Link
Embed
Share
Beginning
This slide
Copy link URL
Copy link URL
Copy iframe embed code
Copy iframe embed code
Copy javascript embed code
Copy javascript embed code
Share
Tweet
Share
Tweet
Slide 1
Slide 1 text
Wednesday, 30 May 12
Slide 2
Slide 2 text
Alex Bilbie University of Lincoln @alexbilbie Wednesday, 30 May 12
Slide 3
Slide 3 text
Story time! Wednesday, 30 May 12
Slide 4
Slide 4 text
I’m a user of a web service Wednesday, 30 May 12
Slide 5
Slide 5 text
I own resources on the web service Wednesday, 30 May 12
Slide 6
Slide 6 text
For example, personal details Wednesday, 30 May 12
Slide 7
Slide 7 text
Wednesday, 30 May 12
Slide 8
Slide 8 text
These resources1 are stored on a resource server 2 1. personal details 2. facebook.com Wednesday, 30 May 12
Slide 9
Slide 9 text
The resource server exposes user resources over an API Wednesday, 30 May 12
Slide 10
Slide 10 text
I visit a 3rd party web application Wednesday, 30 May 12
Slide 11
Slide 11 text
The 3rd party web app is called a client Wednesday, 30 May 12
Slide 12
Slide 12 text
The client1 wants to use my resources2 1. 3rd party web app 2. personal details Wednesday, 30 May 12
Slide 13
Slide 13 text
But the resource server’s API requires user authorisation Wednesday, 30 May 12
Slide 14
Slide 14 text
How? Wednesday, 30 May 12
Slide 15
Slide 15 text
Give the client my password Wednesday, 30 May 12
Slide 16
Slide 16 text
Give the client my password Wednesday, 30 May 12
Slide 17
Slide 17 text
So what then? Wednesday, 30 May 12
Slide 18
Slide 18 text
OAuth Wednesday, 30 May 12
Slide 19
Slide 19 text
“An open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.” oauth.net Wednesday, 30 May 12
Slide 20
Slide 20 text
—˛ Wednesday, 30 May 12
Slide 21
Slide 21 text
User Client Resources Owns Accesses OWNS OWNS S Authorises Wednesday, 30 May 12
Slide 22
Slide 22 text
The flow Wednesday, 30 May 12
Slide 23
Slide 23 text
User clicks “sign in” in the client application Wednesday, 30 May 12
Slide 24
Slide 24 text
Wednesday, 30 May 12
Slide 25
Slide 25 text
The user is redirected to the resource server and asked to sign in Wednesday, 30 May 12
Slide 26
Slide 26 text
Wednesday, 30 May 12
Slide 27
Slide 27 text
GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld Wednesday, 30 May 12
Slide 28
Slide 28 text
The resource server clearly tells the user the specific data the client wants to access Wednesday, 30 May 12
Slide 29
Slide 29 text
Wednesday, 30 May 12
Slide 30
Slide 30 text
User authorises the application and is redirected back to client with a authorisation code in the query string Wednesday, 30 May 12
Slide 31
Slide 31 text
HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s Wednesday, 30 May 12
Slide 32
Slide 32 text
Client exchanges the authorisation code for an access token Wednesday, 30 May 12
Slide 33
Slide 33 text
POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect Wednesday, 30 May 12
Slide 34
Slide 34 text
HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526 } Wednesday, 30 May 12
Slide 35
Slide 35 text
The access token can then be used as authorisation by the client to access the specified resources for a specific length of time Wednesday, 30 May 12
Slide 36
Slide 36 text
Advantages Wednesday, 30 May 12
Slide 37
Slide 37 text
No password sharing <- Happy security conscious user Wednesday, 30 May 12
Slide 38
Slide 38 text
Developers just need to implement a redirect and a POST request <- Happy developers Wednesday, 30 May 12
Slide 39
Slide 39 text
Users can revoke access tokens for specific clients Wednesday, 30 May 12
Slide 40
Slide 40 text
Wednesday, 30 May 12
Slide 41
Slide 41 text
Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately Wednesday, 30 May 12
Slide 42
Slide 42 text
Wednesday, 30 May 12
Slide 43
Slide 43 text
Wednesday, 30 May 12
Slide 44
Slide 44 text
Currently version 1.0a lncn.eu/giy Wednesday, 30 May 12
Slide 45
Slide 45 text
Version 2.0 is almost finished lncn.eu/bkw Wednesday, 30 May 12
Slide 46
Slide 46 text
OAuth 2.0 •Simpler •Requires all communication over SSL •New flows •Better UX Wednesday, 30 May 12
Slide 47
Slide 47 text
Who’s using OAuth? Wednesday, 30 May 12
Slide 48
Slide 48 text
Wednesday, 30 May 12
Slide 49
Slide 49 text
v1.0a and v2.0 v1.0a v1.0a v2.0 (prev v1.0a) v2.0 v2.0 (prev v1.0a) v2.0 (prev v1.0a) v2.0 Wednesday, 30 May 12
Slide 50
Slide 50 text
And in HE? Wednesday, 30 May 12
Slide 51
Slide 51 text
Wednesday, 30 May 12
Slide 52
Slide 52 text
Wednesday, 30 May 12
Slide 53
Slide 53 text
Wednesday, 30 May 12
Slide 54
Slide 54 text
data.lincoln.ac.uk people energy location printing events calendars bibliographic documents Wednesday, 30 May 12
Slide 55
Slide 55 text
Internal and external authorisation Wednesday, 30 May 12
Slide 56
Slide 56 text
Single Sign-On Wednesday, 30 May 12
Slide 57
Slide 57 text
Blackboard (SAML) Zendesk (SAML) Get Satisfaction (OAuth) WordPress (OAuth) Exchange (ADFS) Sharepoint (ADFS) Gmail (SAML) + OAuth clients (internal + external) Wednesday, 30 May 12
Slide 58
Slide 58 text
Open source 2.0 server lncn.eu/ar6 Wednesday, 30 May 12
Slide 59
Slide 59 text
Any questions? Wednesday, 30 May 12
Slide 60
Slide 60 text
Thank you @alexbilbie Wednesday, 30 May 12