OAuth 2.0 Open Protocol Standard for Authorization Saadhvi Summit Nirmal Kumar Date : 2 April 2012 - 4:00 PM IST

Saadhvi Summit - oAuth Standards


Page 1: Saadhvi Summit - oAuth Standards

OAuth 2.0: Open Protocol Standard for Authorization

Saadhvi Summit
Nirmal Kumar
Date: 2 April 2012 - 4:00 PM IST

Page 2: Saadhvi Summit - oAuth Standards

OAuth - Overview

OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials: the other site is issued tokens instead of the user's username and password.

Page 3: Saadhvi Summit - oAuth Standards


Need for Authorization Standard

Page 4: Saadhvi Summit - oAuth Standards

Secure Way to Access User Resources?

Is there a secure way for an external application, say WordPress, where you already have an account, to access your Flickr photos and albums?

- Access user resources (photos, albums etc.)

Page 5: Saadhvi Summit - oAuth Standards

Secure Way to Access User Resources?

Is there a secure way for an external application, say Facebook, where you already own an account, to access your Gmail address book or contact list?

- Access user contacts from a Gmail account

Page 6: Saadhvi Summit - oAuth Standards

Should I Expose My Credentials?

Access user resources (photos, albums etc.)

Access user contacts from a Gmail account

Should I have to expose my Flickr account credentials to Facebook?

Should I have to expose my Gmail account credentials to Facebook?

Page 7: Saadhvi Summit - oAuth Standards

User Credentials Compromise


Page 8: Saadhvi Summit - oAuth Standards

User Credentials Compromise

1. Applications cannot be trusted.
2. The user's password might be misused to access other information in that account.
3. The user might use the same password for a variety of applications, and this creates a security threat.
4. Changing the password will not be reflected in the trusted applications.

Page 9: Saadhvi Summit - oAuth Standards

What OAuth Standard Provides

A way for an application to interact with a service on the user's behalf without requiring the user's account credentials.

Page 10: Saadhvi Summit - oAuth Standards

The Car Valet Parking

Regular Key (Car Owner):
- Full access
- Provides the necessary access to a valet through the valet key
- Can revoke that access in time of threat

Valet Key (Valet):
- Limited access
- Cannot change anything without the authorization of the resource owner

Page 11: Saadhvi Summit - oAuth Standards

How does this work?

Diagram: the User owns the User Resources held by the API Provider Services, the User authorizes the API Client Application, and the API Client Application accesses the User Resources.

Page 12: Saadhvi Summit - oAuth Standards

How does this work?

Example prompt: "Import Contacts from your Google Account"

Page 13: Saadhvi Summit - oAuth Standards

Sample: Twitter - Authorize

Revoke access to applications at any time.

Page 14: Saadhvi Summit - oAuth Standards

How does this work?

1. The client application sends an authorization request to the API service provider with its client ID key and secret.
2. The user is redirected to a prompt: "Authorize Application X to access your Account". The user can either authorize or reject.
3. If the user authorizes, they are redirected back to the client application with an authorization code in the URL.
4. The API client web application uses this authorization code to send a request to the API server asking for a token.
5. The client application uses that token to access the authorized data in the user's account.
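As an added example (not from the original slides), the steps above simulated end to end in Python, with the API provider's authorization and token endpoints and the client web application in one process; TinyAuthServer, TinyClient, run_flow, the client ID app-x, its secret and the callback URL are all constructed for illustration. It also shows two checks the slide leaves implicit: the client's state nonce tying the callback to its own request, and the server issuing each code to the registered redirect URI only, for single use, with a short expiry.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

class TinyAuthServer:
    """API provider side (constructed stand-in): authorization endpoint and token endpoint."""
    def __init__(self, registrations):
        self.registrations = registrations  # client_id -> (client_secret, redirect_uri)
        self.codes = {}                      # code -> (client_id, redirect_uri, scope, expiry)
    def authorize(self, client_id, redirect_uri, scope, state, user_approved):
        # The "Authorize Application X to access your Account" prompt; the code goes only to the registered URI
        _, registered_uri = self.registrations[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        if not user_approved:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)  # short-lived code
        return registered_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the client authenticates with its secret; pop() makes each code single use
        secret, _ = self.registrations.get(client_id, ("", None))
        if not secret or not secrets.compare_digest(client_secret, secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri) or entry[3] < time.time():
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": entry[2]}

class TinyClient:
    """Client web application side: build the redirect, check state, exchange the code."""
    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.creds, self.redirect_uri, self.server, self.pending_state = (client_id, client_secret), redirect_uri, server, None
    def begin(self, scope):
        # state is a per-request nonce so the callback can be tied back to this session
        self.pending_state = secrets.token_urlsafe(16)
        return {"client_id": self.creds[0], "redirect_uri": self.redirect_uri, "scope": scope,
                "state": self.pending_state, "response_type": "code"}
    def finish(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") != self.pending_state:
            raise ValueError("state mismatch: callback does not belong to our request")
        self.pending_state = None
        return q if "error" in q else self.server.token(*self.creds, q["code"], self.redirect_uri)
def run_flow(user_approved=True):
    # Drive the whole exchange with constructed registration data; returns (result, callback_url, server)
    server = TinyAuthServer({"app-x": ("s3cret", "https://app-x.example/callback")})
    client = TinyClient("app-x", "s3cret", "https://app-x.example/callback", server)
    req = client.begin("contacts.read")
    cb = server.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"], user_approved)
    return client.finish(cb), cb, server
```

Calling `run_flow()` returns a bearer token for the approved case and an `access_denied` error when the user rejects; replaying the callback's code against `server.token` fails because the code was consumed.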

Page 15: Saadhvi Summit - oAuth Standards

How does this work?

Page 16: Saadhvi Summit - oAuth Standards

OAuth Benefits

1. Can be integrated in web, mobile and other home devices.
2. No more sharing of passwords or user credentials with other applications, so no security hassles for the user.
3. Developers just need to implement a redirect and a POST request, so it is flexible for developers.
4. Users can revoke access tokens for specific clients at any time.
5. Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately.

Page 17: Saadhvi Summit - oAuth Standards

List of OAuth Service Providers

- Facebook: OAuth 2.0
- Foursquare: OAuth 2.0
- GitHub: OAuth 2.0
- Google: OAuth 2.0
- Microsoft (Hotmail, Messenger, Xbox): OAuth 2.0
- LinkedIn: OAuth 2.0
- MySpace: OAuth 1.0a
- Netflix: OAuth 1.0a
- StatusNet: OAuth 1.0a
- Twitter: OAuth 1.0a
- Vimeo: OAuth 1.0a
- Yahoo!: OAuth 1.0a

Page 18: Saadhvi Summit - oAuth Standards

References

- http://en.wikipedia.org/wiki/OAuth#OAuth_2.0
- http://oauth.net/
- http://oauth.net/documentation/getting-started/
- https://code.google.com/apis/console/
- http://hueniverse.com/oauth/guide/workflow/
- https://developers.google.com/accounts/docs/OAuth2

Page 19: Saadhvi Summit - oAuth Standards

Demo: Access Google Tasks from Tracksheet

Page 20: Saadhvi Summit - oAuth Standards

Questions?

Page 21: Saadhvi Summit - oAuth Standards

Thank You.

Contact Saadhvi Summit Nirmal Kumar @nirmal_kumar