Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 101

Avatar for Nick Jackson Nick Jackson
February 20, 2012
Technology
3
370

OAuth 101

A crash course on the basics of OAuth which I gave at Dev8D 2012.

Avatar for Nick Jackson

Nick Jackson

February 20, 2012
Tweet

More Decks by Nick Jackson

See All by Nick Jackson
It's all about the data.
Avatar for Nick Jackson jacksonj04
0
82
Development Tools
Avatar for Nick Jackson jacksonj04
0
99
Eating Your Own Dog Food
Avatar for Nick Jackson jacksonj04
0
340
LNCD and The Cloud
Avatar for Nick Jackson jacksonj04
0
120
MongoDB 101
Avatar for Nick Jackson jacksonj04
1
120
API Driven Development
Avatar for Nick Jackson jacksonj04
0
220
We Can Haz Ur Datas?!
Avatar for Nick Jackson jacksonj04
0
350
Universal Search at Lincoln
Avatar for Nick Jackson jacksonj04
0
48
Jerome Overview
Avatar for Nick Jackson jacksonj04
0
50

Other Decks in Technology

See All in Technology
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
Avatar for oracle4engineer oracle4engineer
PRO
2
14k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
1
250
(金融庁共催)第4回金融データ活用チャレンジ勉強会資料
Avatar for tak takumimukaiyama
0
120
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
Avatar for Kuniaki Moriya zepprix
0
390
2人で作ったAIダッシュボードが、開発組織の次の一手を照らした話― Cursor × SpecKit × 可視化の実践 ― Qiita AI Summit
Avatar for NOBORU ITOU noalisaai
1
370
Meshy Proプラン課金した
Avatar for henjin0 henjin0
0
240
toCプロダクトにおけるAI機能開発のしくじりと学び / ai-product-failures-and-learnings
Avatar for rince rince
6
5.5k
Amazon Bedrock AgentCore 認証・認可入門
Avatar for iganin hironobuiga
2
510
15 years with Rails and DDD (AI Edition)
Avatar for Andrzej Krzywda andrzejkrzywda
0
170
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
2
380
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
5
2.6k
なぜ今、コスト最適化(倹約)が必要なのか? ~AWSでのコスト最適化の進め方「目的編」~
Avatar for Hayato Tan htan
1
110

Featured

See All Featured
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.6k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
50
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
180
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
300
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
46
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
51k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
Building AI with AI
Avatar for Ines Montani inesmontani
PRO
1
680
Visualization
Avatar for Eitan Lees eitanlees
150
17k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.9k

Transcript

  1. None

  2. Nick Jackson Web Monkey University of Lincoln @jacksonj04

  3. Story time!

  4. I’m a user of a web service

  5. I own resources on the web service

  6. For example, personal details

  7. None

  8. These resources1 are stored on a resource server 2 1.

    personal details 2. facebook.com

  9. The resource server exposes user resources over an API

  10. I visit a 3rd party web application

  11. The 3rd party web app is called a client

  12. The client1 wants to use my resources2 1. 3rd party

    web app 2. personal details

  13. But the resource server’s API requires user authorisation

  14. How?

  15. Give the client my password

  16. Give the client my password

  17. So what then?

  18. OAuth

  19. “An open protocol to allow secure API authorisation in a

    simple and standard method from desktop and web applications.” oauth.net

  20. —˛

  21. User Client Resources Owns Accesses Authorises

  22. The flow

  23. User clicks “sign in” in the client application

  24. None

  25. The user is redirected to the resource server and asked

    to sign in
  26. None

  27. GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld

  28. The resource server clearly tells the user the specific data

    the client wants to access
  29. None

  30. User authorises the application and is redirected back to client

    with a authorisation code in the query string

  31. HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s

  32. Client exchanges the authorisation code for an access token

  33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect

  34. HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526

    }

  35. The access token can then be used as authorisation by

    the client to access the specified resources for a specific length of time

  36. Advantages

  37. No password sharing <- Happy security conscious user

  38. Developers just need to implement a redirect and a POST

    request <- Happy developers

  39. Users can revoke access tokens for specific clients

  40. None

  41. Nefarious clients can have their credentials revoked and all associated

    access tokens destroyed immediately
  42. None
  43. None

  44. Currently version 1.0a lncn.eu/giy

  45. Version 2.0 is almost finished lncn.eu/bkw

  46. OAuth 2.0 •Simpler •Requires all communication over SSL •New flows

    •Better UX

  47. Who’s using OAuth?

  48. None

  49. And in HE?

  50. None
  51. None
  52. None

  53. data.lincoln.ac.uk people energy location printing events calendars bibliographic documents

  54. Internal and external authorisation

  55. Open source 2.0 server lncn.eu/ar6

  56. Any questions?

  57. Thank you @jacksonj04