OAuth 101
Nick Jackson
February 20, 2012
Technology
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Transcript
Nick Jackson, Web Monkey, University of Lincoln, @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
These resources (e.g. personal details) are stored on a resource server (e.g. facebook.com)
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client (the 3rd party web app) wants to use my resources (my personal details)
But the resource server’s API requires user authorisation
How?
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a
simple and standard method from desktop and web applications.” oauth.net
[Diagram: the User owns the Resources and authorises the Client; the Client accesses the Resources]
The flow
User clicks “sign in” in the client application
The user is redirected to the resource server and asked
to sign in
GET /authorise?response_type=code&client_id=12345&redirect_uri=http://client.tld/redirect&scope=name,email,birthday HTTP/1.1
Host: resource-server.tld
The resource server clearly tells the user the specific data
the client wants to access
User authorises the application and is redirected back to the client
with an authorisation code in the query string

HTTP/1.1 302 Found
Location: http://client.tld/redirect?code=78dsf9sudfo9s
Client exchanges the authorisation code for an access token
POST /token HTTP/1.1
Host: resource-server.tld
Content-type: application/x-www-form-urlencoded

code=78dsf9sudfo9s&client_id=12345&client_secret=12345&redirect_uri=http://client.tld/redirect

HTTP/1.1 200 OK
Content-type: application/json

{ "access_token": "aLKJHskjhda8s13jsi9sis", "valid_until": 1320759526 }
The access token can then be used as authorisation by
the client to access the specified resources for a specific length of time
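The three-step flow above, as an added example (not code from the talk): the client builds the /authorise request with the slides' parameters, the resource server issues a one-time code and a redirect, and the /token endpoint checks client_id, client_secret and redirect_uri before minting a token with a valid_until timestamp. Client registry, code/token stores, the 3600-second lifetime and the placeholder resource values are constructed assumptions; the "12345" secret and plain http URLs are the slides' illustrative values, not what a real deployment would use.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration: client id/secret and redirect URI from the slides.
CLIENT_ID, CLIENT_SECRET = "12345", "12345"
REDIRECT_URI = "http://client.tld/redirect"
TOKEN_LIFETIME = 3600  # seconds; the slides return an absolute valid_until timestamp

def build_authorise_url(scope):
    """Client side, step 1: the URL the user is redirected to (GET /authorise)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": ",".join(scope)}
    return "http://resource-server.tld/authorise?" + urlencode(params)

_registered = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}  # server's client registry
_codes = {}   # one-time code -> (client_id, redirect_uri, scope)
_tokens = {}  # access_token -> (client_id, scope, valid_until)

def authorise(url):
    """Server side, step 2: the user has approved; issue a code and redirect back."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    _, uri = _registered.get(q.get("client_id"), (None, None))
    if uri is None or q.get("redirect_uri") != uri or q.get("response_type") != "code":
        return None  # unknown client or redirect_uri not the registered one: refuse
    code = secrets.token_urlsafe(16)
    _codes[code] = (q["client_id"], uri, q.get("scope", ""))
    return uri + "?code=" + code  # the Location header of the 302 in the slides

def token(form):
    """Server side, step 3: POST /token. The code is single-use and bound to client + URI."""
    entry = _codes.pop(form.get("code"), None)  # pop: a replayed code is rejected
    if entry is None:
        return {"error": "invalid_grant"}
    client_id, uri, scope = entry
    secret, _ = _registered[client_id]
    if (form.get("client_id") != client_id or form.get("redirect_uri") != uri
            or not secrets.compare_digest(form.get("client_secret", ""), secret)):
        return {"error": "invalid_client"}
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = (client_id, scope, int(time.time()) + TOKEN_LIFETIME)
    return {"access_token": tok, "valid_until": _tokens[tok][2]}

def resource(tok, field, now=None):
    """Resource API: honour the token only while valid and only for the granted scope."""
    entry = _tokens.get(tok)
    if entry is None or (now or time.time()) >= entry[2] or field not in entry[1].split(","):
        return None
    return "<%s of user>" % field  # placeholder standing in for the real resource
```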
Advantages
No password sharing <- Happy security-conscious user
Developers just need to implement a redirect and a POST
request <- Happy developers
Users can revoke access tokens for specific clients
Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately
Currently version 1.0a lncn.eu/giy
Version 2.0 is almost finished lncn.eu/bkw
OAuth 2.0
• Simpler
• Requires all communication over SSL
• New flows
• Better UX
Who’s using OAuth?
And in HE?
data.lincoln.ac.uk: people, energy, location, printing, events, calendars, bibliographic, documents
Internal and external authorisation
Open source 2.0 server lncn.eu/ar6
Any questions?
Thank you @jacksonj04