Kent Tong, profile picture
Uploaded byKent Tong
PDF, PPTX439 views

OAuth2 in simple words

1) OAuth2 allows web apps to access user data from authentication services like Google and Facebook by redirecting the user's browser to those services for authentication. 2) When a user grants permission, the authentication service provides an access token to the web app, which it can use to make API requests and access the user's data on the user's behalf. 3) To prevent access token theft, the authentication service provides an authorization code instead, which the web app exchanges for an access token on the backend without exposing it to the browser.

Embed presentation

Download as PDF, PPTX
OAuth2 Kent Tong, TipTec Development © 2018
OAuth2: Using your Google or Facebook account with other web apps
Redirecting the user to authentication server Your web app Browser Google Redirect to: https://auth.google.com http://localhost/myapp https://auth.google.com https://auth.google.com Redirect the user to Google, Facebook, etc.
User logging in and granting permission to the app Google Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc Using the access token, the web app can do things as the user. Redirect the browser to the web app. ... access_token=abc
But wait! Google Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc How does Google know the URL of your web app? How does Google know the name of your web app (app 123)?
Your web app needs to tell Google its name & resume URL at the beginning Your web app Browser Google Redirect to: https://auth.google.com ? client_id=app123& redirect_url=http://localhost/myapp/resume http://localhost/myapp https://auth.google.com ? client_id=...& redirect_url=... Your web app provides its name and resume URL to Google via the browser.
User logging in and granting permission to the app Google https://auth.google.com Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc ... access_token=abc
Acting as the user to do things (e.g., retrieve his profile info) Google https://profile.google.com Your web app https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... } May be a dedicated server for retrieving user profile.
However, the token is for the web app but handed to the browser Google Grant permission to app 123? Browser OK Redirect to: http://localhost/myapp/resume? access_token=abc If the browser has been hacked, the hacker can use the access token and pretend to be your web app. Your web app ... access_token=abc
Sending an authorization code instead of the access token Google Grant permission to app 123? Browser OK Your web app Redirect to: http://localhost/myapp/resume? code=xyz ...?code=xyz
The authorization code CANNOT be used to do things as the user Google https://profile.google.com Browser or hacker https://profile.google.com? clientId=app123& access_token=xyz "invalid access token"
The app can get an access token with the authorization code Google https://token.google.com Grant permission to app 123? Browser OK Your web app ...?code=xyz https://token.google.com? client_id=app123& client_secret=aaa code=xyz { "access_token":"abc", ... } Google Only the web app and Google know this client secret. Allow? Redirect. May be a dedicated server for getting an access token.
Acting as the user to do things Google https://profile.google.com Your web app http://localhost/myapp https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... }
The app wants everything or just simple things like email? Your web app Browser Google Redirect to: https://auth.google.com? client_id=app123& scope=public_info& redirect_url=http://localhost/myapp/resume https://auth.google.comhttps://auth.google.com? client_id=app123& scope=public_info& ... The available scope values and meanings are decided by the auth server.
app wants everything or just simple things like email? Google https://auth.google.com Grant permission to read your public info to app 123? Browser OK Your web app Redirect

More Related Content

PDF
Don't let your WordPress site get hacked
byVictoria Darling
 
PDF
Twitter4R OAuth
bySusan Potter
 
PDF
OAuth2 Authentication
byIsmael Costa
 
PPTX
Rubyconf
byAditya Prakash
 
PPTX
Social login integration
byMicroPyramid .
 
PDF
Search engine assistance
bybuisness supportive company
 
PPTX
[Step-by-Step Guide] How To Launch A Self-Hosted WordPress Blog In 27 Minutes...
byWilliam Marco Locañas
 
PPT
Meta tags1
byhapy
 
Don't let your WordPress site get hacked
byVictoria Darling
 
Twitter4R OAuth
bySusan Potter
 
OAuth2 Authentication
byIsmael Costa
 
Rubyconf
byAditya Prakash
 
Social login integration
byMicroPyramid .
 
