The document provides an overview of the history and development of OAuth standards for authorization. It describes some of the issues with early implementations that prompted the creation of OAuth 1.0, including services storing user passwords and lack of ability to revoke access. OAuth 1.0 introduced signatures to address these issues. OAuth 2.0 replaced signatures with HTTPS and defines common flows for different use cases, including authorization code, implicit, password, and client credentials grants.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The remainder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
Discussed the general OAuth2 features. Reviewed OAuth2 roles and grant flows:
Authorization code grant flow
Implicit grant flow
Resource owner password credentials grant flow
Client credentials grant flow
Reviewed access resource flow and token refresh.
see video: https://www.youtube.com/watch?v=UPsVD-A7gP0
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, an open standard for API authentication. Originally broadcast on Justin.tv.
Shows how to be an OAuth consumer and provider from PHP (OAuth 1), including handling of tokens and secrets and the workflow for devices. Also covers the workflow for OAuth 2.
Keycloak for Science Gateways - SGCI Technology Sampler Webinar, by marcuschristie
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
JSON Web Token with digital signature. Modern authentication or authorization. Cookies are bad. Avoids man-in-the-middle attacks. No need to protect against CSRF. Stateless.
What is JWT?
When should you use JSON Web Tokens?
What is the JSON Web Token structure?
JWT Process
Pros and Cons
JWT.IO
Using JSON Web Tokens as API Keys
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
If you've ever written any code to authenticate with Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
The presentation done at Colombo White Hat Security Meetup for introducing OAuth framework to the security enthusiasts. The event details are in [1].
[1] https://www.meetup.com/Colombo-White-Hat-Security/events/255358391/
Devteach 2017 OAuth and Open id connect demystified, by Taswar Bhatti
DevTeach Montreal 2017 talk on OAuth and OpenID Connect: how the technology works, the communication channels used, the different kinds of grants in OAuth, and how OpenID Connect fits into the entire ecosystem.
InterCon 2016 - Digital identity security taking into account a..., by iMasters
Erick Tedeschi talks about digital identity security taking into account a microservice architecture at InterCon 2016.
Find out more at http://intercon2016.imasters.com.br/
What the Heck is OAuth and OIDC - UberConf 2018, by Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
3. Before OAuth
aka the Dark Ages
If a third party wanted access to an account, you’d give them your password.
aaron.pk/oauth2 @aaronpk
4. Several Problems and Limitations
Apps store the user’s password
Apps get complete access to a user’s account
Users can’t revoke access to an app except by changing their password
Compromised apps expose the user’s password
5. Before OAuth 1.0
Services recognized the problems with password authentication
Many services implemented things similar to OAuth 1.0
Each implementation was slightly different, certainly not compatible with each other
6. Before OAuth 1.0
Flickr: “FlickrAuth” frobs and tokens
Google: “AuthSub”
Facebook: requests signed with MD5 hashes
Yahoo: BBAuth (“Browser-Based Auth”)
7. “We want something like Flickr Auth / Google AuthSub / Yahoo! BBAuth, but published as an open standard, with common server and client libraries.”
Blaine Cook, April 5th, 2007
11. OAuth 1.0 Signatures
The signature base string is often the most difficult part of OAuth for newcomers to construct. The signature base string is composed of the HTTP method being used, followed by an ampersand ("&") and then the URL-encoded base URL being accessed, complete with path (but not query parameters), followed by an ampersand ("&"). Then, you take all query parameters and POST body parameters (when the POST body is of the URL-encoded type, otherwise the POST body is ignored), including the OAuth parameters necessary for negotiation with the request at hand, and sort them in lexicographical order by first parameter name and then parameter value (for duplicate parameters), all the while ensuring that both the key and the value for each parameter are URL encoded in isolation. Instead of using the equals ("=") sign to mark the key/value relationship, you use the URL-encoded form of "%3D". Each parameter is then joined by the URL-escaped ampersand sign, "%26".
Example OAuth parameters shown on the slide:
oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk", oauth_callback="http%3A%2F%2Flocalhost%3A3005%2Fthe_dance%2Fprocess_callback%3Fservice_provider_id%3D11", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323042", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_signature="8wUi7m5HFQy76nowoCThusfgB%2BQ%3D", oauth_version="1.0"
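As an added worked example (not from the slides), the base-string and HMAC-SHA1 rules quoted above implemented in Python. The request parameters and secrets below are constructed sample values, not the Twitter example on the slide, and verify_signature shows the check a server performs on the receiving side.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value):
    # RFC 5849 3.6: only ALPHA, DIGIT, "-", ".", "_", "~" pass through; every
    # other byte of the UTF-8 form becomes %XX with uppercase hex.
    return quote(str(value), safe="")


def base_url(url):
    # Scheme and host lowercase, default port dropped, query and fragment removed.
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = u.hostname or ""
    default = (scheme == "http" and u.port == 80) or (scheme == "https" and u.port == 443)
    if u.port is not None and not default:
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"


def normalize_params(params):
    # Encode key and value separately ("in isolation"), sort by encoded key and
    # then encoded value (which orders duplicate keys), join with "=" and "&".
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body_params=()):
    # Query parameters, form-encoded body parameters and the oauth_* parameters
    # (except oauth_signature itself) all go into one list before sorting.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += list(query) + list(body_params)
    # The three parts are joined by "&"; "=" and "&" inside the parameter string
    # therefore appear as %3D and %26, exactly as the slide describes.
    return "&".join([method.upper(), pct_encode(base_url(url)),
                     pct_encode(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Key is the two encoded secrets joined by "&" (token secret may be empty).
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_signature(method, url, oauth_params, consumer_secret, token_secret="",
                     body_params=()):
    # Server side: rebuild the base string from the request as received and
    # compare in constant time. A real server also rejects stale
    # oauth_timestamp values and any oauth_nonce it has already seen.
    expected = hmac_sha1_signature(
        signature_base_string(method, url, oauth_params, body_params),
        consumer_secret, token_secret)
    received = oauth_params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample request (not the Twitter example from the slide).
SAMPLE_URL = "https://api.example.com/photos?file=vacation.jpg&size=original"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"


def sign_sample():
    # Client side: compute the signature and add it to the oauth_* parameters.
    base = signature_base_string("GET", SAMPLE_URL, SAMPLE_OAUTH)
    signed = dict(SAMPLE_OAUTH)
    signed["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    return base, signed


if __name__ == "__main__":
    base, signed = sign_sample()
    print(base)
    print("verifies:", verify_signature("GET", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
```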
19. Definitions
Resource Owner: The User
Resource Server: The API
Authorization Server: Often the same as the API server
Client: The Third-Party Application
23. Web Server Apps
Authorization Code Grant
24. Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
29. User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
30. On success, user is redirected back to your site with auth code
https://example.com/auth?code=AUTH_CODE_HERE
On error, user is redirected back to your site with error code
https://example.com/auth?error=access_denied
31. Server exchanges auth code for an access token
Your server makes the following request
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
32. Server exchanges auth code for an access token
Your server gets a response like the following
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or if there was an error
{
"error":"invalid_request"
}
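As an added example (not code from the slides), the client side of slides 24 to 32 in Python: building the link, checking the redirect back, and preparing the code-for-token exchange. It uses the endpoints shown on the slides, placeholder client credentials, and adds the state parameter that RFC 6749 recommends for tying a callback to the session that started it, which the slides omit.

```python
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as shown on the slides (Facebook's). Client credentials are passed
# in by the caller; the test uses the slides' YOUR_CLIENT_ID style placeholders.
AUTHORIZE_URL = "https://facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


class OAuthError(Exception):
    """Raised for an error= callback or an {"error": ...} token response."""


@dataclass
class Token:
    access_token: str
    token_type: str
    expires_at: float              # absolute time computed from expires_in
    refresh_token: Optional[str]


class AuthCodeClient:
    def __init__(self, client_id, client_secret, redirect_uri, scope="email"):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.scope = scope
        self._pending_states = set()    # one entry per login attempt awaiting its callback

    def authorization_url(self):
        # Slide 24's link, plus a random state value (RFC 6749 10.12, not on the
        # slides) so the callback can be matched to the attempt that issued it.
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": self.scope,
                  "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def parse_callback(self, callback_url):
        # Slide 30: success carries ?code=..., failure carries ?error=...
        # Either way the state must be one we issued, and it is consumed on use,
        # so a replayed or forged callback is rejected before anything else.
        q = parse_qs(urlsplit(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self._pending_states:
            raise OAuthError("state mismatch")
        self._pending_states.discard(state)
        if "error" in q:
            raise OAuthError(q["error"][0])
        if "code" not in q:
            raise OAuthError("callback carried neither code nor error")
        return q["code"][0]

    def token_request(self, code):
        # Slide 31: the back-channel POST made by your server, never the browser,
        # because it carries the client secret. Returns (url, form body).
        body = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "client_secret": self.client_secret}
        return TOKEN_URL, urlencode(body)

    @staticmethod
    def parse_token_response(body, now=None):
        # Slide 32: either a token object or {"error": "..."}.
        data = json.loads(body)
        if "error" in data:
            raise OAuthError(data["error"])
        now = time.time() if now is None else now
        return Token(access_token=data["access_token"],
                     token_type=data["token_type"],
                     expires_at=now + int(data.get("expires_in", 0)),
                     refresh_token=data.get("refresh_token"))


if __name__ == "__main__":
    client = AuthCodeClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "https://example.com/auth")
    login_link = client.authorization_url()
    print("Log In link:", login_link)
    # Simulate the redirect back (constructed; a real one comes from the browser).
    state = login_link.rsplit("state=", 1)[1]
    code = client.parse_callback(f"https://example.com/auth?code=AUTH_CODE_HERE&state={state}")
    print("token request:", client.token_request(code))
```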
34. Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
35. User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
36. On success, user is redirected back to your site with the access token in the fragment
https://example.com/auth#token=ACCESS_TOKEN
On error, user is redirected back to your site with error code
https://example.com/auth#error=access_denied
37. Browser-Based Apps
Use the “Implicit” grant type
No server-side code needed
Client secret not used
Browser makes API requests directly
39. Password Grant
Password grant is only appropriate for trusted clients, most likely first-party apps only.
If you build your own website as a client of your API, then this is a great way to handle logging in.
40. Password Grant Type
Only appropriate for your service’s website or your service’s mobile apps.
41. Password Grant
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
47. Redirect back to your app
Facebook app redirects back to your app using a custom URI scheme.
Access token is included in the redirect, just like browser-based apps.
fb2865://authorize/#access_token=BAAEEmo2nocQBAFFOeRTd
49. Mobile Apps
Use the “Implicit” grant type
No server-side code needed
Client secret not used
Mobile app makes API requests directly
50. Grant Type Summary
authorization_code:
Web-server apps
implicit:
Mobile and browser-based apps
password:
Username/password access
client_credentials:
Application access
53. Authorization Code
User visits auth page
response_type=code
User is redirected to your site with auth code
http://example.com/?code=xxxxxxx
Your server exchanges auth code for access token
POST /token
code=xxxxxxx&grant_type=authorization_code
54. Implicit
User visits auth page
response_type=token
User is redirected to your site with access token
http://example.com/#token=xxxxxxx
Token is only available to the browser since it’s in the fragment
55. Password
Your server exchanges username/password for access token
POST /token
username=xxxxxxx&password=yyyyyyy&
grant_type=password
56. Client Credentials
Your server exchanges client ID/secret for access token
POST /token
client_id=xxxxxxx&client_secret=yyyyyyy&
grant_type=client_credentials
57. Accessing Resources
So you have an access token.
Now what?
58. Use the access token to make requests
Now you can make requests using the access token.
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Access token can be in an HTTP header or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
59. Eventually the access token will expire
When you make a request with an expired token, you will get this response
{
"error":"expired_token"
}
Now you need to get a new access token!
60. Get a new access token using a refresh token
Your server makes the following request
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token with new tokens.
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
61. Moving access into separate specs
Bearer tokens vs MAC authentication
62. Bearer Tokens
GET /1/profile HTTP/1.1
Host: api.example.com
Authorization: Bearer B2mpLsHWhuVFw3YeLFW3f2
Bearer tokens are a cryptography-free way to access protected resources.
Relies on the security present in the HTTPS connection, since the request itself is not signed.
63. Security Recommendations for Clients Using Bearer Tokens
Safeguard bearer tokens
Validate SSL certificates
Always use https
Don’t store bearer tokens in plaintext cookies
Issue short-lived bearer tokens
Don’t pass bearer tokens in page URLs
64. MAC Tokens
GET /1/profile HTTP/1.1
Host: api.example.com
Authorization: MAC id="jd93dh9dh39D",
nonce="273156:di3hvdf8",
bodyhash="k9kbtCIyI3/FEfpS/oIDjk6k=",
mac="W7bdMZbv9UWOTadASIQHagZyirA="
MAC tokens provide a way to make authenticated requests with cryptographic verification of the request.
Similar to the original OAuth 1.0 method of using signatures.
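Added example, not from the deck: signing a request with the MAC scheme shown above and verifying it on the resource server, which is exactly what a bearer token cannot offer. The id and nonce are the slide's values, the key is a constructed placeholder, and the normalized-string layout (nonce, method, URI, host, port, bodyhash, ext) is an assumption taken from the 2011 MAC draft.

```python
import base64
import hashlib
import hmac
import re

MAC_ID = "jd93dh9dh39D"                     # the id shown on the slide
MAC_KEY = b"constructed-shared-secret"      # issued with the id; never sent on the wire


def body_hash(body):
    """bodyhash attribute: base64 of SHA-1 over the raw request body."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode()


def compute_mac(key, nonce, method, uri, host, port, bhash, ext=""):
    # Normalized request string: one field per line, newline-terminated (assumed layout).
    text = "\n".join([nonce, method.upper(), uri, host.lower(), str(port), bhash, ext]) + "\n"
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()


def sign_request(key, nonce, method, uri, host, port, body=b""):
    """Client side: build the Authorization header value for one request."""
    bhash = body_hash(body)
    mac = compute_mac(key, nonce, method, uri, host, port, bhash)
    return 'MAC id="%s", nonce="%s", bodyhash="%s", mac="%s"' % (MAC_ID, nonce, bhash, mac)


def verify_request(header, method, uri, host, port, body, key_lookup):
    """Resource server side: recompute both values from what was actually
    received, so a changed URI, method, body or nonce fails the check.
    Nonce uniqueness (replay protection) is left to the caller."""
    if not header.startswith("MAC "):
        return False
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', header))
    key = key_lookup(attrs.get("id"))
    if key is None or not all(k in attrs for k in ("nonce", "bodyhash", "mac")):
        return False
    bhash = body_hash(body)
    expected = compute_mac(key, attrs["nonce"], method, uri, host, port, bhash)
    # Constant-time comparison so a verifier does not leak how many bytes matched.
    return (hmac.compare_digest(attrs["bodyhash"].encode(), bhash.encode())
            and hmac.compare_digest(attrs["mac"].encode(), expected.encode()))
```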
65. OAuth 2 Clients
Client libraries should handle refreshing the token automatically behind the scenes.
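A client that does what slides 58 to 60 and 65 describe, added here as an example rather than taken from the deck: it sends the token in the Authorization header, recognises the expired_token reply, refreshes with the refresh_token grant and retries without the caller noticing. The `transport` callable stands in for an HTTP library and is constructed so the flow can be exercised offline.

```python
import json

API_BASE = "https://api.example.com"          # from the slides
TOKEN_ENDPOINT = API_BASE + "/oauth/token"     # from the slides


class OAuth2Client:
    """Holds the token pair from the token endpoint and keeps it fresh."""

    def __init__(self, tokens, client_id, client_secret, transport):
        self.tokens = dict(tokens)                 # access_token, refresh_token, ...
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport                 # transport(method, url, headers, form) -> body
        self.refreshes = 0                         # counted so the behaviour is observable

    def refresh(self):
        """Slide 60: trade the refresh token for a new token pair. The reply's
        refresh_token replaces the stored one, which is why it must be kept around."""
        form = {"grant_type": "refresh_token",
                "refresh_token": self.tokens["refresh_token"],
                "client_id": self.client_id, "client_secret": self.client_secret}
        reply = json.loads(self.transport("POST", TOKEN_ENDPOINT, {}, form))
        if "error" in reply:
            # Refresh token revoked or expired: the user has to log in again.
            raise PermissionError("refresh failed: " + reply["error"])
        self.tokens.update(reply)
        self.refreshes += 1

    def get(self, path):
        """Slide 58's request with the token in the header, never in the URL
        (slide 63). On {"error":"expired_token"} (slide 59) refresh once and retry."""
        for first_try in (True, False):
            headers = {"Authorization": "Bearer " + self.tokens["access_token"]}
            reply = json.loads(self.transport("GET", API_BASE + path, headers, None))
            if reply.get("error") == "expired_token" and first_try:
                self.refresh()
                continue
            if "error" in reply:
                raise RuntimeError("API error: " + reply["error"])
            return reply
```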
66. Scope
Limiting access to resources
70. OAuth 2 scope
Created to limit access to the third party.
The scope of the access request expressed as a list of space-delimited strings.
In practice, many people use comma-separators instead.
The spec does not define any values, it’s left up to the implementor.
If the value contains multiple strings, their order does not matter, and each string adds an additional access range to the requested scope.
73. OAuth 2 scope on Github
https://github.com/login/oauth/authorize?client_id=...&scope=user,public_repo
user
• Read/write access to profile info only.
public_repo
• Read/write access to public repos and organizations.
repo
• Read/write access to public and private repos and organizations.
delete_repo
• Delete access to adminable repositories.
gist
• Write access to gists.
74. Proposed New UI for Twitter
by Ben Ward
http://blog.benward.me/post/968515729
76. Implementing an OAuth Server
Find a server library already written:
A short list available here: http://oauth.net/2/
Read the spec of your chosen draft, in its entirety.
These people didn’t write the spec for you to ignore it. Each word is chosen carefully.
Ultimately, each implementation is somewhat different, since in many cases the spec says SHOULD and leaves the choice up to the implementer.
Understand the security implications of the implementation choices you make.
77. Implementing an OAuth Server
Choose which grant types you want to support
Authorization Code – for traditional web apps
Implicit – for browser-based apps and mobile apps
Password – for your own website or mobile apps
Client Credentials – if applications can access resources on their own
Choose whether to support Bearer tokens, MAC or both
Define appropriate scopes for your service
78. OAuth 2 scope on your service
Think about what scopes you might offer
Don’t over-complicate it for your users
Read vs write is a good start
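Server-side scope handling for slides 70, 73 and 78, added as an example that is not part of the deck: it parses the space-delimited form from the spec as well as the comma form seen on GitHub, normalises to a set so order is irrelevant, and checks a token's scope against what an endpoint requires. The scope names and the write-implies-read rule are constructed for this example.

```python
import re

# Constructed scope catalogue for a hypothetical service: each scope maps to the
# scopes it implies. Starting from read vs write, as slide 78 suggests.
IMPLIES = {
    "profile:read": set(),
    "profile:write": {"profile:read"},
    "repo:read": set(),
    "repo:write": {"repo:read"},
}


def parse_scope(value):
    """'a b' (spec) or 'a,b' (GitHub style) -> {'a', 'b'}. Unknown names are
    rejected rather than ignored, so a typo in a request cannot be mistaken
    for a grant of something else."""
    names = {s for s in re.split(r"[ ,]+", value.strip()) if s}
    unknown = names - set(IMPLIES)
    if unknown:
        raise ValueError("unknown scope(s): " + " ".join(sorted(unknown)))
    return names


def expand(scopes):
    """Close the set under the implication rules (write implies read)."""
    result = set(scopes)
    pending = list(scopes)
    while pending:
        for implied in IMPLIES[pending.pop()]:
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def format_scope(scopes):
    """Serialise as the spec's space-delimited string, in a stable order, for
    the token response and for storage alongside the access token."""
    return " ".join(sorted(scopes))


def authorize(granted_scope, required):
    """Resource-server check: does the token's stored scope string cover the
    endpoint's requirement? False means answer 403 with insufficient_scope."""
    return required in expand(parse_scope(granted_scope))
```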
79. Mobile Applications
External user agents are best
Use the service’s primary app for authentication, like Facebook
Or open native Safari on iPhone rather than use an embedded browser
Auth code or implicit grant type
In both cases, the client secret should never be used, since it is possible to decompile the app which would reveal the secret
81. Join the Mailing List!
https://www.ietf.org/mailman/listinfo/oauth
People talk about OAuth
Keep up to date on changes
People argue about OAuth
It’s fun!
83. oauth.net Website
http://oauth.net
Source code available on Github
github.com/aaronpk/oauth.net
Please feel free to contribute to the website
Contribute new lists of libraries, or help update information
OAuth is community-driven!
It was common to see third party sites asking for your Twitter or Email passwords to log you in. Obviously you should be reluctant to hand over your login information to some other site.
The problem is that it’s really hard to get the signatures right as a third party, and you have to have a really solid understanding of them if you’re going to implement them on your server.
This led to a lot of confusion by developers both on the client and server side.
OAuth 2 recognizes the challenges of requiring signatures and nonces, and moves to a model where all data is transferred using the built-in encryption of HTTPS.
Many sites are adopting the new OAuth 2 spec.
http://windowsteamblog.com/windows_live/b/developer/archive/2011/05/04/announcing-support-for-oauth-2-0.aspx
http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html
Make sure to keep the refresh token around
Now the Javascript code can read the access token in the fragment and begin making API requests