OAuth 1.0

An OAuth 1.0 presentation I gave to an Italian TLC Telco, before the OAuth consortium joined IETF. Also shows some differences and combinations with OpenID.

Transcript of OAuth 1.0

Page 1: OAuth 1.0

OAuth

Simone Tripodi - Asemantics S.r.l.

Page 2: OAuth 1.0

What’s OAuth?

• An Open Protocol to allow secure API authorization in a simple and standard method for mobile, desktop and web applications;

• a protocol for developing passwordless APIs;

• a way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.

Page 3: OAuth 1.0

Hypothetical Scenarios

[Diagram: two scenarios, each showing an End User, a Consumer and a Service Provider]

• “Import pictures from Picasa into Virgilio Photo Album”

• “Allow Dailymotion to read Virgilio’s User data”

Page 4: OAuth 1.0

Authorization flow

Page 5: OAuth 1.0

B2B shared information

• Consumer Key: a value used by the Consumer to identify itself to the Service Provider;

• Consumer Secret: a secret used by the Consumer to establish ownership of the Consumer Key;

• The Consumer establishes a Consumer Key and a Consumer Secret with the Service Provider to be authenticated; the Consumer needs to be registered!
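
Added example, not part of the original slides: how a Consumer proves ownership of its Consumer Key with the OAuth 1.0 HMAC-SHA1 signature method, and how the Service Provider checks it against the secret it holds for that key. The key, secret, URL and nonce are constructed sample values, and the case shown is the request-token step, where no token secret exists yet and the URL has no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def base_string(method, url, params):
    # Sort the encoded pairs (signature itself excluded), then encode each part.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from the secrets, which never travel with the request.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def provider_verify(method, url, params, registered):
    # Service Provider side: look up the secret registered for the Consumer Key,
    # recompute the signature and compare in constant time.
    secret = registered.get(params.get("oauth_consumer_key", ""))
    if secret is None:
        return False  # unregistered Consumer
    expected = sign(method, url, params, secret)
    presented = params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample values (hypothetical Consumer and Service Provider).
REGISTERED = {"photo-album-consumer": "s3cr3t-registered-out-of-band"}
URL = "https://provider.example/oauth/request_token"
REQUEST = {
    "oauth_consumer_key": "photo-album-consumer",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1200000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
}
REQUEST["oauth_signature"] = sign("POST", URL, REQUEST, REGISTERED["photo-album-consumer"])
```

A Service Provider would additionally reject reused nonces and stale timestamps; that replay check is left out here.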

Page 6: OAuth 1.0

OpenID & OAuth

• OpenID: helps determine who you are - AUTHENTICATION;

• OAuth: defines how to give access to protected data - AUTHORIZATION;

• They are complementary; a site that supports OAuth could also support OpenID for authentication!!!

Page 7: OAuth 1.0

OpenID & OAuth: Example integration

Page 8: OAuth 1.0

OAuth is Production Ready!!!

• Google

• Yahoo!

• MySpace

• Digg

• Twitter

• Magnolia

• Plaxo

• ... and much more!

Page 9: OAuth 1.0

OAuth community

• Led by Brian Cook & Chris Messina;

• Active Google-group: http://groups.google.com/group/oauth/

• Blog: http://blog.oauth.net/

• Many available implementations from OS communities: Java - C# - JavaScript - Perl - PHP ...

Page 10: OAuth 1.0

Where are we?

here