ADUG 21-Oct 2013 Grahame Grieve
Transcript of ADUG 21-Oct 2013 Grahame Grieve
The OAuth Protocol
• Allows an application to log users in using the login details they hold with someone else (without ever seeing their password)
• Protocol is web based
  – Web sites
  – Mobile Applications
  – Desktop Applications
What are User Resources?
• User Information
  – Email Address
  – Real world Identifying Information (name, etc)
  – Google/Facebook friend list
• User specific services
  – Post to Facebook wall
  – Storage (e.g. Dropbox)
  – Health Care information
OAuth Parties
• User
  – User who wants to achieve something
• Service Provider
  – Can authenticate the user (password etc)
  – Has things the user owns
• Service Consumer
  – Needs to use User’s resources (e.g. for the user)
  – Trusted by the service provider and the user
Authorization vs Authentication
• Service Consumer doesn’t know who the user is
• Just knows that the Service Provider authorises the consumer to do things on behalf of an anonymous user
• Which may include identifying information… if the service provider has authenticated the user
OAuth Example
• Desktop Application
• Allows user to load/save application configuration to their Dropbox store
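The flow the slides describe, modelled end to end as an added example (not code from the talk, and not Dropbox's or any Delphi library's API): a desktop app saves its configuration to a provider-held store using the OAuth 2.0 authorization-code grant. The talk does not name an OAuth version; OAuth 2.0 is assumed, as are the provider URL, client id, loopback redirect, scopes, user name and secrets, all of which are invented. Python is used so that both parties' messages sit in one runnable file; the same exchange applies whatever language the desktop app is written in.

```python
# Constructed demo of the OAuth 2.0 authorization-code flow; every name, URL and secret is invented.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

class AuthError(Exception): "Raised by either party when a step of the exchange fails its checks."

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

@dataclass
class ServiceProvider:
    users: dict                                  # username -> password (demo only; real providers store a salted hash)
    clients: dict                                # client_id -> {"secret", "redirect_uri"}
    configs: dict = field(default_factory=dict)  # username -> saved config: the user-owned resource
    _codes: dict = field(default_factory=dict)   # code -> (username, client_id, scope, expiry)
    _tokens: dict = field(default_factory=dict)  # token -> (username, scope, expiry)

    def authorize(self, auth_url, username, password):
        """Front channel: the user logs in and consents here; only the provider sees the password."""
        q = _query(auth_url)
        client = self.clients.get(q.get("client_id"))
        if client is None or client["redirect_uri"] != q.get("redirect_uri"):
            raise AuthError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise AuthError("bad credentials")
        code = secrets.token_urlsafe(16)                  # one-time code handed back via the browser
        self._codes[code] = (username, q["client_id"], q["scope"], time.time() + 60)
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the consumer authenticates itself and swaps the code for a bearer token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise AuthError("client authentication failed")
        entry = self._codes.pop(code, None)               # pop: a code can be redeemed once only
        if (entry is None or entry[1] != client_id or entry[3] < time.time()
                or client["redirect_uri"] != redirect_uri):
            raise AuthError("invalid, expired or foreign code")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (entry[0], entry[2], time.time() + 3600)
        return {"access_token": tok, "token_type": "bearer", "expires_in": 3600}

    def _owner(self, token, scope):
        entry = self._tokens.get(token)                   # only the provider can map a token to a user
        if entry is None or entry[2] < time.time() or scope not in entry[1].split():
            raise AuthError("invalid token or insufficient scope")
        return entry[0]

    def put_config(self, token, blob): self.configs[self._owner(token, "config.write")] = blob
    def get_config(self, token): return self.configs.get(self._owner(token, "config.read"))

@dataclass
class DesktopApp:
    provider: ServiceProvider
    client_id: str
    client_secret: str
    redirect_uri: str = "http://127.0.0.1:8731/callback"  # assumed loopback listener
    _state: str = ""
    _token: str = ""                                      # all the app ever holds: a scoped token, never a password

    def authorization_url(self):
        self._state = secrets.token_urlsafe(16)           # binds the redirect to this request (CSRF guard)
        return "https://provider.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": "config.read config.write", "state": self._state})

    def handle_callback(self, redirect_url):
        q = _query(redirect_url)
        if not self._state or not hmac.compare_digest(q.get("state", ""), self._state):
            raise AuthError("state mismatch: redirect did not come from our own request")
        self._state = ""                                  # state is single use too
        self._token = self.provider.token(self.client_id, self.client_secret,
                                          q["code"], self.redirect_uri)["access_token"]

    def save_config(self, blob): self.provider.put_config(self._token, blob)
    def load_config(self): return self.provider.get_config(self._token)

def _rejected(action):
    try:
        action()
    except AuthError:
        return True
    return False

def run_flow():
    provider = ServiceProvider(users={"alice": "correct horse"}, clients={
        "cfg-app": {"secret": "app-secret", "redirect_uri": "http://127.0.0.1:8731/callback"}})
    app = DesktopApp(provider, "cfg-app", "app-secret")
    url = app.authorization_url()                                 # 1. app opens the browser here
    redirect = provider.authorize(url, "alice", "correct horse")  # 2. user logs in at the provider
    app.handle_callback(redirect)                                 # 3. browser hands the code back
    app.save_config('{"theme": "dark"}')                          # 4. app uses the token, never a password
    return {"loaded": app.load_config(),
            "code_reuse_rejected": _rejected(lambda: provider.token(
                "cfg-app", "app-secret", _query(redirect)["code"], app.redirect_uri)),
            "replayed_callback_rejected": _rejected(lambda: app.handle_callback(redirect))}
```

The consumer never sees the user's password and never learns the name "alice" at all: it holds only a bearer token that the provider maps back to the user, which is the authorization-rather-than-authentication point of the earlier slide. The provider redeems each code once and the app accepts each callback once, which is what the two probe results returned by `run_flow` show. A real provider also records consent, stores password hashes rather than passwords, and usually issues refresh tokens; none of that is modelled here.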
OAuth Pros & Cons
• Delegate User Authentication problems
• Well understood protocol
• Amazing services on offer
• Relatively Simple API
• Each implementation differs – it’s a technique
• Documentation confusing and byzantine
• Errors obtuse and misleading
• Not a full solution yet
http://www.healthintersections.com.au/?p=1554