Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 101

Avatar for Nick Jackson Nick Jackson
February 20, 2012
Technology
3
360

OAuth 101

A crash course on the basics of OAuth which I gave at Dev8D 2012.

Avatar for Nick Jackson

Nick Jackson

February 20, 2012
Tweet

More Decks by Nick Jackson

See All by Nick Jackson
It's all about the data.
Avatar for Nick Jackson jacksonj04
0
75
Development Tools
Avatar for Nick Jackson jacksonj04
0
93
Eating Your Own Dog Food
Avatar for Nick Jackson jacksonj04
0
340
LNCD and The Cloud
Avatar for Nick Jackson jacksonj04
0
110
MongoDB 101
Avatar for Nick Jackson jacksonj04
1
110
API Driven Development
Avatar for Nick Jackson jacksonj04
0
210
We Can Haz Ur Datas?!
Avatar for Nick Jackson jacksonj04
0
340
Universal Search at Lincoln
Avatar for Nick Jackson jacksonj04
0
43
Jerome Overview
Avatar for Nick Jackson jacksonj04
0
44

Other Decks in Technology

See All in Technology
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
46k
SRE × マネジメントレイヤーが挑戦した組織・会社のオブザーバビリティ改革 ― ビジネス価値と信頼性を両立するリアルな挑戦
Avatar for coconala_engineer coconala_engineer
0
290
「タコピーの原罪」から学ぶ間違った”支援” / the bad support of Takopii
Avatar for piyonakajima piyonakajima
0
150
CREが作る自己解決サイクルSlackワークフローに組み込んだAIによる社内ヘルプデスク改革 #cre_meetup
Avatar for 弁護士ドットコム bengo4com
0
360
ストレージエンジニアの仕事と、近年の計算機について / 第58回 情報科学若手の会
Avatar for Preferred Networks pfn
PRO
4
880
プロファイルとAIエージェントによる効率的なデバッグ / Effective debugging with profiler and AI assistant
Avatar for ymotongpoo ymotongpoo
1
510
AIでデータ活用を加速させる取り組み / Leveraging AI to accelerate data utilization
Avatar for okiyuki okiyuki99
5
1.3k
RemoteFunctionを使ったコロケーション
Avatar for Matsumoto Kazutaka mkazutaka
1
130
re:Inventに行くまでにやっておきたいこと
Avatar for nagisa_53 nagisa53
0
690
Retrospectiveを振り返ろう
Avatar for なかしょ nakasho
0
130
GraphRAG グラフDBを使ったLLM生成(自作漫画DBを用いた具体例を用いて)
Avatar for sea-turt1e seaturt1e
1
160
SOTA競争から人間を超える画像認識へ
Avatar for Yosuke Shinya shinya7y
0
610

Featured

See All Featured
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
280
24k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
33k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.6k
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
62k
A better future with KSS
Avatar for Kyle Neath kneath
239
18k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
355
21k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.3k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
11k
Visualization
Avatar for Eitan Lees eitanlees
150
16k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
209
24k

Transcript

  1. None

  2. Nick Jackson Web Monkey University of Lincoln @jacksonj04

  3. Story time!

  4. I’m a user of a web service

  5. I own resources on the web service

  6. For example, personal details

  7. None

  8. These resources1 are stored on a resource server 2 1.

    personal details 2. facebook.com

  9. The resource server exposes user resources over an API

  10. I visit a 3rd party web application

  11. The 3rd party web app is called a client

  12. The client1 wants to use my resources2 1. 3rd party

    web app 2. personal details

  13. But the resource server’s API requires user authorisation

  14. How?

  15. Give the client my password

  16. Give the client my password

  17. So what then?

  18. OAuth

  19. “An open protocol to allow secure API authorisation in a

    simple and standard method from desktop and web applications.” oauth.net

  20. —˛

  21. User Client Resources Owns Accesses Authorises

  22. The flow

  23. User clicks “sign in” in the client application

  24. None

  25. The user is redirected to the resource server and asked

    to sign in
  26. None

  27. GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld

  28. The resource server clearly tells the user the specific data

    the client wants to access
  29. None

  30. User authorises the application and is redirected back to client

    with a authorisation code in the query string

  31. HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s

  32. Client exchanges the authorisation code for an access token

  33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect

  34. HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526

    }

  35. The access token can then be used as authorisation by

    the client to access the specified resources for a specific length of time

  36. Advantages

  37. No password sharing <- Happy security conscious user

  38. Developers just need to implement a redirect and a POST

    request <- Happy developers

  39. Users can revoke access tokens for specific clients

  40. None

  41. Nefarious clients can have their credentials revoked and all associated

    access tokens destroyed immediately
  42. None
  43. None

  44. Currently version 1.0a lncn.eu/giy

  45. Version 2.0 is almost finished lncn.eu/bkw

  46. OAuth 2.0 •Simpler •Requires all communication over SSL •New flows

    •Better UX

  47. Who’s using OAuth?

  48. None

  49. And in HE?

  50. None
  51. None
  52. None

  53. data.lincoln.ac.uk people energy location printing events calendars bibliographic documents

  54. Internal and external authorisation

  55. Open source 2.0 server lncn.eu/ar6

  56. Any questions?

  57. Thank you @jacksonj04