APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe the what, why and how of OAuth2
Provide an easy way to remember all OAuth2 grant types/flows through a 'spot the difference' image comparing all 4 grant types.
Provide a quick reference showing all the steps of all OAuth2 grant types side-by-side.
Introduce the new identity layers in OAuth2 that offer authentication on top of authorization: OpenID Connect and IndieAuth
Describe the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer that implements those standards on behalf of OAuth providers
5. At the end of the talk . . .
● Understand and/or remember OAuth2 better
○ Goal, purpose, example
● The standard and yet different flavors of OAuth2
○ OAuth2 grant types
○ OAuth2 parameters/urls
● The new flavors of OAuth2 - authentication
○ Identity layers
● The evangelist - OAuth.io
○ Standardize implementation
○ Push adoption of new standards
14. OAuth2 Grant Type Magic Diagram (With Labels)
[Diagram: the four grant types side by side, labelled Client Credential, Authorization Code, Resource Owner Password Credential and Implicit]
15. Which Grant Type is Best?
Condition                                                                      Grant Type/Flow                     Security  Ease
If the user and the service are the same entity                                Client Credential                   3         1
If the main logic is in the backend, while the front-end is presentation only  Authorization Code                  3         3
Single-page application (SPA) or native app that interacts with the resource directly   Implicit                   2         1
Service can be fully trusted                                                   Resource Owner Password Credential  1         1
16. OAuth2: Grant Type Flows Have 2 Parts
Part 1:
● Get Key
Part 2:
● Use Key
17. OAuth2 Flow Part 1: Get Key
1. Service pre-registers with the user's resource owner
2. User authenticates with credentials
3. User chooses permissions
4. User/Agent gets the code
5. Agent/Service gets the key
18. OAuth2 Flow Part 1: Get Key
[Diagram: the "get key" steps shown side by side for Client Credential, Authorization Code, Resource Owner Password Credential and Implicit]
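The five "get key" steps above, followed by the "use key" part, as an added walkthrough for the Authorization Code grant. This is example code written for this page, not code from the talk or from OAuth.io; the in-memory authorization server, the client, the user "alice", the redirect URL and the scope names are all constructed, and the exchange happens through direct method calls instead of HTTP so that it runs offline.

```python
"""Toy walkthrough of the OAuth2 Authorization Code grant, split into the
deck's two parts: Part 1 "get key" (steps 1-5) and Part 2 "use key".
Everything here (server, client, user, URLs, scopes) is constructed for illustration."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Stands in for the provider: holds registered clients, issued codes and tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}     # code -> {"client_id", "user", "scope", "redirect_uri"}
        self.tokens = {}    # access_token -> {"user", "scope"}
        self.users = {"alice": "correct horse battery staple"}   # constructed sample user

    # Step 1: the service pre-registers and receives its client credentials.
    def register_client(self, redirect_uri):
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    # Steps 2-4: the user authenticates, chooses permissions, and the agent gets the code.
    def authorize(self, client_id, redirect_uri, scope, state, username, password, approved_scope):
        client = self.clients.get(client_id)
        # The redirect_uri must match the registered one exactly, otherwise the code could leave.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        # The user may grant fewer permissions than requested, never more.
        granted = sorted(set(approved_scope) & set(scope))
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": username,
                            "scope": granted, "redirect_uri": redirect_uri}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    # Step 5: the service exchanges the code, plus its own secret, for the key.
    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)   # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid code")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": " ".join(grant["scope"])}

    # Part 2, "use key": the resource checks the key and the scope it carries.
    def resource(self, access_token, required_scope):
        info = self.tokens.get(access_token)
        if info is None or required_scope not in info["scope"]:
            raise PermissionError("insufficient token")
        return {"owner": info["user"], "data": f"{required_scope} for {info['user']}"}


def run_flow():
    """Drive the complete flow and report what the service ended up with."""
    server = AuthorizationServer()
    redirect_uri = "https://service.example/callback"   # constructed
    client_id, client_secret = server.register_client(redirect_uri)
    state = secrets.token_urlsafe(16)   # binds the callback to this request (anti-CSRF)
    callback = server.authorize(client_id, redirect_uri, scope=["music:stream", "orders:read"],
                                state=state, username="alice", password="correct horse battery staple",
                                approved_scope=["music:stream"])   # the user approves streaming only
    params = parse_qs(urlparse(callback).query)
    if params["state"][0] != state:
        raise PermissionError("state mismatch: callback is not a reply to our own request")
    tok = server.token(client_id, client_secret, params["code"][0], redirect_uri)
    music = server.resource(tok["access_token"], "music:stream")
    try:
        server.resource(tok["access_token"], "orders:read")   # never granted by the user
        orders_denied = False
    except PermissionError:
        orders_denied = True
    try:
        server.token(client_id, client_secret, params["code"][0], redirect_uri)   # replayed code
        replay_denied = False
    except PermissionError:
        replay_denied = True
    return {"scope": tok["scope"], "owner": music["owner"],
            "orders_denied": orders_denied, "replay_denied": replay_denied}


if __name__ == "__main__":
    print(run_flow())
```

Three checks in the walkthrough are the ones that separate this grant from the others on the slide: the code is only exchangeable by the client that authenticates with its secret, the redirect URI is compared against registration rather than trusted from the request, and the code is consumed on first use.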
34. OAuth2: Identity Layers For Authentication
● Abuse of OAuth2 for authentication
○ OpenID Connect (OIDC)
● The evolution of decentralized identity
○ IndieAuth
41. OAuth2: For Authentication Mess!
[Diagram: the holder of a key is authorized to act as the user to stream Amazon music on the TV; the same key is then used for authentication elsewhere, where its holder is treated as authenticated as the owner and can get the purchase history]
42. OAuth2: Intended Recipient For Authentication
[Diagram: the key names its intended recipient; its holder is authorized to act as the user to stream Amazon music on the TV, and the key CANNOT be used elsewhere]
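The difference between slides 41 and 42, as an added example that is not part of the talk: a provider mints a signed token that names the client it was issued to, and each relying service checks that name before treating the token as proof of who the user is. The HMAC token layout, the provider key, the service names "music-tv-client" and "purchase-history-client" and the user "alice" are all constructed here; OpenID Connect does the same with the `aud` claim of a JWT ID token.

```python
"""Why a key needs an intended recipient: a token minted for the music service
must not be accepted by the purchase-history service as proof of identity.
The token format, key and service names are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: the provider's signing key, shared with both relying services for simplicity.
PROVIDER_KEY = b"provider-signing-key-for-demo-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, scope: list, ttl: int = 300, now=None) -> str:
    """Provider side: issue a signed token that names the client it was issued to ('aud')."""
    now = int(time.time()) if now is None else now
    payload = {"iss": "https://provider.example", "sub": subject, "aud": audience,
               "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now=None) -> dict:
    """Relying-service side: signature, expiry and, crucially, the audience must all match."""
    now = int(time.time()) if now is None else now
    body, sig = token.split(".", 1)
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    # The slide's "intended recipient": a perfectly valid token issued to someone else is rejected.
    if claims["aud"] != expected_audience:
        raise ValueError(f"token audience {claims['aud']!r} is not {expected_audience!r}")
    return claims


def purchase_history_login(token: str) -> str:
    """The purchase-history service (constructed) only accepts tokens issued to itself."""
    claims = verify_token(token, expected_audience="purchase-history-client")
    return claims["sub"]


def demo() -> dict:
    tv_token = mint_token("alice", audience="music-tv-client", scope=["music:stream"])
    # The music service is the intended recipient, so it accepts the token.
    accepted_by_music = verify_token(tv_token, "music-tv-client")["sub"]
    # The same token presented to purchase history as "I am alice" is refused (slide 42).
    try:
        purchase_history_login(tv_token)
        reused = True
    except ValueError:
        reused = False
    # Rewriting the audience claim invalidates the signature, so that loophole is closed too.
    body, sig = tv_token.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["aud"] = "purchase-history-client"
    rewritten = _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig
    try:
        purchase_history_login(rewritten)
        rewritten_ok = True
    except ValueError:
        rewritten_ok = False
    return {"music_user": accepted_by_music, "reused_elsewhere": reused,
            "rewritten_accepted": rewritten_ok}


if __name__ == "__main__":
    print(demo())
```

Without the `aud` comparison the purchase-history service would be in the slide 41 situation: any service that ever received a token for alice could present it and be treated as alice. The audience check is what turns an authorization key into something a relying party may also rely on for authentication.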
45. OAuth.io To the Rescue!
Value for developers
● Use the latest standards whenever ready
Value for providers
● Shim to implement latest standards on their behalf
47. IndieWeb
https://indieweb.org
● What you post is yours [setup required]
● Nobody controls what you post [setup required]
● You are better connected [integration required]
○ Post to any silos (FB, Twitter, etc.) - POSSE
○ All interactions go back to you and are not siloed (FB, Twitter, etc.) - webmention
You already have an identity on this server.
Why not use it for every service on the web?
48. IndieAuth
https://indieweb.org/indieauth
● Take back control of your identity
○ Determine what type of authentication: password, fingerprint, etc.
○ Determine what you want to share about yourself, and revoke as required
■ Right-to-be-forgotten (GDPR)
54. At the end of the talk . . .
● Understand and/or remember OAuth2 better
○ Goal, purpose, example
● The standard and yet different flavors of OAuth2
○ OAuth2 grant types
○ OAuth2 parameters/urls
● The new flavors of OAuth2 - authentication
○ Identity layers
● The evangelist - OAuth.io
○ Standardize implementation
○ Push adoption of new standards
55. Thank You For Listening!
@neth_6, @oauth_io
https://oauth.io