OAuth

Presented at the NodeJS-Dilli meetup


Ravi Suhag

July 25, 2015

Transcript

2. OAuth

   The OAuth authorization framework enables a third-party application to obtain limited access to an HTTP service without the user having to share their password with that application.
3. OAuth Flow

   Roles:
   • Consumer (client)
   • Service provider (server)
   • User (resource owner)

   Flow:
   • 2-legged
   • 3-legged
   • n-legged
4. OAuth Terminology (RFC 5849 names in parentheses)

   • consumer key (client credential)
   • consumer secret (client credential)
   • request token (temporary credential)
   • request secret (temporary credential)
   • access token (token credential)
   • access secret (token credential)
5. OAuth 1.0 - RFC 5849

   Specification structure:
   • Introduction
   • Redirection-Based Authorization
   • Authenticated Requests
   • Security Considerations
7. OAuth 1.0 - Security framework

   • Goes beyond HTTP Basic auth
   • Primarily designed for insecure transport: request signatures protect requests even over plain HTTP (non-HTTPS), although RFC 5849 still recommends TLS for confidentiality
   • Signed requests resist MITM (man-in-the-middle) tampering
   • Decoupling of username and password from the access token
   • Signature methods: HMAC-SHA1 and RSA-SHA1 (the PLAINTEXT method exists too, but is only safe over TLS)
   • Two channels: a front-channel used to engage the resource owner and request authorization, and a back-channel used by the client to interact directly with the server
8. OAuth 1.0 - Signature and Hash

   • Digital signatures for requests
   • Hash algorithm + shared secret (HMAC-SHA1, RSA-SHA1, etc.)
   • Timestamp and nonce, so that a request captured by network sniffing cannot be replayed against the server
   OAuth playground: http://nouncer.com/oauth/authentication.html