My talk for the Dutch PHP Conference, explaining the point of oauth, the mechanics of oauth2 and the various flows, and a spot of oauth1 for completeness
6. Two Kinds of OAuth
• OAuth 1
• in use on many systems
• many steps: 'the oauth dance'
• encryption overhead (so use a lib)
• OAuth 2
• requires SSL
• fewer steps
• recognises trust
• recommended for new systems
14. Authorisation Grant: Many Choices
How we authorise a third party:
• authorisation code
• implicit
• resource owner credentials
• client credentials
• ... potentially further extensions
15. Authorisation Code
Use for: server-side apps
Flow: we send the user to the application to grant access and receive a code in
return, then exchange the code for an access token
Features: user never sees access token
20. Implicit Grant
Use for: client-side apps
Flow: we send the user to the application to grant access and receive an access
token in return
Features: super-simple
24. Resource Owner Credentials
Use for: trusted consumers, such as same-provider apps or a script the
user writes themselves
Flow: user gives username and password to the app, the app exchanges them for an
access token and does not store the password
Features: saves sending user to the main site and back
27. Client Credentials
Use for: privileged consumers
Flow: the client credentials act as the authorisation grant, and an access token is
returned
Features: ideal for applications whose access rights go beyond per-user data
31. Using Access Tokens
With the access token, include it in an Authorization header:
Authorization: OAuth db141c50adb74b22
Everything you already knew about web APIs now applies as normal
33. Refresh Tokens
Some applications will give you two tokens
• access token (shorter expiry)
• refresh token (longer expiry)
The refresh token is an authorisation grant in its own right, to be used
when the access token has expired
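The authorisation code flow, token use and refresh described in the slides above, as an added example that is not from the talk: it builds the redirect, checks the callback against a per-session state value (a check the slides do not show but that ties the returned code to the login that started it), composes the server-side token exchange, and sends the token in the Authorization header. The provider endpoints, client id and redirect URI are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoints and client registration: placeholders, not values from the talk.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://app.example/callback"

def new_state() -> str:
    """Unguessable per-login value that ties the callback to the session that started it."""
    return secrets.token_urlsafe(16)

def build_authorize_url(state: str) -> str:
    """Step 1: the URL we send the user to so they can grant access."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the provider sends the user back with ?code=...&state=...; reject any
    callback whose state does not match the one stored in the user's session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in qs:
        raise ValueError("access not granted: " + qs["error"][0])
    return qs["code"][0]

def token_exchange_request(code: str, client_secret: str) -> dict:
    """Step 3: server-side POST that swaps the code for tokens; the user never sees the response."""
    return {"url": TOKEN_URL, "method": "POST", "form": {
        "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID, "client_secret": client_secret}}

def refresh_request(refresh_token: str, client_secret: str) -> dict:
    """When the access token has expired, the refresh token is itself the grant."""
    return {"url": TOKEN_URL, "method": "POST", "form": {
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "client_id": CLIENT_ID, "client_secret": client_secret}}

def api_request(url: str, access_token: str, scheme: str = "OAuth") -> dict:
    """Step 4: consume data. The slides show the draft-era 'OAuth' scheme name;
    the final spec (RFC 6750) uses 'Bearer', so the scheme is a parameter."""
    return {"url": url, "headers": {"Authorization": f"{scheme} {access_token}"}}
```

The functions only compose the requests, so the same logic can be dropped in front of whatever HTTP client the application already uses.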
39. About OAuth 1
In a nutshell:
• Had its own encryption: needed a library/extension
• Involved many steps, therefore many request/response roundtrips
• leading to the phrase 'oauth dance'
• Solved exactly the same problem
• Had a single oauth endpoint
40. OAuth 1 Process
• Step 0: Register as a consumer
• Step 1: Get a request token
• Step 2: Send the user to authenticate
• Step 3: Swap their verification for an access token
• Step 4: Consume data
42. OAuth Today
• New project? Use OAuth 2
• OAuth 1 is complicated and needs PECL extension
• OAuth 2 requires SSL, and decision-making
43. Resources and Further Reading
• OAuth2 Spec:
http://tools.ietf.org/html/draft-ietf-oauth-v2
• Great introductory article:
http://hueniverse.com/2010/05/introducing-oauth-2-0/
• Images from http://thenounproject.org