Find out how today’s authorization experts are getting maximum value from OAuth
OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.
31. OAuth 1.0/1.a
- Released in October 2007
- Revised in June 2009 (Revision A)
- Hard to implement with signatures, no token expiration, no control over the level
of access requested.
Some implementations have tried to work around these problems, which
causes interoperability issues
OAuth.io@medjawii
32. OAuth 2.0
- Non-backward-compatible alternative.
- Several drafts between January 2010 and October 2012, then published as RFC 6749
- Facebook and many others implemented it before it was final
- OAuth 2.0 is more flexible, with a wide range of non-interoperable implementations
- Less secure than OAuth 1.0, relying on SSL connections rather than signatures to
protect the user’s access token
- Easier to implement when developing clients
36. Facebook:
Refresh token
grant_type: "refresh_token" => grant_type: "fb_exchange_token"
refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}"
Scope “notation”: friends_actions.music, friends_actions.video
Separator is a “,” instead of “%20”
37. Deezer
client_id -> app_id=...
scope -> perms=email,read_friendlists...
state=... [undocumented]
response_type=code [useless]
“Facebook is the standard”
38. Google:
More parameter options for the authorization form:
access_type: to choose whether a refresh_token is sent or not
approval_prompt: to force the popup even if we are already connected
login_hint: to select an account or prefill the email address
include_granted_scopes: to add more authorizations (“incremental
authorization”)
39. Foursquare :
- Some OAuth libraries expect to pass the OAuth token as access_token
instead of oauth_token, since this is the expectation created by Facebook, at
odds with earlier versions of the OAuth spec. We may add support for both
parameter names, depending on feedback, but for now know that this may
come up.
- No scope.
40. Salesforce:
Added custom authorization parameters:
immediate: whether the user should be prompted for login and approval
display: template web, mobile, popup
login_hint: to prefill an email
prompt: prompt the user for reauthorization or reapproval
The authorization returns custom fields:
- “instance_url”: the API URL bound to a resource server; this is the only way to receive the domain
- a signature: can be used to verify the identity URL was not modified (id & date signed with a private
key)
- issued_at instead of expires_in: Salesforce prefers to give the issued time instead of the expiration
duration
- id_token: to support OpenID
UX for creating an app (4 not-so-easy-to-find mouse clicks between login & the app creation form)
41. VK:
Added authorization parameter v: API version
The authorization returns the user id, which is needed to call the API relative to
the authorized user (there is no /me/..., /self/... or so)
Instead of
access_token: xxx
/user/me?access_token=xxx
You have
access_token: xxx
user_id: yyy
/user/yyy?access_token=xxx
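The Facebook, Deezer and VK slides above each describe one deviation from RFC 6749; what a multi-provider client ends up with is a per-provider translation layer. The following is an added example of that layer in Node.js (mine, not OAuth.io's or oauthd's code): the parameter names are the ones the slides report, while the endpoint hosts and all client identifiers are constructed placeholders.

```javascript
'use strict';

// RFC 6749 shapes for the two requests the slides talk about, plus the usual /me lookup.
const standard = {
  authorizeParams: (p) => ({
    response_type: 'code',
    client_id: p.clientId,
    redirect_uri: p.redirectUri,
    scope: p.scopes.join(' '),      // space separated, which travels as %20
    state: p.state,
  }),
  refreshBody: (p) => ({
    grant_type: 'refresh_token',
    refresh_token: p.refreshToken,
    client_id: p.clientId,
    client_secret: p.clientSecret,
  }),
  userPath: () => '/user/me',
};

// Provider deviations as listed in the slides. Hosts are placeholders (constructed).
const providers = {
  generic: { authorizeUrl: 'https://provider.example/oauth/authorize', ...standard },
  facebook: {
    ...standard,
    authorizeUrl: 'https://facebook.example/oauth/authorize',
    // scope separator is "," instead of "%20"
    authorizeParams: (p) => ({ ...standard.authorizeParams(p), scope: p.scopes.join(',') }),
    // grant_type "refresh_token" => "fb_exchange_token", refresh_token => fb_exchange_token
    refreshBody: (p) => ({
      grant_type: 'fb_exchange_token',
      fb_exchange_token: p.refreshToken,
      client_id: p.clientId,
      client_secret: p.clientSecret,
    }),
  },
  deezer: {
    ...standard,
    authorizeUrl: 'https://deezer.example/oauth/authorize',
    // client_id -> app_id, scope -> perms (comma separated); response_type is ignored
    authorizeParams: (p) => ({
      app_id: p.clientId,
      redirect_uri: p.redirectUri,
      perms: p.scopes.join(','),
      state: p.state,
    }),
  },
  vk: {
    ...standard,
    authorizeUrl: 'https://vk.example/oauth/authorize',
    // extra "v" parameter carrying the API version
    authorizeParams: (p) => ({ ...standard.authorizeParams(p), v: p.apiVersion }),
    // no /me: the token response carries user_id, which has to go into the path
    userPath: (tokenResponse) => '/user/' + encodeURIComponent(tokenResponse.user_id),
  },
};

// application/x-www-form-urlencoded style encoding that emits %20 for spaces.
function formEncode(params) {
  return Object.entries(params)
    .filter(([, v]) => v !== undefined && v !== null && v !== '')
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
}

function provider(name) {
  const p = providers[name];
  if (!p) throw new Error('no mapping for provider ' + name);
  return p;
}

function buildAuthorizeUrl(name, p) {
  return provider(name).authorizeUrl + '?' + formEncode(provider(name).authorizeParams(p));
}

function buildRefreshBody(name, p) {
  return formEncode(provider(name).refreshBody(p));
}

// Token in the query string, as the VK slide shows it; an Authorization header is
// preferable wherever the provider accepts one, since query strings end up in logs.
function userResourceUrl(name, apiBase, tokenResponse) {
  return apiBase + provider(name).userPath(tokenResponse) +
    '?access_token=' + encodeURIComponent(tokenResponse.access_token);
}

module.exports = { providers, formEncode, buildAuthorizeUrl, buildRefreshBody, userResourceUrl };
```

The table form matters more than any single entry: once a provider's quirks are isolated in one object, an unknown provider fails loudly instead of silently sending Facebook-shaped parameters to somebody else.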
43. Tencent weibo:
Authorization parameters: Chinese language only
oauth_version=2.a (useless parameter)
Extra: Chinese/English documentation for OAuth 1.0 but Chinese
documentation only for OAuth 2.0
47. The "state" param
● nonexistent (dailymotion, eventbrite...) so you
have to put it in the callback
● undocumented (wordpress, deezer...)
● impossible (angelist.co) “fixed callback url”
48. What you should not tell yourself about OAuth
- “OAuth is not so hard to understand”
- “It will be easier to do it in this non-standard way”
- “Developers just have to read our documentation”
49. April fool: Introducing OAuth 3.0
- “0 token” paradigm
- No more secret key, everything public
The huge majority did not understand...
51. Even if you are right,
3rd party developers will be lost…
because other providers already
did it wrong before you
53. “From a design perspective,
documentation is a bug, not a feature”
It is the most important source of information, yet the last place developers look
59. OAuth.io@medjawii
- Register on oauth.io
- Click on the OAuth provider you want in the list
- Share your credentials
- Click on “try me”
That’s it, you have your token.
90 seconds after signup.
67. OAuth.io@medjawii
OAuth.popup('twitter', function(err, res) {
  if (err) {
    // do something with the error, then stop: res is not usable here
    return
  }
  // res is an authorized request object; the access token is attached for you
  res.get('/1.1/account/verify_credentials.json')
    .done(function(data) {
      alert('Hello ' + data.name)
    })
})
No need to call your own server, sign your API request and send it back
No more access token management, it’s now completely abstracted
It feels lighter, right?
69. Open source: oauthd for on-premises
implementation to consume your own OAuth
https://github.com/oauth-io/oauthd
Easy contribution process,
with a small JSON file to fill in on GitHub