Aslam Jarwar, profile picture
Uploaded byAslam Jarwar
PPTX, PDF143 views

OAuth

The document discusses the history and basics of OAuth, an open standard for authorization. It started in 2006 to allow websites to share private resources from another site without needing the user's password. The document outlines key terms like consumer, provider, tokens, and scope. It describes the 3-act process where a consumer gets a request token from the provider, redirects the user to authorize, then exchanges the request for an access token to access protected resources on behalf of the user. It also notes some loopholes in OAuth 1.0 and the development of OAuth 2.0.

Embed presentation

Download to read offline
URL: http://oauth.net/ 1
 History  What is OAuth  Terminologies used for OAuth  Working of OAuth protocol  Flow  Loopholes and drawbacks of Oauth  Consumer Implementation (Twitter & Xero) Contents
History  OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.  In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.  In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
What is OAuth  Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party  Protocol that allows to share private data hosted on x web site with y web site  A way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.  A protocol for developing password less APIs  Its just a skeleton, Implementation can be vendor specific In Short “your valet key for the Web”
Terminologies used for OAuth  Consumer Application trying to access protected resource  Service Provider website or web-service hosting protected resource  User Owner of the protected data  Protected Resource Images, Videos or documents hosted on web site or web-service which are protected by the user  Tokens Random string of letters and numbers which is unique. Request Token, Access Token  Scope Set of data hosted on service provider that user wants to share with consumer
Working of OAuth protocol  Web 2.0 means sharing data, through API  Users want to access their data using many services  Developers want to satisfy their users (and make it easy for them)  Service providers need to keep their users data secure
Working of OAuth protocol A Play in 3 Acts (to exchange authorization) Actors on the scene  User  Consumer  Service Provider
Working of OAuth protocol A Play in 3 Acts (to exchange authorization) consumer has  Consumer key  Consumer secret Consumer (to Service Provider): “give me a request token”  oauth_consumer_key  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)  [additional parameters]
A Play in 3 Acts (to exchange authorization) Service Provider (to consumer): “here is the request token(you can use it only once!)”  oauth_token (request token)  oauth_token_secret  [additional parameters]
A Play in 3 Acts (to exchange authorization) Second Act Where the User authorizes the Request Token Consumer (to the User): “Please go to the Service Provider and authorize this request” consumer ->user ->service provider  oauth_token (request token)  oauth_callback  [additional parameters] Service Provider (to the User): Do you authorize consumer to access your data?
A Play in 3 Acts (to exchange authorization) User (to the Service Provider):  YES!  (or maybe NO :-) ) Service Provider (to the User): “You can go back to the consumer” Service Provider-> User->Consumer  oauth_token (request token)
A Play in 3 Acts (to exchange authorization) Third Act Where the Consumer exchanges the Request Token for an Access Token Consumer (to the Service Provider): “Please give me the acces token for the user”  oauth_consumer_key  oauth_token (request token)  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)
A Play in 3 Acts (to exchange authorization) Service Provider (to the Consumer): “here is the access token for the user”  oauth_token (access token)  oauth_token_secret  [additional parameters] Now consumer accesses the resources Consumer (to the Service Provider): “Here i am again on behalf of the user”  oauth_consumer_key  oauth_token (access token)  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)  [additional parameters]
Flow
Working of OAuth protocol  Site Y is the consumer and site X is service provider  Site Y has consumer ID and shared secret provided by site X to all its OAuth consumers  User accesses site Y and wants to share private data hosted on site X  Site Y sends the request to site X with Consumer ID and shared secret and asks for Request Token  Site X returns Request Token to site Y  Site Y redirects user to site X Login service with the request token  User enters username/password or OpenID credentials to login to site X  Site X validates the credentials, create Access token associated with the request token and redirects the user to site Y with the request Token  Site Y sends the request token to site X asking for Access token  Site Y gets the access token to access protected resources hosted on site X (Access token is valid only for limited period of time)
Loopholes and drawbacks of OAuth  Trust on Consumer is key  Consumer redirects user to the correct service provider  Consumer uses the private only for the specific time period  OAuth specifications Skeleton does not define resource and signing algorithms used between consumer and service provider  OAuth specifications does not talk about endpoint discovery, language support, XML-RPC support
OAuth 2.0  OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0, Main framework was published in October 2012.  Focuses on client developer simplicity  Facebook's new Graph API only supports OAuth 2.0  Google and Microsoft had added OAuth 2.0 experimental support to their APIs In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0. He points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure"
Thank you 18

More Related Content

PPTX
O auth
byfaisalqau
 
ODP
Oauth
byehuard
 
PDF
Introduction to OAuth2.0
byOracle Corporation
 
PDF
OAuth2 primer
byManish Pandit
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PDF
OAuth 2.0 Misconceptions
byCory Forsyth
 
