Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 101
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Nick Jackson
February 20, 2012
Technology
370
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
OAuth 101
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Nick Jackson
February 20, 2012
More Decks by Nick Jackson
See All by Nick Jackson
It's all about the data.
jacksonj04
0
93
Development Tools
jacksonj04
0
110
Eating Your Own Dog Food
jacksonj04
0
350
LNCD and The Cloud
jacksonj04
0
130
MongoDB 101
jacksonj04
1
120
API Driven Development
jacksonj04
0
220
We Can Haz Ur Datas?!
jacksonj04
0
360
Universal Search at Lincoln
jacksonj04
0
55
Jerome Overview
jacksonj04
0
55
Other Decks in Technology
See All in Technology
水を運ぶ人としてのリーダーシップ
izumii19
4
1.1k
コミュニティの有益性 ~JAWS Days 2026 での体験を通して~ / The Benefits of a Community ~Through My Experience at JAWS Days 2026~
seike460
PRO
0
310
從觀望到全公司落地:AI Agentic Coding 導入實戰 — 流程整合與安全治理
appleboy
0
250
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
1
440
SRE歴2ヶ月でも開発6年の知見を活かして、チームで止まっていた環境改善を前に進めた話
a_ono
0
140
LiDAR SLAMの実装とセンサ融合 ~Lie群からContinuous-Time LIOまで~
naokiakai
1
410
4人目のSREはAgent
tanimuyk
0
310
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
7.8k
Terraform 101 (初心者向け) 資料
shuadachi
0
100
「ビジネスがわかるエンジニア」とは何か?
ryooob
0
420
Agile and AI Redmine Japan 2026
hiranabe
4
550
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
150
Featured
See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.8k
Become a Pro
speakerdeck
PRO
31
6k
First, design no harm
axbom
PRO
2
1.2k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
67
55k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
Building Adaptive Systems
keathley
44
3.1k
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
230
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Believing is Seeing
oripsolob
1
160
Prompt Engineering for Job Search
mfonobong
0
360
Visual Storytelling: How to be a Superhuman Communicator
reverentgeek
2
570
Transcript
None
Nick Jackson Web Monkey University of Lincoln @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
None
These resources1 are stored on a resource server 2 1.
personal details 2. facebook.com
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client1 wants to use my resources2 1. 3rd party
web app 2. personal details
But the resource server’s API requires user authorisation
How?
Give the client my password
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a
simple and standard method from desktop and web applications.” oauth.net
—˛
User Client Resources Owns Accesses Authorises
The flow
User clicks “sign in” in the client application
None
The user is redirected to the resource server and asked
to sign in
None
GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld
The resource server clearly tells the user the specific data
the client wants to access
None
User authorises the application and is redirected back to client
with a authorisation code in the query string
HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s
Client exchanges the authorisation code for an access token
POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect
HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526
}
The access token can then be used as authorisation by
the client to access the specified resources for a specific length of time
Advantages
No password sharing <- Happy security conscious user
Developers just need to implement a redirect and a POST
request <- Happy developers
Users can revoke access tokens for specific clients
None
Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately
None
None
Currently version 1.0a lncn.eu/giy
Version 2.0 is almost finished lncn.eu/bkw
OAuth 2.0 •Simpler •Requires all communication over SSL •New flows
•Better UX
Who’s using OAuth?
None
And in HE?
None
None
None
data.lincoln.ac.uk people energy location printing events calendars bibliographic documents
Internal and external authorisation
Open source 2.0 server lncn.eu/ar6
Any questions?
Thank you @jacksonj04