OAuth 101
Nick Jackson
February 20, 2012
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Transcript
Nick Jackson, Web Monkey, University of Lincoln, @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
These resources (e.g. personal details) are stored on a resource server (e.g. facebook.com)
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client (the 3rd party web app) wants to use my resources (my personal details)
But the resource server’s API requires user authorisation
How?
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.” (oauth.net)
[Diagram: the User owns the Resources, the Client accesses the Resources, and the User authorises the Client]
The flow
User clicks “sign in” in the client application
The user is redirected to the resource server and asked to sign in
GET /authorise?response_type=code&client_id=12345&redirect_uri=http://client.tld/redirect&scope=name,email,birthday HTTP/1.1
Host: resource-server.tld
The resource server clearly tells the user the specific data the client wants to access
The user authorises the application and is redirected back to the client with an authorisation code in the query string
HTTP/1.1 302 Found
Location: http://client.tld/redirect?code=78dsf9sudfo9s
Client exchanges the authorisation code for an access token
POST /token HTTP/1.1
Host: resource-server.tld
Content-type: application/x-www-form-urlencoded

code=78dsf9sudfo9s&client_id=12345&client_secret=12345&redirect_uri=http://client.tld/redirect

HTTP/1.1 200 OK
Content-type: application/json

{ "access_token": "aLKJHskjhda8s13jsi9sis", "valid_until": 1320759526 }
The access token can then be used as authorisation by the client to access the specified resources for a specific length of time
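The flow on the slides above, worked through as an added example that is not code from the talk: a toy resource server in Python that issues single-use authorisation codes and, at the token step, checks that the code, client_id, client_secret and redirect_uri all belong together, plus a client function that replays the redirect-then-POST sequence. The names ResourceServer and run_flow are my own; client_id 12345, its secret, the scope and the URLs are the slide's example values.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration record for the client on the slides (client_id 12345).
CLIENTS = {"12345": {"secret": "12345", "redirect_uri": "http://client.tld/redirect"}}

class ResourceServer:
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, scope); removed once used

    def authorise(self, params, user_consented):
        """GET /authorise: returns the Location the user is redirected back to."""
        client = CLIENTS.get(params.get("client_id"))
        # Only ever redirect to the URI registered for this client_id.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            return None
        if params.get("response_type") != "code" or not user_consented:
            return client["redirect_uri"] + "?error=access_denied"
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], client["redirect_uri"], params.get("scope", ""))
        return client["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, form):
        """POST /token: exchanges a code for an access token, or returns an error."""
        issued = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        client = CLIENTS.get(form.get("client_id"))
        if issued is None or client is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, scope = issued
        # The code is bound to the client and redirect_uri it was issued for.
        if (form.get("client_id") != client_id
                or form.get("client_secret") != client["secret"]
                or form.get("redirect_uri") != redirect_uri):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "scope": scope,
                "valid_until": int(time.time()) + 3600}

def run_flow(server, user_consented=True, secret="12345", replay=False):
    """Client side of the slides: redirect, receive the code, POST it for a token."""
    location = server.authorise({"response_type": "code", "client_id": "12345",
                                 "redirect_uri": "http://client.tld/redirect",
                                 "scope": "name,email,birthday"}, user_consented)
    query = parse_qs(urlparse(location).query)
    if "code" not in query:
        return query  # e.g. {'error': ['access_denied']}
    form = {"code": query["code"][0], "client_id": "12345", "client_secret": secret,
            "redirect_uri": "http://client.tld/redirect"}
    first = server.token(form)
    return server.token(form) if replay else first
```

Running run_flow a second time with the same code, with the wrong secret, or with a redirect_uri other than the registered one gets invalid_grant, which is why the slide's POST /token carries the client secret and the redirect_uri again.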
Advantages
No password sharing <- Happy security conscious user
Developers just need to implement a redirect and a POST request <- Happy developers
Users can revoke access tokens for specific clients
Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately
Currently version 1.0a (lncn.eu/giy)
Version 2.0 is almost finished (lncn.eu/bkw)
OAuth 2.0
• Simpler
• Requires all communication over SSL
• New flows
• Better UX
Who’s using OAuth?
And in HE?
data.lincoln.ac.uk: people, energy, location, printing, events, calendars, bibliographic, documents
Internal and external authorisation
Open source 2.0 server (lncn.eu/ar6)
Any questions?
Thank you @jacksonj04