SlideShare a Scribd company logo

OAuth: Trust Issues

L
Lorna Mitchell

My talk for the Dutch PHP Conference, explaining the point of oauth, the mechanics of oauth2 and the various flows, and a spot of oauth1 for completeness

Technology
1 of 45
Download to read offline
OAuth: A Question of Trust
About Me • Lorna Jane Mitchell • Twitter: @lornajane • Web: http://lornajane.net 2
If OAuth is the answer, what was the question?
OAuth username: lornajane password: qwerty 4
OAuth Hi, I’m lornajane 5
Two Kinds of OAuth • OAuth 1 • in use on many systems • many steps: ’the oauth dance’ • encryption overhead (so use a lib) • OAuth 2 • requires SSL • fewer steps • recognises trust • recommended for new systems 6
OAuth 2: Performance over Paranoia
OAuth2 Relationships 8
OAuth2 Relationships 9
Before We Begin Register for an API key and capture: • application name • callback URL(s) to use • description e.g. http://joind.in/user/apikey 10
OAuth2 Endpoints Application Website API Client api key registration auth endpoint callback URL user grant/revoke access resource endpoint resources 11
Establishing Trust We need an authorisation grant for the assistant to be able to access user data 12
Authorisation Grants
Authorisation Grant: Many Choices How we authorise a third party: • authorisation code • implicit • resource owner credentials • client credentials • ... potentially further extensions 14
Authorisation Code Use for: server-side apps Flow: we send user to application to grant access, recieve a code in return. Then exchange code for access token Features: user never sees access token 15
Authorisation Code Process client_id redirect_url type scope state 16
Authorisation Code Process User must be able to visit the site and revoke later 17
Authorisation Code Process code code state 18
Authorisation Code Process client_key client_secret code code access token access_token 19
Implicit Grant Use for: client-side apps Flow: we send user to application to grant access, recieve an access token in return Features: super-simple 20
Implicit Process client_id redirect_url type scope state 21
Implicit Process User must be able to visit the site and revoke later 22
Implicit Process access token access_token state 23
Resource Owner Credentials Use for: trusted consumers, such as same-provider apps or a script the user writes themselves Flow: user gives username and password to app, app exchanges for access token and does not store Features: saves sending user to the main site and back 24
Resource Owner Credentials Process username, username, password password 25
Resource Owner Credentials Process access token 26
Client Credentials Use for: privileged consumers Flow: client credentials act as an authorsation grant, access token is returned Features: ideal for applications with more than per-user-data access rights 27
Client Credentials Process hai access token 28
How to Choose Grant Type What will be consuming this data? It isn’t unusual for applications to support some or all of these grant types 29
You have an access token, now what?
Using Access Tokens With the access token, include it in an Authorization header: Authorization: OAuth db141c50adb74b22 31
Using Access Tokens With the access token, include it in an Authorization header: Authorization: OAuth db141c50adb74b22 Everything you already knew about web APIs now applies as normal 31
Refresh Tokens Some applications will give you two tokens • access token (shorter expiry) • refresh token (longer expiry) The refresh token is an authorisation grant in its own right, to be used when the access token has expired 32
What about access control?
Scope Consumers will request a given set of permissions, usually called scope Users usually only get to accept, or not 34
HTTPS (a vital OAuth2 ingredient)
HTTPS HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer Security) Basically, we encrypt the pipe! 36
OAuth 1
About OAuth 1 In a nutshell: • Had its own encryption: needed a library/extension • Involved many steps, therefore many request/response roundtrips • leading to the phrase ’oauth dance’ • Solved exactly the same problem • Had a single oauth endpoint 38
OAuth 1 Process • Step 0: Register as a consumer • Step 1: Get a request token • Step 2: Send the user to authenticate • Step 3: Swap their verification for an access token • Step 4: Consume data 39
OAuth Today
OAuth Today • New project? Use OAuth 2 • OAuth 1 is complicated and needs PECL extension • OAuth 2 requires SSL, and decision-making 41
Resources and Further Reading • OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2 • Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/ • Images from http://thenounproject.org 42
Thanks!
Thanks https://joind.in/6232 @lornajane http://lornajane.net 44

