7.
OAuth 2.0
The OAuth 2.0 authorization framework enables a
third-party application to obtain limited access to
an HTTP service, either on behalf of a resource
owner by orchestrating an approval interaction
between the resource owner and the HTTP
service, or by allowing the third-party application to
obtain access on its own behalf.
8.
OAuth 2.0
• Third-party application
• Obtain limited access
• HTTP Service
• On behalf of a resource owner
[Diagram: Client (third-party application) ↔ FamilySearch API (HTTP service)]
9.
OAuth 2.0 – Access Tokens
• Access Tokens
- Credentials used to access protected
resources.
- A string representing authorization issued to
client.
10.
FamilySearch – Access Tokens
• String
- USYSB839321B7082635DBDCB50AB50F0C98E_idses-int01.a.fsglobal.net
• Type: Bearer Token (RFC 6750)
- Sent in the Authorization header (Authorization: Bearer <token>)
- If the header can't be used, the access_token
querystring parameter (RFC 6750 §2.3: use only as a last
resort, since a token in the URL ends up in server logs,
browser history and Referer headers)
• Expire after 1 hour of inactivity
• Have max life of 24 hours
11.
How does my client obtain an
access token for its user?
12.
OAuth 2.0 – Authorization Grant
• Client exchanges an authorization grant for an
access token
13.
OAuth 2.0 – Authorization Grant
• A resource owner gives:
- authorization
- to access its protected resources (the API)
- which the client uses to get an access token
18.
Authorization Code
[Diagram, slides 18–21: the user is at https://myapp.com and clicks
"Get FamilySearch Data"; the client redirects the browser to the
FamilySearch authorization endpoint (https://fs.org/auth…); after the
user approves, FamilySearch redirects the browser back to
myapp.com?code={}]
Authorization code passed
to the client as ?code={code}
22.
Authorization Code
https://myapp.com/redirect-uri?code=S3CRT-4UTH-C0D3
The code is the user's authorization to access
protected resources (the API).
23.
Authorization Code
https://myapp.com/redirect-uri?code=S3CRT-4UTH-C0D3
The client needs to exchange the code
for an access token.
The client performs a POST with the code to the
Token URI, which returns the access token.
25.
Authorization Code
• This is the required grant type for web apps.
- Must not use an iframe for the authorization
screen.
- Use a full-page redirect or a pop-up.
- Register your redirect URI (the authorization
server will only send the code to a registered
URI, which is what keeps it out of an attacker's
hands).
• Your web app must never prompt the user for
username/password directly.
27.
Resource Owner Password Credentials
• The user's username and password are used
directly as the authorization grant.
[Mock-up of a native-app login form: "Login to FamilySearch" /
"Login with your FamilySearch username and password.", with
username and password fields and "Login!" / "Cancel" buttons]
29.
Resource Owner Password Credentials
• This may only be used by Native Clients.
- Mobile or desktop apps
- Must be enabled on your app key
• With the user's permission, the username & password
may be saved via a secure mechanism (like the
Apple Keychain).
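The two grants from slides 18–29 end to end, as an added example written for this page (it is not FamilySearch's code or SDK): the client builds the authorization URL, takes the `?code=` off the redirect back to its registered redirect URI, POSTs the code to the Token URI, and sends the resulting bearer token in the Authorization header; the same token-endpoint helper also serves the Resource Owner Password grant for native clients. The `state` parameter is not on the slides; it is the RFC 6749 §10.12 CSRF defence a practitioner should add. The endpoint URLs, app key, test account and the `FakeAuthServer` that plays the authorization server are all constructed assumptions so the flow runs offline.

```python
"""Authorization-code and password grants against a constructed stand-in for the
token endpoint (example code, not FamilySearch's). URLs, app key, test account and
the fake server are assumptions."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://idp.example/authorize"   # assumed; the slides show https://fs.org/auth...
TOKEN_URL = "https://idp.example/token"           # assumed Token URI
REDIRECT_URI = "https://myapp.com/redirect-uri"   # from the slides; must equal the registered URI
CLIENT_ID = "example-app-key"                     # assumed app key


class TokenError(Exception):
    """The token endpoint refused the grant (e.g. invalid_grant)."""


def new_state():
    # Unguessable per-login value bound to the user's session: RFC 6749 s10.12 CSRF protection.
    return secrets.token_urlsafe(16)


def build_authorization_url(state):
    # Target of the full-page redirect or pop-up; never load it in an iframe.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Pull ?code= off the redirect back to us, refusing it unless state matches."""
    q = parse_qs(urlparse(redirect_url).query)
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF / login forgery")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def _token_request(form, transport):
    # transport(method, url, form) -> (status, json_body); injected so this runs offline.
    status, body = transport("POST", TOKEN_URL, form)
    if status != 200 or body.get("token_type", "").lower() != "bearer":
        raise TokenError(body.get("error", "unexpected response %s" % status))
    return body["access_token"]


def exchange_code(code, transport):
    """Authorization-code grant: POST the code to the Token URI and get a bearer token."""
    return _token_request({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}, transport)


def password_grant(username, password, transport):
    """Resource-owner-password grant (native clients only): the credentials are the grant."""
    return _token_request({"grant_type": "password", "username": username,
                           "password": password, "client_id": CLIENT_ID}, transport)


def bearer_headers(access_token):
    # RFC 6750 header form; prefer it to ?access_token=, which lands in logs and history.
    return {"Authorization": "Bearer " + access_token}


class FakeAuthServer:
    """Constructed stand-in for the authorization and token endpoints (not FamilySearch)."""
    USERS = {"alice": "correct horse battery staple"}   # constructed test account

    def __init__(self):
        self.pending = {}   # code -> redirect_uri it was issued for
        self.issued = 0

    def approve(self, state):
        """What the browser is sent to after the user approves: our redirect URI with ?code=."""
        code = secrets.token_urlsafe(16)
        self.pending[code] = REDIRECT_URI
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})

    def transport(self, method, url, form):
        """Token endpoint: returns (status, body) the way an HTTP client would."""
        if method != "POST" or url != TOKEN_URL or form.get("client_id") != CLIENT_ID:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            # Codes are single-use and bound to the redirect_uri they were issued for.
            if self.pending.pop(form.get("code"), None) != form.get("redirect_uri"):
                return 400, {"error": "invalid_grant"}
        elif grant == "password":
            if self.USERS.get(form.get("username")) != form.get("password"):
                return 400, {"error": "invalid_grant"}
        else:
            return 400, {"error": "unsupported_grant_type"}
        self.issued += 1
        return 200, {"access_token": "USYS%08X_fake" % self.issued, "token_type": "Bearer"}


def run_authorization_code_flow(server):
    """The whole dance end to end against the fake server; returns the bearer token."""
    state = new_state()
    build_authorization_url(state)      # the browser would be sent here...
    redirect = server.approve(state)    # ...and come back to the redirect URI with the code
    code = parse_redirect(redirect, state)
    return exchange_code(code, server.transport)
```

Two behaviours worth noticing when you run it: a second `exchange_code` with the same code fails with `invalid_grant`, because the server consumed it (codes are single-use), and a redirect whose `state` does not match the one the client generated is rejected before the code is ever sent to the token endpoint.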
41.
Special Configuration – Refresh Tokens
• Only available to Confidential Clients
- A server that can keep its client secret secure
• Approved on a case-by-case basis
• Talk to an account manager
43.
OAuth 2 + OpenID (v2) Configuration
• Enables single-sign-on when obtaining
Authorization Code
• Doesn't require patrons to be prompted with
FamilySearch credentials every time
• Requires your website to have a trusted
OpenID Provider
- Currently supporting OpenID v2.0
- Must pass FamilySearch security review
45.
Authorization Code w/ OpenID
[Diagram, slides 45–49: the user at https://myapp.com clicks
"Get FamilySearch Data" and is redirected to https://fs.org/auth…;
FamilySearch asks "Who?" and begins the OpenID dance with the site's
OpenID Provider (myapp.com/openID…), which asserts the identity
myapp.com/John; FamilySearch answers "I know myapp.com/John" and
redirects back to myapp.com?code={} with the authorization code]
50.
OAuth 2 + OpenID (v2) Configuration
• In order for FamilySearch to recognize
myapp.com/John
- Link to existing FS account
- Create a new FS account
51.
Special Configurations
• All special configurations require case-by-case
approval.
• Talk to your account manager
iPhone: https://openclipart.org/detail/183646/iphone-5s-gold-by-jhnri4-183646
hTC phone: https://openclipart.org/detail/182327/new-htc-one-silver-by-belier-182327
Laptop and Server: Microsoft Clipart
Coin: MS Clipart
----- Meeting Notes (9/23/14 10:22) -----
Data via the API