Oauth Behind The Scenes
Tran Duc Thang, Framgia Vietnam
2008 ~ 2011: Hanoi University of Science and Technology, K53, HEDSPI Project.
2011 ~ 2013: Keio University.
2013 ~ now: Working as a BrSE and web developer at Framgia Vietnam.
Have you ever logged into a website using your Google or Facebook account?
If yes, have you ever been afraid of losing your Google or Facebook account information?
Have you ever thought about how the authentication works when you log in using a Google or Facebook account?
Agenda
1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the
What is OAuth?
OAuth stands for Open Authorization.
Authentication vs. Authorization?
OAuth is an open protocol that allows secure authorization in a simple and standard method from web, mobile and desktop applications.
History
OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation.
The OAuth discussion group was created in April 2007 for the small group of implementers to write the draft proposal for an open protocol.
OAuth 1.0 was published as RFC 5849 in April 2010.
OAuth 2.0 was published as RFC 6749 in October 2012.
OAuth in the World: OAuth 1.0, OAuth 2.0
OAuth 2: How does it work? The four roles
Resource Owner: the end-user.
Authorization Server: where the authorization occurs and where access tokens are issued.
Client: an application making protected resource requests on behalf of the resource owner.
Resource Server: the server that hosts the user's protected resources.
Instead of using the resource owner's credentials to access protected resources, the client obtains an access token.
Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.
The client uses the access token to access the protected resources hosted by the resource server.
OAuth 2: How does it work? OAuth 2 is completely different from OAuth 1, and is not backwards compatible with the OAuth 1 spec.
OAuth 2 itself does not provide any encryption or request signing (unlike the signed requests of OAuth 1); it relies entirely on SSL/TLS for transport security. It also uses the state parameter to prevent CSRF attacks on the redirect back to the client.
OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) to support different types of applications.
OAuth 2: How does it work? OAuth 2 - Authorization Code Grant in detail
The Web Server Flow Demo (authorization code grant type) with Google OAuth 2.0 Playground
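The web server flow described above, written out as an added example (not code from the presentation or from Google's playground): an in-process toy authorization server stands in for Google, the endpoints, client id and secret are constructed placeholders, and the example shows the state check against CSRF, a denied authorization, and the single-use authorization code being exchanged for a bearer token.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
# Constructed placeholder endpoints and credentials for this demo; not a real provider.
AUTH_URL, REDIRECT_URI = "https://auth.example/authorize", "https://client.example/cb"
CLIENT_ID, CLIENT_SECRET = "demo-app", "demo-secret"
PENDING_STATES = set()  # client side: state values sent with browser sessions, not yet consumed
ISSUED_CODES = {}  # server side: code -> (client_id, redirect_uri, scope), one-time use

def authorization_url(scope):
    # Client, step A: redirect the resource owner to the authorization server with a fresh state.
    state = secrets.token_urlsafe(16)
    PENDING_STATES.add(state)
    return AUTH_URL + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                       "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

def handle_callback(url):
    # Client, step C: accept the code only if state matches one we issued (the CSRF check).
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("state") not in PENDING_STATES:
        raise ValueError("state mismatch: possible CSRF, code discarded")
    PENDING_STATES.discard(q["state"])  # each state value is single use
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    return q["code"]

def token_request(code):
    # Client, step D: back-channel exchange; the client authenticates with its own secret.
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def authorize(auth_url, approved=True):
    # Server, step B: the resource owner approves (or denies); redirect back with code and state.
    q = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    if not approved:
        return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (q["client_id"], q["redirect_uri"], q["scope"])
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def token(req):
    # Server, step E: the code is consumed on first use; replay, wrong client or bad secret fails.
    rec = ISSUED_CODES.pop(req.get("code"), None)
    if rec is None or rec[:2] != (req["client_id"], req["redirect_uri"]) \
            or req.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "scope": rec[2]}

def run_flow(scope="profile"):
    # Steps A to E end to end; returns the token response the client then presents as Bearer.
    return token(token_request(handle_callback(authorize(authorization_url(scope)))))
```

Against a real provider, steps B and E happen over TLS on the provider's side; the client-side checks (state match, single use, secret kept off the browser) are the parts this example is meant to make visible.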
Demo: Google OAuth 2.0
Demo: Facebook OAuth 2.0
OAuth 2 Demo
References
RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)
RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)
OAuth Community Site (http://oauth.net/)
OAuth Wikipedia (http://en.wikipedia.org/wiki/OAuth)
OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)
OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)
Thank you for listening!