OAuth 2.0

By: Manish Singh

Description: Introduction to OAuth 2, OAuth 2 overview

Transcript of Oauth 2.0

Page 1: Oauth 2.0

OAuth 2.0

By- Manish Singh

Page 2: Oauth 2.0

What is OAuth? Valet Key for the Web.

Authorization framework to grant restricted access to any third-party app.

No need for the user's password.

Requires user consent in most cases.

Allows different applications or servers to share user data.

Today systems and applications need to work in harmony with each other by sharing application-specific data and information.

Page 3: Oauth 2.0

Who All Use OAuth?

Facebook

Google

Twitter

Microsoft

Flickr

Yahoo!, and many more internet giants.

Page 4: Oauth 2.0

Scenarios of OAuth

Facebook became popular because of third-party apps and games. All of these require you to provide some kind of access to your profile.

Similar third-party apps are available for Twitter etc.

E.g.: you can publish your LinkedIn status simultaneously on Twitter as well.

Many sites provide the facility to log in with your Facebook, Google or Twitter account.

Page 5: Oauth 2.0

OAuth2 Terminologies

Resource Server or the Resource Provider is a web site or web services API where the User keeps his/her protected data.

Authorization Server is the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

User or the Resource Owner is a member of the Resource Provider, wanting to share certain resources with a third-party app.

Page 6: Oauth 2.0

Continued…

Client or Consumer Application is typically a web-based or mobile application that wants to access the User's Protected Resources.

Client Credentials are the consumer key and consumer secret used to authenticate the Client.

Tokens are the access tokens generated by the server at the client's request; using them, a client app can access a certain portion of the user's data.

Page 7: Oauth 2.0

High level flow of Oauth 2.0

The third-party app developer/client registers himself with the OAuth service provider (like Facebook etc.).

He can then add his apps there. He gets an app key/secret for each app he registers.

Whenever a user uses any app, it asks for the user's permission to grant access to some of his personal data.

If the user approves, then a token is issued to the client app for a limited time.

The client uses the token to access the resource.

Page 8: Oauth 2.0

Example of Twitter OAuth

Page 9: Oauth 2.0

OAuth2 Flows

Based on the app and the use case there are multiple flows in OAuth2. Some of the widely used ones are:

Authorization Code Grant is used if the app is server-side and needs user consent to access the user's data.

Implicit Grant flow is for client-side apps (HTML5 or JavaScript based) which need user consent.

Client Credentials Grant is used when only the app's client id and secret are needed and no user consent is required.

Page 10: Oauth 2.0

OAuth2 Request Params

Client id

Secret (used in auth code flow and client credentials flow)

Redirect URL

Scope (optional)

Response type / grant type

State
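The high-level flow from Page 7, the Authorization Code and Client Credentials grants from Page 9, and the request parameters listed above, worked through in one toy script. This is an added illustration written for this transcript, not code from the presentation or from any OAuth provider; the client id/secret, redirect URL and scope names are made up, and the three OAuth parties (authorization server, client, resource server) are simulated as functions in one process rather than as real HTTP endpoints. It goes slightly beyond the slides by showing the checks a careful implementation performs at each step: exact redirect URL match, one-time short-lived authorization code, client secret verification, a state value the client checks on return, and scope and expiry enforcement at the resource server.

```python
"""Toy OAuth 2.0 authorization server, client and resource server in one process.
Added illustration for the transcript; all identifiers and URLs are constructed."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str  # registered when the developer adds the app; must match exactly later


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, scope, expiry)
    tokens: dict = field(default_factory=dict)  # token -> (client_id, scope, expiry)

    def register_client(self, redirect_uri):
        """Step 1: developer registers the app and receives an app key/secret."""
        c = Client(secrets.token_urlsafe(8), secrets.token_urlsafe(24), redirect_uri)
        self.clients[c.client_id] = c
        return c

    def authorize(self, client_id, redirect_uri, scope, state, user_consents):
        """Authorization endpoint: the user is asked for consent; on approval a
        one-time code is issued and sent back together with the client's state."""
        c = self.clients.get(client_id)
        if c is None or c.redirect_uri != redirect_uri:  # exact match, not prefix
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_consents:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return {"code": code, "state": state}

    def token(self, grant_type, client_id, client_secret, code=None, redirect_uri=None, scope=None):
        """Token endpoint: authenticates the client, then honours the grant type."""
        c = self.clients.get(client_id)
        if c is None or not secrets.compare_digest(c.client_secret, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
            if (entry is None or entry[0] != client_id
                    or entry[1] != redirect_uri or entry[3] < time.time()):
                return {"error": "invalid_grant"}
            scope = entry[2]
        elif grant_type == "client_credentials":
            scope = scope or ""  # app acts for itself; no user consent involved
        else:
            return {"error": "unsupported_grant_type"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, scope, time.time() + 3600)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": scope}


def read_resource(auth, token, required_scope):
    """Resource server: accept the token only if it is known, unexpired and carries the scope."""
    entry = auth.tokens.get(token)
    if entry is None or entry[2] < time.time():
        return {"error": "invalid_token"}
    if required_scope not in entry[1].split():
        return {"error": "insufficient_scope"}
    return {"data": f"profile data released to client {entry[0]}"}


def run_auth_code_flow(auth, user_consents=True):
    """Server-side app: consent -> code -> token -> resource, plus a replayed code."""
    client = auth.register_client("https://app.example/callback")  # constructed URL
    state = secrets.token_urlsafe(8)  # client keeps this in the user's session
    resp = auth.authorize(client.client_id, client.redirect_uri, "read_profile", state, user_consents)
    if resp.get("state") != state:  # the reply must belong to this browser session
        raise RuntimeError("state mismatch")
    if "error" in resp:
        return resp
    tok = auth.token("authorization_code", client.client_id, client.client_secret,
                     code=resp["code"], redirect_uri=client.redirect_uri)
    replay = auth.token("authorization_code", client.client_id, client.client_secret,
                        code=resp["code"], redirect_uri=client.redirect_uri)
    return {"token": tok, "replay": replay,
            "profile": read_resource(auth, tok["access_token"], "read_profile"),
            "posts": read_resource(auth, tok["access_token"], "write_posts")}


def run_client_credentials_flow(auth):
    """Machine-to-machine app: only client id and secret, no user in the loop."""
    client = auth.register_client("https://batch.example/unused")  # constructed URL
    tok = auth.token("client_credentials", client.client_id, client.client_secret, scope="stats")
    bad = auth.token("client_credentials", client.client_id, "wrong-secret", scope="stats")
    return {"token": tok, "bad": bad}


if __name__ == "__main__":
    print(run_auth_code_flow(AuthServer()))
    print(run_client_credentials_flow(AuthServer()))
```

Running it shows the token being granted for read_profile only, the same code being rejected on a second exchange, a request for a scope the user never approved being refused by the resource server, and the client credentials grant failing when the secret is wrong.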

Page 11: Oauth 2.0

Auth Code Grant Flow

Page 12: Oauth 2.0

Implicit Grant Flow

Page 13: Oauth 2.0

Client Credentials Flow

Page 14: Oauth 2.0

OAuth 2.0 Advantages

Integration of third-party apps into any site. A win-win situation for the OAuth provider and app developers.

By using OAuth 2.0, access can be granted for a limited scope or duration.

No need for users to give their password on a third-party site.

Page 15: Oauth 2.0

OAuth 2.0 Drawbacks

Writing an authorization server is somewhat complex.

Interoperability issues: for example, Facebook OAuth can be used only for Facebook APIs.

Sometimes, unknowingly, a user can grant access to too much of his personal profile data, which can be misused.

Sometimes, due to bad implementation, there can be security issues in OAuth2.

Page 16: Oauth 2.0

Thank You

Presentation by: Manish Singh

Website: http://immanish4u.com

Email: [email protected]