
OAuth

a bit of 1.0 and 2.0

Aleksandrs Cudars

April 07, 2013
Transcript

  1. (no text on slide)

  2. What is OAuth?
    Short answer: OAuth is an authentication protocol that allows users to approve an application to act on their behalf without sharing their password.

  3. (no text on slide)

  4. What is OAuth?
    Long answer: OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.
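The redirect-based flow this slide describes, as an added example that is not part of the deck: the third-party client sends the user-agent to the authorization server, the resource owner approves, the server redirects back with a single-use code, and the client redeems that code for a token over a back channel, authenticating with its own secret. What is delegated is authorization to act on the user's behalf; the client never sees the password. Both sides are simulated in-process so the script runs offline; the endpoint URLs, client id and secret, scope string and class names are all assumptions. The `state` check and the `redirect_uri` check are the two defensive details most often missed in real deployments: the first ties the callback to the session that started it, the second stops codes being redirected to an unregistered address.

```python
# Added example (not from the deck): OAuth 2.0 authorization-code flow with
# both the client and the authorization server simulated in-process.
# Endpoint URLs, client id/secret and class names are made up for the demo.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://auth.example/authorize"   # assumed URLs
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID, CLIENT_SECRET = "app123", "s3cret"       # constructed credentials


def extract_query(url: str) -> dict:
    """Flatten the query string of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Holds registered clients, the codes it has issued and the tokens it minted."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access_token -> (client_id, scope)

    def authorize(self, query: dict, user_approved: bool) -> str:
        """Step 2: the user-agent arrives here via the client's redirect.
        Returns the URL the user-agent is sent back to (with a code or an error)."""
        client = self.clients.get(query.get("client_id"))
        # Unknown client or unregistered redirect_uri: stop here, never redirect.
        if client is None or client["redirect_uri"] != query.get("redirect_uri"):
            raise ValueError("invalid client_id or redirect_uri")
        if not user_approved:
            return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": query["state"]})
        code = secrets.token_urlsafe(16)              # short-lived and single-use
        self.codes[code] = (query["client_id"], query["redirect_uri"], query["scope"])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        """Step 4: back-channel code-for-token exchange. The client authenticates
        with its secret and the code is consumed on first use."""
        client = self.clients.get(form.get("client_id"))
        if client is None or client["secret"] != form.get("client_secret"):
            raise PermissionError("invalid_client")
        issued = self.codes.pop(form.get("code"), None)   # pop: a reused code fails
        if issued is None or issued[0] != form["client_id"] or issued[1] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (form["client_id"], issued[2])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": issued[2]}


class Client:
    """The third-party application; it never sees the user's password."""

    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.pending_state = None

    def start(self, scope: str) -> str:
        """Step 1: build the redirect that sends the user-agent to the server."""
        self.pending_state = secrets.token_urlsafe(16)   # binds the callback to this session
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": self.pending_state})

    def callback(self, redirect_url: str) -> dict:
        """Step 3: the user-agent returns; check state, then redeem the code."""
        params = extract_query(redirect_url)
        if self.pending_state is None or params.get("state") != self.pending_state:
            raise PermissionError("state mismatch: callback not tied to a pending request")
        self.pending_state = None
        if "error" in params:
            raise PermissionError(params["error"])
        return self.server.token({"grant_type": "authorization_code", "code": params["code"],
                                  "redirect_uri": REDIRECT_URI,
                                  "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


def run_flow(user_approved: bool = True) -> dict:
    """Drive one complete flow and return the token response."""
    server = AuthorizationServer()
    client = Client(server)
    auth_url = client.start("feed:read")                                       # 1. client -> user-agent
    back_to_client = server.authorize(extract_query(auth_url), user_approved)  # 2. server -> user-agent
    return client.callback(back_to_client)                                     # 3 + 4. client redeems code


if __name__ == "__main__":
    print(run_flow())
```

Running the script prints one token response. Denying consent makes `run_flow(user_approved=False)` raise `access_denied`, presenting the same code twice fails with `invalid_grant`, and a callback that arrives with no pending `state` is rejected before any code is redeemed.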

  5. When the API team tries to explain why they chose OAuth 1.0

  6. OAuth is a service that is complementary to, and therefore distinct from, OpenID. OAuth is also distinct from OATH, which is a reference architecture for authentication (i.e. not a standard).

  7. When I discover in the API documentation that I need to use OAuth 1.0

  8. OAuth 2.0
    OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0.

  9. When I implement OAuth 2.0 for my API

  10. OAuth 2.0
    OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

  11. OAuth 2.0
    The specification and associated RFCs are being developed within the IETF OAuth WG; the main framework was published in October 2012.

  12. OAuth 2.0
    OAuth 2.0 doesn't support signatures, encryption, channel binding, or client verification. It relies completely on SSL for some degree of confidentiality and server authentication.
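To make this slide's point concrete, here is an added example (not from the deck) that contrasts an OAuth 1.0 request signed with HMAC-SHA1 as RFC 5849 specifies it with an OAuth 2.0 bearer-token check. Keys, secrets, tokens, the URL, the query parameter and the fixed clock are all constructed values. With a signature, the resource server can reject a repeated nonce, an altered parameter or a stale timestamp on its own; with a bearer token the only possible check is whether the token is valid, so whatever exposes the token exposes the access, which is why the slide says 2.0 relies completely on SSL (today, TLS). The nonce store here is an in-memory set, fine for a demo but not for a multi-instance deployment.

```python
# Added example (not from the deck): OAuth 1.0 HMAC-SHA1 request signing
# (RFC 5849 section 3.4) beside an OAuth 2.0 bearer-token check.
# All keys, secrets, tokens, URLs and parameter values are constructed.
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(s: str) -> str:
    """RFC 5849 3.6: keep only unreserved characters, encode the rest as %XX."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & encode(base URL) & encode(normalized params)."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """RFC 5849 3.4.2: key is encode(consumer secret) & encode(token secret)."""
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_oauth1_request(method, url, query, creds, nonce, timestamp) -> dict:
    """Client side: return the oauth_* protocol parameters, signature included."""
    oauth = {"oauth_consumer_key": creds["consumer_key"], "oauth_token": creds["token"],
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, creds["consumer_secret"], creds["token_secret"])
    return oauth


class OAuth1ResourceServer:
    """Server side: recompute the signature and refuse stale or repeated nonces."""

    def __init__(self, creds, window_seconds=300):
        self.creds, self.window, self.seen = creds, window_seconds, set()

    def verify(self, method, url, query, oauth, now) -> bool:
        if abs(now - int(oauth["oauth_timestamp"])) > self.window:
            return False                                  # outside the accepted clock skew
        if (oauth["oauth_nonce"], oauth["oauth_timestamp"]) in self.seen:
            return False                                  # this exact request was seen before
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(signature_base_string(method, url, {**query, **unsigned}),
                                       self.creds["consumer_secret"], self.creds["token_secret"])
        if not hmac.compare_digest(expected, oauth["oauth_signature"]):
            return False                                  # method, URL or a parameter differs
        self.seen.add((oauth["oauth_nonce"], oauth["oauth_timestamp"]))
        return True


class OAuth2ResourceServer:
    """Server side for a bearer token: the only check possible is 'is this token valid'."""

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)

    def verify(self, authorization_header: str) -> bool:
        scheme, _, token = authorization_header.partition(" ")
        return scheme == "Bearer" and token in self.valid_tokens


def demo() -> dict:
    """Same request under both protocols; returns which checks accept it."""
    url, now = "https://api.example/feed", 1_700_000_000           # constructed URL and clock
    creds = {"consumer_key": "ck", "consumer_secret": "cs", "token": "tk", "token_secret": "ts"}
    s1 = OAuth1ResourceServer(creds)
    first = sign_oauth1_request("GET", url, {"id": "42"}, creds, "n1", now)
    second = sign_oauth1_request("GET", url, {"id": "42"}, creds, "n2", now)
    old = sign_oauth1_request("GET", url, {"id": "42"}, creds, "n3", now - 3600)
    s2 = OAuth2ResourceServer({"tok-abc"})
    header = "Bearer tok-abc"
    return {
        "oauth1_fresh": s1.verify("GET", url, {"id": "42"}, first, now),     # True
        "oauth1_repeat": s1.verify("GET", url, {"id": "42"}, first, now),    # False: nonce already seen
        "oauth1_altered": s1.verify("GET", url, {"id": "99"}, second, now),  # False: params are signed
        "oauth1_stale": s1.verify("GET", url, {"id": "42"}, old, now),       # False: timestamp too old
        "oauth2_fresh": s2.verify(header),                                   # True
        "oauth2_repeat": s2.verify(header),                                  # True: nothing to detect
    }


if __name__ == "__main__":
    print(demo())
```

The base string is what both sides must agree on byte for byte, which is also where most OAuth 1.0 interoperability bugs live: parameter sorting, the double percent-encoding and the exact key construction. For the bearer case the resource server is not being careless; there is simply nothing in the request it could check beyond the token itself.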

  13. OAuth 2.0
    OAuth 2.0 has had numerous security flaws exposed in implementations. The protocol itself has been described as inherently insecure by security experts, and a primary contributor to the specification stated that implementation mistakes are almost inevitable.

  14. Facing OAuth problems

  15. Non-interoperability
    Because OAuth 2.0 is more like a framework than a defined protocol, any OAuth 2.0 implementation is unlikely to naturally be interoperable with any other OAuth 2.0 implementation. Further deployment profiling and specification is required for any interoperability.

  16. Facing OAuth problems

  17. Uses
    OAuth can potentially be used as an authorizing mechanism to consume secured (i.e., authenticated) RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue.