OAuth is a real mess, and developers can really go crazy from being too exposed to it! Poorly documented and badly designed APIs are what we encounter every day. Enter the craziness of the OAuth world!
6. OAuth 1.0
Three calls need to be made by the client:
- Call the OAuth server and ask for temporary credentials.
- Open a webpage dialog using those credentials, so the user can sign in and give access.
- Call the OAuth server again, combining the temporary credentials with the temporary token, to get the final access token.
OAuth.io
7. OAuth 2.0
Only two calls:
- Call the OAuth server!!!!
- Open a webpage dialog.
OAuth 1.0 has one more step. THANKS Cpt. OBVIOUS
11. Need an example?
They say it uses OAuth 2.0, which is surprising, as in a server-to-server flow you expect the flow to be 3-legged.
12. Need an example?
To do anything other than the server-side flow, you have to search for it! The steps are documented, but only in the API reference. Even the webpage dialog and the code exchange endpoints are described in different sections.
You will become that guy.
17. CARDINALITY DEGREE
Kill them all, Bill!
- Read only, read and write: Disqus / Heroku...
- Read access for X, write access for X, read access for Y...: others...
- Google scopes are URLs.
TOKEN RESPONSES
19. TOKEN MANAGEMENT
TOKEN EXPIRY
A wild variation between services. Sometimes you can control it, sometimes not. Always in movement the expiry is.
20. TOKEN MANAGEMENT
EXPIRY: METHODS DIFFER
Google adds a field to the authorization URL: access_type, which can be online or offline.
Others add options in the scope:
- StackExchange: no_expiry
- Soundcloud: no-expiring
- Meetup.com: ageless
21. TOKEN MANAGEMENT
REFRESH TOKEN
The standard proposes a refresh token flow, followed by a few (Github / Google ...).
Facebook instead adds the grant type fb_exchange_token.
Unleash the Chuck
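Slides 20 and 21 list the provider-specific ways of asking for a long-lived token and of extending one. The following is an added example, not OAuth.io's code: a small client helper that builds the authorization URL with the provider's expiry convention and the token-endpoint body for a refresh (standard refresh_token grant vs. Facebook's fb_exchange_token). The endpoint URLs are placeholders and the provider table only carries the values named on the slides; check each provider's current documentation before relying on them.

```python
from urllib.parse import urlencode

# Per-provider convention for requesting a non-expiring / refreshable token, as named on
# the slides. Endpoints are placeholders (assumption): substitute the documented URLs.
PROVIDERS = {
    "google":        {"auth": "https://AUTH_PLACEHOLDER/google", "query": {"access_type": "offline"}},
    "stackexchange": {"auth": "https://AUTH_PLACEHOLDER/stackexchange", "scope": "no_expiry"},
    "soundcloud":    {"auth": "https://AUTH_PLACEHOLDER/soundcloud", "scope": "no-expiring"},
    "meetup":        {"auth": "https://AUTH_PLACEHOLDER/meetup", "scope": "ageless"},
    "facebook":      {"auth": "https://AUTH_PLACEHOLDER/facebook"},
}


def authorization_url(provider, client_id, redirect_uri, scopes, state, long_lived=False):
    """Build the authorization-code request URL, applying the provider's expiry convention.

    `state` is the caller's unguessable per-session value and is mandatory here, so the
    redirect back to `redirect_uri` can be tied to the session that started the flow.
    Scopes are joined with spaces (RFC 6749); some providers expect commas instead.
    """
    conf = PROVIDERS[provider]
    scopes = list(scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if long_lived:
        params.update(conf.get("query", {}))      # Google: extra query parameter
        extra = conf.get("scope")
        if extra and extra not in scopes:
            scopes.append(extra)                  # others: extra scope entry
    if scopes:
        params["scope"] = " ".join(scopes)
    return conf["auth"] + "?" + urlencode(params)


def refresh_request(provider, client_id, client_secret, token):
    """Form body sent to the token endpoint to extend access.

    Standard refresh (RFC 6749): grant_type=refresh_token carrying the refresh token.
    Facebook instead exchanges the short-lived access token itself via fb_exchange_token.
    """
    body = {"client_id": client_id, "client_secret": client_secret}
    if provider == "facebook":
        body.update(grant_type="fb_exchange_token", fb_exchange_token=token)
    else:
        body.update(grant_type="refresh_token", refresh_token=token)
    return body
```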
22. With OAuth.io
Integrate any of our 100+ OAuth providers in minutes, the SAME WAY.
TAKE A LOOK: OAuth Popup with facebook