Recommended

Best Practice in API Design
Best Practice in API DesignBest Practice in API Design
Best Practice in API DesignLorna Mitchell
 
Web services in PHP using the NuSOAP library
Web services in PHP using the NuSOAP libraryWeb services in PHP using the NuSOAP library
Web services in PHP using the NuSOAP libraryFulvio Corno
 
Webservice for android ppt
Webservice for android pptWebservice for android ppt
Webservice for android pptsantosh lamba
 
Easy rest service using PHP reflection api
Easy rest service using PHP reflection apiEasy rest service using PHP reflection api
Easy rest service using PHP reflection apiMatthieu Aubry
 
Intoduction to php web services and json
Intoduction to php web services and jsonIntoduction to php web services and json
Intoduction to php web services and jsonbaabtra.com - No. 1 supplier of quality freshers
 
Things I wish web graduates knew
Things I wish web graduates knewThings I wish web graduates knew
Things I wish web graduates knewLorna Mitchell
 
Consuming RESTful services in PHP
Consuming RESTful services in PHPConsuming RESTful services in PHP
Consuming RESTful services in PHPZoran Jeremic
 
Creating And Consuming Web Services In Php 5
Creating And Consuming Web Services In Php 5Creating And Consuming Web Services In Php 5
Creating And Consuming Web Services In Php 5Michael Girouard
 

Recommended

Best Practice in API Design
Best Practice in API DesignBest Practice in API Design
Best Practice in API DesignLorna Mitchell
 
Web services in PHP using the NuSOAP library
Web services in PHP using the NuSOAP libraryWeb services in PHP using the NuSOAP library
Web services in PHP using the NuSOAP libraryFulvio Corno
 
Webservice for android ppt
Webservice for android pptWebservice for android ppt
Webservice for android pptsantosh lamba
 
Easy rest service using PHP reflection api
Easy rest service using PHP reflection apiEasy rest service using PHP reflection api
Easy rest service using PHP reflection apiMatthieu Aubry
 
Intoduction to php web services and json
Intoduction to php web services and jsonIntoduction to php web services and json
Intoduction to php web services and jsonbaabtra.com - No. 1 supplier of quality freshers
 
Things I wish web graduates knew
Things I wish web graduates knewThings I wish web graduates knew
Things I wish web graduates knewLorna Mitchell
 
Consuming RESTful services in PHP
Consuming RESTful services in PHPConsuming RESTful services in PHP
Consuming RESTful services in PHPZoran Jeremic
 
Creating And Consuming Web Services In Php 5
Creating And Consuming Web Services In Php 5Creating And Consuming Web Services In Php 5
Creating And Consuming Web Services In Php 5Michael Girouard
 
Building Restful Applications Using Php
Building Restful Applications Using PhpBuilding Restful Applications Using Php
Building Restful Applications Using PhpSudheer Satyanarayana
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIEyal Vardi
 
Overview of RESTful web services
Overview of RESTful web servicesOverview of RESTful web services
Overview of RESTful web servicesnbuddharaju
 
Develop webservice in PHP
Develop webservice in PHPDevelop webservice in PHP
Develop webservice in PHPSanil Subhash Chandra Bose
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web apiMaurice De Beijer [MVP]
 
ASP.NET WEB API
ASP.NET WEB APIASP.NET WEB API
ASP.NET WEB APIThang Chung
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services TutorialLorna Mitchell
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical ApproachMadhaiyan Muthu
 
RESTful Web Services with JAX-RS
RESTful Web Services with JAX-RSRESTful Web Services with JAX-RS
RESTful Web Services with JAX-RSCarol McDonald
 
WebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIWebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIRajkattamuri
 
RESTing with JAX-RS
RESTing with JAX-RSRESTing with JAX-RS
RESTing with JAX-RSEzewuzie Emmanuel Okafor
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSam Brannen
 
REST API Recommendations
REST API RecommendationsREST API Recommendations
REST API RecommendationsJeelani Shaik
 
