Esri UC2013 . Technical Workshop .
Speed Geeking
2013 Esri International User Conference
July 8–12, 2013 | San Diego, California
An Introduction to OAuth 2
Aaron Parecki
@aaronpk
Before OAuth
• Apps stored the user’s password
• Apps got complete access to a user’s account
• Users couldn’t revoke access to an app except by changing their password
• Compromised apps exposed the user’s password
Before OAuth
• Services recognized the problems with password authentication
• Many services implemented things similar to OAuth 1.0
- Flickr: “FlickrAuth” frobs and tokens
- Google: “AuthSub”
- Facebook: requests signed with MD5 hashes
- Yahoo: BBAuth (“Browser-Based Auth”)
The OAuth 2 Spec
http://oauth.net/2/
Definitions
• Resource Owner: The User
• Resource Server: The API
• Authorization Server: Often the same as the API server
• Client: The Third-Party Application
Use Cases
• Web-server apps
• Browser-based apps
• Username/password access
• Application access
• Mobile apps
Use Cases – Grant Types
• Web-server apps – authorization_code
• Browser-based apps – implicit
• Username/password access – password
• Application access – client_credentials
• Mobile apps – implicit
Web Server Apps
Authorization Code Grant
Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
On success, user is redirected
back to your site with auth code
https://example.com/auth?code=AUTH_CODE_HERE
On error, user is redirected back to
your site with error code
https://example.com/auth?error=access_denied
Server exchanges auth code for an
access token
Your server makes the following request
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Server exchanges auth code for an
access token
Your server gets a response like the following
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or if there was an error
{
"error":"invalid_request"
}
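The four steps above, worked end to end as an added example. This is not code from the slides or from any provider: the in-memory AuthorizationServer, the auth.example.com endpoint, the client ID, secret and redirect URI are all made up. It adds the `state` parameter the slides leave out and shows the checks the spec expects on both sides: the client rejects a callback whose state it did not generate; the server redirects only to the exact registered redirect_uri, issues codes that expire after a minute and can be exchanged once, and requires the client secret and the same redirect_uri at the token endpoint.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint standing in for the provider's /dialog/oauth URL in the slides.
AUTHORIZE_URL = "https://auth.example.com/dialog/oauth"
CODE_LIFETIME = 60  # seconds: codes are short-lived and single-use

# Constructed client registration; the secret is the one the client will send.
REGISTERED_CLIENTS = {
    "28653682475872": {"secret": "s3cret", "redirect_uri": "https://example.com/auth"},
}


def build_login_url(client_id, redirect_uri, scope, state):
    """The 'Log In' link. `state` is an unguessable per-session value that the
    callback handler checks, so a code planted by someone else is rejected."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Client side of the redirect: return the code, or raise on error/state mismatch."""
    if callback_url is None:
        raise ValueError("authorization server refused the request")
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: this callback was not started by our session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    return q["code"]


class AuthorizationServer:
    """Minimal in-memory authorization server (assumed, not any real provider)."""

    def __init__(self, clients, now=time.time):
        self.clients = clients
        self.codes = {}   # code -> what it was issued for
        self.now = now

    def authorize(self, user, login_url, approved=True):
        """Consent screen result: returns the redirect URL for the browser."""
        q = {k: v[0] for k, v in parse_qs(urlparse(login_url).query).items()}
        client = self.clients.get(q.get("client_id"))
        # Exact-match the registered redirect_uri and never redirect elsewhere;
        # anything looser turns the server into an open redirector that hands
        # codes to an attacker's site.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            return None
        state = q.get("state", "")
        if q.get("response_type") != "code":
            return q["redirect_uri"] + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        if not approved:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "scope": q.get("scope", ""), "user": user,
                            "exp": self.now() + CODE_LIFETIME}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """Token endpoint; `form` is the POST body as a dict."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = self.codes.pop(form.get("code"), None)   # single use: gone after one exchange
        if grant is None or grant["exp"] < self.now():
            return {"error": "invalid_grant"}
        # The code must be redeemed by the client it was issued to, with the
        # same redirect_uri, otherwise a stolen code could be cashed in elsewhere.
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24),
                "scope": grant["scope"]}


def run_flow(server, client_id, client_secret, redirect_uri, approved=True):
    """All four steps in order, as they happen across browser, client and server."""
    state = secrets.token_urlsafe(16)
    login_url = build_login_url(client_id, redirect_uri, "email", state)
    callback = server.authorize("alice", login_url, approved=approved)
    code = handle_callback(callback, state)
    return server.token({"grant_type": "authorization_code", "code": code,
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "client_secret": client_secret})
```

`run_flow(AuthorizationServer(REGISTERED_CLIENTS), "28653682475872", "s3cret", "https://example.com/auth")` returns a token response shaped like the one on the slide; a second exchange of the same code, a wrong secret, a different redirect_uri, or a callback with the wrong state all fail.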
Browser-Based Apps
Implicit Grant
Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
On success, user is redirected
back to your site with the access
token in the fragment
https://example.com/auth#access_token=ACCESS_TOKEN
On error, user is redirected back to
your site with error code
https://example.com/auth#error=access_denied
Browser-Based Apps
• Use the “Implicit” grant type
• No server-side code needed
• Client secret not used
• Browser makes API requests directly
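Browser-side handling of the redirect, as an added example (not from the slides; the URLs and state values are constructed, and Python stands in for the JavaScript a browser app would run). The token arrives in the fragment, which the browser does not send to the redirect_uri host, so only the page's script can read it; that also means anything that can run script in the page, or read the browser history, can read the token. The OAuth 2.0 Security Best Current Practice and the OAuth 2.1 draft deprecate the implicit grant for exactly this reason; new browser and mobile apps should use the authorization code grant with PKCE instead.

```python
from urllib.parse import parse_qs, urlparse


def parse_implicit_redirect(redirect_url, expected_state):
    """Handle the redirect for the implicit grant.

    The token rides in the fragment (after '#'). Returns the token fields, or an
    {"error": ...} dict; never raises on attacker-controlled input.
    """
    parts = urlparse(redirect_url)
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    # Reject a response we did not ask for, whether it carries a token or an error:
    # a token in a URL someone else handed to the browser must not be adopted.
    if frag.get("state") != expected_state:
        return {"error": "state_mismatch"}
    if "error" in frag:
        return {"error": frag["error"]}
    if "access_token" not in frag:
        return {"error": "invalid_response"}
    return {
        "access_token": frag["access_token"],
        "token_type": frag.get("token_type", "bearer"),
        "expires_in": int(frag.get("expires_in", "0") or 0),
    }


def server_visible_url(redirect_url):
    """What the redirect_uri host actually receives: the URL minus the fragment."""
    return urlparse(redirect_url)._replace(fragment="").geturl()
```

`server_visible_url` is there to make the point concrete: the server behind `https://example.com/auth` never sees the token, which is why there is no server-side step in this grant and also why the token cannot be protected by anything on the server.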
Username/Password
Password Grant
Password Grant
Password grant is only appropriate for trusted
clients, most likely first-party apps only.
If you build your own website as a client of
your API, then this is a great way to handle
logging in.
Password Grant Type
Only appropriate for your
service’s website or your
service’s mobile apps.
Password Grant
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
Password Grant
• User exchanges username and password for a token
• No server-side code needed
• Client secret only used from confidential clients
- (Don’t send client secret from a mobile app!)
• Useful for developing a first-party login system
Application Access
Client Credentials Grant
Client Credentials Grant
POST https://api.example.com/1/oauth/token
Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
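A token endpoint for the password and client_credentials grants, as an added example (not from the slides; the client registrations, the user and the password are constructed). It encodes the rules the slides state: a confidential client must present its secret, a public client such as a mobile app is identified by client_id alone because a secret embedded in an app binary is not secret, and the password grant is accepted only from first-party clients. It also leaves the refresh token out of the client_credentials response, as RFC 6749 recommends, even though the slide's sample response shows one: there is no user session to extend, the app can simply ask for a new token with its own credentials.

```python
import hashlib
import hmac
import os
import secrets

# Constructed client registrations. Confidential clients (server-side code)
# hold a secret; the mobile app is a public client and has none.
CLIENTS = {
    "web":     {"secret": "websecret",     "confidential": True,  "first_party": True},
    "mobile":  {"secret": None,            "confidential": False, "first_party": True},
    "partner": {"secret": "partnersecret", "confidential": True,  "first_party": False},
}


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


USERS = {"alice": hash_password("correct horse battery")}   # constructed user


def authenticate_client(form, clients):
    client = clients.get(form.get("client_id"))
    if client is None:
        return None
    if client["confidential"]:
        # A confidential client must prove possession of its secret.
        if not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return None
    # A public client is identified by client_id only: there is no secret to check,
    # and a server that relied on one would be trusting something anyone can extract.
    return client


def issue_tokens(scope, with_refresh):
    tokens = {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
              "expires_in": 3600, "scope": scope}
    if with_refresh:
        tokens["refresh_token"] = secrets.token_urlsafe(24)
    return tokens


def token_endpoint(form, clients=CLIENTS, users=USERS):
    """POST /oauth/token for grant_type=password and grant_type=client_credentials."""
    client = authenticate_client(form, clients)
    if client is None:
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # App-only access: only a client that can keep a secret may act as itself,
        # and there is no user to refresh on behalf of.
        if not client["confidential"]:
            return {"error": "unauthorized_client"}
        return issue_tokens(form.get("scope", ""), with_refresh=False)
    if grant == "password":
        # Only first-party clients may handle raw user passwords.
        if not client["first_party"]:
            return {"error": "unauthorized_client"}
        stored = users.get(form.get("username"))
        if stored is None or not verify_password(form.get("password", ""), stored):
            return {"error": "invalid_grant"}   # same answer for unknown user and bad password
        return issue_tokens(form.get("scope", ""), with_refresh=True)
    return {"error": "unsupported_grant_type"}
```

With these tables the web client gets a token plus refresh token for alice's password, the mobile app gets the same without sending any secret, the partner client is refused the password grant even with a valid secret, and client_credentials works only for confidential clients.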
Grant Type Summary
• authorization_code:
Web-server apps
• implicit:
Mobile and browser-based apps
• password:
Username/password access
• client_credentials:
Application access
Accessing Resources
So you have an access token. Now what?
Use the access token to make
requests
Now you can make requests using the
access token.
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Access token can be in an HTTP header or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
Prefer the header: a token in the query string ends up in server access logs, proxy logs, browser history and Referer headers.
Eventually the access token may
expire
When you make a request with an
expired token, you will get this response
{
"error":"expired_token"
}
Now you need to get a new access token!
Get a new access token using a
refresh token
Your server makes the following request
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token with new tokens.
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
Scope
Limiting access to resources
Limiting Access to Third Parties
OAuth 2 scope on Github
https://github.com/login/oauth/authorize?client_id=...&scope=user,public_repo
• user – Read/write access to profile info only.
• public_repo – Read/write access to public repos and organizations.
• repo – Read/write access to public and private repos and organizations.
• delete_repo – Delete access to adminable repositories.
• gist – Write access to gists.
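The resource-server side of the "Accessing Resources" section (bearer check, expiry, refresh) together with scope enforcement from this section, as one added example that is not from the slides. TokenStore, its injectable clock, the registered client and the scope strings are all assumed. The refresh token is rotated on every use so a leaked one can be redeemed at most once; the client refreshes once and never loops; scopes are accepted both space-separated, as in the spec, and comma-separated, as in the GitHub URL above. The expired-token body follows the slides; RFC 6750 itself signals this with a WWW-Authenticate header carrying error="invalid_token".

```python
import re
import secrets
import time

ACCESS_LIFETIME = 3600
CLIENT_SECRETS = {"web": "websecret"}   # constructed confidential client


def scopes(scope_string):
    """Scopes are space-separated in the spec; GitHub's example uses commas."""
    return set(filter(None, re.split(r"[ ,]+", scope_string)))


class TokenStore:
    """Authorization-server state that the resource server can consult (assumed design)."""

    def __init__(self, clients=CLIENT_SECRETS, now=time.time):
        self.clients = clients
        self.now = now
        self.access = {}    # access_token -> {"user", "scope", "client_id", "exp"}
        self.refresh = {}   # refresh_token -> {"user", "scope", "client_id"}

    def issue(self, user, scope, client_id):
        a, r = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[a] = {"user": user, "scope": scope, "client_id": client_id,
                          "exp": self.now() + ACCESS_LIFETIME}
        self.refresh[r] = {"user": user, "scope": scope, "client_id": client_id}
        return {"access_token": a, "token_type": "bearer",
                "expires_in": ACCESS_LIFETIME, "refresh_token": r}

    def refresh_grant(self, form):
        """grant_type=refresh_token. The presented refresh token is retired (rotation)."""
        cid = form.get("client_id")
        if cid not in self.clients or not secrets.compare_digest(self.clients[cid], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        old = self.refresh.pop(form.get("refresh_token"), None)
        if old is None or old["client_id"] != cid:
            return {"error": "invalid_grant"}   # unknown, already rotated, or another client's
        return self.issue(old["user"], old["scope"], cid)


def bearer_token(headers):
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None


def protected_resource(headers, store, required_scope):
    """Resource server check: a known, unexpired token that carries the needed scope."""
    token = bearer_token(headers)
    if token is None:
        return 401, {"error": "invalid_request"}
    rec = store.access.get(token)
    if rec is None or rec["exp"] <= store.now():
        return 401, {"error": "expired_token"}   # the slides' body; RFC 6750 uses invalid_token
    if required_scope not in scopes(rec["scope"]):
        return 403, {"error": "insufficient_scope"}
    return 200, {"user": rec["user"]}


def call_with_refresh(tokens, store, required_scope, client_id, client_secret):
    """Client side: on expired_token, refresh once and retry; never loop."""
    status, body = protected_resource({"Authorization": "Bearer " + tokens["access_token"]}, store, required_scope)
    if (status, body) != (401, {"error": "expired_token"}):
        return status, body
    fresh = store.refresh_grant({"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
                                 "client_id": client_id, "client_secret": client_secret})
    if "error" in fresh:
        return 401, fresh   # refresh token revoked or already used: send the user back to log in
    tokens.update(fresh)
    return protected_resource({"Authorization": "Bearer " + tokens["access_token"]}, store, required_scope)
```

Driving the clock forward past `expires_in` makes the first call fail with the slides' `expired_token` body, `call_with_refresh` then obtains a new pair and succeeds, and the retired refresh token is refused if presented again.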
oauth.net/2
oauth.net Website
• Source code available on Github
- github.com/aaronpk/oauth.net
• Please feel free to contribute to the website
• Contribute new lists of libraries, or help update
information
Thanks.
@aaronpk
aparecki@esri.com
github.com/aaronpk
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

UC2013 Speed Geeking: Intro to OAuth2

  • 1. Esri UC2013 . Technical Workshop . Speed Geeking 2013 Esri International User Conference July 8–12, 2013 | San Diego, California An Introduction to OAuth 2 Aaron Parecki @aaronpk
  • 2. Before OAuth
    - Apps stored the user’s password
    - Apps got complete access to a user’s account
    - Users couldn’t revoke access to an app except by changing their password
    - Compromised apps exposed the user’s password
  • 3. Before OAuth
    - Services recognized the problems with password authentication
    - Many services implemented things similar to OAuth 1.0:
      Flickr: “FlickrAuth” frobs and tokens
      Google: “AuthSub”
      Facebook: requests signed with MD5 hashes
      Yahoo: BBAuth (“Browser-Based Auth”)
  • 4. The OAuth 2 Spec: http://oauth.net/2/
  • 5. Definitions
    - Resource Owner: The User
    - Resource Server: The API
    - Authorization Server: Often the same as the API server
    - Client: The Third-Party Application
  • 6. Use Cases
    - Web-server apps
    - Browser-based apps
    - Username/password access
    - Application access
    - Mobile apps
  • 7. Use Cases – Grant Types
    - Web-server apps – authorization_code
    - Browser-based apps – implicit
    - Username/password access – password
    - Application access – client_credentials
    - Mobile apps – implicit
  • 8. Web Server Apps: Authorization Code Grant
  • 9. Create a “Log In” link. Link to:
    https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
  • 14. User visits the authorization page
    https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
  • 15. On success, user is redirected back to your site with an auth code
    https://example.com/auth?code=AUTH_CODE_HERE
    On error, user is redirected back to your site with an error code
    https://example.com/auth?error=access_denied
    Practitioner’s note: add a random, per-session `state` parameter to the authorization request and check that the redirect carries the same value before using the code. Without it an attacker can feed your callback a code from their own session and log the victim into the attacker’s account (login CSRF, RFC 6749 section 10.12).
  • 16. Server exchanges the auth code for an access token. Your server makes the following request:
    POST https://graph.facebook.com/oauth/access_token
    Post Body:
    grant_type=authorization_code
    &code=CODE_FROM_QUERY_STRING
    &redirect_uri=REDIRECT_URI
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
  • 17. Your server gets a response like the following:
    { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }
    or, if there was an error:
    { "error":"invalid_request" }
  • 18. Browser-Based Apps: Implicit Grant
  • 19. Create a “Log In” link. Link to:
    https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
  • 20. User visits the authorization page
    https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
  • 21. On success, user is redirected back to your site with the access token in the URL fragment (RFC 6749 section 4.2.2 names the parameter access_token):
    https://example.com/auth#access_token=ACCESS_TOKEN&token_type=bearer
    On error, user is redirected back to your site with an error code:
    https://example.com/auth#error=access_denied
  • 22. Browser-Based Apps
    - Use the “Implicit” grant type
    - No server-side code needed
    - Client secret not used
    - Browser makes API requests directly
    Caveat (guidance that postdates this 2013 talk): the implicit grant puts the access token in the URL, where it can leak through browser history and Referer headers, and it issues no refresh token. RFC 8252 (native apps) and the OAuth 2.0 Security Best Current Practice recommend the authorization code grant with PKCE (RFC 7636) and no client secret for browser-based and mobile apps instead.
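The client side of the authorization code flow (slides 9–17) and the implicit callback (slides 19–21), as an added Python example; it is not code from the original slides, Facebook or Esri. It assumes the placeholder endpoint URLs and client credentials shown on the slides, adds the `state` parameter the slides omit, and injects the HTTP POST as a callable so the exchange can be run offline against a constructed token response.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint URLs and client credentials are placeholders taken from the slides;
# substitute your real values.
AUTHORIZE_URL = "https://facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://example.com/auth"


class OAuthError(Exception):
    """Raised for an error redirect, a state mismatch or an error token response."""


def build_authorize_url(response_type="code", scope="email", state=None):
    """Build the 'Log In' link: response_type 'code' for the web-server flow,
    'token' for the implicit flow. The random `state` is kept in the user's
    session and checked when the browser comes back, so a callback planted by
    an attacker cannot be bound to the victim's session (RFC 6749 section 10.12)."""
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(url, expected_state):
    """Parse the redirect back to REDIRECT_URI. The code grant returns its
    parameters in the query string, the implicit grant in the fragment.
    Returns ('code', value) or ('token', value)."""
    parts = urlsplit(url)
    raw = parts.fragment if parts.fragment else parts.query
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    # Check state before trusting anything else in the callback.
    if params.get("state") != expected_state:
        raise OAuthError("state mismatch")
    if "error" in params:
        raise OAuthError(params["error"])
    if "code" in params:
        return "code", params["code"]
    if "access_token" in params:
        return "token", params["access_token"]
    raise OAuthError("callback carried neither a code nor a token")


def token_request_body(code):
    """Form body the server POSTs to TOKEN_URL. Only the server-side
    (confidential) client ever holds CLIENT_SECRET."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })


def parse_token_response(body):
    """Parse the token endpoint's JSON; an {"error": ...} object is a failure."""
    data = json.loads(body)
    if "error" in data:
        raise OAuthError(data["error"])
    if data.get("token_type", "").lower() != "bearer":
        raise OAuthError("unexpected token_type")
    return data


def exchange_code(code, post):
    """Exchange the code through `post(url, body) -> response body`. The POST is
    injected so the flow runs offline; in production it wraps an HTTP client."""
    return parse_token_response(post(TOKEN_URL, token_request_body(code)))


if __name__ == "__main__":
    login_url, state = build_authorize_url()
    print("Log In link:", login_url)
    # Constructed callback URL and token response, modelled on slides 15 and 17.
    kind, code = parse_callback(
        f"https://example.com/auth?code=AUTH_CODE_HERE&state={state}", state)
    fake_response = ('{"access_token":"RsT5OjbzRn430zqMLgV3Ia","token_type":"bearer",'
                     '"expires_in":3600,"refresh_token":"e1qoXg7Ik2RRua48lXIV"}')
    print(exchange_code(code, lambda url, body: fake_response)["access_token"])
```

The same `parse_callback` serves both grants because the only difference on the wire is whether the parameters arrive in the query string or the fragment; the state check runs before anything else is read, so an error redirect without the right state is still rejected.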
  • 23. Username/Password: Password Grant
  • 24. Password Grant: only appropriate for trusted clients, most likely first-party apps only. If you build your own website as a client of your API, then this is a great way to handle logging in.
  • 25. Password Grant Type: only appropriate for your service’s website or your service’s mobile apps.
  • 26. Password Grant
    POST https://api.example.com/oauth/token
    Post Body:
    grant_type=password
    &username=USERNAME
    &password=PASSWORD
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    Response:
    { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }
  • 27. Password Grant
    - User exchanges username and password for a token
    - No server-side code needed
    - Client secret only used from confidential clients (don’t send the client secret from a mobile app: anything shipped in the app binary can be extracted)
    - Useful for developing a first-party login system
  • 28. Application Access: Client Credentials Grant
  • 29. Client Credentials Grant
    POST https://api.example.com/1/oauth/token
    Post Body:
    grant_type=client_credentials
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    Response:
    { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }
    Note: RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be issued for this grant, since the client can simply authenticate again with its credentials; some providers return one anyway, as shown here.
  • 30. Grant Type Summary
    - authorization_code: Web-server apps
    - implicit: Mobile and browser-based apps (current guidance, RFC 8252 and the OAuth 2.0 Security BCP, is authorization_code with PKCE for these clients)
    - password: Username/password access
    - client_credentials: Application access
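The authorization-server side of the password and client_credentials grants (slides 23–29), as an added Python example; it is not code from the slides and not any real provider’s implementation. It assumes a constructed client registry in which confidential clients hold a secret and public (mobile) clients are registered with none, and a constructed single-user store; it enforces the two rules the slides state: the password grant is for first-party clients only, and a client secret is only ever checked for confidential clients.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registry. A confidential client (a server) holds a secret;
# a public client (mobile or browser app) is registered with no secret at all,
# so there is nothing in the shipped app to extract.
CLIENTS = {
    "first-party-web":    {"secret": "web-secret",     "confidential": True,  "first_party": True},
    "first-party-mobile": {"secret": None,             "confidential": False, "first_party": True},
    "partner-backend":    {"secret": "partner-secret", "confidential": True,  "first_party": False},
}

# Constructed user store; a real server verifies a password hash here.
USERS = {"alice": "correct horse battery staple"}

ISSUED = {}  # access_token -> {"client_id": ..., "sub": ...}


def _ct_equal(a, b):
    """Constant-time comparison so a wrong secret cannot be guessed byte by byte."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate_client(params):
    """Return the client record, or None if the client_id is unknown or a
    confidential client failed to present its secret."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return None
    if client["confidential"] and not _ct_equal(params.get("client_secret", ""), client["secret"]):
        return None
    return client


def issue(client_id, subject, with_refresh):
    token = {"access_token": secrets.token_urlsafe(24), "token_type": "bearer", "expires_in": 3600}
    if with_refresh:
        token["refresh_token"] = secrets.token_urlsafe(24)
    ISSUED[token["access_token"]] = {"client_id": client_id, "sub": subject}
    return token


def token_endpoint(body):
    """Handle POST /oauth/token for the password and client_credentials grants.
    `body` is the raw form-encoded request body; returns (http_status, json_dict)."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    client = authenticate_client(params)
    if client is None:
        return 401, {"error": "invalid_client"}
    grant = params.get("grant_type")

    if grant == "client_credentials":
        # Only a client that can keep a secret may act on its own behalf
        # (RFC 6749 section 4.4); no refresh token, the client just re-authenticates.
        if not client["confidential"]:
            return 400, {"error": "unauthorized_client"}
        return 200, issue(params["client_id"], None, with_refresh=False)

    if grant == "password":
        # Handing a raw password to third-party code is what OAuth exists to
        # avoid, so this grant is reserved for the service's own apps.
        if not client["first_party"]:
            return 400, {"error": "unauthorized_client"}
        user = params.get("username", "")
        if user not in USERS or not _ct_equal(params.get("password", ""), USERS[user]):
            return 400, {"error": "invalid_grant"}
        return 200, issue(params["client_id"], user, with_refresh=True)

    return 400, {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    print(token_endpoint("grant_type=client_credentials&client_id=partner-backend&client_secret=partner-secret"))
    print(token_endpoint("grant_type=password&username=alice&password=correct+horse+battery+staple&client_id=first-party-mobile"))
```

The mobile client in the registry authenticates with its client_id alone; a secret it sent would be ignored rather than trusted, which is the practical meaning of “don’t send the client secret from a mobile app”.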
  • 31. Accessing Resources: so you have an access token. Now what?
  • 32. Use the access token to make requests
    GET https://api.example.com/me
    Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
    The access token can be sent in an HTTP header or as a query string parameter:
    https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
    Prefer the header. RFC 6750 permits the query parameter but discourages it, because tokens in URLs end up in server logs, proxy logs, browser history and Referer headers.
  • 33. Eventually the access token may expire. When you make a request with an expired token, you will get a response like this:
    { "error":"expired_token" }
    Now you need to get a new access token!
    (The JSON body is provider-specific. RFC 6750 signals an expired or revoked token with HTTP 401 and a WWW-Authenticate: Bearer error="invalid_token" header, so a client should key its retry logic on the status and header, not on a particular error string.)
  • 34. Get a new access token using a refresh token. Your server makes the following request:
    POST https://api.example.com/oauth/token
    grant_type=refresh_token
    &refresh_token=e1qoXg7Ik2RRua48lXIV
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    Your server gets a response similar to the original call to oauth/token, with new tokens:
    { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }
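Bearer requests, expiry handling and the refresh_token grant (slides 32–34), as an added Python example that is not from the slides or any real API. It assumes the api.example.com endpoints and placeholder credentials from the slides and stands in a constructed in-memory API for the resource server and token endpoint so it runs offline; the stand-in rotates refresh tokens (each works once), which the slides do not show but which is what a practitioner should expect from a modern authorization server.

```python
import time
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://api.example.com/oauth/token"   # as on slide 34
CLIENT_ID, CLIENT_SECRET = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"


class FakeApi:
    """Constructed stand-in for api.example.com: one resource (/me) and the
    token endpoint's refresh_token grant. Refresh tokens are rotated, so a
    refresh token that has already been used is rejected."""

    def __init__(self, now):
        self.now = now
        self.access_tokens = {"RsT5OjbzRn430zqMLgV3Ia": ("alice", now() + 3600)}
        self.refresh_tokens = {"e1qoXg7Ik2RRua48lXIV": "alice"}
        self.count = 0

    def get(self, path, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self.access_tokens.get(token) if scheme == "Bearer" else None
        if entry is None or entry[1] <= self.now():
            # RFC 6750 section 3.1: expired or unknown token -> 401 invalid_token
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, {"error": "expired_token"}
        return 200, {}, {"id": entry[0]}

    def post_token(self, body):
        p = {k: v[0] for k, v in parse_qs(body).items()}
        if p.get("client_id") != CLIENT_ID or p.get("client_secret") != CLIENT_SECRET:
            return 401, {"error": "invalid_client"}
        if p.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        user = self.refresh_tokens.pop(p.get("refresh_token"), None)
        if user is None:   # unknown, already used, or revoked
            return 400, {"error": "invalid_grant"}
        self.count += 1
        access, refresh = f"access-{self.count}", f"refresh-{self.count}"
        self.access_tokens[access] = (user, self.now() + 3600)
        self.refresh_tokens[refresh] = user
        return 200, {"access_token": access, "token_type": "bearer",
                     "expires_in": 3600, "refresh_token": refresh}


class OAuthClient:
    """Client-side handling of a bearer token: send it in the Authorization
    header, refresh before it expires, and refresh once more on a 401."""

    def __init__(self, api, access_token, refresh_token, expires_in, now=time.time):
        self.api, self.now = api, now
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at = now() + expires_in

    def refresh(self):
        status, resp = self.api.post_token(urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        }))
        if status != 200:
            raise RuntimeError("refresh failed: " + resp.get("error", "unknown"))
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"]
        # Keep the new refresh token if the server rotated it, else the old one.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return resp

    def get(self, path):
        # Proactive refresh based on expires_in, with 30 s of slack for clock skew...
        if self.now() >= self.expires_at - 30:
            self.refresh()
        status, headers, body = self.api.get(path, {"Authorization": "Bearer " + self.access_token})
        # ...and a reactive refresh if the server still rejects the token (e.g. it
        # was revoked), retried once only so a dead refresh token cannot loop.
        if status == 401 and 'error="invalid_token"' in headers.get("WWW-Authenticate", ""):
            self.refresh()
            status, headers, body = self.api.get(path, {"Authorization": "Bearer " + self.access_token})
        return status, body


if __name__ == "__main__":
    clock = [1000.0]
    api = FakeApi(lambda: clock[0])
    client = OAuthClient(api, "RsT5OjbzRn430zqMLgV3Ia", "e1qoXg7Ik2RRua48lXIV", 3600, lambda: clock[0])
    print(client.get("/me"))                          # original token still valid
    clock[0] += 4000                                  # past expires_in
    print(client.get("/me"), client.access_token)     # refreshed transparently
```

The client never inspects the JSON error string from slide 33; it keys on the 401 status and the `WWW-Authenticate` header, which is what the bearer token spec guarantees. The injectable clock is what makes expiry testable without sleeping.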
  • 35. Scope: Limiting access to resources
  • 36–38. Limiting Access to Third Parties (diagram slides)
  • 39. OAuth 2 scope on Github
    https://github.com/login/oauth/authorize?client_id=...&scope=user,public_repo
    - user: Read/write access to profile info only.
    - public_repo: Read/write access to public repos and organizations.
    - repo: Read/write access to public and private repos and organizations.
    - delete_repo: Delete access to adminable repositories.
    - gist: Write access to gists.
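Scope enforcement on the resource-server side (slides 35–39), as an added Python example; it is not from the slides and not GitHub’s code. It assumes a constructed table of issued tokens and their granted scopes, uses the GitHub scope names from slide 39, and assumes that `repo` implies `public_repo`; the 403 `insufficient_scope` response follows RFC 6750 section 3.1.

```python
from functools import wraps

# Constructed registry of issued tokens and the scopes the user granted each one.
# A real resource server would consult its token store or an introspection
# endpoint (RFC 7662) instead of a dict.
TOKENS = {
    "tok-profile-only": {"sub": "alice", "scopes": {"user"}},
    "tok-public-repo":  {"sub": "alice", "scopes": {"user", "public_repo"}},
    "tok-all-repos":    {"sub": "bob",   "scopes": {"repo"}},
}

# Scopes that include other scopes (assumption modelled on the GitHub table:
# 'repo' covers everything 'public_repo' allows).
IMPLIES = {"repo": {"public_repo"}}


def effective_scopes(granted):
    out = set(granted)
    for s in granted:
        out |= IMPLIES.get(s, set())
    return out


def bearer_token(headers):
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def require_scope(needed):
    """Decorator for resource handlers of the form
    handler(headers, subject=..., **kw) -> (status, headers, body)."""
    def deco(handler):
        @wraps(handler)
        def wrapper(headers, **kw):
            token = bearer_token(headers)
            entry = TOKENS.get(token) if token else None
            if entry is None:
                return (401, {"WWW-Authenticate": 'Bearer error="invalid_token"'},
                        {"error": "invalid_token"})
            if needed not in effective_scopes(entry["scopes"]):
                # Valid token, wrong scope: tell the client which scope it lacks
                # so it can send the user back through authorization for it.
                return (403, {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{needed}"'},
                        {"error": "insufficient_scope"})
            return handler(headers, subject=entry["sub"], **kw)
        return wrapper
    return deco


@require_scope("user")
def get_profile(headers, subject):
    return 200, {}, {"login": subject}


@require_scope("public_repo")
def create_public_repo(headers, subject, name):
    return 201, {}, {"owner": subject, "name": name, "private": False}


@require_scope("repo")
def create_private_repo(headers, subject, name):
    return 201, {}, {"owner": subject, "name": name, "private": True}


if __name__ == "__main__":
    h = {"Authorization": "Bearer tok-public-repo"}
    print(create_public_repo(h, name="demo"))    # 201
    print(create_private_repo(h, name="demo"))   # 403 insufficient_scope
```

The point the diagram slides make is visible in the two 403s: a token that was granted only `public_repo` is a valid token, but it cannot be used to touch a private repository, and the server says so without revealing anything else.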
  • 40. oauth.net/2
  • 41. oauth.net Website
    - Source code available on Github: github.com/aaronpk/oauth.net
    - Please feel free to contribute to the website
    - Contribute new lists of libraries, or help update information
  • 42. Thanks. @aaronpk aparecki@esri.com github.com/aaronpk