SlideShare una empresa de Scribd logo

Introduction to OAuth 2.0 - Part 1

N
Nabeel Yoosuf

This is the first presentation on the series "Introduction to OAuth 2.0". OAuth 2.0 solves the pressing security problem of avoiding password anti-pattern when allowing delegated authorization.

Tecnología
1 de 18
@nabeelxy 10/26/2014
Wouldn’t it be cool when I tweet, it automatically gets posted in my FB wall? Tweet Bob Twitter App Automatically post in Bob’s FB wall
How does the Twitter App writes in Bob’s FB wall? I mean how does it get write access to Bob’s FB wall? Tom, Twitter App Manager Jim, Twitter App Dev Let’s store Bob’s FB username and password in his Twitter App account. Then the app can login and post in his FB wall. The problem solved!
It works. But it is not a good idea to store username and password as it involves a lot of risks. Besides, Bob won’t like to give his username/password to our app considering the fact that it take a while for users to trust our app. Jill, App Dev I totally agree. This is actually called Password Anti-Pattern! At all cost, we should avoid it. Sam, App Dev
We get more access than we want with username/password as well. Users will not like it. Further, this is bad from the point of view of liability when things go wrong. Sam, App Dev Further, if users change their FB password, it breaks our app. If users want to stop cross posting in FB, they will always have to come to our app or change their FB password.
Alright, asking for username and password is not good for Bob as well as us. So, what can we do about it? Tom, Twitter App Manager Basically the problem is that we need a way for our users to give us write authorization to their FB walls?
Ali, App Dev I was thinking that this problem is strikingly similar to the valet parking situation. I want to get my new car valet parked but I am at the same time hesitant to give my car key to them. The car industry came with this idea of valet keys that has limited capabilities. For example, that valet key allows to drive a car only a short distance and most of the add-on functions in the car are disabled for that special key. So, now I can give my valet key (instead of the original key) to valet park without worrying too much about it.
So, this sounds like a valet key would map to a short-lived token just like those in Kerberos protocol, even though Kerberos is for authentication? Jim, Twitter App Dev Yes, indeed. There is in fact a token based delegated authorization mechanism called OAuth. Good news is that FB is actually supporting OAuth for such access. Sam, App Dev
OAuth sounds great. Sam, could you give us some details of it? Tom, Twitter App Manager Sam, App Dev Sure.
 Password Anti-Pattern  Give resource owner’s username and password to client in order to access the resource server on behalf of the resource owner  Dangers of using this pattern  Expanded access and risk (exposure of username/password to third-party client)  Limited reliability when passwords are changed  Revocation challenges  First Solutions  Google’s AuthSub  Yahoo’s BBAuth
 A delegated authorization protocol  Provides the ability for these applications to access a user’s data securely, without requiring the user to take the scary step of handing over an account password  Introduced in 2007  Increased developer experience and increased confidence in security due to a common protocol for handling API authorization
 Not backward compatible with OAuth 1.0  New flows  Signatures are replaced by HTTPS (bearer tokens)  Simplified signatures  Short-lived tokens  Separation of roles for authorization server and resource server
 Resource server  The server that hosts user owned resources protected by OAuth  An API provider such as Google, Facebook, etc.  Resource owner  An application user  Has the ability to grant access to their own data hosted on a resource server  Client  An application making API calls to perform certain action on protected resources on behalf of the resource owner with resource owner’s authorization  Authentication server  Often, it is same as the resource server
Tweet Bob Twitter App Automatically post in Bob’s FB wall CLIENT RESOURCE SERVER RESOURCE OWNER AUTHORIZATION SERVER
 Server-side web application  Client side web application running in the web browser  Native application
 Authorization code  For apps with backend servers  Implicit grant for browser based client side applications (no backend server)  Resource owner password based grants  Only for very trusted applications (usually for first-party applications only)  Client credentials  For application access (i.e. client is an application)
 Authorization flow sequence diagrams  Implementing authorization code flow  OAuth for mobile applications
 Getting Started with OAuth 2.0

Recomendados

Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Nabeel Yoosuf
 
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)Nathan Yergler
 
External Data Access with jQuery
External Data Access with jQueryExternal Data Access with jQuery
External Data Access with jQueryDoncho Minkov
 
Bot Framework with Xamarin Forms
Bot Framework with Xamarin FormsBot Framework with Xamarin Forms
Bot Framework with Xamarin FormsCheah Eng Soon
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaEdureka!
 
