OAuth: Open Standard for Sharing
       #OpenWebTO - June 1st, 2010
the problem
password anti-pattern
Sharing without passwords.
Sites exchange user authorized tokens.
Tokens can be revoked.
Tokens can be scoped.
Tokens can be time-limited.
Terminology has changed a lot.
 These slides are old school.
some history
  12/07 - OAuth 1.0
  06/08 - OAuth 1.0a
  11/09 - OAuth WRAP
  03/10 - OAuth 2.0 Draft 1
  04/10 - RFC 5849
  05/10 - OpenID Connect
OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.

Step 1. Attacker initiates OAuth authorization and obtains a request token.
Step 2. Tricks victim into visiting an authorization URI specially crafted for nefarious purposes (in 1.0 the attacker could specify the callback in that URI).
Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
Step 5. $$$

The 1.0a fix: the consumer sends oauth_callback in the signed request-token request (the provider answers oauth_callback_confirmed=true), the authorization step no longer accepts a callback from the URI, and the provider issues an oauth_verifier at authorization that the consumer must present when exchanging the request token for an access token.
The Result
  Inconsistent implementations.
  Different fixes for older providers.
  Be aware.
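The five steps above and the 1.0a countermeasures, played out against a toy provider. This is an added example written for this page, not code from the talk or from any provider; the in-memory Provider class, the consumer name trusted-app, the hosts trusted-app.example and attacker.example, and the users are all made up. In "1.0" mode the callback is taken from the authorization URL and no verifier is needed; in "1.0a" mode oauth_callback is bound at the request-token step and oauth_verifier is required to exchange.

```python
"""The OAuth 1.0 session-fixation attack from the slides, and why the 1.0a
changes (oauth_callback bound at the request-token step, oauth_verifier required
at the access-token step) stop it. Added example for this page, not code from the
talk; the provider is a toy in-memory model and every name here (trusted-app,
attacker.example, the users) is made up."""
import secrets
from urllib.parse import parse_qs, urlsplit

CONSUMER_KEY = "trusted-app"                                  # assumption
CONSUMER_CALLBACK = "https://trusted-app.example/callback"    # assumption
ATTACKER_CALLBACK = "https://attacker.example/collect"        # assumption


class Provider:
    def __init__(self, version: str):
        assert version in ("1.0", "1.0a")
        self.version = version
        self.request_tokens = {}  # request token -> state
        self.access_tokens = {}   # access token -> user it was issued for

    def request_token(self, consumer_key: str, oauth_callback: str = None) -> str:
        """Signed consumer request. 1.0a: oauth_callback is mandatory here and is
        remembered; the provider answers oauth_callback_confirmed=true."""
        if self.version == "1.0a" and not oauth_callback:
            raise ValueError("1.0a requires oauth_callback (a URI or 'oob')")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {
            "consumer": consumer_key, "user": None, "verifier": None,
            "callback": oauth_callback if self.version == "1.0a" else None,
        }
        return token

    def authorize(self, token: str, user: str, url_callback: str = None) -> str:
        """User approves the token in the browser; returns the redirect URI.
        1.0: the callback comes from the (attacker-craftable) authorize URL.
        1.0a: any callback in the URL is ignored, the one bound at the
        request-token step is used, and a fresh verifier rides on the redirect."""
        st = self.request_tokens[token]
        st["user"] = user
        if self.version == "1.0":
            return f"{url_callback}?oauth_token={token}"
        st["verifier"] = secrets.token_urlsafe(12)
        return f"{st['callback']}?oauth_token={token}&oauth_verifier={st['verifier']}"

    def access_token(self, consumer_key: str, token: str, oauth_verifier: str = None) -> str:
        st = self.request_tokens.get(token)
        if st is None or st["consumer"] != consumer_key or st["user"] is None:
            raise PermissionError("unknown, foreign or unauthorized request token")
        if self.version == "1.0a" and (oauth_verifier is None or
                                       not secrets.compare_digest(oauth_verifier, st["verifier"])):
            raise PermissionError("1.0a: oauth_verifier missing or wrong")
        del self.request_tokens[token]  # request tokens are single use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = st["user"]
        return access


def run_attack(version: str):
    """Slide steps 1-5 against a provider of the given version. Returns the user
    whose resources the attacker ends up holding, or None if blocked."""
    provider = Provider(version)
    # Step 1: attacker starts the flow at a legitimate consumer and gets its request token.
    token = provider.request_token(CONSUMER_KEY, oauth_callback=CONSUMER_CALLBACK)
    # Steps 2-3: victim is lured to the authorize URL and approves. In 1.0 the
    # attacker put its own callback in that URL; in 1.0a the parameter is ignored.
    redirect = provider.authorize(token, user="victim", url_callback=ATTACKER_CALLBACK)
    # Step 4: attacker completes the exchange (in practice by hitting the
    # consumer's callback with the token). It only knows what it can see:
    # the token, and the verifier only if the redirect landed on its own host.
    leaked = parse_qs(urlsplit(redirect).query)
    verifier = leaked.get("oauth_verifier", [None])[0] if redirect.startswith(ATTACKER_CALLBACK) else None
    try:
        access = provider.access_token(CONSUMER_KEY, token, verifier)
    except PermissionError:
        return None
    return provider.access_tokens[access]  # Step 5: $$$


def run_legit(version: str):
    """Honest flow: the user's own browser carries the redirect to the
    consumer's callback, which reads oauth_verifier and completes the exchange."""
    provider = Provider(version)
    token = provider.request_token(CONSUMER_KEY, oauth_callback=CONSUMER_CALLBACK)
    redirect = provider.authorize(token, user="alice", url_callback=CONSUMER_CALLBACK)
    verifier = parse_qs(urlsplit(redirect).query).get("oauth_verifier", [None])[0]
    access = provider.access_token(CONSUMER_KEY, token, verifier)
    return provider.access_tokens[access]
```

run_attack("1.0") hands the attacker the victim's access token; run_attack("1.0a") fails at the exchange because the verifier only ever travels through the victim's browser to the callback bound when the consumer signed the request-token request. The same reasoning is why a 1.0a provider must refuse an oauth_callback supplied only at the authorize step.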
OAuth 1.0a Protocol Overview
Endpoint URIs
  Request Token URL
  User Authorization URL
  Access Token URL
Request a Request Token
Example: Twitter
Request:

POST /oauth/request HTTP/1.1
Host: local.eval.ca:8000
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
  oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
  oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"

Response:

oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
  oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
  oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
  oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
  oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"

Response:

oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
  oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
  oauth_callback_confirmed=true
Redirect user to Authorization URI
Twitter:

http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
Handle Callback
Twitter:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
Exchange authorized Request Token for Access Token
Example: Twitter
Request:

Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
  oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"

Response:

oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
  oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
  user_id=149686823&screen_name=freshnotifydemo
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
  oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
  oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

Response:

oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
Accessing a Protected Resource
Example: Twitter
Request:

POST /1/statuses/update.json HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
  oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

status=Ohai.

Response:

{ a lot of JSON }
Example: FreshBooks
Request:

POST /api/2.1/xml-in HTTP/1.1
...
Content-Type: application/xml
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_version="1.0",
  oauth_token="yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW"

<request method="invoice.list" />

Response:

<response status="ok">
  A bunch of XML
</response>

Note: a protected-resource request is signed with the access token and the access token secret returned by the previous step (consumer secret & token secret for PLAINTEXT), not with the request token, and it carries no oauth_verifier. A provider also rejects a nonce it has already seen for the same consumer key, token and timestamp, so a captured header cannot be replayed.
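The signing that underlies every request in the request-token, access-token and protected-resource steps above, as an added example for this page (not code from the talk, Twitter or FreshBooks). It builds the RFC 5849 signature base string, computes HMAC-SHA1 and PLAINTEXT signatures, assembles and parses the Authorization header, and verifies on the provider side with a nonce check. The HMAC-SHA1 request reuses the URL and parameters of the Twitter request-token capture above, but its consumer secret (DEMO_CONSUMER_SECRET) is a placeholder since the talk never shows it; the FreshBooks consumer secret and request-token secret are the values visible in the PLAINTEXT signatures above, so that signature can be reproduced exactly.

```python
"""OAuth 1.0a signing and verification (RFC 5849 sections 3.3 to 3.6); an added
example for this page, not code from the talk, Twitter or FreshBooks. The HMAC-SHA1
request reuses the slides' Twitter request-token capture; its consumer secret is a
placeholder (the talk never shows it). The FreshBooks PLAINTEXT secrets are the
values on the slides, so that signature is reproduced exactly."""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

TWITTER_URL = "http://local.eval.ca:8000/oauth/request"   # from the slides
TWITTER_PARAMS = {                                         # from the slides
    "oauth_nonce": "79013965", "oauth_timestamp": "1275364485",
    "oauth_consumer_key": "TgF80q20x4j4kPRTiYJOXQ",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}
DEMO_CONSUMER_SECRET = "not-the-real-twitter-secret"       # placeholder (assumption)
FRESHBOOKS_CONSUMER_SECRET = "mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS"       # from the slides
FRESHBOOKS_REQUEST_TOKEN_SECRET = "gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"  # from the slides

def pct(value) -> str:
    """RFC 5849 3.6: percent-encode everything except unreserved characters."""
    return quote(str(value), safe="-._~")

def normalize_url(url: str) -> str:
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop default ports, no query."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and (p.scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"

def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted encoded params);
    oauth_signature itself is never part of the base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """enc(consumer secret) & enc(token secret); the empty token secret at the
    request-token step is why that PLAINTEXT signature ends in a bare %26."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret="") -> str:
    key = signing_key(consumer_secret, token_secret)
    sm = params["oauth_signature_method"]
    if sm == "PLAINTEXT":
        return key  # the signature IS the secrets: only ever acceptable over TLS
    if sm == "HMAC-SHA1":
        base = signature_base_string(method, url, params).encode()
        return base64.b64encode(hmac.new(key.encode(), base, hashlib.sha1).digest()).decode()
    raise ValueError(f"unsupported oauth_signature_method {sm!r}")

def authorization_header(params: dict, signature: str, realm: str = "") -> str:
    """RFC 5849 3.5.1: values are percent-encoded again inside the header, which is
    why a PLAINTEXT signature shows '&' as %26 and base64 '=' as %3D."""
    fields = [f'realm="{realm}"'] + [f'{pct(k)}="{pct(v)}"' for k, v in params.items()]
    fields.append(f'oauth_signature="{pct(signature)}"')
    return "OAuth " + ", ".join(fields)

def parse_authorization_header(header: str) -> dict:
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for field in header[len("OAuth "):].split(","):
        k, _, v = field.strip().partition("=")
        if k != "realm":
            out[unquote(k)] = unquote(v.strip('"'))
    return out

def verify(method, url, header, consumer_secret, token_secret, seen_nonces: set) -> bool:
    """Provider side: constant-time signature check plus nonce uniqueness per
    consumer key, token and timestamp (RFC 5849 3.3), so a captured header like
    the ones on the slides cannot simply be replayed."""
    p = parse_authorization_header(header)
    nonce_key = (p["oauth_consumer_key"], p.get("oauth_token", ""), p["oauth_timestamp"], p["oauth_nonce"])
    if nonce_key in seen_nonces:
        return False
    expected = sign(method, url, p, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), p["oauth_signature"].encode()):
        return False
    seen_nonces.add(nonce_key)
    return True

def twitter_request_token_header() -> str:
    sig = sign("POST", TWITTER_URL, TWITTER_PARAMS, DEMO_CONSUMER_SECRET)
    return authorization_header(TWITTER_PARAMS, sig)

def freshbooks_access_token_signature() -> str:
    """Header-encoded PLAINTEXT signature of the slides' FreshBooks access-token
    request; PLAINTEXT ignores method and URL, so none are needed."""
    sig = sign("POST", None, {"oauth_signature_method": "PLAINTEXT"},
               FRESHBOOKS_CONSUMER_SECRET, FRESHBOOKS_REQUEST_TOKEN_SECRET)
    return pct(sig)
```

PLAINTEXT puts the consumer secret and token secret on the wire verbatim, so it is only defensible on an https endpoint; HMAC-SHA1 keeps the secrets off the wire but still needs the provider's nonce and timestamp checks to stop replay of a captured header.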
Common Questions
  What about Desktop & Mobile applications?
  What the heck is OAuth WRAP?
  What does OAuth have to do with OpenID?
  What is up with OAuth 2?
OAuth 2.0
Problems with OAuth 1.0
  Complex cryptographic requirements
  Poor user experience for desktop / mobile
  Performance at scale
OAuth 2.0
OAuth 2.0 defines authorization flows.
  User Delegation Flows
  Direct Credentials Flows
  Autonomous Flows
User Delegation Flows
  User-Agent Flow
  Web Server Flow
  Device Flow
Direct Credentials Flows
  Username and Password Flow
  Client Credentials Flow
Autonomous Flows
  Assertion Flow
OAuth 2.0
  Bearer tokens over SSL (no per-request signature, so whoever holds the token can use it; TLS is what protects it in transit)
  Simpler signatures
  Short-lived tokens with refresh tokens
  Authorization server and resource server
Progress
OAuth 2.0 is currently in its 5th version of an IETF Draft.
There are implementations in the wild including Facebook, 37 Signals and Github.
There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
So things are looking good, but as always when working with something this new...
Resources
  http://oauth.net/
  http://tools.ietf.org/html/rfc5849
  http://hueniverse.com/oauth/
  http://tools.ietf.org/html/draft-ietf-oauth-v2-07
thank you!
  Paul Osman
  paul@eval.ca

 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 

Introduction to OAuth

  • 1. OAuth: Open Standard for Sharing #OpenWebTO - June 1st, 2010
  • 7. Sharing without passwords.
       Sites exchange user authorized tokens.
       Tokens can be revoked.
       Tokens can be scoped.
       Tokens can be time-limited.
  • 9. Terminology has changed a lot. These slides are old school.
  • 11. some history
        12/07 - OAuth 1.0
        06/08 - OAuth 1.0a
        11/09 - OAuth WRAP
        03/10 - OAuth 2.0 Draft 1
        04/10 - RFC 5849
        05/10 - OpenID Connect
  • 12. OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
  • 13. Step 1. Attacker initiates OAuth authorization
  • 14. Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
  • 15. Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
  • 16. Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
  • 18. The Result
        Inconsistent implementations.
        Different fixes for older providers.
        Be aware.
  • 21. Endpoint URIs
        Request Token URL
        User Authorization URL
        Access Token URL
  • 23. Example: Twitter
        Request:
        POST /oauth/request HTTP/1.1
        Host: local.eval.ca:8000
        User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
        ...
        Content-Type: application/x-www-form-urlencoded
        Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
          oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"
        Response:
        oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
        oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
  • 24. Example: FreshBooks
        Request:
        Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
          oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
          oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
          oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"
        Response:
        oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
        oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
        oauth_callback_confirmed=true
  • 25. Redirect user to Authorization URI
        Twitter:
        http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
        FreshBooks:
        https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  • 26. Handle Callback
        Twitter:
        http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
        FreshBooks:
        http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8&oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
  • 27. Exchange authorized Request Token for Access Token
  • 28. Example: Twitter
        Request:
        Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
          oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
          oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"
        Response:
        oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
        oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
        user_id=149686823&screen_name=freshnotifydemo
  • 29. Example: FreshBooks
        Request:
        Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
          oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
          oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
          oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
          oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"
        Response:
        oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&
        oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
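The oauth_callback on slide 24, the oauth_verifier in the callback on slide 26 and the oauth_verifier presented on slide 29 are the pieces of the 1.0a fix for the session fixation attack on slides 12 to 16. The provider binds the callback when the request token is issued (that request is signed by the consumer, so a URL in the authorization link cannot change it) and sends the verifier only to that callback, so whoever started the flow still cannot finish it without the verifier. The following is an added example of that provider-side state machine, written for this page; it is not the slides' code and not how Twitter or FreshBooks implement it. Token values are generated, the TTL, the consumer-secret table and the "oob" callback convention are assumptions, and the consumer-side parse_callback helper covers the "Handle Callback" step of slide 26.

```python
"""Provider-side state machine for the OAuth 1.0a request-token dance.
Constructed example: every token value is generated here, not taken from the slides."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


class OAuthError(Exception):
    """Raised for any rejected step; a real provider maps it to HTTP 401."""


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str
    callback: str                    # bound at issue time, never read from the authorize URI
    issued_at: float = field(default_factory=time.time)
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None


class Provider:
    REQUEST_TOKEN_TTL = 600          # seconds (assumed); a request token only bookmarks one approval

    def __init__(self, consumer_secrets: dict):
        self.consumer_secrets = consumer_secrets    # consumer_key -> secret, from registration
        self.request_tokens: dict = {}

    # Slide 23/24: the consumer declares oauth_callback while asking for a request token.
    # In a real provider this request is signed with the consumer secret (see the slides'
    # Authorization headers), so only the consumer itself can choose the callback.
    def issue_request_token(self, consumer_key: str, oauth_callback: str) -> dict:
        if consumer_key not in self.consumer_secrets:
            raise OAuthError("unknown consumer")
        if oauth_callback != "oob":                 # "oob" = out-of-band, for desktop/mobile apps
            parts = urlsplit(oauth_callback)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                raise OAuthError("callback must be an absolute http(s) URL or oob")
        rt = RequestToken(token=secrets.token_urlsafe(24), secret=secrets.token_urlsafe(24),
                          consumer_key=consumer_key, callback=oauth_callback)
        self.request_tokens[rt.token] = rt
        return {"oauth_token": rt.token, "oauth_token_secret": rt.secret,
                "oauth_callback_confirmed": "true"}  # tells the consumer it has a 1.0a provider

    # Slide 25/26: the user approves. The only input from the browser is the token; an
    # oauth_callback parameter in the authorize URI is simply not accepted, which is the 1.0a fix.
    def authorize(self, oauth_token: str, user: str, now: Optional[float] = None) -> str:
        rt = self._live(oauth_token, now)
        if rt.authorized_by is not None:
            raise OAuthError("token already authorized")
        rt.authorized_by = user
        rt.verifier = secrets.token_urlsafe(16)
        if rt.callback == "oob":
            return rt.verifier                      # shown to the user to type into the app
        sep = "&" if "?" in rt.callback else "?"
        return rt.callback + sep + urlencode({"oauth_token": rt.token, "oauth_verifier": rt.verifier})

    # Slide 28/29: the verifier proves the caller is the party that received the callback.
    def exchange(self, consumer_key: str, oauth_token: str, oauth_verifier: str,
                 now: Optional[float] = None) -> dict:
        rt = self._live(oauth_token, now)
        if rt.consumer_key != consumer_key or rt.authorized_by is None:
            raise OAuthError("token not authorized for this consumer")
        if not secrets.compare_digest(rt.verifier.encode(), oauth_verifier.encode()):
            raise OAuthError("verifier mismatch")
        del self.request_tokens[oauth_token]        # single use: a replayed exchange fails
        return {"oauth_token": secrets.token_urlsafe(32),
                "oauth_token_secret": secrets.token_urlsafe(32),
                "user": rt.authorized_by}

    def _live(self, oauth_token: str, now: Optional[float]) -> RequestToken:
        rt = self.request_tokens.get(oauth_token)
        if rt is None:
            raise OAuthError("unknown request token")
        if (now if now is not None else time.time()) - rt.issued_at > self.REQUEST_TOKEN_TTL:
            del self.request_tokens[oauth_token]
            raise OAuthError("request token expired")
        return rt


def parse_callback(url: str) -> dict:
    """Consumer side of slide 26: pull oauth_token and oauth_verifier out of the redirect URL."""
    q = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in q.items() if k in ("oauth_token", "oauth_verifier")}
```

The consumer still has its own check to make when the callback arrives: the oauth_token in the redirect must match the request token it stored in the user's session before redirecting, otherwise a token somebody else obtained can be slipped into a victim's session.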
  • 31. Example: Twitter
        Request:
        POST /1/statuses/update.json HTTP/1.1
        ...
        Content-Type: application/x-www-form-urlencoded
        Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
          oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
          oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

        status=Ohai.
        Response:
        { a lot of JSON }
  • 32. Example: FreshBooks
        Request:
        POST /api/2.1/xml-in HTTP/1.1
        ...
        Content-Type: application/xml
        Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
          oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
          oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
          oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
          oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

        <request method="invoice.list" />
        Response:
        <response status="ok"> A bunch of XML </response>
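Every Authorization header on slides 23 to 32 carries an oauth_signature, and the slides show two ways of producing it: Twitter's HMAC-SHA1 and FreshBooks' PLAINTEXT. With PLAINTEXT the signature is literally the consumer secret, an ampersand and the token secret, percent-encoded (compare the slide 24 and slide 29 values); with HMAC-SHA1 the request method, URI and all parameters are normalized into a signature base string (RFC 5849 section 3.4) and MAC'd with that same key, which is what stops a captured header being reused for a different request. The block below is an added example for this page, not the slides' code and not any provider's library, covering both the client-side signing and the server-side check a provider has to perform: recompute from stored secrets, compare in constant time, reject stale timestamps, and record the nonce only once the signature is good. Keys, secrets, URLs, nonces and the 300-second window are constructed; the OAuth header layout follows the slides.

```python
"""OAuth 1.0 request signing (RFC 5849 section 3.4) and a provider-side verifier.
Constructed example: the keys, secrets, URLs and nonces here are made up, not the slides' values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value) -> str:
    # RFC 5849 3.6 encoding: only unreserved characters survive ('/' and '+' are encoded too)
    return quote(str(value), safe="-._~")

def base_string_uri(url: str) -> str:
    # 3.4.1.2: lowercase scheme and host, drop the default port, drop the query string
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    default = (scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)
    netloc = host if p.port is None or default else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path}"

def signature_base_string(method: str, url: str, oauth_params: dict, body_params=()) -> str:
    # 3.4.1: METHOD & enc(base URI) & enc(normalized params); oauth_signature itself is excluded
    params = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)                  # form-encoded body fields are part of the signature
    pairs = sorted((pct(k), pct(v)) for k, v in params)   # encode first, then sort by key, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

plaintext_signature = signing_key            # PLAINTEXT (3.4.4) is the bare key; TLS does all the work

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_authorization_header(method, url, consumer_key, consumer_secret, token=None,
                               token_secret="", body_params=(), extra=None, nonce=None, timestamp=None):
    # client side: sign the request and render the Authorization header in the form the slides show
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())), "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    params.update(extra or {})                   # oauth_callback or oauth_verifier go in here
    base = signature_base_string(method, url, params, body_params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return 'OAuth realm="", ' + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())

def parse_authorization_header(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    out = {}
    for part in rest.split(","):                 # values are percent-encoded, so no raw commas inside
        k, _, v = part.strip().partition("=")
        if k and k != "realm":
            out[k] = unquote(v.strip('"'))
    return out

class SignatureVerifier:
    # server side: recompute the signature from stored secrets, reject stale or replayed nonces
    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets, self.token_secrets, self.window = consumer_secrets, token_secrets, window
        self.seen = set()                        # (consumer, token, timestamp, nonce) already accepted

    def verify(self, method, url, header, body_params=(), now=None, over_tls=True) -> bool:
        try:
            p = parse_authorization_header(header)
            ts, consumer_key, nonce = int(p["oauth_timestamp"]), p["oauth_consumer_key"], p["oauth_nonce"]
            presented = p["oauth_signature"]
        except (ValueError, KeyError):
            return False
        if abs((now if now is not None else time.time()) - ts) > self.window:
            return False                         # outside the window: stale or badly skewed clock
        csecret, token = self.consumer_secrets.get(consumer_key), p.get("oauth_token")
        if csecret is None or (token is not None and token not in self.token_secrets):
            return False
        tsecret = self.token_secrets[token] if token else ""
        algo = p.get("oauth_signature_method")
        if algo == "HMAC-SHA1":
            expected = hmac_sha1_signature(signature_base_string(method, url, p, body_params), csecret, tsecret)
        elif algo == "PLAINTEXT" and over_tls:   # PLAINTEXT off TLS is the secret sent in the clear
            expected = plaintext_signature(csecret, tsecret)
        else:
            return False
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        key = (consumer_key, token, ts, nonce)   # record the nonce only after the signature is good,
        if key in self.seen:                     # so an unauthenticated sender cannot burn nonces
            return False
        self.seen.add(key)
        return True
```

Two things the examples on the slides leave implicit are worth noting when reading the verifier: the form body (status=Ohai.) is signed under HMAC-SHA1 but an XML body is not, so FreshBooks' XML API relies on TLS for body integrity; and the nonce table is keyed per consumer and token, since the RFC only requires a nonce to be unique per timestamp, token and consumer, not globally.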
  • 33. Common Questions
        What about Desktop & Mobile applications?
        What the heck is OAuth WRAP?
        What does OAuth have to do with OpenID?
        What is up with OAuth 2?
  • 35. Problems with OAuth 1.0
        Complex cryptographic requirements
        Poor user experience for desktop / mobile
        Performance at scale
  • 36. OAuth 2.0
        OAuth 2.0 defines authorization flows.
        User Delegation Flows
        Direct Credentials Flows
        Autonomous Flows
  • 37. User Delegation Flows
        User-Agent Flow
        Web Server Flow
        Device Flow
  • 38. Direct Credentials Flows
        Username and Password Flow
        Client Credentials Flow
  • 39. Autonomous Flows
        Assertion Flow
  • 40. OAuth 2.0
        Bearer tokens over SSL
        Simpler signatures
        Short lived tokens with refresh tokens
        Authorization server and resource server
  • 42. OAuth 2.0 is currently in its 5th version of an IETF Draft.
  • 43. There are implementations in the wild including Facebook, 37 Signals and Github.
  • 44. There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
  • 45. So things are looking good, but as always when working with something this new...
  • 47. Resources
        http://oauth.net/
        http://tools.ietf.org/html/rfc5849
        http://hueniverse.com/oauth/
        http://tools.ietf.org/html/draft-ietf-oauth-v2-07
  • 49. thank you! Paul Osman paul@eval.ca