Defining OAuth
"OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.)."
Why OAuth? Issues with the traditional client-service authentication model
- Users share their credentials (password) with the application for each service.
- The application needs as many credentials as there are services.
- Once the application gets the user's password there is no way to invalidate its access to the user's resources, unless the user changes the password.
- The application has the same privileges as the user.
Background
- Based on well-established practices of many proprietary industry protocols: Google AuthSub, Yahoo BBAuth, Flickr API.
- Focused on website services, but also desktop applications, mobile devices or set-top boxes.
Background (timeline)
- 2006 – OpenID (Blaine Cook): decentralized digital identification standard.
- 2006 – OpenAuth (Chris Messina): no password sharing, login agnostic.
- 2007 – OpenAuth (Google); AOL implements the OpenAuth protocol.
- 2007 – OAuth Core 1.0.
- 2009 – OAuth Core 1.0 Revision.
- 2010 – OAuth Core 1.0 RFC.
- Present-Future – OAuth 2.0 Draft: http://tools.ietf.org/html/draft-ietf-oauth-v2-26
Workflow
Goal: print on demand, through a web application, the photos of our last summer that we previously uploaded to Facebook.
Step 1 – The user accesses the Print Service.
Step 2 – The Print Service gives you the choice to access Facebook to get your photos.
Step 3 – You are redirected to the Facebook login page.
Step 4 – Once you are logged in, you authorize the Print Service to access your photos on Facebook.
Step 5 – You are redirected to the Print Service, where you access your photos.
Roles in the diagram: Service provider (Facebook), Consumer (Print Service), User (you).
Workflow
- Redirection-based authorization.
- Credential types: temporary credentials (request token + secret) and token credentials (access token + secret).
- 1. Get temporary credentials.
- 2. Obtain authorization from the resource owner.
- 3. Get token credentials.
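The three steps above, as an added example that is not from the slides: a toy service-provider side (the hypothetical AuthServer class) that issues temporary credentials, records the resource owner's authorization with a verifier, and exchanges them for token credentials, with the checks a provider needs so that access stays limited and revocable without the user's password. Request signing with the consumer secret is omitted.

```python
"""Toy OAuth 1.0-style authorization server (assumed design, not the slides' code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    consumers: dict                                # consumer_key -> consumer_secret (registered apps)
    temp: dict = field(default_factory=dict)       # temporary token -> record
    tokens: dict = field(default_factory=dict)     # access token -> record
    ttl: int = 600                                 # temporary credentials expire quickly

    # Step 1: the consumer (Print Service) asks for temporary credentials (request token + secret).
    def temporary_credentials(self, consumer_key, callback):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[token] = {"consumer": consumer_key, "secret": secret, "callback": callback,
                            "verifier": None, "expires": time.time() + self.ttl}
        return token, secret

    # Step 2: the resource owner logs in at the provider and approves a scope; the provider
    # issues a verifier that reaches the consumer through the redirect to rec["callback"].
    def authorize(self, token, user, scope):
        rec = self.temp[token]
        rec.update(user=user, scope=set(scope), verifier=secrets.token_hex(8))
        return rec["verifier"]

    # Step 3: temporary credentials + verifier are exchanged for token credentials (access token + secret).
    def token_credentials(self, consumer_key, token, verifier):
        rec = self.temp.pop(token, None)           # single use: a replayed exchange fails
        if rec is None or rec["consumer"] != consumer_key or rec["verifier"] is None:
            raise PermissionError("invalid or unauthorized temporary credentials")
        if time.time() > rec["expires"]:
            raise PermissionError("temporary credentials expired")
        if not hmac.compare_digest(rec["verifier"], verifier):   # constant-time compare
            raise PermissionError("verifier mismatch")
        access = secrets.token_hex(8)
        self.tokens[access] = {"user": rec["user"], "scope": rec["scope"], "consumer": consumer_key}
        return access, secrets.token_hex(16)

    # Protected-resource check: access is limited to the scope the user granted.
    def check_access(self, access, scope):
        rec = self.tokens.get(access)
        return rec is not None and scope in rec["scope"]

    # The user (or provider) revokes this consumer's token; the password is untouched.
    def revoke(self, access):
        self.tokens.pop(access, None)
```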
Live Example
Give WordPress authorization to post on your Facebook wall and your Twitter account.
References
- Official page: http://oauth.net/
- Beginner's guide to OAuth: http://oauth.net/documentation/getting-started/
- Google OAuth: https://developers.google.com/accounts/
- Getting Started with OAuth 2.0, by Ryan Boyd
- Programming Social Applications: Building Viral Experiences with OpenSocial, OAuth, OpenID, and Distributed Web Frameworks, by Jonathan LeBlanc