Json-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webJson-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webkriszyp
 
Restful web services with java
Restful web services with javaRestful web services with java
Restful web services with javaVinay Gopinath
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Doing REST Right
Doing REST RightDoing REST Right
Doing REST RightKerry Buckley
 
REST & RESTful Web Service
REST & RESTful Web ServiceREST & RESTful Web Service
REST & RESTful Web ServiceHoan Vu Tran
 
ASP.NET WEB API Training
ASP.NET WEB API TrainingASP.NET WEB API Training
ASP.NET WEB API TrainingChalermpon Areepong
 
RestFull Webservices with JAX-RS
RestFull Webservices with JAX-RSRestFull Webservices with JAX-RS
RestFull Webservices with JAX-RSNeil Ghosh
 
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-DesignersHow to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-DesignersHilary Stohs-Krause
 
Web services tutorial
Web services tutorialWeb services tutorial
Web services tutorialLorna Mitchell
 

More Related Content

What's hot

Building Restful Applications Using Php
Building Restful Applications Using PhpBuilding Restful Applications Using Php
Building Restful Applications Using PhpSudheer Satyanarayana
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIEyal Vardi
 
Overview of RESTful web services
Overview of RESTful web servicesOverview of RESTful web services
Overview of RESTful web servicesnbuddharaju
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical ApproachMadhaiyan Muthu
 
RESTful Web Services with JAX-RS
RESTful Web Services with JAX-RSRESTful Web Services with JAX-RS
RESTful Web Services with JAX-RSCarol McDonald
 
WebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIWebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIRajkattamuri
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSam Brannen
 
REST API Recommendations
REST API RecommendationsREST API Recommendations
REST API RecommendationsJeelani Shaik
 
Json-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webJson-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webkriszyp
 
Restful web services with java
Restful web services with javaRestful web services with java
Restful web services with javaVinay Gopinath
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
REST & RESTful Web Service
REST & RESTful Web ServiceREST & RESTful Web Service
REST & RESTful Web ServiceHoan Vu Tran
 
RestFull Webservices with JAX-RS
RestFull Webservices with JAX-RSRestFull Webservices with JAX-RS
RestFull Webservices with JAX-RSNeil Ghosh
 

What's hot (20)

Building Restful Applications Using Php
Building Restful Applications Using PhpBuilding Restful Applications Using Php
Building Restful Applications Using Php
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
 
Overview of RESTful web services
Overview of RESTful web servicesOverview of RESTful web services
Overview of RESTful web services
 
Develop webservice in PHP
Develop webservice in PHPDevelop webservice in PHP
Develop webservice in PHP
 
Excellent rest using asp.net web api
Excellent rest using asp.net web apiExcellent rest using asp.net web api
Excellent rest using asp.net web api
 
ASP.NET WEB API
ASP.NET WEB APIASP.NET WEB API
ASP.NET WEB API
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
 
Web services - A Practical Approach
Web services - A Practical ApproachWeb services - A Practical Approach
Web services - A Practical Approach
 
RESTful Web Services with JAX-RS
RESTful Web Services with JAX-RSRESTful Web Services with JAX-RS
RESTful Web Services with JAX-RS
 
WebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIWebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDI
 
RESTing with JAX-RS
RESTing with JAX-RSRESTing with JAX-RS
RESTing with JAX-RS
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. REST
 
REST API Recommendations
REST API RecommendationsREST API Recommendations
REST API Recommendations
 
Json-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the webJson-based Service Oriented Architecture for the web
Json-based Service Oriented Architecture for the web
 
Restful web services with java
Restful web services with javaRestful web services with java
Restful web services with java
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Doing REST Right
Doing REST RightDoing REST Right
Doing REST Right
 
REST & RESTful Web Service
REST & RESTful Web ServiceREST & RESTful Web Service
REST & RESTful Web Service
 
ASP.NET WEB API Training
ASP.NET WEB API TrainingASP.NET WEB API Training
ASP.NET WEB API Training
 
RestFull Webservices with JAX-RS
RestFull Webservices with JAX-RSRestFull Webservices with JAX-RS
RestFull Webservices with JAX-RS
 

