Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 101
Search
Nick Jackson
February 20, 2012
Technology
3
360
OAuth 101
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Nick Jackson
February 20, 2012
Tweet
Share
More Decks by Nick Jackson
See All by Nick Jackson
It's all about the data.
jacksonj04
0
73
Development Tools
jacksonj04
0
92
Eating Your Own Dog Food
jacksonj04
0
340
LNCD and The Cloud
jacksonj04
0
110
MongoDB 101
jacksonj04
1
110
API Driven Development
jacksonj04
0
210
We Can Haz Ur Datas?!
jacksonj04
0
340
Universal Search at Lincoln
jacksonj04
0
41
Jerome Overview
jacksonj04
0
43
Other Decks in Technology
See All in Technology
研究開発部メンバーの働き⽅ / Sansan R&D Profile
sansan33
PRO
3
18k
Webの技術とガジェットで那須の子ども達にワクワクを! / IoTLT_20250720
you
PRO
0
120
会社もクラウドも違うけど 通じたコスト削減テクニック/Cost optimization strategies effective regardless of company or cloud provider
aeonpeople
2
130
OTel 公式ドキュメント翻訳 PJ から始めるコミュニティ活動/Community activities starting with the OTel official document translation project
msksgm
0
200
P2P通信の標準化 WebRTCを知ろう
faithandbrave
6
2.2k
データ駆動経営の道しるべ:プロダクト開発指標の戦略的活用法
ham0215
2
230
Semantic Machine Intelligence for Vision, Language, and Actions
keio_smilab
PRO
2
380
「現場で活躍するAIエージェント」を実現するチームと開発プロセス
tkikuchi1002
6
990
公開初日に個人環境で試した Gemini CLI 体験記など / Gemini CLI実験レポート
you
PRO
3
290
本当にわかりやすいAIエージェント入門
segavvy
10
5.8k
手動からの解放!!Strands Agents で実現する総合テスト自動化
ideaws
2
270
Talk to Someone At Delta Airlines™️ USA Contact Numbers
travelcarecenter
0
170
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
370
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Unsuck your backbone
ammeep
671
58k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
282
13k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
The Cult of Friendly URLs
andyhume
79
6.5k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Transcript
None
Nick Jackson Web Monkey University of Lincoln @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
None
These resources1 are stored on a resource server 2 1.
personal details 2. facebook.com
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client1 wants to use my resources2 1. 3rd party
web app 2. personal details
But the resource server’s API requires user authorisation
How?
Give the client my password
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a
simple and standard method from desktop and web applications.” oauth.net
—˛
User Client Resources Owns Accesses Authorises
The flow
User clicks “sign in” in the client application
None
The user is redirected to the resource server and asked
to sign in
None
GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld
The resource server clearly tells the user the specific data
the client wants to access
None
User authorises the application and is redirected back to client
with a authorisation code in the query string
HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s
Client exchanges the authorisation code for an access token
POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect
HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526
}
The access token can then be used as authorisation by
the client to access the specified resources for a specific length of time
Advantages
No password sharing <- Happy security conscious user
Developers just need to implement a redirect and a POST
request <- Happy developers
Users can revoke access tokens for specific clients
None
Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately
None
None
Currently version 1.0a lncn.eu/giy
Version 2.0 is almost finished lncn.eu/bkw
OAuth 2.0 •Simpler •Requires all communication over SSL •New flows
•Better UX
Who’s using OAuth?
None
And in HE?
None
None
None
data.lincoln.ac.uk people energy location printing events calendars bibliographic documents
Internal and external authorisation
Open source 2.0 server lncn.eu/ar6
Any questions?
Thank you @jacksonj04