OAuth is an open standard that lets users authorize third-party applications to access private resources such as photos, videos and contacts held on another site without sharing the user's credentials with the application. The application obtains limited, revocable access to the user's account and never learns the user's password.
Saadhvi Summit - OAuth Standards
1. OAuth 2.0
Open Protocol Standard for Authorization
Saadhvi Summit
Nirmal Kumar
Date : 2 April 2012 - 4:00 PM IST
2. OAuth - Overview
OAuth is an open standard for authorization. It allows users to share their
private resources (e.g. photos, videos, contact lists) stored on one site
with another site without handing out their credentials: instead of a
username and password, the other site receives a token limited to what the
user approved.
4. Secure Way to Access User Resources?
Is there a secure way for an external application, say WordPress, where you
already have an account, to access your Flickr photos and albums?
Access user resources (photos, albums etc.)
5. Secure Way to Access User Resources?
Is there a secure way for an external application, say Facebook, where you
already have an account, to access your Gmail address book or contact list?
Access user contacts from a Gmail account
6. Should I expose my Credentials?
Access user contacts from a Gmail account:
do I have to hand my Gmail account credentials to Facebook?
Access user resources (photos, albums etc.):
do I have to hand my Flickr account credentials to Facebook?
8. User Credentials Compromise
1. The application itself cannot be trusted
2. The user's password can be misused to reach everything else in that
account, not just the data the application asked for
3. Users often reuse the same password across many applications, so one
leak becomes a security threat to all of them
4. Changing the password is not reflected in the applications that stored
it; each one has to be updated by hand
9. What the OAuth Standard Provides
A way for an application to interact with a service on the user's behalf
without requiring the user's account credentials.
10. The Car Valet Parking
Regular Key : Car Owner
- Full access
- Hands the valet only the access needed, via the valet key
- Can revoke that access at any time, e.g. when a threat is suspected
Valet Key : Valet
- Limited access
- Cannot change anything without the authorization of the resource
owner
11. How this works ?
[Diagram: the User owns the User Resources and authorizes the API Client Application; the API Client Application accesses the User Resources through the API Provider Services.]
12. How this works ?
Import Contacts from your Google Account
13. Sample Twitter - Authorize
Revoke Access to Applications at any time.
14. How this works ?
1. The client application redirects the user to the API service provider's
authorization endpoint with its client ID, the redirect URI it registered, the
scope it wants and a random state value. The client secret stays on the
client's server and is not sent in this step.
2. The user is shown a prompt such as "Authorize Application X to access your
account". The user can either authorize or reject.
3. If the user authorizes, the provider redirects the user back to the client
application with a short-lived, single-use authorization code (and the state
value) in the URL.
4. The client web application sends this authorization code, together with its
client ID and secret, in a back-channel POST to the API server's token
endpoint, which answers with an access token.
5. The client application uses that token to access the authorized data from
the user's account.
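The flow on this slide, and the valet-key limits from slide 10 (a token that only opens what the owner allowed, and that the owner can take back), as one added example that is not from the original deck: a self-contained Python simulation in which the client application, the authorization server and the photo API all run in a single process, so nothing leaves the machine. Every identifier in it is a made-up placeholder (the client ID `client_wordpress`, the secret `s3cret`, the `photos.example` and `blog.example` URLs, the `photos.read` and `photos.write` scopes, the user `alice` and her two photos), and the sample data is constructed for the demo.

```python
# Added example (not from the deck): all three OAuth 2.0 parties in one process; every ID, secret, URL, scope and user below is a made-up placeholder.
import hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def _params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """API provider side (think Flickr): consent prompt, token endpoint, token store."""
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}
    def register(self, client_id, client_secret, redirect_uri):
        h = hashlib.sha256(client_secret.encode()).hexdigest()
        self.clients[client_id] = {"redirect_uri": redirect_uri, "secret_hash": h}
    def authorize(self, request_url, user, approved):
        """Front channel: 'Authorize X to access your account'. Returns the redirect back to X."""
        p = _params(request_url)
        client = self.clients[p["client_id"]]
        if p["redirect_uri"] != client["redirect_uri"]:  # only the registered URI is honoured
            raise ValueError("redirect_uri does not match registration")
        out = {"state": p["state"]}  # echoed so the client can tie the callback to its own request
        if approved:
            out["code"] = code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": p["client_id"], "user": user, "scope": p["scope"],
                                "redirect_uri": p["redirect_uri"], "expires": time.time() + 60}
        else:
            out["error"] = "access_denied"
        return f"{client['redirect_uri']}?{urlencode(out)}"
    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client's POST, authenticated with the secret the browser never sees."""
        client = self.clients.get(client_id)
        given = hashlib.sha256(client_secret.encode()).hexdigest()
        if client is None or not secrets.compare_digest(given, client["secret_hash"]):
            raise PermissionError("invalid_client")
        rec = self.codes.pop(code, None)  # pop: a code is accepted exactly once
        if (rec is None or rec["expires"] < time.time() or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "client_id": client_id, "scope": set(rec["scope"].split())}
        return {"access_token": tok, "token_type": "bearer", "scope": rec["scope"]}
    def revoke_client(self, client_id):
        """The 'Revoke access' button: every token that client holds dies at once."""
        self.tokens = {t: r for t, r in self.tokens.items() if r["client_id"] != client_id}

class ResourceServer:
    """The photo API: it checks the bearer token and its scope, never a password."""
    def __init__(self, authz, photos):
        self.authz, self.photos = authz, photos
    def _user_for(self, bearer, needed_scope):
        rec = self.authz.tokens.get(bearer)
        if rec is None or needed_scope not in rec["scope"]:
            raise PermissionError("invalid_token" if rec is None else "insufficient_scope")
        return rec["user"]
    def list_photos(self, bearer):
        return list(self.photos[self._user_for(bearer, "photos.read")])
    def delete_photos(self, bearer):
        self.photos[self._user_for(bearer, "photos.write")].clear()

class ClientApp:
    """Third-party site (think WordPress) importing the user's photos."""
    def __init__(self, client_id, secret, redirect_uri, authz):
        self.client_id, self.secret, self.redirect_uri, self.authz = client_id, secret, redirect_uri, authz
        self.pending = set()  # state values issued but not yet consumed (per browser session in practice)
    def start(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://photos.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})
    def callback(self, url):
        q = _params(url)
        if q.get("state") not in self.pending:  # a callback we never asked for: forged or replayed
            raise PermissionError("state_mismatch")
        self.pending.discard(q["state"])
        if "error" in q:
            raise PermissionError(q["error"])
        return self.authz.token(self.client_id, self.secret, q["code"], self.redirect_uri)

def _outcome(action):
    try:
        action()
        return "allowed"
    except PermissionError as e:
        return str(e)

def demo():
    authz = AuthorizationServer()
    authz.register("client_wordpress", "s3cret", "https://blog.example/oauth/cb")
    photos = ResourceServer(authz, {"alice": ["beach.jpg", "cat.jpg"]})  # constructed sample data
    app = ClientApp("client_wordpress", "s3cret", "https://blog.example/oauth/cb", authz)
    back = authz.authorize(app.start("photos.read"), user="alice", approved=True)
    tok = app.callback(back)["access_token"]
    r = {"photos": photos.list_photos(tok)}                            # the valet key opens the door...
    r["delete_denied"] = _outcome(lambda: photos.delete_photos(tok))   # ...but not the trunk
    r["code_reuse"] = _outcome(lambda: authz.token("client_wordpress", "s3cret", _params(back)["code"], app.redirect_uri))
    r["forged_state"] = _outcome(lambda: app.callback(app.redirect_uri + "?code=x&state=forged"))
    authz.revoke_client("client_wordpress")                            # the owner takes the key back
    r["after_revoke"] = _outcome(lambda: photos.list_photos(tok))
    return r
```

Calling `demo()` walks the happy path and then the four outcomes worth testing in any real integration: a read-only token cannot delete, an authorization code is consumed on first use so one leaked from the browser's address bar is worthless, a callback carrying a state value the client never issued is dropped, and revoking the client kills its token immediately. The three checks that real deployments most often get wrong are all explicit here: the authorization server honours only the redirect URI registered for the client, the client binds each callback to a state value of its own, and the token endpoint demands the client secret that the front channel never carried.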
16. OAuth Benefits
1. Can be integrated in web, mobile and other home devices
2. No more sharing of passwords or user credentials with other applications,
so one less security hassle for the user
3. Developers only need to implement a redirect and a POST request, which
keeps integration flexible
4. Users can revoke access tokens for specific clients at any time
5. Nefarious clients can have their credentials revoked and all associated
access tokens destroyed immediately
17. List of OAuth Service Providers (as of April 2012)
Facebook OAuth 2.0
Foursquare OAuth 2.0
github OAuth 2.0
Google OAuth 2.0
Microsoft (Hotmail, Messenger, Xbox) OAuth 2.0
LinkedIn OAuth 2.0
MySpace OAuth 1.0a
Netflix OAuth 1.0a
StatusNet OAuth 1.0a
Twitter OAuth 1.0a
Vimeo OAuth 1.0a
Yahoo! OAuth 1.0a