OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.
-
Upload
neal-harrell -
Category
Documents
-
view
214 -
download
0
Transcript of OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.
![Page 1: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/1.jpg)
OAuth 2.0 in Depth
By Rohit GhatolDirector @ Synerzip
Passionate about TechNext
![Page 2: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/2.jpg)
Why study about OAuth?
![Page 3: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/3.jpg)
Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
Do you care about these or Similar Sites?
![Page 4: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/4.jpg)
Browser
Mashups
LinkedInFoursquare
Http Access
Api Access
![Page 7: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/7.jpg)
Security
Closed ClosedOpen
Authentication Authorization
![Page 8: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/8.jpg)
OAuth In a Nut ShellCan I have your
Debit Card and ATM Pin?
![Page 9: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/9.jpg)
OAuth In a Nut ShellCan I have your
Credit Card?
![Page 10: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/10.jpg)
OAuth Practical Example
Disclaimer before you read ahead:All product names and people names used in the following slides are not entirely accurate. They are only placeholders to explain the concept. None of that information should assumed to be correct or incorrect.
![Page 11: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/11.jpg)
Without OAuth
![Page 12: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/12.jpg)
Without OAuth
![Page 13: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/13.jpg)
Without OAuth
![Page 14: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/14.jpg)
Lets Start Again
![Page 15: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/15.jpg)
With OAuth
![Page 16: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/16.jpg)
With OAuth URL changed to http://picasa.com
![Page 17: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/17.jpg)
With OAuth URL ishttp://picasa.com
![Page 18: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/18.jpg)
With OAuthURL changed to
http://picasa.com with code parameter
![Page 19: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/19.jpg)
With OAuth
![Page 20: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/20.jpg)
OAuth 2.0 Flow in Depth
![Page 21: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/21.jpg)
Scenario
BOB
PicasaPrint-Fast
OwnsOwns
Wants to integrate with Google Services e.g Picasa
![Page 22: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/22.jpg)
Roles
BOB
PicasaPrint-Fast
OwnsOwns
Wants to integrate with Google Services e.g Picasa Resource
Server
Authorization Server
Client
![Page 23: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/23.jpg)
Roles
BOB
PicasaPrint-Fast
OwnsOwns
Wants to integrate with Google Services e.g Picasa Resource
Server
Authorization Server
Client
David
Resource Owner
![Page 24: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/24.jpg)
Client Registration
BOB
PicasaPrint-Fast
OwnsOwns
Client Registers with Authorization Server Resource
Server
Authorization Server
ClientClient_Id=print-fastClient_Secret=xxxRedirect_Url =
http://print-fast.com
![Page 25: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/25.jpg)
OAuth Flows/Grant Types
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
![Page 26: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/26.jpg)
Step 1 – Get Authorization Grant
![Page 27: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/27.jpg)
Authorization Request Authorization Grant
URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=code
![Page 28: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/28.jpg)
Authorization GrantAuthorization Grant
Code = ase34
![Page 29: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/29.jpg)
Client
Resource Owner
Authorization Server
Resource Server
Authorization RequestClient_Id=print-fastRedirect_url = http://print-fast.comScope=profile,email,photos
Authorization Grant
Protocol Flow
David
Print-Fast
code = ase34
![Page 30: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/30.jpg)
Step 2 – Exchange for Access Token
![Page 31: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/31.jpg)
Print-Fast
Authorization Server
Client
code = ase34
Code = ase34Client_Id=print-fastClient_Secret=xxx
access_token = x3e4
access_token = x3e4
![Page 32: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/32.jpg)
Client
Resource Owner
Authorization Server
Resource Server
Protocol Flow
David
Print-Fast
Authorization Grant code = ase34 Client_Id=print-fast Client_Secret=xxx
Access Token
access_token= x3e4
![Page 33: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/33.jpg)
Step 3 – Access Protected Resources
![Page 34: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/34.jpg)
Print-Fast
Authorization Server
Client
code = ase34
Code = ase34Client_Id=print-fastClient_Secret=xxx
access_token = x3e4
access_token = x3e4
Picasa
http://picasa.com/..../usr133/photos
[“http://…/DSC34.jpg”,“http://…/DSC44.jpg”,“http://…/DSC56.jpg”,“http://…/DSC98.jpg”]
![Page 35: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/35.jpg)
Client
Resource Owner
Authorization Server
Resource Server
Protocol Flow
