An OAuth 1.0 presentation I gave to an Italian TLC Telco, before the OAuth consortium joined the IETF.
It also shows some differences and combinations with OpenID.
2. What's OAuth?
• An open protocol to allow secure API authorization in a simple and standard method for mobile, desktop and web applications;
• a protocol for developing password-less APIs;
• a way for an application to interact with an API on a user's behalf without knowing the user's authentication credentials.
3. Hypothetical Scenarios
[Diagram: two scenarios, each drawn with an End User, a Consumer and a Service Provider]
• "Import pictures from Picasa into Virgilio Photo Album"
• "Allow Dailymotion read Virgilio's User data"
5. B2B shared information
• Consumer Key: a value used by the Consumer to identify itself to the Service Provider;
• Consumer Secret: a secret used by the Consumer to establish ownership of the Consumer Key;
• The Consumer establishes a Consumer Key and a Consumer Secret with the Service Provider to be authenticated; the Consumer needs to be registered!
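Added example (my own Python, not part of the slides): how the Consumer Key and Consumer Secret from this slide are actually used in OAuth 1.0. The key travels in every request as oauth_consumer_key; the secret never leaves the Consumer and only keys an HMAC-SHA1 signature over the normalized request, which the Service Provider recomputes from its own copy of the secret. Function names and the in-memory registry dict are assumptions; the fixed request, keys and nonce are the example values from Appendix A of the OAuth 1.0 specification, so the output can be checked against it.

```python
"""OAuth 1.0 HMAC-SHA1 request signing (Consumer) and verification (Service Provider)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="~")


def normalize_url(url):
    """Lower-case scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """Build 'METHOD&enc(url)&enc(sorted k=v pairs)'; params must exclude oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC key is 'enc(consumer_secret)&enc(token_secret)'; the token secret may be empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: return the oauth_* parameters, signature included."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    return {**oauth, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}


def verify_request(method, url, params, oauth_params, consumer_secrets, token_secret=""):
    """Service Provider side: look up the secret registered for the presented Consumer Key,
    recompute the signature and compare in constant time. An unregistered key, a wrong
    secret or any altered parameter makes the recomputed signature differ."""
    secret = consumer_secrets.get(oauth_params.get("oauth_consumer_key", ""))
    if secret is None:
        return False
    to_sign = {k: v for k, v in {**params, **oauth_params}.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, to_sign), secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Fixed values taken from the OAuth 1.0 specification's Appendix A walk-through.
SPEC_URL = "http://photos.example.net/photos"
SPEC_QUERY = {"file": "vacation.jpg", "size": "original"}
SPEC_CONSUMER_KEY = "dpf43f3p2l4k3l03"
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN = "nnch734d00sl2jdk"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def spec_example_signature():
    """Sign the Appendix A request with its fixed nonce and timestamp."""
    return sign_request("GET", SPEC_URL, SPEC_QUERY, SPEC_CONSUMER_KEY, SPEC_CONSUMER_SECRET,
                        token=SPEC_TOKEN, token_secret=SPEC_TOKEN_SECRET,
                        nonce="kllo9940pd9333jh", timestamp=1191242096)


if __name__ == "__main__":
    signed = spec_example_signature()
    print(signed["oauth_signature"])  # tR3+Ty81lMeYAr/Fid0kMTYa/WM=
    registry = {SPEC_CONSUMER_KEY: SPEC_CONSUMER_SECRET}  # assumed provider-side registration store
    print(verify_request("GET", SPEC_URL, SPEC_QUERY, signed, registry, SPEC_TOKEN_SECRET))
```

The registry stands in for the registration step the slide insists on: a request whose oauth_consumer_key is not registered is rejected before any signature work, and because the Provider recomputes over every parameter, the Consumer Key cannot be reused with a different secret or on a modified request.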
6. OpenID & OAuth
• OpenID: helps determine who you are - AUTHENTICATION;
• OAuth: defines how to give access to protected data - AUTHORIZATION;
• They are complementary; a site that supports OAuth could also support OpenID for authentication!!!
8. OAuth is Production Ready!!!
• Google
• Yahoo!
• MySpace
• Digg
• Twitter
• Magnolia
• Plaxo
... and much more!
9. OAuth community
• Led by Brian Cook & Chris Messina;
• Active Google group: http://groups.google.com/group/oauth/
• Blog: http://blog.oauth.net/
• Many available implementations from open-source communities: Java - C# - JavaScript - Perl - PHP ...