OAuth you said

Post on 08-Sep-2014


OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials but it became a big mess.

Transcript of OAuth you said

OAuth.io

OAUTH YOU SAID?

Why OAuth? Provide a standard way to access protected resources, without sharing passwords.


AMAZING! BUT HOW?


Tokens!

The middle-man between the service and the OAuth provider.

Never share your Facebook credentials with a service.

Today, almost any app needing access or permissions relies on OAuth.

Before? Basic Auth.

Users had to provide their Facebook credentials to third party services.

Not secure. Intrusive. Inconvenient.

Started as a Protocol

OAuth was first designed to be interoperable and super easy to implement for developers.

Ended up as a Framework

OAuth 2.0 has been reclassified as a framework, which means no interoperability and no backward compatibility :/

So yes, OAuth is broken

30+ different implementations.

Two separate flows for token retrieval.

Resources' names and parameters differ from one provider to another.

A nightmare for developers: lots of potential traps. No hope for a good learning curve…

Many versions in 5 years

OAuth 1.0 = October 2007
OAuth 1.0a = June 2009
OAuth 2.0 first draft = early 2010
OAuth 2.0 final = late 2011

OAuth 1.0a was limited

Complex signature scheme.

Almost no control over token expiry.

No permission management.

OAuth 2.0 compromise

More flexible but less interoperable.

SSL rather than signatures.

Easier to implement.

No backward compatibility.

4 quick definitions

Resource Owner: the user who wants to share a resource, e.g. the owner of the Facebook photos.

Client: the application that wants to leverage a resource hosted by a third party, e.g. the photo printing website.

Authorization Server: the entity that decides to grant access to the client (application), e.g. Facebook's authorization server.

Resource Server: the place where the third-party resource is hosted, e.g. Facebook's server where the photos to print are.

The Flow
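As an added example (not part of the OAuth.io deck), the authorization code flow between the four roles defined above, modelled in-process: the client "printer", its secret, its redirect URI and alice's photos are all constructed values. It shows that the resource server only ever sees a token, never the owner's Facebook password, and which checks the authorization server performs before issuing a code or a token.

```python
import secrets

class AuthorizationServer:
    """Grants access on the owner's behalf; issues one-time codes and tokens."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client = (client_id, client_secret, redirect_uri)  # one registered client (constructed)
        self.codes = {}    # authorization code -> (owner, scope)
        self.tokens = {}   # access token -> (owner, scope)

    def authorize(self, client_id, redirect_uri, scope, owner, consents):
        # The redirect URI must equal the registered one, or the code could be
        # delivered to a location the client never registered.
        if (client_id, redirect_uri) != (self.client[0], self.client[2]):
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consents:
            raise PermissionError("resource owner denied access")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (owner, scope)
        return code

    def exchange(self, client_id, client_secret, code):
        # The client authenticates with its own secret; the code is single-use.
        if client_id != self.client[0] or not secrets.compare_digest(client_secret, self.client[1]):
            raise PermissionError("bad client credentials")
        if code not in self.codes:
            raise PermissionError("unknown or already used code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = self.codes.pop(code)
        return token

class ResourceServer:
    """Hosts the photos; accepts access tokens, never the owner's password."""
    def __init__(self, auth_server, photos):
        self.auth, self.photos = auth_server, photos

    def get_photos(self, token):
        owner, scope = self.auth.tokens.get(token, (None, None))
        if scope != "photos:read":
            raise PermissionError("invalid token or insufficient scope")
        return self.photos[owner]

def run_flow(consents=True):
    """Client 'printer' (constructed) obtains alice's photos with a token only."""
    auth = AuthorizationServer("printer", "printer-secret", "https://printer.example/cb")
    photos = ResourceServer(auth, {"alice": ["beach.jpg", "dog.jpg"]})
    code = auth.authorize("printer", "https://printer.example/cb",
                          "photos:read", "alice", consents)
    token = auth.exchange("printer", "printer-secret", code)
    return photos.get_photos(token)
```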

Further reading

OAuth 2.0 Specs: https://tools.ietf.org/html/rfc6749

OAuth 1.0 Specs: http://tools.ietf.org/html/rfc5849

"Fuck OAuth" talk by Eran Hammer: http://vimeo.com/52882780

Read our full OAuth Tutorial

Credits

The Big Lebowski

Walker Texas Ranger aka Chuck (the 1st) Norris

Jackie Brown

2001: A Space Odyssey

R2D2: Star Wars (Dagobah)

C3PO: Star Wars (Tatooine)

Las Vegas Parano

Terminator

Forrest Gump

Austin Powers

Judge Dredd

With OAuth.io, integrate any of our 100+ OAuth providers in minutes, the SAME WAY.

TAKE A LOOK

OAuth Popup with Facebook