OAuth you said



OAuth is an open standard for authorization. OAuth provides client applications 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials, but it became a big mess.

Transcript of OAuth you said

Page 1: OAuth you said



Page 2: OAuth you said

Why OAuth? Provide a standard way to access protected resources, without sharing passwords.

OAuth.io OAuth, You said?

Page 3: OAuth you said



OAuth, You said?

Page 4: OAuth you said

The middle-man between the service and the OAuth provider

- Never share your Facebook credentials with a service.
- Today, almost any app needing access or permissions relies on OAuth.


Page 5: OAuth you said

Before? Basic Auth.

- Users had to provide their Facebook credentials to third party services.
- Not secure. Intrusive. Inconvenient.

Page 6: OAuth you said

Started as a Protocol

OAuth was first designed to be interoperable and super easy to implement for developers.

Page 7: OAuth you said

Ended up as a Framework

OAuth 2.0 has been reclassified as a framework, which means no interoperability and no backward compatibility :/

Page 8: OAuth you said

So yes, OAuth is broken

- 30+ different implementations
- Two separate flows for token retrieval.
- Resources' names and parameters differ from one provider to another.
- A nightmare for developers: lots of potential traps. No hope for a good learning curve…

Page 9: OAuth you said

Many versions in 5 years

- OAuth 1.0 = October 2007
- OAuth 1.0a = June 2009
- OAuth 2.0 first draft = early 2010
- OAuth 2.0 final = late 2011

Page 10: OAuth you said

OAuth 1.0a was limited

- Complex signature scheme.
- Almost no control over token expiry.
- No permission management.
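To make the "complex signature scheme" bullet concrete, here is the OAuth 1.0 HMAC-SHA1 request-signing procedure from RFC 5849 (the spec linked under Further reading), written for this page as an added example and not taken from the deck or from OAuth.io. The function names are my own; the sample request and secrets are the ones from the OAuth Core 1.0 specification's appendix, and the same code also verifies a received signature on the server side.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 3986 percent-encoding (RFC 5849 section 3.6): with safe="" Python 3.7+
    # leaves only ALPHA / DIGIT / "-" / "." / "_" / "~" unencoded.
    return quote(s, safe="")

def base_string(method, url, oauth_params, body_params=()):
    # Signature base string of RFC 5849 section 3.4.1.
    parts = urlsplit(url)
    # Base string URI: lowercase scheme and host, default port dropped, no query.
    host = parts.hostname or ""
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    # Parameters: query string + form body + oauth_* values (minus oauth_signature
    # and realm), each percent-encoded, then sorted by name and value.
    params = parse_qsl(parts.query, keep_blank_values=True) + list(body_params)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    # HMAC-SHA1 (RFC 5849 section 3.4.2); the key is both encoded secrets joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    # Server side: recompute over the request as received and compare in constant
    # time, so any change to URL, query, body or oauth_* parameters invalidates it.
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Sample input: the photo request from the OAuth Core 1.0 specification's appendix
# example (not from the deck); the secrets are the appendix's too.
EXAMPLE_URL = "http://photos.example.net:80/photos?file=vacation.jpg&size=original"
EXAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    print(sign("GET", EXAMPLE_URL, EXAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

Every byte of the method, normalized URI and sorted parameters goes into the base string, which is why one mismatched encoding or ordering rule between client and provider breaks the signature: OAuth 2.0 dropped all of this in favour of bearer tokens over SSL.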

Page 11: OAuth you said

OAuth 2.0 compromise

- More flexible but less interoperable
- SSL rather than signatures
- Easier to implement
- No backward compatibility

Page 12: OAuth you said

4 quick definitions

- Resource Owner: the user who wants to share a resource, e.g. the owner of the Facebook photos.
- Client: the application that wants to leverage a resource hosted by a third party, e.g. the photo printing website.
- Authorization Server: the entity that decides to grant access to the client (application), e.g. Facebook's authorization server.
- Resource Server: the place where the third party resource is hosted, e.g. Facebook's server where the photos to print are.

Page 13: OAuth you said

The Flow

Page 14: OAuth you said

Further reading

- OAuth 1.0 Specs: http://tools.ietf.org/html/rfc5849
- OAuth 2.0 Specs
- Fuck OAuth, talk by Eran Hammer: http://vimeo.com/52882780

Read our full OAuth Tutorial

Page 15: OAuth you said


The Big Lebowski

Walker Texas Ranger aka Chuck (the 1st) Norris

Jackie Brown

2001: A Space Odyssey

R2D2: Star Wars (Dagobah)

C3PO: Star Wars (Tatooine)

Las Vegas Parano


Forrest Gump

Austin Powers

Judge Dredd

Page 16: OAuth you said


Integrate any of our 100+ OAuth providers in minutes the SAME WAY


OAuth Popup with facebook