OAuth


Or: „Why you don‘t have to pass credentials“
About me!
Marvin Hoffmann (B.Sc.)

Computer Science and Media
Semester 2

Why am I here?
Security will always be a key aspect
of application development
What‘s coming?
some history and basics

some OAuth

some Facebook

project reference

conclusion

semester holidays :)
History and basics
Once upon a time...
                          you had to pass your username and
                          password to let applications use
                          one another




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
That of course...

we don‘t want to be necessary!



Pass username and password?

   No thanks.
   There must be another way!
What do we want then?
  distinguish between different
  applications (and us)

  give different rights to each (scoping)

  be able to revoke rights once they
  were granted

  standardized approach in granting
  access
What‘s necessary?
Authentication
Who the heck are you?




            Authorization
            You are allowed to do
            xyz and only xyz!
OAuth
We need a standard!
                           many custom-built solutions
                           before OAuth

                                  Flickr: „FlickrAuth“

                                  Google: „AuthSub“

                                  Facebook: requests signed with
                                  MD5 Hashes




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
What‘s in the protocol?
                          OAuth 1 based on „FlickrAuth“ and
                          Google's „AuthSub“

                          OAuth2 is a completely new protocol

                          defines different flows, useful for
                          different requirements (native
                          client, website, mobile app)

                          we‘ll see soon what such a flow can
                          look like

Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
Facebook
OAuth and Facebook


looks familiar?




Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
How to get there                  1
register your application or website
as Facebook-Application to get
your App credentials

  an App ID / API Key

  an App Secret

(tokens you get are only valid for
your Facebook-App)
How to get there                    2
add App-ID and App-Secret to your
code

example:
// Facebook PHP SDK: identify this app by its App ID and App Secret
$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_KEY',
  'secret' => 'YOUR_APP_SECRET'));


your App/Website will now be
identified correctly

Domain will be checked as well!
How to get there                                 3
define what your app needs to use
e.g. „Post to Facebook as me“;
„Access basic information“

example:
<fb:login-button show-faces="true" width="500" max-rows="1"
perms="user_useralbums, read_stream, publish_stream"></fb:login-button>


rights? See photos, read from and
write to stream
How to get there           4
(screenshot of the app settings page showing:)
App-ID
App-Secret
Domain
Source: https://developers.facebook.com/apps/
How to get there                  5
You‘re good to go!




Your App/Website will now be
identified (always) and the user
has to grant specific rights (once)
HTTP calls flow




Source: https://developers.facebook.com/docs/authentication/
Little more details
          Request:
          https://www.facebook.com/dialog/oauth?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          scope=email,read_stream

          Response:
          http://YOUR_URL?
          code=A_CODE_GENERATED_BY_SERVER

          Request:
          https://graph.facebook.com/oauth/access_token?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          client_secret=YOUR_APP_SECRET&
          code=THE_CODE_FROM_ABOVE

          Response: access_token and time in seconds till token expires
          (save it!)
Source: https://developers.facebook.com/docs/authentication/
Project Reference
     no code :(
Environment
                          „Online & Performance Marketing
                          Agency“

                          a LOT of Facebook Marketing
                          campaigns per month

                          campaign creation and monitoring
                          via Facebook Ads Manager (web-
                          interface)

                          Task: integrate into Java Client!

Links: Ads-Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
Facebook and Java
                           just like we learned:

                                   register App with Facebook

                                   get an Access-Token



                           RestFB:
                           helpful library for talking to the
                           Graph API from Java

Links: RestFB: http://restfb.com
The Problem we had
 what if..


 .. we want to access
 information of a page that only
 an admin of the page can access?


 .. we want to add data to an
 account, but only admins are
 allowed to?
Conclusion
What do we want then?
   distinguish between different
   applications (and us)

   give different rights to each (scoping)

   be able to revoke rights once they
   were granted

   standardized approach in granting
   access
One more thing!
a stolen token is not as horrible as
stolen credentials!

  only the specific information or
  actions it was scoped to can be accessed

  no need to change password

  it‘s easy to revoke access
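The flow from the „Little more details“ slides and the „stolen token“ points above, walked through in a toy Python model. This is an added example, not code from the presentation: the AuthServer class, the hand-advanced clock, the 3600-second token lifetime and all sample values (YOUR_APP_ID, alice, ...) are assumptions.

```python
# Toy model of the slides' flow (dialog URL -> code at redirect_uri -> code + App Secret ->
# access_token with expiry), plus scoped access and revocation. Constructed stand-in, not
# Facebook's implementation: the AuthServer class and the sample values are assumptions.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DIALOG_URL = "https://www.facebook.com/dialog/oauth"         # endpoints from the slides
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
TOKEN_LIFETIME = 3600                                         # seconds (assumed value)

class AuthServer:
    """Provider side: registered apps (App ID, App Secret, domain), codes and tokens."""
    def __init__(self):
        self.now = 1_000_000.0  # fake clock in seconds, advanced by hand to test expiry
        self.apps = {}          # app_id -> (secret, registered redirect_uri)
        self.codes = {}         # code -> (app_id, redirect_uri, scopes, user)
        self.tokens = {}        # access_token -> token record

    def register_app(self, app_id, secret, redirect_uri):
        self.apps[app_id] = (secret, redirect_uri)

    def authorize(self, dialog_url, user):
        """User grants the dialog once; the provider redirects back with a one-time code."""
        q = parse_qs(urlparse(dialog_url).query)
        app_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        scopes = set(q.get("scope", [""])[0].split(",")) - {""}
        if app_id not in self.apps or self.apps[app_id][1] != redirect_uri:
            raise ValueError("unknown app or redirect_uri not on the registered domain")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_id, redirect_uri, scopes, user)
        return redirect_uri + "?" + urlencode({"code": code})

    def exchange(self, token_request_url):
        """Server-to-server step: code + client_secret -> access_token and expiry."""
        q = parse_qs(urlparse(token_request_url).query)
        app_id, secret = q["client_id"][0], q["client_secret"][0]
        code, redirect_uri = q["code"][0], q["redirect_uri"][0]
        if app_id not in self.apps or not secrets.compare_digest(self.apps[app_id][0], secret):
            raise PermissionError("bad client_id or client_secret")
        entry = self.codes.pop(code, None)  # popped: each code can be exchanged only once
        if entry is None or entry[0] != app_id or entry[1] != redirect_uri:
            raise PermissionError("unknown, already used or mismatched code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": entry[3], "scopes": entry[2], "revoked": False,
                              "expires_at": self.now + TOKEN_LIFETIME}
        return {"access_token": token, "expires": TOKEN_LIFETIME}

    def resource(self, token, needed_scope):
        """A Graph API call: the token must be live and carry the scope the call needs."""
        t = self.tokens.get(token)
        if t is None or t["revoked"] or self.now > t["expires_at"]:
            return None
        return {"user": t["user"]} if needed_scope in t["scopes"] else None

    def revoke(self, token):
        """User removes the app in the privacy settings: the token dies, the password stays."""
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

def dialog_request(app_id, redirect_uri, scopes):
    return DIALOG_URL + "?" + urlencode(
        {"client_id": app_id, "redirect_uri": redirect_uri, "scope": ",".join(scopes)})

def token_request(app_id, secret, redirect_uri, code):
    return TOKEN_URL + "?" + urlencode({"client_id": app_id, "redirect_uri": redirect_uri,
                                        "client_secret": secret, "code": code})

def run_demo():
    srv, out = AuthServer(), {}
    srv.register_app("YOUR_APP_ID", "YOUR_APP_SECRET", "http://YOUR_URL")
    def fresh_code():  # user grants "email,read_stream" and lands on YOUR_URL with a code
        redirect = srv.authorize(dialog_request("YOUR_APP_ID", "http://YOUR_URL",
                                                ["email", "read_stream"]), user="alice")
        return parse_qs(urlparse(redirect).query)["code"][0]
    def try_exchange(secret, code):  # None when the provider refuses the exchange
        try:
            return srv.exchange(token_request("YOUR_APP_ID", secret, "http://YOUR_URL", code))
        except PermissionError:
            return None
    code = fresh_code()
    tok = try_exchange("YOUR_APP_SECRET", code)
    out["expires"] = tok["expires"]
    out["code_reuse"] = try_exchange("YOUR_APP_SECRET", code) is not None       # replay
    out["wrong_secret"] = try_exchange("WRONG_SECRET", fresh_code()) is not None
    try:  # a redirect_uri on an unregistered domain is refused at the dialog
        srv.authorize(dialog_request("YOUR_APP_ID", "http://NOT_YOUR_URL", ["email"]), "alice")
        out["bad_domain"] = True
    except ValueError:
        out["bad_domain"] = False
    access = tok["access_token"]
    out["read_stream"] = srv.resource(access, "read_stream") is not None        # granted
    out["publish_stream"] = srv.resource(access, "publish_stream") is not None  # never granted
    srv.revoke(access)
    out["after_revoke"] = srv.resource(access, "read_stream") is not None
    tok2 = try_exchange("YOUR_APP_SECRET", fresh_code())
    srv.now += TOKEN_LIFETIME + 1
    out["after_expiry"] = srv.resource(tok2["access_token"], "read_stream") is not None
    return out
```

Call run_demo() to see the outcome of each check; the dictionary shows that a code is single-use and worthless without the App Secret, and that a leaked token is limited to its granted scope, dies on revocation and expires on its own.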
Thanks!
Questions?

More Related Content

What's hot

Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Colin Su
 
Alphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks
 
Workshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKWorkshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKDimitar Danailov
 
Advanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsAdvanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsJustin Briggs
 
How to Setup App Indexation
How to Setup App IndexationHow to Setup App Indexation
How to Setup App IndexationJustin Briggs
 
SEO tips and ranking factors
SEO tips and ranking factorsSEO tips and ranking factors
SEO tips and ranking factorsSEO_adam
 
Introduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesIntroduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesShruti Arya
 
Confoo Montreal : SEO for dynamic websites
Confoo Montreal :  SEO for dynamic websitesConfoo Montreal :  SEO for dynamic websites
Confoo Montreal : SEO for dynamic websitesiProspect Canada
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformPat Patterson
 
Site Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteSite Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteAdam Audette
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Suzzicks
 
Supercharging WordPress for SEO
Supercharging WordPress for SEOSupercharging WordPress for SEO
Supercharging WordPress for SEOAffiliate Summit
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
Rest experience-report
Rest experience-reportRest experience-report
Rest experience-reportJim Barritt
 

What's hot (20)

Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)Introduction to Facebook Javascript SDK (NEW)
Introduction to Facebook Javascript SDK (NEW)
 
Alphageeks meetup - facebook api
Alphageeks meetup - facebook apiAlphageeks meetup - facebook api
Alphageeks meetup - facebook api
 
Workshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDKWorkshop : Facebook JavaScript SDK
Workshop : Facebook JavaScript SDK
 
Advanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich SnippetsAdvanced Structured Data: Beyond Rich Snippets
Advanced Structured Data: Beyond Rich Snippets
 
How to Setup App Indexation
How to Setup App IndexationHow to Setup App Indexation
How to Setup App Indexation
 
Social Sign-On with Authentication Providers
Social Sign-On with Authentication ProvidersSocial Sign-On with Authentication Providers
Social Sign-On with Authentication Providers
 
SEO tips and ranking factors
SEO tips and ranking factorsSEO tips and ranking factors
SEO tips and ranking factors
 
Introduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websitesIntroduction to Social Networking Sites and websites
Introduction to Social Networking Sites and websites
 
Confoo Montreal : SEO for dynamic websites
Confoo Montreal :  SEO for dynamic websitesConfoo Montreal :  SEO for dynamic websites
Confoo Montreal : SEO for dynamic websites
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Hands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com PlatformHands-on with OAuth, Facebook and the Force.com Platform
Hands-on with OAuth, Facebook and the Force.com Platform
 
Site Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam AudetteSite Architecture Best Practices for Search Findability - Adam Audette
Site Architecture Best Practices for Search Findability - Adam Audette
 
Prashant Sridharan
Prashant SridharanPrashant Sridharan
Prashant Sridharan
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0 - Part 1
 
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
Why Deep Linking is the Next Big Thing: App Indexing - SMX East 2015
 
Supercharging WordPress for SEO
Supercharging WordPress for SEOSupercharging WordPress for SEO
Supercharging WordPress for SEO
 
Facebook API for iOS
Facebook API for iOSFacebook API for iOS
Facebook API for iOS
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Rest experience-report
Rest experience-reportRest experience-report
Rest experience-report
 
Hi5 Open Social
Hi5   Open SocialHi5   Open Social
Hi5 Open Social
 

Similar to OAuth Introduction

Leveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsLeveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsDavid Keener
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Shiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesShiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesRoy Pereira
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Social Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSocial Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSalesforce Developers
 
Hack u iitb_social
Hack u iitb_socialHack u iitb_social
Hack u iitb_socialRajesh Kumar
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Damon Widjaja
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsTom Johnson
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedGaurav Behere
 
What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011Iskandar Najmuddin
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdfTomasz Kopacz
 
What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011Iskandar Najmuddin
 

Similar to OAuth Introduction (20)

Facebook + Ruby
Facebook + RubyFacebook + Ruby
Facebook + Ruby
 
Leveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook AppsLeveraging Rails to Build Facebook Apps
Leveraging Rails to Build Facebook Apps
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Shiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development GuidelinesShiny Agency's Facebook Development Guidelines
Shiny Agency's Facebook Development Guidelines
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Google APIs
Google APIsGoogle APIs
Google APIs
 
Social Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for FacebookSocial Apps with the Force.com Toolkit for Facebook
Social Apps with the Force.com Toolkit for Facebook
 
Hack u iitb_social
Hack u iitb_socialHack u iitb_social
Hack u iitb_social
 
Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)Facebook Apps Development 101 (Java)
Facebook Apps Development 101 (Java)
 
API Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIsAPI Workshop: Deep dive into REST APIs
API Workshop: Deep dive into REST APIs
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
 
Progressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting StartedProgressive Web Apps - Overview & Getting Started
Progressive Web Apps - Overview & Getting Started
 
What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011What's New on the Facebook Platform, May 2011
What's New on the Facebook Platform, May 2011
 
Kt 15 07-2013
Kt 15 07-2013Kt 15 07-2013
Kt 15 07-2013
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf
 
What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011What's New on the Facebook Platform, July 2011
What's New on the Facebook Platform, July 2011
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

OAuth Introduction

  • 1. OAuth Or: „Why you don‘t have to pass credentials“
  • 2. About me! Marvin Hoffmann (B.Sc.) Computer Science and Media Semester 2 Why am I here? Security will always be a key aspect of application development
  • 3. What‘s coming? some history and basics some OAuth some Facebook project reference conclusion
  • 4. What‘s coming? some history and basics some OAuth some Facebook project reference conclusion semester holidays :)
  • 6. Once upon a time... you had to pass your username and password to let applications use one another Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
  • 7. That of course... we don‘t want to be necessary! Pass username and password?
  • 8. That of course... we don‘t want to be necessary! Pass username and password? No thanks. There must be another way!
  • 9. What do we want then? distinguish between different applications (and us) give different rights to each (scoping) be able to revoke rights once they where granted standardized approach in granting access
  • 10. What‘s necessary? Authentication Who the heck are you? Authorization You are allowed to do xyz and only xyz!
  • 11. OAuth
  • 12. We need a standard! many custom build solutions before OAuth Flickr: „FlickrAuth“ Google: „AuthSub“ Facebook: requests signed with MD5 Hashes Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
  • 13. What‘s in the protocol? OAuth 1 is based on „FlickrAuth“ and Google‘s „AuthSub“. OAuth 2 is a completely new protocol: it defines different flows, useful for different requirements (native client, website, mobile app). We‘ll see soon what such a flow can look like. Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
  • 15. OAuth and Facebook: looks familiar? Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
  • 16. How to get there 1: register your application or website as a Facebook application to get your app credentials: an App ID / API Key and an App Secret (tokens you get are only valid for your Facebook app).
  • 17. How to get there 2: add App ID and App Secret to your code. Example: $facebook = new Facebook(array( 'appId' => 'YOUR_APP_KEY', 'secret' => 'YOUR_APP_SECRET')); Your app/website will now be identified correctly. The domain will be checked as well! (The App Secret is what proves a request comes from your app, so it belongs in server-side code only, never in anything shipped to the browser.)
  • 18. How to get there 3: define what your app needs to use, e.g. „Post to Facebook as me“, „Access basic information“. Example: <fb:login-button show-faces="true" width="500" max-rows="1" perms="user_useralbums, read_stream, publish_stream"></fb:login-button> Rights? See photos, read from and write to the stream.
  • 19. How to get there 4: App-ID, App-Secret, Domain (figure: the app settings page showing these three values) Source: https://developers.facebook.com/apps/
  • 20. How to get there 5: You‘re good to go! Your app/website will now be identified (always) and the user has to grant specific rights (once).
  • 21. HTTP calls flow Source: https://developers.facebook.com/docs/authentication/
  • 22. Little more details Source: https://developers.facebook.com/docs/authentication/
  • 23.–27. Little more details (the same flow, built up one message at a time):
    Request (browser is sent here): https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
    Response (browser is redirected back to you): http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
    Request (server-to-server, because it carries the App Secret; redirect_uri must be the same value as in the first request and must lie within your registered domain): https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
    Response: access_token and time in seconds till the token expires. Save it!
    Source: https://developers.facebook.com/docs/authentication/
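The four messages above, plus the registration data from slides 16 to 20, as an added worked example (not code from the slides, and not Facebook's SDK). Both sides run in one process: the two endpoint URLs are the ones named on the slides, while the client_id, client_secret, redirect_uri, the in-memory FakeFacebook stand-in for the server and the `state` parameter (not on the slides, but the standard defence against a forged callback) are constructed for the example.

```python
"""Authorization-code flow of slides 23-27, with both sides run in-process.

Added example, not code from the slides or from Facebook's SDKs. The two
endpoint URLs are the ones named on the slides; the client_id, client_secret,
redirect_uri, the in-memory FakeFacebook server and the 'state' parameter
are constructed here.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"

# constructed stand-in for the app registration of slides 16/19: ID, secret, domain
REGISTERED_APPS = {
    "123456789": {"secret": "s3cr3t-app-secret",
                  "redirect_uri": "https://example.test/callback"},
}


def _qs(query_string):
    """Flatten a query string / form-encoded body into a plain dict."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


class FakeFacebook:
    """In-memory stand-in for the two Facebook endpoints (constructed, not the real service)."""

    def __init__(self):
        self.pending = {}   # code -> (client_id, redirect_uri, scope)
        self.tokens = {}    # access_token -> scope

    def dialog(self, url, user_approves=True):
        """User visits /dialog/oauth; returns the URL the browser is redirected to."""
        q = _qs(urlparse(url).query)
        app = REGISTERED_APPS.get(q.get("client_id", ""))
        # the redirect target must match the registration exactly, otherwise
        # anyone could ask for the code to be delivered to a URL they control
        if app is None or q.get("redirect_uri") != app["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        back = {"state": q.get("state", "")}
        if not user_approves:
            back["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(24)
            self.pending[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""))
            back["code"] = code
        return app["redirect_uri"] + "?" + urlencode(back)

    def access_token(self, params):
        """/oauth/access_token; the body is form-encoded, as Facebook answered at the time."""
        app = REGISTERED_APPS.get(params.get("client_id", ""))
        if app is None or not hmac.compare_digest(params.get("client_secret", ""), app["secret"]):
            return "error=invalid_client"
        entry = self.pending.pop(params.get("code", ""), None)   # pop: a code is single-use
        if entry is None or entry[:2] != (params["client_id"], params.get("redirect_uri")):
            return "error=invalid_grant"
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry[2]
        return urlencode({"access_token": token, "expires": 3600})


def build_dialog_url(client_id, redirect_uri, scope, state):
    """Slide 23: send the browser here; 'state' binds the later callback to this session."""
    return AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "state": state})


def handle_callback(callback_url, expected_state):
    """Slide 24: the browser comes back with ?code=...; refuse it unless state matches."""
    q = _qs(urlparse(callback_url).query)
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in q or "code" not in q:
        raise ValueError("authorization failed: " + q.get("error", "no code"))
    return q["code"]


def exchange_code(server, client_id, client_secret, redirect_uri, code):
    """Slides 25-27: server-to-server request carrying the App Secret; returns (token, expires_in)."""
    body = server.access_token({"client_id": client_id, "redirect_uri": redirect_uri,
                                "client_secret": client_secret, "code": code})
    r = _qs(body)
    if "access_token" not in r:
        raise ValueError("token request failed: " + r.get("error", "unknown"))
    return r["access_token"], int(r["expires"])


def run_flow(server, client_id, client_secret, redirect_uri, scope):
    """The whole dance; in a real app the three steps are separate HTTP requests."""
    state = secrets.token_urlsafe(16)
    callback = server.dialog(build_dialog_url(client_id, redirect_uri, scope, state))
    code = handle_callback(callback, state)
    return exchange_code(server, client_id, client_secret, redirect_uri, code)


if __name__ == "__main__":
    fb = FakeFacebook()
    token, ttl = run_flow(fb, "123456789", "s3cr3t-app-secret",
                          "https://example.test/callback", "email,read_stream")
    print("access_token:", token, "expires in", ttl, "s")
```

The checks worth copying into a real client are the ones the slides leave implicit: the callback is only accepted when `state` matches the session that started the flow, the code is exchanged once and only from server-side code that holds the App Secret, and the server refuses any redirect_uri that is not exactly the registered one.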
  • 28. Project Reference no code :(
  • 29. Environment: „Online & Performance Marketing Agency“; a LOT of Facebook marketing campaigns per month; campaign creation and monitoring via the Facebook Ads Manager (web interface). Task: integrate this into the Java client! Links: Ads Manager: https://www.facebook.com/ads/manage/; Ad creation: https://www.facebook.com/ads/create/
  • 30. Facebook and Java: just like we learned: register the app with Facebook, get an access token. RestFB: a helpful library for speaking to the Graph API from Java. Links: RestFB: http://restfb.com
  • 31. The problem we had: what if .. we want to access information of a page that only an admin of the page can access? .. we want to add data to an account, but only admins are allowed to? (An access token never carries more rights than the user who granted it has.)
  • 33.–37. What do we want then? (the four requirements from slide 9, revisited one by one) distinguish between different applications (and us); give different rights to each (scoping); be able to revoke rights once they were granted; standardized approach in granting access
  • 38. One more thing! A stolen token is not as horrible as stolen credentials! Only the dedicated information or actions it was scoped for can be accessed; there is no need to change the password; it‘s easy to revoke access. A token is still a secret, though: treat it like one, and remember that a token granted with offline_access never expires, so revoking it is the only way to end its life.
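Slide 38 in working code, as an added example (not code from the slides or from Facebook): a token is scoped, so a thief can only do what the user granted, and revoking the app's access kills the token while the password stays untouched. The token store, the users, the app IDs and the action-to-scope table are constructed here; read_stream, publish_stream and email are the scope names used on slides 18 and 23.

```python
"""Why a stolen token hurts less than stolen credentials (slide 38): the token
is scoped and can be revoked without touching the password.

Added example, not code from the slides. The token store, the users, the
app IDs and the action-to-scope table are constructed here; the scope names
read_stream / publish_stream / email are the ones used on the slides.
"""
import secrets

# which permission each API action needs (constructed table, modelled on slide 18)
REQUIRED_SCOPE = {
    "read_feed": "read_stream",
    "post_to_feed": "publish_stream",
    "read_email": "email",
}


class TokenStore:
    """Server-side record of issued tokens: who granted, to which app, with which scopes."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, app_id, scopes):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "app": app_id, "scopes": frozenset(scopes)}
        return token

    def lookup(self, token):
        return self._tokens.get(token)

    def revoke_app(self, user, app_id):
        """What the user does on the privacy settings page (slide 15): drop every token of one app."""
        doomed = [t for t, m in self._tokens.items() if m["user"] == user and m["app"] == app_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def call_api(store, token, action):
    """Resource-server check: known token, and the scope the action needs. Returns (allowed, reason)."""
    meta = store.lookup(token)
    if meta is None:
        return False, "invalid_token"
    needed = REQUIRED_SCOPE[action]
    if needed not in meta["scopes"]:
        return False, "insufficient_scope: needs " + needed
    return True, "ok as " + meta["user"]


def stolen_token_scenario():
    """A token for email+read_stream leaks; what can the thief do before and after revocation?"""
    store = TokenStore()
    other_app = store.issue("alice", "app-B", ["read_stream"])      # unrelated app, must survive
    leaked = store.issue("alice", "app-A", ["email", "read_stream"])
    before = {a: call_api(store, leaked, a)[0] for a in REQUIRED_SCOPE}
    revoked = store.revoke_app("alice", "app-A")   # alice's password is never touched
    after = {a: call_api(store, leaked, a)[0] for a in REQUIRED_SCOPE}
    return {"before": before, "after": after, "revoked": revoked,
            "other_app_still_works": call_api(store, other_app, "read_feed")[0]}


if __name__ == "__main__":
    for key, value in stolen_token_scenario().items():
        print(key, value)
```

With a leaked password every one of these actions would succeed and the only remedy would be a password change that logs the user out everywhere; with the token, the thief never gets publish_stream, and one click on the settings page ends the leak for that app alone.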

Editor's Notes

  12. 1.0 -> 2006 / 2007; 2.0 -> 2010
  21.–25. „if the user has already authorized your app, they will not be prompted to do so again“; offline_access -> the token never expires!