Applications have long provided ways to enable other applications to access their API. In the past this has involved naked, plain-text password storage that provided the illusion of users securely giving permission to access the API in their name. oAuth removes this illusion, "putting the clothes" back on authorization so user data remains secure in an open, standards-supported way.

1. HOW TO AVOID LOSING
YOUR PANTS
USING OAUTH
EVERYTHING YOU NEED TO KNOW TO KEEP YOUR USERS
SAFE AND MAINTAIN YOUR SANITY WITH OAUTH
JESSE STAY
CEO, SOCIALTOO.COM
HTTP://STAYNALIVE.COM

2. A LONG TIME AGO, IN A GALAXY FAR, FAR AWAY, THERE
WAS A STORY OF A WISE OLD EMPEROR...
OKAY, NOT THIS EMPEROR!

3. THE “UNTOLD” TRUTH
DON’T BE STUPID!

4. DON’T GET CAUGHT WITH YOUR PANTS DOWN!
MORAL OF THE STORY
PHOTO VIA HTTP://WWW.FLICKR.COM/PHOTOS/WIRETHREAD/175023943/

5. WHAT IS OAUTH?

6. WHAT IS OAUTH?
OAUTH IS OPEN

7. WHAT IS OAUTH?
OAUTH IS OPEN
OAUTH IS SECURE

8. WHAT IS OAUTH?
OAUTH IS OPEN
OAUTH IS SECURE
OAUTH IS
AUTHORIZATION

9. WHAT IS OAUTH?
OAUTH IS OPEN
OAUTH IS SECURE
OAUTH IS
AUTHORIZATION
OAUTH IS A STANDARD

10. COMPONENTS OF OAUTH
THE USER

11. COMPONENTS OF OAUTH
THE CONSUMER

12. COMPONENTS OF OAUTH
THE SERVICE PROVIDER

13. BASIC FLOW OF AN OAUTH APP
USER VISITS
APPLICATION, CLICKS
“AUTHORIZE” BUTTON

14. BASIC FLOW OF AN OAUTH APP
USER VISITS
CONSUMER, CLICKS
“AUTHORIZE” BUTTON
CONSUMER REDIRECTS
USER TO SERVICE
PROVIDER FOR AUTH

15. BASIC FLOW OF AN OAUTH APP
USER VISITS
CONSUMER, CLICKS
“AUTHORIZE” BUTTON
CONSUMER REDIRECTS
USER TO SERVICE
PROVIDER FOR AUTH
PROVIDER RETURNS
USER TO CONSUMER
W/ TOKEN TO ACT ON
BEHALF OF PROVIDER
FOR THAT USER

16. “BEHIND” THE SCENES
CONSUMER FORMATS
A REQUEST TO
PROVIDER TO GET A
REQUEST TOKEN,
APPENDS REQUEST
TOKEN TO THE
PROVIDER AUTH URL
CONSUMER THEN
REDIRECTS USER TO
PROVIDER AUTH URL
W/ THE REQUEST
TOKEN

17. “BEHIND” THE SCENES
USER AUTHENTICATES
WITH PROVIDER,
AUTHORIZES
CONSUMER TO MAKE
CALLS ON BEHALF OF
USER

18. “BEHIND” THE SCENES
PROVIDER REDIRECTS
USER BACK TO
CONSUMER’S CALLBACK
URL (SPECIFIED IN
ORIGINAL CONSUMER
TO PROVIDER REDIRECT
OR IN APP SETTINGS)
CONSUMER SENDS
ORIGINAL REQUEST
TOKEN, REQUESTING
ACCESS TOKEN FROM
PROVIDER

19. “BEHIND” THE SCENES
PROVIDER SENDS
CONSUMER ACCESS
TOKEN AND ACCESS
TOKEN SECRET, GIVING
CONSUMER
PERMISSION TO MAKE
API CALLS ON BEHALF
OF USER
CONSUMER MAKES API
CALLS FOR USER!

20. CONSUMER CALL AND REDIRECT TO PROVIDER:
REAL WORLD EXAMPLE
(THERE’S MORE THAN ONE WAY TO DO IT!)

21. CONSUMER CALLBACK ON REDIRECT FROM
PROVIDER:
REAL WORLD EXAMPLE
(THERE’S MORE THAN ONE WAY TO DO IT!)

22. MAKE SOME API CALLS!
REAL WORLD EXAMPLE
(THERE’S MORE THAN ONE WAY TO DO IT!)

23. OAUTH ON THE IPHONE

24. OAUTH FOR DESKTOP
PROVIDER ASKS USER
FOR PIN
USER ENTERS PIN IN
CONSUMER DESKTOP
APP
CONSUMER SENDS PIN
WITH REQUEST FOR
ACCESS TOKEN

25. FLAWS OF OAUTH
MULTIPLE STEPS FOR
USER TO AUTHENTICATE
USER HAS TO LEAVE THE
CONSUMER SITE
NOT BUILT AS AN
AUTHENTICATION
PLATFORM - WHEN
PROVIDER IS DOWN, SO
IS OAUTH FOR THAT
PROVIDER

26. FACEBOOK CONNECT
AUTHENTICATION AND
AUTHORIZATION IN
ONE
USER NEVER LEAVES
SITE
MANY MORE
INTEGRATED TOOLS
CLOSED, PROPRIETARY

27. ANY QUESTIONS?
HTTP://WIKI.OAUTH.NET
HTTP://STAYNALIVE.COM
HTTP://APIWIKI.TWITTER.COM/AUTHENTICATION