Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OAuth 101
Search
Nick Jackson
February 20, 2012
Technology
3
350
OAuth 101
A crash course on the basics of OAuth which I gave at Dev8D 2012.
Nick Jackson
February 20, 2012
Tweet
Share
More Decks by Nick Jackson
See All by Nick Jackson
It's all about the data.
jacksonj04
0
68
Development Tools
jacksonj04
0
84
Eating Your Own Dog Food
jacksonj04
0
320
LNCD and The Cloud
jacksonj04
0
110
MongoDB 101
jacksonj04
1
100
API Driven Development
jacksonj04
0
200
We Can Haz Ur Datas?!
jacksonj04
0
330
Universal Search at Lincoln
jacksonj04
0
39
Jerome Overview
jacksonj04
0
40
Other Decks in Technology
See All in Technology
VPoE Meetup Vol.1 VPoEとして実践してきたことと反省点
coconala_engineer
2
120
多数のWebサービスをECS/Fargate構成で効率よく構築・運用するなら copilot-cli
interu
2
170
JAWS-UG 事務局 の「これまで」から みんなで「ここから」を考えよう
miu_crescent
2
140
ラブグラフ紹介資料 〜プロダクト解体新書〜 / Lovegraph Product Deck
lovegraph
0
14k
データ分析基盤のためにS3を深堀りする~アーキテクチャ設計の考え方のヒントに~
nrinetcom
PRO
1
760
自然言語処理を役立てるのはなぜ難しいのか
pfn
PRO
16
4.3k
生成AI入門
shukob
0
150
Microsoft 365 でデータセキュリティを強化しよう
sophiakunii
2
470
パートナー企業のテクニカルサポートエンジニアとして気になる、より良い AWS サポートの利活用について
kazzpapa3
1
220
RAG: from dumb implementation to serious results
glaforge
0
640
ゼロからはじめる生成AI〜AWS認定とハンズオンで学ぶ初心者の道〜
kenichinakamura
0
130
The road to green code (with Sonar)
bluehats
0
150
Featured
See All Featured
Testing 201, or: Great Expectations
jmmastey
38
7k
Six Lessons from altMBA
skipperchong
26
3.4k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
Designing Experiences People Love
moore
138
23k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Facilitating Awesome Meetings
lara
49
6k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Ruby is Unlike a Banana
tanoku
96
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
Optimizing for Happiness
mojombo
375
69k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Transcript
None
Nick Jackson Web Monkey University of Lincoln @jacksonj04
Story time!
I’m a user of a web service
I own resources on the web service
For example, personal details
None
These resources1 are stored on a resource server 2 1.
personal details 2. facebook.com
The resource server exposes user resources over an API
I visit a 3rd party web application
The 3rd party web app is called a client
The client1 wants to use my resources2 1. 3rd party
web app 2. personal details
But the resource server’s API requires user authorisation
How?
Give the client my password
Give the client my password
So what then?
OAuth
“An open protocol to allow secure API authorisation in a
simple and standard method from desktop and web applications.” oauth.net
—˛
User Client Resources Owns Accesses Authorises
The flow
User clicks “sign in” in the client application
None
The user is redirected to the resource server and asked
to sign in
None
GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld
The resource server clearly tells the user the specific data
the client wants to access
None
User authorises the application and is redirected back to client
with a authorisation code in the query string
HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s
Client exchanges the authorisation code for an access token
POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect
HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526
}
The access token can then be used as authorisation by
the client to access the specified resources for a specific length of time
Advantages
No password sharing <- Happy security conscious user
Developers just need to implement a redirect and a POST
request <- Happy developers
Users can revoke access tokens for specific clients
None
Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately
None
None
Currently version 1.0a lncn.eu/giy
Version 2.0 is almost finished lncn.eu/bkw
OAuth 2.0 •Simpler •Requires all communication over SSL •New flows
•Better UX
Who’s using OAuth?
None
And in HE?
None
None
None
data.lincoln.ac.uk people energy location printing events calendars bibliographic documents
Internal and external authorisation
Open source 2.0 server lncn.eu/ar6
Any questions?
Thank you @jacksonj04