OAuth 2.0
Introduction to OAuth 2.0: an overview

Published in: Technology

  1. OAuth 2.0. By Manish Singh
  2. What is OAuth?
     - The "valet key" for the web: a key that opens some doors but not all of them.
     - An authorization framework for granting a third-party app restricted, delegated access to a user's resources.
     - The user never hands their password to the third-party app.
     - Requires the user's consent in most grants (the client credentials grant is the exception, since no user is involved).
     - Lets different applications or servers share user data with each other.
     - Applications today need to work together by sharing application-specific data, and OAuth is the standard way to do that safely.
     - Note that OAuth 2.0 is about authorization (what an app may do), not authentication (who the user is); "login with" features layer an identity protocol such as OpenID Connect on top of it.
  3. Who uses OAuth?
     - Facebook, Google, Twitter, Microsoft, Flickr, Yahoo!, and many more large internet services.
  4. Scenarios for OAuth
     - Facebook became popular partly because of third-party apps and games, all of which need some kind of access to your profile.
     - Similar third-party apps exist for Twitter and other platforms.
     - Example: you can publish your LinkedIn status on Twitter at the same time.
     - Many sites let you log in with your Facebook, Google or Twitter account.
  5. OAuth 2.0 terminology
     - Resource Server (or Resource Provider): the web site or web services API where the user's protected data lives and where access tokens are presented.
     - Authorization Server: the server that issues access tokens to the client after authenticating the resource owner and obtaining their authorization.
     - User (or Resource Owner): a member of the resource provider who wants to share certain resources with a third-party app.
  6. Terminology, continued
     - Client (or Consumer Application): typically a web-based or mobile application that wants to access the user's protected resources.
     - Client Credentials: the client ID and client secret used to authenticate the client to the authorization server ("consumer key/secret" is the older OAuth 1.0a name for the same pair). The secret must only ever live on the client's server side; a browser or mobile app cannot keep it confidential.
     - Tokens: the access token the authorization server issues in response to a client's request; the client presents it to the resource server to access the portion of the user's data covered by the granted scope. Access tokens are short-lived; a refresh token, if issued, lets the client obtain a new one without asking the user again.
  7. High-level flow of OAuth 2.0
     - The third-party app developer (the client) registers with the OAuth service provider (Facebook, Google, and so on).
     - The developer adds each app there and receives a client ID and client secret for it, along with the registered redirect URI.
     - Whenever the user uses the app, the app asks the user for permission to access some of their personal data (the requested scope).
     - If the user approves, a token is issued to the client app for a limited time.
     - The client uses the token to access the protected resource.
  8. Example of Twitter OAuth
  9. OAuth 2.0 flows (grant types)
     - Depending on the kind of app and the use case there are several flows in OAuth 2.0. The widely used ones are:
     - Authorization Code Grant: used when the app has a server side that can keep a secret and needs the user's consent to access their data. The server exchanges a short-lived code for the access token, so the token never passes through the browser.
     - Implicit Grant: designed for client-side apps (HTML5 or JavaScript) that need user consent; the access token is returned directly in the redirect URL. The current OAuth 2.0 Security Best Current Practice recommends against it because the token is exposed in the browser; public clients should use the Authorization Code grant with PKCE instead.
     - Client Credentials Grant: used when the app acts on its own behalf with its client ID and secret, and no user consent is required (machine-to-machine access).
  10. OAuth 2.0 request parameters
     - client_id: identifies the registered app.
     - client_secret: sent to the token endpoint in the authorization code exchange and in the client credentials flow; never sent from a browser.
     - redirect_uri: where the authorization server sends the user back; it must exactly match a value registered for the client, otherwise a code or token could be delivered to an attacker's site.
     - scope (optional): the set of permissions being requested.
     - response_type (authorization endpoint) / grant_type (token endpoint): selects the flow.
     - state: an unguessable value bound to the user's session; the client verifies it on the callback to tie the response to its own request (CSRF protection).
  11. Authorization Code Grant flow
  12. Implicit Grant flow
  13. Client Credentials flow
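The flows on slides 7 and 9 to 13 end to end, as an added example that is not part of the original presentation: an in-memory authorization server, resource server and client exchange the messages of the Authorization Code and Client Credentials grants, with the checks a practitioner cares about (exact redirect_uri match, single-use codes, client authentication at the token endpoint, state verification on the callback, scope enforcement). All names, URLs and the registered client data are constructed for illustration; no real provider is contacted.

```python
"""Minimal simulation of the OAuth 2.0 Authorization Code and Client
Credentials grants. Constructed example: no network, no real provider."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data (assumption): what a developer gets back from
# registering an app with the provider (slide 7).
REGISTERED_CLIENTS = {
    "app123": {"secret": "s3cret", "redirect_uris": {"https://app.example/cb"}},
}


def parse_query(url):
    """Return the query string of a URL as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Client side: the request that sends the user to the authorization server."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return auth_endpoint + "?" + urlencode(params)


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients
        self.codes = {}    # code -> (client_id, redirect_uri, scope, user); single use
        self.tokens = {}   # access_token -> {"scope": ..., "sub": ...}

    def authorize(self, url, user, approved):
        """Authorization endpoint: validate the request, then, if the resource
        owner consents, redirect back with a short-lived code and the state."""
        q = parse_query(url)
        client = self.clients.get(q.get("client_id"))
        # redirect_uri must exactly match a registered value, otherwise the code
        # could be delivered to an attacker-controlled site.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_client_or_redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        state = q.get("state", "")
        if not approved:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""), user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """Token endpoint: authenticate the client, then issue an access token."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)   # pop: a code is single use
            if entry is None or entry[0] != form["client_id"] or entry[1] != form.get("redirect_uri"):
                raise ValueError("invalid_grant")
            scope, sub = entry[2], entry[3]
        elif grant == "client_credentials":
            scope, sub = form.get("scope", ""), None          # no user involved
        else:
            raise ValueError("unsupported_grant_type")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"scope": scope, "sub": sub}
        # expires_in is advertised as in a real response; this toy does not enforce it.
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}


class ResourceServer:
    """Protected API: accepts bearer tokens and enforces the granted scope."""
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if info is None:
            raise PermissionError("invalid_token")
        if "profile" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"user": info["sub"]}


def run_authorization_code_flow(auth_server, resource_server, user="alice",
                                approved=True, tamper_state=False):
    """Drive the whole exchange from the client's point of view (slide 11)."""
    client_id, secret = "app123", REGISTERED_CLIENTS["app123"]["secret"]
    redirect_uri = "https://app.example/cb"
    state = secrets.token_urlsafe(8)            # stored in the user's session
    url = build_authorization_url("https://as.example/authorize", client_id,
                                  redirect_uri, "profile", state)
    q = parse_query(auth_server.authorize(url, user, approved))
    if tamper_state:                            # simulate a forged callback
        q["state"] = "forged"
    if not hmac.compare_digest(q.get("state", ""), state):   # CSRF check
        raise ValueError("state_mismatch")
    if "code" not in q:
        raise ValueError(q.get("error", "no_code"))
    tok = auth_server.token({"grant_type": "authorization_code", "code": q["code"],
                             "redirect_uri": redirect_uri, "client_id": client_id,
                             "client_secret": secret})
    return tok, resource_server.get_profile("Bearer " + tok["access_token"])
```

The Client Credentials flow (slide 13) is the same token endpoint called with grant_type=client_credentials and no user or code; the implicit flow is deliberately not modelled, since the token would have to be returned in the redirect URL, which is exactly why current guidance steers away from it.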
  14. OAuth 2.0 advantages
     - Third-party apps can be integrated with any site: a win-win for the OAuth provider and for app developers.
     - With OAuth 2.0, access can be granted for a limited scope and a limited duration.
     - Users never have to type their password into a third-party site.
  15. OAuth 2.0 drawbacks
     - Writing an authorization server correctly is fairly complex.
     - Interoperability is limited: a token from Facebook's OAuth can only be used against Facebook's APIs, and providers differ in details of the protocol.
     - Users sometimes unknowingly grant access to far more of their profile data than the app needs, and that data can be misused.
     - Poor implementations (unchecked redirect URIs, missing state, tokens exposed in URLs) lead to real security issues in OAuth 2.0 deployments.
  16. Thank you. Presentation by Manish Singh. Website: http://immanish4u.com Email: immanish4u@gmail.com