OAuth 2.0 for developers - the technology you need but never really learned
Mikkel Flindt Heisterberg
OnTime® by IntraVision
Agenda
• The problem we are trying to solve
• Demo (OAuth for users i.e. almost real people)
• The flow…
• OAuth for administrators
• OAuth for developers i.e. real people
• Demo w/ code
• Q&A
Mikkel Flindt Heisterberg
Twitter: @lekkim
E-mail: mfh@intravision.dk
http://lekkimworld.com
http://slideshare.net/lekkim
The problem we are trying to solve
The problem we are trying to solve
Give me your Social
site username and
password and we can
play…
The problem we are trying to solve
Doesn’t really trust that
shiny new site – or IBM
Connections for that
matter…
Give me your Social
site username and
password and we can
play…
The problem we are trying to solve
I support OAuth 2.0
and don’t want your
credentials – just
authorize me to work
on your behalf…
The problem we are trying to solve
it’s about letting a service access user data without knowing the user’s credentials...
- or without the user being there...
Demo safety
it’s not as simple as that
but almost...
The flow…
(nine diagram slides, numbered 1 to 9, showing the messages exchanged between CLIENT, PROVIDER and USER)
but less cartoony and with
real words this time...
1) The User accesses the site and logs in
2) The site checks whether it has tokens for the Provider in its credential store
3) The site sends a redirection to the User telling the browser to go and authorize the Client at the Provider. The URL contains the Client’s redirect_uri and client_id
4) The User follows the redirect URL to the Provider, logs in if not already logged in, and then authorizes the Client
5) The Provider returns a time-limited authorization_code in a redirection URL to the User
6) The User sends the authorization_code to the Client
7) Out-of-band, the Client sends the authorization_code, its client_id, redirect_uri and secret to the Provider
8) The Provider exchanges the authorization_code for a short-lived access_token (yellow) and a longer-lived refresh_token (blue)
9) When the User now accesses the site it can use the access_token to work as the User, even if the user is not there, i.e. not logged into the site…
If not you should ask now…
Application registration
WSADMIN
COMING UP
On-premises
OAuth for administrators
• IBM Connections uses the built-in OAuth provider from WebSphere Application Server
• Administrators are responsible for registering the app with the OAuth provider
• You use – you guessed it – wsadmin commands to do it…
On-premises
OAuth for administrators
execfile("oauthAdmin.py")
OAuthApplicationRegistrationService.addApplication("myapp1", "My App1", "https://www.renovations.com/oauth/redirect")
OAuthApplicationRegistrationService.browseApplications()
[{display_name=My App1, client_id=myapp1, client_secret=xxxxxxxxxxxxxxxxxxxxxxxxxx, redirect_uri=https://www.renovations.com/oauth/redirect}]
OAuthApplicationRegistrationService.deleteApplication("myapp1")
The application with the id myapp1 was deleted successfully.
https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/r_admin_common_oauth_manage_list.dita
On-premises
IBM Connections Cloud
Cloud
I’M A
DEVELOPER
OAuth for developers
Generate the authorization redirection URL and have the user visit it. We suggest doing it in a separate window.
Syntax
https://<hostname>/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=<client_id>&callback_uri=<callback_uri>
Example
https://social.example.com/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=myapp1&callback_uri=https://myapp.shinysite.com/oauth20_cb
Must match exactly what the Provider has on record…
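Added example (not from the slides): building the authorization redirect URL from the syntax above, and the kind of exact-match check the Provider is described as making against the redirect_uri it has on record. The hostname, client_id and URIs are the slides' own example values; the REGISTERED_APPS dictionary is constructed from the browseApplications() output on the administrator slide, and provider_accepts() is an illustration of the check, not WebSphere's implementation. The optional `state` parameter is the standard OAuth 2.0 CSRF guard and is an addition: the slides do not show it, and whether this Provider returns it is not stated there.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

AUTHORIZE_PATH = "/oauth2/endpoint/connectionsProvider/authorize"

# Constructed registry: what the Provider has "on record" after the wsadmin
# addApplication() call on the administrator slide (client_secret left out).
REGISTERED_APPS = {
    "myapp1": {"display_name": "My App1",
               "redirect_uri": "https://www.renovations.com/oauth/redirect"},
}

def build_authorize_url(hostname, client_id, callback_uri, state=None):
    """Step 3 of the flow: the URL the Client redirects the User to.

    urlencode() percent-encodes callback_uri, so its own '/' and '?' cannot be
    read as parts of the authorize URL. `state` is the standard OAuth 2.0 CSRF
    guard (RFC 6749 section 10.12); the slides do not show it and whether this
    Provider echoes it back is not stated there, so it is only sent when given.
    """
    params = {"response_type": "code", "client_id": client_id, "callback_uri": callback_uri}
    if state is not None:
        params["state"] = state
    return f"https://{hostname}{AUTHORIZE_PATH}?{urlencode(params)}"

def provider_accepts(authorize_url, registry=REGISTERED_APPS):
    """Provider-side check of an incoming authorize request: the client must be
    registered and callback_uri must equal the registered redirect_uri exactly.
    Returns (ok, reason)."""
    query = parse_qs(urlsplit(authorize_url).query)
    if query.get("response_type") != ["code"]:
        return False, "unsupported response_type"
    app = registry.get(query.get("client_id", [None])[0])
    if app is None:
        return False, "unknown client_id"
    # Plain string equality: no prefix match, no trailing-slash or case
    # tolerance, so a near-match URI that was never registered is refused.
    if query.get("callback_uri", [None])[0] != app["redirect_uri"]:
        return False, "callback_uri does not match the registered redirect_uri"
    return True, "ok"

if __name__ == "__main__":
    url = build_authorize_url("social.example.com", "myapp1",
                              "https://www.renovations.com/oauth/redirect",
                              state=secrets.token_urlsafe(16))
    print(url)
    print(provider_accepts(url))
    # The developer slide's callback_uri is not the one registered for myapp1:
    print(provider_accepts(build_authorize_url("social.example.com", "myapp1",
                                               "https://myapp.shinysite.com/oauth20_cb")))
```

Note that the developer slide's example callback_uri (https://myapp.shinysite.com/oauth20_cb) differs from the redirect_uri registered for myapp1 on the administrator slide, so a Provider doing the exact comparison would refuse it; the two values have to be kept identical on both sides.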
OAuth for developers
The user logs in to the Provider (if not already) and
authorizes your app… Hopefully...
OAuth for developers
The Provider sends back a redirection URL to the
User containing an authorization code causing
the User to send it to the Client
Syntax
https://<client_redirection_uri>?code=<authorization_code>
https://<client_redirection_uri>?oauth_error=<error_code>
Example
https://myapp.shinysite.com/oauth20_cb?code=user_specific_auth_code
OAuth for developers
The Client POSTs the authorization code, client ID, redirection URI and client secret to the Provider out-of-band (server to server, not through the User)
Syntax
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: <hostname>
Content-Length: <length>
Connection: Close

client_secret=<client_secret>&client_id=<client_id>&grant_type=authorization_code&code=<auth_code>&callback_uri=<callback_uri>
Example
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: social.example.com
Content-Length: 161
Connection: Close

client_secret=my_secret_string&client_id=myapp1&grant_type=authorization_code&code=user_specific_auth_code&callback_uri=https://myapp.shinysite.com/oauth20_cb
OAuth for developers
The Provider responds with a JSON response containing the access token, refresh token and expiry info. It would be wise for the Client to save the tokens…
Example
{
"access_token": "d86o7UP0gj2c...GVzTPADsFv7",
"token_type": "Bearer",
"expires_in": 43200,
"scope": "",
"refresh_token": "EWcVt5uaaXC9Pc...pTTgvrLRrs56gR"
}
The response format is Provider specific, e.g. IBM Connections Cloud returns the tokens in plain text format…
OAuth for developers
To make requests on behalf of the User the Client needs to set the access token in an Authorization header
Example
GET /connections/opensocial/oauth/rest/activitystreams/@me/@all/@all HTTP/1.0
Host: social.example.com
Authorization: Bearer d86o7UP0gj2c...GVzTPADsFv7
Connection: Close
If the Client uses an access token and receives a 401 back from the Provider it should attempt to refresh the access token.
OAuth for developers
You can refresh the tokens, e.g. when a call using the access token returns a 401 from the Provider, by using the refresh_token. If that also fails the user has probably revoked your authorization.
Syntax
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: <hostname>
Content-Length: <length>
Connection: Close

client_secret=<client_secret>&client_id=<client_id>&grant_type=refresh_token&refresh_token=<refresh_token>
Example
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: social.example.com
Content-Length: 104
Connection: Close

client_secret=my_secret_string&client_id=myapp1&grant_type=refresh_token&refresh_token=my_refresh_token
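Added example covering the developer slides from the token POST onwards (not the slides' demo code): a small Client-side token handler that performs the authorization_code exchange, stores the tokens, calls the API with the Bearer header, and on a 401 refreshes once and retries, treating a failed refresh as a revoked authorization. The Provider is reached through an injectable `http` callable so the whole thing runs offline against the constructed FakeProvider below; endpoint path, parameter names and sample values are the slides', while FakeProvider's behaviour (tokens good for two calls, a revoke switch) and the form-encoded fallback in parse_token_response are assumptions, since the slides only say the Cloud variant returns plain text.

```python
import json
from urllib.parse import urlencode, parse_qs

TOKEN_PATH = "/oauth2/endpoint/connectionsProvider/token"
API_PATH = "/connections/opensocial/oauth/rest/activitystreams/@me/@all/@all"

class AuthorizationRevoked(Exception):
    """Refresh failed too: the user has probably revoked the authorization."""

def parse_token_response(body):
    """JSON as on the slides; form-encoded 'plain text' otherwise (assumed shape)."""
    try:
        return json.loads(body)
    except ValueError:
        return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

class OAuthClient:
    """Client side of steps 7-9. http(method, path, headers, body) returns (status, body)."""

    def __init__(self, hostname, client_id, client_secret, callback_uri, http, store):
        self.hostname, self.client_id, self.client_secret = hostname, client_id, client_secret
        self.callback_uri, self.http, self.store = callback_uri, http, store  # store: credential store

    def _token_request(self, fields):
        # Server to server: the client_secret travels here, never through the User.
        body = urlencode({"client_secret": self.client_secret, "client_id": self.client_id, **fields})
        status, resp = self.http("POST", TOKEN_PATH, {"Host": self.hostname,
                                 "Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            return None
        tokens = parse_token_response(resp)
        self.store["access_token"] = tokens["access_token"]
        if "refresh_token" in tokens:  # keep the old one if the Provider returns none
            self.store["refresh_token"] = tokens["refresh_token"]
        return tokens

    def exchange_code(self, code):
        return self._token_request({"grant_type": "authorization_code", "code": code,
                                    "callback_uri": self.callback_uri})

    def refresh(self):
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.store["refresh_token"]})

    def get(self, path):
        """Call the API as the User; on 401 refresh once and retry, then give up."""
        for attempt in (1, 2):
            status, body = self.http("GET", path, {"Host": self.hostname,
                                     "Authorization": "Bearer " + self.store["access_token"]}, None)
            if status != 401:
                return status, body
            if attempt == 1 and self.refresh() is None:
                raise AuthorizationRevoked("refresh_token rejected")
        raise AuthorizationRevoked("still 401 with a fresh access_token")

class FakeProvider:
    """Constructed Provider stand-in: access_tokens good for two calls, refresh_token until revoked."""

    def __init__(self):
        self.access, self.refresh, self.revoked, self.n = {}, "refresh0", False, 0

    def _issue(self):
        self.n += 1
        self.access[f"access{self.n}"] = 2
        return 200, json.dumps({"access_token": f"access{self.n}", "token_type": "Bearer",
                                "expires_in": 43200, "refresh_token": self.refresh})

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == TOKEN_PATH:
            f = {k: v[0] for k, v in parse_qs(body).items()}
            if (f.get("client_id"), f.get("client_secret")) != ("myapp1", "my_secret_string"):
                return 401, "invalid_client"
            if f.get("grant_type") == "authorization_code":
                ok = (f.get("code"), f.get("callback_uri")) == (
                    "user_specific_auth_code", "https://myapp.shinysite.com/oauth20_cb")
            else:
                ok = (f.get("grant_type"), f.get("refresh_token"), self.revoked) == ("refresh_token", self.refresh, False)
            return self._issue() if ok else (400, "invalid_grant")
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.revoked or self.access.get(token, 0) <= 0:
            return 401, ""
        self.access[token] -= 1
        return 200, '{"entry": []}'

def demo():
    provider, store = FakeProvider(), {}
    client = OAuthClient("social.example.com", "myapp1", "my_secret_string",
                         "https://myapp.shinysite.com/oauth20_cb", provider, store)
    out = [client.exchange_code("user_specific_auth_code")["access_token"]]
    out += [client.get(API_PATH)[0] for _ in range(3)]  # 200, 200, then 401 -> refresh -> 200
    out.append(store["access_token"])                    # the refreshed token is now in the store
    provider.revoked = True                              # the user revokes the app at the Provider
    try:
        client.get(API_PATH)
    except AuthorizationRevoked:
        out.append("revoked")
    return out
```

demo() returns the sequence the Client observes: the first access token, three successful API calls (the third one only after a transparent refresh), the new token now sitting in the credential store, and finally "revoked" once the refresh itself is refused. The retry is bounded to one refresh so a Provider that keeps answering 401 cannot drive the Client into a loop.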
Demo
Mikkel Flindt Heisterberg
Twitter: @lekkim
E-mail: mfh@intravision.dk
http://lekkimworld.com
http://slideshare.net/lekkim
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 

Recently uploaded (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 

OAuth 2.0 for developers - the technology you need but never really learned

  • 1. OAuth 2.0 for developers - the technology you need but never really learned
    Mikkel Flindt Heisterberg, OnTime® by IntraVision
  • 2. Agenda
    • The problem we are trying to solve
    • Demo (OAuth for users i.e. almost real people)
    • The flow…
    • OAuth for administrators
    • OAuth for developers i.e. real people
    • Demo w/ code
    • Q&A
    Mikkel Flindt Heisterberg
    Twitter: @lekkim
    E-mail: mfh@intravision.dk
    http://lekkimworld.com
    http://slideshare.net/lekkim
  • 3. The problem we are trying to solve
  • 4. The problem we are trying to solve
    Give me your Social site username and password and we can play…
  • 5. The problem we are trying to solve
    Doesn’t really trust that shiny new site – or IBM Connections for that matter…
    Give me your Social site username and password and we can play…
  • 6. The problem we are trying to solve
    I support OAuth 2.0 and don’t want your credentials – just authorize me to work on your behalf…
  • 7. The problem we are trying to solve (diagram, steps 1, 2, 3)
  • 8. It’s about letting a service access user data without knowing the user’s credentials... or without the user being there...
  • 9.
  • 11. It’s not as simple as that, but almost...
  • 21. But less cartoony and with real words this time...
  • 22. 1) The User accesses the site and logs in
  • 23. 2) The site checks to see if it has tokens for the Provider in its credential store
  • 24. 3) The site sends a redirection to the client telling it to go authorize it at the Provider. The URL contains the Client redirect_uri and client_id
  • 25. 4) The User uses the redirect URL and goes to the Provider and logs in if not already logged in. Then he authorizes the Client
  • 26. 5) The Provider returns a time-limited authorization_code in a redirection URL to the User
  • 27. 6) The User sends the authorization_code to the Client
  • 28. 7) Out-of-band, the Client sends the authorization_code, its client_id, redirect_uri and secret to the Provider
  • 29. 8) The Provider exchanges the authorization_code for a short-lived access_token (yellow) and a longer-lived refresh_token (blue)
  • 30. 9) When the User now accesses the site it can use the access_token to work as the User. Even if the User is not there, i.e. not logged into the site…
  • 31. If not, you should ask now…
  • 34. OAuth for administrators (on-premises)
    • IBM Connections uses the built-in OAuth provider from WebSphere Application Server
    • Administrators are responsible for registering the app with the OAuth provider
    • You use – you guessed it – wsadmin commands to do it…
  • 35. OAuth for administrators (on-premises)
    execfile("oauthAdmin.py")
    OAuthApplicationRegistrationService.addApplication("myapp1", "My App1", "https://www.renovations.com/oauth/redirect")
    OAuthApplicationRegistrationService.browseApplications()
    [{display_name=My App1, client_id=myapp1, client_secret=xxxxxxxxxxxxxxxxxxxxxxxxxx, redirect_uri=https://www.renovations.com/oauth/redirect}]
    OAuthApplicationRegistrationService.deleteApplication("myapp1")
    The application with the id myapp1 was deleted successfully.
    https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/r_admin_common_oauth_manage_list.dita
  • 39.
  • 40. OAuth for developers
    Generate the authorization redirection URL and have the user visit it. Suggest it’s done in a separate window.
    Syntax
    https://<hostname>/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=<client_id>&callback_uri=<callback_uri>
    Example
    https://social.example.com/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=myapp1&callback_uri=https://myapp.shinysite.com/oauth20_cb
  • 41. OAuth for developers (the same slide, with a callout on callback_uri)
    It must match exactly what the Provider has on record…
  • 42. OAuth for developers
    The user logs in to the Provider (if not already) and authorizes your app… Hopefully...
  • 43. OAuth for developers
    The Provider sends back a redirection URL to the User containing an authorization code, causing the User to send it to the Client
    Syntax
    https://<client_redirection_uri>?code=<authorization_code>
    https://<client_redirection_uri>?oauth_error=<error_code>
    Example
    https://myapp.shinysite.com/oauth20_cb?code=user_specific_auth_code
  • 44. OAuth for developers
    The Client POSTs the authorization code, client ID, redirection URI and client secret to the Provider out-of-band (server to server, not through the User)
    Syntax
    POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
    Host: <hostname>
    Content-Length: <length>
    Connection: Close
    client_secret=<client_secret>&client_id=<client_id>&grant_type=authorization_code&code=<auth_code>&callback_uri=<callback_uri>
    Example
    POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
    Host: social.example.com
    Content-Length: 161
    Connection: Close
    client_secret=my_secret_string&client_id=myapp1&grant_type=authorization_code&code=user_specific_auth_code&callback_uri=https://myapp.shinysite.com/oauth20_cb
  • 45. OAuth for developers
    The Provider responds with a JSON response containing the access token, refresh token and expiry info. It would be wise for the client to save the tokens…
    Example
    {
      "access_token": "d86o7UP0gj2c...GVzTPADsFv7",
      "token_type": "Bearer",
      "expires_in": 43200,
      "scope": "",
      "refresh_token": "EWcVt5uaaXC9Pc...pTTgvrLRrs56gR"
    }
    The response format is Provider specific, i.e. IBM Connections Cloud returns tokens in plain text format…
  • 46. OAuth for developers
    To make requests on behalf of the User the Client needs to set the access token in an Authorization header
    Example
    GET /connections/opensocial/oauth/rest/activitystreams/@me/@all/@all HTTP/1.0
    Host: social.example.com
    Authorization: Bearer d86o7UP0gj2c...GVzTPADsFv7
    Connection: Close
    If the Client uses an access token and receives a 401 back from the Provider it should attempt to refresh the access token.
  • 47. OAuth for developers
    You can refresh the tokens, i.e. if a call using the access token returns a 401 from the Provider, by using the refresh_token. If that also fails the user probably revoked your authorization.
    Syntax
    POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
    Host: <hostname>
    Content-Length: <length>
    Connection: Close
    client_secret=<client_secret>&client_id=<client_id>&grant_type=refresh_token&refresh_token=<refresh_token>
    Example
    POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
    Host: social.example.com
    Content-Length: 104
    Connection: Close
    client_secret=my_secret_string&client_id=myapp1&grant_type=refresh_token&refresh_token=my_refresh_token
  • 48. Demo
  • 49. Mikkel Flindt Heisterberg
    Twitter: @lekkim
    E-mail: mfh@intravision.dk
    http://lekkimworld.com
    http://slideshare.net/lekkim
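The flow of slides 22-30 and the developer steps of slides 40-47 (authorize URL, callback with code or oauth_error, out-of-band token POST, Bearer header, refresh on 401) as one runnable client. This is an added example, not code from the deck or from IBM Connections: the HTTP transport is injected so it runs offline against a constructed FakeProvider, the host, client ID, secret, codes and tokens are the slides' sample values, and the `state` parameter is an addition beyond the slides (the CSRF check RFC 6749 recommends for the callback).

```python
# Added example (not from the deck): an OAuth 2.0 authorization-code client for the
# Connections endpoints in the slides, run offline via a fake provider; 'state' is an added CSRF check.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PATH = "/oauth2/endpoint/connectionsProvider/token"

class OAuthClient:
    def __init__(self, host, client_id, client_secret, callback_uri, transport):
        self.host, self.client_id, self.client_secret = host, client_id, client_secret
        self.callback_uri, self.transport, self.tokens, self.state = callback_uri, transport, {}, None
    def authorize_url(self):            # slide 40: send the user here in a separate window
        self.state = secrets.token_urlsafe(16)
        return f"https://{self.host}/oauth2/endpoint/connectionsProvider/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "callback_uri": self.callback_uri, "state": self.state})
    def handle_callback(self, url):     # slide 43: user arrives with ?code=... or ?oauth_error=...
        qs = parse_qs(urlparse(url).query)
        if qs.get("state") != [self.state]:
            raise ValueError("state mismatch: callback not tied to our authorize request")
        if "oauth_error" in qs:
            raise ValueError("provider error: " + qs["oauth_error"][0])
        return self._token_request(grant_type="authorization_code",
                                   code=qs["code"][0], callback_uri=self.callback_uri)
    def _token_request(self, **params):  # slides 44/47: server-to-server POST with the secret
        body = urlencode({"client_secret": self.client_secret, "client_id": self.client_id, **params})
        status, resp = self.transport("POST", TOKEN_PATH, {}, body)
        if status != 200:               # if even a refresh fails the user probably revoked us
            raise PermissionError(f"token endpoint returned {status}: {resp}")
        self.tokens = json.loads(resp)  # slide 45: save access_token and refresh_token
        return self.tokens
    def get(self, path):                # slide 46: Bearer header; slide 47: 401 -> refresh once
        for attempt in range(2):
            hdrs = {"Authorization": "Bearer " + self.tokens["access_token"]}
            status, resp = self.transport("GET", path, hdrs, "")
            if status != 401 or attempt == 1:
                return status, resp
            self._token_request(grant_type="refresh_token", refresh_token=self.tokens["refresh_token"])

class FakeProvider:  # constructed stand-in for social.example.com; codes and tokens are made up
    def __init__(self):
        self.issued, self.valid = 0, set()   # valid: access tokens currently accepted
    def __call__(self, method, path, headers, body):
        if path != TOKEN_PATH:               # a resource call, e.g. the activity stream of slide 46
            return (200, '{"entry": []}') if headers.get("Authorization", "")[7:] in self.valid else (401, "")
        p = parse_qs(body)
        grant_ok = p.get("code") == ["user_specific_auth_code"] or p.get("refresh_token") == ["my_refresh_token"]
        if p.get("client_secret") != ["my_secret_string"] or not grant_ok:
            return 400, "invalid_grant"
        self.issued += 1
        self.valid = {f"tok{self.issued}"}   # the previous access token stops working
        return 200, json.dumps({"access_token": f"tok{self.issued}", "token_type": "Bearer",
                                "expires_in": 43200, "scope": "", "refresh_token": "my_refresh_token"})

def run_flow(expire_access_token):
    provider = FakeProvider()
    c = OAuthClient("social.example.com", "myapp1", "my_secret_string",
                    "https://myapp.shinysite.com/oauth20_cb", provider)
    c.authorize_url()                        # the user would be redirected here (slides 41-42)
    c.handle_callback(f"{c.callback_uri}?code=user_specific_auth_code&state={c.state}")
    if expire_access_token:
        provider.valid.clear()               # simulate the access token expiring at the provider
    status, _ = c.get("/connections/opensocial/oauth/rest/activitystreams/@me/@all/@all")
    return status, provider.issued, c.tokens["access_token"]
```

`run_flow(False)` succeeds on the first access token; `run_flow(True)` shows the 401, the refresh_token grant and the retry with the second token, which is the path slide 47 describes.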