OAuth 2.0 - Assaf Arkin
Assaf Arkin
OAuth 2.0
Wednesday, July 27, 11
OWNED!!!
Simple to connect a new application
No sharing of passwords
Authorize limited permissions only
Revoke each client application individually
Each access token is tied to an end-user, a client application, a resource and a scope.
OAuth 2.0 draft 10: OAuth scheme
OAuth 2.0 draft 20: two extensions
Bearer Token
MAC Access Authentication
OAuth 1.0 is similar to OAuth 2.0 with the MAC extension
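The two ways of presenting a token named above differ in what travels on the wire. The following added example (not code from the slides or their author) shows a Bearer header, which is just the token string and therefore relies on TLS, beside a MAC header, where the client signs each request with a secret that never leaves it and the resource server recomputes the signature, rejects replayed nonces and rejects stale timestamps. The MAC part is a simplified version of the MAC draft's structure: the normalized-string layout, the token values and the host names are assumptions for the example.

```python
"""Added example: Bearer vs MAC token presentation and verification.
Token values, key ids and host names are constructed for the example."""
import hashlib
import hmac
import os
import time

# Constructed credentials. A bearer token is the whole secret; a MAC token
# pairs a public key id with a key that is never sent on the wire.
BEARER_TOKEN = "vF9dft4qmT-EXAMPLE"
MAC_ID, MAC_KEY = "h480djs93hd8", b"adiFUBgldj3-EXAMPLE"


def bearer_header(token):
    # The token itself is the credential: anyone holding it can use it.
    return "Bearer " + token


def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Simplified normalized string (assumption): one field per line so that
    # no two distinct requests produce the same bytes to sign.
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def mac_header(key_id, key, method, uri, host, port, ts=None, nonce=None):
    ts = ts if ts is not None else int(time.time())
    nonce = nonce if nonce is not None else os.urandom(8).hex()
    msg = normalized_request(ts, nonce, method, uri, host, port).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (key_id, ts, nonce, mac)


def parse_mac_header(header):
    params = {}
    for part in header[len("MAC "):].split(", "):
        name, value = part.split("=", 1)
        params[name] = value.strip('"')
    return params


class ResourceServer:
    """Accepts either scheme. The Bearer check is a lookup; the MAC check
    recomputes the signature over the request the server actually received."""

    def __init__(self):
        self.bearer_tokens = {BEARER_TOKEN: "alice"}   # token -> user
        self.mac_keys = {MAC_ID: (MAC_KEY, "alice")}   # key id -> (key, user)
        self.seen_nonces = set()

    def authenticate(self, header, method, uri, host, port, now=None):
        """Return the authenticated user, or None if the request is rejected."""
        now = now if now is not None else time.time()
        if header.startswith("Bearer "):
            return self.bearer_tokens.get(header[len("Bearer "):])
        if header.startswith("MAC "):
            p = parse_mac_header(header)
            entry = self.mac_keys.get(p.get("id"))
            if entry is None:
                return None
            key, user = entry
            if abs(now - int(p["ts"])) > 300:          # stale timestamp
                return None
            if (p["id"], p["nonce"]) in self.seen_nonces:   # replayed request
                return None
            msg = normalized_request(p["ts"], p["nonce"], method, uri, host, port).encode()
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, p["mac"]):   # tampered or forged
                return None
            self.seen_nonces.add((p["id"], p["nonce"]))
            return user
        return None
```

Because the signature covers method, URI and host, a MAC header captured from one request cannot be reused for a different resource, and the nonce set stops an exact replay; a bearer token offers neither property, which is why the bearer scheme depends entirely on transport protection.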
Authorization code flow between the Client Application, the Authorization Server and the Protected resource:
1. Client redirects the user to the authorization endpoint with Client ID, Redirect URI and Scope
2. User authenticates
3. User grants the authorization request
4. Authorization server redirects the user back to the application with an authorization code
5. Client exchanges the access grant (the authorization code) for an access token, sending Client ID and Redirect URI
6. Authorization server grants the access token (with an optional refresh token); the client stores it in a safe place
7. Client accesses the protected resource with the access token
1. Authenticate
2. Verify application
3. Verify scope
4. Authorize
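The flow and the four consent steps above, as an added example that is not part of the original slides: an in-memory authorization server that verifies the application and its redirect URI, verifies the requested scope, issues a one-time authorization code, and on exchange issues an access token whose record is tied to the end-user, the client application, the resource and the scope. The client id, secret, endpoint URLs and resource URL are constructed for the example.

```python
"""Added example: OAuth 2.0 authorization code flow in memory.
Client registration, URLs and secrets are constructed values."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration. Client ID and redirect URI are public; the client
# secret is the part the client "stores in a safe place".
REGISTERED_CLIENTS = {
    "photo-printer": {
        "secret": "printer-secret-EXAMPLE",
        "redirect_uri": "https://printer.example/callback",
        "allowed_scopes": {"photos:read"},
    }
}
RESOURCE = "https://api.example/photos"   # constructed protected resource


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # one-time authorization codes -> grant
        self.tokens = {}   # access token -> (user, client, resource, scope)

    def authorize(self, user, query):
        """Consent step. The user is already authenticated (step 1) by the
        caller; here the server verifies the application (2), verifies the
        scope (3) and authorizes by issuing a code (4)."""
        client = REGISTERED_CLIENTS.get(query["client_id"])
        if client is None or client["redirect_uri"] != query["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        scope = set(query["scope"].split())
        if not scope <= client["allowed_scopes"]:
            raise ValueError("scope not permitted for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": user, "client_id": query["client_id"],
                            "redirect_uri": query["redirect_uri"],
                            "scope": scope, "expires": time.time() + 600}
        # Redirect the user back to the application with the code and state.
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form):
        """Exchange the authorization code for an access token. The code is
        single-use and must come from the same client and redirect URI."""
        client = REGISTERED_CLIENTS.get(form["client_id"])
        if client is None or client["secret"] != form["client_secret"]:
            raise ValueError("client authentication failed")
        grant = self.codes.pop(form["code"], None)   # pop: a code is used once
        if grant is None or grant["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form["redirect_uri"]:
            raise ValueError("code was issued to a different client or redirect_uri")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"user": grant["user"], "client_id": form["client_id"],
                               "resource": RESOURCE, "scope": grant["scope"]}
        return {"access_token": access, "token_type": "bearer",
                "refresh_token": secrets.token_urlsafe(24),
                "scope": " ".join(sorted(grant["scope"]))}


def run_flow(server, user="alice"):
    """Client side of the flow, with the server calls inlined for the example."""
    state = secrets.token_urlsafe(8)   # binds the callback to this browser session
    auth_url = "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": "photo-printer",
        "redirect_uri": "https://printer.example/callback",
        "scope": "photos:read", "state": state})
    query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback = server.authorize(user, query)          # user authenticates and grants
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if cb["state"] != state:
        raise ValueError("state mismatch: callback not from our request")
    return server.token({"grant_type": "authorization_code", "code": cb["code"],
                         "client_id": "photo-printer",
                         "client_secret": "printer-secret-EXAMPLE",
                         "redirect_uri": "https://printer.example/callback"})
```

The token record is what makes per-application revocation possible: deleting the entries whose client_id is the application being revoked removes that application's access without touching the user's password or other applications' tokens.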
Desktop and mobile applications open an in-app browser (e.g. UIWebView)
Command-line tools can open a <url> in the browser; the final page asks the user to copy and paste the access token
High-trust applications can exchange the username and password directly for an access token
Client applications should not ask users for their password
OAuth provides an alternative flow that balances convenience and security
It supports Web applications, desktop and mobile applications, and even command-line tools
Not complicated or terribly hard; existing tools help a lot
You might trip and fall the first time; there are some new concepts to wrap your head around
Almost one year in, the ongoing maintenance cost has been zero for us