DirectLineAPI - Xamarin.Forms App and Bot Framework Integration
DirectLineAPI - Xamarin.Forms App and Bot Framework IntegrationDirectLineAPI - Xamarin.Forms App and Bot Framework Integration
DirectLineAPI - Xamarin.Forms App and Bot Framework IntegrationBryan Anthony Garcia
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 

Recomendados

Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Nabeel Yoosuf
 
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)Nathan Yergler
 
External Data Access with jQuery
External Data Access with jQueryExternal Data Access with jQuery
External Data Access with jQueryDoncho Minkov
 
Bot Framework with Xamarin Forms
Bot Framework with Xamarin FormsBot Framework with Xamarin Forms
Bot Framework with Xamarin FormsCheah Eng Soon
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaEdureka!
 
DirectLineAPI - Xamarin.Forms App and Bot Framework Integration
DirectLineAPI - Xamarin.Forms App and Bot Framework IntegrationDirectLineAPI - Xamarin.Forms App and Bot Framework Integration
DirectLineAPI - Xamarin.Forms App and Bot Framework IntegrationBryan Anthony Garcia
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthMikkel Flindt Heisterberg
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
Integrating External APIs with WordPress
Integrating External APIs with WordPressIntegrating External APIs with WordPress
Integrating External APIs with WordPressMarty Thornley
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIsrandyhoyt
 
Day03 api
Day03 apiDay03 api
Day03 apiABDEL RAHMAN KARIM
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Being A Salesforce Jedi
Being A Salesforce JediBeing A Salesforce Jedi
Being A Salesforce JediBohdan Dovhań
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...Mikkel Flindt Heisterberg
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Nom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIsNom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIsTessa Mero
 
A 4 line login - line platform
A 4 line login - line platformA 4 line login - line platform
A 4 line login - line platformLINE Corporation
 
Consuming & embedding external content in WordPress
Consuming & embedding external content in WordPressConsuming & embedding external content in WordPress
Consuming & embedding external content in WordPressAkshay Raje
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introductionh_marvin
 

Más contenido relacionado

La actualidad más candente

OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
Integrating External APIs with WordPress
Integrating External APIs with WordPressIntegrating External APIs with WordPress
Integrating External APIs with WordPressMarty Thornley
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIsrandyhoyt
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Being A Salesforce Jedi
Being A Salesforce JediBeing A Salesforce Jedi
Being A Salesforce JediBohdan Dovhań
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...Mikkel Flindt Heisterberg
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Nom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIsNom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIsTessa Mero
 
A 4 line login - line platform
A 4 line login - line platformA 4 line login - line platform
A 4 line login - line platformLINE Corporation
 
Consuming & embedding external content in WordPress
Consuming & embedding external content in WordPressConsuming & embedding external content in WordPress
Consuming & embedding external content in WordPressAkshay Raje
 

La actualidad más candente (20)

OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Integrating External APIs with WordPress
Integrating External APIs with WordPressIntegrating External APIs with WordPress
Integrating External APIs with WordPress
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
 
Day03 api
Day03 apiDay03 api
Day03 api
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Being A Salesforce Jedi
Being A Salesforce JediBeing A Salesforce Jedi
Being A Salesforce Jedi
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...Social Connections VI Prague - An introduction to ibm connections as an appde...
Social Connections VI Prague - An introduction to ibm connections as an appde...
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Nom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIsNom Nom: Consuming REST APIs
Nom Nom: Consuming REST APIs
 
A 4 line login - line platform
A 4 line login - line platformA 4 line login - line platform
A 4 line login - line platform
 
Consuming & embedding external content in WordPress
Consuming & embedding external content in WordPressConsuming & embedding external content in WordPress
Consuming & embedding external content in WordPress
 

Destacado

Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introductionh_marvin
 
Monage.io identity presentation 3.22.17 v3
Monage.io identity presentation 3.22.17 v3Monage.io identity presentation 3.22.17 v3
Monage.io identity presentation 3.22.17 v3Michael Queralt
 
Securing the modern data centre
Securing the modern data centreSecuring the modern data centre
Securing the modern data centreInfront
 
Securing IaaS Applications
Securing IaaS ApplicationsSecuring IaaS Applications
Securing IaaS ApplicationsBitglass
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
Deep Dive DMG (september update)
Deep Dive DMG (september update)Deep Dive DMG (september update)
Deep Dive DMG (september update)Jean-Pierre Riehl
 
Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0Hannes Tschofenig
 
'Embedding' a meta state machine
'Embedding' a meta state machine'Embedding' a meta state machine
'Embedding' a meta state machineemBO_Conference
 
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseThe Future is Now: The ForgeRock Identity Platform, Early 2017 Release
The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseForgeRock
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...Morgan Simonsen
 
Java secure development part 1
Java secure development part 1Java secure development part 1
Java secure development part 1Rafel Ivgi
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 

Destacado (20)

Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
 
OAuth
OAuthOAuth
OAuth
 
Monage.io identity presentation 3.22.17 v3
Monage.io identity presentation 3.22.17 v3Monage.io identity presentation 3.22.17 v3
Monage.io identity presentation 3.22.17 v3
 
