SlideShare una empresa de Scribd logo

OAuth 2 at Webvisions

Descargar como PPTX, PDF
Aaron Parecki
Aaron Parecki
Tecnología
1 de 33
OAuth 2: A Brief Overview Aaron Parecki • @aaronpk WebVisions • New York, January 2012
Before OAuth aka the Dark Ages If a third party wanted access to an account, you’d give them your password. aaron.pk/oauth2 @aaronpk
Before OAuth 1.0 Many sites implemented things similar to OAuth 1.0, with slight differences between them.  Flickr: “FlickrAuth” frobs and tokens  Google: “AuthSub”  Facebook: requests signed with MD5 hashes aaron.pk/oauth2 @aaronpk
aaron.pk/oauth2 @aaronpk
aaron.pk/oauth2 @aaronpk
aaron.pk/oauth2 @aaronpk
OAuth 1.0 Signatures The signature base string is composed of the HTTP method being used, followed by an ampersand ("&") and then the URL-encoded base URL being accessed, complete with path (but not query parameters), followed by an ampersand ("&"). Then, you take all query parameters and POST body parameters (when the POST body is of the URL-encoded type, otherwise the POST body is ignored), including the OAuth parameters necessary for negotiation with the request at hand, and sort oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7o them in lexicographical order by first parameter name and then dC2XJcn4XlZJqk", parameter value (for duplicate parameters), all the while ensuring that both the key and the value for each parameter are URL encoded in oauth_callback="http%3A%2F%2Flocalhost%3A300 isolation. Instead of using the equals ("=") sign to mark the key/value 5%2Fthe_dance%2Fprocess_callback%3Fservice_pr relationship, you use the URL-encoded form of "%3D". Each parameter is ovider_id%3D11", then joined by the URL-escaped ampersand sign, "%26". oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323042", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_signature="8wUi7m5HFQy76nowoCThusfgB% aaron.pk/oauth2 2BQ%3D", oauth_version="1.0" @aaronpk
aaron.pk/oauth2 @aaronpk
OAuth 2: signatures replaced by https HMAC aaron.pk/oauth2 @aaronpk
Some Current Implementers
OAuth 2? There are 22 versions!!
Currently Implemented Drafts Provider Draft Reference Foursquare -10 http://aaron.pk/2YS Google -10 http://code.google.com/apis/accounts/docs/OAuth2.html Gowalla -8 http://gowalla.com/api/docs/oauth https://developers.facebook.com/docs/authentication/oa Facebook -10 (ish) uth2_updates/ Windows Live -10 http://aaron.pk/2YV Salesforce -10 http://aaron.pk/2YW Github -07 http://develop.github.com/p/oauth.html Geoloqi -10 http://geoloqi.org/API @aaronpk
So how does it work? aaron.pk/oauth2 @aaronpk
Definitions aaron.pk/oauth2 @aaronpk
1. Authorization aaron.pk/oauth2 @aaronpk
Create a “Log In” link Link to: https://geoloqi.com/oauth/authorize?response_ type=code&client_id=YOUR_CLIENT_ID&redirect_u ri=REDIRECT_URI aaron.pk/oauth2 @aaronpk
Send the user to the auth page https://geoloqi.com/oauth/authorize?response_t ype=code&client_id=YOUR_CLIENT_ID&redirect_uri =REDIRECT_URI aaron.pk/oauth2 @aaronpk
On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied aaron.pk/oauth2 @aaronpk
Exchange auth code for an access token Your server makes the following request POST https://api.geoloqi.com/1/oauth/token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET aaron.pk/oauth2 @aaronpk
Exchange auth code for an access token (response) Your server gets a response like the following { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } or if there was an error { "error":"invalid_request" } aaron.pk/oauth2 @aaronpk
2. Accessing Resources aaron.pk/oauth2 @aaronpk
Use the access token to make requests Now you can make requests using the access token. GET https://api.geoloqi.com/1/account/profile Authorization: OAuth RsT5OjbzRn430zqMLgV3Ia Access token can be in an HTTP header or a query string parameter https://api.geoloqi.com/1/account/profile?oauth _token=RsT5OjbzRn430zqMLgV3Ia aaron.pk/oauth2 @aaronpk
Eventually the access token will expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! aaron.pk/oauth2 @aaronpk
Get a new access token using a refresh token Your server makes the following request POST https://api.geoloqi.com/1/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } aaron.pk/oauth2 @aaronpk
OAuth 2 Clients Client libraries should handle refreshing the token automatically behind the scenes. aaron.pk/oauth2 @aaronpk
Authorization Methods  Auth Code  Refresh Token  Password Draft 10 also has  Assertion Draft 22 also has  Implicit (for browser-based apps)  Extensions (for defining custom grant types) aaron.pk/oauth2 @aaronpk
Password Grant Type Suitable for mobile or native desktop apps where a web browser flow would be awkward. This breaks the fundamental benefit of OAuth (not giving your password to third parties), so should probably be limited to your own apps. aaron.pk/oauth2
Password Grant Your server makes the following request POST https://api.geoloqi.com/1/oauth/token grant_type=password &username=USERNAME &password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } aaron.pk/oauth2 @aaronpk
Implicit Grant (-22) For clients who can’t store a client secret in a secure way, typically Javascript-based apps. No concept of refresh tokens, and auth codes are not used either. The redirection back to your app will include an access token in the URL fragment. https://example.com/auth#access_token=FJQbwq9 aaron.pk/oauth2 @aaronpk
Security Recommendations for Clients Using Bearer Tokens  Safeguard bearer tokens  Validate SSL certificates  Always use https  Don’t store bearer tokens in plaintext cookies  Issue short-lived bearer tokens  Don’t pass bearer tokens in page URLs aaron.pk/oauth2 @aaronpk
http://code.flickr.com/blog/2011/06/21/flickr-now-supports-oauth-1-0a/ Currently, we only support OAuth 1.0a, but we have plans to eventually support OAuth 2.0. The decision was based on the fact that OAuth 2.0 is still an evolving definition that is rapidly changing.
More Info & Code Samples: http://aaron.pk/oauth2 Thanks. Aaron Parecki @aaronpk aaronparecki.com github.com/aaronpk

