FamilySearch Authentication Options
25 Sep 2014
© 2013 by Intellectual Reserve, Inc. All rights reserved.
Agenda
• Access to the API
• OAuth2
  - Access Tokens
  - Authorization Grants
• Special Configurations
  - OpenID
How do I gain access to the API?
Grant my users access to the API through my app
[Diagram: the user grants my app access to the FamilySearch API]
OAuth 2.0
OAuth 2.0
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (Abstract of RFC 6749.)
OAuth 2.0
• Third-party application
• Obtain limited access
• HTTP service
• On behalf of a resource owner
[Diagram: the third-party application is the Client; the HTTP service is the FamilySearch API]
OAuth 2.0 – Access Tokens
• Access Tokens
  - Credentials used to access protected resources.
  - A string representing the authorization issued to the client.
FamilySearch – Access Tokens
• String
  - USYSB839321B7082635DBDCB50AB50F0C98E_idses-int01.a.fsglobal.net
• Type: Bearer Token (RFC 6750)
  - Sent in the Authorization header
  - If the header can't be used, the access_token query string parameter
• Expire after 1 hour of inactivity
• Have a max life of 24 hours
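The token handling described on this slide, as an added example that is not part of the deck: a client keeps track of when its FamilySearch access token was issued and last used (the 1-hour inactivity and 24-hour maximum figures are the slide's), sends it as an RFC 6750 bearer token in the Authorization header, and falls back to the access_token query parameter only when a header cannot be set. The token value and URLs are constructed sample data.

```python
# Added example (not from the FamilySearch deck): client-side handling of a
# FamilySearch bearer token. The 1-hour inactivity and 24-hour maximum
# lifetimes are the figures the slide gives; the token value and URLs below
# are constructed sample data.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

INACTIVITY_LIMIT = 60 * 60       # expire after 1 hour of inactivity
MAX_LIFETIME = 24 * 60 * 60      # hard cap of 24 hours from issue


class AccessToken:
    """Remembers when a token was issued and last used, so the client can
    tell in advance that the server will have expired it and go back through
    an authorization grant instead of sending a dead token."""

    def __init__(self, value, issued_at):
        self.value = value
        self.issued_at = issued_at
        self.last_used = issued_at

    def is_expired(self, now):
        idle_too_long = now - self.last_used > INACTIVITY_LIMIT
        too_old = now - self.issued_at > MAX_LIFETIME
        return idle_too_long or too_old

    def _use(self, now):
        if self.is_expired(now):
            raise PermissionError("access token expired; obtain a new authorization grant")
        self.last_used = now   # each API call resets the inactivity clock


def bearer_headers(token, now):
    """Preferred transport (RFC 6750 section 2.1): the Authorization header.
    Headers are not normally written to access logs or sent in Referer."""
    token._use(now)
    return {"Authorization": "Bearer " + token.value}


def with_access_token_param(url, token, now):
    """Fallback transport (RFC 6750 section 2.3): the access_token query
    parameter, only for clients that cannot set a header. The token then
    appears in the URL, so it can end up in server logs, browser history and
    Referer headers; prefer the header whenever possible."""
    token._use(now)
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query["access_token"] = token.value
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample token, shaped like the slide's example but not real
    tok = AccessToken("USYS0000000000000000000000000000000_sample", issued_at=0.0)
    print(bearer_headers(tok, now=10.0))
    print(with_access_token_param("https://api.example/tree/persons/PERSON-ID", tok, now=20.0))
    print("expired after an idle hour:", tok.is_expired(20.0 + INACTIVITY_LIMIT + 1))
```

Because a token that is used regularly still dies at 24 hours, a long-running client should plan for a new grant (or, for confidential clients, a refresh) at that point rather than waiting for the first 401.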
How does my client obtain an access token for its user?
OAuth 2.0 – Authorization Grant
• Client exchanges an authorization grant for an access token
OAuth 2.0 – Authorization Grant
• A resource owner (the user) gives:
  - authorization
  - to access its protected resources (the API)
  - used by the client to get an access token
OAuth 2.0 – Grant Types
• Grant Types
  - Authorization Code
  - Implicit
  - Resource Owner Password Credentials
  - Client Credentials
  - Extensions…
FamilySearch – Grant Types
• Grant Types
  - Authorization Code
  - Implicit
  - Resource Owner Password Credentials
  - Client Credentials
  - Unauthenticated (Extension)
• All grant types require a Client ID (App Key)
Authorization Code
Authorization Code
[Diagram, built up over five slides: the user is at https://myapp.com and clicks "Get FamilySearch Data"; the app redirects the browser to https://fs.org/auth…; once the user has authorized, FamilySearch redirects the browser back to myapp.com?code={}]
Authorization code passed to client as ?code={code}
Authorization Code
https://myapp.com/redirect-uri?code=S3CRT-4UTH-C0D3
The code is the user's authorization to access protected resources (the API).
Authorization Code
https://myapp.com/redirect-uri?code=S3CRT-4UTH-C0D3
The client needs to exchange the code for an access token. The client performs a POST with the code to the Token URI, which returns the access token.
Authorization Code
[Diagram: the client POSTs (code) to the FamilySearch OAuth 2.0 Token endpoint and receives {access_token: "token"}; the diagram also shows the Resource endpoint the token is then used against]
Authorization Code
• This is the required grant type for web apps.
  - Must not use an iframe for the authorization screen.
  - Full-page redirect or pop-up.
  - Register your redirect URI.
• Your web app must never prompt the user for username/password directly.
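The Authorization Code flow of the preceding slides from the web app's side, as an added example that is not the deck's or FamilySearch's code: the app builds the authorization URL for a full-page redirect, accepts the ?code=... callback, and POSTs the code to the Token URI. The endpoint URLs are assumptions (the deck shows only https://fs.org/auth…), the state parameter is standard RFC 6749 section 10.12 CSRF protection rather than something the slides show, and the token-endpoint POST is injected as a callable so the example runs offline.

```python
# Added example (not from the FamilySearch deck): the client side of the
# Authorization Code grant for a web app, following RFC 6749 sections 4.1
# and 10.12. The endpoint URLs are assumed; the state parameter is standard
# OAuth 2.0 CSRF protection that the deck does not show; http_post is
# injected so the example runs offline.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://fs.example/oauth2/authorization"   # assumed
TOKEN_URL = "https://fs.example/oauth2/token"               # assumed


def query_param(url, name):
    """Single value of a query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


class AuthCodeClient:
    def __init__(self, client_id, redirect_uri, http_post):
        self.client_id = client_id            # the App Key
        self.redirect_uri = redirect_uri      # must equal the URI registered on the app key
        self.http_post = http_post            # callable(url, form: dict) -> dict (parsed JSON reply)
        self.pending_states = set()           # state values awaiting a callback

    def begin(self):
        """URL to send the browser to with a full-page redirect or pop-up,
        never an iframe. The app itself never sees the user's password."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        }
        return AUTHORIZE_URL + "?" + urlencode(params)

    def finish(self, callback_url):
        """Handle the redirect back to redirect_uri?code=...&state=... and
        exchange the code for an access token at the Token URI."""
        state = query_param(callback_url, "state")
        if state not in self.pending_states:
            raise ValueError("unknown or reused state: ignoring callback (possible CSRF)")
        self.pending_states.discard(state)    # each state, and so each code, is accepted once
        error = query_param(callback_url, "error")
        if error:
            raise PermissionError("authorization server returned error: " + error)
        code = query_param(callback_url, "code")
        if not code:
            raise ValueError("callback carried neither code nor error")
        form = {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,   # must match the one sent in begin()
            "client_id": self.client_id,
        }
        response = self.http_post(TOKEN_URL, form)   # server-to-server POST, not via the browser
        return response["access_token"]


if __name__ == "__main__":
    def fake_post(url, form):        # stand-in for the real token endpoint
        return {"access_token": "token"} if form.get("code") else {}

    client = AuthCodeClient("APP-KEY", "https://myapp.com/redirect-uri", fake_post)
    url = client.begin()
    callback = "https://myapp.com/redirect-uri?code=S3CRT-4UTH-C0D3&state=" + query_param(url, "state")
    print(client.finish(callback))   # token
```

In a real app the pending state belongs in the user's server-side session, so a callback can only complete the login of the browser that started it; the single-use check is what stops a captured ?code= URL from being replayed through the app.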
Resource Owner Password Credentials
• The user's username and password are used directly as an authorization grant.
[Screenshot: a native app's "Login to FamilySearch" dialog: "Login with your FamilySearch username and password.", a username field, a masked password field, and Login! / Cancel buttons]
Resource Owner Password Credentials
[Diagram: the client POSTs (username & password) to the FamilySearch OAuth 2.0 Token endpoint and receives {access_token: "token"}]
Resource Owner Password Credentials
• This may only be used by Native Clients.
  - Mobile or desktop apps
  - Must be enabled on your app key
• With the user's permission, username & password may be saved via a secure mechanism (like Apple Keychain).
Unauthenticated
Unauthenticated
[Diagram: the client POSTs to the FamilySearch OAuth 2.0 Token endpoint with no user credentials and receives {access_token: "token"}]
Unauthenticated
• Only used for non-user-specific, read-only resources.
  - Places
  - Person Match
• Throttled by App Key.
Client Credentials
Client Credentials
• System-to-system authentication
• Internally called "Service Accounts"
• Requires a secure, confidential client (server)
• Very, very rarely granted to FS partners
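The three grants the deck shows as a direct POST to the Token URI (Resource Owner Password Credentials, Unauthenticated and Client Credentials), as one added example that is not the deck's or FamilySearch's code: it builds the form body for each and refuses, before any credential leaves the app, the combinations the slides rule out (the password grant outside a native client enabled for it, client credentials outside a confidential server). The grant_type values "password" and "client_credentials" are RFC 6749's; "unauthenticated" is this example's assumed value for FamilySearch's extension grant, and the password_enabled flag is an assumed stand-in for the app-key setting the deck mentions.

```python
# Added example (not from the FamilySearch deck): building the direct POST to
# the Token URI for the grants the deck shows without a browser redirect, with
# the deck's client-type rules enforced first. "password" and
# "client_credentials" are RFC 6749 grant_type values; "unauthenticated" is an
# assumed value for FamilySearch's extension grant; password_enabled stands in
# for the "enabled on your app key" setting (representation assumed).
from urllib.parse import urlencode

NATIVE = "native"              # mobile or desktop app
WEB = "web"                    # browser-facing web app
CONFIDENTIAL = "confidential"  # server that can keep a secret

SECRET_FIELDS = {"password", "client_secret"}


def token_request_form(grant, client_id, client_type, password_enabled=False, **creds):
    """Return the form fields for a token request, or raise if this kind of
    client may not use that grant. client_id (the App Key) is always required."""
    form = {"grant_type": grant, "client_id": client_id}
    if grant == "password":
        # Resource Owner Password Credentials: native clients only, and only when
        # enabled on the app key. A web app must never collect the password.
        if client_type != NATIVE or not password_enabled:
            raise PermissionError("password grant is limited to native clients enabled for it")
        form["username"] = creds["username"]
        form["password"] = creds["password"]
    elif grant == "client_credentials":
        # Service account: only a confidential server can hold the client secret
        if client_type != CONFIDENTIAL:
            raise PermissionError("client_credentials requires a confidential client")
        form["client_secret"] = creds["client_secret"]
    elif grant == "unauthenticated":
        # No user involved: only for non-user-specific, read-only resources
        # (Places, Person Match); FamilySearch throttles these per App Key
        pass
    else:
        raise ValueError("grant %r is not sent as a direct POST in this example" % grant)
    return form


def encode_body(form):
    """application/x-www-form-urlencoded body for the POST to the Token URI."""
    return urlencode(form)


def loggable(form):
    """Copy of the form with credential fields masked, for request logging."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in form.items()}


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real credential
    form = token_request_form("password", "APP-KEY", NATIVE, password_enabled=True,
                              username="alice", password="hunter2")
    print(loggable(form))        # password shown as ***
    print(encode_body(token_request_form("unauthenticated", "APP-KEY", WEB)))
```

Keeping the policy check beside the request builder means a web client cannot be talked into the password grant by a configuration change alone, and loggable() is the form that should reach any request log.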
Special Configurations
How can I make it so my user doesn't have to log in so often?
Special Configurations
• Refresh Tokens
• OAuth2 + OpenID
Refresh Tokens
Special Configuration – Refresh Tokens
• Client receives
  - Access Token and Refresh Token
• Client exchanges
  - Refresh Token for Access Token
• FamilySearch supports refresh for up to 2 weeks if the user opts in.
Authorization Code
[Diagram: the client POSTs (code) to the FamilySearch OAuth 2.0 Token endpoint and receives {access_token: "token", refresh_token: "r_token"}; later it POSTs (r_token) and receives {access_token: "token2", refresh_token: "r_token2"}]
Special Configuration – Refresh Tokens
• Only available to Confidential Clients
  - A server that can keep a secret secure
• Approved on a case-by-case basis
• Talk to an account manager
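The refresh exchange from the diagram above, as an added example that is not the deck's or FamilySearch's code: a confidential client's server-side session stores the refresh token, exchanges it for a new access token within the 2-week window the slides give, and replaces it with the new refresh token each reply carries (r_token, then r_token2, as in the diagram). TOKEN_URL is an assumption and the Token URI POST is injected as a callable so the example runs offline; sending client_secret in the form is the RFC 6749 section 2.3.1 option and is assumed here.

```python
# Added example (not from the FamilySearch deck): refresh-token handling in a
# confidential client. TOKEN_URL is assumed; http_post is injected so the
# example runs offline; the 2-week window is the deck's figure; sample
# replies mirror the deck's diagram (token/r_token, then token2/r_token2).
TOKEN_URL = "https://fs.example/oauth2/token"   # assumed
REFRESH_WINDOW = 14 * 24 * 60 * 60              # refresh allowed for up to 2 weeks after opt-in


class ServerSideSession:
    """Holds one user's tokens on the server. The refresh token is the
    long-lived credential, so it never goes to the browser and is only ever
    sent back to the Token URI."""

    def __init__(self, client_id, client_secret, http_post):
        self.client_id = client_id
        self.client_secret = client_secret   # the reason this is confidential-client only
        self.http_post = http_post           # callable(url, form: dict) -> dict (parsed JSON reply)
        self.access_token = None
        self.refresh_token = None
        self.granted_at = None

    def store_grant(self, token_response, now):
        """Called with the Token URI's reply to the authorization-code POST."""
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")   # present only if the user opted in
        self.granted_at = now

    def refresh(self, now):
        """Exchange the refresh token for a new access token. Returns the new
        access token, or None when the user must go through authorization again."""
        if self.refresh_token is None or now - self.granted_at > REFRESH_WINDOW:
            self.refresh_token = None        # past the 2-week window: do not even try
            return None
        form = {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,   # RFC 6749 2.3.1 form-body client auth (assumed)
        }
        reply = self.http_post(TOKEN_URL, form)
        if "access_token" not in reply:      # revoked, expired or otherwise refused
            self.refresh_token = None        # forget it so we fall back to a fresh grant
            return None
        self.access_token = reply["access_token"]
        # The deck's diagram returns a new refresh token with every exchange
        # (r_token -> r_token2): keep only the newest and stop presenting the old one
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return self.access_token


if __name__ == "__main__":
    replies = iter([{"access_token": "token2", "refresh_token": "r_token2"}])

    def fake_post(url, form):            # stand-in for the real Token URI
        return next(replies)

    session = ServerSideSession("APP-KEY", "constructed-secret", fake_post)
    session.store_grant({"access_token": "token", "refresh_token": "r_token"}, now=0.0)
    print(session.refresh(now=3600.0), session.refresh_token)   # token2 r_token2
```

Dropping the stored refresh token as soon as the server refuses it, or the window has passed, keeps the client from retrying a dead credential in a loop and makes the next step unambiguous: send the user back through the Authorization Code flow.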
OAuth 2 + OpenID
OAuth 2 + OpenID (v2) Configuration
• Enables single sign-on when obtaining the Authorization Code
• Doesn't require patrons to be prompted for FamilySearch credentials every time
• Requires your website to have a trusted OpenID Provider
  - Currently supporting OpenID v2.0
  - Must pass FamilySearch security review
Authorization Code w/ OpenID
[Diagram, built up over six slides: the user is at https://myapp.com and clicks "Get FamilySearch Data"; the app redirects the browser to https://fs.org/auth…; FamilySearch asks "Who?" and begins the OpenID dance by redirecting to the app's OpenID Provider at myapp.com/openID...; the provider identifies the user as myapp.com/John; FamilySearch answers "I know myapp.com/John", issues the Auth Code, and redirects the browser back to myapp.com?code={}]
OAuth 2 + OpenID (v2) Configuration
• In order for FamilySearch to recognize myapp.com/John
  - Link to an existing FS account
  - Create a new FS account
Special Configurations
• All special configurations require case-by-case approval.
• Talk to your account manager
Recap of Authentication Options
• Authorization Code (Web Apps)
• Username Password (Mobile & Desktop)
• Unauthenticated (All)
• Client Credentials (Servers, in rare cases)
• Refresh Tokens (Confidential web clients)
• OAuth + OpenID (Web Apps)
Resources
• Documentation
  - https://familysearch.org/developers/docs/guides/oauth2
  - http://tools.ietf.org/html/rfc6749
• Questions & Account Manager Requests
  - devsupport@familysearch.org


Editor's Notes

  1. iPhone: https://openclipart.org/detail/183646/iphone-5s-gold-by-jhnri4-183646 hTC phone: https://openclipart.org/detail/182327/new-htc-one-silver-by-belier-182327 Laptop and Server: Microsoft Clipart
  2. Coin: MS Clipart
  3. ----- Meeting Notes (9/23/14 10:22) ----- Data via the API
  4. ----- Meeting Notes (9/23/14 10:22) ----- Data via the API