
OAuth Introduction


Published in: Technology, Design

  1. OAuth. Or: „Why you don't have to pass credentials“
  2. About me! Marvin Hoffmann (B.Sc.), Computer Science and Media, Semester 2. Why am I here? Security will always be a key aspect of application development.
  3. What's coming? Some history and basics, some OAuth, some Facebook, a project reference, a conclusion.
  4. What's coming? Some history and basics, some OAuth, some Facebook, a project reference, a conclusion, semester holidays :)
  5. History and basics
  6. Once upon a time... you had to pass your username and password to let applications use one another. Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
  7. That, of course, is something we don't want to be necessary! Pass username and password?
  8. That, of course, is something we don't want to be necessary! Pass username and password? No thanks. There must be another way!
  9. What do we want then? Distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; a standardized approach to granting access.
  10. What's necessary? Authentication: who the heck are you? Authorization: you are allowed to do xyz and only xyz!
  11. OAuth
  12. We need a standard! There were many custom-built solutions before OAuth. Flickr: „FlickrAuth“; Google: „AuthSub“; Facebook: requests signed with MD5 hashes. Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
  13. What's in the protocol? OAuth 1 is based on „FlickrAuth“ and Google's „AuthSub“. OAuth 2 is a completely new protocol; it defines different flows, useful for different requirements (native client, website, mobile app). We'll see soon what such a flow can look like. Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
  14. Facebook
  15. OAuth and Facebook: looks familiar? Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
  16. How to get there 1: register your application or website as a Facebook application to get your app credentials: an App ID / API Key and an App Secret (the tokens you get are only valid for your Facebook app).
  17. How to get there 2: add the App ID and App Secret to your code. Example: $facebook = new Facebook(array('appId' => YOUR_APP_KEY, 'secret' => YOUR_APP_SECRET)); Your app/website will now be identified correctly. The domain will be checked as well!
  18. How to get there 3: define what your app needs to use, e.g. „Post to Facebook as me“, „Access basic information“. Example: <fb:login-button show-faces="true" width="500" max-rows="1" perms="user_useralbums, read_stream,publish_stream"></fb:login-button> Rights: see photos, read from and write to the stream.
  19. How to get there 4: App ID, App Secret, Domain. Source: https://developers.facebook.com/apps/
  20. How to get there 5: you're good to go! Your app/website will now be identified (always) and the user has to grant specific rights (once).
  21. HTTP calls flow. Source: https://developers.facebook.com/docs/authentication/
  22. A little more detail. Source: https://developers.facebook.com/docs/authentication/
  27. A little more detail:
      Request: https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
      Response: http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
      Request: https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
      Response: access_token and the time in seconds until the token expires (save it!)
      Source: https://developers.facebook.com/docs/authentication/
  28. Project reference: no code :(
  29. Environment: „Online & Performance Marketing Agency“; a LOT of Facebook marketing campaigns per month; campaign creation and monitoring via Facebook Ads Manager (web interface). Task: integrate into a Java client! Links: Ads Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
  30. Facebook and Java: just like we learned: register the app with Facebook, get an access token. RestFB: a helpful library to speak with the Graph API in Java. Links: RestFB: http://restfb.com
  31. The problem we had: what if... we want to access information of a page that only an admin of the page can access? ... we want to add data to an account, but only admins are allowed to?
  32. Conclusion
  33. What do we want then? Distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; a standardized approach to granting access.
  38. One more thing! A stolen token is not as horrible as stolen credentials: only dedicated information or actions can be accessed; no need to change the password; it's easy to revoke access.
  39. Thanks! Questions?
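The following is an added example, not part of the slides and not Facebook's or RestFB's code. It plays both sides of the authorization-code exchange from slide 27 in one process: the client builds the dialog URL, the provider hands back a single-use code bound to the registered redirect_uri, and the client trades the code plus its client_secret for a scoped, expiring access token. It then exercises the properties slides 9 and 38 ask for: a token can only do what its scope allows, a replayed or secret-less exchange fails, and revoking the token does not touch the password. The in-memory "server", the placeholder values YOUR_APP_ID / YOUR_APP_SECRET / YOUR_URL (taken from the slides), the user name and the lifetimes are all constructed for the demo.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration using the slides' placeholders (not real credentials).
CLIENTS = {"YOUR_APP_ID": {"secret": "YOUR_APP_SECRET", "redirect_uri": "http://YOUR_URL"}}


class AuthorizationServer:
    """Stand-in for the provider side (the facebook.com / graph.facebook.com endpoints)."""

    def __init__(self, clients):
        self.clients = clients
        self.codes = {}   # code  -> grant (single use, short lived)
        self.tokens = {}  # token -> {client_id, scope, user, expires, revoked}

    def authorize(self, client_id, redirect_uri, scope, user):
        """/dialog/oauth: after the user consents, redirect to the registered URL with a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri differs from registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split(",")), "user": user,
                            "expires": time.time() + 600}
        return redirect_uri + "?" + urlencode({"code": code})

    def access_token(self, client_id, client_secret, redirect_uri, code):
        """/oauth/access_token: only the client holding the secret may redeem a code, once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: the code is consumed no matter what follows
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise PermissionError("code invalid, expired, already used, or bound to another client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "scope": grant["scope"], "user": grant["user"],
                              "expires": time.time() + 3600, "revoked": False}
        return {"access_token": token, "expires": 3600}

    def allows(self, token, permission):
        """Resource check: token must be live and carry the permission the user actually granted."""
        t = self.tokens.get(token)
        return (t is not None and not t["revoked"] and t["expires"] > time.time()
                and permission in t["scope"])

    def revoke(self, token):
        """What the user does on the privacy settings page: the token dies, the password stays."""
        if token in self.tokens:
            self.tokens[token]["revoked"] = True


# --- client side (your app / website) ---

def build_authorize_url(client_id, redirect_uri, scope):
    """Slide 27, first request: send the browser to the authorization dialog."""
    return "https://www.facebook.com/dialog/oauth?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope})


def code_from_redirect(url, expected_redirect_uri):
    """Slide 27, first response: take the code only from a redirect to our own registered URL."""
    if not url.startswith(expected_redirect_uri + "?"):
        raise ValueError("redirect did not come back to our registered URL")
    return parse_qs(urlparse(url).query)["code"][0]


def run_flow():
    """Runs the whole exchange once and reports what each check returned."""
    server = AuthorizationServer(CLIENTS)
    client_id, secret, redirect_uri = "YOUR_APP_ID", "YOUR_APP_SECRET", "http://YOUR_URL"
    auth_url = build_authorize_url(client_id, redirect_uri, "email,read_stream")
    # The provider parses the query string we built, shows the consent dialog, redirects back.
    q = parse_qs(urlparse(auth_url).query)
    redirect = server.authorize(q["client_id"][0], q["redirect_uri"][0], q["scope"][0], user="alice")
    code = code_from_redirect(redirect, redirect_uri)
    resp = server.access_token(client_id, secret, redirect_uri, code)
    token = resp["access_token"]
    result = {
        "expires": resp["expires"],
        "read_stream": server.allows(token, "read_stream"),        # granted -> True
        "publish_stream": server.allows(token, "publish_stream"),  # never asked for -> False
    }
    try:                                                           # replaying the code fails
        server.access_token(client_id, secret, redirect_uri, code)
        result["code_reuse_rejected"] = False
    except PermissionError:
        result["code_reuse_rejected"] = True
    second = code_from_redirect(server.authorize(client_id, redirect_uri, "email", "alice"), redirect_uri)
    try:                                                           # a code without the secret is useless
        server.access_token(client_id, "WRONG_SECRET", redirect_uri, second)
        result["wrong_secret_rejected"] = False
    except PermissionError:
        result["wrong_secret_rejected"] = True
    server.revoke(token)                                           # user revokes the app
    result["after_revoke"] = server.allows(token, "read_stream")   # -> False
    return result


if __name__ == "__main__":
    print(run_flow())
```

The two server-side checks that matter most are the redirect_uri comparison in authorize() (a code is only ever delivered to the URL registered for that App ID, which is what slide 17 means by "the domain will be checked as well") and the client_secret check before the code is redeemed; together they are why a leaked code or token is bounded in what it can do, while leaked credentials are not.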