Recomendados

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 

Recomendados

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
Siddharth Bezalwar
 
OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0
G Jayendra Kartheek
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
Fernando Lopez Aguilar
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Paul Osman
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
MongoDB user group israel May
MongoDB user group israel MayMongoDB user group israel May
MongoDB user group israel May
Alon Horev
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
guestd5dde6
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
apidays
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 

Más contenido relacionado

La actualidad más candente

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Paul Osman
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 

La actualidad más candente (19)

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
 
OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
MongoDB user group israel May
MongoDB user group israel MayMongoDB user group israel May
MongoDB user group israel May
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 

Similar a OAuth 2 at Webvisions

Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
WSO2
 

Similar a OAuth 2 at Webvisions (20)

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Centralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREdayCentralise legacy auth at the ingress gateway, SREday
Centralise legacy auth at the ingress gateway, SREday
 
Centralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gatewayCentralise legacy auth at the ingress gateway
Centralise legacy auth at the ingress gateway
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 

Más de Aaron Parecki

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Aaron Parecki
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Aaron Parecki
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer Toolkit
Aaron Parecki
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source Bridge
Aaron Parecki
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source Bridge
Aaron Parecki
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012
Aaron Parecki
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session Notes
Aaron Parecki
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011
Aaron Parecki
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile Apps
Aaron Parecki
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and Geoloqi
Aaron Parecki
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source Bridge
Aaron Parecki
 

Más de Aaron Parecki (18)

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer Toolkit
 
Intro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceIntro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger Service
 
