The Present Future of OAuth

An exploration into the past, present and future of the OAuth protocol.

Published in: Technology, Design

  1. OAUTH
  2. MICHAEL BLEIGH PRESENTS THE PRESENT FUTURE OF OAUTH with drawings
  3. PROLOGUE
  4. MY NAME IS MICHAEL BLEIGH
  5. I WORK AT INTRIDEA
  6. ON TWITTER @MBLEIGH
  7. “HEY, WOULD ANYONE BE INTERESTED IN GIVING A TALK ABOUT OAUTH AT RAILSCONF?”
  8. “NO WAY, I MIGHT FALL ASLEEP WHILE SPEAKING”
  9. “HMM...I’D BETTER ADD SOME DRAWINGS.”
  10. THIS TALK IS ABOUT OPEN WEB STANDARDS
  11. ACT I IN WHICH THE PROBLEM IS DESCRIBED
  12. IN THE BEGINNING, THERE WERE WEB APPS
  13. WEB APP
  14. WEB APP
  15. WEB APP A   WEB APP B
  16. “HEY, MY USERS WANT TO ACCESS YOUR STUFF.”   WEB APP A   WEB APP B
  17. WEB APP A   WEB APP B + API
  18. HTTP BASIC
  19. http://user:password@...   Authorization: Basic dXNlcjpwYXNzd29yZA==
  20. OK, HERE’S THE KEYS.   WEB APP A   WEB APP B + API
  21. WEB APP A   WEB APP B + API
  22. WEB APP A   WEB APP B + API
  23. FUBAR FAILED USER BAR FOR AUTHORIZATION ROBUSTNESS *COUGH*
  24. THIS IS A PROBLEM
  25. ACT 2 IN WHICH A NEW WAY IS CREATED
  26. CHRIS MESSINA BLAINE COOK LARRY HALFF DAVID RECORDON
  27. “HEY, WOULDN’T IT BE GREAT TO HAVE AN OPEN AUTHORIZATION STANDARD”
  28. “TOTALLY, LET’S MAKE ONE AND CALL IT OAUTH.”
  29. FOOTAGE MISSING
  30. WEB APP A   WEB APP B
  31. WEB APP A   WEB APP B
  32. “HEY, MY USER WANTS TO ACCESS YOUR STUFF.”   WEB APP A   WEB APP B
  33. WEB APP A   WEB APP B
  34. WEB APP A   WEB APP B
  35. “WHAT’S YOUR PASSWORD?” “PASSWORD”   WEB APP A   WEB APP B
  36. WEB APP A   WEB APP B
  37. WEB APP A   WEB APP B
  38. ADVANTAGES
  39. 1. SECURE
  40. 2. RESTRICTABLE   “DELETE ALL USER DATA” “UMMM....NO”   WEB APP A   WEB APP B
  41. 3. REVOCABLE   WEB APP B
  42. 4. STANDARD   WEB APP A   WEB APP C   WEB APP D   WEB APP E   WEB APP F
  43. NOT QUITE PERFECT
  44. 1. COMPLICATED   WEB APP A: “OK, SO IT’S FIST BUMP, DOUBLE-HIGH FIVE...”   WEB APP B: “NO NO, FIRST YOU REVERSE LOW FIVE...”
  45. 2. BROWSER-DEPENDENT ?
  46. 2. BROWSER-DEPENDENT
  47. WE CAN DO BETTER
  48. ACT 3 IN WHICH WE LEARN FROM OUR MISTAKES
  49. OAUTH 2.0
  50. IMPROVEMENTS
  51. 1. SIMPLER   WEB APP A <SSL> WEB APP B
  52. 2. FLOWS
  53. WEB SERVER   WEB APP A   WEB APP B
  54. USER-AGENT   WEB APP A
  55. DEVICE   WEB APP A   SET-TOPPER
  56. PASSWORD WEB APP A
  57. PASSWORD WEB APP A
  58. PASSWORD WEB APP A
  59. PASSWORD WEB APP A
  60. PASSWORD WEB APP A
  61. CLIENT CREDENTIALS   WEB APP A   WEB APP B
  62. ASSERTION   CERTIFICATE OF AUTHENTICITY   WEB APP A   WEB APP B
  63. FLEXIBILITY
  64. ACT 4 IN WHICH WE GET DOWN TO BUSINESS
  65. WHO’S DOING IT RIGHT NOW?
  66. WHO WILL BE DOING IT SOON?
  67. WHO WILL BE DOING IT SOON? YOU
  68. CONSUMING OAUTH 2.0
  69. # in Gemfile
      gem 'oauth2'

      $ rails g controller oauth

      # in routes.rb
      resource :oauth, :controller => 'oauth' do
        get :start
        get :callback
      end
  70. class OauthController < ApplicationController
        # Step 1 of the "web server" flow: send the user to GitHub's authorization page.
        # No state parameter is passed here; the spec's state value is what lets the
        # callback reject a redirect this session never started.
        def start
          redirect_to client.web_server.authorize_url(
            :redirect_uri => callback_oauth_url(:format => 'json'),
            :scope        => 'user'
          )
        end

        # Step 2: GitHub redirects back with ?code=...; swap it for an access token
        # server-to-server, so the client secret never reaches the browser.
        def callback
          access_token = client.web_server.get_access_token(
            params[:code],
            :redirect_uri => callback_oauth_url(:format => 'json')
          )
          # you should store the access token info now.
          render :json => access_token.get('/api/v2/json/user/show')
        end

        protected

        # oauth2 gem (0.x API). The client id and secret appear inline here as on
        # the slide; in a real app the secret belongs in configuration, not source.
        def client
          @client ||= OAuth2::Client.new(
            '296e901b0e6ab74db167',
            '625fe65c7f74ee4a015d121efb011a45776d510d',
            :site              => 'https://github.com',
            :authorize_path    => '/login/oauth/authorize',
            :access_token_path => '/login/oauth/access_token'
          )
        end
      end
  71. PROVIDING OAUTH 2.0
  72. READ THE SPEC http://bit.ly/oauth2-spec
  73. NO SERIOUSLY, READ THE SPEC http://bit.ly/oauth2-spec
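Slide 44 calls OAuth 1.0 "complicated" because every API call has to be signed. The following is an added example, not code from the talk or from Intridea: a minimal OAuth 1.0 HMAC-SHA1 signer and verifier in plain Ruby (the language of the slides' own code), exercised on the photos.example.net request that the OAuth Core 1.0 specification itself uses as its worked example. The module and method names (OAuth1.base_string, sign, signed_params, verify) and the seen_nonces store are this example's own.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Added example (not from the talk): the OAuth 1.0 signing dance the slides
# call "complicated". Every request carries an HMAC-SHA1 over a "signature
# base string" built from method, base URL and all parameters, each piece
# percent-encoded, then the whole thing percent-encoded again.
module OAuth1
  # OAuth 1.0 percent-encoding: only unreserved characters pass through.
  def self.encode(s)
    s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # METHOD & encode(base URL) & encode(sorted "k=v&k=v" of every parameter,
  # query-string parameters included, oauth_signature excluded).
  def self.base_string(method, url, params)
    uri = URI.parse(url)
    base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{uri.path}"
    query = uri.query ? Hash[URI.decode_www_form(uri.query)] : {}
    normalized = query.merge(params)
                      .reject { |k, _| k == 'oauth_signature' }
                      .map { |k, v| [encode(k), encode(v)] }
                      .sort
                      .map { |k, v| "#{k}=#{v}" }
                      .join('&')
    [method.upcase, encode(base_url), encode(normalized)].join('&')
  end

  # Key is consumer secret & token secret (each encoded); output is base64.
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params)))
  end

  # Client side: attach the oauth_* protocol parameters, then sign the lot.
  def self.signed_params(method, url, params, consumer_key, consumer_secret,
                         token, token_secret, nonce:, timestamp:)
    all = params.merge(
      'oauth_consumer_key' => consumer_key, 'oauth_token' => token,
      'oauth_nonce' => nonce, 'oauth_timestamp' => timestamp.to_s,
      'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0'
    )
    all.merge('oauth_signature' => sign(method, url, all, consumer_secret, token_secret))
  end

  # Server side: check freshness, refuse a replayed nonce, recompute the
  # signature and compare in constant time. seen_nonces is whatever store
  # the server keeps (an Array here, for the example).
  def self.verify(method, url, received, consumer_secret, token_secret,
                  seen_nonces, now: Time.now.to_i, window: 300)
    sig = received['oauth_signature']
    ts  = received['oauth_timestamp'].to_i
    return false if sig.nil? || (now - ts).abs > window
    nonce_key = [received['oauth_consumer_key'], ts, received['oauth_nonce']]
    return false if seen_nonces.include?(nonce_key)
    expected = sign(method, url, received, consumer_secret, token_secret)
    return false unless secure_equal?(expected, sig)
    seen_nonces << nonce_key
    true
  end

  # Constant-time comparison so signature checks do not leak by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Everything the server checks (timestamp window, single-use nonce, the recomputed HMAC) has to be carried by every single request, and any disagreement about encoding, sorting or which parameters count breaks the signature; that is the double-high-five on slide 44, and the reason OAuth 2.0 drops signing in favour of a bearer token over SSL.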

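Slides 53 and 69-70 hand the OAuth 2.0 "web server" flow to the oauth2 gem. As an added example, not from the talk or the gem, here are both sides of that flow in plain Ruby with no network: an authorization server that issues a single-use, short-lived code bound to a registered redirect_uri, and a client that mints a state value on /start and refuses any callback that does not echo it. The class names, URLs, the "app-a" client, the 60-second code lifetime and the error strings are assumptions of the example.

```ruby
require 'securerandom'
require 'uri'

# Added example (not from the talk or the oauth2 gem): the OAuth 2.0
# "web server" flow with both parties in one process and no network.
# Class names, URLs, lifetimes and error strings are this example's own.

class AuthorizationServer
  Code = Struct.new(:client_id, :redirect_uri, :scope, :user, :expires_at, :used)

  def initialize(now: -> { Time.now.to_i })
    @clients, @codes, @tokens, @now = {}, {}, {}, now
  end

  def register(client_id, secret, redirect_uris)
    @clients[client_id] = { secret: secret, redirect_uris: redirect_uris }
  end

  # Step 1: after the user approves, send them back with a short-lived,
  # single-use code and the client's state echoed exactly as received.
  def authorize(client_id:, redirect_uri:, scope:, state:, user:)
    client = @clients[client_id]
    raise 'unknown client' unless client
    # Exact match only: a looser redirect_uri check lets an attacker's URL receive the code.
    raise 'redirect_uri not registered' unless client[:redirect_uris].include?(redirect_uri)
    code = SecureRandom.hex(16)
    @codes[code] = Code.new(client_id, redirect_uri, scope, user, @now.call + 60, false)
    "#{redirect_uri}?#{URI.encode_www_form(code: code, state: state)}"
  end

  # Step 2: the client's server trades the code plus its secret for a token.
  def token(client_id:, client_secret:, code:, redirect_uri:)
    client = @clients[client_id]
    return error('invalid_client') unless client && client[:secret] == client_secret
    c = @codes[code]
    return error('invalid_grant') if c.nil? || c.used || c.expires_at < @now.call
    # The code only works for the client and redirect_uri it was issued to.
    return error('invalid_grant') unless c.client_id == client_id && c.redirect_uri == redirect_uri
    c.used = true
    token = SecureRandom.hex(16)
    @tokens[token] = { user: c.user, scope: c.scope }
    { 'access_token' => token, 'token_type' => 'bearer', 'scope' => c.scope }
  end

  # The protected API: the bearer token is the whole credential, hence SSL only.
  def api_user_show(token)
    t = @tokens[token]
    t ? { 'login' => t[:user], 'scope' => t[:scope] } : error('invalid_token')
  end

  private

  def error(code)
    { 'error' => code }
  end
end

class ClientApp
  CALLBACK = 'https://app-a.example/oauth/callback'

  def initialize(server, client_id, client_secret)
    @server, @id, @secret = server, client_id, client_secret
    @session = {} # stands in for the user's server-side session
  end

  # /oauth/start: mint an unguessable state, keep it in the session, redirect.
  def start
    @session[:oauth_state] = SecureRandom.hex(16)
    { client_id: @id, redirect_uri: CALLBACK, scope: 'user', state: @session[:oauth_state] }
  end

  # /oauth/callback: reject any code not carrying the state this session issued
  # (otherwise an attacker's code can bind this session to their account),
  # then exchange the code server-to-server and call the API with the token.
  def callback(query_string)
    params = Hash[URI.decode_www_form(query_string)]
    expected = @session.delete(:oauth_state)
    mismatch = { 'error' => 'state_mismatch' }
    return mismatch if expected.nil? || params['state'] != expected
    resp = @server.token(client_id: @id, client_secret: @secret,
                         code: params['code'], redirect_uri: CALLBACK)
    resp['error'] ? resp : @server.api_user_show(resp['access_token'])
  end
end

# Drive one complete exchange. An optional block may rewrite the redirect's
# query string before it reaches the callback (to simulate tampering).
def run_flow(user: 'alice', now: -> { Time.now.to_i })
  server = AuthorizationServer.new(now: now)
  server.register('app-a', 's3cret', [ClientApp::CALLBACK])
  client = ClientApp.new(server, 'app-a', 's3cret')
  redirect = server.authorize(**client.start.merge(user: user))
  query = URI(redirect).query
  query = yield(query) if block_given?
  [client.callback(query), server, query]
end
```

run_flow returns the API result for the happy path; passing a block that rewrites the redirect query is how the state check, code expiry and code reuse can be exercised without a browser. Compared with the OAuth 1.0 signing above, the only per-request credential here is the bearer token, which is why the talk pairs "simpler" with the SSL arrow on slide 51.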