Viewers also liked

How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-DesignersHow to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-DesignersHilary Stohs-Krause
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP TutorialLorna Mitchell
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamJoe Ferguson
 
Le jeu vidéo à la rescousse du web
Le jeu vidéo à la rescousse du webLe jeu vidéo à la rescousse du web
Le jeu vidéo à la rescousse du webFrancois Zaninotto
 
Practical SVN for PHP Developers
Practical SVN for PHP DevelopersPractical SVN for PHP Developers
Practical SVN for PHP DevelopersLorna Mitchell
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 
Consuming Web Services in Android
Consuming Web Services in AndroidConsuming Web Services in Android
Consuming Web Services in AndroidDavid Truxall
 
Web services soap and rest by mandakini for TechGig
Web services soap and rest by mandakini for TechGigWeb services soap and rest by mandakini for TechGig
Web services soap and rest by mandakini for TechGigMandakini Kumari
 
Android webservices
Android webservicesAndroid webservices
Android webservicesKrazy Koder
 
Practical PHP Deployment with Jenkins
Practical PHP Deployment with JenkinsPractical PHP Deployment with Jenkins
Practical PHP Deployment with JenkinsAdam Culp
 
La blockchain, quand l'individu sert au collectif... malgré lui
La blockchain, quand l'individu sert au collectif... malgré luiLa blockchain, quand l'individu sert au collectif... malgré lui
La blockchain, quand l'individu sert au collectif... malgré luiFrancois Zaninotto
 
PHP and Web Services
PHP and Web ServicesPHP and Web Services
PHP and Web ServicesBruno Pedro
 

Viewers also liked (15)

How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-DesignersHow to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
How to Make Your Website Not Ugly: 10 Simple UX Tenets for Non-Designers
 
Web services tutorial
Web services tutorialWeb services tutorial
Web services tutorial
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP Tutorial
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small team
 
Le jeu vidéo à la rescousse du web
Le jeu vidéo à la rescousse du webLe jeu vidéo à la rescousse du web
Le jeu vidéo à la rescousse du web
 
Join In With Joind.In
Join In With Joind.InJoin In With Joind.In
Join In With Joind.In
 
Practical SVN for PHP Developers
Practical SVN for PHP DevelopersPractical SVN for PHP Developers
Practical SVN for PHP Developers
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP Stack
 
Consuming Web Services in Android
Consuming Web Services in AndroidConsuming Web Services in Android
Consuming Web Services in Android
 
What is an API?
What is an API?What is an API?
What is an API?
 
Web services soap and rest by mandakini for TechGig
Web services soap and rest by mandakini for TechGigWeb services soap and rest by mandakini for TechGig
Web services soap and rest by mandakini for TechGig
 
Android webservices
Android webservicesAndroid webservices
Android webservices
 
Practical PHP Deployment with Jenkins
Practical PHP Deployment with JenkinsPractical PHP Deployment with Jenkins
Practical PHP Deployment with Jenkins
 
La blockchain, quand l'individu sert au collectif... malgré lui
La blockchain, quand l'individu sert au collectif... malgré luiLa blockchain, quand l'individu sert au collectif... malgré lui
La blockchain, quand l'individu sert au collectif... malgré lui
 
PHP and Web Services
PHP and Web ServicesPHP and Web Services
PHP and Web Services
 

Similar to OAuth: Trust Issues

Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...apidays
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...WSO2
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 

Similar to OAuth: Trust Issues (20)

Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Api security
Api security Api security
Api security
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 

More from Lorna Mitchell

Git, GitHub and Open Source
Git, GitHub and Open SourceGit, GitHub and Open Source
Git, GitHub and Open SourceLorna Mitchell
 
Business 101 for Developers: Time and Money
Business 101 for Developers: Time and MoneyBusiness 101 for Developers: Time and Money
Business 101 for Developers: Time and MoneyLorna Mitchell
 
Teach a Man To Fish (phpconpl edition)
Teach a Man To Fish (phpconpl edition)Teach a Man To Fish (phpconpl edition)
Teach a Man To Fish (phpconpl edition)Lorna Mitchell
 
