SlideShare a Scribd company logo

OAuth - Open API Authentication

L
leahculver

http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.

Technology
1 of 23
Download to read offline
OAuth Basic Introduction
What is OAuth? A simple open standard for secure API authentication.
The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
Similar to... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...
Who is involved?
Goals: Be Simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard
Goals: Be Secure • secure for users • easy to implement security features for developers • balance security with ease of use
Goals: Be Open • any website can implement OAuth • any developer can use OAuth • open source client libraries • published technical specifications
Goals: Be Flexible • don’t need a username and password • authentication method agnostic • can use OpenID (or not!) • whatever works best for the web service • developers don’t need to handle auth
What the end user sees... an example from ma.gnolia and nsyght.
OMG! Need to login!
Login with service provider
Authorize
Done!
How Does OAuth Work? (for developers)
Register a Consumer Application • Provide service provider with data about your application (name, creator, url etc...) • Service provider assigns consumer a consumer key and consumer secret • Service provider gives documentation of authorization URLs and methods
Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce
Where is this information passed? • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
Security • Tokens - aren’t passing username/password • Timestamp and nonce - verify unique requests • Signature - encrypted parameters help service provider recognize consumer • Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL)
Current Status of OAuth • oauth.net • Auth Core 1.0 Draft 7 • several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, • Ma.gnolia and Twitter implementations • more implementations soon!
Thanks! Chris is still working on the logo...

Recommended

OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 

Recommended

OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Jwt Security
Jwt SecurityJwt Security
Jwt SecuritySeid Yassin
 
Ssl https
Ssl httpsSsl https
Ssl httpsAndrada Boldis
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Securing Your API
Securing Your APISecuring Your API
Securing Your APIJason Austin
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference Real Estate
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Hadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureHadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureUwe Printz
 
Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop SecurityDataWorks Summit
 

More Related Content

What's hot

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methodssana mateen
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference Real Estate
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 

What's hot (20)

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Ssl https
Ssl httpsSsl https
Ssl https
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Securing Your API
Securing Your APISecuring Your API
Securing Your API
 
Authentication methods
Authentication methodsAuthentication methods
Authentication methods
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 

Viewers also liked

Hadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureHadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureUwe Printz
 
Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop SecurityDataWorks Summit
 
Built-In Security for the Cloud
Built-In Security for the CloudBuilt-In Security for the Cloud
Built-In Security for the CloudDataWorks Summit
 
Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with HadoopCloudera, Inc.
 
Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...DataWorks Summit
 
Information security in big data -privacy and data mining
Information security in big data -privacy and data miningInformation security in big data -privacy and data mining
Information security in big data -privacy and data miningharithavijay94
 
Troubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the BeastTroubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the BeastDataWorks Summit
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview Hortonworks
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXAbhishek Mallick
 
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersDataWorks Summit
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Peter Wood
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Kevin Minder
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxVinay Shukla
 
Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)Emilio Coppa
 
Hadoop and Data Access Security
Hadoop and Data Access SecurityHadoop and Data Access Security
Hadoop and Data Access SecurityCloudera, Inc.
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security ArchitectureOwen O'Malley
 
HADOOP TECHNOLOGY ppt
HADOOP TECHNOLOGY pptHADOOP TECHNOLOGY ppt
HADOOP TECHNOLOGY pptsravya raju
 
Cours Big Data Chap1
Cours Big Data Chap1Cours Big Data Chap1
Cours Big Data Chap1Amal Abid
 

Viewers also liked (20)

Hadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureHadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, Future
 
Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop Security
 
Built-In Security for the Cloud
Built-In Security for the CloudBuilt-In Security for the Cloud
Built-In Security for the Cloud
 
Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with Hadoop
 
Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...
 
Information security in big data -privacy and data mining
Information security in big data -privacy and data miningInformation security in big data -privacy and data mining
Information security in big data -privacy and data mining
 
Hadoop
HadoopHadoop
Hadoop
 
Troubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the BeastTroubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the Beast
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview
 
An Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache KnoxAn Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache Knox
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
 
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
 
Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)
 
Hadoop and Data Access Security
Hadoop and Data Access SecurityHadoop and Data Access Security
Hadoop and Data Access Security
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security Architecture
 
HADOOP TECHNOLOGY ppt
HADOOP TECHNOLOGY pptHADOOP TECHNOLOGY ppt
HADOOP TECHNOLOGY ppt
 
Cours Big Data Chap1
Cours Big Data Chap1Cours Big Data Chap1
Cours Big Data Chap1
 

Similar to OAuth - Open API Authentication

OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Web Services with OAuth
Web Services with OAuthWeb Services with OAuth
Web Services with OAuthMarcus Ramberg
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground UpMichael Bleigh
 
Barcamp 2008 O Auth
Barcamp 2008 O AuthBarcamp 2008 O Auth
Barcamp 2008 O AuthBen Cheng
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth WranglingKellan
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Open authentication (oauth)
Open authentication (oauth)Open authentication (oauth)
Open authentication (oauth)Michael Maurice
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 

Similar to OAuth - Open API Authentication (20)

OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Api security
Api security Api security
Api security
 
OAuth 1.0
OAuth 1.0OAuth 1.0
OAuth 1.0
 
Web Services with OAuth
Web Services with OAuthWeb Services with OAuth
Web Services with OAuth
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground Up
 
Barcamp 2008 O Auth
Barcamp 2008 O AuthBarcamp 2008 O Auth
Barcamp 2008 O Auth
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth Wrangling
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Open authentication (oauth)
Open authentication (oauth)Open authentication (oauth)
Open authentication (oauth)
 
OAuth
OAuthOAuth
OAuth
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 

Recently uploaded

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

OAuth - Open API Authentication

  • 2. What is OAuth? A simple open standard for secure API authentication.
  • 3. The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
  • 4. Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 5. Similar to... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...
  • 7. Goals: Be Simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard
  • 8. Goals: Be Secure • secure for users • easy to implement security features for developers • balance security with ease of use
  • 9. Goals: Be Open • any website can implement OAuth • any developer can use OAuth • open source client libraries • published technical specifications
  • 10. Goals: Be Flexible • don’t need a username and password • authentication method agnostic • can use OpenID (or not!) • whatever works best for the web service • developers don’t need to handle auth
  • 11. What the end user sees... an example from ma.gnolia and nsyght.
  • 12. OMG! Need to login!
  • 15. Done!
  • 16. How Does OAuth Work? (for developers)
  • 17. Register a Consumer Application • Provide service provider with data about your application (name, creator, url etc...) • Service provider assigns consumer a consumer key and consumer secret • Service provider gives documentation of authorization URLs and methods
  • 18. Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 19. OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce
  • 20. Where is this information passed? • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
  • 21. Security • Tokens - aren’t passing username/password • Timestamp and nonce - verify unique requests • Signature - encrypted parameters help service provider recognize consumer • Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL)
  • 22. Current Status of OAuth • oauth.net • Auth Core 1.0 Draft 7 • several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, • Ma.gnolia and Twitter implementations • more implementations soon!
  • 23. Thanks! Chris is still working on the logo...