OAUTH 2.0
Open Authorization 2.0


   Yasmine M. Gaber
     4 October 2012
Outline

    What is OAuth?

    History

    Terminology

    Why use OAuth 2.0?

    Authorization Flows

    What about Mobile Apps?

    Tools and Libraries

    Demo

    Summary
What is OAuth

    “OAuth is an open standard for authorization. It
    allows users to share their private resources stored
    on one site with another site without having to hand
    out their credentials, typically supplying username
    and password tokens instead. Each token grants
    access to a specific site for specific resources and for
    a defined duration. This allows a user to grant a third
    party site access to their information stored with
    another service provider, without sharing their access
    permissions or the full extent of their data.”
    −   Source: Wikipedia
History

    HTTP basic authentication: the application stores
    the user's password and sends it on every request.

    Proprietary credential-based protocols, e.g. the
    Google Calendar API used ClientLogin.
       –   Flickr (later acquired by Yahoo!) and Blogger
           (later acquired by Google) each shipped their own.

    Provider-specific delegation protocols, e.g. Google's
    AuthSub and Yahoo!'s BBAuth

    OAuth standards
       –   OAuth 1.0
       –   OAuth 1.0a
       –   OAuth 2.0
Terminology

    Authentication

    Federated Authentication

    Authorization

    Delegated Authorization

    Roles
      –     Resource server (API provider)
      –     Resource owner (user of an application)
      –     Client
      –     Authorization server
Terminology

    Client Profiles
       –   Server-side web application
       –   Client-side application
       –   Native application

    Access Token
       –   Authorization Header
       –   Query parameter
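The two ways of presenting an access token listed above, seen from the resource server's side. This is an added example, not the deck's demo code: the token store, the token values (one of them is the sample token from RFC 6749) and the allow_query switch are assumptions made for illustration. The point it makes is that RFC 6750 permits the query parameter, but a token in the URL ends up in access logs, browser history and Referer headers, so the header form is the one to accept by default.

```python
import re
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed token store for the example: opaque token -> granted scope and expiry (epoch seconds).
# The values are illustrative, not real credentials.
TOKEN_STORE = {
    "2YotnFZFEjr1zCsicMWpAA": {"scope": "calendar.read", "expires_at": time.time() + 3600},
    "expired-token-000": {"scope": "calendar.read", "expires_at": time.time() - 1},
}

# RFC 6750 'Bearer' credentials: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def extract_bearer(headers: dict, query_string: str) -> Tuple[Optional[str], str]:
    """Return (token, source) where source is 'header', 'query', 'none' or 'ambiguous'."""
    header_token = None
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        m = BEARER_RE.match(auth)
        header_token = m.group(1) if m else None    # Basic, Digest etc. carry no bearer token
    query_tokens = parse_qs(query_string).get("access_token", [])
    if header_token and query_tokens:
        return None, "ambiguous"    # RFC 6750 section 2: a client MUST NOT use more than one method
    if header_token:
        return header_token, "header"
    if len(query_tokens) == 1:
        return query_tokens[0], "query"
    return None, "none"


def authorize_request(headers: dict, query_string: str, allow_query: bool = False):
    """Resource-server check. Returns (HTTP status, error code or granted scope)."""
    token, source = extract_bearer(headers, query_string)
    if source == "ambiguous":
        return 400, "invalid_request"
    if token is None:
        return 401, "missing_token"
    if source == "query" and not allow_query:
        # A token in the URL is copied into access logs, browser history and Referer headers.
        return 401, "token_in_query_not_allowed"
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["expires_at"] <= time.time():
        return 401, "invalid_token"
    return 200, entry["scope"]
```

The scheme match is case-insensitive and a non-Bearer Authorization header is treated as "no token" rather than as an error, which is what lets a resource server coexist with other schemes on the same endpoint.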
Why use OAuth 2.0?

    Developer's point of view
      –   Rich functionality:
            •   Getting access to a user’s social graph
            •   Posting to a user's Facebook wall or Twitter
                stream
            •   Storing data in the user's online filesystem of
                choice, e.g. a Google Docs or Dropbox account
      –   Integrating business applications to drive
          smarter decisions.
Why use OAuth 2.0?

    User's point of view
      –   Increased trust: the application never sees the
          user's password
      –   Decreased user sensitivity to phishing: users type
          their password only on the provider's own site
      –   No more expanded access and risk: a token is
          limited to the scope the user approved, not the
          whole account
      –   No more limited reliability: a password change
          does not break every application that stored it
      –   Easy service revocation: the user revokes one
          application's token without changing the password
      –   Passwords aren't required anymore: the client
          holds a token instead
      –   Easier to implement stronger authentication: the
          provider can add a second factor without changing
          any client
Authorization Flows

    Server-Side Web Application Flow

    Client-Side Web Applications Flow

    Resource Owner Password Flow

    Client Credentials Flow
Server-Side Web Application Flow

    When should it be used?
    −   Long-lived access is required.
    −   The OAuth client is a web application server.
    −   Accountability for API calls is very important and
        the OAuth token shouldn’t be leaked to the
        browser, where the user may have access to it.

    Security Properties
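The server-side web application flow described above, with both sides' messages, as an added example (not the deck's demo code). The authorization server, client, client secret, redirect URI and user are all constructed stand-ins that run in one process with no network; the checks it demonstrates are the ones the flow's security rests on: the redirect_uri must exactly match the registered one, the state value must match the session that started the login, the code is exchanged on the back channel with the client secret so the token never reaches the browser, and a code can be redeemed only once.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class ToyAuthorizationServer:
    """Constructed in-process stand-in for the API provider's authorization server (no network, no TLS)."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uri": str}
        self.codes = {}          # code -> {"client_id", "redirect_uri", "user", "used"}
        self.tokens = {}         # access_token -> user it was issued for

    def authorize(self, params, user):
        """Front channel: the resource owner has approved; redirect back to the client with a code."""
        client = self.clients.get(params.get("client_id"))
        # Exact match against the registered redirect_uri, otherwise the code is sent to an attacker's URL.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        redirect, state = client["redirect_uri"], params.get("state", "")
        if params.get("response_type") != "code":
            return redirect + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect,
                            "user": user, "used": False}
        return redirect + "?" + urlencode({"code": code, "state": state})

    def token(self, form, client_id, client_secret):
        """Back channel: authenticate the client, then redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.get(form.get("code"))
        if (entry is None or entry["used"] or entry["client_id"] != client_id
                or entry["redirect_uri"] != form.get("redirect_uri")
                or form.get("grant_type") != "authorization_code"):
            return {"error": "invalid_grant"}
        entry["used"] = True   # a replayed or stolen code is worthless after its first exchange
        access = secrets.token_urlsafe(32)
        self.tokens[access] = entry["user"]
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}


class WebAppClient:
    """The OAuth client: a web application server that holds a client secret."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self.pending_states = set()   # in a real app this lives in the user's server-side session

    def start_login(self):
        """Build the authorization request; 'state' ties the eventual callback to this session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "calendar.read", "state": state}

    def handle_callback(self, callback_url):
        """Check state, then exchange the code server-to-server; the browser never sees the token."""
        q = parse_qs(urlsplit(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: this session did not start the login")
        self.pending_states.discard(state)   # each state is accepted once
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"][0])
        form = {"grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": self.redirect_uri}
        resp = self.auth_server.token(form, self.client_id, self.client_secret)
        if "error" in resp:
            raise ValueError("token endpoint: " + resp["error"])
        return resp["access_token"]


def run_flow():
    """Happy path, then the failure modes to check for: replayed callback, reused code, wrong secret."""
    auth = ToyAuthorizationServer({"webapp": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    client = WebAppClient("webapp", "s3cret", "https://app.example/cb", auth)
    callback = auth.authorize(client.start_login(), user="alice")
    token = client.handle_callback(callback)
    results = {"user": auth.tokens[token]}
    try:
        client.handle_callback(callback)          # same callback delivered again (CSRF / replay)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    code = parse_qs(urlsplit(callback).query)["code"][0]
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": "https://app.example/cb"}
    results["code_reuse"] = auth.token(form, "webapp", "s3cret")
    results["wrong_secret"] = auth.token(form, "webapp", "guess")
    return results


if __name__ == "__main__":
    print(run_flow())
```

The client checks state before looking at anything else in the callback, so an attacker who has obtained a code for their own account cannot make a victim's browser complete the login with it; the server checks the client secret before looking at the code, so a leaked code alone does not yield a token.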
Client-Side Web Applications Flow

    When should it be used?
    −   Only temporary access to data is required.
    −   The user is regularly logged into the API provider.
    −   The OAuth client is running in the browser (using
        JavaScript, Flash, etc.).
    −   The browser is strongly trusted and there is limited
        concern that the access token will leak to
        untrusted users or applications.

    Security Properties
Resource Owner Password Flow

    When should it be used?
      –   Recommended only for first-party “official”
          applications released by the API provider, and
          not opened up to wider third-party developer
          communities.

    Security Properties
      –   Better than regular HTTP authentication: the
          application needs the user’s credentials only
          once, to exchange them for a token, and need
          not store the password.
      –   When the password changes, the user does not
          need to re-enter it in every application that
          uses it.
Client Credentials Flow

  When should it be used?
    – When acting on behalf of the app itself
       rather than on behalf of any individual
       user.

  Security Properties
    –   A single set of credentials for a client could
        provide access to a large amount of data.
    –   It is extremely critical that the credentials used
        to authenticate the client be kept highly
        confidential.
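A token endpoint that serves the last two flows, the resource owner password flow and the client credentials flow, as one added example (not the deck's demo code). The client registry, the first_party flag that gates the password grant, the user table and the SHA-256 stand-in for a real password KDF are all assumptions made for illustration. It shows the two things the slides above ask for: the client authenticates with its own credentials on every token request, compared in constant time, and a client credentials token carries no user at all, while a password-grant token is handed back with a refresh token so the application has no reason to keep the password.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registry for the example; ids, secrets and the password are sample values only.
CLIENTS = {
    "reporting-job":   {"secret": "job-secret-123",    "scopes": {"stats.read"},    "first_party": False},
    "official-mobile": {"secret": "mobile-secret-456", "scopes": {"calendar.read"}, "first_party": True},
}
# Toy user table: plain SHA-256 stands in for a real password KDF (scrypt, bcrypt, Argon2).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
ISSUED = {}   # access_token -> {"client_id", "user", "scope"}


def basic_header(client_id, client_secret):
    """What the client sends: Authorization: Basic base64(client_id:client_secret).
    (RFC 6749 also form-urlencodes both values first; the sample ids need no escaping.)"""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def parse_basic_auth(header):
    """Decode the Basic header; returns (client_id, client_secret) or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        client_id, sep, client_secret = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:           # bad base64 or non-UTF-8 payload
        return None
    return (client_id, client_secret) if sep else None


def authenticate_client(headers):
    """Returns the authenticated client_id, or None. The secret comparison is constant-time."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return None
    client = CLIENTS.get(creds[0])
    if client is None or not hmac.compare_digest(client["secret"].encode(), creds[1].encode()):
        return None
    return creds[0]


def token_endpoint(headers, form):
    """POST /token for grant_type=client_credentials and grant_type=password. Returns (status, body)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    client = CLIENTS[client_id]
    requested = set(form.get("scope", "").split()) or client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}   # a client never gets more than it was registered for
    grant = form.get("grant_type")
    if grant == "client_credentials":
        user = None                               # the token acts for the app itself, not for any user
    elif grant == "password":
        if not client["first_party"]:
            return 400, {"error": "unauthorized_client"}   # third parties must use a redirect-based flow
        digest = hashlib.sha256(form.get("password", "").encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(form.get("username"), ""), digest):
            return 400, {"error": "invalid_grant"}
        user = form["username"]
    else:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"client_id": client_id, "user": user, "scope": " ".join(sorted(requested))}
    body = {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": ISSUED[token]["scope"]}
    if user is not None:
        body["refresh_token"] = secrets.token_urlsafe(32)   # the app keeps this, not the password
    return 200, body
```

Because every token request carries the client secret, the secret is exactly as sensitive as the slide says: anyone holding it can mint client-credentials tokens for all of the client's registered scopes, which is why the registry caps scope per client and why the password grant is refused to clients not marked first-party.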
What about Mobile Apps?

    Mobile-optimized web apps using HTML5
      –   Use the traditional OAuth client-side or
          server-side web application flows

    Native mobile apps
      –   Access to your own APIs
      –   Access to APIs from other providers
What about Mobile Apps?

    Authorization flows for native mobile apps?
      –   Does the app have a mobile backend web server?
            •   YES:
                  – Client-side flow or server-side web
                     application flow
            •   NO:
                  – Client-side flow or server-side web
                     application flow with a custom URI
                     scheme as the redirect URL
                  – Native client flow
What about Mobile Apps?

    Embedded Web View
      –   Advantages
      –   Disadvantages

    System Web Browser
      –   Advantages
      –   Disadvantages
Tools and Libraries

    Tools:
    −   Google’s OAuth 2.0 Playground
    −   Google’s TokenInfo Endpoint
    −   Apigee’s Console
    −   Facebook’s Access Token Tool and Access Token
        Debugger

    Libraries:
    −   Google APIs Client Libraries for Java, Objective-C, PHP,
        Python, Ruby, JavaScript
    −   Facebook SDKs for JavaScript, Android, iOS, PHP
    −   Foursquare has community-contributed libraries
Demo


            Code available on
https://github.com/Yasmine-Gaber/OAUTH2.0-Demo
Resources

    Getting Started with OAuth 2.0

    OAuth.Net

    OAuth - The Big Picture

    OAuth 2.0 draft

    OpenID Connect Basic, Standard and Messages

    Google APIs Client Libraries

    Facebook SDKs

    Foursquare's community-contributed libraries
Questions ?
Thank You



               Contact at:
Email: Yasmine.Gaber@espace.com.eg
Twitter: Twitter.com/yasmine_mohamed

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Understanding OAuth 2.0: Authorization Flows and Best Practices

  • 1. OAUTH 2.0 (Open Authorization 2.0). Yasmine M. Gaber, 4 October 2012
  • 2. Outline
    - What is OAuth?
    - History
    - Terminology
    - Why to use OAuth 2.0
    - Authorization Flows
    - What about Mobile Apps?
    - Tools and Libraries
    - Demo
    - Summary
  • 4. What is OAuth
    - “OAuth is an open standard for authorization. It allows users to share their private resources stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific site for specific resources and for a defined duration. This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.”
      – Source: Wikipedia
  • 7. History
    - HTTP basic authentication
    - APIs such as the Google Calendar API used the ClientLogin protocol.
      – Flickr (acquired by Yahoo!) used Blogger (acquired by Google).
    - Specific protocols, e.g. Google's AuthSub and Yahoo!'s BBAuth
    - OAuth Standards
      – OAuth 1.0
      – OAuth 1.0a
      – OAuth 2.0
  • 9. Terminology
    - Authentication
    - Federated Authentication
    - Authorization
    - Delegated Authorization
    - Roles
      – Resource server (API provider)
      – Resource owner (user of an application)
      – Client
      – Authorization server
  • 10. Terminology
    - Client Profiles
      – Server-side web application
      – Client-side application
      – Native application
    - Access Token
      – Authorization Header
      – Query parameter
  • 12. Why to use OAuth 2.0
    - Developer's point of view
      – Much functionality:
        • Getting access to a user’s social graph
        • Posting to a user's Facebook wall or Twitter stream
        • Storing data in the user's online filesystem of choice, e.g. a Google Docs or Dropbox account
      – Integrating business applications to drive smarter decisions.
  • 13. Why to use OAuth 2.0
    - User's point of view
      – Increased trust
      – Decreased user sensitivity to phishing
      – No more expanded access and risk
      – No more limited reliability
      – Easy service revocation
      – Passwords aren't required anymore
      – Easier to implement stronger authentication
  • 15. Authorization Flows
    - Server-Side Web Application Flow
    - Client-Side Web Applications Flow
    - Resource Owner Password Flow
    - Client Credentials Flow
  • 18. Server-Side Web Application Flow
    - When should it be used?
      – Long-lived access is required.
      – The OAuth client is a web application server.
      – Accountability for API calls is very important and the OAuth token shouldn’t be leaked to the browser, where the user may have access to it.
    - Security Properties
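The server-side web application flow seen from the web app's side, as an added example (not code from the slides or the linked demo repository). The provider endpoints, client id and secret, redirect URI and scope are constructed placeholders; the functions build the redirect to the provider, verify the state on the callback, and produce the server-to-server token request so the access token never reaches the browser.

```python
import hmac
import secrets
import urllib.parse

# Constructed placeholders (assumptions, not values from the slides or demo):
AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"
TOKEN_ENDPOINT = "https://provider.example/oauth2/token"
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = "demo-client-secret"  # held only by the web server
REDIRECT_URI = "https://app.example/oauth2/callback"  # registered with the provider


def build_authorization_url(session, scope="calendar.read"):
    """Step 1: redirect the browser to the provider. A random per-login state,
    kept in the server-side session, binds the later callback to this attempt."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def token_request_from_callback(session, callback_url):
    """Step 2: the provider sends the browser back with ?code=...&state=...
    Check the state (one-time use), then build the form body the server POSTs
    to TOKEN_ENDPOINT; the access token never passes through the browser."""
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback_url).query))
    expected = session.pop("oauth_state", None)
    received = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"])
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in step 1
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def api_headers(access_token):
    """Step 3: send the token in the Authorization header, not a query
    parameter, so it stays out of URL logs and Referer headers."""
    return {"Authorization": "Bearer " + access_token}
```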
  • 21. Client-Side Web Applications Flow
    - When should it be used?
      – Only temporary access to data is required.
      – The user is regularly logged into the API provider.
      – The OAuth client is running in the browser (using JavaScript, Flash, etc.).
      – The browser is strongly trusted and there is limited concern that the access token will leak to untrusted users or applications.
    - Security Properties
  • 24. Resource Owner Password Flow
    - When should it be used?
      – Recommended only for first-party “official” applications released by the API provider, and not opened up to wider third-party developer communities.
    - Security Properties
      – Better than regular HTTP Authentication, as the application only needs access to the user’s credentials once.
      – When the password changes, there is no need to re-enter it in every application that uses it.
  • 27. Client Credentials Flow
    - When should it be used?
      – When acting on behalf of the app itself rather than on behalf of any individual user.
    - Security Properties
      – A single set of credentials for a client could provide access to a large amount of data.
      – It is extremely critical that the credentials used to authenticate the client be kept highly confidential.
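A client credentials token request and the handling of its response, as an added example (not from the slides or the demo repository). The token endpoint, client id and secret, and the sample token response are constructed placeholders; the cache keeps the client secret out of every API call by reusing one app-level token until shortly before it expires.

```python
import base64
import json
import time

# Constructed placeholders (assumptions, not values from the slides or demo):
TOKEN_ENDPOINT = "https://provider.example/oauth2/token"
CLIENT_ID = "demo-service"
CLIENT_SECRET = "demo-service-secret"  # load from a secret store, never from source


def client_credentials_request(scope):
    """Headers and form body for the POST to TOKEN_ENDPOINT. The client
    authenticates with HTTP Basic over TLS; the secret never goes in a URL."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, {"grant_type": "client_credentials", "scope": scope}


class TokenCache:
    """Keeps the app-level token and requests a new one only shortly before it
    expires, so the long-lived client secret is used as rarely as possible."""

    def __init__(self, skew=60):
        self.skew = skew  # refresh this many seconds before expiry
        self.token = None
        self.expires_at = 0.0

    def store(self, response_json, now=None):
        now = time.time() if now is None else now
        data = json.loads(response_json)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type: " + str(data.get("token_type")))
        self.token = data["access_token"]
        self.expires_at = now + float(data.get("expires_in", 0))

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return self.token is None or now >= self.expires_at - self.skew


# Constructed sample token response, shaped like an OAuth 2.0 JSON token reply.
SAMPLE_RESPONSE = json.dumps({"access_token": "constructed-token",
                              "token_type": "Bearer", "expires_in": 3600,
                              "scope": "reports.read"})
```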
  • 29. What about Mobile Apps?
    - Mobile-optimized web apps using HTML5
      – Use the traditional OAuth client-side or web application flows
    - Native mobile apps
      – Access to your own APIs
      – Access to APIs from other providers
  • 30. What about Mobile Apps?
    - Authentication flows for native mobile apps?
      – Have a mobile backend web server?
        • YES:
          – Client-side flow or server-side web apps flow
        • NO:
          – Client-side flow or server-side web apps flow, with a custom URI scheme as the redirect URL
          – Native client flow
  • 31. What about Mobile Apps?
    - Embedded Web View
      – Advantages
      – Disadvantages
    - System Web Browser
      – Advantages
      – Disadvantages
  • 33. Tools and Libraries
    - Tools:
      – Google’s OAuth 2.0 Playground
      – Google’s TokenInfo Endpoint
      – Apigee’s Console
      – Facebook’s Access Token Tool and Access Token Debugger
    - Libraries:
      – Google APIs Client Libraries for Java, Objective-C, PHP, Python, Ruby, JavaScript
      – Facebook SDKs for JavaScript, Android, iOS, PHP
      – Foursquare has community-contributed libraries
  • 35. Demo: code available on https://github.com/Yasmine-Gaber/OAUTH2.0-Demo
  • 37. Resources
    - Getting Started with OAuth 2.0
    - OAuth.Net
    - OAuth - The Big Picture
    - OAuth 2.0 draft
    - OpenID Connect Basic, Standard and Messages
    - Google APIs Client Libraries
    - Facebook SDKs
    - Foursquare's community-contributed libraries
  • 39. Thank You. Contact: Email: Yasmine.Gaber@espace.com.eg, Twitter: Twitter.com/yasmine_mohamed