2. Preface
• Tran Duc Thang
• 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project.
• 2011 ~ 2013: Keio University.
• 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.
3. Preface
• Have you ever logged into a website using your Google or Facebook account?
• If yes, have you ever been afraid of losing your Google or Facebook account information?
• Have you ever thought about how authentication works when you log in using a Google or Facebook account?
4. Contents
1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the scenes.
5. What is OAuth
• OAuth stands for Open Authorization.
• Authentication vs. Authorization?
• OAuth is “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”
6. History
• OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation.
• The OAuth discussion group was created in April 2007 for the small group of implementers to write the draft proposal for an open protocol.
• OAuth 1.0 was published as RFC 5849 in April 2010.
• OAuth 2.0 was published as RFC 6749 in October 2012.
8. OAuth 2: How does it work ?
• Resource Owner: the end user who owns the protected resource.
• Authorization Server: where the authorization occurs and access tokens are issued.
• Client: an application making protected resource requests on behalf of the resource owner.
• Resource Server: the server that hosts the user’s protected resources.
• Instead of using the resource owner's credentials to access protected resources, the client obtains an access token.
• Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.
• The client uses the access token to access the protected resources hosted by the resource server.
9. OAuth 2: How does it work ?
• OAuth 2 is completely different from OAuth 1 and is not backwards compatible with the OAuth 1 spec.
• OAuth 2 itself defines no encryption or request signing; it relies entirely on SSL/TLS for transport security. It uses the ‘state’ parameter to prevent CSRF attacks.
• OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) to support different types of applications.
10. OAuth 2: How does it work ?
OAuth 2 - Authorization Code Grant in details
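The authorization code grant from this slide, simulated end to end as an added example (not code from the slides or from Google/Facebook): the client issues a random 'state' and rejects any callback that does not carry it back (the CSRF check from slide 9), and the authorization server issues single-use codes bound to the client and its registered redirect URI. All names and values (demo-client, client.example, auth.example) are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration (hypothetical values, not from the slides).
CLIENTS = {"demo-client": {"secret": "demo-secret", "redirect_uri": "https://client.example/callback"}}


class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, resource owner)

    def authorize(self, client_id, redirect_uri, state, user):
        # Resource owner approved: issue a single-use code bound to client and redirect URI.
        if CLIENTS.get(client_id, {}).get("redirect_uri") != redirect_uri:
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, user)
        # state is echoed back unchanged so the client can detect a forged callback (CSRF).
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back-channel exchange: the client authenticates and the code is consumed once.
        client = CLIENTS.get(client_id)
        if client is None or client["secret"] != client_secret:
            raise PermissionError("invalid_client")
        record = self._codes.pop(code, None)  # pop: a replayed code fails
        if record is None or record[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "user": record[2]}

class Client:
    def __init__(self, client_id):
        self.client_id = client_id
        self.redirect_uri = CLIENTS[client_id]["redirect_uri"]
        self._pending = set()  # issued states awaiting a callback (the user session in a real app)

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "profile", "state": state}
        return "https://auth.example/authorize?" + urlencode(params), state

    def handle_callback(self, callback_url, server):
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self._pending:  # unknown or reused state: reject
            raise PermissionError("state mismatch")
        self._pending.discard(state)
        return server.token(self.client_id, CLIENTS[self.client_id]["secret"], qs["code"][0], self.redirect_uri)
```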
11. OAuth 2 Demo
• The Web Server Flow demo (authorization code grant type) with the Google OAuth 2.0 Playground
• Demo: Google OAuth 2.0
• Demo: Facebook OAuth 2.0
12. References
• RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)
• RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)
• OAuth Community Site (http://oauth.net/)
• OAuth Wikipedia (http://en.wikipedia.org/wiki/OAuth)
• OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)
• OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)