2. Nice to meet you
Software Engineer @Colpatria Scotiabank
Making things happen!
Loves reading, programming and teaching.
@yurynino
yury.nino.roa
7. It was bad because ...
● The client and the protected resource had to share the same credentials.
● It exposed the user's password to the client application.
Taken from OAuth 2.0 in Action
8. What if we were able to have this kind of limited credential, issued separately for each client and each user combination, to be used at a protected resource?
9. OAuth is a protocol designed to do exactly that: delegation.
12. A client is a piece of software that attempts to access the protected resource on behalf of the resource owner.
Taken from OAuth 2.0 in Action
13. An access token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated.
Taken from OAuth 2.0 in Action
14. A protected resource is available through an HTTP server and it requires an OAuth token to be accessed.
Taken from OAuth 2.0 in Action
15. A resource owner is the entity that has the authority to delegate access to the client. It isn't a piece of software.
Taken from OAuth 2.0 in Action
16. An authorization server is an HTTP server that provides mechanisms for allowing resource owners to authorize clients, and issues tokens to the clients.
Taken from OAuth 2.0 in Action
17. Tokens, scopes, and authorization grants
An access token, sometimes known as just a token, is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated.
In OAuth, a token represents the combination of the client's requested access, the resource owner that authorized the client, and the rights conferred during that authorization.
A scope is a representation of a set of rights at a protected resource. Scopes are a mechanism for limiting the access granted to a client.
An authorization grant is the credential that represents the resource owner's authorization; the client presents it to the authorization server to obtain an access token (the authorization code is the most common form).
18. Are you paying attention?
1. Which components are not software?
2. Which components should know the token's content?
32. Are you paying attention?
1. How does the Resource Owner authenticate before the Authorization Server grants access to the Resource?
2. How do you think a granted authorization is revoked?
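The roles from slides 12 to 17 and the two questions above (where the resource owner authenticates, and how a grant is revoked) fit in one short simulation. The following is an added example, not code from the deck or from OAuth 2.0 in Action: in-process objects stand in for the HTTP endpoints of an authorization code flow, the client/owner/scope names are made up, and the password store and opaque-token introspection are toy stand-ins for what a real authorization server would do.

```python
# Toy model of OAuth 2.0 delegation with the four roles from the slides.
# Constructed example: no network, no real library; all identifiers are made up.
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str          # opaque string handed to the client
    client_id: str      # which client it was issued to
    owner: str          # which resource owner delegated
    scopes: frozenset   # rights conferred during the authorization
    active: bool = True


class AuthorizationServer:
    """Authenticates owners, records consent, issues grants/tokens, answers introspection."""

    def __init__(self):
        self._owners = {}    # username -> password (toy store; hash these for real)
        self._clients = {}   # client_id -> (client_secret, scopes it may request)
        self._codes = {}     # one-time authorization code -> (client_id, owner, scopes)
        self._tokens = {}    # token value -> AccessToken

    def register_owner(self, username, password):
        self._owners[username] = password

    def register_client(self, client_id, client_secret, allowed_scopes):
        self._clients[client_id] = (client_secret, frozenset(allowed_scopes))

    def authorize(self, client_id, requested_scopes, username, password):
        """Front channel: the owner logs in HERE (never at the client) and consents.
        Returns an authorization grant (one-time code) bound to this client."""
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        expected = self._owners.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            raise PermissionError("resource owner authentication failed")
        requested = frozenset(requested_scopes)
        if not requested <= self._clients[client_id][1]:
            raise PermissionError("invalid_scope")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, requested)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Back channel: the client trades the grant plus its own credentials for a
        token. The code is consumed so it cannot be replayed."""
        grant = self._codes.pop(code, None)
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(self._clients[client_id][0], client_secret):
            raise PermissionError("invalid_client")
        tok = AccessToken(secrets.token_urlsafe(32), client_id, grant[1], grant[2])
        self._tokens[tok.value] = tok
        return tok.value

    def introspect(self, token_value):
        """What a protected resource asks about an opaque token (RFC 7662 style)."""
        tok = self._tokens.get(token_value)
        if tok is None or not tok.active:
            return {"active": False}
        return {"active": True, "client_id": tok.client_id, "sub": tok.owner,
                "scope": sorted(tok.scopes)}

    def revoke(self, token_value):
        """Removing a granted authorization: the token stops working everywhere
        that checks with this server."""
        if token_value in self._tokens:
            self._tokens[token_value].active = False


class ProtectedResource:
    """Serves an owner's contacts; trusts a token only as far as the AS vouches
    for it, and enforces the scope it carries."""

    def __init__(self, auth_server, contacts_by_owner):
        self._as = auth_server
        self._contacts = contacts_by_owner

    def get_contacts(self, authorization_header):
        if not authorization_header.startswith("Bearer "):
            raise PermissionError("invalid_request")
        info = self._as.introspect(authorization_header[len("Bearer "):])
        if not info["active"]:
            raise PermissionError("invalid_token")
        if "contacts.read" not in info["scope"]:
            raise PermissionError("insufficient_scope")
        return list(self._contacts.get(info["sub"], []))


def demo():
    """End-to-end walk: returns (contacts read with the token, True if revocation took effect)."""
    auth = AuthorizationServer()
    auth.register_owner("alice", "correct horse battery staple")      # constructed
    auth.register_client("contacts-app", "s3cret", {"contacts.read"})  # constructed
    api = ProtectedResource(auth, {"alice": ["bob", "carol"]})
    code = auth.authorize("contacts-app", {"contacts.read"}, "alice", "correct horse battery staple")
    token = auth.exchange_code(code, "contacts-app", "s3cret")
    contacts = api.get_contacts("Bearer " + token)
    auth.revoke(token)
    try:
        api.get_contacts("Bearer " + token)
        return contacts, False
    except PermissionError:
        return contacts, True
```

The password is only ever passed to `AuthorizationServer.authorize`, which is the point of slide 7: the client holds a token scoped to one owner and one client, and revoking that token at the authorization server removes the delegation without touching the owner's password.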
35. OAuth 2.0 is a delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf.
Taken from OAuth 2.0 in Action
36. Real-life examples of OAuth 2.0 in action
● StackOverflow allowing you to log in with your Google account (strictly speaking this is OpenID Connect, an identity layer built on top of OAuth 2.0; OAuth 2.0 by itself is not an authentication protocol).
● Posting a status update from your phone using the Facebook app.
● LinkedIn suggesting contacts for you to add by looking at your Google contacts.
37. Fundamental to the power of OAuth 2.0 is the notion of delegation. Although OAuth 2.0 is often called an authorization protocol (and this is the name given to it in RFC 6749, which defines it), it is a delegation protocol.