Download to read offline
![Working of OAuth protocol
A Play in 3 Acts (to exchange authorization)
consumer has
Consumer key
Consumer secret
Consumer (to Service Provider):
“give me a request token”
oauth_consumer_key
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]](https://image.slidesharecdn.com/oauth-140522044435-phpapp01/75/O-auth-8-2048.jpg)
![A Play in 3 Acts (to exchange authorization)
Service Provider (to consumer):
“here is the request token(you can use it only once!)”
oauth_token (request token)
oauth_token_secret
[additional parameters]](https://image.slidesharecdn.com/oauth-140522044435-phpapp01/75/O-auth-9-2048.jpg)
![A Play in 3 Acts (to exchange authorization)
Second Act
Where the User authorizes the Request Token
Consumer (to the User):
“Please go to the Service Provider and authorize this request”
consumer ->user ->service provider
oauth_token (request token)
oauth_callback
[additional parameters]
Service Provider (to the User):
Do you authorize consumer to access your data?](https://image.slidesharecdn.com/oauth-140522044435-phpapp01/75/O-auth-10-2048.jpg)
![A Play in 3 Acts (to exchange authorization)
Service Provider (to the Consumer):
“here is the access token for the user”
oauth_token (access token)
oauth_token_secret
[additional parameters]
Now consumer accesses the resources
Consumer (to the Service Provider):
“Here i am again on behalf of the user”
oauth_consumer_key
oauth_token (access token)
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]](https://image.slidesharecdn.com/oauth-140522044435-phpapp01/75/O-auth-13-2048.jpg)
More Related Content
![OAuth [noddyCha]](https://cdn.slidesharecdn.com/ss_thumbnails/oauthbychaitanya-120507093315-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
O auth
- 1.
- 2. History Whatis OAuth Terminologies used for OAuth Working of OAuth protocol Flow Loopholes and drawbacks of Oauth OAuth 2.0 Consumer Implementation (Twitter & Xero) Contents
- 3. History OAuth startedaround November 2006, while Blaine Cook was working on the Twitter OpenID implementation. In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol. In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
- 4. What is OAuth Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party Protocol that allows to share private data hosted on x web site with y web site A way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials. A protocol for developing password less APIs Its just a skeleton, Implementation can be vendor specific In Short “your valet key for the Web”
- 5. Terminologies used forOAuth Consumer Application trying to access protected resource Service Provider website or web-service hosting protected resource User Owner of the protected data Protected Resource Images, Videos or documents hosted on web site or web-service which are protected by the user Tokens Random string of letters and numbers which is unique. Request Token, Access Token Scope Set of data hosted on service provider that user wants to share with consumer
- 6. Working of OAuthprotocol Web 2.0 means sharing data, through API Users want to access their data using many services Developers want to satisfy their users (and make it easy for them) Service providers need to keep their users data secure
- 7. Working of OAuthprotocol A Play in 3 Acts (to exchange authorization) Actors on the scene User Consumer Service Provider
- 8. Working of OAuthprotocol A Play in 3 Acts (to exchange authorization) consumer has Consumer key Consumer secret Consumer (to Service Provider): “give me a request token” oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
- 9. A Play in3 Acts (to exchange authorization) Service Provider (to consumer): “here is the request token(you can use it only once!)” oauth_token (request token) oauth_token_secret [additional parameters]
- 10. A Play in3 Acts (to exchange authorization) Second Act Where the User authorizes the Request Token Consumer (to the User): “Please go to the Service Provider and authorize this request” consumer ->user ->service provider oauth_token (request token) oauth_callback [additional parameters] Service Provider (to the User): Do you authorize consumer to access your data?
- 11. A Play in3 Acts (to exchange authorization) User (to the Service Provider): YES! (or maybe NO :-) ) Service Provider (to the User): “You can go back to the consumer” Service Provider-> User->Consumer oauth_token (request token)
- 12. A Play in3 Acts (to exchange authorization) Third Act Where the Consumer exchanges the Request Token for an Access Token Consumer (to the Service Provider): “Please give me the acces token for the user” oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
- 13. A Play in3 Acts (to exchange authorization) Service Provider (to the Consumer): “here is the access token for the user” oauth_token (access token) oauth_token_secret [additional parameters] Now consumer accesses the resources Consumer (to the Service Provider): “Here i am again on behalf of the user” oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
- 14.
- 15. Working of OAuthprotocol Site Y is the consumer and site X is service provider Site Y has consumer ID and shared secret provided by site X to all its OAuth consumers User accesses site Y and wants to share private data hosted on site X Site Y sends the request to site X with Consumer ID and shared secret and asks for Request Token Site X returns Request Token to site Y Site Y redirects user to site X Login service with the request token User enters username/password or OpenID credentials to login to site X Site X validates the credentials, create Access token associated with the request token and redirects the user to site Y with the request Token Site Y sends the request token to site X asking for Access token Site Y gets the access token to access protected resources hosted on site X (Access token is valid only for limited period of time)
- 16. Loopholes and drawbacksof OAuth Trust on Consumer is key Consumer redirects user to the correct service provider Consumer uses the private only for the specific time period OAuth specifications Skeleton does not define resource and signing algorithms used between consumer and service provider OAuth specifications does not talk about endpoint discovery, language support, XML-RPC support
- 17. OAuth 2.0 OAuth2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0, Main framework was published in October 2012. Focuses on client developer simplicity Facebook's new Graph API only supports OAuth 2.0 Google and Microsoft had added OAuth 2.0 experimental support to their APIs In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0. He points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure"
- 18.