Upgrade to Pro — share decks privately, control downloads, hide ads and more …



a bit of 1.0 and 2.0

Aleksandrs Cudars

April 07, 2013

More Decks by Aleksandrs Cudars

Other Decks in Technology


  1. What is Oauth? Short answer: OAuth is an authentication protocol

    that allows users to approve application to act on their behalf without sharing their password.
  2. Long answer: OAuth provides a method for clients to access

    server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. What is Oauth?
  3. OAuth is a service that is complementary to, and therefore

    distinct from, OpenID. OAuth is also distinct from OATH, which is a reference architecture for authentication (i.e. not a standard).
  4. OAuth 2.0 OAuth 2.0 is the next evolution of the

    OAuth protocol and is not backward compatible with OAuth 1.0.
  5. OAuth 2.0 OAuth 2.0 focuses on client developer simplicity while

    providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
  6. OAuth 2.0 The specification and associated RFCs are being developed

    within the IETF OAuth WG; the main framework was published in October 2012.
  7. OAuth 2.0 OAuth 2.0 doesn't support signature, encryption, channel binding,

    or client verification. It relies completely on SSL for some degree of confidentiality and server authentication.
  8. OAuth 2.0 OAuth 2.0 has had numerous security flaws exposed

    in implementations. The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable.
  9. Non-interoperability Because OAuth 2.0 is more like a framework rather

    than a defined protocol, any OAuth 2.0 implementation is unlikely to naturally be interoperable with any other OAuth 2.0 implementation. Further deployment profiling and specification is required for any interoperability.
  10. Uses OAuth can be potentially used as an authorizing mechanism

    to consume secured (i.e., authenticated) RSS/ATOM feeds. Consumption of RSS/ATOM feeds that requires authentication has always been an issue.