OAuth2 in simple words

•

1 like•429 views

Kent Tong

OAuth2 explained in a few simple slides

Technology

OAuth2
Kent Tong, TipTec Development © 2018

OAuth2: Using your Google or Facebook account
with other web apps

Redirecting the user to authentication server
Your web
app
Browser
Google
Redirect to:
https://auth.google.com
http://localhost/myapp
https://auth.google.com
https://auth.google.com
Redirect the user to Google,
Facebook, etc.

User logging in and granting permission to the app
Google
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
Using the access token, the
web app can do things as the
user.
Redirect the browser
to the web app.
...
access_token=abc

But wait!
Google
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
How does Google
know the URL of
your web app?
How does Google know
the name of your web app
(app 123)?

Your web app needs to tell Google its name &
resume URL at the beginning
Your web
app
Browser
Google
Redirect to:
https://auth.google.com ?
client_id=app123&
redirect_url=http://localhost/myapp/resume
http://localhost/myapp
https://auth.google.com ?
client_id=...&
redirect_url=...
Your web app provides
its name and resume
URL to Google via the
browser.

User logging in and granting permission to the app
Google
https://auth.google.com
Grant permission to
app 123?
Browser
OK
Your web
app
http://localhost/myapp
Redirect to:
http://localhost/myapp/resume?
access_token=abc
...
access_token=abc

$Acting as the user to do things (e.g., retrieve his profile info) Google https://profile.google.com Your web app https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... } May be a dedicated server for retrieving user profile.$

However, the token is for the web app but handed to
the browser
Google
Grant permission to
app 123?
Browser
OK
Redirect to:
http://localhost/myapp/resume?
access_token=abc
If the browser has been hacked, the
hacker can use the access token and
pretend to be your web app.
Your web
app
...
access_token=abc

Sending an authorization code instead of the access
token
Google
Grant permission to
app 123?
Browser
OK
Your web
app
Redirect to:
http://localhost/myapp/resume? code=xyz
...?code=xyz

$The app can get an access token with the authorization code Google https://token.google.com Grant permission to app 123? Browser OK Your web app ...?code=xyz https://token.google.com? client_id=app123& client_secret=aaa code=xyz { "access_token":"abc", ... } Google Only the web app and Google know this client secret. Allow? Redirect. May be a dedicated server for getting an access token.$

$Acting as the user to do things Google https://profile.google.com Your web app http://localhost/myapp https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... }$

The app wants everything or just simple things like
email?
Your web
app
Browser
Google
Redirect to:
https://auth.google.com?
client_id=app123&
scope=public_info&
redirect_url=http://localhost/myapp/resume
https://auth.google.comhttps://auth.google.com?
client_id=app123&
scope=public_info&
...
The available scope
values and meanings
are decided by the
auth server.

app wants everything or just simple things like
email?
Google
https://auth.google.com
Grant permission to
read your public
info to app 123?
Browser
OK
Your web
app
Redirect

What's hot

How Do Search Engines Work

PromozSEO

VRAD INFO

brake02waste

Search Engine Optimization - Fundamentals - SEO

Neeraj Reddy

People using your web app also use many other online services. You'll often want to pull data from those other services into your app, or publish data from your app out to other services. In this talk, Randy will explain the terminology you need to know, share best practices and techniques for integrating, and walk through two real-world examples. You'll leave with code snippets to help you get started integrating.

Api

randyhoyt

Web Services

SHC

3 Quick accessibility wins for your site

Rian Rietveld

Mystery of Alexa and ways to Increase your Alexa Ranking

Yogesh Kumar

automatisering

plough23pan

Intro to developing for @twitterapi (updated)

Raffi Krikorian

What's happening here?

Raffi Krikorian

Intro to developing for @twitterapi

Raffi Krikorian

Consuming & embedding external content in WordPress

Akshay Raje

Hack a Facebook password

kasiomberce kasiomberce

The Good, The Bad & The Spammy IONsearch 2012

Steve Lock

What's hot (14)

How Do Search Engines Work

VRAD INFO

Search Engine Optimization - Fundamentals - SEO

Api

Web Services

3 Quick accessibility wins for your site

Mystery of Alexa and ways to Increase your Alexa Ranking

automatisering

Intro to developing for @twitterapi (updated)

What's happening here?

Intro to developing for @twitterapi

Consuming & embedding external content in WordPress

Hack a Facebook password

The Good, The Bad & The Spammy IONsearch 2012

Similar to OAuth2 in simple words

OAuth and Open-id

Parisa Moosavinezhad

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.

Stateless authentication for microservices - GR8Conf 2015

Alvaro Sanchez-Mariscal

Stateless authentication for microservices - Greach 2015

Alvaro Sanchez-Mariscal

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013

Aaron Parecki

Import google contacts with php or javascript using google contacts api and o...

Design 19

OAuth Introduction

h_marvin

Securing APIs with OAuth 2.0

Kai Hofstetter

Devteach 2017 OAuth and Open id connect demystified

Taswar Bhatti

OAuth in the Wild

Victor Rentea

UC2013 Speed Geeking: Intro to OAuth2

Aaron Parecki

Introduction to OAuth 2.0 - the technology you need but never really learned

Mikkel Flindt Heisterberg

An Introduction to OAuth 2

Aaron Parecki

Stateless Auth using OAuth2 & JWT

Gaurav Roy

Introduction to OAuth

Mikkel Flindt Heisterberg

Stateless Auth using OAUTH2 & JWT

Mobiliya

Stateless authentication for microservices applications - JavaLand 2015

Alvaro Sanchez-Mariscal

Integrating OAuth and Social Login Into Wordpress

William Tam

OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information. This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication. Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth Online Tools: - https://oauth.com/playground - https://oauthdebugger.com - https://oidcdebugger.com Never Build Auth Again → https://developer.okta.com

What the Heck is OAuth and OIDC - UberConf 2018

Matt Raible

Facebook + Ruby

Alex Koppel

Similar to OAuth2 in simple words (20)

OAuth and Open-id

Stateless authentication for microservices - GR8Conf 2015

Stateless authentication for microservices - Greach 2015

Stateless authentication for microservices - Spring I/O 2015

Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013

Import google contacts with php or javascript using google contacts api and o...

OAuth Introduction

Securing APIs with OAuth 2.0

Devteach 2017 OAuth and Open id connect demystified

OAuth in the Wild

UC2013 Speed Geeking: Intro to OAuth2

Introduction to OAuth 2.0 - the technology you need but never really learned

An Introduction to OAuth 2

Stateless Auth using OAuth2 & JWT

Introduction to OAuth

Stateless Auth using OAUTH2 & JWT

Stateless authentication for microservices applications - JavaLand 2015

Integrating OAuth and Social Login Into Wordpress

What the Heck is OAuth and OIDC - UberConf 2018

Facebook + Ruby

Recently uploaded

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

Manulife - Insurer Transformation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Recently uploaded (20)

presentation ICT roal in 21st century education

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Cyberprint. Dark Pink Apt Group [EN].pdf

Manulife - Insurer Transformation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Ransomware_Q4_2023. The report. [EN].pdf

Corporate and higher education May webinar.pptx

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

AXA XL - Insurer Innovation Award Americas 2024

AWS Community Day CPH - Three problems of Terraform

OAuth2 in simple words

2. OAuth2: Using your Google or Facebook account with other web apps

3. Redirecting the user to authentication server Your web app Browser Google Redirect to: https://auth.google.com http://localhost/myapp https://auth.google.com https://auth.google.com Redirect the user to Google, Facebook, etc.

4. User logging in and granting permission to the app Google Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc Using the access token, the web app can do things as the user. Redirect the browser to the web app. ... access_token=abc

5. But wait! Google Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc How does Google know the URL of your web app? How does Google know the name of your web app (app 123)?

6. Your web app needs to tell Google its name & resume URL at the beginning Your web app Browser Google Redirect to: https://auth.google.com ? client_id=app123& redirect_url=http://localhost/myapp/resume http://localhost/myapp https://auth.google.com ? client_id=...& redirect_url=... Your web app provides its name and resume URL to Google via the browser.

7. User logging in and granting permission to the app Google https://auth.google.com Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc ... access_token=abc

8. Acting as the user to do things (e.g., retrieve his profile info) Google https://profile.google.com Your web app https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... } May be a dedicated server for retrieving user profile.

9. However, the token is for the web app but handed to the browser Google Grant permission to app 123? Browser OK Redirect to: http://localhost/myapp/resume? access_token=abc If the browser has been hacked, the hacker can use the access token and pretend to be your web app. Your web app ... access_token=abc

10. Sending an authorization code instead of the access token Google Grant permission to app 123? Browser OK Your web app Redirect to: http://localhost/myapp/resume? code=xyz ...?code=xyz

11. The authorization code CANNOT be used to do things as the user Google https://profile.google.com Browser or hacker https://profile.google.com? clientId=app123& access_token=xyz "invalid access token"

12. The app can get an access token with the authorization code Google https://token.google.com Grant permission to app 123? Browser OK Your web app ...?code=xyz https://token.google.com? client_id=app123& client_secret=aaa code=xyz { "access_token":"abc", ... } Google Only the web app and Google know this client secret. Allow? Redirect. May be a dedicated server for getting an access token.

13. Acting as the user to do things Google https://profile.google.com Your web app http://localhost/myapp https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... }

14. The app wants everything or just simple things like email? Your web app Browser Google Redirect to: https://auth.google.com? client_id=app123& scope=public_info& redirect_url=http://localhost/myapp/resume https://auth.google.comhttps://auth.google.com? client_id=app123& scope=public_info& ... The available scope values and meanings are decided by the auth server.

15. app wants everything or just simple things like email? Google https://auth.google.com Grant permission to read your public info to app 123? Browser OK Your web app Redirect

OAuth2 in simple words

Recommended

Recommended

More Related Content

What's hot

What's hot (14)

Similar to OAuth2 in simple words

Similar to OAuth2 in simple words (20)

Recently uploaded

Recently uploaded (20)

OAuth2 in simple words