Introduction to OAuth

Transcript

1. Wednesday, 30 May 12

2. Alex Bilbie University of Lincoln @alexbilbie Wednesday, 30 May 12

3. Story time! Wednesday, 30 May 12

4. I’m a user of a web service Wednesday, 30 May

   12

5. I own resources on the web service Wednesday, 30 May

   12

6. For example, personal details Wednesday, 30 May 12

7. Wednesday, 30 May 12

8. These resources1 are stored on a resource server 2 1.

   personal details 2. facebook.com Wednesday, 30 May 12

9. The resource server exposes user resources over an API Wednesday,

   30 May 12

10. I visit a 3rd party web application Wednesday, 30 May

    12

11. The 3rd party web app is called a client Wednesday,

    30 May 12

12. The client1 wants to use my resources2 1. 3rd party

    web app 2. personal details Wednesday, 30 May 12

13. But the resource server’s API requires user authorisation Wednesday, 30

    May 12

14. How? Wednesday, 30 May 12

15. Give the client my password Wednesday, 30 May 12

16. Give the client my password Wednesday, 30 May 12

17. So what then? Wednesday, 30 May 12

18. OAuth Wednesday, 30 May 12

19. “An open protocol to allow secure API authorisation in a

    simple and standard method from desktop and web applications.” oauth.net Wednesday, 30 May 12

20. —˛ Wednesday, 30 May 12

21. User Client Resources Owns Accesses OWNS OWNS S Authorises Wednesday,

    30 May 12

22. The flow Wednesday, 30 May 12

23. User clicks “sign in” in the client application Wednesday, 30

    May 12

24. Wednesday, 30 May 12

25. The user is redirected to the resource server and asked

    to sign in Wednesday, 30 May 12

26. Wednesday, 30 May 12

27. GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld Wednesday, 30

    May 12

28. The resource server clearly tells the user the specific data

    the client wants to access Wednesday, 30 May 12

29. Wednesday, 30 May 12

30. User authorises the application and is redirected back to client

    with a authorisation code in the query string Wednesday, 30 May 12

31. HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s Wednesday, 30 May 12

32. Client exchanges the authorisation code for an access token Wednesday,

    30 May 12

33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect Wednesday,

    30 May 12

34. HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526

    } Wednesday, 30 May 12

35. The access token can then be used as authorisation by

    the client to access the specified resources for a specific length of time Wednesday, 30 May 12

36. Advantages Wednesday, 30 May 12

37. No password sharing <- Happy security conscious user Wednesday, 30

    May 12

38. Developers just need to implement a redirect and a POST

    request <- Happy developers Wednesday, 30 May 12

39. Users can revoke access tokens for specific clients Wednesday, 30

    May 12

40. Wednesday, 30 May 12

41. Nefarious clients can have their credentials revoked and all associated

    access tokens destroyed immediately Wednesday, 30 May 12

42. Wednesday, 30 May 12

43. Wednesday, 30 May 12

44. Currently version 1.0a lncn.eu/giy Wednesday, 30 May 12

45. Version 2.0 is almost finished lncn.eu/bkw Wednesday, 30 May 12

46. OAuth 2.0 •Simpler •Requires all communication over SSL •New flows

    •Better UX Wednesday, 30 May 12

47. Who’s using OAuth? Wednesday, 30 May 12

48. Wednesday, 30 May 12

49. v1.0a and v2.0 v1.0a v1.0a v2.0 (prev v1.0a) v2.0 v2.0

    (prev v1.0a) v2.0 (prev v1.0a) v2.0 Wednesday, 30 May 12

50. And in HE? Wednesday, 30 May 12

51. Wednesday, 30 May 12

52. Wednesday, 30 May 12

53. Wednesday, 30 May 12

54. data.lincoln.ac.uk people energy location printing events calendars bibliographic documents Wednesday,

    30 May 12

55. Internal and external authorisation Wednesday, 30 May 12

56. Single Sign-On Wednesday, 30 May 12

57. Blackboard (SAML) Zendesk (SAML) Get Satisfaction (OAuth) WordPress (OAuth) Exchange

    (ADFS) Sharepoint (ADFS) Gmail (SAML) + OAuth clients (internal + external) Wednesday, 30 May 12

58. Open source 2.0 server lncn.eu/ar6 Wednesday, 30 May 12

59. Any questions? Wednesday, 30 May 12

60. Thank you @alexbilbie Wednesday, 30 May 12