Assaf Arkin, Flowtown You're building an API and the question comes up, how to let client applications authenticate against it? Giving username/password to 3rd party client applications is a security anti-pattern. You don't want to do that. API keys are better, but confusing for the average user. So we're going to look at solving that with OAuth 2.0. If you used Facebook Connect to allow a non-Facebook application restricted access to your Facebook account, you've used OAuth 2.0. Let's talk about what OAuth 2.0 is, how it works, and how to add support to your application/API. We'll cover authentication flows for Web apps, mobile, desktop and even command-line tools, and talk about access control patterns that are based, not on users and roles, but client applications and requested access scopes. This talk will cover rack-oauth2-server, an open source OAuth 2.0 Authorization Server module: https://github.com/flowtown/rack-oauth2-server

1. OAuth 2.0
Assaf Arkin
Wednesday, July 27, 11

2. Wednesday, July 27, 11

3. Wednesday, July 27, 11

4. OWNED!!!
Wednesday, July 27, 11

5. Wednesday, July 27, 11

6. Wednesday, July 27, 11

7. Wednesday, July 27, 11

8. Wednesday, July 27, 11

9. Simple to connect new application
No giving password
Authorize limited permissions
Revoke individual client application
Wednesday, July 27, 11

10. Each access token is tied to an
end-user, a client application, a
resource and a scope.
Wednesday, July 27, 11

11. Wednesday, July 27, 11

12. Wednesday, July 27, 11

13. OAuth 2.0 draft 10: OAuth scheme
OAuth 2.0 draft 20: two extensions
Bearer Token
MAC Access Authentication
OAuth 1.0, similar to 2.0 + MAC
Wednesday, July 27, 11

14. Wednesday, July 27, 11

15. Client Application Authorization Server
Redirect user to
authorization User authenticates
endpoint Client ID, Redirect URI, Scope
User grants
authorization
request
Redirect user back
to application
Exchange access
grant for access
Authorization code
token
Grant access token
Client ID, Redirect URI
Store in safe place
Access token
(w/optional Refresh token)
Access resource Protected resource
Access token
Wednesday, July 27, 11

16. Wednesday, July 27, 11

17. 1. Authenticate
2.Verify application
3.Verify scope
4. Authorize
Wednesday, July 27, 11

18. Wednesday, July 27, 11

19. Wednesday, July 27, 11

20. Wednesday, July 27, 11

21. Wednesday, July 27, 11

22. Wednesday, July 27, 11

23. Wednesday, July 27, 11

24. Wednesday, July 27, 11

25. Wednesday, July 27, 11

26. Desktop/mobile applications open in-app
browser (e.g. UIWebView)
Command line can open <url>, final page
asks user to copy & paste access token
High trust applications can exchange
username/password for access token
Wednesday, July 27, 11

27. Client applications should not ask users for
their password
OAuth provides an alternative flow that
balances convenience and security
It can support Web applications, desktop and
mobile, even command line tools
Wednesday, July 27, 11

28. Not complicated or terribly hard, existing
tools help a lot
First time might trip and fall, some new
concepts to wrap head around
Almost one year in, ongoing maintenance
cost has been zero for us
Wednesday, July 27, 11

29. follow me @assaf
http://labnotes.org
Wednesday, July 27, 11