Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 101

Avatar for Nick Jackson Nick Jackson
February 20, 2012
Technology
3
360

OAuth 101

A crash course on the basics of OAuth which I gave at Dev8D 2012.
Avatar for Nick Jackson

Nick Jackson

February 20, 2012
Tweet

More Decks by Nick Jackson

See All by Nick Jackson
It's all about the data.
Avatar for Nick Jackson jacksonj04
0
73
Development Tools
Avatar for Nick Jackson jacksonj04
0
92
Eating Your Own Dog Food
Avatar for Nick Jackson jacksonj04
0
330
LNCD and The Cloud
Avatar for Nick Jackson jacksonj04
0
110
MongoDB 101
Avatar for Nick Jackson jacksonj04
1
110
API Driven Development
Avatar for Nick Jackson jacksonj04
0
210
We Can Haz Ur Datas?!
Avatar for Nick Jackson jacksonj04
0
340
Universal Search at Lincoln
Avatar for Nick Jackson jacksonj04
0
41
Jerome Overview
Avatar for Nick Jackson jacksonj04
0
43

Other Decks in Technology

See All in Technology
Witchcraft for Memory
Avatar for pocke pocke
1
220
A2Aのクライアントを自作する
Avatar for Ryunosuke Iwai rynsuke
1
170
Liquid Glass革新とSwiftUI/UIKit進化
Avatar for Fumiya Sakai fumiyasac0921
0
180
_第3回__AIxIoTビジネス共創ラボ紹介資料_20250617.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
150
標準技術と独自システムで作る「つらくない」SaaS アカウント管理 / Effortless SaaS Account Management with Standard Technologies & Custom Systems
Avatar for Yuya Takeyama yuyatakeyama
3
1.2k
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
Avatar for you(@youtoy) you
PRO
0
110
Кто отправит outbox? Валентин Удальцов, автор канала Пых
Avatar for Lamoda Tech lamodatech
0
330
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
Avatar for t-hiroto tiltmax3
0
300
2年でここまで成長!AWSで育てたAI Slack botの軌跡
Avatar for iwamot iwamot
PRO
4
650
Model Mondays S2E02: Model Context Protocol
Avatar for Nitya Narasimhan, PhD nitya
0
220
第9回情シス転職ミートアップ_テックタッチ株式会社
Avatar for forester3003 forester3003
0
220
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
110

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
Done Done
Avatar for chrislema chrislema
184
16k
Navigating Team Friction
Avatar for Lara Hogan lara
187
15k
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
It's Worth the Effort
Avatar for 3n 3n
185
28k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
3k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
277
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
281
13k

Transcript

  1. None

  2. Nick Jackson Web Monkey University of Lincoln @jacksonj04

  3. Story time!

  4. I’m a user of a web service

  5. I own resources on the web service

  6. For example, personal details

  7. None

  8. These resources1 are stored on a resource server 2 1.

    personal details 2. facebook.com

  9. The resource server exposes user resources over an API

  10. I visit a 3rd party web application

  11. The 3rd party web app is called a client

  12. The client1 wants to use my resources2 1. 3rd party

    web app 2. personal details

  13. But the resource server’s API requires user authorisation

  14. How?

  15. Give the client my password

  16. Give the client my password

  17. So what then?

  18. OAuth

  19. “An open protocol to allow secure API authorisation in a

    simple and standard method from desktop and web applications.” oauth.net

  20. —˛

  21. User Client Resources Owns Accesses Authorises

  22. The flow

  23. User clicks “sign in” in the client application

  24. None

  25. The user is redirected to the resource server and asked

    to sign in
  26. None

  27. GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld

  28. The resource server clearly tells the user the specific data

    the client wants to access
  29. None

  30. User authorises the application and is redirected back to client

    with a authorisation code in the query string

  31. HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s

  32. Client exchanges the authorisation code for an access token

  33. POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect

  34. HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526

    }

  35. The access token can then be used as authorisation by

    the client to access the specified resources for a specific length of time

  36. Advantages

  37. No password sharing <- Happy security conscious user

  38. Developers just need to implement a redirect and a POST

    request <- Happy developers

  39. Users can revoke access tokens for specific clients

  40. None

  41. Nefarious clients can have their credentials revoked and all associated

    access tokens destroyed immediately
  42. None
  43. None

  44. Currently version 1.0a lncn.eu/giy

  45. Version 2.0 is almost finished lncn.eu/bkw

  46. OAuth 2.0 •Simpler •Requires all communication over SSL •New flows

    •Better UX

  47. Who’s using OAuth?

  48. None

  49. And in HE?

  50. None
  51. None
  52. None

  53. data.lincoln.ac.uk people energy location printing events calendars bibliographic documents

  54. Internal and external authorisation

  55. Open source 2.0 server lncn.eu/ar6

  56. Any questions?

  57. Thank you @jacksonj04