SlideShare a Scribd company logo

Oauth Behind The Scenes

Thang Tran Duc
Thang Tran Duc

Oauth Behind The Scenes

Technology
1 of 13
Download to read offline
OAuth Behind the scenes Tran Duc Thang Framgia Vietnam
Preface • Tran Duc Thang • 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project. • 2011 ~ 2013: Keio University. • 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.
Preface • Have you ever logged into a website using your Google, or Facebook account ? • If yes, have you ever been afraid of losing your Google or Facebook account information ? • Have you ever though about how the authentication work when you logged in by using Google or Facebook account ?
Contents 1. What is OAuth ? 2. History 3. OAuth in the world 4. OAuth 2.0 How does it work ? 5. OAuth 2.0 Demo: Behind the scenes.
What is OAuth • OAuth stands for Open Authorization. • Authentication vs Authorization ? • OAuth is “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”
History • OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. • The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. • The OAuth 1.0 published as RFC 5849 in April 2010. • The OAuth 2.0 published in October 2012.
OAuth in the World OAUTH 1.0 OAUTH 2.0
OAuth 2: How does it work ? • Resource Owner: End-user • Authorization Server: Where the authorization occurs • Client: An application making protected resource requests on behalf of the resource owner. • Resource Server: Where hosts user’s resource. • Instead of using the resource owner's credentials to access protected resources, the client obtains an access token. • Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. • The client uses the access token to access the protected resources hosted by the resource server.
OAuth 2: How does it work ? • OAuth 2 is completely different to OAuth 1, and is not backwards compatible with OAuth 1 spec. • OAuth 2 itself does not have any encryption and request verification. It relies entirely on SSL/TLS. It also uses ‘state’ to prevent CSRF attacks. • OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credential) for supporting different types of applications.
OAuth 2: How does it work ? OAuth 2 - Authorization Code Grant in details
• The Web Server Flow Demo (authorization code grant type) with Google OAuth 2.0 Playground • Demo Google OAuth 2.0 • Demo Facebook Oauth 2.0 OAuth 2 Demo
References • RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849) • RFC 6749: The OAuth 2.0 Authorization Framework (http:// tools.ietf.org/html/rfc6749) • OAuth Community Site (http://oauth.net/) • OAuth Wikipedia (http://en.wikipedia.org/wiki/OAuth) • OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/ articles/oauth-20-the-good-the-bad-the-ugly--net-33216) • OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/ oauth-2-0-and-the-road-to-hell/)
Thank you for listening!

Recommended

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
open id & o-auth
open id & o-authopen id & o-auth
open id & o-authPaul Fryer
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuthAndrea Chiodoni
 
Privacy and Security
Privacy and SecurityPrivacy and Security
Privacy and SecurityVishal Chavan
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsXing (Xingheng) Wang
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 

Recommended

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
open id & o-auth
open id & o-authopen id & o-auth
open id & o-authPaul Fryer
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuthAndrea Chiodoni
 
Privacy and Security
Privacy and SecurityPrivacy and Security
Privacy and SecurityVishal Chavan
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsXing (Xingheng) Wang
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior
 
Crypto-Book SOSP WIP
Crypto-Book SOSP WIPCrypto-Book SOSP WIP
Crypto-Book SOSP WIPmahan9
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefoxReza Nurfachmi
 
Crypto-Book Hotnets
Crypto-Book HotnetsCrypto-Book Hotnets
Crypto-Book Hotnetsmahan9
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it meanMetaKave
 
Usability Testing by Deepthi
Usability Testing by DeepthiUsability Testing by Deepthi
Usability Testing by DeepthiAgile Testing Alliance
 
Grid security
Grid securityGrid security
Grid securityjosephineusha
 
Secure Objects
Secure ObjectsSecure Objects
Secure ObjectsAshutosh Jaiswal
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth WranglingKellan
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
Crypto-Book slides
Crypto-Book slidesCrypto-Book slides
Crypto-Book slidesmahan9
 
Goans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech LibraryGoans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech LibraryNational Information Standards Organization (NISO)
 
whosinithtml
whosinithtmlwhosinithtml
whosinithtmlShane Bruce
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Securing GIS data
Securing GIS dataSecuring GIS data
Securing GIS dataJoachim Van der Auwera
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
Extreme Web Exploitation
Extreme Web ExploitationExtreme Web Exploitation
Extreme Web ExploitationViral Parmar
 
OAuth
OAuthOAuth
OAuthAdi Challa
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
OAuth
OAuthOAuth
OAuthTom Elrod
 

More Related Content

What's hot

Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior
 
Crypto-Book SOSP WIP
Crypto-Book SOSP WIPCrypto-Book SOSP WIP
Crypto-Book SOSP WIPmahan9
 
Crypto-Book Hotnets
Crypto-Book HotnetsCrypto-Book Hotnets
Crypto-Book Hotnetsmahan9
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it meanMetaKave
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth WranglingKellan
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An IntroductionSteve Ivy
 
Crypto-Book slides
Crypto-Book slidesCrypto-Book slides
Crypto-Book slidesmahan9
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
Extreme Web Exploitation
Extreme Web ExploitationExtreme Web Exploitation
Extreme Web ExploitationViral Parmar
 

What's hot (19)

Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encoding
 
Crypto-Book SOSP WIP
Crypto-Book SOSP WIPCrypto-Book SOSP WIP
Crypto-Book SOSP WIP
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
Crypto-Book Hotnets
Crypto-Book HotnetsCrypto-Book Hotnets
Crypto-Book Hotnets
 
Web site hacking;what does it mean
Web site hacking;what does it meanWeb site hacking;what does it mean
Web site hacking;what does it mean
 
Usability Testing by Deepthi
Usability Testing by DeepthiUsability Testing by Deepthi
Usability Testing by Deepthi
 
Grid security
Grid securityGrid security
Grid security
 
Secure Objects
Secure ObjectsSecure Objects
Secure Objects
 
Advanced OAuth Wrangling
Advanced OAuth WranglingAdvanced OAuth Wrangling
Advanced OAuth Wrangling
 
Openid & Oauth: An Introduction
Openid & Oauth: An IntroductionOpenid & Oauth: An Introduction
Openid & Oauth: An Introduction
 
Crypto-Book slides
Crypto-Book slidesCrypto-Book slides
Crypto-Book slides
 
Goans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech LibraryGoans-Helms-IT Security at Georgia Tech Library
Goans-Helms-IT Security at Georgia Tech Library
 
whosinithtml
whosinithtmlwhosinithtml
whosinithtml
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Securing GIS data
Securing GIS dataSecuring GIS data
Securing GIS data
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
Extreme Web Exploitation
Extreme Web ExploitationExtreme Web Exploitation
Extreme Web Exploitation
 

Similar to Oauth Behind The Scenes

ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platformPham Thinh
 
Open authentication (oauth)
Open authentication (oauth)Open authentication (oauth)
Open authentication (oauth)Michael Maurice
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
SharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoSharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoLiam Cleary [MVP]
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignEric Maxwell
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfJorge Alvarez
 
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & Authorisation
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & AuthorisationBiodiversity Virtual e-Laboratory (BioVeL): Athentication & Authorisation
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & AuthorisationRenzo Kottmann
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Yury Roa
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationLiam Cleary [MVP]
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Introduction to sitecore identity
Introduction to sitecore identityIntroduction to sitecore identity
Introduction to sitecore identityGopikrishna Gujjula
 

Similar to Oauth Behind The Scenes (20)

OAuth
OAuthOAuth
OAuth
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
OAuth
OAuthOAuth
OAuth
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Api security
Api security Api security
Api security
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platform
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Open authentication (oauth)
Open authentication (oauth)Open authentication (oauth)
Open authentication (oauth)
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
SharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoSharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San Francisco
 
OAuth2.0
OAuth2.0OAuth2.0
OAuth2.0
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdf
 
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & Authorisation
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & AuthorisationBiodiversity Virtual e-Laboratory (BioVeL): Athentication & Authorisation
Biodiversity Virtual e-Laboratory (BioVeL): Athentication & Authorisation
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorization
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Introduction to sitecore identity
Introduction to sitecore identityIntroduction to sitecore identity
Introduction to sitecore identity
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Oauth Behind The Scenes

  • 1. OAuth Behind the scenes Tran Duc Thang Framgia Vietnam
  • 2. Preface • Tran Duc Thang • 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project. • 2011 ~ 2013: Keio University. • 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.
  • 3. Preface • Have you ever logged into a website using your Google, or Facebook account ? • If yes, have you ever been afraid of losing your Google or Facebook account information ? • Have you ever though about how the authentication work when you logged in by using Google or Facebook account ?
  • 4. Contents 1. What is OAuth ? 2. History 3. OAuth in the world 4. OAuth 2.0 How does it work ? 5. OAuth 2.0 Demo: Behind the scenes.
  • 5. What is OAuth • OAuth stands for Open Authorization. • Authentication vs Authorization ? • OAuth is “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”
  • 6. History • OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. • The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. • The OAuth 1.0 published as RFC 5849 in April 2010. • The OAuth 2.0 published in October 2012.
  • 7. OAuth in the World OAUTH 1.0 OAUTH 2.0
  • 8. OAuth 2: How does it work ? • Resource Owner: End-user • Authorization Server: Where the authorization occurs • Client: An application making protected resource requests on behalf of the resource owner. • Resource Server: Where hosts user’s resource. • Instead of using the resource owner's credentials to access protected resources, the client obtains an access token. • Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. • The client uses the access token to access the protected resources hosted by the resource server.
  • 9. OAuth 2: How does it work ? • OAuth 2 is completely different to OAuth 1, and is not backwards compatible with OAuth 1 spec. • OAuth 2 itself does not have any encryption and request verification. It relies entirely on SSL/TLS. It also uses ‘state’ to prevent CSRF attacks. • OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credential) for supporting different types of applications.
  • 10. OAuth 2: How does it work ? OAuth 2 - Authorization Code Grant in details
  • 11. • The Web Server Flow Demo (authorization code grant type) with Google OAuth 2.0 Playground • Demo Google OAuth 2.0 • Demo Facebook Oauth 2.0 OAuth 2 Demo
  • 12. References • RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849) • RFC 6749: The OAuth 2.0 Authorization Framework (http:// tools.ietf.org/html/rfc6749) • OAuth Community Site (http://oauth.net/) • OAuth Wikipedia (http://en.wikipedia.org/wiki/OAuth) • OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/ articles/oauth-20-the-good-the-bad-the-ugly--net-33216) • OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/ oauth-2-0-and-the-road-to-hell/)
  • 13. Thank you for listening!