David
Print-Fast Access Token
Protected Resource
access_token = x3e4
[“http://…/DSC34.jpg”,“http://…/DSC44.jpg”,“http://…/DSC56.jpg”,“http://…/DSC98.jpg”]
Picasa
![Page 36: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/36.jpg)
Complete Flow at Once
![Page 37: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/37.jpg)
Client
Resource Owner
Authorization Server
Resource Server
Authorization Request
Authorization Grant
Authorization Grant
Access Token
Access Token
Protected Resource
Protocol Flow
![Page 38: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/38.jpg)
With Refresh Token
![Page 39: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/39.jpg)
ClientAuthorization
ServerResource
Server
Access Grant & Client Credentials
Access Token & Refresh Token
Access Token
Protected Resource
Protocol Flow
Access Token
Invalid Token Error
Refresh Token & Client Credentials
Access Token & Optional Refresh Token
![Page 40: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/40.jpg)
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
OAuth Flows/Grant Types
![Page 41: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/41.jpg)
Step 1 – Get Access Token
![Page 42: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/42.jpg)
Implicit Grant Request Implicit Grant
URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=token
![Page 43: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/43.jpg)
Implicit GrantAccess token = x3e4
![Page 44: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/44.jpg)
Client
Resource Owner
Authorization Server
Resource Server
Implicit Grant RequestClient_Id=print-fastRedirect_url = http://print-fast.comScope=profile,email,photos
Access Token
Protocol Flow
David
Print-Fast
access_token= x3e4
Picasa
![Page 45: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/45.jpg)
Step 2 – Access Protected Resources
![Page 46: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/46.jpg)
access_token = x3e4
Picasa
http://picasa.com/..../usr133/photos
[“http://…/DSC34.jpg”,“http://…/DSC44.jpg”,“http://…/DSC56.jpg”,“http://…/DSC98.jpg”]
![Page 47: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/47.jpg)
Client
Resource Owner
Resource Server
Protocol Flow
Meant for Pure Browser based Applications
Access Token
Protected Resource
access_token = x3e4
[“http://…/DSC34.jpg”,“http://…/DSC44.jpg”,“http://…/DSC56.jpg”,“http://…/DSC98.jpg”]
David
Picasa
![Page 48: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/48.jpg)
Complete Flow at Once
![Page 49: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/49.jpg)
Client
Resource Owner
Resource Server
Authorization Request
Access Token
Access Token
Protected Resource
Protocol Flow
![Page 50: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/50.jpg)
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
OAuth Flows/Grant Types
![Page 51: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/51.jpg)
Client
Authorization Server
Resource Server
Username/Password
Access Token with Optional Refresh Token
Access Token
Protected Resource
Protocol Flow
Resource Owner
Resource Owner Credentials & Client Credentials
David
Picasa
Picasa – Desktop Client
![Page 52: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/52.jpg)
Use Cases
• Strong Trust between Resource Owner and Client e.g Operating System or Privileged App
• Client is not supposed to store the Credentials but only the Access token and Refresh Token if provided
• Example – Salesforce OAuth has provision for this
![Page 53: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/53.jpg)
• Authorization Code Grant• Implicit Grant• Resource Owner Password Credentials Grant• Client Credentials Grant
Grant Types
![Page 54: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/54.jpg)
Client
Authorization Server
Resource Server
Access Token with Optional Refresh Token
Access Token
Protected Resource
Protocol Flow
Client Credentials
![Page 55: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/55.jpg)
Use case
• The Data accessed is not owned by Resource Owner, but by the Client
• Say Skype showing statistics of uptime of its services
![Page 56: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/56.jpg)
Use case
• There is contract already set between the Client and the Authorization Server
• E.g Google Apps Marketspace
• An App installed on Google Apps requires permission to everyone’s calendar in that domain. This permission is provided by the admin and not the end user.
![Page 57: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/57.jpg)
OAuth from Mobile Device
![Page 58: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/58.jpg)
Popular Approaches
• Using User Agent (Stock Browser)• Using Embedded WebView
![Page 59: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/59.jpg)
![Page 60: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/60.jpg)
Disclaimer
• Following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
• I have no claim on the following slides with reference stated in them
• Thank you Brian Campbell for the excellent presentation
![Page 61: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/61.jpg)
Request Authorization
When user first needs to access some protected resource, client opens a browser and sends user to the authorization endpoint
Device
NativeApp
Browser
1
Cloud!
