OAuth 2.0

Simplified

Presented By Vanjikumaran

Image is in this Slides are taken from the internet and the base concept taken on [1]

[1] https://www.tbray.org/ongoing/When/201x/2013/05/24/Access-Token-Hotel-Key

On the way to Vacation!

And they found the HOTEL

HOTEL has RESOURCES

Security!!

Security!!!!!!!

Security!!!!!!!!!!!!!!!!!!!!!!!

Formal Request to HOTEL

VANJI’s Identity Card

HOTEL TOKEN

Finally Vanji got Access 2 * @ HOTEL

VANJI has access to RESOURCES

VANJI has access to room

Brid view Idea!

OAuth 2 Access Token

● An OAuth 2 access token is like a hotel-

room key card. It gives access, all by itself

without further checking, to a particular

resource!

● It’s issued to a particular person, who has to

be authenticated first (like by showing my

driver’s license at the check-in.)

OAuth 2 Access Token

● Nothing on the outside tells you who it’s

been issued to or what it’s for!

● It’s issued to a particular person, who has to

be authenticated first (like by showing my

driver’s license at the check-in.)

But!! 2 friends of him next to him!

TOM borrowed the HOTEL CARD

TOM has access to RESOURCES

TOM has access to VANJIs room

OAuth 2 Access Token

● It’s not encrypted, so you have to take care

of it (if a bad guy got it and knew what it was

for, he could get into my hotel room and rob

me blind.) Check.

● You can give it to someone else and have

them access the resource for you!

REVOKE HOTEL TOKEN!!!!!!!

OAuth 2 Access Token

● If you lose it, you can go back to the issuer

and get another one which is functionally

identical.

● It expires after a while.

READ MORE on OAuth 2.0

● http://oauth.net/2/

● http://tools.ietf.org/html/rfc6749