ADUG 21-Oct 2013Grahame Grieve

The OAuth Protocol

• Allows an application to login users using someone else’s login details (without seeing their password)

• Protocol is web based– Web sites– Mobile Applications– Desktop Applications

What are User Resources?

• User Information– Email Address– Real world Identifying Information (name, etc)– Google/Facebook friend list

• User specific services– Post to facebook wall– Storage (e.g. DropBox)– Health Care information

OAuth Parties

• User– User who wants to achieve something

• Service Provider– Can authenticate the user (password etc)– Has things the user owns

• Service Consumer– Needs to use User’s resources (e.g. for the user)– Trusted by the service provider and the user

OAuth Parties

• User– User who wants to achieve something

• Service Provider– Can authenticate the user (password etc)– Has things the user owns

• Service Consumer– Needs to use User’s resources (e.g. for the user)– Trusted by the service provider and the user

Authorization vs Authentication

• Service Consumer doesn’t know who the user is

• Just knows that the Service Provider authorises the consumer to do things on behalf of anonymous user

• Which may include identifying information… if service provider authenticated the user

OAuth Example

• Desktop Application

• Allows user to load/save application configuration to their Dropbox store

OAuth Pro’s & Cons

• Delegate User Authentication problems

• Well understood protocol

• Amazing services on offer

• Relatively Simple API

• Each implementation differs – it’s a technique

• Documentation confusing and byzantine

• Errors obtuse and misleading

• Not a full solution yet

http://www.healthintersections.com.au/?p=1554