Securing the modern data centre
Securing the modern data centreSecuring the modern data centre
Securing the modern data centre
 
Securing IaaS Applications
Securing IaaS ApplicationsSecuring IaaS Applications
Securing IaaS Applications
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
Deep Dive DMG (september update)
Deep Dive DMG (september update)Deep Dive DMG (september update)
Deep Dive DMG (september update)
 
Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0Authorization for Internet of Things using OAuth 2.0
Authorization for Internet of Things using OAuth 2.0
 
'Embedding' a meta state machine
'Embedding' a meta state machine'Embedding' a meta state machine
'Embedding' a meta state machine
 
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
The Future is Now: The ForgeRock Identity Platform, Early 2017 ReleaseThe Future is Now: The ForgeRock Identity Platform, Early 2017 Release
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
NFV SDN for carriers
NFV SDN for carriersNFV SDN for carriers
NFV SDN for carriers
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
 
Java secure development part 1
Java secure development part 1Java secure development part 1
Java secure development part 1
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to Tokenization
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 

Similar a Introduction to OAuth 2.0 - Part 1

Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
Alexa vs Google Assistant - Comparison
Alexa vs Google Assistant - ComparisonAlexa vs Google Assistant - Comparison
Alexa vs Google Assistant - ComparisonTarun Chawdhury
 
Introduction to OAuth2
Introduction to OAuth2 Introduction to OAuth2
Introduction to OAuth2 Sean Whitesell
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedGaurav Behere
 
Mobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdfMobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdfAppdeveloper10
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App DevelopmentJoonas Westlin
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...Amazon Web Services
 
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...Mandi Wise
 
What are restful web services?
What are restful web services?What are restful web services?
What are restful web services?Aparna Sharma
 
Biwug1903 yammer-development
Biwug1903 yammer-developmentBiwug1903 yammer-development
Biwug1903 yammer-developmentBIWUG
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 
Architecture of RIA from JAOO
Architecture of RIA from JAOOArchitecture of RIA from JAOO
Architecture of RIA from JAOOJosh Holmes
 

Similar a Introduction to OAuth 2.0 - Part 1 (20)

Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
Omniauth
OmniauthOmniauth
Omniauth
 
Omniauth
OmniauthOmniauth
Omniauth
 
Alexa vs Google Assistant - Comparison
Alexa vs Google Assistant - ComparisonAlexa vs Google Assistant - Comparison
Alexa vs Google Assistant - Comparison
 
Facebook + Ruby
Facebook + RubyFacebook + Ruby
Facebook + Ruby
 
Introduction to OAuth2
Introduction to OAuth2 Introduction to OAuth2
Introduction to OAuth2
 
Facebook Coin
Facebook CoinFacebook Coin
Facebook Coin
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting Started
 
Mobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdfMobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdf
 
Mobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdfMobile API Test With Web Proxy.pdf
Mobile API Test With Web Proxy.pdf
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure API
 
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
 
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...
App-ifiying WordPress: Practical Tips for Using WordPress as an Application P...
 
What are restful web services?
What are restful web services?What are restful web services?
What are restful web services?
 
Biwug1903 yammer-development
Biwug1903 yammer-developmentBiwug1903 yammer-development
Biwug1903 yammer-development
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
 
Architecture of RIA from JAOO
Architecture of RIA from JAOOArchitecture of RIA from JAOO
Architecture of RIA from JAOO
 

Más de Nabeel Yoosuf

Building RESTful Applications
Building RESTful ApplicationsBuilding RESTful Applications
Building RESTful ApplicationsNabeel Yoosuf
 
Privacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsPrivacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsNabeel Yoosuf
 
Efficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsEfficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsNabeel Yoosuf
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and PracticeNabeel Yoosuf
 
Efficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDEfficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDNabeel Yoosuf
 
Pub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyPub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyNabeel Yoosuf
 
A Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsA Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsNabeel Yoosuf
 

Más de Nabeel Yoosuf (8)

Building RESTful Applications
Building RESTful ApplicationsBuilding RESTful Applications
Building RESTful Applications
 
API Façade Pattern
API Façade PatternAPI Façade Pattern
API Façade Pattern
 
Privacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management SystemsPrivacy Preserving Access Control for Third Party Data Management Systems
Privacy Preserving Access Control for Third Party Data Management Systems
 
Efficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systemsEfficient privacy preserving publish subscribe systems
Efficient privacy preserving publish subscribe systems
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and Practice
 
Efficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDDEfficient Filtering in Pub-Sub Systems using BDD
Efficient Filtering in Pub-Sub Systems using BDD
 
Pub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/PrivacyPub-Sub Systems and Confidentiality/Privacy
Pub-Sub Systems and Confidentiality/Privacy
 
A Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML DocumentsA Structure Preserving Approach for Securing XML Documents
A Structure Preserving Approach for Securing XML Documents
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Introduction to OAuth 2.0 - Part 1

  • 2. Wouldn’t it be cool when I tweet, it automatically gets posted in my FB wall? Tweet Bob Twitter App Automatically post in Bob’s FB wall
  • 3. How does the Twitter App writes in Bob’s FB wall? I mean how does it get write access to Bob’s FB wall? Tom, Twitter App Manager Jim, Twitter App Dev Let’s store Bob’s FB username and password in his Twitter App account. Then the app can login and post in his FB wall. The problem solved!
  • 4. It works. But it is not a good idea to store username and password as it involves a lot of risks. Besides, Bob won’t like to give his username/password to our app considering the fact that it take a while for users to trust our app. Jill, App Dev I totally agree. This is actually called Password Anti-Pattern! At all cost, we should avoid it. Sam, App Dev
  • 5. We get more access than we want with username/password as well. Users will not like it. Further, this is bad from the point of view of liability when things go wrong. Sam, App Dev Further, if users change their FB password, it breaks our app. If users want to stop cross posting in FB, they will always have to come to our app or change their FB password.
  • 6. Alright, asking for username and password is not good for Bob as well as us. So, what can we do about it? Tom, Twitter App Manager Basically the problem is that we need a way for our users to give us write authorization to their FB walls?
  • 7. Ali, App Dev I was thinking that this problem is strikingly similar to the valet parking situation. I want to get my new car valet parked but I am at the same time hesitant to give my car key to them. The car industry came with this idea of valet keys that has limited capabilities. For example, that valet key allows to drive a car only a short distance and most of the add-on functions in the car are disabled for that special key. So, now I can give my valet key (instead of the original key) to valet park without worrying too much about it.
  • 8. So, this sounds like a valet key would map to a short-lived token just like those in Kerberos protocol, even though Kerberos is for authentication? Jim, Twitter App Dev Yes, indeed. There is in fact a token based delegated authorization mechanism called OAuth. Good news is that FB is actually supporting OAuth for such access. Sam, App Dev
  • 9. OAuth sounds great. Sam, could you give us some details of it? Tom, Twitter App Manager Sam, App Dev Sure.
  • 10.  Password Anti-Pattern  Give resource owner’s username and password to client in order to access the resource server on behalf of the resource owner  Dangers of using this pattern  Expanded access and risk (exposure of username/password to third-party client)  Limited reliability when passwords are changed  Revocation challenges  First Solutions  Google’s AuthSub  Yahoo’s BBAuth
  • 11.  A delegated authorization protocol  Provides the ability for these applications to access a user’s data securely, without requiring the user to take the scary step of handing over an account password  Introduced in 2007  Increased developer experience and increased confidence in security due to a common protocol for handling API authorization
  • 12.  Not backward compatible with OAuth 1.0  New flows  Signatures are replaced by HTTPS (bearer tokens)  Simplified signatures  Short-lived tokens  Separation of roles for authorization server and resource server
  • 13.  Resource server  The server that hosts user owned resources protected by OAuth  An API provider such as Google, Facebook, etc.  Resource owner  An application user  Has the ability to grant access to their own data hosted on a resource server  Client  An application making API calls to perform certain action on protected resources on behalf of the resource owner with resource owner’s authorization  Authentication server  Often, it is same as the resource server
  • 14. Tweet Bob Twitter App Automatically post in Bob’s FB wall CLIENT RESOURCE SERVER RESOURCE OWNER AUTHORIZATION SERVER
  • 15.  Server-side web application  Client side web application running in the web browser  Native application
  • 16.  Authorization code  For apps with backend servers  Implicit grant for browser based client side applications (no backend server)  Resource owner password based grants  Only for very trusted applications (usually for first-party applications only)  Client credentials  For application access (i.e. client is an application)
  • 17.  Authorization flow sequence diagrams  Implementing authorization code flow  OAuth for mobile applications
  • 18.  Getting Started with OAuth 2.0

Notas del editor

  1. http://hueniverse.com/2010/05/15/introducing-oauth-2-0/ When OAuth 1.0 was developed in 2007, it was decided that cryptographic signatures were necessary to support the security of APIs. At the time, many top API providers hosted their APIs at vanilla HTTP endpoints, without SSL/TLS protection. Over the years, SSL/TLS became a more common way of protecting APIs and the need for signatures decreased in the eyes of some members of the security community. In Oauth 2.0 - transition: Signature  HTTPS Combining the perception of low API adoption due to the complexity of cryptography in OAuth 1.0 and the greater prevalence of SSL/TLS support for APIs led to the development of the OAuth Web Resource Authorization Profiles (WRAP) specification. OAuth WRAP is the predecessor to OAuth 2.0—it eliminated the complex signature requirements and introduced the use of bearer tokens.