Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth at Logos

Ian Duncan
December 14, 2012
Programming
3
140

OAuth at Logos

Ian Duncan

December 14, 2012
Tweet

More Decks by Ian Duncan

See All by Ian Duncan
Make frontend development radical with Angular
iand675
4
220

Other Decks in Programming

See All in Programming
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
290
Contemporary Test Cases
maaretp
0
140
Amazon Qを使ってIaCを触ろう!
maruto
0
430
Jakarta EE meets AI
ivargrimstad
0
930
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
130
@nifty天気予報のフロントエンドを 実装するまで - NIFTY Tech Talk #22
niftycorp
PRO
0
110
React への依存を最小にするフロントエンド設計
takonda
20
7k
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
3
1.3k
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
490
[KR] Open-Source Ecosystems
skydoves
0
100
Jakarta EE meets AI
ivargrimstad
0
490

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Writing Fast Ruby
sferik
627
61k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Building Adaptive Systems
keathley
38
2.3k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
4 Signs Your Business is Dying
shpigford
180
21k
BBQ
matthewcrist
85
9.3k
Navigating Team Friction
lara
183
14k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Designing the Hi-DPI Web
ddemaree
280
34k
Designing for humans not robots
tammielis
250
25k
Unsuck your backbone
ammeep
668
57k

Transcript

  1. OAuth all the things

  2. What is OAuth? In a nutshell: A secure way for

    3rd parties to use our APIs without ever handling our users’ username & password.

  3. Is that it? Yes! (mostly) Using OAuth gives us some

    other advantages: Remote kill-switch in case a user is hacked Rate Limiting Analytics. Who is using what apps?

  4. How does it work? There are three participants: The User

    The App The Server The goal is to never share private credentials between the user & the app.

  5. Here we go! Marty McFly wants users to comment on

    his church’s blog using Faithlife. He registers his app, Hill Valley Baptist Church Blog at developer.faithlife.com, and hooks comments into his site.

  6. The Consumer Key & Consumer Secret are like the ‘username’

    and ‘password’ for the app itself.

  7. A wild user appears! And they want to post an

    angry comment at their pastor on the blog. So they click on the ‘sign in with Faithlife!’ button. blog.hillvalley.com sends a message to our server saying “I have a user that wants to sign in, but I don’t know who they are yet.”

  8. We say, no problem. And we give the app a

    temporary identifier to substitute for the user information until the user signs in. The App sends The User to a sign-in page that we provide. We tell the user what The App is allowed to do.

  9. Meanwhile... The App is doing other stuff while waiting for

    The User to sign in. When The User gives permission, we send a Verifier that says that everything checks out OK.

  10. Finally... The App sends the verifier to The Server along

    with the temporary token, and the server sends The App an Access Token & Access Secret. These substitute for the user’s username & password, and The App signs all of its API requests with these credentials.

  11. A happy ending. The User may be angry at his

    pastor, but he won’t have to be angry about his Faithlife account being hacked.

  12. The nitty gritty The OAuth server runs at: https://auth.logos.com/oauth/v1/ You

    can start building apps using the documentation and app registration facilities at: https://developer.faithlife.com/

  13. Plug it in. We have OAuth clients implemented for Objective-C

    and C# in the OAuth repository. I built a small website written in Haskell that uses OAuth. The developer portal is written using Node, and uses OAuth for sign-in & registration.

  14. Questions?