PPTX
OAuth2 Presentaion
byBhargav Surimenu
 
KEY
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 
O auth
byfaisalqau
 
Oauth
byehuard
 
Introduction to OAuth2.0
byOracle Corporation
 
OAuth2 primer
byManish Pandit
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
OAuth 2.0 Misconceptions
byCory Forsyth
 
OAuth2 Presentaion
byBhargav Surimenu
 
OpenID vs OAuth - Identity on the Web
byRichard Metzler
 

What's hot

ODP
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PPTX
OAuth
byMohan Kumar Tadikimalla
 
PPT
Openid & Oauth: An Introduction
bySteve Ivy
 
PPTX
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
PPT
Silicon Valley Code Camp 2009: OAuth: What, Why and How
byManish Pandit
 
PPT
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
User Management with LastUser
byKiran Jonnalagadda
 
ODP
3rd-Party Authn/Authz
byphilipsharp
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
ODP
OAuth2 - Introduction
byKnoldus Inc.
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
PPTX
The State of OAuth2
byAaron Parecki
 
PDF
Spring security oauth2
byaxykim00
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
PPTX
OAuth 2
byChrisWood262
 
PDF
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
byVinay Manglani
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
Mohanraj - Securing Your Web Api With OAuth
byfossmy
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
OAuth
byMohan Kumar Tadikimalla
 
Openid & Oauth: An Introduction
bySteve Ivy
 
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
byManish Pandit
 
OAuth2 Protocol with Grails Spring Security
byNexThoughts Technologies
 
Demystifying OAuth 2.0
byKarl McGuinness
 
User Management with LastUser
byKiran Jonnalagadda
 
3rd-Party Authn/Authz
byphilipsharp
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
OAuth 2.0
byUwe Friedrichsen
 
OAuth2 - Introduction
byKnoldus Inc.
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
The State of OAuth2
byAaron Parecki
 
Spring security oauth2
byaxykim00
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
OAuth 2
byChrisWood262
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
byVinay Manglani
 
An Introduction to OAuth2
byAaron Parecki
 

Viewers also liked

PDF
Intro to OAuth
bymfrost503
 
PPT
Oauth flow
byguitang yang
 
PPTX
OAuth
byVijay Naik
 
PPTX
O auth with facebook and google using .net
bySathyaish Chakravarthy
 
PDF
The Present Future of OAuth
byMichael Bleigh
 
PDF
Facebook & OAuth
byDanny Deng
 
PPT
Facebook_Oauth
byAkshay Kale
 
PPTX
Hands-on with OAuth, Facebook and the Force.com Platform
byPat Patterson
 
PPTX
Oauth 2.0
byManish Kumar Singh
 
PDF
OAuth you said
byOAuth.io
 
PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
OAuth presentation - Social Media 2016
byRossana Salaro
 
PDF
Implementing OAuth
byleahculver
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
Intro to OAuth
bymfrost503
 
Oauth flow
byguitang yang
 
OAuth
byVijay Naik
 
O auth with facebook and google using .net
bySathyaish Chakravarthy
 
The Present Future of OAuth
byMichael Bleigh
 
Facebook & OAuth
byDanny Deng
 
Facebook_Oauth
byAkshay Kale
 
Hands-on with OAuth, Facebook and the Force.com Platform
byPat Patterson
 
Oauth 2.0
byManish Kumar Singh
 
OAuth you said
byOAuth.io
 
OAuth - Open API Authentication
byleahculver
 
OAuth presentation - Social Media 2016
byRossana Salaro
 
Implementing OAuth
byleahculver
 
An Introduction to OAuth 2
byAaron Parecki
 

Similar to OAuth

PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
PDF
Integrating services with OAuth
byLuca Mearelli
 
PPTX
OAuth [noddyCha]
bynoddycha
 
PDF
Implementing OAuth with PHP
byLorna Mitchell
 
PDF
Oauth Php App
byAbdullah Mamun
 
PDF
Secure Webservices
byMatthias Käppler
 
PPTX
OAuth
byTom Elrod
 
PPTX
MainFinalOAuth
byMohan Kumar Tadikimalla
 
PPTX
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
PPTX
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
PDF
Full stack security
byDPC Consulting Ltd
 
KEY
OAuth Android Göteborg
bydanieloskarsson
 
PPT
Oauth2.0
byYasmine Gaber
 
PDF
Api security with OAuth
bythariyarox
 
PPTX
Maintest3
byMohan Kumar Tadikimalla
 
KEY
OAuth: demystified (hopefully)
byMatt Gifford
 
PDF
A technical insight into the concepts and terminologies behind oauth – an ope...
byeSAT Journals
 
PPTX
Maintest2
byMohan Kumar Tadikimalla
 
PPTX
Api security
byteodorcotruta
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
Integrating services with OAuth
byLuca Mearelli
 
OAuth [noddyCha]
bynoddycha
 
Implementing OAuth with PHP
byLorna Mitchell
 
Oauth Php App
byAbdullah Mamun
 
Secure Webservices
byMatthias Käppler
 
OAuth
byTom Elrod
 
MainFinalOAuth
byMohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
Full stack security
byDPC Consulting Ltd
 
