OAuth Presentation

Published in: Education

  1. OAuth: API Access Delegation Protocol
  2. Contents
     - What is OAuth
     - Terminologies used for OAuth
     - Working of the OAuth protocol
     - Use-cases of OAuth
     - Available implementations of OAuth
     - Other similar vendor-specific protocols
     - Loopholes and drawbacks of OAuth
  3. What is OAuth
     History
     - OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.
     - In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.
     - In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
     What is OAuth
     - A protocol that allows private data hosted on web site X to be shared with web site Y.
     - It is just a skeleton; the implementation can be vendor specific.
  4. Terminologies used for OAuth
     - Consumer: application trying to access a protected resource
     - Service Provider: web site or web service hosting the protected resource
     - User: owner of the protected data
     - Protected Resource: images, videos or documents hosted on a web site or web service which are protected by the user
     - Tokens: random, unique strings of letters and numbers; Request Token and Access Token
     - Scope: set of data hosted on the service provider that the user wants to share with the consumer
  5. Working of the OAuth protocol
     - Site Y is the consumer and site X is the service provider
     - Site Y has a consumer ID and shared secret provided by site X to all its OAuth consumers
     - User accesses site Y and wants to share private data hosted on site X
     - Site Y sends the request to site X with the consumer ID and shared secret and asks for a Request Token
     - Site X returns a Request Token to site Y
     - Site Y redirects the user to site X's login service with the request token
     - User enters username/password or OpenID credentials to log in to site X
     - Site X validates the credentials, creates an Access Token associated with the request token and redirects the user to site Y with the request token
     - Site Y sends the request token to site X asking for the Access Token
     - Site Y gets the access token to access protected resources hosted on site X (the access token is valid only for a limited period of time)
  6. Use-cases of OAuth
     - User wants to order prints of the protected photos shared on some photo sharing site (see details)
     - Will be very useful for mash-ups
     - Will help in data portability
  7. Available implementations of OAuth
     - Google has released an open source API to implement OAuth
     - Yahoo has come up with the Yahoo status application which supports OAuth
     - Tripit is the first implementation of OAuth
  8. Other similar vendor-specific protocols
     - Google AuthSub
     - Yahoo BBAuth (Browser Based Authentication)
     - AOL Open Authentication
     Upcoming APIs
     - Flickr API
     - Amazon Web Services API
  9. Loopholes and drawbacks of OAuth
     - Trust on the consumer is key:
       - the consumer redirects the user to the correct service provider
       - the consumer uses the private data only for the specific time period
     - The OAuth specification skeleton does not define the resource and signing algorithms used between consumer and service provider
     - The OAuth specification does not talk about endpoint discovery, language support or XML-RPC support
  10. Thank you
      Kiran Thakkar, kiran_thakkar@persistent.co.in
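The flow on slide 5, worked through as an added example that is not code from the presentation or from any OAuth library: site X, the service provider, issues a request token to a known consumer, marks it authorized once the user logs in and approves, and exchanges it exactly once for an access token with a limited lifetime. The consumer ID "site-y", the shared secret, the HMAC proof used in place of sending the shared secret itself, and the in-memory token stores are all assumptions of the example.

```python
import hmac, hashlib, secrets

def proof(secret, message):
    """Site Y proves it holds the shared secret without sending it (assumed HMAC scheme)."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    """Site X: issues request tokens, records the user's approval, and swaps them once
    for short-lived access tokens. State is kept in memory only for this example."""
    def __init__(self, consumers, access_ttl=3600):
        self.consumers = consumers   # consumer ID -> shared secret
        self.request_tokens = {}     # token -> {"consumer", "authorized"}
        self.access_tokens = {}      # token -> {"consumer", "expires"}
        self.ttl = access_ttl        # access tokens are valid only for this many seconds
    def _check(self, consumer_id, message, given):
        secret = self.consumers.get(consumer_id)
        return secret is not None and hmac.compare_digest(proof(secret, message), given)
    def request_token(self, consumer_id, given):            # site Y asks for a request token
        if not self._check(consumer_id, "request_token", given):
            raise PermissionError("unknown consumer or bad proof")
        token = secrets.token_hex(16)
        self.request_tokens[token] = {"consumer": consumer_id, "authorized": False}
        return token
    def authorize(self, token, user_approves):               # user logs in at X and approves
        if token in self.request_tokens and user_approves:
            self.request_tokens[token]["authorized"] = True
    def access_token(self, consumer_id, token, given, now):  # site Y swaps the request token
        entry = self.request_tokens.pop(token, None)         # single use, even on failure
        if (entry is None or entry["consumer"] != consumer_id or not entry["authorized"]
                or not self._check(consumer_id, "access_token:" + token, given)):
            raise PermissionError("request token unknown, not approved, or not yours")
        token = secrets.token_hex(16)
        self.access_tokens[token] = {"consumer": consumer_id, "expires": now + self.ttl}
        return token

    def protected_resource(self, token, now):                # access token has a limited life
        entry = self.access_tokens.get(token)
        return "photo.jpg" if entry and now <= entry["expires"] else None

def run_flow(provider, consumer_id, secret, user_approves=True, now=0):
    """Drive the whole exchange from site Y's side; returns the access token or None."""
    rt = provider.request_token(consumer_id, proof(secret, "request_token"))
    provider.authorize(rt, user_approves)
    try:
        return provider.access_token(consumer_id, rt, proof(secret, "access_token:" + rt), now)
    except PermissionError:
        return None

# Constructed sample: site X knows one consumer, "site-y", by its ID and shared secret.
SITE_X = ServiceProvider({"site-y": "s3cret"}, access_ttl=3600)
```

The checks in access_token are what the service provider needs so that a request token which was never approved by the user, belongs to a different consumer, or was already exchanged cannot be turned into an access token, and protected_resource enforces the limited validity period mentioned on slide 5.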