OAuth 2.0
October 2015
OAuth 2.0
What I will cover:
 Brief overview of OAuth 2.0
 How all the concepts fit together
 How you can use OAuth in your own projects
 e.g. APIs, identity provider etc
 Implementing Facebook login into your projects
The players
 User (resource owner): owns private data in the Resource Server (eg. personal details, photos) and decides which clients may access it
 Client: the 3rd-party website or app that wants to access the user's data in the Resource Server
 Resource Server (RS): stores the data and provides access to it via REST API endpoints, only to callers presenting a valid token
 Service Provider (SP): the party the client registers with; runs the /authorize and /token endpoints that issue tokens (often the same organisation as the RS)
Preliminary
 Before anything happens, Client is registered with Service Provider so SP can recognize it
 Registration also pins the Client's redirect_uri, so the SP can refuse to send codes anywhere else
 Client is given a “client_id” and a “client_secret” (the secret key)
 The client secret MUST never be exposed in public.
 Keep it within your server-side PHP code – never in client-side code eg. javascript, HTML or a mobile app binary, all of which the user can read
Authorization Grant
 3rd party website (aka client or application) wants to access data owned by User but stored in Resource Server
 Resource Server provides an endpoint so a client can get data
 GET /me/photo → returns a private photo of User
 RS won't just give access to anyone. User must authorize client to access private data
 Service Provider (SP) provides 2 endpoints to facilitate authorization
 GET /authorize ← Use first (front channel: the User's browser is sent here)
 POST /token ← What client actually wants (back channel: the client's server calls it directly)
Authorization
 Client will redirect user to SP's website @ /authorize endpoint.
 User is no longer at client's website
 GET /authorize
 Query parameters:
 “response_type” = 'code'
 “client_id” = <CLIENT_ID>
 “redirect_uri” = <REDIRECT_URI> (must match the one registered with the SP)
 “scope” = <what permissions client is asking user to give it>
 “state” = <unguessable random value the client stores in the user's session>
 SP will check if User gives Client permission. Either User had given permission in the past OR it will be asked to authorize
 SP will redirect user to <REDIRECT_URI> (an endpoint on client's website). A “code” will be given. Or an “error”. These are query parameters, e.g. code=298e63d823b86e52a95
 The SP echoes “state” back unchanged. The client MUST compare it with the value in the session and reject the callback if it differs or is missing; without this check an attacker can finish the flow in the victim's browser with a code from the attacker's own account (CSRF against the redirect endpoint)
Token
 That redirect endpoint isn't just an ordinary website URL. It must expect a code (or error) being returned amongst its query parameters
 If there is no error, the client must quickly request a token: codes are short-lived (the spec recommends at most 10 minutes) and single-use
 POST /token (sent from the client's server, not from the browser, which is why the secret can be included)
 “client_id” = <CLIENT_ID>
 “client_secret” = <SECRET KEY>
 “grant_type” = 'authorization_code'
 “code” = <CODE FROM PRIOR REQUEST>
 “redirect_uri” = <SAME AS BEFORE>
 Returns a JSON object with “access_token”, “token_type” and “expires_in” (seconds until expiry) OR an “error”, e.g.
{"access_token": "206c80413b9a96c1384463edd", "token_type": "bearer", "expires_in": 3600}
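The exchange the three slides above describe (Authorization Grant, Authorization, Token), as an added example in Python that is not part of the original deck (the deck's own code is PHP). A hypothetical in-memory ServiceProvider class plays the SP's /authorize and /token endpoints so the flow runs offline; the client_id, client_secret, redirect URI, SP host and user name are constructed values, and the state check, single-use codes and 10-minute code lifetime are what the spec requires rather than anything the slides show.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Client registration, done out of band before any flow starts (constructed values).
CLIENT_ID, CLIENT_SECRET = "app123", "s3cr3t-never-in-js"
REDIRECT_URI = "https://client.example/oauth/callback"
SP_BASE = "https://sp.example"


class ServiceProvider:
    """Hypothetical in-memory SP: the /authorize and /token endpoints of the slides."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> who it was issued to and when
        self.tokens = {}   # access_token -> client, user, scope, expiry

    def authorize(self, query, user, approved=True):
        """GET /authorize. Returns the URL the user's browser is redirected to."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        # Never redirect to an unregistered URI: the code would leak to whoever chose it.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        if q.get("response_type") != "code":
            params = {"error": "unsupported_response_type"}
        elif not approved:
            params = {"error": "access_denied"}
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "scope": q.get("scope", ""), "user": user, "issued": time.time()}
            params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]        # echoed back untouched
        return client["redirect_uri"] + "?" + urlencode(params)

    def token(self, form):
        """POST /token, called server-to-server. Returns the JSON body as a string."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return json.dumps({"error": "invalid_client"})
        if form.get("grant_type") != "authorization_code":
            return json.dumps({"error": "unsupported_grant_type"})
        rec = self.codes.pop(form.get("code"), None)          # pop: codes are single-use
        if (rec is None or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")
                or time.time() - rec["issued"] > 600):        # ...and short-lived
            return json.dumps({"error": "invalid_grant"})
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": rec["client_id"], "user": rec["user"],
                            "scope": rec["scope"], "expires_at": time.time() + 3600}
        return json.dumps({"access_token": tok, "token_type": "bearer", "expires_in": 3600})


def build_authorize_url(session, scope):
    """Client step 1: mint a state value, keep it in the user's session, send the user off."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": session["oauth_state"]}
    return SP_BASE + "/authorize?" + urlencode(params)


def handle_callback(sp, session, callback_url):
    """Client step 2: the redirect endpoint. Check state, then trade the code for a token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)               # one-shot value
    if expected is None or not secrets.compare_digest(expected, q.get("state", "")):
        raise ValueError("state mismatch: callback was not started by this session (CSRF)")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    form = {"grant_type": "authorization_code", "code": q.get("code", ""),
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}
    resp = json.loads(sp.token(form))     # a real client would HTTPS-POST this form
    if "error" in resp:
        raise ValueError("token request failed: " + resp["error"])
    return resp


def run_flow(approved=True, user="alice"):
    """Drive the whole exchange once; returns (sp, token response dict)."""
    sp, session = ServiceProvider(), {}
    url = build_authorize_url(session, "user_photos")
    callback = sp.authorize(urlparse(url).query, user=user, approved=approved)
    return sp, handle_callback(sp, session, callback)
```

run_flow() drives one complete round trip. The failures worth watching are a callback whose state does not match the session, a denied authorization, a replayed code, and a wrong client_secret at /token: each surfaces as an error rather than a token, which is the behaviour a real SP and client must both have.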
Making API requests
 Now that you have a token, you can make API requests to the Resource Server. Send it as a bearer token, normally in an Authorization: Bearer <token> header
 User can revoke authorization anytime
 Token can expire (which means Client has to go through the process of getting a new token, or use a refresh token if the SP issued one)
 The SP keeps a registry of all the non-expired tokens and the corresponding client and scope permissions; the RS checks each request's token against it, rejecting expired or revoked tokens (401) and tokens whose scope doesn't cover the endpoint (403)
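What the Resource Server does with the token on each call, as an added example in Python (not from the deck, whose code is PHP). The TokenRegistry class stands in for the SP's registry of non-expired tokens; the endpoint-to-scope table, token strings and user names are constructed for the example.

```python
import time


class TokenRegistry:
    """The SP's registry of live tokens: token -> client, user, granted scopes, expiry."""

    def __init__(self):
        self._tokens = {}

    def issue(self, token, client_id, user, scope, ttl_seconds):
        self._tokens[token] = {"client_id": client_id, "user": user,
                               "scope": set(scope.split()),
                               "expires_at": time.time() + ttl_seconds}

    def revoke_user(self, user):
        """The user withdrew consent: every token issued for them dies at once."""
        for tok in [t for t, rec in self._tokens.items() if rec["user"] == user]:
            del self._tokens[tok]

    def lookup(self, token):
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if time.time() >= rec["expires_at"]:
            del self._tokens[token]          # expired: the client has to obtain a new one
            return None
        return rec


def parse_bearer(headers):
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750); None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


# Which scope each RS endpoint needs (constructed for this example).
ENDPOINT_SCOPES = {"/me/photo": "user_photos", "/me/feed": "publish_actions"}


def handle_request(registry, headers, path):
    """The RS side of one API call. 401 means 'get a (new) token', 403 means 'wrong scope'."""
    token = parse_bearer(headers)
    if token is None:
        return 401, {"error": "invalid_request"}
    rec = registry.lookup(token)
    if rec is None:
        return 401, {"error": "invalid_token"}
    needed = ENDPOINT_SCOPES.get(path)
    if needed is None:
        return 404, {"error": "not_found"}
    if needed not in rec["scope"]:
        return 403, {"error": "insufficient_scope", "scope": needed}
    return 200, {"user": rec["user"], "path": path}
```

The two status codes matter to the client: a 401 tells it to send the user through /authorize again (or use a refresh token), while a 403 tells it the token is fine but the user never granted that scope, so retrying will not help.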
Uses
 Many other grant types
 Implicit Grant, Client Credentials, Resource Owner Password Credentials, Refresh Token, plus extension grants defined outside the core spec
 Caveat for a 2015 deck: the Implicit and Resource Owner Password Credentials grants are now discouraged by the OAuth 2.0 Security Best Current Practice; new clients, browser and mobile apps included, should use the authorization code grant (with PKCE for clients that cannot keep a secret)
 You can use OAuth specifications for many projects ranging from identity provider to a web service where other 3rd parties can use your API
 You can design a SP
 You can design a client
 Make sure SP (and the Resource Server if separate from the SP) uses HTTPS; the client's redirect endpoint should too, since the code travels through the browser to it
Facebook Connect/Graph API
 Allows users to log on to your site using their Facebook account
 Facebook allows 3rd party applications to access user's data (e.g. profile data such as name, age, gender etc)
 Facebook allows you to make your website social-savvy
 Make posts on user's timeline
 Access their friends list
 Grab their photos (like Tinder does)
Facebook Connect
 eHarmony gives you the option of creating an account with them (traditional way)
 Login using an account registered with them
 Login using facebook connect
 The site never needs to know user's password
Account registration in your database
 Traditionally: your own username and (hashed) password stored in your records
 Using Facebook: store the fb_id instead. FB guarantees every fb account will have a UNIQUE fb_id, so that is the key you look users up by
 Caveat: since Graph API v2.0 the id Facebook returns is app-scoped (unique per app, not across apps), so only ever compare it within your own app
 No need for a password
 You can save the token in a session if you want; it is a credential, so keep it in server-side session storage, not in a cookie value
Initial setting up
PHP – install and configure
 Install the SDK using composer: composer require facebook/php-sdk
Step 1 – website link to open dialog
 You can put $loginUrl in your view:
<a href="<?= htmlspecialchars($loginUrl) ?>">Connect using Facebook</a>
 'scope' determines what permissions your app requires from the user. Facebook will ask the user to authorize your app to use those permissions (e.g. 'scope' => 'read_stream, user_photos'). Request only the scopes your feature needs
 $loginUrl will contain client_id, scope, redirect_uri and state as query params
Objective
1. On Website: Work out the correct URL for the facebook login dialog box to appear
 You must pass information to it such as client_id, scope, redirect_uri, state etc
2. Once user logs on, you need to grab user's fb_id
 Check if fb_id already exists in your records
 NO: New registration
 YES: Prior registered customer
3. Get and store the token to make future api requests
Step 2 – get fb_id
 $facebook->getUser() will return fb_id. Check if
that user already exists in your db.
 YES: Great! You have their personal details
already stored + Token
 NO: Use api to get basic details of user and
create new account
Step 2 – contd.
 $user_profile contains an array which contains
information about the user. You can use this information
to populate your database records of your user base
Step 3 – Storing the token
 You don't technically need to store the token because the SDK takes care of it behind the scenes.
 $facebook->getUser(), before returning the fb_id, does many things behind the scenes
 Gets the authorization code, exchanges it for a token, saves the token in the session and finally returns the fb_id
 BUT if you don't store the token yourself, you must always ask the user to log in for the SDK to do everything behind the scenes. If you have the token, you can also access the Graph API without the Facebook SDK.
 You can store the token yourself: $facebook->getAccessToken();
 Store it server-side with its expiry (database or session), encrypted at rest if your threat model includes database theft: anyone holding it can act as the user within the granted scope until it expires or is revoked
Step 4 – Using access token
 You don't need the access token directly. The SDK provides a method that will access the Graph API conveniently
 $facebook->api($url, $method, $parameters)
 But you can use the API manually (HTTP REST API). All the endpoints and documentation are online.
 You must attach the token to every request, either as an access_token=<$token> parameter or, preferably, in an Authorization: Bearer <$token> header (a query-string token ends up in proxy and server logs). Note the request is not signed: the token is a bearer credential, so anyone who obtains it can use it
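Steps 2 to 4 of the Facebook section without the SDK, as an added Python example that is neither the deck's PHP code nor Facebook's SDK. The user table is an in-memory dict keyed by fb_id, the profile dict mimics what the Graph API's /me returns (constructed values), and graph_request only builds the request object, with the token in the Authorization header, so nothing is sent.

```python
import time
from urllib.parse import urlencode
from urllib.request import Request

GRAPH_BASE = "https://graph.facebook.com"   # Graph API host; the version prefix is left out


class UserStore:
    """Your users table, keyed by fb_id. There is no password column at all."""

    def __init__(self):
        self.by_fb_id = {}

    def link_or_create(self, profile, access_token, expires_in):
        """Step 2: look the fb_id up; register on first sight. Step 3: store the token.
        Returns (user record, created?)."""
        fb_id = profile["id"]
        user = self.by_fb_id.get(fb_id)
        created = user is None
        if created:
            user = {"fb_id": fb_id, "name": profile.get("name"), "email": profile.get("email")}
            self.by_fb_id[fb_id] = user
        # The token is a credential: keep it server-side with its expiry, never in a cookie.
        user["access_token"] = access_token
        user["token_expires_at"] = time.time() + expires_in
        return user, created

    def usable_token(self, fb_id, margin_seconds=60):
        """A stored, unexpired token lets you call the Graph API without a fresh login."""
        user = self.by_fb_id.get(fb_id)
        if user is None or time.time() + margin_seconds >= user["token_expires_at"]:
            return None
        return user["access_token"]


def graph_request(path, access_token, params=None):
    """Step 4 without the SDK: build the Graph API call with the token in the
    Authorization header (a query-string access_token works too, but then the
    token lands in proxy and server logs)."""
    url = GRAPH_BASE + path
    if params:
        url += "?" + urlencode(params)
    return Request(url, headers={"Authorization": "Bearer " + access_token})
```

The second link_or_create call for the same fb_id is the returning-customer path from the Objective slide: no new record, but the freshly issued token replaces the old one. usable_token returning None is the signal to send the user through the login dialog again.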
Thank You

More Related Content

What's hot

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
Aaron Parecki
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
Syed Ali Raza
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
OAuth
OAuthOAuth
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
Parisa Moosavinezhad
 
Oauth 2.0
Oauth 2.0Oauth 2.0
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
Kamyar Mohager
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
Umang Goyal
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
danieloskarsson
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
User Management with LastUser
User Management with LastUserUser Management with LastUser
User Management with LastUser
Kiran Jonnalagadda
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
Social Login Userguide
Social Login UserguideSocial Login Userguide
Social Login Userguide
Magebuzz
 
Testing experience in web application P2 special cases
Testing experience in web application P2 special casesTesting experience in web application P2 special cases
Testing experience in web application P2 special cases
Vu Tran
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
Min Li
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
Emad Alashi
 

What's hot (19)

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
OAuth
OAuthOAuth
OAuth
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
User Management with LastUser
User Management with LastUserUser Management with LastUser
User Management with LastUser
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Social Login Userguide
Social Login UserguideSocial Login Userguide
Social Login Userguide
 
Testing experience in web application P2 special cases
Testing experience in web application P2 special casesTesting experience in web application P2 special cases
Testing experience in web application P2 special cases
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
 

Viewers also liked

OAuth
OAuthOAuth
OAuth
Vijay Naik
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
Seccuris Inc.
 
An architecture for privacy-enabled user profile portability on the Web of Data
An architecture for privacy-enabled user profile portability on the Web of DataAn architecture for privacy-enabled user profile portability on the Web of Data
An architecture for privacy-enabled user profile portability on the Web of Data
Benjamin Heitmann
 
VeSPA: Vehicular Security and Privacy-preserving Architecture
VeSPA: Vehicular Security and Privacy-preserving ArchitectureVeSPA: Vehicular Security and Privacy-preserving Architecture
VeSPA: Vehicular Security and Privacy-preserving Architecture
nalexiou
 
Hotnets Slides
Hotnets SlidesHotnets Slides
Hotnets Slides
mahan9
 
Crypto-Book Hotnets
Crypto-Book HotnetsCrypto-Book Hotnets
Crypto-Book Hotnets
mahan9
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
John Macasio
 
Google+ Login - A Primer
Google+ Login - A PrimerGoogle+ Login - A Primer
Google+ Login - A Primer
Tom Opgenorth
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
trainersenthil14
 
How governance drives your information and security architecture
How governance drives your information and security architectureHow governance drives your information and security architecture
How governance drives your information and security architecture
Randy Williams
 
Data Privacy in the DMBOK - No Need to Reinvent the Wheel
Data Privacy in the DMBOK - No Need to Reinvent the WheelData Privacy in the DMBOK - No Need to Reinvent the Wheel
Data Privacy in the DMBOK - No Need to Reinvent the Wheel
DATAVERSITY
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Kris Kimmerle
 

Viewers also liked (13)

OAuth
OAuthOAuth
OAuth
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
An architecture for privacy-enabled user profile portability on the Web of Data
An architecture for privacy-enabled user profile portability on the Web of DataAn architecture for privacy-enabled user profile portability on the Web of Data
An architecture for privacy-enabled user profile portability on the Web of Data
 
VeSPA: Vehicular Security and Privacy-preserving Architecture
VeSPA: Vehicular Security and Privacy-preserving ArchitectureVeSPA: Vehicular Security and Privacy-preserving Architecture
VeSPA: Vehicular Security and Privacy-preserving Architecture
 
Hotnets Slides
Hotnets SlidesHotnets Slides
Hotnets Slides
 
Crypto-Book Hotnets
Crypto-Book HotnetsCrypto-Book Hotnets
Crypto-Book Hotnets
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
Google+ Login - A Primer
Google+ Login - A PrimerGoogle+ Login - A Primer
Google+ Login - A Primer
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
 
How governance drives your information and security architecture
How governance drives your information and security architectureHow governance drives your information and security architecture
How governance drives your information and security architecture
 
Data Privacy in the DMBOK - No Need to Reinvent the Wheel
Data Privacy in the DMBOK - No Need to Reinvent the WheelData Privacy in the DMBOK - No Need to Reinvent the Wheel
Data Privacy in the DMBOK - No Need to Reinvent the Wheel
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 

Similar to Oauth

SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
Danny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
Danny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
Danny Jessee
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the Cloud
Danny Jessee
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
h_marvin
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
Danny Jessee
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Integrating LINE Login with Firebase
Integrating LINE Login with Firebase Integrating LINE Login with Firebase
Integrating LINE Login with Firebase
LINE Corporation
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
Provectus
 
Claims based authentication in share point 2010 .new
Claims based authentication in share point 2010 .newClaims based authentication in share point 2010 .new
Claims based authentication in share point 2010 .new
RavikantChaturvedi
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in asp
OPENLANE
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com Platform
Pat Patterson
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
Passport js authentication in nodejs how to implement facebook login feature ...
Passport js authentication in nodejs how to implement facebook login feature ...Passport js authentication in nodejs how to implement facebook login feature ...
Passport js authentication in nodejs how to implement facebook login feature ...
Katy Slemon
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)
Damon Widjaja
 
Introduction to Facebook JavaScript & Python SDK
Introduction to Facebook JavaScript & Python SDKIntroduction to Facebook JavaScript & Python SDK
Introduction to Facebook JavaScript & Python SDK
Colin Su
 

Similar to Oauth (20)

SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the Cloud
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Integrating LINE Login with Firebase
Integrating LINE Login with Firebase Integrating LINE Login with Firebase
Integrating LINE Login with Firebase
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
 
Claims based authentication in share point 2010 .new
Claims based authentication in share point 2010 .newClaims based authentication in share point 2010 .new
Claims based authentication in share point 2010 .new
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in asp
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com Platform
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
 
Passport js authentication in nodejs how to implement facebook login feature ...
Passport js authentication in nodejs how to implement facebook login feature ...Passport js authentication in nodejs how to implement facebook login feature ...
Passport js authentication in nodejs how to implement facebook login feature ...
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)
 
Introduction to Facebook JavaScript & Python SDK
Introduction to Facebook JavaScript & Python SDKIntroduction to Facebook JavaScript & Python SDK
Introduction to Facebook JavaScript & Python SDK
 

Recently uploaded

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 

Recently uploaded (20)

Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
AppSec PNW: Android and iOS Application Security with MobSF

Oauth

  • 2. OAuth 2.0
What I will cover:
 Brief overview of OAuth 2.0
 How all the concepts fit together
 How you can use OAuth in your own projects
 e.g. APIs, identity provider etc
 Implementing Facebook into your projects
  • 3. The players
Service Provider, Client, User, Resources Server
 User owns private data in Resources Server (e.g. personal details, photos)
 Client wants to access user's data in Resources Server.
 RS provides access to data via REST API endpoints.
  • 4. Preliminary
 Before anything happens, Client is registered with Service Provider so SP can recognize it
 Client is given a “client_id” and “secret_key”
 Secret Key MUST never be exposed in public.
 Keep it within your PHP code – not in any client-side code, e.g. JavaScript etc
  • 5. Authorization Grant
 3rd Party website (aka client or application) wants to access data owned by User but stored in Resource Server
 Resource Server provides an endpoint so a client can get data
 GET /me/photo → returns a private photo of User
 RS won't just give access to anyone. User must authorize client to access private data
 Service Provider (SP) provides 2 endpoints to facilitate authorization
 GET /authorize ← Use first
 POST /token ← What client actually wants
  • 6. Authorization
 Client will redirect user to SP's website @ /authorize endpoint.
 User is no longer at client's website
 GET /authorize
 Query parameters:
 “response_type” = 'code'
 “client_id” = <CLIENT_ID>
 “redirect_uri” = <REDIRECT_URI>
 “scope” = <what permissions client is asking user to give it>
 SP will check if User gives Client permission. Either User had given permission in the past OR User will be asked to authorize
 SP will redirect user to <REDIRECT_URI> (an endpoint on client's website). A “code” will be given. Or an “error”. These are query parameters. e.g. code=298e63d823b86e52a95
  • 7. Token
 That redirect endpoint isn't just an ordinary website URL. It must expect a code (or error) being returned amongst its query parameters
 If there is no error, the client must quickly request a token.
 POST /token
 “client_id” = <CLIENT_ID>
 “client_secret” = <SECRET KEY>
 “grant_type” = 'authorization_code'
 “code” = <CODE FROM PRIOR REQUEST>
 “redirect_uri” = <SAME AS BEFORE>
 Returns JSON array with “access_token” and “expires_on” OR “error”, e.g. access_token=206c80413b9a96c1384463edd
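The client side of slides 6 and 7 as an added example (not code from the slides): building the /authorize redirect, reading the code or error back at the redirect endpoint, and assembling the POST /token body. The host names, client_id/secret placeholders and the per-login "state" value (mentioned on slide 16) are assumptions; the code value is the slide's own sample.

```python
# Added example, not from the presentation: client side of the
# authorization-code flow. Hosts, client_id and secret are placeholders.
from urllib.parse import urlencode, urlparse, parse_qs

SP_BASE = "https://sp.example"                      # constructed SP host
CLIENT_ID = "my-client-id"                          # placeholder client_id
CLIENT_SECRET = "server-side-only-secret"           # placeholder; never in JS
REDIRECT_URI = "https://client.example/oauth/callback"


def build_authorize_url(scope, state):
    """Slide 6: the URL the client redirects the user to (GET /authorize)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        # assumed addition: random per-login value, compared again on callback
        "state": state,
    }
    return SP_BASE + "/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Slide 7: the redirect endpoint must expect either a code or an error."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not for this login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carried neither code nor error")
    return query["code"][0]


def token_request_body(code):
    """Slide 7: form fields for POST /token; the secret stays on the server."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the /authorize value
    }
```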
  • 8. Making API requests
 Now that you have a token, you can call API requests on Resources Server
 User can revoke authorization anytime
 Token can expire (which means Client has to go through process of getting a new token)
 The SP has a registrar of all the non-expired tokens and the corresponding client and scope permissions
  • 9. Uses
 Many other grant types
 Implicit Grant, Client Credentials, Refresh Token, Resource Owner Password Credentials and many many more
 You can use OAuth specifications for many projects ranging from identity provider to a web service where other 3rd parties can use your API
 You can design a SP
 You can design a client
 Make sure SP (Resources Server if separate from SP) uses HTTPS connection
  • 10. Facebook Connect/Graph API
 Allows users to log on to your site using their Facebook account
 Facebook allows 3rd party applications to access user's data (i.e. profile data such as name, age, gender etc)
 Facebook allows you to make your website social-savvy
 Make posts on user's timeline
 Access their friends list
 Grab their photos (like Tinder does)
  • 11. Facebook Connect
 eHarmony gives you the option of creating an account with them (traditional way)
 Login using an account registered with them
 Login using Facebook Connect
 The site never needs to know user's password
  • 12. Account registration in your database
 Traditionally:
 Using Facebook: FB guarantees every fb account will have a UNIQUE fb_id. No need for a password. You can save token in a session if you want
  • 14. PHP – install and configure
 Install SDK using composer: require “facebook/php-sdk”
  • 15. Step 1 – website link to open dialog
 You can put $loginUrl in your view: <a href="<?= $loginUrl ?>">Connect using Facebook</a>
 'scope' determines what permissions your app requires from the user. Facebook will ask the user to authorize your app to use those permissions. (e.g. 'scope' => 'read_stream, user_photos')
 $loginUrl will contain client_id, scope, redirect_uri as query params
  • 16. Objective
1. On Website: Work out the correct URL for the Facebook login dialog box to appear
 You must pass information to it such as client_id, scope, redirect_uri, state etc
2. Once user logs on, you need to grab user's fb_id
 Check if fb_id already exists in your records
 NO: New registration
 YES: Prior registered customer
3. Get and Store token to make future API requests
  • 17. Step 2 – get fb_id
 $facebook->getUser() will return fb_id. Check if that user already exists in your db.
 YES: Great! You have their personal details already stored + Token
 NO: Use API to get basic details of user and create new account
  • 18. Step 2 – contd.
 $user_profile contains an array which contains information about the user. You can use this information to populate your database records of your user base
  • 19. Step 3 – Storing the token
 You don't technically need to store the token because the SDK takes care of it behind the scenes.
 $facebook->getUser(), before returning the fb_id, does many things behind the scenes
 Gets access code, exchanges it for token, saves token in session and finally returns the fb_id
 BUT if you don't store the token yourself, you must always ask the user to log in, in order for SDK to do everything behind the scenes. If you have the token, you can also access Graph API without the Facebook SDK.
 You can store token yourself: $facebook->getAccessToken();
  • 20. Step 4 – Using access token
 You don't need the access token directly. SDK provides a method that will access Graph API conveniently
 $facebook->api($url, $method, $parameters)
 But you can use the API manually (HTTP REST API). All the endpoints and documentation are online.
 You obviously must sign the HTTP request with the token in the body (access_token=<$token>) or possibly header
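The Service Provider side of slide 8 (a registrar of non-expired tokens with their client and scope permissions, plus user revocation) and the token placement of slide 20 (token in the body as access_token or in a header), as an added example that is not part of the presentation. The registry layout, reason strings and sample values are constructed; the access_token value is the one shown on slide 7.

```python
# Added example, not from the presentation: how a Service Provider can check an
# incoming API request against its token registrar. Registry shape is constructed.
from dataclasses import dataclass


@dataclass
class TokenRecord:
    client_id: str
    user_id: str
    scopes: frozenset
    expires_at: int           # unix time; constructed value below
    revoked: bool = False


# Constructed registrar: what the SP remembers about each issued access_token.
REGISTRY = {
    "206c80413b9a96c1384463edd": TokenRecord(
        client_id="my-client-id", user_id="u42",
        scopes=frozenset({"read_stream", "user_photos"}),
        expires_at=1_700_000_000),
}


def extract_token(headers, body):
    """Slide 20: token may arrive as 'Authorization: Bearer <t>' or as
    access_token in the request body; the header wins when both exist."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return body.get("access_token")


def check_token(token, required_scope, now):
    """Slide 8: allow the request only for a known, unrevoked, unexpired token
    whose granted scope covers the endpoint. Returns (record_or_None, reason)."""
    rec = REGISTRY.get(token)
    if rec is None:
        return None, "unknown token"
    if rec.revoked:
        return None, "user revoked authorization"
    if now >= rec.expires_at:
        return None, "token expired; client must obtain a new one"
    if required_scope not in rec.scopes:
        return None, "scope not granted: " + required_scope
    return rec, "ok"


def revoke_all_for_user(user_id):
    """Slide 8: the user can revoke authorization at any time."""
    for rec in REGISTRY.values():
        if rec.user_id == user_id:
            rec.revoked = True
```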