Search engine assistance
bybuisness supportive company
 
[Step-by-Step Guide] How To Launch A Self-Hosted WordPress Blog In 27 Minutes...
byWilliam Marco Locañas
 
Meta tags1
byhapy
 

What's hot

PPTX
How Do Search Engines Work
byPromozSEO
 
PDF
VRAD INFO
bybrake02waste
 
PPTX
Search Engine Optimization - Fundamentals - SEO
byNeeraj Reddy
 
PDF
Api
byrandyhoyt
 
PPTX
Web Services
bySHC
 
PDF
3 Quick accessibility wins for your site
byRian Rietveld
 
PPT
Mystery of Alexa and ways to Increase your Alexa Ranking
byYogesh Kumar
 
PDF
automatisering
byplough23pan
 
KEY
Intro to developing for @twitterapi (updated)
byRaffi Krikorian
 
KEY
What's happening here?
byRaffi Krikorian
 
PDF
Intro to developing for @twitterapi
byRaffi Krikorian
 
PPTX
Consuming & embedding external content in WordPress
byAkshay Raje
 
TXT
Hack a Facebook password
bykasiomberce kasiomberce
 
PDF
The Good, The Bad & The Spammy IONsearch 2012
bySteve Lock
 
How Do Search Engines Work
byPromozSEO
 
VRAD INFO
bybrake02waste
 
Search Engine Optimization - Fundamentals - SEO
byNeeraj Reddy
 
Api
byrandyhoyt
 
Web Services
bySHC
 
3 Quick accessibility wins for your site
byRian Rietveld
 
Mystery of Alexa and ways to Increase your Alexa Ranking
byYogesh Kumar
 
automatisering
byplough23pan
 
Intro to developing for @twitterapi (updated)
byRaffi Krikorian
 
What's happening here?
byRaffi Krikorian
 
Intro to developing for @twitterapi
byRaffi Krikorian
 
Consuming & embedding external content in WordPress
byAkshay Raje
 
Hack a Facebook password
bykasiomberce kasiomberce
 
The Good, The Bad & The Spammy IONsearch 2012
bySteve Lock
 

Similar to OAuth2 in simple words

PPTX
Integrating OAuth and Social Login Into Wordpress
byWilliam Tam
 
PPTX
OAuth 2.0
byMihir Shah
 
PDF
Securing APIs with OAuth 2.0
byKai Hofstetter
 
PDF
OAuth 2.0
bymarcwan
 
PDF
AdWords API & OAuth 2.0, Advanced
bymarcwan
 
PDF
AdWords API and OAuth 2.0
bymarcwan
 
PDF
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
byMatt Raible
 
PDF
What the Heck is OAuth and OIDC - UberConf 2018
byMatt Raible
 
PDF
Authentication with OAuth and Connected Apps
bySalesforce Developers
 
PPTX
Oauth
byRob Paok
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PDF
Introduction to Web APIs and the Google+ API - BarCamp Phnom Penh 2011
bytraactivity
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
Demystifying OAuth2 for PHP
bySWIFTotter Solutions
 
PPTX
OAuth and Open-id
byParisa Moosavinezhad
 
PPTX
Introduction to OAuth2
byKumaresh Chandra Baruri
 
PDF
Digging Deeper into Desktop and Mobile App Security
bySalesforce Developers
 
PDF
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
bywesley chun
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
PPTX
O auth with facebook and google using .net
bySathyaish Chakravarthy
 
Integrating OAuth and Social Login Into Wordpress
byWilliam Tam
 
OAuth 2.0
byMihir Shah
 
Securing APIs with OAuth 2.0
byKai Hofstetter
 
OAuth 2.0
bymarcwan
 
AdWords API & OAuth 2.0, Advanced
bymarcwan
 
AdWords API and OAuth 2.0
bymarcwan
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
byMatt Raible
 
