Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to OAuth

Avatar for Alex Bilbie Alex Bilbie
May 30, 2012
Technology
6
2.2k

Introduction to OAuth

Delivered at the Eduserv Federated Access Management conference 2011 on 9th November 2011

Avatar for Alex Bilbie

Alex Bilbie

May 30, 2012
Tweet

More Decks by Alex Bilbie

See All by Alex Bilbie
12 Factor Laravel Apps
Avatar for Alex Bilbie alexbilbie
1
620
The Joy of Open Data
Avatar for Alex Bilbie alexbilbie
0
180
API Driven Development
Avatar for Alex Bilbie alexbilbie
8
5k
Linkey Project
Avatar for Alex Bilbie alexbilbie
0
1.6k
Linking You
Avatar for Alex Bilbie alexbilbie
2
780
Introduction to HTML5 and CSS3
Avatar for Alex Bilbie alexbilbie
3
1.6k
The @lncd toolchain
Avatar for Alex Bilbie alexbilbie
2
1.5k
Introduction to MongoDB
Avatar for Alex Bilbie alexbilbie
2
370

Other Decks in Technology

See All in Technology
[JAWSDAYS2026][D8]その起票、愛が足りてますか?AWSサポートを味方につける、技術的「ラブレター」の書き方
Avatar for hirosys hirosys_
3
110
Shifting from MCP to Skills / ベストプラクティスの変遷を辿る
Avatar for Okuto Oyama yamanoku
4
760
JAWS FESTA 2025でリリースしたほぼリアルタイム文字起こし/翻訳機能の構成について
Avatar for 木村直紀 naoki8408
1
190
情シスのための生成AI実践ガイド2026 / Generative AI Practical Guide for Business Technology 2026
Avatar for Akira Maeda glidenote
0
170
When an innocent-looking ListOffsets Call Took Down Our Kafka Cluster
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
120
Abuse report だけじゃない。AWS から緊急連絡が来る状況とは?昨今の攻撃や被害の事例の紹介と備えておきたい考え方について
Avatar for kazzpapa3 kazzpapa3
1
330
マルチアカウント環境でSecurity Hubの運用!導入の苦労とポイント / JAWS DAYS 2026
Avatar for GENDA genda
0
240
Ultra Ethernet (UEC) v1.0 仕様概説
Avatar for Masayuki Kobayashi markunet
3
240
クラウド × シリコンの Mashup - AWS チップ開発で広がる AI 基盤の選択肢
Avatar for Hiroshi Tokoyo htokoyo
2
140
決済サービスを支えるElastic Cloud - Elastic Cloudの導入と推進、決済サービスのObservability
Avatar for suzukij suzukij
1
530
A Gentle Introduction to Transformers
Avatar for Semantic Machine Intelligence Lab., Keio Univ. keio_smilab
PRO
2
1k
わたしがセキュアにAWSを使えるわけないじゃん、ムリムリ!(※ムリじゃなかった!?)
Avatar for cm-usuda-keisuke cmusudakeisuke
1
460

Featured

See All Featured
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
3
360
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.8k
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
1
74
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
130
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.5k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.2k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
515
110k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
0
2.4k

Transcript

  1. Wednesday, 30 May 12

  2. Alex Bilbie University of Lincoln @alexbilbie Wednesday, 30 May 12

  3. Story time! Wednesday, 30 May 12

  4. I’m a user of a web service Wednesday, 30 May

    12

  5. I own resources on the web service Wednesday, 30 May

    12

  6. For example, personal details Wednesday, 30 May 12

  7. Wednesday, 30 May 12

  8. These resources1 are stored on a resource server 2 1.

    personal details 2. facebook.com Wednesday, 30 May 12

  9. The resource server exposes user resources over an API Wednesday,

    30 May 12

  10. I visit a 3rd party web application Wednesday, 30 May

    12

  11. The 3rd party web app is called a client Wednesday,

    30 May 12

  12. The client1 wants to use my resources2 1. 3rd party

    web app 2. personal details Wednesday, 30 May 12

  13. But the resource server’s API requires user authorisation Wednesday, 30

    May 12

  14. How? Wednesday, 30 May 12

  15. Give the client my password Wednesday, 30 May 12

  16. Give the client my password Wednesday, 30 May 12

  17. So what then? Wednesday, 30 May 12

  18. OAuth Wednesday, 30 May 12

  19. “An open protocol to allow secure API authorisation in a

    simple and standard method from desktop and web applications.” oauth.net Wednesday, 30 May 12

  20. —˛ Wednesday, 30 May 12

  21. User Client Resources Owns Accesses OWNS OWNS S Authorises Wednesday,

    30 May 12

  22. The flow Wednesday, 30 May 12

  23. User clicks “sign in” in the client application Wednesday, 30

    May 12

  24. Wednesday, 30 May 12

  25. The user is redirected to the resource server and asked

    to sign in Wednesday, 30 May 12

  26. Wednesday, 30 May 12

  27. GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld Wednesday, 30

    May 12

  28. The resource server clearly tells the user the specific data

    the client wants to access Wednesday, 30 May 12

  29. Wednesday, 30 May 12

  30. User authorises the application and is redirected back to client

    with a authorisation code in the query string Wednesday, 30 May 12

  31. HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s Wednesday, 30 May 12

  32. Client exchanges the authorisation code for an access token Wednesday,

    30 May 12

  33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect Wednesday,

    30 May 12

  34. HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526

    } Wednesday, 30 May 12

  35. The access token can then be used as authorisation by

    the client to access the specified resources for a specific length of time Wednesday, 30 May 12

  36. Advantages Wednesday, 30 May 12

  37. No password sharing <- Happy security conscious user Wednesday, 30

    May 12

  38. Developers just need to implement a redirect and a POST

    request <- Happy developers Wednesday, 30 May 12

  39. Users can revoke access tokens for specific clients Wednesday, 30

    May 12

  40. Wednesday, 30 May 12

  41. Nefarious clients can have their credentials revoked and all associated

    access tokens destroyed immediately Wednesday, 30 May 12

  42. Wednesday, 30 May 12

  43. Wednesday, 30 May 12

  44. Currently version 1.0a lncn.eu/giy Wednesday, 30 May 12

  45. Version 2.0 is almost finished lncn.eu/bkw Wednesday, 30 May 12

  46. OAuth 2.0 •Simpler •Requires all communication over SSL •New flows

    •Better UX Wednesday, 30 May 12

  47. Who’s using OAuth? Wednesday, 30 May 12

  48. Wednesday, 30 May 12

  49. v1.0a and v2.0 v1.0a v1.0a v2.0 (prev v1.0a) v2.0 v2.0

    (prev v1.0a) v2.0 (prev v1.0a) v2.0 Wednesday, 30 May 12

  50. And in HE? Wednesday, 30 May 12

  51. Wednesday, 30 May 12

  52. Wednesday, 30 May 12

  53. Wednesday, 30 May 12

  54. data.lincoln.ac.uk people energy location printing events calendars bibliographic documents Wednesday,

    30 May 12

  55. Internal and external authorisation Wednesday, 30 May 12

  56. Single Sign-On Wednesday, 30 May 12

  57. Blackboard (SAML) Zendesk (SAML) Get Satisfaction (OAuth) WordPress (OAuth) Exchange

    (ADFS) Sharepoint (ADFS) Gmail (SAML) + OAuth clients (internal + external) Wednesday, 30 May 12

  58. Open source 2.0 server lncn.eu/ar6 Wednesday, 30 May 12

  59. Any questions? Wednesday, 30 May 12

  60. Thank you @alexbilbie Wednesday, 30 May 12