Understanding Distributed Source Control
Understanding Distributed Source ControlUnderstanding Distributed Source Control
Understanding Distributed Source ControlLorna Mitchell
 
Best Practice in Web Service Design
Best Practice in Web Service DesignBest Practice in Web Service Design
Best Practice in Web Service DesignLorna Mitchell
 
Coaching Development Teams: Teach A Man To Fish
Coaching Development Teams: Teach A Man To FishCoaching Development Teams: Teach A Man To Fish
Coaching Development Teams: Teach A Man To FishLorna Mitchell
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
Object Oriented Programming in PHP
Object Oriented Programming in PHPObject Oriented Programming in PHP
Object Oriented Programming in PHPLorna Mitchell
 
Could You Telecommute?
Could You Telecommute?Could You Telecommute?
Could You Telecommute?Lorna Mitchell
 
Running a Project with Github
Running a Project with GithubRunning a Project with Github
Running a Project with GithubLorna Mitchell
 
27 Ways To Be A Better Developer
27 Ways To Be A Better Developer27 Ways To Be A Better Developer
27 Ways To Be A Better DeveloperLorna Mitchell
 
Digital Representation
Digital RepresentationDigital Representation
Digital RepresentationLorna Mitchell
 
The Source Control Landscape
The Source Control LandscapeThe Source Control Landscape
The Source Control LandscapeLorna Mitchell
 
Working with web_services
Working with web_servicesWorking with web_services
Working with web_servicesLorna Mitchell
 

More from Lorna Mitchell (20)

Git, GitHub and Open Source
Git, GitHub and Open SourceGit, GitHub and Open Source
Git, GitHub and Open Source
 
Business 101 for Developers: Time and Money
Business 101 for Developers: Time and MoneyBusiness 101 for Developers: Time and Money
Business 101 for Developers: Time and Money
 
Teach a Man To Fish (phpconpl edition)
Teach a Man To Fish (phpconpl edition)Teach a Man To Fish (phpconpl edition)
Teach a Man To Fish (phpconpl edition)
 
Going Freelance
Going FreelanceGoing Freelance
Going Freelance
 
Understanding Distributed Source Control
Understanding Distributed Source ControlUnderstanding Distributed Source Control
Understanding Distributed Source Control
 
Best Practice in Web Service Design
Best Practice in Web Service DesignBest Practice in Web Service Design
Best Practice in Web Service Design
 
Coaching Development Teams: Teach A Man To Fish
Coaching Development Teams: Teach A Man To FishCoaching Development Teams: Teach A Man To Fish
Coaching Development Teams: Teach A Man To Fish
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation Tutorial
 
Object Oriented Programming in PHP
Object Oriented Programming in PHPObject Oriented Programming in PHP
Object Oriented Programming in PHP
 
Example Presentation
Example PresentationExample Presentation
Example Presentation
 
Could You Telecommute?
Could You Telecommute?Could You Telecommute?
Could You Telecommute?
 
Design Patterns
Design PatternsDesign Patterns
Design Patterns
 
Running a Project with Github
Running a Project with GithubRunning a Project with Github
Running a Project with Github
 
27 Ways To Be A Better Developer
27 Ways To Be A Better Developer27 Ways To Be A Better Developer
27 Ways To Be A Better Developer
 
Digital Representation
Digital RepresentationDigital Representation
Digital Representation
 
Goodpractice
GoodpracticeGoodpractice
Goodpractice
 
SPL Primer
SPL PrimerSPL Primer
SPL Primer
 
The Source Control Landscape
The Source Control LandscapeThe Source Control Landscape
The Source Control Landscape
 
Teach a Man To Fish
Teach a Man To FishTeach a Man To Fish
Teach a Man To Fish
 
Working with web_services
Working with web_servicesWorking with web_services
Working with web_services
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

