OAuth
URL: http://oauth.net/
Contents
• History
• What is OAuth
• Terminologies used for OAuth
• Working of OAuth protocol
• Flow
• Loopholes and drawbacks of OAuth
• OAuth 2.0
• Consumer Implementation (Twitter & Xero)
History
• OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.
• In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.
• In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
What is OAuth
• OAuth is an authorization standard for APIs: a user grants a third party access to their data without handing that third party their login and password
• A protocol that lets private data hosted on web site X be shared with web site Y
• A way for an application to interact with an API on a user's behalf without ever learning the user's authentication credentials
• A protocol for building APIs that never see the user's password
• It is only a skeleton; endpoints, token formats and many other details are left to each vendor's implementation
In short: "your valet key for the Web"
Terminologies used for OAuth
• Consumer: the application trying to access a protected resource
• Service Provider: the web site or web service hosting the protected resource
• User: the owner of the protected data
• Protected Resource: images, videos or documents hosted on the web site or web service and controlled by the user
• Tokens: unpredictable random strings, each unique and paired with a token secret that keys the consumer's signature. Two kinds: Request Token and Access Token
• Scope: the set of data hosted on the service provider that the user wants to share with the consumer
Working of OAuth protocol
• Web 2.0 means sharing data through APIs
• Users want to access their data from many services
• Developers want to satisfy their users (and make it easy for them)
• Service providers need to keep their users' data secure
Working of OAuth protocol
A Play in 3 Acts (to exchange authorization)
Actors on the scene
• User
• Consumer
• Service Provider
Working of OAuth protocol
A Play in 3 Acts (to exchange authorization)
First Act
Where the Consumer obtains a Request Token
The consumer has (obtained when it registered with the service provider):
• Consumer key
• Consumer secret (never sent over the wire; it keys the oauth_signature)
Consumer (to Service Provider):
"give me a request token"
• oauth_consumer_key
• oauth_signature_method
• oauth_signature
• oauth_timestamp
• oauth_nonce
• oauth_version (optional)
• [additional parameters]
A Play in 3 Acts (to exchange authorization)
Service Provider (to consumer):
"here is the request token (you can use it only once!)"
• oauth_token (request token)
• oauth_token_secret
• [additional parameters]
A Play in 3 Acts (to exchange authorization)
Second Act
Where the User authorizes the Request Token
Consumer (to the User):
"Please go to the Service Provider and authorize this request"
consumer -> user -> service provider
• oauth_token (request token)
• oauth_callback (in OAuth 1.0a the callback is sent in the First Act instead)
• [additional parameters]
Service Provider (to the User):
"Do you authorize this consumer to access your data?"
A Play in 3 Acts (to exchange authorization)
User (to the Service Provider):
• YES!
• (or maybe NO :-) )
Service Provider (to the User):
"You can go back to the consumer"
Service Provider -> User -> Consumer
• oauth_token (request token)
• oauth_verifier (OAuth 1.0a / RFC 5849 only; the consumer must echo it back in the Third Act)
A Play in 3 Acts (to exchange authorization)
Third Act
Where the Consumer exchanges the Request Token for an Access Token
Consumer (to the Service Provider):
"Please give me the access token for the user"
• oauth_consumer_key
• oauth_token (request token)
• oauth_verifier (OAuth 1.0a only)
• oauth_signature_method
• oauth_signature (now keyed with consumer secret and request token secret)
• oauth_timestamp
• oauth_nonce
• oauth_version (optional)
A Play in 3 Acts (to exchange authorization)
Service Provider (to the Consumer):
"here is the access token for the user"
• oauth_token (access token)
• oauth_token_secret
• [additional parameters]
Now the consumer accesses the resources
Consumer (to the Service Provider):
"Here I am again, on behalf of the user"
• oauth_consumer_key
• oauth_token (access token)
• oauth_signature_method
• oauth_signature
• oauth_timestamp
• oauth_nonce
• oauth_version (optional)
• [additional parameters]
Flow
Working of OAuth protocol
• Site Y is the consumer and site X is the service provider
• Site Y has a consumer ID (key) and a shared secret, issued by site X when Y registered as one of its OAuth consumers
• The user visits site Y and wants to share private data hosted on site X
• Site Y sends a request to site X carrying the consumer ID and signed with the shared secret (the secret itself is never transmitted) and asks for a Request Token
• Site X returns a Request Token and its token secret to site Y
• Site Y redirects the user to site X's login/authorization page with the request token
• The user enters username/password or OpenID credentials to log in to site X and approves the request
• Site X validates the credentials, marks the request token as authorized and redirects the user back to site Y with the request token
• Site Y sends the request token to site X asking for an Access Token
• Site X returns the Access Token and its secret; site Y uses them to sign requests for protected resources hosted on site X (the access token is valid only for a limited period, decided by site X)
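The three acts and the site X / site Y walkthrough above, carried through in working code. This is an added example, not code from the slides: a toy consumer and a toy service provider run in one process, with the HMAC-SHA1 signing of RFC 5849 section 3.4, the nonce/timestamp replay check, and the one-time request token the deck mentions; it also includes the oauth_verifier of OAuth 1.0a, which the slides (written for 1.0) do not show. The consumer key and secrets are the well-known values from the OAuth Core 1.0 specification's example appendix; the sp.example and consumer.example URLs are made up for the example.

```python
"""OAuth 1.0a (RFC 5849) three-legged flow signed with HMAC-SHA1.
Added example: a toy consumer and a toy service provider in one process."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlparse

def pct(s):
    # RFC 5849 sec. 3.6: percent-encode everything except ALPHA, DIGIT, "-", ".", "_", "~"
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string (RFC 5849 sec. 3.4.1). `params` carries every oauth_*
    and request parameter; the URL is passed without its query string."""
    u = urlparse(url)
    host = u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host += f":{u.port}"                       # default ports are dropped
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{host}{u.path}"), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key = consumer secret "&" token secret; the token secret is empty in the First Act
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def oauth_params(consumer_key, **extra):
    """The oauth_* parameters the deck lists for every consumer request;
    extra keys (callback, token, verifier) become oauth_callback etc."""
    p = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
         "oauth_version": "1.0"}
    p.update({f"oauth_{k}": v for k, v in extra.items() if v is not None})
    return p

def signed(method, url, params, consumer_secret, token_secret=""):
    params = dict(params)
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class ServiceProvider:
    """Toy provider (hypothetical sp.example): verifies signatures, rejects replays,
    and enforces single-use request tokens."""
    REQUEST_URL = "https://sp.example/oauth/request_token"
    ACCESS_URL = "https://sp.example/oauth/access_token"
    RESOURCE_URL = "https://sp.example/photos"

    def __init__(self, consumers):
        self.consumers = consumers   # consumer_key -> consumer_secret (registered out of band)
        self.tokens = {}             # token -> {secret, kind, consumer, verifier}
        self.seen = set()            # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, token_secret=""):
        ck = params.get("oauth_consumer_key")
        if ck not in self.consumers:
            raise PermissionError("unknown consumer")
        if abs(int(params["oauth_timestamp"]) - time.time()) > 300:
            raise PermissionError("stale timestamp")
        replay_key = (ck, params["oauth_timestamp"], params["oauth_nonce"])
        if replay_key in self.seen:
            raise PermissionError("nonce replayed")
        expected = sign(method, url, params, self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen.add(replay_key)
        return ck

    def _issue(self, kind, consumer):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "kind": kind, "consumer": consumer, "verifier": None}
        return tok, sec

    def request_token(self, params):                 # First Act
        ck = self.verify("POST", self.REQUEST_URL, params)
        if "oauth_callback" not in params:
            raise ValueError("oauth_callback required (1.0a)")
        return self._issue("request", ck)

    def authorize(self, token, user_approves):       # Second Act: user says YES or NO
        t = self.tokens.get(token)
        if not t or t["kind"] != "request" or not user_approves:
            return None
        t["verifier"] = secrets.token_hex(4)         # oauth_verifier, sent back via the callback
        return t["verifier"]

    def access_token(self, params):                  # Third Act
        t = self.tokens.get(params.get("oauth_token"))
        if not t or t["kind"] != "request":
            raise PermissionError("not a request token")
        ck = self.verify("POST", self.ACCESS_URL, params, t["secret"])
        if t["consumer"] != ck or t["verifier"] is None or t["verifier"] != params.get("oauth_verifier"):
            raise PermissionError("request token not authorized for this consumer")
        del self.tokens[params["oauth_token"]]       # request token is single use
        return self._issue("access", ck)

    def resource(self, params):                      # protected resource, access token required
        t = self.tokens.get(params.get("oauth_token"))
        if not t or t["kind"] != "access":
            raise PermissionError("access token required")
        self.verify("GET", self.RESOURCE_URL, params, t["secret"])
        return {"owner_data": f"photo {params['file']} for consumer {t['consumer']}"}

def run_three_legged_flow(sp, ck, cs, callback="https://consumer.example/cb"):
    """Consumer side of the three acts; returns the protected resource."""
    rt, rts = sp.request_token(signed("POST", sp.REQUEST_URL, oauth_params(ck, callback=callback), cs))
    verifier = sp.authorize(rt, user_approves=True)  # user is bounced SP -> consumer with token + verifier
    at, ats = sp.access_token(signed("POST", sp.ACCESS_URL, oauth_params(ck, token=rt, verifier=verifier), cs, rts))
    req = oauth_params(ck, token=at)
    req["file"] = "vacation.jpg"
    return sp.resource(signed("GET", sp.RESOURCE_URL, req, cs, ats))

if __name__ == "__main__":
    sp = ServiceProvider({"dpf43f3p2l4k3l03": "kd94hf93k423kf44"})
    print(run_three_legged_flow(sp, "dpf43f3p2l4k3l03", "kd94hf93k423kf44"))
```

The signature is what replaces the password: the consumer secret and token secret never leave the two parties, so a captured request reveals only a one-time signature, and the service provider's (timestamp, nonce) set stops it from being replayed. The request token is deleted the moment it is exchanged, which is the "you can use it only once" rule from the First Act.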
Loopholes and drawbacks of OAuth
• Trust in the consumer is key:
  - the user has to trust that the consumer redirects them to the genuine service provider
  - the user has to trust that the consumer uses the private data only for the agreed period
• The OAuth specification is a skeleton: it does not define resource formats, and only offers a menu of signing methods (PLAINTEXT, HMAC-SHA1, RSA-SHA1) that consumer and service provider must agree on out of band
• The specification says nothing about endpoint discovery, language support or XML-RPC support
OAuth 2.0
• OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0; the main framework (RFC 6749) was published in October 2012
• Focuses on client developer simplicity: bearer tokens sent over TLS replace the per-request signatures of 1.0
• Facebook's new Graph API only supports OAuth 2.0
• Google and Microsoft had added experimental OAuth 2.0 support to their APIs
In July 2012, Eran Hammer resigned his role as lead author of the OAuth 2.0 specification. He points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure".
Thank you