OAuth is an open standard for authorization. OAuth gives client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process by which resource owners can authorize third-party access to their server resources without sharing their credentials, but it became a big mess.
OAuth.io
OAUTH YOU SAID?
Why OAuth?
Provide a standard way to access protected resources, without sharing passwords.
AMAZING! BUT HOW?
Tokens!
- The middle-man between the service and the OAuth provider.
- Never share your Facebook credentials with a service.
- Today, almost any app needing access or permissions relies on OAuth.
Before? Basic Auth.
- Users had to provide their Facebook credentials to third-party services.
- Not secure. Intrusive. Inconvenient.
Started as a Protocol
OAuth was first designed to be interoperable and super easy to implement for developers.
Ended up as a Framework
OAuth 2.0 has been reclassified as a framework, which means no interoperability and no backward compatibility :/
So yes, OAuth is broken
- 30+ different implementations.
- Two separate flows for token retrieval.
- Resources' names and parameters differ from one provider to another.
- A nightmare for developers: lots of potential traps. No hope for a good learning curve…
Many versions in 5 years
- OAuth 1.0 = October 2007
- OAuth 1.0a = June 2009
- OAuth 2.0 first draft = early 2010
- OAuth 2.0 final = late 2011
OAuth 1.0a was limited
- Complex signature scheme.
- Almost no control over token expiry.
- No permission management.
OAuth 2.0 compromise
- More flexible but less interoperable.
- SSL rather than signatures.
- Easier to implement.
- No backward compatibility.
4 quick definitions
- Resource Owner: the user who wants to share a resource, e.g. the owner of the Facebook photos.
- Client: the application that wants to leverage a resource hosted by a third party, e.g. the photo printing website.
- Authorization Server: the entity that decides to grant access to the client (application), e.g. Facebook's authorization server.
- Resource Server: the place where the third-party resource is hosted, e.g. Facebook's server where the photos to print are.
The Flow
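The authorization-code flow between the four roles defined above, as an added example that is not part of the original slides: the client id, client secret, redirect URI, scope name and photo names are constructed for the example, and all four parties run in one process rather than over HTTPS. It shows the two checks that make the flow safe to delegate: the client verifies the `state` it sent comes back on the callback, and the authorization server redeems each code exactly once, only for the registered redirect URI and an authenticated client.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration: the photo-printing site is a client known to the authorization server.
CLIENTS = {"photo-printer": {"secret": "printer-secret", "redirect_uri": "https://printer.example/cb"}}

class AuthorizationServer:  # decides whether to grant access (e.g. Facebook's authorization server)
    def __init__(self):
        self.codes = {}   # one-time authorization codes -> (client_id, redirect_uri, scope)
        self.tokens = {}  # issued access tokens -> granted scope
    def authorize(self, client_id, redirect_uri, scope, state, user_consents):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")  # never redirect elsewhere
        if not user_consents:  # the resource owner refused: no code, only an error on the callback
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code, redirect_uri):
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise ValueError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return {"access_token": token, "token_type": "bearer", "scope": entry[2]}

class ResourceServer:  # hosts the photos; accepts only tokens the authorization server issued
    def __init__(self, auth_server, photos):
        self.auth, self.photos = auth_server, photos
    def get_photos(self, bearer_token):
        scope = self.auth.tokens.get(bearer_token)
        if scope is None or "photos:read" not in scope.split():
            raise PermissionError("invalid token or insufficient scope")
        return list(self.photos)

def run_flow(user_consents=True):  # the client (photo-printing site) drives the flow
    auth = AuthorizationServer()
    resources = ResourceServer(auth, ["IMG_001.jpg", "IMG_002.jpg"])  # constructed sample photos
    state = secrets.token_urlsafe(8)  # tied to the user's session; checked when the callback arrives
    callback = auth.authorize("photo-printer", "https://printer.example/cb", "photos:read", state, user_consents)
    params = parse_qs(urlparse(callback).query)
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in params: return None  # access denied by the resource owner
    grant = auth.token("photo-printer", "printer-secret", params["code"][0], "https://printer.example/cb")
    return resources.get_photos(grant["access_token"])  # returns ["IMG_001.jpg", "IMG_002.jpg"]
```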
Further reading
- OAuth 1.0 Specs: http://tools.ietf.org/html/rfc5849
- OAuth 2.0 Specs: https://tools.ietf.org/html/rfc6749
- Fuck OAuth, talk by Eran Hammer: http://vimeo.com/52882780
- Read our full OAuth Tutorial
Credits
The Big Lebowski
Walker Texas Ranger aka Chuck (the 1st) Norris
Jackie Brown
2001: A Space Odyssey
R2D2: Star Wars (Dagobah)
C3PO: Star Wars (Tatooine)
Las Vegas Parano
Terminator
Forrest Gump
Austin Powers
Judge Dredd
With OAuth.io
Integrate any of our 100+ OAuth providers in minutes the SAME WAY.
TAKE A LOOK: OAuth Popup with Facebook