Post on 13-Apr-2017
How OAuth was born
What problem OAuth solves
Evolution of OAuth to the current 2.0
OAuth 2.0 actors, client profiles, access tokens, abstract protocol and core authorization flows
It would be great if we could familiarize the team with the concepts of OAuth through an example client app development.
Tom, Twitter App Manager
A good suggestion! Most services like FB, Gmail, Twitter and Dropbox provide SDKs to develop clients. Let me walk through a simple Java OAuth client for accessing Dropbox.
Sam, App Dev
(1) Register the dbapp_nabeel app
(2) App Key, App Secret
(3) Provide Authorization URL
(4) Request Authorization code
(5) Authorization code
(6) Authorization code; request access token
(7) Access token
(8) Access Dropbox with the access token
Actors: Nabeel, Nabeel's Dropbox account
import java.util.Locale;
import com.dropbox.core.DbxAppInfo;
import com.dropbox.core.DbxAuthFinish;
import com.dropbox.core.DbxClient;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.DbxWebAuthNoRedirect;

// (2) App key and app secret issued when dbapp_nabeel was registered
DbxAppInfo dbxAppInfo = new DbxAppInfo(dropBoxAppKey, dropBoxAppSecret);
DbxRequestConfig dbxRequestConfig = new DbxRequestConfig(
        "JavaDropboxExample/1.0", Locale.getDefault().toString());

// (3) Build the authorization URL the user visits to approve the app
DbxWebAuthNoRedirect dbxWebAuthNoRedirect =
        new DbxWebAuthNoRedirect(dbxRequestConfig, dbxAppInfo);
String authorizeUrl = dbxWebAuthNoRedirect.start();

// (5)-(7) Exchange the authorization code the user brings back for an access token
DbxAuthFinish authFinish = dbxWebAuthNoRedirect.finish(dropboxAuthCode);
String authAccessToken = authFinish.accessToken;

// (8) Access Nabeel's Dropbox with the access token
DbxClient dbxClient = new DbxClient(dbxRequestConfig, authAccessToken);
dbxClient.getAccountInfo..
dbxClient.uploadFile..
dbxClient.createFolder..
dbxClient.getMetadataWithChildren...
dbxClient.getFile..
...
Authorization code: for apps with backend servers
Implicit grant: for browser-based client-side applications (no backend server)
Resource owner password based grant: only for very trusted applications (usually first-party applications only)
Client credentials: for application access (i.e. the client is an application)
Authorization Request
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

Access Token Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Access Token Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
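As an added example, not code from the slides or from Dropbox: the four messages above carried through in Python, with the client and a toy authorization server in one process, where run_flow covers steps (3) to (7) of the Dropbox diagram. The client id and secret are what the slide's Basic header decodes to; the in-memory code store, the single-use code bound to client_id and redirect_uri, and the state check on the callback are my assumptions about a minimal correct implementation.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "s6BhdRkqt3", "gX1fBat3bV"  # what the slide's Basic header decodes to
REDIRECT_URI = "https://client.example.com/cb"


class AuthServer:
    """Toy authorization server: codes are single-use and bound to client_id and redirect_uri."""
    def __init__(self):
        self.codes = {}

    def authorize(self, request_url):
        q = parse_qs(urlparse(request_url).query)
        if q.get("response_type") != ["code"] or q.get("client_id") != [CLIENT_ID]:
            return "HTTP/1.1 400 Bad Request"
        code = secrets.token_urlsafe(16)
        self.codes[code] = (CLIENT_ID, q["redirect_uri"][0])
        # state goes back unchanged so the client can tie this response to its own request
        params = urlencode({"code": code, "state": q["state"][0]})
        return f"HTTP/1.1 302 Found\nLocation: {q['redirect_uri'][0]}?{params}"

    def token(self, authorization_header, form_body):
        creds = base64.b64decode(authorization_header.split()[1]).decode()
        f = parse_qs(form_body)
        bound = self.codes.pop(f.get("code", [""])[0], None)  # pop: a replayed code finds nothing
        ok = secrets.compare_digest(creds, f"{CLIENT_ID}:{CLIENT_SECRET}") and f.get("grant_type") == ["authorization_code"]
        if not ok or bound != (CLIENT_ID, f.get("redirect_uri", [""])[0]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}


class Client:
    """Confidential client: fresh state per request, checked on return; Basic auth at /token."""
    def start(self):
        self.state = secrets.token_urlsafe(8)
        return "https://server.example.com/authorize?" + urlencode(
            {"response_type": "code", "client_id": CLIENT_ID, "state": self.state, "redirect_uri": REDIRECT_URI})

    def on_callback(self, redirect_response):
        q = parse_qs(urlparse(redirect_response.split("\nLocation: ", 1)[1]).query)
        if q.get("state") != [self.state]:
            raise ValueError("state mismatch: redirect not tied to a request this client started")
        return q["code"][0]

    def token_request(self, code):
        basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        return "Basic " + basic, urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})


def run_flow(server, client):
    return server.token(*client.token_request(client.on_callback(server.authorize(client.start()))))
```

Reusing a code, or returning a redirect whose state does not match the one the client generated, is rejected; both are the failure cases the redirection-based design has to handle.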
Deep dive into each authorization flow
Understanding required and optional fields
Understanding the redirection-based architecture
Handling errors and failures
Examples of the last three authorization flows
Implement the Authorization Code flow for the full server-side web application profile
OAuth 2.0 Authorization Framework (RFC 6749)
Getting Started with OAuth 2.0