2. About me!
Marvin Hoffmann (B.Sc.)
Computer Science and Media
Semester 2
Why am I here?
Security will always be a key aspect
of application development
6. Once upon a time...
you had to pass your username and
password to let applications use
one another
Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
8. That of course...
is something we don't want to be necessary!
Pass username and password?
No thanks.
There must be another way!
9. What do we want then?
distinguish between different
applications (and us)
give different rights to each (scoping)
be able to revoke rights once they
were granted
standardized approach in granting
access
12. We need a standard!
many custom-built solutions
before OAuth
Flickr: „FlickrAuth“
Google: „AuthSub“
Facebook: requests signed with
MD5 Hashes
Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
13. What's in the protocol?
OAuth 1 is based on „FlickrAuth“ and
Google's „AuthSub“
OAuth2 is a completely new protocol
defines different flows, useful for
different requirements (native
Client, Website, mobile App)
we'll soon see what such a flow can
look like
Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
15. OAuth and Facebook
looks familiar?
Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
16. How to get there 1
register your application or website
as Facebook-Application to get
your App credentials
an App ID / API Key
an App Secret
(tokens you get are only valid for
your Facebook-App)
17. How to get there 2
add App-ID and App-Secret to your
code
example:
$facebook = new Facebook(array(
'appId' => 'YOUR_APP_KEY',
'secret' => 'YOUR_APP_SECRET'));
your App/Website will now be
identified correctly
The domain will be checked as well!
18. How to get there 3
define what your app needs to use
e.g. „Post to Facebook as me“;
„Access basic information“
example:
<fb:login-button show-faces="true" width="500" max-rows="1"
perms="user_useralbums, read_stream, publish_stream"></fb:login-button>
rights? See photos, read from and
write to stream
19. How to get there 4
App-ID
App-Secret
Domain
Source: https://developers.facebook.com/apps/
20. How to get there 5
You're good to go!
Your App/Website will now be
identified (always) and the user
has to grant specific rights (once)
27. Little more details
Request:
https://www.facebook.com/dialog/oauth?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
scope=email,read_stream
Response:
http://YOUR_URL?
code=A_CODE_GENERATED_BY_SERVER
Request:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&
code=THE_CODE_FROM_ABOVE (save it!)
Response: access_token and time in seconds until the token expires
Source: https://developers.facebook.com/docs/authentication/
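The two request/response pairs on this slide, played through end to end as an added example (it is not part of the deck and not Facebook's SDK). Both sides are modelled in-process so it runs offline: StandInAuthServer is a stand-in for the dialog and token endpoints, every id, secret, code and token is a constructed placeholder, and the token response is assumed to be form-encoded as access_token=...&expires=.... The state parameter is an addition from RFC 6749 that the slides do not show; it lets the client reject a redirect it did not start.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint URLs as on the slides. Every id, secret, code and token is a
# constructed placeholder, and StandInAuthServer is a stand-in, not Facebook.
DIALOG_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
APP_ID, APP_SECRET, APP_URL = "YOUR_APP_ID", "YOUR_APP_SECRET", "http://YOUR_URL"


def query_of(url):
    """Flatten the query string of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def form_of(body):
    """Flatten a form-encoded response body (access_token=...&expires=...)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


class StandInAuthServer:
    """Stand-in for the dialog and token endpoints, with one registered app."""

    def __init__(self):
        self.apps = {APP_ID: (APP_SECRET, APP_URL)}  # client_id -> (secret, redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, scope); each code is single use
        self.tokens = {}   # access_token -> (client_id, scope, expires_at)

    def dialog(self, url):
        """First request/response: the user approves; redirect back with a one-time code."""
        q = query_of(url)
        secret, registered_uri = self.apps.get(q.get("client_id"), (None, None))
        if secret is None or q.get("redirect_uri") != registered_uri:
            raise ValueError("unknown client_id, or redirect_uri not registered for it")
        code = "CODE_" + secrets.token_hex(8)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""))
        back = {"code": code}
        if "state" in q:               # echoed unchanged so the client can verify it
            back["state"] = q["state"]
        return q["redirect_uri"] + "?" + urlencode(back)

    def token(self, url):
        """Second request/response: code + client_secret in, access_token + expiry out."""
        q = query_of(url)
        entry = self.codes.pop(q.get("code"), None)   # consumed on first use, valid or not
        if entry is None:
            return urlencode({"error": "invalid_grant"})
        client_id, redirect_uri, scope = entry
        if (q.get("client_id"), q.get("redirect_uri")) != (client_id, redirect_uri):
            return urlencode({"error": "invalid_grant"})
        if not secrets.compare_digest(q.get("client_secret", ""), self.apps[client_id][0]):
            return urlencode({"error": "invalid_client"})
        token = "TOKEN_" + secrets.token_hex(16)
        expires = 5184000                              # constructed lifetime in seconds
        self.tokens[token] = (client_id, scope, time.time() + expires)
        return urlencode({"access_token": token, "expires": expires})


def dialog_url(scope, state):
    """First request of the slide, plus a state value bound to our session."""
    return DIALOG_URL + "?" + urlencode(
        {"client_id": APP_ID, "redirect_uri": APP_URL, "scope": scope, "state": state})


def token_url(code, client_secret=APP_SECRET):
    """Second request of the slide: the code goes back together with the secret."""
    return TOKEN_URL + "?" + urlencode(
        {"client_id": APP_ID, "redirect_uri": APP_URL, "client_secret": client_secret, "code": code})


def run_flow(server, scope="email,read_stream"):
    """Client side of the whole exchange; returns the parsed token response."""
    state = secrets.token_urlsafe(16)
    redirect = server.dialog(dialog_url(scope, state))        # user clicks "Allow"
    q = query_of(redirect)
    if not secrets.compare_digest(q.get("state", ""), state):
        raise ValueError("state mismatch: this redirect was not started by our session")
    return form_of(server.token(token_url(q["code"])))


if __name__ == "__main__":
    print(run_flow(StandInAuthServer()))
```

Two things the slide text leaves implicit are visible here: the client_secret never travels through the browser (it appears only in the server-to-server token request), and a code can be redeemed once only, so a code that leaks after use is worthless.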
29. Environment
„Online & Performance Marketing
Agency“
a LOT of Facebook Marketing
campaigns per month
campaign creation and monitoring
via Facebook Ads Manager (web interface)
Task: integrate into Java Client!
Links: Ads-Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
30. Facebook and Java
just like we learned:
register App with Facebook
get an Access-Token
RestFB:
helpful Library to speak with
GraphAPI in Java
Links: RestFB: http://restfb.com
31. The Problem we had
what if...
... we want to access
information of a page that only
an admin of the page can access?
... we want to add data to an
account, but only admins are
allowed to?
33. What do we want then?
distinguish between different
applications (and us)
give different rights to each (scoping)
be able to revoke rights once they
were granted
standardized approach in granting
access
38. One more thing!
a stolen token is not as horrible as
stolen credentials!
only specific information or
actions can be accessed
no need to change the password
it's easy to revoke access
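The three bullets above, seen from the resource server's side, as an added example that is not part of the deck and not the Graph API: the token table, the operation names and the permission mapping are constructed, with the permission names taken from the login-button slide. A token only reaches what its scope covers, and revoking it ends access without touching the user's password.

```python
import time

# Constructed token table of a stand-in resource server (not the Graph API):
# access_token -> scope the user granted, expiry (epoch seconds), revoked flag.
TOKENS = {
    "TOKEN_read": {"scope": {"read_stream"}, "expires_at": 2_000_000_000, "revoked": False},
    "TOKEN_read_write": {"scope": {"read_stream", "publish_stream"},
                         "expires_at": 2_000_000_000, "revoked": False},
    "TOKEN_old": {"scope": {"read_stream", "publish_stream"},
                  "expires_at": 1_000_000_000, "revoked": False},
}

# Permission each operation needs (constructed mapping; names from the login-button slide).
REQUIRED = {"read_feed": "read_stream", "post_to_feed": "publish_stream"}


def authorize(token, operation, now=None):
    """Decide one request. Returns (allowed, reason) so an access log can carry the reason."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None:
        return False, "unknown token"
    if entry["revoked"]:
        return False, "token revoked"
    if now >= entry["expires_at"]:
        return False, "token expired"
    need = REQUIRED[operation]
    if need not in entry["scope"]:           # a leaked read-only token cannot post
        return False, "scope lacks " + need
    return True, "ok"


def revoke(token):
    """User removes the app on the privacy settings page: the token dies, password unchanged."""
    entry = TOKENS.get(token)
    if entry is None:
        return False
    entry["revoked"] = True
    return True


if __name__ == "__main__":
    print(authorize("TOKEN_read", "post_to_feed"))
    revoke("TOKEN_read_write")
    print(authorize("TOKEN_read_write", "read_feed"))
```

The reason string is the part worth keeping: a spike of "scope lacks ..." or "token revoked" denials for one token is the signal that a token is being used by someone other than the app it was issued to.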
Notes: „if the user has already authorized your app, they will not be prompted to do so again“
offline_access -> the token never loses its validity!