OAuth Android Göteborg
bydanieloskarsson
 
Oauth2.0
byYasmine Gaber
 
Api security with OAuth
bythariyarox
 
Maintest3
byMohan Kumar Tadikimalla
 
OAuth: demystified (hopefully)
byMatt Gifford
 
A technical insight into the concepts and terminologies behind oauth – an ope...
byeSAT Journals
 
Maintest2
byMohan Kumar Tadikimalla
 
Api security
byteodorcotruta
 
Oauth 2.0 security
byvinoth kumar
 

Recently uploaded

PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 

OAuth

  • 1.
  • 2.
     History  Whatis OAuth  Terminologies used for OAuth  Working of OAuth protocol  Flow  Loopholes and drawbacks of Oauth  Consumer Implementation (Twitter & Xero) Contents
  • 3.
    History  OAuth startedaround November 2006, while Blaine Cook was working on the Twitter OpenID implementation.  In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.  In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
  • 4.
    What is OAuth Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party  Protocol that allows to share private data hosted on x web site with y web site  A way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.  A protocol for developing password less APIs  Its just a skeleton, Implementation can be vendor specific In Short “your valet key for the Web”
  • 5.
    Terminologies used forOAuth  Consumer Application trying to access protected resource  Service Provider website or web-service hosting protected resource  User Owner of the protected data  Protected Resource Images, Videos or documents hosted on web site or web-service which are protected by the user  Tokens Random string of letters and numbers which is unique. Request Token, Access Token  Scope Set of data hosted on service provider that user wants to share with consumer
  • 6.
    Working of OAuthprotocol  Web 2.0 means sharing data, through API  Users want to access their data using many services  Developers want to satisfy their users (and make it easy for them)  Service providers need to keep their users data secure
  • 7.
    Working of OAuthprotocol A Play in 3 Acts (to exchange authorization) Actors on the scene  User  Consumer  Service Provider
  • 8.
    Working of OAuthprotocol A Play in 3 Acts (to exchange authorization) consumer has  Consumer key  Consumer secret Consumer (to Service Provider): “give me a request token”  oauth_consumer_key  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)  [additional parameters]
  • 9.
    A Play in3 Acts (to exchange authorization) Service Provider (to consumer): “here is the request token(you can use it only once!)”  oauth_token (request token)  oauth_token_secret  [additional parameters]
  • 10.
    A Play in3 Acts (to exchange authorization) Second Act Where the User authorizes the Request Token Consumer (to the User): “Please go to the Service Provider and authorize this request” consumer ->user ->service provider  oauth_token (request token)  oauth_callback  [additional parameters] Service Provider (to the User): Do you authorize consumer to access your data?
  • 11.
    A Play in3 Acts (to exchange authorization) User (to the Service Provider):  YES!  (or maybe NO :-) ) Service Provider (to the User): “You can go back to the consumer” Service Provider-> User->Consumer  oauth_token (request token)
  • 12.
    A Play in3 Acts (to exchange authorization) Third Act Where the Consumer exchanges the Request Token for an Access Token Consumer (to the Service Provider): “Please give me the acces token for the user”  oauth_consumer_key  oauth_token (request token)  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)
  • 13.
    A Play in3 Acts (to exchange authorization) Service Provider (to the Consumer): “here is the access token for the user”  oauth_token (access token)  oauth_token_secret  [additional parameters] Now consumer accesses the resources Consumer (to the Service Provider): “Here i am again on behalf of the user”  oauth_consumer_key  oauth_token (access token)  oauth_signature_method  oauth_signature  oauth_timestamp  oauth_nonce  oauth_version (optional)  [additional parameters]
  • 14.
  • 15.
    Working of OAuthprotocol  Site Y is the consumer and site X is service provider  Site Y has consumer ID and shared secret provided by site X to all its OAuth consumers  User accesses site Y and wants to share private data hosted on site X  Site Y sends the request to site X with Consumer ID and shared secret and asks for Request Token  Site X returns Request Token to site Y  Site Y redirects user to site X Login service with the request token  User enters username/password or OpenID credentials to login to site X  Site X validates the credentials, create Access token associated with the request token and redirects the user to site Y with the request Token  Site Y sends the request token to site X asking for Access token  Site Y gets the access token to access protected resources hosted on site X (Access token is valid only for limited period of time)
  • 16.
    Loopholes and drawbacksof OAuth  Trust on Consumer is key  Consumer redirects user to the correct service provider  Consumer uses the private only for the specific time period  OAuth specifications Skeleton does not define resource and signing algorithms used between consumer and service provider  OAuth specifications does not talk about endpoint discovery, language support, XML-RPC support
  • 17.
    OAuth 2.0  OAuth2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0, Main framework was published in October 2012.  Focuses on client developer simplicity  Facebook's new Graph API only supports OAuth 2.0  Google and Microsoft had added OAuth 2.0 experimental support to their APIs In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0. He points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure"
  • 18.