OAuth


Or: „Why you don't have to pass credentials“
About me!
Marvin Hoffmann (B.Sc.)

Computer Science and Media
Semester 2

       Why am I here?
Security will always be a key aspect
of application development
What's coming?
some history and basics

some OAuth

some Facebook

project reference

conclusion

semester holidays :)
History and basics
Once upon a time...
                          you had to pass your username and
                          password to let applications use
                          one another




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
That of course...

...we don't want to be necessary!

Pass username and password?

   No thanks.
   There must be another way!
What do we want then?
  distinguish between different
  applications (and us)

  give different rights to each (scoping)

  be able to revoke rights once they
  were granted

  standardized approach in granting
  access
What's necessary?
Authentication
Who the heck are you?




            Authorization
            You are allowed to do
            xyz and only xyz!
OAuth
We need a standard!
                           many custom-built solutions
                           before OAuth

                                  Flickr: „FlickrAuth“

                                  Google: „AuthSub“

                                  Facebook: requests signed with
                                  MD5 Hashes




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
What's in the protocol?
                          OAuth 1 based on „FlickrAuth“ and
                          Google's „AuthSub“

                          OAuth2 is a completely new protocol

                          defines different flows, useful for
                          different requirements (native
                          Client, Website, mobile App)

                          we'll see soon what such a flow can
                          look like

Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
Facebook
OAuth and Facebook


                                                                               looks familiar?




Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
How to get there                  1
register your application or website
as Facebook-Application to get
your App credentials

  an App ID / API Key

  an App Secret

(tokens you get are only valid for
your Facebook-App)
How to get there                    2
add App-ID and App-Secret to your
code

example:
<?php
// load the Facebook PHP SDK; the path depends on where it is installed
require_once 'facebook.php';
// App-ID and App-Secret come from the Facebook app dashboard; the secret
// stays on the server and never goes into code served to the browser
$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_KEY',
  'secret' => 'YOUR_APP_SECRET'));


your App/Website will now be
identified correctly

Domain will be checked as well!
How to get there                                 3
define what your app needs to use
e.g. „Post to Facebook as me“;
„Access basic information“

example:
<fb:login-button show-faces="true" width="500" max-rows="1"
  perms="user_useralbums, read_stream, publish_stream"></fb:login-button>


rights? See photos, read from and
write to stream
How to get there           4
                                                  App-ID
                                                App-Secret




                                                  Domain
Source: https://developers.facebook.com/apps/
How to get there                  5
You‘re good to go!




Your App/Website will now be
identified (always) and the user
has to grant specific rights (once)
HTTP calls flow




Source: https://developers.facebook.com/docs/authentication/
Little more details




Source: https://developers.facebook.com/docs/authentication/
Little more details
          Request:
          https://www.facebook.com/dialog/oauth?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          scope=email,read_stream

          Response:
          http://YOUR_URL?
          code=A_CODE_GENERATED_BY_SERVER

          Request:
          https://graph.facebook.com/oauth/access_token?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          client_secret=YOUR_APP_SECRET&
          code=THE_CODE_FROM_ABOVE

          Response: access_token and time in seconds until the token expires (save it!)
Source: https://developers.facebook.com/docs/authentication/
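The two request/response pairs above, as an added example that is not part of the slides or of Facebook's own code. The client side builds the dialog URL, checks the callback, and exchanges the code on the back channel; a constructed FakeProvider stands in for the authorization server so the exchange runs offline and enforces the two checks the slides mention (the redirect target is compared with the registration, and a code is only valid for the app and redirect it was issued to). The APP_ID, APP_SECRET, REGISTERED_REDIRECT values, the `state` parameter and the form-encoded token body are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed app registration values. Real ones come from the Facebook app
# dashboard; the secret belongs on the server only, never in browser code.
APP_ID = "123456789012345"
APP_SECRET = "hypothetical-app-secret"
REGISTERED_REDIRECT = "https://example.com/fb/callback"
DIALOG_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def build_authorize_url(scopes, state):
    """Request 1 (front channel): the URL the browser is sent to. `state` is a
    random per-login value kept in the user's session; the slides omit it, but
    it is what ties the later callback to this particular login attempt."""
    params = {"client_id": APP_ID, "redirect_uri": REGISTERED_REDIRECT,
              "scope": ",".join(scopes), "state": state}
    return DIALOG_URL + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Response 1: http://YOUR_URL?code=... arriving through the browser.
    The code is accepted only if the state matches the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:                        # user declined, or the dialog failed
        raise PermissionError(qs["error"][0])
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login")
    return qs["code"][0]


def build_token_request(code):
    """Request 2 (back channel, server to server). The client_secret travels
    only here, and redirect_uri must equal the one used in request 1."""
    params = {"client_id": APP_ID, "redirect_uri": REGISTERED_REDIRECT,
              "client_secret": APP_SECRET, "code": code}
    return TOKEN_URL + "?" + urlencode(params)


def parse_token_response(body):
    """Response 2: access_token plus seconds until expiry. Assumes the
    form-encoded body the Graph API returned at the time (constructed)."""
    fields = parse_qs(body)
    return fields["access_token"][0], int(fields["expires"][0])


class FakeProvider:
    """Offline stand-in for the authorization server (constructed)."""

    def __init__(self):
        self._codes = {}                     # code -> (client_id, redirect_uri)

    def authorize(self, url):
        q = parse_qs(urlparse(url).query)
        # "Domain will be checked as well": never redirect to an unregistered target
        if q["client_id"][0] != APP_ID or q["redirect_uri"][0] != REGISTERED_REDIRECT:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = "code-" + secrets.token_hex(8)
        self._codes[code] = (q["client_id"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, url):
        q = parse_qs(urlparse(url).query)
        issued_to = self._codes.pop(q["code"][0], None)   # a code is single use
        if issued_to != (q["client_id"][0], q["redirect_uri"][0]) or q["client_secret"][0] != APP_SECRET:
            raise PermissionError("code not issued to this client/redirect, or bad secret")
        return urlencode({"access_token": "AT-" + secrets.token_hex(8), "expires": 5184000})


def run_flow(provider=None):
    """Drive the whole exchange against the fake provider; returns (token, expires)."""
    provider = provider or FakeProvider()
    state = secrets.token_urlsafe(16)        # a real app stores this in the session
    callback = provider.authorize(build_authorize_url(["email", "read_stream"], state))
    code = handle_callback(callback, state)
    body = provider.token(build_token_request(code))
    return parse_token_response(body)


if __name__ == "__main__":
    print(run_flow())
```

The split between the two channels is the point of the flow: the browser only ever sees the App-ID, the redirect target and a short-lived code, while the App-Secret is used once, server to server, to turn that code into the token that gets saved.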
Project Reference
     no code :(
Environment
                          „Online & Performance Marketing
                          Agency“

                          a LOT of Facebook Marketing
                          campaigns per month

                          campaign creation and monitoring
                          via Facebook Ads Manager (web-
                          interface)

                          Task: integrate into Java Client!

Links: Ads-Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
Facebook and Java
                           just like we learned:

                                   register App with Facebook

                                   get an Access-Token



                           RestFB:
                           helpful Library to speak with
                           GraphAPI in Java

Links: RestFB: http://restfb.com
The Problem we had
 What if...


 .. we want to access
 information of a page, that only
 an admin of the page can access?


 .. we want to add data to an
 account, but only admins are
 allowed to?
Conclusion
What do we want then?
   distinguish between different
   applications (and us)

   give different rights to each (scoping)

   be able to revoke rights once they
   were granted

   standardized approach in granting
   access
One more thing!
a stolen token is not as horrible as
stolen credentials!

  just dedicated information or
  actions can be accessed

  no need to change password

  it's easy to revoke access
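An added example (not from the slides, and not Facebook's implementation) that models why the four goals from "What do we want then?" make a stolen token less harmful than stolen credentials: a constructed in-memory token store binds each token to one app, carries only the scopes the user granted, expires, and can be revoked per app without touching the password. The user "alice", the app id "pulp", the token format and the timestamps are all constructed values.

```python
class TokenStore:
    """Constructed model of a provider's token store (added example)."""

    def __init__(self):
        self._tokens = {}
        self._counter = 0

    def issue(self, user, app_id, scopes, ttl_seconds, now):
        """Grant `app_id` access to `user`'s data for the listed scopes only."""
        self._counter += 1
        token = f"tok-{self._counter}"          # placeholder; real tokens are random
        self._tokens[token] = {"user": user, "app": app_id, "scopes": frozenset(scopes),
                               "expires": now + ttl_seconds, "revoked": False}
        return token

    def revoke(self, token):
        """Pull one grant; the user's password is untouched."""
        if token in self._tokens:
            self._tokens[token]["revoked"] = True

    def revoke_app(self, user, app_id):
        """What the privacy-settings page does: drop every token of one app."""
        for rec in self._tokens.values():
            if rec["user"] == user and rec["app"] == app_id:
                rec["revoked"] = True

    def check(self, token, app_id, scope, now):
        """Resource-server decision for one request: returns (allowed, reason)."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec["revoked"]:
            return False, "revoked"
        if now >= rec["expires"]:
            return False, "expired"
        if rec["app"] != app_id:                # tokens are only valid for their app
            return False, "token belongs to another app"
        if scope not in rec["scopes"]:          # scoping: only the granted rights
            return False, f"missing scope {scope}"
        return True, rec["user"]


def demo():
    """Walk one token through its life and collect each access decision."""
    store = TokenStore()
    t0 = 1_000_000                              # constructed epoch seconds
    tok = store.issue("alice", "pulp", ["read_stream"], ttl_seconds=3600, now=t0)
    results = {
        "read": store.check(tok, "pulp", "read_stream", t0 + 10),
        "write": store.check(tok, "pulp", "publish_stream", t0 + 10),
        "other_app": store.check(tok, "other-app", "read_stream", t0 + 10),
        "expired": store.check(tok, "pulp", "read_stream", t0 + 3600),
    }
    store.revoke_app("alice", "pulp")           # user removes the app; no password change
    results["after_revoke"] = store.check(tok, "pulp", "read_stream", t0 + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} -> {outcome}")
```

Each denial reason corresponds to one of the goals on the slide: "missing scope" is scoping, "token belongs to another app" is distinguishing applications, and "revoked" is revocation after the grant, which is exactly what a leaked password cannot offer.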
Thanks!
Questions?

More Related Content

What's hot

Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Colin Su
 
Alphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks
 
Workshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKWorkshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKDimitar Danailov
 
Advanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsAdvanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsJustin Briggs
 
How to Setup App Indexation
How to Setup App IndexationHow to Setup App Indexation
How to Setup App IndexationJustin Briggs
 
SEO tips and ranking factors
SEO tips and ranking factorsSEO tips and ranking factors
SEO tips and ranking factorsSEO_adam
 
Introduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesIntroduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesShruti Arya
 
Confoo Montreal : SEO for dynamic websites
Confoo Montreal :  SEO for dynamic websitesConfoo Montreal :  SEO for dynamic websites
Confoo Montreal : SEO for dynamic websitesiProspect Canada
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformPat Patterson
 
Site Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteSite Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteAdam Audette
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Suzzicks
 
Supercharging WordPress for SEO
Supercharging WordPress for SEOSupercharging WordPress for SEO
Supercharging WordPress for SEOAffiliate Summit
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
Rest experience-report
Rest experience-reportRest experience-report
Rest experience-reportJim Barritt
 

What's hot (20)

Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)
 
Alphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks meetup - facebook api
Alphageeks meetup - facebook api
 
Workshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKWorkshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDK
 
Advanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsAdvanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich Snippets
 
How to Setup App Indexation
How to Setup App IndexationHow to Setup App Indexation
How to Setup App Indexation
 
Social Sign-On with Authentication Providers
Social Sign-On with Authentication ProvidersSocial Sign-On with Authentication Providers
Social Sign-On with Authentication Providers
 
SEO tips and ranking factors
SEO tips and ranking factorsSEO tips and ranking factors
SEO tips and ranking factors
 
Introduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesIntroduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websites
 
Confoo Montreal : SEO for dynamic websites
Confoo Montreal :  SEO for dynamic websitesConfoo Montreal :  SEO for dynamic websites
Confoo Montreal : SEO for dynamic websites
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com Platform
 
Site Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteSite Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam Audette
 
Prashant Sridharan
Prashant SridharanPrashant Sridharan
Prashant Sridharan
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1
 
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
 
Supercharging WordPress for SEO
Supercharging WordPress for SEOSupercharging WordPress for SEO
Supercharging WordPress for SEO
 
Facebook API for iOS
Facebook API for iOSFacebook API for iOS
Facebook API for iOS
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Rest experience-report
Rest experience-reportRest experience-report
Rest experience-report
 
Hi5 Open Social
Hi5   Open SocialHi5   Open Social
Hi5 Open Social
 

Similar to OAuth Introduction

Leveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsLeveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsDavid Keener
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Shiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesShiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesRoy Pereira
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Social Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSocial Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSalesforce Developers
 
Hack u iitb_social
Hack u iitb_socialHack u iitb_social
Hack u iitb_socialRajesh Kumar
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Damon Widjaja
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsTom Johnson
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedGaurav Behere
 
What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011Iskandar Najmuddin
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdfTomasz Kopacz
 
What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011Iskandar Najmuddin
 

Similar to OAuth Introduction (20)

Facebook + Ruby
Facebook + RubyFacebook + Ruby
Facebook + Ruby
 
Leveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsLeveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook Apps
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Shiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesShiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development Guidelines
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Google APIs
Google APIsGoogle APIs
Google APIs
 
Social Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSocial Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for Facebook
 
Hack u iitb_social
Hack u iitb_socialHack u iitb_social
Hack u iitb_social
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting Started
 
What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011
 
Kt 15 07-2013
Kt 15 07-2013Kt 15 07-2013
Kt 15 07-2013
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf
 
What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

OAuth Introduction

  • 1. OAuth Or: „Why you don‘t have to pass credentials“
  • 2. About me! Marvin Hoffmann (B.Sc.) Computer Science and Media Semester 2 Why am I here? Security will always be a key aspect of application development
  • 3. What‘s coming? some history and basics some OAuth some Facebook project reference conclusion
  • 4. What‘s coming? some history and basics some OAuth some Facebook project reference conclusion semester holidays :)
  • 6. Once upon a time... you had to pass your username and password to let applications use one another Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
  • 7. That of course... we don‘t want to be necessary! Pass username and password?
  • 8. That of course... we don‘t want to be necessary! Pass username and password? No thanks. There must be another way!
  • 9. What do we want then? distinguish between different applications (and us) give different rights to each (scoping) be able to revoke rights once they where granted standardized approach in granting access
  • 10. What‘s necessary? Authentication Who the heck are you? Authorization You are allowed to do xyz and only xyz!
  • 11. OAuth
  • 12. We need a standard! many custom build solutions before OAuth Flickr: „FlickrAuth“ Google: „AuthSub“ Facebook: requests signed with MD5 Hashes Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
  • 13. What‘s in the protocol? OAuth 1 based on „FlickrAuth“ and Googles „AuthSub“ OAuth2 is a completely new protocol defines different flows, useful for different requirements (native Client, Website, mobile App) we‘ll see soon how such a flow can look like Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
  • 15. OAuth and Facebook lo oks familiar ? Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
  • 16. How to get there 1 register your application or website as Facebook-Application to get your App credentials an App ID / API Key an App Secret (tokens you get are only valid for your Facebook-App)
  • 17. How to get there 2 add App-ID and App-Secret to your code example: $facebook = new Facebook(array( 'appId' => 'YOUR_APP_KEY', 'secret' => 'YOUR_APP_SECRET')); your App/Website will now be identified correctly Domain will be checked aswell!
  • 18. How to get there 3 define what your app needs to use e.g. „Post to Facebook as me“; „Access basic information“ example: <fb:login-button show-faces="true" width="500" max- rows="1" perms="user_useralbums, read_stream, publish_stream"></fb:login-button> rights? See photos, read from and write to stream
  • 19. How to get there 4 App-ID App-Secret Do main Source: https://developers.facebook.com/apps/
  • 20. How to get there 5 You‘re good to go! Your App/Website will know be identified (always) and the user has to grand specific rights (once)
  • 21. HTTP calls flow Source: https://developers.facebook.com/docs/authentication/
  • 22. Little more details Source: https://developers.facebook.com/docs/authentication/
• 27. Little more details Request: https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream Response: http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER Request: https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE (this request carries the App Secret, so it is made from your server, never from the browser) Response: access_token and time in seconds till the token expires; save it! Source: https://developers.facebook.com/docs/authentication/
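The two request/response pairs above are the OAuth 2 authorization-code flow (RFC 6749, section 4.1). The following is an added example, not code from the presentation or from Facebook: both sides of the exchange run in one process, the authorization server being an in-memory stand-in (no network) and CLIENT_ID, CLIENT_SECRET and REDIRECT_URI being constructed placeholder values. It shows the checks the slides leave implicit: a state parameter binding the callback to the login attempt, an exact redirect_uri match, a single-use code with a short lifetime, and the client secret sent in a POST body rather than a URL.

```python
"""Authorization-code flow (RFC 6749 sec. 4.1), client and server in one process.

Added example, not the presentation's code. Endpoint URLs mirror the Facebook
ones on the slides; the server is an in-memory stand-in and all credentials
below are constructed placeholders.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"   # POST target (back channel)
CLIENT_ID = "123456789"                                       # constructed App ID
CLIENT_SECRET = "s3cr3t-app-secret"                           # constructed App Secret
REDIRECT_URI = "https://example.invalid/callback"             # constructed registered URL
CODE_LIFETIME = 600                                           # RFC 6749: max 10 minutes


def flat_query(url):
    """Query string -> {name: value} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    """Stand-in provider: issues one-time codes and exchanges them for tokens."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uri": str}
        self.codes = {}          # code -> (client_id, redirect_uri, scope, issued_at)
        self.tokens = {}         # access_token -> (client_id, scope)

    def authorize(self, q):
        """Step 1: user approved the dialog; redirect back to the app with a code."""
        client = self.clients[q["client_id"]]
        # Exact match against the registered URI, or the code leaks to an attacker's page.
        if q["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"], time.time())
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]   # echoed back unchanged for the client's CSRF check
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, form):
        """Step 2: back-channel exchange of code + client secret for an access token."""
        client = self.clients.get(form["client_id"])
        if client is None or not hmac.compare_digest(client["secret"], form["client_secret"]):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(form["code"], None)   # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant")
        client_id, redirect_uri, scope, issued_at = entry
        if client_id != form["client_id"] or redirect_uri != form["redirect_uri"]:
            raise PermissionError("invalid_grant")
        if time.time() - issued_at > CODE_LIFETIME:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, scope)
        return {"access_token": token, "expires_in": 3600, "scope": scope}


class Client:
    """The registered app: builds the dialog URL, validates the callback, redeems the code."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_state = None

    def authorization_url(self, scope):
        self.pending_state = secrets.token_urlsafe(16)   # binds this login attempt to our session
        return AUTHORIZE_URL + "?" + urlencode({"client_id": self.client_id, "scope": scope,
                                                 "redirect_uri": self.redirect_uri,
                                                 "state": self.pending_state})

    def handle_callback(self, url):
        """Accept the code only if state matches; blocks CSRF and attacker-injected codes."""
        q = flat_query(url)
        if self.pending_state is None or not hmac.compare_digest(q.get("state", ""), self.pending_state):
            raise ValueError("state mismatch")
        self.pending_state = None
        return q["code"]

    def token_request(self, code):
        """POST body for TOKEN_URL: the secret travels server-to-server, never in a URL."""
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "client_secret": self.client_secret, "code": code}


def run_flow(scope="email,read_stream"):
    """Drive one complete exchange; returns (server, client, code, token_response)."""
    server = AuthorizationServer({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}})
    client = Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    redirect = server.authorize(flat_query(client.authorization_url(scope)))  # the browser hop
    code = client.handle_callback(redirect)
    return server, client, code, server.token(client.token_request(code))


def replay_rejected(server, client, code):
    """A code that leaked after redemption is worthless."""
    try:
        server.token(client.token_request(code))
    except PermissionError:
        return True
    return False


def forged_callback_rejected():
    """A callback carrying someone else's code (wrong state) is refused by the client."""
    client = Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    client.authorization_url("email")
    try:
        client.handle_callback(REDIRECT_URI + "?code=attackers_code&state=guess")
    except ValueError:
        return True
    return False
```

run_flow() returns the same token response shape the slide describes (access_token plus expires_in); the two helper functions show why the code is tied to state and is single-use. Against the real endpoint, the token call is an HTTPS POST from your server with the body token_request() returns.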
  • 28. Project Reference no code :(
• 29. Environment „Online & Performance Marketing Agency“; a LOT of Facebook marketing campaigns per month; campaign creation and monitoring via Facebook Ads Manager (web interface); Task: integrate into a Java client! Links: Ads Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
• 30. Facebook and Java just like we learned: register the app with Facebook, get an access token; RestFB: helpful library to talk to the Graph API from Java Links: RestFB: http://restfb.com
• 31. The problem we had what if .. we want to access information of a page that only an admin of the page can access? .. we want to add data to an account, but only admins are allowed to?
• 33. What do we want then? distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; standardized approach in granting access
• 38. One more thing! a stolen token is not as horrible as stolen credentials! only the granted information or actions can be accessed (scope); no need to change the password; it‘s easy to revoke access. A token is still a bearer secret, though: anyone holding it can use it until it expires or is revoked, so store it as carefully as a password

Editor's Notes

12. 1.0 -> 2006 / 2007; 2.0 -> 2010
21–25. „if the user has already authorized your app, they will not be prompted to do so again“; offline_access -> the token never expires!