OAuth: A Question of Trust
About Me

 • Lorna Jane Mitchell

 • Twitter: @lornajane

 • Web: http://lornajane.net
If OAuth is the answer, what was the question?
OAuth

        username: lornajane
        password: qwerty
OAuth

        Hi, I’m lornajane
Two Kinds of OAuth

 •   OAuth 1
      • in use on many systems
      • many steps: ‘the oauth dance’
      • encryption overhead (so use a lib)

 • OAuth 2
      • requires SSL
      • fewer steps
      • recognises trust
      • recommended for new systems
OAuth 2: Performance over Paranoia
OAuth2 Relationships

[diagram]
Before We Begin

Register for an API key and capture:

  • application name

  • callback URL(s) to use

  • description


e.g. http://joind.in/user/apikey
OAuth2 Endpoints

    Application Website        API                  Client
    api key registration       auth endpoint        callback URL
    user grant/revoke access   resource endpoint
    resources
Establishing Trust

We need an authorisation grant for the assistant to be able to access
user data
Authorisation Grants
Authorisation Grant: Many Choices

How we authorise a third party:

  • authorisation code

  • implicit

  • resource owner credentials

  • client credentials

  • ... potentially further extensions
Authorisation Code

Use for: server-side apps

Flow: we send user to application to grant access, receive a code in
return. Then exchange code for access token

Features: user never sees access token
Authorisation Code Process

[diagram: the client sends the user to the auth endpoint with client_id, redirect_url, type, scope, state]

User must be able to visit the site and revoke later

[diagram: the auth endpoint sends the user back to the callback URL with code and state]

[diagram: the client sends client_key, client_secret and code to the API and receives the access_token]
Implicit Grant

Use for: client-side apps

Flow: we send user to application to grant access, receive an access
token in return

Features: super-simple
Implicit Process

[diagram: the client sends the user to the auth endpoint with client_id, redirect_url, type, scope, state]

User must be able to visit the site and revoke later

[diagram: the auth endpoint sends the user back to the callback URL with access_token and state]
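The two front-channel flows in the diagrams above, worked through as an added Python example (this is illustration code, not code from the slides or from joind.in): an in-memory auth endpoint and a consuming client, with the two checks the `state` parameter and the registered callback URL exist for. The client id `joindin-assistant`, the `api.example` and `assistant.example` hosts, and the `AuthorisationServer`, `Client` and `run_flow` names are assumptions; the request parameters use the OAuth 2 spec names `redirect_uri` and `response_type` where the diagram labels say redirect_url and type.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration record: what the API stored when this client
# registered for an API key ("Before We Begin"). Client id and URLs are made up.
REGISTERED_CLIENTS = {
    "joindin-assistant": {"redirect_uris": {"https://assistant.example/callback"}},
}
AUTH_ENDPOINT = "https://api.example/oauth/authorize"  # assumed auth endpoint URL


def _params(raw):
    """Flatten a query or fragment string into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(raw).items()}


class AuthorisationServer:
    """The API's auth endpoint, front channel only. Once the user consents it
    sends the browser back to the registered callback URL carrying a code
    (authorisation code grant) or the access token itself (implicit grant)."""

    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access token -> (client_id, scope)
        self.grants = {}   # client_id -> scope: what the user can revoke later

    def authorize(self, request_url, user_consents=True):
        q = _params(urlsplit(request_url).query)
        client = REGISTERED_CLIENTS.get(q.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        redirect_uri = q.get("redirect_uri")
        # Exact match against the callback URL(s) captured at registration;
        # otherwise the code or token could be delivered to an address of the
        # requester's choosing.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri is not registered for this client")
        state = q.get("state", "")
        if not user_consents:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        scope = q.get("scope", "")
        self.grants[q["client_id"]] = scope
        if q.get("response_type") == "code":
            code = secrets.token_urlsafe(16)
            self.codes[code] = (q["client_id"], redirect_uri, scope)
            return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
        if q.get("response_type") == "token":
            token = secrets.token_hex(8)
            self.tokens[token] = (q["client_id"], scope)
            # Implicit grant: the token rides in the URL fragment, which the
            # browser keeps locally and never sends to the callback server.
            frag = urlencode({"access_token": token, "token_type": "bearer", "state": state})
            return f"{redirect_uri}#{frag}"
        raise ValueError("unsupported response_type")

    def revoke(self, client_id):
        """The user comes back to the site later and withdraws the grant."""
        self.grants.pop(client_id, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}


class Client:
    """The consuming application. `state` is its CSRF defence: a fresh random
    value per attempt, accepted once, so a callback it never asked for is refused."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = set()  # states awaiting a callback (per user session in practice)

    def begin(self, response_type, scope):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        query = urlencode({"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                           "response_type": response_type, "scope": scope, "state": state})
        return f"{AUTH_ENDPOINT}?{query}"

    def finish(self, callback_url):
        parts = urlsplit(callback_url)
        # A code arrives in the query string, an implicit-grant token in the fragment.
        params = _params(parts.fragment or parts.query)
        state = params.pop("state", None)
        if state not in self.pending:
            raise ValueError("state does not match a pending request (possible CSRF)")
        self.pending.discard(state)  # single use
        if "error" in params:
            raise PermissionError(params["error"])
        return params  # {"code": ...} or {"access_token": ..., "token_type": "bearer"}


def run_flow(response_type, user_consents=True):
    """Drive one complete front-channel exchange in memory."""
    server = AuthorisationServer()
    client = Client("joindin-assistant", "https://assistant.example/callback")
    callback_url = server.authorize(client.begin(response_type, "talks:read"), user_consents)
    return server, client, client.finish(callback_url)
```

`run_flow("code")` leaves the client holding a code that only the back channel can turn into a token; `run_flow("token")` leaves it holding the token directly, which is why the implicit grant is "super-simple" and also why the token is exposed to whatever runs in the browser. A callback whose `state` the client never issued, or an authorisation request naming an unregistered `redirect_uri`, is refused before anything is issued.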
Resource Owner Credentials

Use for: trusted consumers, such as same-provider apps or a script the
user writes themselves

Flow: user gives username and password to app, app exchanges for
access token and does not store

Features: saves sending user to the main site and back
Resource Owner Credentials Process

[diagram: the user gives username and password to the app, which passes them on to the API]

[diagram: the API returns the access token]
Client Credentials

Use for: privileged consumers

Flow: client credentials act as an authorisation grant, access token is
returned

Features: ideal for applications with more than per-user-data access
rights
Client Credentials Process

[diagram: the client presents its own credentials ("hai") and the API returns the access token]
How to Choose Grant Type

What will be consuming this data?

It isn’t unusual for applications to support some or all of these grant types
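The back-channel side of the grants above in one token endpoint, added here as a Python illustration (not code from the slides or from joind.in): exchanging a code together with the client key and secret, the resource owner credentials grant where the password is checked and then dropped, and the client credentials grant where no user is involved. The client ids and secrets, the `lornajane`/`qwerty` account record, the `c0de-from-auth-endpoint` value and the function names are constructed sample data and assumptions; the `grant_type` values and error codes are the ones the OAuth 2 spec defines.

```python
import hashlib
import hmac
import secrets

# Constructed data: two clients as registered for an API key, one user account
# (password kept only as a salted PBKDF2 hash) and one code that the auth
# endpoint has just handed to the assistant via the callback URL.
CLIENTS = {
    "joindin-assistant": {"secret": "assistant-secret-from-registration",
                          "scopes": {"talks:read", "talks:write"}},
    "nightly-report-job": {"secret": "job-secret", "scopes": {"stats:read"}},
}
_SALT = b"constructed-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"lornajane": _hash_password("qwerty", _SALT)}
PENDING_CODES = {
    "c0de-from-auth-endpoint": {"client_id": "joindin-assistant",
                                "redirect_uri": "https://assistant.example/callback",
                                "user": "lornajane", "scope": "talks:read"},
}
TOKENS = {}  # access token -> {"subject", "client_id", "scope"}


def authenticate_client(client_id, client_secret):
    """Client key + secret identify the application, whichever grant it uses."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    # Constant-time comparison: a wrong secret must not leak how wrong it is.
    if not hmac.compare_digest(client["secret"].encode(), (client_secret or "").encode()):
        return None
    return client


def verify_password(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


def issue_token(subject, client_id, scope):
    token = secrets.token_hex(8)
    TOKENS[token] = {"subject": subject, "client_id": client_id, "scope": scope}
    return {"access_token": token, "token_type": "bearer", "scope": scope}


def token_endpoint(form, client_id, client_secret):
    """POST to the token endpoint. Returns (status, body) as the spec's
    success and error responses are shaped."""
    client = authenticate_client(client_id, client_secret)
    if client is None:
        return 401, {"error": "invalid_client"}
    grant_type = form.get("grant_type")
    scope = form.get("scope", "")
    if not set(scope.split()) <= client["scopes"]:
        return 400, {"error": "invalid_scope"}

    if grant_type == "authorization_code":
        code = PENDING_CODES.pop(form.get("code"), None)  # single use: a replay finds nothing
        if (code is None or code["client_id"] != client_id
                or code["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        return 200, issue_token(code["user"], client_id, code["scope"])

    if grant_type == "password":
        # Resource owner credentials: the password is verified here and not
        # stored; only the token outlives this request.
        if not verify_password(form.get("username", ""), form.get("password", "")):
            return 400, {"error": "invalid_grant"}
        return 200, issue_token(form["username"], client_id, scope)

    if grant_type == "client_credentials":
        # No user in the picture: the client acts on its own behalf, so the
        # token's subject is the client itself.
        return 200, issue_token(client_id, client_id, scope)

    return 400, {"error": "unsupported_grant_type"}
```

The code bound to a client and a callback URL is consumed on first use, so presenting it twice (or from a different client) yields `invalid_grant`; a client asking for a scope outside what it registered for is refused before any grant is examined.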
You have an access token, now what?
Using Access Tokens

With the access token, include it in an Authorization header:

Authorization: OAuth db141c50adb74b22

Everything you already knew about web APIs now applies as normal
Refresh Tokens

Some applications will give you two tokens

   • access token (shorter expiry)

   • refresh token (longer expiry)


The refresh token is an authorisation grant in its own right, to be used
when the access token has expired
What about access control?
Scope

Consumers will request a given set of permissions, usually called scope

Users usually only get to accept, or not
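The three slides above (the Authorization header, refresh tokens, scope) brought together as an added Python example that is not from the slides: a resource endpoint that reads the header, rejects unknown and expired tokens and enforces the scope the user granted, the refresh_token grant that rotates the pair, and a client that refreshes once when told its token has expired. Function and class names, the lifetimes and the subject/scope values are assumptions; `db141c50adb74b22` is the slide's sample token, used here as an unknown one. The header scheme `OAuth` is what the slide shows; `Bearer` is what RFC 6750 later standardised, so both are accepted.

```python
import secrets

ACCESS_TTL = 3600          # access token lifetime in seconds (short)
REFRESH_TTL = 30 * 86400   # refresh token lifetime in seconds (long)

ACCESS_TOKENS = {}   # access token -> {"subject", "scope", "expires"}
REFRESH_TOKENS = {}  # refresh token -> {"subject", "scope", "expires"}


def issue_tokens(subject, scope, now):
    """Issue an access/refresh pair; `now` is passed in so the example is
    deterministic rather than reading the clock."""
    access, refresh = secrets.token_hex(8), secrets.token_hex(16)
    ACCESS_TOKENS[access] = {"subject": subject, "scope": set(scope.split()),
                             "expires": now + ACCESS_TTL}
    REFRESH_TOKENS[refresh] = {"subject": subject, "scope": scope,
                               "expires": now + REFRESH_TTL}
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "bearer", "expires_in": ACCESS_TTL}


def refresh_grant(refresh_token, now):
    """grant_type=refresh_token: the refresh token is itself the grant. It is
    consumed on use, so a copy that leaked cannot be replayed later."""
    record = REFRESH_TOKENS.pop(refresh_token, None)
    if record is None or record["expires"] <= now:
        return None
    return issue_tokens(record["subject"], record["scope"], now)


def parse_authorization(header):
    """Return the token from 'OAuth <token>' or 'Bearer <token>', else None."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0] not in ("OAuth", "Bearer"):
        return None
    return parts[1].strip()


def check_request(headers, required_scope, now):
    """Resource endpoint decision: (status, reason, subject). The reason
    strings are labels for this example, not the spec's error codes."""
    token = parse_authorization(headers.get("Authorization"))
    if token is None:
        return 401, "invalid_request", None     # no usable credential presented
    record = ACCESS_TOKENS.get(token)
    if record is None:
        return 401, "invalid_token", None       # never issued, or revoked
    if record["expires"] <= now:
        return 401, "expired_token", None       # client should use its refresh token
    if required_scope not in record["scope"]:
        return 403, "insufficient_scope", None  # user granted less than this call needs
    return 200, "ok", record["subject"]


class ApiClient:
    """Consumer side: send the header; if the token has expired, refresh once
    and retry. A failed refresh means the user has to authorise again."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.refreshed = 0

    def _headers(self):
        return {"Authorization": f"Bearer {self.tokens['access_token']}"}

    def call(self, required_scope, now):
        status, reason, subject = check_request(self._headers(), required_scope, now)
        if reason == "expired_token":
            fresh = refresh_grant(self.tokens["refresh_token"], now)
            if fresh is None:
                return status, reason, subject
            self.tokens = fresh
            self.refreshed += 1
            status, reason, subject = check_request(self._headers(), required_scope, now)
        return status, reason, subject
```

The scope is parsed once at issue time into a set and checked per call, so a token granted `talks:read` is accepted for reading and refused for writing with a 403 rather than a 401; the client only refreshes on an expiry response, never on a scope refusal, because no new token would widen what the user agreed to.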
HTTPS (a vital OAuth2 ingredient)
HTTPS

HTTPS is HTTP over SSL/TLS (Secure Sockets Layer/Transport Layer
Security)

Basically, we encrypt the pipe!
OAuth 1
About OAuth 1

In a nutshell:

   • Had its own encryption: needed a library/extension

   • Involved many steps, therefore many request/response roundtrips

        • leading to the phrase ‘oauth dance’

   • Solved exactly the same problem

   • Had a single oauth endpoint
OAuth 1 Process

 • Step 0: Register as a consumer

 • Step 1: Get a request token

 • Step 2: Send the user to authenticate

 • Step 3: Swap their verification for an access token

 • Step 4: Consume data
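What the "needed a library" point refers to: an OAuth 1.0a request does not carry a bearer token but a per-request signature (RFC 5849, HMAC-SHA1 in practice), so consumer and provider must build the same signature base string byte for byte. This added Python example, not from the slides, shows the consumer signing a step-4 API call and the provider recomputing and checking the signature in constant time, with the timestamp window and nonce check that stop a captured request from being replayed. The consumer key/secret, token/secret, URL, nonce and timestamp are constructed sample values, and the function and class names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value):
    """Percent-encode as RFC 5849 section 3.6 requires: only unreserved
    characters (letters, digits, '-', '.', '_', '~') stay literal."""
    return quote(str(value), safe="")


def signature_base_string(method, url, oauth_params, body_params=None):
    """RFC 5849 section 3.4.1: METHOD & base URL & normalised parameters,
    each part percent-encoded, parameters sorted by encoded name then value."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list((body_params or {}).items())
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalised)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is encoded consumer secret, '&', encoded token secret."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """Consumer side: the value to send as oauth_signature."""
    base = signature_base_string(method, url, oauth_params, body_params)
    return hmac_sha1_signature(base, consumer_secret, token_secret)


class SignatureVerifier:
    """Provider side: recompute the signature from the request as received,
    compare in constant time, and refuse stale timestamps and reused nonces."""

    def __init__(self, consumer_secret, token_secret="", window=300):
        self.consumer_secret = consumer_secret
        self.token_secret = token_secret
        self.window = window          # seconds of clock skew tolerated
        self.seen_nonces = set()      # (timestamp, nonce) pairs already accepted

    def verify(self, method, url, oauth_params, now, body_params=None):
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(now - int(oauth_params.get("oauth_timestamp", 0))) > self.window:
            return False
        nonce = (oauth_params.get("oauth_timestamp"), oauth_params.get("oauth_nonce"))
        if nonce in self.seen_nonces:
            return False   # a replay of a request we already served
        expected = sign_request(method, url, oauth_params, self.consumer_secret,
                                self.token_secret, body_params)
        if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce)
        return True


# Constructed sample request: consumer key/secret from step 0, token/secret
# from step 3, and a step-4 call to a resource with one query parameter.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret", "token-secret"
SAMPLE_URL = "http://example.com/resource?user=lornajane"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck", "oauth_token": "tk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1000",
    "oauth_nonce": "abc123", "oauth_version": "1.0",
}
```

Because the query string is part of what is signed, changing `user=lornajane` in transit invalidates the signature even though the token itself is unchanged, which is the property OAuth 2 gives up in exchange for requiring TLS on every request.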
OAuth Today

 • New project? Use OAuth 2

 • OAuth 1 is complicated and needs PECL extension

 • OAuth 2 requires SSL, and decision-making
Resources and Further Reading

 • OAuth2 Spec:
   http://tools.ietf.org/html/draft-ietf-oauth-v2

 • Great introductory article:
   http://hueniverse.com/2010/05/introducing-oauth-2-0/

 • Images from http://thenounproject.org
Thanks!

         https://joind.in/6232

              @lornajane

         http://lornajane.net
