Oauth Behind The Scenes


Transcript of Oauth Behind The Scenes

  • OAuth Behind the scenes

    Tran Duc Thang, Framgia Vietnam

  • Preface

    Tran Duc Thang

    2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project.

    2011 ~ 2013: Keio University.

    2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.

  • Preface

    Have you ever logged into a website using your Google or Facebook account?

    If yes, have you ever been afraid of losing your Google or Facebook account information?

    Have you ever thought about how the authentication works when you log in with a Google or Facebook account?

  • Contents

    1. What is OAuth?
    2. History
    3. OAuth in the world
    4. OAuth 2.0: How does it work?
    5. OAuth 2.0 Demo: Behind the


  • What is OAuth

    OAuth stands for Open Authorization.

    Authentication vs Authorization? OAuth is about authorization: it lets a user grant an application limited access to the user's resources without handing over the user's password. It is not, by itself, a protocol for proving who the user is.

    OAuth is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

  • History

    OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation.

    The OAuth discussion group was created in April 2007 so that the small group of implementers could write the draft proposal for an open protocol.

    OAuth 1.0 was published as RFC 5849 in April 2010.

    OAuth 2.0 was published as RFC 6749 in October 2012.

  • OAuth in the World

    OAuth 1.0 | OAuth 2.0

  • OAuth 2: How does it work ?

    Resource Owner: the end-user who owns the protected resources and grants access to them.

    Authorization Server: the server that authenticates the resource owner, obtains the owner's approval, and issues access tokens.

    Client: an application making protected resource requests on behalf of the resource owner.

    Resource Server: the server hosting the user's protected resources; it accepts requests that carry a valid access token.

    Instead of using the resource owner's credentials to access protected resources, the client obtains an access token.

    Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.

    The client uses the access token to access the protected resources hosted by the resource server.

  • OAuth 2: How does it work ?

    OAuth 2 is completely different from OAuth 1 and is not backwards compatible with the OAuth 1 spec.

    OAuth 2 itself has no encryption and no request signing: access tokens are bearer tokens, so whoever holds one can use it, and the protocol relies entirely on SSL/TLS to protect tokens and credentials in transit. The client also sends a random "state" value with the authorization request and checks that the same value comes back on the redirect; this ties the callback to the browser session that started the login and prevents CSRF.

    OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) for supporting different types of applications.

  • OAuth 2: How does it work ?

    OAuth 2 - Authorization Code Grant in detail

  • The Web Server Flow Demo (authorization code grant type) with Google OAuth 2.0 Playground

    Demo: Google OAuth 2.0

    Demo: Facebook OAuth 2.0

    OAuth 2 Demo

  • References

    RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)

    RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)

    OAuth Community Site (http://oauth.net/)

    OAuth on Wikipedia (http://en.wikipedia.org/wiki/OAuth)

    OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)

    OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)

  • Thank you for listening!