@nabeelxy
11/02/2014
- How OAuth was born
- What problem OAuth solves
- Evolution of OAuth to the current 2.0
- OAuth 2.0 actors, client profiles, access tokens, abstract protocol and core authorization flows
Tom, Twitter App Manager: "It would be great if we could familiarize the team with the concepts of OAuth through an example client app development."

Sam, App Dev: "A good suggestion! Most services like FB, Gmail, Twitter and Dropbox provide SDKs to develop clients. Let me walk through a simple Java OAuth client for accessing Dropbox."
Sequence of the Dropbox flow (actors: Nabeel, the resource owner; dbapp_nabeel, the client app; Dropbox, which is both authorization server and host of Nabeel's dropbox a/c):
(1) Register the dbapp_nabeel app with Dropbox
(2) Dropbox issues an App Key and App Secret to the app
(3) The app provides the Authorization URL to Nabeel
(4) Nabeel opens the URL at Dropbox and requests an authorization code (approves the app)
(5) Dropbox hands the authorization code to Nabeel, who gives it to the app
(6) The app presents the authorization code and requests an access token
(7) Dropbox returns the access token
(8) The app accesses Nabeel's dropbox a/c with the access token
import com.dropbox.core.DbxAppInfo;
import com.dropbox.core.DbxAuthFinish;
import com.dropbox.core.DbxClient;
import com.dropbox.core.DbxException;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.DbxWebAuthNoRedirect;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Locale;

public class JavaDropboxExample {
    public static void main(String[] args) throws IOException, DbxException {
        // (2) App Key / App Secret issued at registration (1). Read them from the
        // environment rather than hard-coding the secret into the source.
        String dropBoxAppKey = System.getenv("DROPBOX_APP_KEY");
        String dropBoxAppSecret = System.getenv("DROPBOX_APP_SECRET");
        DbxAppInfo dbxAppInfo = new DbxAppInfo(dropBoxAppKey, dropBoxAppSecret);
        DbxRequestConfig dbxRequestConfig = new DbxRequestConfig(
                "JavaDropboxExample/1.0", Locale.getDefault().toString());

        // "NoRedirect" variant: no redirect_uri is registered; the user copies the
        // authorization code from the Dropbox page back into this program.
        DbxWebAuthNoRedirect dbxWebAuthNoRedirect =
                new DbxWebAuthNoRedirect(dbxRequestConfig, dbxAppInfo);

        // (3) Authorization URL that Nabeel opens in a browser
        String authorizeUrl = dbxWebAuthNoRedirect.start();
        System.out.println("1. Go to: " + authorizeUrl);
        System.out.println("2. Click \"Allow\" (you might have to log in first).");
        System.out.println("3. Copy the authorization code and paste it here:");

        // (5) Authorization code handed back by the user
        String dropboxAuthCode =
                new BufferedReader(new InputStreamReader(System.in)).readLine().trim();

        // (6)/(7) Exchange the code (together with the app secret) for an access token
        DbxAuthFinish authFinish = dbxWebAuthNoRedirect.finish(dropboxAuthCode);
        String authAccessToken = authFinish.accessToken;

        // (8) Access Nabeel's dropbox a/c with the access token
        DbxClient dbxClient = new DbxClient(dbxRequestConfig, authAccessToken);
        System.out.println("Linked account: " + dbxClient.getAccountInfo().displayName);
        // Further calls on the same client: dbxClient.uploadFile(..),
        // dbxClient.createFolder(..), dbxClient.getMetadataWithChildren(..),
        // dbxClient.getFile(..), ...
    }
}
- Authorization code: for apps with backend servers
- Implicit grant: for browser based client side applications (no backend server)
- Resource owner password based grants: only for very trusted applications (usually first-party applications only)
- Client credentials: for application access (i.e. the client is an application acting on its own behalf, no resource owner involved)

Caveat (current guidance): since these slides were written, the OAuth 2.0 Security Best Current Practice (RFC 9700) has deprecated the implicit and resource owner password grants; browser based and native apps are now expected to use the authorization code grant with PKCE (RFC 7636) instead.
The four messages below are the sample messages of RFC 6749 section 4.1 (the client is registered as s6BhdRkqt3 with secret gX1fBat3bV).

Authorization Request (front channel: the client redirects the user agent to the authorization server)

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Authorization Response (front channel: the authorization server redirects the user agent back to the registered redirect_uri; the client must check that the returned state equals the one it sent)

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

Access Token Request (back channel: the client authenticates with its client_id and secret using HTTP Basic, and repeats the redirect_uri so the server can check it matches the authorization request)

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Access Token Response (Cache-Control: no-store and Pragma: no-cache are required so the token is not cached; "example" is the RFC's placeholder token type, real servers return "Bearer" as defined in RFC 6750)

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
- Deep dive into each authorization flow
- Understanding required and optional fields
- Understanding the redirection based architecture
- Handling errors and failures
- Examples of the last three authorization flows
- Implement the Authorization Code flow for the full server side web application profile
- OAuth 2.0 Authorization Framework (RFC 6749)
- Getting Started with OAuth 2.0

Introduction to OAuth 2.0 - Part 2