The How of OAuth OAuth Hackathon – 4/26 @ Six Apart http://icanhaz.com/oauth

The How of OAuth

or: How I learned to stop worrying and fall in love with Factory Joe

OAuth’s Goal

• Website X can access your protected data at API Y
  – All without sharing your password off-site
  – especially when there isn’t one like with OpenID

OAuth gives you:

• Signed HTTP Requests
• Safe, Password-less Token Exchange

The Three Actors

• User – My Buddy (not me)
• Service Provider – Chuck E. Cheese
• Consumer – 10 yr old kids

The Three Tokens

• Access Tokens – Chuck E. Cheese Tickets
• Request Tokens – Chuck E. Cheese Tokens
• Consumer Keys

The Three URLs

• Request Token Issuer
• Authorization Page
• Access Token Exchanger

Building a Consumer

Get a consumer key and secret

Simple enough, eh?

Get a Request Token

Authorize the Request Token

Exchange for an Access Token

Making Authenticated Calls

Building a Service Provider

Data to store

• Consumers: – key, secret, callback_url

• Request Token: – token, secret, consumer, authorizing_user

• Access Token: – token, secret, consumer, user

Registering Consumers

Issuing Request Tokens

• Verify using only the consumer credential

Issuing Request Tokens

• Issue the request token

Authorizing Request Tokens

• Ask the user to accept the authorization

Authorizing Request Tokens

• Connecting the logged in user
• go back to consumer

Exchange for an Access Token

• Validate using Request Token and Consumer

Exchange for an Access Token

• Issue the Access Token
• Destroy the Request Token

Protecting Resources

• Validate Access Token

OAuth Hackathon – 4/26 @ Six Apart

http://icanhaz.com/oauth

Thanks!