OAuth 101
Nick Jackson
February 20, 2012
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Transcript
Nick Jackson, Web Monkey, University of Lincoln, @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
These resources (e.g. personal details) are stored on a resource server (e.g. facebook.com)
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client (the 3rd party web app) wants to use my resources (e.g. personal details)
But the resource server’s API requires user authorisation
How?
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.” (oauth.net)
[Diagram: the User owns the Resources and authorises the Client; the Client accesses the Resources]
The flow
User clicks “sign in” in the client application
The user is redirected to the resource server and asked to sign in

```http
GET /authorise?response_type=code&client_id=12345&redirect_uri=http%3A%2F%2Fclient.tld%2Fredirect&scope=name,email,birthday HTTP/1.1
Host: resource-server.tld
```
The resource server clearly tells the user the specific data the client wants to access
User authorises the application and is redirected back to the client with an authorisation code in the query string

```http
HTTP/1.1 302 Found
Location: http://client.tld/redirect?code=78dsf9sudfo9s
```
Client exchanges the authorisation code for an access token
```http
POST /token HTTP/1.1
Host: resource-server.tld
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=78dsf9sudfo9s&client_id=12345&client_secret=12345&redirect_uri=http%3A%2F%2Fclient.tld%2Fredirect
```

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "aLKJHskjhda8s13jsi9sis",
  "valid_until": 1320759526
}
```

The access token can then be used by the client as authorisation to access the specified resources for a specific length of time
Advantages
- No password sharing: happy security-conscious user
- Developers just need to implement a redirect and a POST request: happy developers
Users can revoke access tokens for specific clients
Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately
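The code exchange in the flow above and the client revocation just described, as an added example that is not part of the talk: a minimal in-memory authorisation server that binds each code to the client and redirect_uri it was issued for, lets it be redeemed once, expires it, and can kill a client together with every token it holds. The client_id 12345 and the client.tld redirect URI are the slide's values; the class, method names and CODE_LIFETIME are assumptions of this example.

```python
import secrets
import time

# Added example (not from the slides): minimal in-memory authorisation server for
# the code exchange and client revocation above; names beyond the slides are assumed.

CODE_LIFETIME = 60  # seconds an authorisation code stays redeemable


class AuthServer:
    def __init__(self, clients):
        self.clients = dict(clients)  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}               # code -> what it was issued for
        self.tokens = {}              # access_token -> {"client_id", "user", "scope"}

    def authorise(self, client_id, redirect_uri, scope, user):
        """Runs after the user signs in and approves the listed scopes."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "issued": time.time()}
        return redirect_uri + "?code=" + code  # the 302 Location header value

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """POST /token: every field must match what the code was issued for."""
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once
        client = self.clients.get(client_id)
        if grant is None or client is None:
            raise ValueError("invalid_grant")
        if not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")  # code was issued to someone else
        if time.time() - grant["issued"] > CODE_LIFETIME:
            raise ValueError("invalid_grant")  # expired code
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "user": grant["user"],
                              "scope": grant["scope"]}
        return {"access_token": token, "expires_in": 3600}

    def resource(self, access_token):
        """API call: who and what the presented token is good for, or None."""
        return self.tokens.get(access_token)

    def revoke_client(self, client_id):
        """Nefarious client: drop its credentials and every token it holds."""
        self.clients.pop(client_id, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v["client_id"] != client_id}
```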
Currently version 1.0a (lncn.eu/giy)
Version 2.0 is almost finished (lncn.eu/bkw)
OAuth 2.0:
- Simpler
- Requires all communication over SSL
- New flows
- Better UX
Who’s using OAuth?
And in HE?
data.lincoln.ac.uk: people, energy, location, printing, events, calendars, bibliographic, documents
Internal and external authorisation
Open source 2.0 server (lncn.eu/ar6)
Any questions?
Thank you @jacksonj04