What the Heck is OAuth and OIDC - UberConf 2018
byMatt Raible
 
Authentication with OAuth and Connected Apps
bySalesforce Developers
 
Oauth
byRob Paok
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
Introduction to Web APIs and the Google+ API - BarCamp Phnom Penh 2011
bytraactivity
 
OAuth2
bySPARK MEDIA
 
Demystifying OAuth2 for PHP
bySWIFTotter Solutions
 
OAuth and Open-id
byParisa Moosavinezhad
 
Introduction to OAuth2
byKumaresh Chandra Baruri
 
Digging Deeper into Desktop and Mobile App Security
bySalesforce Developers
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
bywesley chun
 
Oauth 2.0 security
byvinoth kumar
 
O auth with facebook and google using .net
bySathyaish Chakravarthy
 

Recently uploaded

PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 

OAuth2 in simple words

  • 1.
    OAuth2 Kent Tong, TipTecDevelopment © 2018
  • 2.
    OAuth2: Using yourGoogle or Facebook account with other web apps
  • 3.
    Redirecting the userto authentication server Your web app Browser Google Redirect to: https://auth.google.com http://localhost/myapp https://auth.google.com https://auth.google.com Redirect the user to Google, Facebook, etc.
  • 4.
    User logging inand granting permission to the app Google Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc Using the access token, the web app can do things as the user. Redirect the browser to the web app. ... access_token=abc
  • 5.
    But wait! Google Grant permissionto app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc How does Google know the URL of your web app? How does Google know the name of your web app (app 123)?
  • 6.
    Your web appneeds to tell Google its name & resume URL at the beginning Your web app Browser Google Redirect to: https://auth.google.com ? client_id=app123& redirect_url=http://localhost/myapp/resume http://localhost/myapp https://auth.google.com ? client_id=...& redirect_url=... Your web app provides its name and resume URL to Google via the browser.
  • 7.
    User logging inand granting permission to the app Google https://auth.google.com Grant permission to app 123? Browser OK Your web app http://localhost/myapp Redirect to: http://localhost/myapp/resume? access_token=abc ... access_token=abc
  • 8.
    Acting as theuser to do things (e.g., retrieve his profile info) Google https://profile.google.com Your web app https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... } May be a dedicated server for retrieving user profile.
  • 9.
    However, the tokenis for the web app but handed to the browser Google Grant permission to app 123? Browser OK Redirect to: http://localhost/myapp/resume? access_token=abc If the browser has been hacked, the hacker can use the access token and pretend to be your web app. Your web app ... access_token=abc
  • 10.
    Sending an authorizationcode instead of the access token Google Grant permission to app 123? Browser OK Your web app Redirect to: http://localhost/myapp/resume? code=xyz ...?code=xyz
  • 11.
    The authorization codeCANNOT be used to do things as the user Google https://profile.google.com Browser or hacker https://profile.google.com? clientId=app123& access_token=xyz "invalid access token"
  • 12.
    The app canget an access token with the authorization code Google https://token.google.com Grant permission to app 123? Browser OK Your web app ...?code=xyz https://token.google.com? client_id=app123& client_secret=aaa code=xyz { "access_token":"abc", ... } Google Only the web app and Google know this client secret. Allow? Redirect. May be a dedicated server for getting an access token.
  • 13.
    Acting as theuser to do things Google https://profile.google.com Your web app http://localhost/myapp https://profile.google.com? clientId=app123& access_token=abc { "user_name":"kent", ... }
  • 14.
    The app wantseverything or just simple things like email? Your web app Browser Google Redirect to: https://auth.google.com? client_id=app123& scope=public_info& redirect_url=http://localhost/myapp/resume https://auth.google.comhttps://auth.google.com? client_id=app123& scope=public_info& ... The available scope values and meanings are decided by the auth server.
  • 15.
    app wants everythingor just simple things like email? Google https://auth.google.com Grant permission to read your public info to app 123? Browser OK Your web app Redirect