OAuth: Open Standard for Sharing
#OpenWebTO - June 1st, 2010
the problem
password anti-pattern
Sharing without passwords.
Sites exchange user authorized tokens.
Tokens can be revoked.
Tokens can be scoped.
Tokens can be time-limited.
Terminology has changed a lot.
These slides are old school.
some history
  12/07 - OAuth 1.0
  06/08 - OAuth 1.0a
  11/09 - OAuth WRAP
  03/10 - OAuth 2.0 Draft 1
  04/10 - RFC 5849
  05/10 - OpenID Connect
OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
Step 1. Attacker initiates OAuth authorization.
Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
Step 5. $$$
The Result
  Inconsistent implementations.
  Different fixes for older providers.
  Be aware.
OAuth 1.0a Protocol Overview
Endpoint URIs
  Request Token URL
  User Authorization URL
  Access Token URL
Request a Request Token
Example: Twitter
Request:

POST /oauth/request HTTP/1.1
Host: local.eval.ca:8000
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
  oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
  oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"

Response:

oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
  oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
  oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
  oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
  oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"

Response:

oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
  oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
  oauth_callback_confirmed=true
Redirect user to Authorization URI
Twitter:

http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
Handle Callback
Twitter:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
Exchange authorized Request Token for Access Token
Example: Twitter
Request:

Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
  oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"

Response:

oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
  oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
  user_id=149686823&screen_name=freshnotifydemo
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
  oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
  oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

Response:

oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
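The FreshBooks exchanges above show the two things OAuth 1.0a added to close the session fixation hole described earlier: the provider echoes oauth_callback_confirmed=true when it issues the request token, and the callback carries an oauth_verifier that only reaches the callback the consumer itself supplied. The consumer has its own part to play, which the slides do not spell out: it must bind the request token to the user's session and refuse a callback whose token that session never requested. The following is an added example (not the slides' code) of a consumer doing exactly that: parsing the request-token response, refusing a 1.0-only provider, building the authorization redirect, and validating the callback. The ConsumerSession store, the session ids and the provider.example URL are constructed; the token and verifier strings are the ones shown on the page.

```python
"""Consumer-side handling of the OAuth 1.0a request-token response and callback,
with the checks that close the session fixation hole: require
oauth_callback_confirmed=true, bind the request token to the user's session, and
require oauth_verifier on the callback. Added example for this page, not the
slides' code; the session store and session ids are constructed."""
import hmac
from urllib.parse import parse_qsl, quote


class CallbackError(Exception):
    """Raised when a token response or callback fails a 1.0a check."""


def parse_token_response(body):
    """Parse 'oauth_token=...&oauth_token_secret=...&oauth_callback_confirmed=true'.
    A 1.0a provider echoes oauth_callback_confirmed=true; without it the provider is
    still 1.0, will not bind our callback and will never issue a verifier."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if not fields.get("oauth_token") or not fields.get("oauth_token_secret"):
        raise CallbackError("token response lacks oauth_token or oauth_token_secret")
    fields["is_1_0a"] = fields.get("oauth_callback_confirmed") == "true"
    return fields


class ConsumerSession:
    """In-memory stand-in for the consumer's per-user session store (constructed)."""

    def __init__(self):
        self.pending = {}  # session_id -> {"token": ..., "secret": ...}

    def start_authorization(self, session_id, token_response_body, authorize_url):
        """Store the request token against the user's session and build the redirect URL."""
        fields = parse_token_response(token_response_body)
        if not fields["is_1_0a"]:
            raise CallbackError("provider did not confirm the callback; refusing the 1.0 flow")
        self.pending[session_id] = {"token": fields["oauth_token"],
                                    "secret": fields["oauth_token_secret"]}
        return f"{authorize_url}?oauth_token={quote(fields['oauth_token'], safe='')}"

    def handle_callback(self, session_id, query_string):
        """Accept the callback only if the token is the one THIS session requested and a
        verifier is present. A token the session never requested is the fixation pattern:
        someone else started the flow and is steering this user into finishing it."""
        params = dict(parse_qsl(query_string, keep_blank_values=True))
        pending = self.pending.get(session_id)
        if pending is None:
            raise CallbackError("no request token pending for this session")
        presented = params.get("oauth_token", "").encode()
        if not hmac.compare_digest(presented, pending["token"].encode()):
            raise CallbackError("oauth_token in callback is not the token this session requested")
        verifier = params.get("oauth_verifier", "")
        if not verifier:
            raise CallbackError("callback carries no oauth_verifier")
        del self.pending[session_id]  # request tokens are single-use
        return {"token": pending["token"], "secret": pending["secret"], "verifier": verifier}


def callback_outcome(session, session_id, query_string):
    """Convenience wrapper returning ('ok', credentials) or ('rejected', reason)."""
    try:
        return "ok", session.handle_callback(session_id, query_string)
    except CallbackError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    session = ConsumerSession()
    body = ("oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&"
            "oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&oauth_callback_confirmed=true")
    print(session.start_authorization("sess-1", body, "https://provider.example/oauth/authorize"))
    print(callback_outcome(session, "sess-1",
                           "oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&"
                           "oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs"))
```

The credentials returned by handle_callback are what the access-token request needs: the request token and its secret for signing, and the verifier as the oauth_verifier parameter. Deleting the pending entry on success means a second callback for the same token is rejected even if it carries a valid verifier.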
Accessing a Protected Resource
Example: Twitter
Request:

POST /1/statuses/update.json HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
  oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

status=Ohai.

Response:

{ a lot of JSON }
Example: FreshBooks
Request:

POST /api/2.1/xml-in HTTP/1.1
...
Content-Type: application/xml
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
  oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
  oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

<request method="invoice.list" />

Response:

<response status="ok">
  A bunch of XML
</response>
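Every Authorization header in the request-token, access-token and protected-resource examples above is produced by the same RFC 5849 procedure: build a signature base string from the HTTP method, the normalized base URI and the sorted, percent-encoded parameters (query string, oauth_* header parameters and form body together), then, for HMAC-SHA1, key the HMAC with the consumer secret, an ampersand, and the token secret (empty until a token exists). The Twitter examples use HMAC-SHA1, which binds the signature to the request; the FreshBooks examples use PLAINTEXT, whose "signature" is just the two secrets joined by %26, so it relies entirely on TLS. The following is an added example, not the slides' code, that goes beyond the page in one direction: it signs as a consumer and also verifies as a provider, including the timestamp window and the nonce replay check that RFC 5849 section 3.3 asks providers to perform. The consumer key/secret, token/secret, nonces, timestamps, the photos.example.net URL and the 300-second window are constructed values.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing as a consumer, and verification as a
provider with timestamp and nonce replay checks. Added example for this page, not
the slides' own code; keys, secrets, nonces and timestamps are constructed."""
import base64
import hashlib
import hmac
import os
import re
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

TIMESTAMP_WINDOW = 300  # seconds of skew tolerated; our choice, RFC 5849 leaves it to the provider


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme/host, drop default port, drop query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    is_default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    authority = host if port is None or is_default else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD '&' enc(base URI) '&' enc(normalized parameters).
    params are (name, value) pairs from the Authorization header and the form body;
    query parameters come from the URL; oauth_signature is always excluded."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in [*query, *params] if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: key = enc(consumer secret) '&' enc(token secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 body_params=(), nonce=None, timestamp=None, extra_oauth=()):
    """Consumer side: build the Authorization header. Returns (header_value, oauth_params).
    extra_oauth carries oauth_callback (request-token step) or oauth_verifier (access-token step)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or base64.urlsafe_b64encode(os.urandom(12)).decode(),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra_oauth)
    base = signature_base_string(method, url, [*oauth.items(), *body_params])
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    header = 'OAuth realm="", ' + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return header, oauth


HEADER_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization_header(header):
    """Turn 'OAuth realm="", k="v", ...' back into a dict of percent-decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    return {k: unquote(v) for k, v in HEADER_PARAM.findall(header) if k != "realm"}


class Provider:
    """Provider side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, consumer_secrets, token_secrets):
        self.consumer_secrets = consumer_secrets  # consumer_key -> consumer secret
        self.token_secrets = token_secrets        # token -> token secret
        self.seen = set()                         # (consumer_key, token, timestamp, nonce) accepted so far

    def verify(self, method, url, header, body_params=(), now=None):
        oauth = parse_authorization_header(header)
        consumer_secret = self.consumer_secrets.get(oauth.get("oauth_consumer_key", ""))
        token = oauth.get("oauth_token", "")
        if consumer_secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if token and token not in self.token_secrets:
            return False
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        now = int(time.time()) if now is None else now
        if abs(now - ts) > TIMESTAMP_WINDOW:
            return False  # stale: outside the window, so a captured request cannot be replayed later
        replay_key = (oauth["oauth_consumer_key"], token, ts, oauth.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False  # same nonce/timestamp already accepted for this consumer/token (section 3.3)
        base = signature_base_string(method, url, [*oauth.items(), *body_params])
        expected = hmac_sha1(base, consumer_secret, self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)  # record the nonce only for requests actually accepted
        return True
```

Two details matter in practice: the body parameters are part of the base string only when the request is form-encoded (the FreshBooks XML body above is not signed, which is why a request with a different XML body and the same header would still verify), and the provider records the nonce only after the signature check passes, so an unauthenticated party cannot exhaust the nonce space for a legitimate consumer.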
Common Questions
What about Desktop & Mobile applications?
What the heck is OAuth WRAP?
What does OAuth have to do with OpenID?
What is up with OAuth 2?
OAuth 2.0
Problems with OAuth 1.0
  Complex cryptographic requirements
  Poor user experience for desktop / mobile
  Performance at scale
OAuth 2.0
OAuth 2.0 defines authorization flows.
  User Delegation Flows
  Direct Credentials Flows
  Autonomous Flows
User Delegation Flows
  User-Agent Flow
  Web Server Flow
  Device Flow
Direct Credentials Flows
  Username and Password Flow
  Client Credentials Flow
Autonomous Flows
  Assertion Flow
OAuth 2.0
  Bearer tokens over SSL
  Simpler signatures
  Short lived tokens with refresh tokens
  Authorization server and resource server
Progress
OAuth 2.0 is currently in its 5th version of an IETF Draft.
There are implementations in the wild including Facebook, 37 Signals and Github.
There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
So things are looking good, but as always when working with something this new...
Resources
  http://oauth.net/
  http://tools.ietf.org/html/rfc5849
  http://hueniverse.com/oauth/
  http://tools.ietf.org/html/draft-ietf-oauth-v2-07
thank you!
  Paul Osman
  paul@eval.ca

More Related Content

What's hot

OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingOWASP Kyiv
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 

What's hot (19)

OAuth2
OAuth2OAuth2
OAuth2
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 

Viewers also liked

30種快樂的方式
30種快樂的方式30種快樂的方式
30種快樂的方式t828vp
 
Isoiec Guide 65 Ias Ac 370 General Overview
Isoiec Guide 65 Ias Ac 370 General OverviewIsoiec Guide 65 Ias Ac 370 General Overview
Isoiec Guide 65 Ias Ac 370 General Overviewrcoiner
 
Infrastrutture prioritarie __calabria[1]
Infrastrutture prioritarie __calabria[1]Infrastrutture prioritarie __calabria[1]
Infrastrutture prioritarie __calabria[1]mattone84
 
Robinson bosc2010 bio_hdf
Robinson bosc2010 bio_hdfRobinson bosc2010 bio_hdf
Robinson bosc2010 bio_hdfBOSC 2010
 
Hemmerich bosc2010 isga_ergatis
Hemmerich bosc2010 isga_ergatisHemmerich bosc2010 isga_ergatis
Hemmerich bosc2010 isga_ergatisBOSC 2010
 
Cocre art meeting ceuta
Cocre art meeting ceutaCocre art meeting ceuta
Cocre art meeting ceutaCVO-SSH
 
Bonnal bosc2010 bio_ruby
Bonnal bosc2010 bio_rubyBonnal bosc2010 bio_ruby
Bonnal bosc2010 bio_rubyBOSC 2010
 
안드로이드스터디 6
안드로이드스터디 6안드로이드스터디 6
안드로이드스터디 6jangpd007
 
Yahoo mobile & broadcast surround
Yahoo mobile & broadcast surroundYahoo mobile & broadcast surround
Yahoo mobile & broadcast surroundDevan McCoy
 
Closing Panel: Jane Comeault
Closing Panel: Jane ComeaultClosing Panel: Jane Comeault
Closing Panel: Jane ComeaultIzabela Popova
 
4 scenarios voor de toekomst van bibliotheken
4 scenarios voor de toekomst van bibliotheken4 scenarios voor de toekomst van bibliotheken
4 scenarios voor de toekomst van bibliothekenErna Winters
 
Identityworks
IdentityworksIdentityworks
Identityworksjacksm
 

Viewers also liked (20)

Cultural diff
Cultural diffCultural diff
Cultural diff
 
30種快樂的方式
30種快樂的方式30種快樂的方式
30種快樂的方式
 
Isoiec Guide 65 Ias Ac 370 General Overview
Isoiec Guide 65 Ias Ac 370 General OverviewIsoiec Guide 65 Ias Ac 370 General Overview
Isoiec Guide 65 Ias Ac 370 General Overview
 
Infrastrutture prioritarie __calabria[1]
Infrastrutture prioritarie __calabria[1]Infrastrutture prioritarie __calabria[1]
Infrastrutture prioritarie __calabria[1]
 
Robinson bosc2010 bio_hdf
Robinson bosc2010 bio_hdfRobinson bosc2010 bio_hdf
Robinson bosc2010 bio_hdf
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 Presentation
 
Hemmerich bosc2010 isga_ergatis
Hemmerich bosc2010 isga_ergatisHemmerich bosc2010 isga_ergatis
Hemmerich bosc2010 isga_ergatis
 
Teaser Fontein visie huisgroepen 2010/2011
Teaser Fontein visie huisgroepen 2010/2011 Teaser Fontein visie huisgroepen 2010/2011
Teaser Fontein visie huisgroepen 2010/2011
 
Cocre art meeting ceuta
Cocre art meeting ceutaCocre art meeting ceuta
Cocre art meeting ceuta
 
Bonnal bosc2010 bio_ruby
Bonnal bosc2010 bio_rubyBonnal bosc2010 bio_ruby
Bonnal bosc2010 bio_ruby
 
안드로이드스터디 6
안드로이드스터디 6안드로이드스터디 6
안드로이드스터디 6
 
Marcellus Shale
Marcellus ShaleMarcellus Shale
Marcellus Shale
 
Yahoo mobile & broadcast surround
Yahoo mobile & broadcast surroundYahoo mobile & broadcast surround
Yahoo mobile & broadcast surround
 
Utube
UtubeUtube
Utube
 
NRTEE: Pierre Lundahl
NRTEE: Pierre LundahlNRTEE: Pierre Lundahl
NRTEE: Pierre Lundahl
 
Closing Panel: Jane Comeault
Closing Panel: Jane ComeaultClosing Panel: Jane Comeault
Closing Panel: Jane Comeault
 
4 scenarios voor de toekomst van bibliotheken
4 scenarios voor de toekomst van bibliotheken4 scenarios voor de toekomst van bibliotheken
4 scenarios voor de toekomst van bibliotheken
 
NRTEE: Kirsten Vice
NRTEE: Kirsten ViceNRTEE: Kirsten Vice
NRTEE: Kirsten Vice
 
Louise Cohen | PROJECTS
Louise Cohen | PROJECTSLouise Cohen | PROJECTS
Louise Cohen | PROJECTS
 
Identityworks
IdentityworksIdentityworks
Identityworks
 

Similar to Introduction to OAuth

OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examplesnasza-klasa
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
WSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2
 
[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect ProtocolClément OUDOT
 

Similar to Introduction to OAuth (20)

OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
WSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2Con USA 2015: Securing your APIs: Patterns and More
WSO2Con USA 2015: Securing your APIs: Patterns and More
 
[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol
 

Recently uploaded

Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 

Recently uploaded (20)

Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
ADP Passwordless Journey Case Study.pptx

Introduction to OAuth

  • 1. OAuth: Open Standard for Sharing #OpenWebTO - June 1st, 2010
  • 7. Sharing without passwords.
    Sites exchange user authorized tokens.
    Tokens can be revoked.
    Tokens can be scoped.
    Tokens can be time-limited.
  • 9. Terminology has changed a lot. These slides are old school.
  • 11. some history
    12/07 - OAuth 1.0
    06/08 - OAuth 1.0a
    11/09 - OAuth WRAP
    03/10 - OAuth 2.0 Draft 1
    04/10 - RFC 5849
    05/10 - OpenID Connect
  • 12. OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
  • 13. Step 1. Attacker initiates OAuth authorization.
  • 14. Step 2. Tricks victim into visiting an authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
  • 15. Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
  • 16. Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
  • 18. The Result
    Inconsistent implementations.
    Different fixes for older providers.
    Be aware.
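How the 1.0a changes defeat the four steps above: the callback is fixed by the signed request-token call instead of the authorization URI, and an oauth_verifier minted at approval time must be presented to get the access token. This is an added provider-side example, not code from the slides; the Provider1a class, its token format and the callback URL are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class RequestToken:
    consumer_key: str
    callback: str            # fixed by the signed request-token call, never read from the authorize URL
    verifier: str = ""       # minted when the user approves, delivered only via that callback
    authorized_by: str = ""

class Provider1a:
    """Constructed OAuth 1.0a provider state machine for the token endpoints (not a real library)."""
    def __init__(self) -> None:
        self.request_tokens = {}    # oauth_token -> RequestToken
    def issue_request_token(self, consumer_key: str, oauth_callback: str) -> dict:
        # 1.0a: oauth_callback travels in the signed request-token request and is confirmed in the reply.
        token = secrets.token_urlsafe(24)
        self.request_tokens[token] = RequestToken(consumer_key, oauth_callback)
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}
    def authorize(self, token: str, user_id: str) -> str:
        # The user approves; the provider mints the verifier and redirects to the *registered* callback.
        rt = self.request_tokens[token]
        rt.authorized_by, rt.verifier = user_id, secrets.token_urlsafe(24)
        return f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}"
    def exchange(self, consumer_key: str, token: str, oauth_verifier: str) -> dict:
        rt = self.request_tokens.get(token)
        if rt is None or not rt.authorized_by or rt.consumer_key != consumer_key:
            raise PermissionError("unknown, unauthorized or foreign request token")
        if not secrets.compare_digest(rt.verifier, oauth_verifier):
            raise PermissionError("oauth_verifier mismatch")
        del self.request_tokens[token]                           # request tokens are single-use
        return {"oauth_token": secrets.token_urlsafe(24), "user_id": rt.authorized_by}

def simulate_fixation_attempt() -> dict:
    """Replays steps 1-4 from the slides against the 1.0a provider and reports the outcome."""
    p = Provider1a()
    rt = p.issue_request_token("legit-consumer", "https://yourapp.example/oauth/callback")  # step 1
    redirect = p.authorize(rt["oauth_token"], "victim")                                     # steps 2-3
    # The redirect (carrying the verifier) goes to the registered callback, so whoever started
    # the flow never learns the verifier; step 4 without it is refused.
    try:
        p.exchange("legit-consumer", rt["oauth_token"], "not-the-verifier")
        blocked = False
    except PermissionError:
        blocked = True
    verifier = redirect.split("oauth_verifier=")[1]        # only the victim's browser carried this
    legit = p.exchange("legit-consumer", rt["oauth_token"], verifier)
    return {"attacker_blocked": blocked, "redirect_host": redirect.split("/")[2], "user_id": legit["user_id"]}
```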
  • 21. Endpoint URIs
    Request Token URL
    User Authorization URL
    Access Token URL
  • 23. Example: Twitter
    Request:
      POST /oauth/request HTTP/1.1
      Host: local.eval.ca:8000
      User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
      ...
      Content-Type: application/x-www-form-urlencoded
      Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
        oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"
    Response:
      oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
      oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
  • 24. Example: FreshBooks
    Request:
      Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
        oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
        oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
        oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"
    Response:
      oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
      oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
      oauth_callback_confirmed=true
  • 25. Redirect user to Authorization URI
    Twitter:
      http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
    FreshBooks:
      https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  • 26. Handle Callback
    Twitter:
      http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
    FreshBooks:
      http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
        &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
  • 27. Exchange authorized Request Token for Access Token
  • 28. Example: Twitter
    Request:
      Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
        oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
        oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"
    Response:
      oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
      oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
      user_id=149686823&screen_name=freshnotifydemo
  • 29. Example: FreshBooks
    Request:
      Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
        oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
        oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
        oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
        oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"
    Response:
      oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
  • 31. Example: Twitter
    Request:
      POST /1/statuses/update.json HTTP/1.1
      ...
      Content-Type: application/x-www-form-urlencoded
      Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
        oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
        oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

      status=Ohai.
    Response:
      { a lot of JSON }
  • 32. Example: FreshBooks
    Request:
      POST /api/2.1/xml-in HTTP/1.1
      ...
      Content-Type: application/xml
      Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
        oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
        oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
        oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
        oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

      <request method="invoice.list" />
    Response:
      <response status="ok"> A bunch of XML </response>
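Computing and verifying the HMAC-SHA1 value carried in oauth_signature for the Twitter status-update request above (RFC 5849 sections 3.4.1, 3.4.2 and 3.6), as an added example that is not from the slides. The request host (api.twitter.com) and the consumer and token secrets are assumptions, since the slides show neither, so the resulting signature will not equal the slide's value.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="")

def base_string(method: str, url: str, params) -> str:
    """Signature base string (RFC 5849 section 3.4.1) from method, URL and all request parameters."""
    u = urlparse(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"                          # a non-default port stays in the base URL
    base_url = f"{scheme}://{host}{u.path or '/'}"
    # Parameters come from the query string, the form body and the Authorization header;
    # realm and oauth_signature itself are excluded, then everything is encoded and sorted.
    pairs = list(params) + parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in pairs if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    """oauth_signature for HMAC-SHA1: the key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_signature(method, url, params, consumer_secret, token_secret, presented) -> bool:
    """Provider-side check: recompute from the received parameters and compare in constant time."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# The status-update request from the Twitter slide; the host is assumed (the slide elides it).
STATUS_URL = "http://api.twitter.com/1/statuses/update.json"
STATUS_PARAMS = [
    ("oauth_nonce", "46002159"), ("oauth_timestamp", "1275366995"),
    ("oauth_consumer_key", "TgF80q21yvq4kPRWiYJOXQ"), ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_version", "1.0"),
    ("oauth_token", "149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo"),
    ("status", "Ohai."),                                  # form-body parameter, signed as well
]
# Constructed secrets: the real ones are, rightly, not on the slides.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-example", "token-secret-example"

if __name__ == "__main__":
    print(base_string("POST", STATUS_URL, STATUS_PARAMS))
    print(hmac_sha1_signature("POST", STATUS_URL, STATUS_PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

Because the body parameter status is part of the base string, a resource server that recomputes the signature detects any change to the posted status as well as to the oauth_* parameters.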
  • 33. Common Questions
    What about Desktop & Mobile applications?
    What the heck is OAuth WRAP?
    What does OAuth have to do with OpenID?
    What is up with OAuth 2?
  • 35. Problems with OAuth 1.0
    Complex cryptographic requirements
    Poor user experience for desktop / mobile
    Performance at scale
  • 36. OAuth 2.0
    OAuth 2.0 defines authorization flows.
    User Delegation Flows
    Direct Credentials Flows
    Autonomous Flows
  • 37. User Delegation Flows
    User-Agent Flow
    Web Server Flow
    Device Flow
  • 38. Direct Credentials Flows
    Username and Password Flow
    Client Credentials Flow
  • 39. Autonomous Flows: Assertion Flow
  • 40. OAuth 2.0
    Bearer tokens over SSL
    Simpler signatures
    Short lived tokens with refresh tokens
    Authorization server and resource server
  • 42. OAuth 2.0 is currently in its 5th version of an IETF Draft.
  • 43. There are implementations in the wild including Facebook, 37 Signals and Github.
  • 44. There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
  • 45. So things are looking good, but as always when working with something this new...
  • 47. Resources
    http://oauth.net/
    http://tools.ietf.org/html/rfc5849
    http://hueniverse.com/oauth/
    http://tools.ietf.org/html/draft-ietf-oauth-v2-07
  • 49. thank you! Paul Osman paul@eval.ca