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
 
Low Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandLow Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS Portland
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source Bridge
 
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISEsri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source Bridge
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session Notes
 
Home Automation with SMS and GPS
Home Automation with SMS and GPSHome Automation with SMS and GPS
Home Automation with SMS and GPS
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile Apps
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and Geoloqi
 
Geoloqi iPhone App Tour
Geoloqi iPhone App TourGeoloqi iPhone App Tour
Geoloqi iPhone App Tour
 
The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source Bridge
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

OAuth 2 at Webvisions

  • 1. OAuth 2: A Brief Overview Aaron Parecki • @aaronpk WebVisions • New York, January 2012
  • 2. Before OAuth aka the Dark Ages If a third party wanted access to an account, you’d give them your password. aaron.pk/oauth2 @aaronpk
  • 3. Before OAuth 1.0 Many sites implemented things similar to OAuth 1.0, with slight differences between them.  Flickr: “FlickrAuth” frobs and tokens  Google: “AuthSub”  Facebook: requests signed with MD5 hashes aaron.pk/oauth2 @aaronpk
  • 4. aaron.pk/oauth2 @aaronpk
  • 5. aaron.pk/oauth2 @aaronpk
  • 6. aaron.pk/oauth2 @aaronpk
  • 7. OAuth 1.0 Signatures The signature base string is composed of the HTTP method being used, followed by an ampersand ("&") and then the URL-encoded base URL being accessed, complete with path (but not query parameters), followed by an ampersand ("&"). Then, you take all query parameters and POST body parameters (when the POST body is of the URL-encoded type, otherwise the POST body is ignored), including the OAuth parameters necessary for negotiation with the request at hand, and sort oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7o them in lexicographical order by first parameter name and then dC2XJcn4XlZJqk", parameter value (for duplicate parameters), all the while ensuring that both the key and the value for each parameter are URL encoded in oauth_callback="http%3A%2F%2Flocalhost%3A300 isolation. Instead of using the equals ("=") sign to mark the key/value 5%2Fthe_dance%2Fprocess_callback%3Fservice_pr relationship, you use the URL-encoded form of "%3D". Each parameter is ovider_id%3D11", then joined by the URL-escaped ampersand sign, "%26". oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323042", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_signature="8wUi7m5HFQy76nowoCThusfgB% aaron.pk/oauth2 2BQ%3D", oauth_version="1.0" @aaronpk
  • 8. aaron.pk/oauth2 @aaronpk
  • 9. OAuth 2: signatures replaced by https HMAC aaron.pk/oauth2 @aaronpk
  • 11. OAuth 2? There are 22 versions!!
  • 12. Currently Implemented Drafts Provider Draft Reference Foursquare -10 http://aaron.pk/2YS Google -10 http://code.google.com/apis/accounts/docs/OAuth2.html Gowalla -8 http://gowalla.com/api/docs/oauth https://developers.facebook.com/docs/authentication/oa Facebook -10 (ish) uth2_updates/ Windows Live -10 http://aaron.pk/2YV Salesforce -10 http://aaron.pk/2YW Github -07 http://develop.github.com/p/oauth.html Geoloqi -10 http://geoloqi.org/API @aaronpk
  • 13. So how does it work? aaron.pk/oauth2 @aaronpk
  • 16. Create a “Log In” link Link to: https://geoloqi.com/oauth/authorize?response_ type=code&client_id=YOUR_CLIENT_ID&redirect_u ri=REDIRECT_URI aaron.pk/oauth2 @aaronpk
  • 17. Send the user to the auth page https://geoloqi.com/oauth/authorize?response_t ype=code&client_id=YOUR_CLIENT_ID&redirect_uri =REDIRECT_URI aaron.pk/oauth2 @aaronpk
  • 18. On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied aaron.pk/oauth2 @aaronpk
  • 19. Exchange auth code for an access token Your server makes the following request POST https://api.geoloqi.com/1/oauth/token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET aaron.pk/oauth2 @aaronpk