1
Authorization Endpoint
Token Endpoint
Uri authzUrl = Uri.parse("https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status");
Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
startActivity(launchBrowser);
NSString* launchUrl = @"https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status";
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: launchUrl]];
https://as.example.com/as/authorization.oauth2?client_id=myapp&response_type=code&scope=update_status
http://
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 62: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/62.jpg)
Authenticate and Approve The AS authenticates the user
Directly Indirectly via Facebook, Twitter, Google, Yahoo, etc.
Device
NativeApp
Browser
Cloud!
2
Authorization Endpoint
Token Endpoint
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 63: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/63.jpg)
Approve
Device
NativeApp
Browser
Cloud!
2
Authorization Endpoint
Token Endpoint
User approves the requested access
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 64: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/64.jpg)
Handle Callback
Server returns control to the app via HTTP redirection and includes an authorization code
HTTP/1.1 302 Found
Location: x-com.mycorp.myapp://oauth.callback?code=SplxlOBeZQQYbYS6WxSbIAhttp://
Device
NativeApp
Browser
Cloud!
3
Authorization Endpoint
Token Endpoint
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 65: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/65.jpg)
<activity android:name=".MyAppCallback” … >
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="x-com.mycorp.myapp" />
</intent-filter>
</activity>
Handle Callback (cont’d)Registering a custom URI scheme
String authzCode = getIntent().getData().getQueryParameter("code");
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
3
In AndroidManifest.xml file:
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 66: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/66.jpg)
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
NSString *queryString = [url query];
NSMutableDictionary *qsParms = [[NSMutableDictionary alloc] init];
for (NSString *param in [queryString componentsSeparatedByString:@"&"]) {
NSArray *elts = [param componentsSeparatedByString:@"="];
if([elts count] < 2) continue;
[qsParms setObject:[elts objectAtIndex:1] forKey:[elts objectAtIndex:0]];
};
NSString *code = [qsParms objectForKey:@"code"];
...
Handle Callback (cont’d)Registering a custom URI scheme
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
3
In app info plist file:
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 67: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/67.jpg)
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=myapp&grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
Trade Code for Token(s)
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
4
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"token_type":"Bearer",
"expires_in":3600,
"access_token":"PeRTSD9RQrbiuoaHVPxV41MzW1qS”,
"refresh_token":"uyAVrtyLZ2qPzI8rQ5UUTckCdGaJsz8XE8S58ecnt8”
}
http://
http://
Token Endpoint Request
Token Endpoint Response
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 68: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/68.jpg)
POST /api/update-status HTTP/1.1
Host: rs.example.com
Authorization: Bearer PeRTSD9RQrbiuoaHVPxV41MzW1qS
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
status=Almost%20done.
Using an Access Token
http://
Device
NativeApp
Browser
Cloud!
Authorization Endpoint
Token Endpoint
5
NSString *authzHeader = [NSString stringWithFormat:@"Bearer %@", accessToken];
NSMutableURLRequest *request = [[[NSMutableURLRequest alloc] init] autorelease];
[request setURL:[NSURL URLWithString:@"https://rs.example.com/api/update-status"]];
[request setValue:authzHeader forHTTPHeaderField:@"Authorization"];
DefaultHttpClient httpClient = new DefaultHttpClient();
HttpPost post = new HttpPost("https://rs.example.com/api/update-status");
post.setHeader("Authorization", "Bearer " + accessToken);
Once an access token is obtained, it can be used to authenticate/authorize calls to the protected resources at the RS by including it in HTTP Authorization header
Reference - http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
![Page 69: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/69.jpg)
Pros and Cons
• Pros– User may be already
logged in most cases– User will trust as he/she
sees https and domain name
• Cons– Complicated Custom URI
schema
![Page 70: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/70.jpg)
Popular Approaches
• Using User Agent (Stock Browser)• Using Embedded WebView
![Page 71: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/71.jpg)
![Page 72: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/72.jpg)
Pros and Cons
• Pros– Easier to monitor pages
and extract authorization or access codes
• Cons– May not appeal since
neither https or domain name is visible
– WebView has separate cookie and history leading to client entering credentials each time
![Page 73: OAuth 2.0 in Depth By Rohit Ghatol Director @ SynerzipSynerzip Passionate about TechNextTechNext.](https://reader036.fdocuments.us/reader036/viewer/2022081519/56649dd15503460f94ac7b80/html5/thumbnails/73.jpg)
Reference
• Book – Getting Started with OAuth 2.0• Facebook Documentation• Google Documentation• Brian David Campbell’s Presentation