OAuth: Trust Issues

  • 1. OAuth: A Question of Trust
  • 2. About Me • Lorna Jane Mitchell • Twitter: @lornajane • Web: http://lornajane.net 2
  • 3. If OAuth is the answer, what was the question?
  • 4. OAuth username: lornajane password: qwerty 4
  • 5. OAuth Hi, I’m lornajane 5
  • 6. Two Kinds of OAuth • OAuth 1 • in use on many systems • many steps: ’the oauth dance’ • encryption overhead (so use a lib) • OAuth 2 • requires SSL • fewer steps • recognises trust • recommended for new systems 6
  • 7. OAuth 2: Performance over Paranoia
  • 10. Before We Begin Register for an API key and capture: • application name • callback URL(s) to use • description e.g. http://joind.in/user/apikey 10
  • 11. OAuth2 Endpoints Application Website API Client api key registration auth endpoint callback URL user grant/revoke access resource endpoint resources 11
  • 12. Establishing Trust We need an authorisation grant for the assistant to be able to access user data 12
  • 14. Authorisation Grant: Many Choices How we authorise a third party: • authorisation code • implicit • resource owner credentials • client credentials • ... potentially further extensions 14
  • 15. Authorisation Code Use for: server-side apps Flow: we send user to application to grant access, recieve a code in return. Then exchange code for access token Features: user never sees access token 15
  • 16. Authorisation Code Process client_id redirect_url type scope state 16
  • 17. Authorisation Code Process User must be able to visit the site and revoke later 17
  • 18. Authorisation Code Process code code state 18
  • 19. Authorisation Code Process client_key client_secret code code access token access_token 19
  • 20. Implicit Grant Use for: client-side apps Flow: we send user to application to grant access, recieve an access token in return Features: super-simple 20
  • 21. Implicit Process client_id redirect_url type scope state 21
  • 22. Implicit Process User must be able to visit the site and revoke later 22
  • 23. Implicit Process access token access_token state 23
  • 24. Resource Owner Credentials Use for: trusted consumers, such as same-provider apps or a script the user writes themselves Flow: user gives username and password to app, app exchanges for access token and does not store Features: saves sending user to the main site and back 24
  • 25. Resource Owner Credentials Process username, username, password password 25
  • 26. Resource Owner Credentials Process access token 26
  • 27. Client Credentials Use for: privileged consumers Flow: client credentials act as an authorsation grant, access token is returned Features: ideal for applications with more than per-user-data access rights 27
  • 28. Client Credentials Process hai access token 28
  • 29. How to Choose Grant Type What will be consuming this data? It isn’t unusual for applications to support some or all of these grant types 29
  • 30. You have an access token, now what?
  • 31. Using Access Tokens With the access token, include it in an Authorization header: Authorization: OAuth db141c50adb74b22 31
  • 32. Using Access Tokens With the access token, include it in an Authorization header: Authorization: OAuth db141c50adb74b22 Everything you already knew about web APIs now applies as normal 31
  • 33. Refresh Tokens Some applications will give you two tokens • access token (shorter expiry) • refresh token (longer expiry) The refresh token is an authorisation grant in its own right, to be used when the access token has expired 32
  • 34. What about access control?
  • 35. Scope Consumers will request a given set of permissions, usually called scope Users usually only get to accept, or not 34
  • 36. HTTPS (a vital OAuth2 ingredient)
  • 37. HTTPS HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer Security) Basically, we encrypt the pipe! 36
  • 39. About OAuth 1 In a nutshell: • Had its own encryption: needed a library/extension • Involved many steps, therefore many request/response roundtrips • leading to the phrase ’oauth dance’ • Solved exactly the same problem • Had a single oauth endpoint 38
  • 40. OAuth 1 Process • Step 0: Register as a consumer • Step 1: Get a request token • Step 2: Send the user to authenticate • Step 3: Swap their verification for an access token • Step 4: Consume data 39
  • 42. OAuth Today • New project? Use OAuth 2 • OAuth 1 is complicated and needs PECL extension • OAuth 2 requires SSL, and decision-making 41
  • 43. Resources and Further Reading • OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2 • Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/ • Images from http://thenounproject.org 42
  • 45. Thanks https://joind.in/6232 @lornajane http://lornajane.net 44