  • 20. Exchange auth code for an access token (response) Your server gets a response like the following { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } or if there was an error { "error":"invalid_request" } aaron.pk/oauth2 @aaronpk
  • 22. Use the access token to make requests Now you can make requests using the access token. GET https://api.geoloqi.com/1/account/profile Authorization: OAuth RsT5OjbzRn430zqMLgV3Ia Access token can be in an HTTP header or a query string parameter https://api.geoloqi.com/1/account/profile?oauth _token=RsT5OjbzRn430zqMLgV3Ia aaron.pk/oauth2 @aaronpk
  • 23. Eventually the access token will expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! aaron.pk/oauth2 @aaronpk
  • 24. Get a new access token using a refresh token Your server makes the following request POST https://api.geoloqi.com/1/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } aaron.pk/oauth2 @aaronpk
  • 25. OAuth 2 Clients Client libraries should handle refreshing the token automatically behind the scenes. aaron.pk/oauth2 @aaronpk
  • 26. Authorization Methods  Auth Code  Refresh Token  Password Draft 10 also has  Assertion Draft 22 also has  Implicit (for browser-based apps)  Extensions (for defining custom grant types) aaron.pk/oauth2 @aaronpk
  • 27. Password Grant Type Suitable for mobile or native desktop apps where a web browser flow would be awkward. This breaks the fundamental benefit of OAuth (not giving your password to third parties), so should probably be limited to your own apps. aaron.pk/oauth2
  • 28. Password Grant Your server makes the following request POST https://api.geoloqi.com/1/oauth/token grant_type=password &username=USERNAME &password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } aaron.pk/oauth2 @aaronpk
  • 29. Implicit Grant (-22) For clients who can’t store a client secret in a secure way, typically Javascript-based apps. No concept of refresh tokens, and auth codes are not used either. The redirection back to your app will include an access token in the URL fragment. https://example.com/auth#access_token=FJQbwq9 aaron.pk/oauth2 @aaronpk
  • 30. Security Recommendations for Clients Using Bearer Tokens  Safeguard bearer tokens  Validate SSL certificates  Always use https  Don’t store bearer tokens in plaintext cookies  Issue short-lived bearer tokens  Don’t pass bearer tokens in page URLs aaron.pk/oauth2 @aaronpk
  • 31.
  • 32. http://code.flickr.com/blog/2011/06/21/flickr-now-supports-oauth-1-0a/ Currently, we only support OAuth 1.0a, but we have plans to eventually support OAuth 2.0. The decision was based on the fact that OAuth 2.0 is still an evolving definition that is rapidly changing.
  • 33. More Info & Code Samples: http://aaron.pk/oauth2 Thanks. Aaron Parecki @aaronpk aaronparecki.com github.com/aaronpk

Notas del editor

  1. It was common to see third party sites asking for your Twitter or Email passwords to log you in. Obviously you should be reluctant to hand over your login information to some other site.
  2. Problem is it’s really hard to get the signatures right as a third party, and you have to have a real solid understanding of it if you’re going to implement it on your server.
  3. Problem is it’s really hard to get the signatures right as a third party, and you have to have a real solid understanding of it if you’re going to implement it on your server.
  4. OAuth 2 recognizes the challenges of requiring signatures and nonces, and moves to a model where all data is transferred using the built-in encryption of HTTPS.
  5. Many sites are adopting the new OAuth 2 spec.http://windowsteamblog.com/windows_live/b/developer/archive/2011/05/04/announcing-support-for-oauth-2-0.aspxhttp://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html
  6. Make sure to keep the refresh token around
  7. ----- Meeting Notes (2012-01-19 13:22) -----I went through an access token using the "auth code" grant type. Since OAuth is designed for more than just web apps, there are other grant types available.----- Meeting Notes (2012-01-19 13:33) -----Ther'es more than one way to get an access token