OAuth: A Question of Trust
About Me

 • Lorna Jane Mitchell

 • Twitter: @lornajane

 • Web: http://lornajane.net

If OAuth is the answer, what was the question?
OAuth

(diagram, labels only)
    username: lornajane
    password: qwerty

OAuth

(diagram, labels only)
    Hi, I’m lornajane

Two Kinds of OAuth

 • OAuth 1
      • in use on many systems
      • many steps: 'the oauth dance'
      • encryption overhead (so use a lib)

 • OAuth 2
      • requires SSL
      • fewer steps
      • recognises trust
      • recommended for new systems

OAuth 2: Performance over Paranoia
OAuth2 Relationships

(diagram slides, no text captured)

Before We Begin

Register for an API key and capture:

  • application name

  • callback URL(s) to use

  • description


e.g. http://joind.in/user/apikey

OAuth2 Endpoints


    Application Website        API                 Client
    api key registration       auth endpoint       callback URL
    user grant/revoke access   resource endpoint
    resources

Establishing Trust

We need an authorisation grant for the assistant to be able to access user data

Authorisation Grants
Authorisation Grant: Many Choices

How we authorise a third party:

  • authorisation code

  • implicit

  • resource owner credentials

  • client credentials

  • ... potentially further extensions

Authorisation Code

Use for: server-side apps

Flow: we send the user to the application to grant access and receive a code in return, then exchange the code for an access token

Features: the user never sees the access token

Authorisation Code Process

(diagram, labels only)

Request to the auth endpoint:
    client_id
    redirect_url
    type
    scope
    state

User must be able to visit the site and revoke later

Returned to the callback URL:
    code
    state

Exchange at the API:
    client_key
    client_secret
    code

Returned:
    access_token

Implicit Grant

Use for: client-side apps

Flow: we send the user to the application to grant access and receive an access token in return

Features: super-simple

Implicit Process

(diagram, labels only)

Request to the auth endpoint:
    client_id
    redirect_url
    type
    scope
    state

User must be able to visit the site and revoke later

Returned to the callback URL:
    access_token
    state

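Both flows from the client's side, as an added example that is not part of the slides: it builds the authorisation request from the parameters on the process slides, checks the state on the way back, and then either exchanges the code server-to-server (authorisation code grant) or reads the token out of the URL fragment (implicit grant). The endpoint URLs, client id, secret and callback URL are assumed placeholders, and FakeProvider is a constructed stand-in for the API so the exchange runs offline.

```python
"""Client side of the authorisation-code and implicit grants, exercised against an
in-process stand-in for the provider so the whole exchange runs offline."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder values; the real ones come from API key registration.
AUTH_ENDPOINT = "https://api.example.test/oauth/authorize"
TOKEN_ENDPOINT = "https://api.example.test/oauth/token"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://client.example.test/callback"


def build_authorize_url(session, response_type, scope):
    """Send the user to the auth endpoint with the parameters the process slides
    list. The random state is kept in the user's session so the callback can be
    tied back to this browser and not to someone else's."""
    if response_type not in ("code", "token"):  # "code": auth code grant, "token": implicit
        raise ValueError("unsupported response_type")
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": response_type, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _check_state(session, returned):
    """Reject a callback whose state is not the one this session issued."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned is None or not hmac.compare_digest(expected, returned):
        raise PermissionError("state mismatch: callback does not belong to this session")


def handle_code_callback(session, callback_url, post_form):
    """Authorisation code grant: code and state arrive in the query string; the
    code is swapped for a token server-to-server, so the user never sees it."""
    query = parse_qs(urlsplit(callback_url).query)
    _check_state(session, query.get("state", [None])[0])
    if urlsplit(TOKEN_ENDPOINT).scheme != "https":  # the client secret only travels over TLS
        raise RuntimeError("token endpoint must be https")
    reply = post_form(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code", "code": query["code"][0],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    return reply["access_token"]


def handle_implicit_callback(session, callback_url):
    """Implicit grant: the token itself comes back in the URL fragment, where the
    browser and any script on the page can read it."""
    fragment = parse_qs(urlsplit(callback_url).fragment)
    _check_state(session, fragment.get("state", [None])[0])
    return fragment["access_token"][0]


class FakeProvider:
    """Constructed stand-in for the API's auth and token endpoints."""

    def __init__(self):
        self.codes = {}       # one-time code -> (client_id, redirect_uri)
        self.tokens = set()   # access tokens issued so far

    def authorize(self, url):
        """Simulate the user clicking 'allow' and being redirected to the callback."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if q["client_id"] != CLIENT_ID or q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or unregistered callback URL")
        if q["response_type"] == "code":
            code = secrets.token_hex(8)
            self.codes[code] = (q["client_id"], q["redirect_uri"])
            return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
        token = secrets.token_hex(8)
        self.tokens.add(token)
        return q["redirect_uri"] + "#" + urlencode({"access_token": token, "state": q["state"]})

    def token(self, endpoint, form):
        """Back-channel exchange (endpoint is ignored here): needs the client
        secret and a fresh one-time code."""
        if form["client_secret"] != CLIENT_SECRET:
            raise PermissionError("bad client credentials")
        if self.codes.pop(form["code"], None) != (form["client_id"], form["redirect_uri"]):
            raise PermissionError("unknown or reused code, or redirect_uri mismatch")
        token = secrets.token_hex(8)
        self.tokens.add(token)
        return {"access_token": token, "token_type": "bearer"}


def run_code_flow(provider, scope="read"):
    session = {}  # stands in for the user's server-side session
    callback = provider.authorize(build_authorize_url(session, "code", scope))
    return handle_code_callback(session, callback, provider.token)


def run_implicit_flow(provider, scope="read"):
    session = {}
    callback = provider.authorize(build_authorize_url(session, "token", scope))
    return handle_implicit_callback(session, callback)
```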
Resource Owner Credentials

Use for: trusted consumers, such as same-provider apps or a script the user writes themselves

Flow: the user gives their username and password to the app; the app exchanges them for an access token and does not store them

Features: saves sending the user to the main site and back

Resource Owner Credentials Process

(diagram, labels only)
    username, password (user to app, then app to API)
    access token (API to app)

Client Credentials

Use for: privileged consumers

Flow: the client credentials act as the authorisation grant, and an access token is returned

Features: ideal for applications with access rights beyond per-user data

Client Credentials Process

(diagram, labels only)
    hai
    access token

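A provider-side token endpoint handling both of these grants, as an added example (not from the slides); the client registry, user store and secrets are constructed placeholders. It shows the two points the slides make: the password grant verifies the user's password and keeps only a token record, and the client credentials grant is limited to clients registered as privileged and to the scope registered for them.

```python
"""Provider-side token endpoint for the resource owner credentials grant and the
client credentials grant."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed registries. A user record holds only a salted password hash; a
# client record says which grants it is trusted to use and its own scope cap.
USERS = {}
CLIENTS = {
    "first-party-app": {"secret": "app-secret", "grants": {"password"}, "scope": set()},
    "reporting-job": {"secret": "job-secret", "grants": {"client_credentials"},
                      "scope": {"stats:read"}},
}
TOKENS = {}  # access_token -> {"sub", "client", "scope", "exp"}


def register_user(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def _password_ok(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)


def _client_ok(client_id, client_secret, grant):
    client = CLIENTS.get(client_id)
    return (client is not None
            and hmac.compare_digest(client["secret"].encode(), client_secret.encode())
            and grant in client["grants"])


def _issue(subject, client_id, scope, ttl=3600):
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"sub": subject, "client": client_id, "scope": scope, "exp": time.time() + ttl}
    return {"access_token": token, "token_type": "bearer", "expires_in": ttl,
            "scope": " ".join(sorted(scope))}


def token_endpoint(form):
    """Dispatch on grant_type; returns a token response or an OAuth2 error dict."""
    grant = form.get("grant_type")
    if grant not in ("password", "client_credentials"):
        return {"error": "unsupported_grant_type"}
    client_id = form.get("client_id", "")
    if not _client_ok(client_id, form.get("client_secret", ""), grant):
        return {"error": "invalid_client"}  # wrong secret, or grant not allowed for this client
    if grant == "password":
        # Resource owner credentials: the app forwards the user's username and
        # password once. Only the token record is kept; the password is not stored.
        if not _password_ok(form.get("username", ""), form.get("password", "")):
            return {"error": "invalid_grant"}
        return _issue(form["username"], client_id, set(form.get("scope", "").split()))
    # Client credentials: the client's own identity is the grant. The token
    # belongs to the application, not to any user, so its scope is capped by
    # what was registered for that client.
    requested = set(form.get("scope", "").split()) or CLIENTS[client_id]["scope"]
    if not requested <= CLIENTS[client_id]["scope"]:
        return {"error": "invalid_scope"}
    return _issue(None, client_id, requested)
```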
How to Choose Grant Type

What will be consuming this data?

It isn’t unusual for applications to support some or all of these grant types

You have an access token, now what?
Using Access Tokens

With the access token, include it in an Authorization header:

    Authorization: OAuth db141c50adb74b22

Everything you already knew about web APIs now applies as normal

Refresh Tokens

Some applications will give you two tokens

   • access token (shorter expiry)

   • refresh token (longer expiry)


The refresh token is an authorisation grant in its own right, to be used when the access token has expired

What about access control?
Scope

Consumers will request a given set of permissions, usually called scope

Users usually only get to accept, or not

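The resource-server side of the three slides above (header check, scope check and refresh), as an added example rather than anything from the talk; the token stores, lifetimes and scope names are constructed. It accepts both the slide's draft-era `OAuth` scheme and the final `Bearer` scheme, and the client helper spends the refresh token only after a 401.

```python
"""Resource-server side: check the Authorization header, token expiry and scope,
and renew an expired access token with a refresh token."""
import secrets
import time

ACCESS_TTL = 900           # seconds; access tokens are short-lived
REFRESH_TTL = 30 * 86400   # refresh tokens live much longer

ACCESS = {}    # access_token -> {"sub", "scope", "exp", "refresh"}
REFRESH = {}   # refresh_token -> {"sub", "scope", "exp"}


def issue_pair(subject, scope, now=None):
    """What the token endpoint hands out: a short-lived access token and a
    long-lived refresh token, both tied to the scope the user agreed to."""
    now = time.time() if now is None else now
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
    REFRESH[refresh] = {"sub": subject, "scope": set(scope), "exp": now + REFRESH_TTL}
    ACCESS[access] = {"sub": subject, "scope": set(scope), "exp": now + ACCESS_TTL,
                      "refresh": refresh}
    return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}


def refresh_grant(refresh_token, now=None):
    """The refresh token is a grant in its own right: present it to get a new
    pair. The old refresh token is retired so a leaked copy stops working."""
    now = time.time() if now is None else now
    rec = REFRESH.pop(refresh_token, None)
    if rec is None or rec["exp"] <= now:
        return {"error": "invalid_grant"}
    for stale in [t for t, a in ACCESS.items() if a["refresh"] == refresh_token]:
        del ACCESS[stale]
    return issue_pair(rec["sub"], rec["scope"], now)


def parse_authorization(header):
    """Accept the slides' draft-era 'OAuth <token>' scheme and the final 'Bearer'."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("bearer", "oauth"):
        return None
    return parts[1]


def check_request(headers, required_scope, now=None):
    """Returns (status, body): 401 when no usable token, 403 when it lacks scope."""
    now = time.time() if now is None else now
    token = parse_authorization(headers.get("Authorization"))
    rec = ACCESS.get(token) if token else None
    if rec is None or rec["exp"] <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in rec["scope"]:
        return 403, {"error": "insufficient_scope", "scope": required_scope}
    return 200, {"user": rec["sub"]}


def call_with_refresh(creds, required_scope, now=None):
    """Client helper: use the access token; on 401 spend the refresh token once
    and retry, updating creds in place with the new pair."""
    status, body = check_request({"Authorization": "Bearer " + creds["access_token"]},
                                 required_scope, now)
    if status == 401 and "refresh_token" in creds:
        renewed = refresh_grant(creds["refresh_token"], now)
        if "error" in renewed:
            return 401, renewed
        creds.update(renewed)
        status, body = check_request({"Authorization": "Bearer " + creds["access_token"]},
                                     required_scope, now)
    return status, body
```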
HTTPS (a vital OAuth2 ingredient)
HTTPS

HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer
Security)

Basically, we encrypt the pipe!

OAuth 1
About OAuth 1

In a nutshell:

   • Had its own encryption: needed a library/extension

   • Involved many steps, therefore many request/response roundtrips

        • leading to the phrase 'oauth dance'

   • Solved exactly the same problem

   • Had a single oauth endpoint

OAuth 1 Process

 • Step 0: Register as a consumer

 • Step 1: Get a request token

 • Step 2: Send the user to authenticate

 • Step 3: Swap their verification for an access token

 • Step 4: Consume data

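The signing step that made OAuth 1 need a library or extension, as an added example not taken from the talk: HMAC-SHA1 request signing as specified in RFC 5849 section 3.4, plus the provider-side check. The consumer key, token, secrets and URL are constructed values.

```python
"""OAuth 1.0a request signing with HMAC-SHA1 (RFC 5849 section 3.4)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value):
    # RFC 3986 percent-encoding with only the unreserved characters left bare
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Normalise every parameter (query string plus oauth_*) into one sorted,
    encoded list; a change to any of them changes the signature."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(_enc(k), _enc(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    pairs += [(_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature"]
    normalised = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), _enc(base_url), _enc(normalised)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer secret and token secret joined by '&' (token secret is
    empty while fetching the request token at step 1)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    message = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def oauth_params(consumer_key, token, nonce, timestamp):
    """The oauth_* parameters every signed request carries (constructed values)."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Builds the Authorization: OAuth ... header the consumer sends at step 4."""
    signed = dict(params, oauth_signature=sign(method, url, params, consumer_secret, token_secret))
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(signed.items()))


def verify(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```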
OAuth Today

 • New project? Use OAuth 2

 • OAuth 1 is complicated and needs PECL extension

 • OAuth 2 requires SSL, and decision-making

Resources and Further Reading

 • OAuth2 Spec:
   http://tools.ietf.org/html/draft-ietf-oauth-v2

 • Great introductory article:
   http://hueniverse.com/2010/05/introducing-oauth-2-0/

 • Images from http://thenounproject.org

Thanks!

    https://joind.in/6232
    @lornajane
    http://lornajane.net
DianaGray10
 

Recently uploaded (20)

Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 

OAuth: Trust Issues

  • 1. OAuth: A Question of Trust
  • 2. About Me
    • Lorna Jane Mitchell
    • Twitter: @lornajane
    • Web: http://lornajane.net
  • 3. If OAuth is the answer, what was the question?
  • 4. OAuth (diagram labels: username: lornajane, password: qwerty)
  • 5. OAuth (diagram label: Hi, I’m lornajane)
  • 6. Two Kinds of OAuth
    • OAuth 1
      • in use on many systems
      • many steps: ’the oauth dance’
      • encryption overhead (so use a lib)
    • OAuth 2
      • requires SSL
      • fewer steps
      • recognises trust
      • recommended for new systems
  • 7. OAuth 2: Performance over Paranoia
  • 10. Before We Begin
    Register for an API key and capture:
    • application name
    • callback URL(s) to use
    • description
    e.g. http://joind.in/user/apikey
  • 11. OAuth2 Endpoints
    • Application Website: api key registration, user grant/revoke access, resources
    • API: auth endpoint, resource endpoint
    • Client: callback URL
  • 12. Establishing Trust
    We need an authorisation grant for the assistant to be able to access user data
  • 14. Authorisation Grant: Many Choices
    How we authorise a third party:
    • authorisation code
    • implicit
    • resource owner credentials
    • client credentials
    • ... potentially further extensions
  • 15. Authorisation Code
    Use for: server-side apps
    Flow: we send user to application to grant access, receive a code in return. Then exchange code for access token
    Features: user never sees access token
  • 16. Authorisation Code Process (diagram labels: client_id, redirect_url, type, scope, state)
  • 17. Authorisation Code Process: User must be able to visit the site and revoke later
  • 18. Authorisation Code Process (diagram labels: code, state)
  • 19. Authorisation Code Process (diagram labels: client_key, client_secret, code, access_token)
  • 20. Implicit Grant
    Use for: client-side apps
    Flow: we send user to application to grant access, receive an access token in return
    Features: super-simple
  • 21. Implicit Process (diagram labels: client_id, redirect_url, type, scope, state)
  • 22. Implicit Process: User must be able to visit the site and revoke later
  • 23. Implicit Process (diagram labels: access_token, state)
  • 24. Resource Owner Credentials
    Use for: trusted consumers, such as same-provider apps or a script the user writes themselves
    Flow: user gives username and password to app, app exchanges for access token and does not store
    Features: saves sending user to the main site and back
  • 25. Resource Owner Credentials Process (diagram labels: username, password)
  • 26. Resource Owner Credentials Process (diagram label: access token)
  • 27. Client Credentials
    Use for: privileged consumers
    Flow: client credentials act as an authorisation grant, access token is returned
    Features: ideal for applications with more than per-user-data access rights
  • 28. Client Credentials Process (diagram labels: hai, access token)
  • 29. How to Choose Grant Type
    What will be consuming this data?
    It isn’t unusual for applications to support some or all of these grant types
  • 30. You have an access token, now what?
  • 31. Using Access Tokens
    With the access token, include it in an Authorization header:
    Authorization: OAuth db141c50adb74b22
  • 32. Using Access Tokens
    With the access token, include it in an Authorization header:
    Authorization: OAuth db141c50adb74b22
    Everything you already knew about web APIs now applies as normal
  • 33. Refresh Tokens
    Some applications will give you two tokens
    • access token (shorter expiry)
    • refresh token (longer expiry)
    The refresh token is an authorisation grant in its own right, to be used when the access token has expired
  • 34. What about access control?
  • 35. Scope
    Consumers will request a given set of permissions, usually called scope
    Users usually only get to accept, or not
  • 36. HTTPS (a vital OAuth2 ingredient)
  • 37. HTTPS
    HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer Security)
    Basically, we encrypt the pipe!
  • 39. About OAuth 1
    In a nutshell:
    • Had its own encryption: needed a library/extension
    • Involved many steps, therefore many request/response roundtrips
      • leading to the phrase ’oauth dance’
    • Solved exactly the same problem
    • Had a single oauth endpoint
  • 40. OAuth 1 Process
    • Step 0: Register as a consumer
    • Step 1: Get a request token
    • Step 2: Send the user to authenticate
    • Step 3: Swap their verification for an access token
    • Step 4: Consume data
  • 42. OAuth Today
    • New project? Use OAuth 2
    • OAuth 1 is complicated and needs PECL extension
    • OAuth 2 requires SSL, and decision-making
  • 43. Resources and Further Reading
    • OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2
    • Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/
    • Images from http://thenounproject.org
  • 45. Thanks
    https://joind.in/6232
    @lornajane
    http://lornajane.net
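As an added example (not from the slides or from any joind.in code), the client side of the authorisation code process on slides 16 to 19, the header form on slide 31 and the refresh decision on slide 33, in Python. The endpoint URL, client id and secret, redirect URL and scope are constructed placeholders, and the request parameter names follow RFC 6749 where the slide labels abbreviate them (redirect_uri, response_type).

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example; real ones come from the API key
# registration on slide 10 and stay on the server side.
AUTH_ENDPOINT = "https://api.example.test/oauth/authorize"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"   # never shipped to a browser
REDIRECT_URL = "https://app.example.test/oauth/callback"

def new_state():
    """Unguessable per-attempt value; ties the callback to this request."""
    return secrets.token_urlsafe(16)

def build_authorize_url(state, scope="read"):
    """Slide 16: the redirect that sends the user off to grant access."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URL,
              "response_type": "code", "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Slide 18: take the code off the callback, rejecting a wrong state."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in qs:
        raise ValueError("user declined: " + qs["error"][0])
    return qs["code"][0]

def code_exchange_body(code):
    """Slide 19: back-channel POST body swapping the code for a token; the
    secret travels here, so the user never sees the access token."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URL, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}

def auth_header(access_token):
    """Slide 31's header form (RFC 6750 bearer tokens use 'Bearer')."""
    return {"Authorization": "OAuth " + access_token}

def needs_refresh(expires_at, now, skew=30):
    """Slide 33: refresh a little early so an in-flight call does not 401."""
    return now >= expires_at - skew

def refresh_body(refresh_token):
    """The refresh token is a grant in its own right: same token endpoint."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
```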