Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Introduction to OAuth
Search
Alex Bilbie
May 30, 2012
Technology
6
2.1k
Introduction to OAuth
Delivered at the Eduserv Federated Access Management conference 2011 on 9th November 2011
Alex Bilbie
May 30, 2012
Tweet
Share
More Decks by Alex Bilbie
See All by Alex Bilbie
12 Factor Laravel Apps
alexbilbie
1
600
The Joy of Open Data
alexbilbie
0
180
API Driven Development
alexbilbie
8
4.8k
Linkey Project
alexbilbie
0
1.5k
Linking You
alexbilbie
2
710
Introduction to HTML5 and CSS3
alexbilbie
3
1.6k
The @lncd toolchain
alexbilbie
2
1.4k
Introduction to MongoDB
alexbilbie
2
330
Other Decks in Technology
See All in Technology
Cloud Native PG 使ってみて気づいたことと最新機能の紹介 - 第52回PostgreSQLアンカンファレンス
seinoyu
2
250
Amazon EKS Auto ModeでKubernetesの運用をシンプルにする
sshota0809
0
130
Lightdashの利活用状況 ー導入から2年経った現在地_20250409
hirokiigeta
0
180
チームの性質によって変わる ADR との向き合い方と、生成 AI 時代のこれから / How to deal with ADR depends on the characteristics of the team
mh4gf
4
360
大規模プロジェクトにおける 品質管理の要点と実践 / 20250327 Suguru Ishii
shift_evolve
0
310
新卒1年目のフロントエンド開発での取り組み/New grad front-end efforts
kaonavi
0
130
Proxmox VE超入門 〜 無料で作れるご自宅仮想化プラットフォームブックマークする
devops_vtj
0
230
こんなデータマートは嫌だ。どんな? / waiwai-data-meetup-202504
shuntak
0
160
TopAppBar Composableをカスタムする
hunachi
0
160
コード品質向上で得られる効果と実践的取り組み
ham0215
2
220
30 代子育て SRE が考える SRE ナレッジマネジメントの現在と将来
kworkdev
PRO
0
170
「家族アルバム みてね」を支えるS3ライフサイクル戦略
fanglang
4
540
Featured
See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
490
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
118
51k
Building an army of robots
kneath
304
45k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
The Language of Interfaces
destraynor
157
24k
BBQ
matthewcrist
88
9.6k
Faster Mobile Websites
deanohume
306
31k
Code Reviewing Like a Champion
maltzj
522
39k
Facilitating Awesome Meetings
lara
53
6.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
22
2.6k
Making the Leap to Tech Lead
cromwellryan
133
9.2k
Agile that works and the tools we love
rasmusluckow
328
21k
Transcript
Wednesday, 30 May 12
Alex Bilbie University of Lincoln @alexbilbie Wednesday, 30 May 12
Story time! Wednesday, 30 May 12
I’m a user of a web service Wednesday, 30 May
12
I own resources on the web service Wednesday, 30 May
12
For example, personal details Wednesday, 30 May 12
Wednesday, 30 May 12
These resources1 are stored on a resource server 2 1.
personal details 2. facebook.com Wednesday, 30 May 12
The resource server exposes user resources over an API Wednesday,
30 May 12
I visit a 3rd party web application Wednesday, 30 May
12
The 3rd party web app is called a client Wednesday,
30 May 12
The client1 wants to use my resources2 1. 3rd party
web app 2. personal details Wednesday, 30 May 12
But the resource server’s API requires user authorisation Wednesday, 30
May 12
How? Wednesday, 30 May 12
Give the client my password Wednesday, 30 May 12
Give the client my password Wednesday, 30 May 12
So what then? Wednesday, 30 May 12
OAuth Wednesday, 30 May 12
“An open protocol to allow secure API authorisation in a
simple and standard method from desktop and web applications.” oauth.net Wednesday, 30 May 12
—˛ Wednesday, 30 May 12
User Client Resources Owns Accesses OWNS OWNS S Authorises Wednesday,
30 May 12
The flow Wednesday, 30 May 12
User clicks “sign in” in the client application Wednesday, 30
May 12
Wednesday, 30 May 12
The user is redirected to the resource server and asked
to sign in Wednesday, 30 May 12
Wednesday, 30 May 12
GET /authorise? response_type=code&client_id=12345&redirect_uri= http://client.tld/ redirect&scope=name,email,birthday HTTP/1.1 Host: resource-server.tld Wednesday, 30
May 12
The resource server clearly tells the user the specific data
the client wants to access Wednesday, 30 May 12
Wednesday, 30 May 12
User authorises the application and is redirected back to client
with a authorisation code in the query string Wednesday, 30 May 12
HTTP/1.1 302 Found Location: http://client.tld/redirect?code=78dsf9sudfo9s Wednesday, 30 May 12
Client exchanges the authorisation code for an access token Wednesday,
30 May 12
POST /token HTTP/1.1 Host: resource-server.tld Content-type: application/x-www-form-urlencoded code=78dsf9sudfo9s&client_id=12345&client_secret =12345&redirect_uri=http://client.tld/redirect Wednesday,
30 May 12
HTTP/1.1 200 OK Content-type: application/json { access_token: “aLKJHskjhda8s13jsi9sis”, valid_until: 1320759526
} Wednesday, 30 May 12
The access token can then be used as authorisation by
the client to access the specified resources for a specific length of time Wednesday, 30 May 12
Advantages Wednesday, 30 May 12
No password sharing <- Happy security conscious user Wednesday, 30
May 12
Developers just need to implement a redirect and a POST
request <- Happy developers Wednesday, 30 May 12
Users can revoke access tokens for specific clients Wednesday, 30
May 12
Wednesday, 30 May 12
Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately Wednesday, 30 May 12
Wednesday, 30 May 12
Wednesday, 30 May 12
Currently version 1.0a lncn.eu/giy Wednesday, 30 May 12
Version 2.0 is almost finished lncn.eu/bkw Wednesday, 30 May 12
OAuth 2.0 •Simpler •Requires all communication over SSL •New flows
•Better UX Wednesday, 30 May 12
Who’s using OAuth? Wednesday, 30 May 12
Wednesday, 30 May 12
v1.0a and v2.0 v1.0a v1.0a v2.0 (prev v1.0a) v2.0 v2.0
(prev v1.0a) v2.0 (prev v1.0a) v2.0 Wednesday, 30 May 12
And in HE? Wednesday, 30 May 12
Wednesday, 30 May 12
Wednesday, 30 May 12
Wednesday, 30 May 12
data.lincoln.ac.uk people energy location printing events calendars bibliographic documents Wednesday,
30 May 12
Internal and external authorisation Wednesday, 30 May 12
Single Sign-On Wednesday, 30 May 12
Blackboard (SAML) Zendesk (SAML) Get Satisfaction (OAuth) WordPress (OAuth) Exchange
(ADFS) Sharepoint (ADFS) Gmail (SAML) + OAuth clients (internal + external) Wednesday, 30 May 12
Open source 2.0 server lncn.eu/ar6 Wednesday, 30 May 12
Any questions? Wednesday, 30 May 12
Thank you @alexbilbie Wednesday, 30 May 12