity -› Discovery -› Authorization
  • 35. OpenID -› XRDS-Simple -› OAuth Endpoint (EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
  • 36. Identity -› Discovery -› [Authentication] -› Authorization
  • 38. OpenID XRDS <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 39. XRDS-Simple for Portable Contacts <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <xrds:XRDS xmlns:xrds=quot;xri://$xrdsquot; xmlns:openid=quot;http://openid.net/xmlns/1.0quot; xmlns=quot;xri://$xrd*($v*2.0)quot;> <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD> </xrds:XRDS>
  • 40. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 41. XRDS-Simple for Portable Contacts <XRD version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority=quot;0quot;> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type> ...
  • 43. •OpenSocial •Meetup.com •MySpace •Ma.gnolia •Google •Get Satisfaction •Yahoo! (Fire Eagle) •Agree2 •Netflix •SoundCloud •SmugMug •88Miles •Photobucket •Pownce •Plaxo •Brightkite •Soocial.com •Praized http://wiki.oauth.net/ServiceProviders
  • 44. code
  • 45. •C# •OCaml •Coldfusion •Perl •Java •PHP •Javascript •CakePHP •Jifty •Python •.NET •Ruby •Objective-C •...interest in XMPP http://oauth.net/code
  • 47. fin. oauth.net me -› factoryjoe.com