SlideShare a Scribd company logo

UC2013 Speed Geeking: Intro to OAuth2

Download as PPTX, PDF
Aaron Parecki
Aaron Parecki

The document is a presentation on OAuth 2 that: 1) Explains the key concepts of OAuth 2 including resource owners, authorization servers, clients, and scopes. 2) Describes the common OAuth 2 grant types including authorization code, implicit, password, and client credentials and how they apply to different use cases like web apps, mobile apps, and application access. 3) Provides examples of implementing each grant type with code snippets and diagrams of the authorization flows.

Technology
1 of 42
Esri UC2013 . Technical Workshop . Speed Geeking 2013 Esri International User Conference July 8–12, 2013 | San Diego, California An Introduction to OAuth 2 Aaron Parecki @aaronpk
Esri UC2013 . Technical Workshop . Before OAuth • Apps stored the user’s password • Apps got complete access to a user’s account • Users couldn’t revoke access to an app except by changing their password • Compromised apps exposed the user’s password An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Before OAuth • Services recognized the problems with password authentication • Many services implemented things similar to OAuth 1.0 - Flickr: “FlickrAuth” frobs and tokens - Google: “AuthSub” - Facebook: requests signed with MD5 hashes - Yahoo: BBAuth (“Browser-Based Auth”) An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . The OAuth 2 Spec http://oauth.net/2/
Esri UC2013 . Technical Workshop . Definitions • Resource Owner: The User • Resource Server: The API • Authorization Server: Often the same as the API server • Client: The Third-Party Application An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Use Cases • Web-server apps • Browser-based apps • Username/password access • Application access • Mobile apps An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . • Web-server apps – authorization_code • Browser-based apps – implicit • Username/password access – password • Application access – client_credentials • Mobile apps – implicit Use Cases – Grant Types An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Web Server Apps Authorization Code Grant
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . User visits the authorization page https://facebook.com/dialog/oauth?response_ty pe=code&client_id=28653682475872&redirect_uri =everydaycity.com&scope=email An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Server exchanges auth code for an access token Your server makes the following request POST https://graph.facebook.com/oauth/ access_token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Server exchanges auth code for an access token Your server gets a response like the following { "access_token":"RsT5OjbzRn430zqMLgV3Ia" , "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } or if there was an error { "error":"invalid_request" }An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Browser-Based Apps Implicit Grant
Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?respon se_type=token&client_id=CLIENT_ID &redirect_uri=REDIRECT_URI&scope=email An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . User visits the authorization page https://facebook.com/dialog/oauth?response_ty pe=token&client_id=2865368247587&redirect_uri =everydaycity.com&scope=email An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . On success, user is redirected back to your site with the access token in the fragment https://example.com/auth#token=ACCESS_TOKEN On error, user is redirected back to your site with error code https://example.com/auth#error=access_denied An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Browser-Based Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Browser makes API requests directly An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Username/Password Password Grant
Esri UC2013 . Technical Workshop . Password Grant Password grant is only appropriate for trusted clients, most likely first-party apps only. If you build your own website as a client of your API, then this is a great way to handle logging in. An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Password Grant Type Only appropriate for your service’s website or your service’s mobile apps. An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Password Grant POST https://api.example.com/oauth/token Post Body: grant_type=password &username=USERNAME &password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia" , "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Password Grant • User exchanges username and password for a token • No server-side code needed • Client secret only used from confidential clients - (Don’t send client secret from a mobile app!) • Useful for developing a first-party login system An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Application Access Client Credentials Grant
Esri UC2013 . Technical Workshop . Client Credentials Grant POST https://api.example.com/1/oauth/t oken Post Body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Grant Type Summary • authorization_code: Web-server apps • implicit: Mobile and browser-based apps • password: Username/password access • client_credentials: Application access An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Accessing Resources So you have an access token. Now what?
Esri UC2013 . Technical Workshop . Use the access token to make requests Now you can make requests using the access token. GET https://api.example.com/me Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia Access token can be in an HTTP header or a query string parameter https://api.example.com/me?access_token=RsT5OjbzR n430zqMLgV3Ia An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Eventually the access token may expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Get a new access token using a refresh token Your server makes the following request POST https://api.example.com/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Scope Limiting access to resouces
Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . OAuth 2 scope on Github https://github.com/login/oauth/authorize? client_id=...&scope=user,public_repo user • Read/write access to profile info only. public_repo • Read/write access to public repos and organizations. repo • Read/write access to public and private repos and organizations. delete_repo • Delete access to adminable repositories. gist • write access to gists. An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . oauth.net/2 An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . oauth.net Website • Source code available on Github - github.com/aaronpk/oauth.net • Please feel free to contribute to the website • Contribute new lists of libraries, or help update information An Introduction to OAuth 2
Esri UC2013 . Technical Workshop . Thanks. @aaronpk aparecki@esri.com github.com/aaronpk An Introduction to OAuth 2

Recommended

LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 

Recommended

LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0Manish Kumar Singh
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-idParisa Moosavinezhad
 

More Related Content

What's hot

Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 

What's hot (20)

Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 

Similar to UC2013 Speed Geeking: Intro to OAuth2

OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 

Similar to UC2013 Speed Geeking: Intro to OAuth2 (20)

OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 

More from Aaron Parecki

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Aaron Parecki
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Aaron Parecki
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitAaron Parecki
 
Intro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceIntro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceAaron Parecki
 
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Aaron Parecki
 
Low Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandLow Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandAaron Parecki
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source BridgeAaron Parecki
 
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISEsri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISAaron Parecki
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeAaron Parecki
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Aaron Parecki
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesAaron Parecki
 
Home Automation with SMS and GPS
Home Automation with SMS and GPSHome Automation with SMS and GPS
Home Automation with SMS and GPSAaron Parecki
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Aaron Parecki
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsAaron Parecki
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAaron Parecki
 
Geoloqi iPhone App Tour
Geoloqi iPhone App TourGeoloqi iPhone App Tour
Geoloqi iPhone App TourAaron Parecki
 
The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9Aaron Parecki
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeAaron Parecki
 

More from Aaron Parecki (18)

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer Toolkit
 
Intro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceIntro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger Service
 
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
 
Low Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandLow Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS Portland
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source Bridge
 
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISEsri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source Bridge
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session Notes
 
Home Automation with SMS and GPS
Home Automation with SMS and GPSHome Automation with SMS and GPS
Home Automation with SMS and GPS
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile Apps
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and Geoloqi
 
Geoloqi iPhone App Tour
Geoloqi iPhone App TourGeoloqi iPhone App Tour
Geoloqi iPhone App Tour
 
The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source Bridge
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

UC2013 Speed Geeking: Intro to OAuth2

  • 1. Esri UC2013 . Technical Workshop . Speed Geeking 2013 Esri International User Conference July 8–12, 2013 | San Diego, California An Introduction to OAuth 2 Aaron Parecki @aaronpk
  • 2. Esri UC2013 . Technical Workshop . Before OAuth • Apps stored the user’s password • Apps got complete access to a user’s account • Users couldn’t revoke access to an app except by changing their password • Compromised apps exposed the user’s password An Introduction to OAuth 2
  • 3. Esri UC2013 . Technical Workshop . Before OAuth • Services recognized the problems with password authentication • Many services implemented things similar to OAuth 1.0 - Flickr: “FlickrAuth” frobs and tokens - Google: “AuthSub” - Facebook: requests signed with MD5 hashes - Yahoo: BBAuth (“Browser-Based Auth”) An Introduction to OAuth 2
  • 4. Esri UC2013 . Technical Workshop . The OAuth 2 Spec http://oauth.net/2/
  • 5. Esri UC2013 . Technical Workshop . Definitions • Resource Owner: The User • Resource Server: The API • Authorization Server: Often the same as the API server • Client: The Third-Party Application An Introduction to OAuth 2
  • 6. Esri UC2013 . Technical Workshop . Use Cases • Web-server apps • Browser-based apps • Username/password access • Application access • Mobile apps An Introduction to OAuth 2
  • 7. Esri UC2013 . Technical Workshop . • Web-server apps – authorization_code • Browser-based apps – implicit • Username/password access – password • Application access – client_credentials • Mobile apps – implicit Use Cases – Grant Types An Introduction to OAuth 2
  • 8. Esri UC2013 . Technical Workshop . Web Server Apps Authorization Code Grant
  • 9. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
  • 10. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
  • 11. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
  • 12. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
  • 13. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?res ponse_type=code&client_id=YOUR_CLIENT _ID&redirect_uri=REDIRECT_URI&scope=e mail An Introduction to OAuth 2
  • 14. Esri UC2013 . Technical Workshop . User visits the authorization page https://facebook.com/dialog/oauth?response_ty pe=code&client_id=28653682475872&redirect_uri =everydaycity.com&scope=email An Introduction to OAuth 2
  • 15. Esri UC2013 . Technical Workshop . On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied An Introduction to OAuth 2
  • 16. Esri UC2013 . Technical Workshop . Server exchanges auth code for an access token Your server makes the following request POST https://graph.facebook.com/oauth/ access_token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET An Introduction to OAuth 2
  • 17. Esri UC2013 . Technical Workshop . Server exchanges auth code for an access token Your server gets a response like the following { "access_token":"RsT5OjbzRn430zqMLgV3Ia" , "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } or if there was an error { "error":"invalid_request" }An Introduction to OAuth 2
  • 18. Esri UC2013 . Technical Workshop . Browser-Based Apps Implicit Grant
  • 19. Esri UC2013 . Technical Workshop . Create a “Log In” link Link to: https://facebook.com/dialog/oauth?respon se_type=token&client_id=CLIENT_ID &redirect_uri=REDIRECT_URI&scope=email An Introduction to OAuth 2
  • 20. Esri UC2013 . Technical Workshop . User visits the authorization page https://facebook.com/dialog/oauth?response_ty pe=token&client_id=2865368247587&redirect_uri =everydaycity.com&scope=email An Introduction to OAuth 2
  • 21. Esri UC2013 . Technical Workshop . On success, user is redirected back to your site with the access token in the fragment https://example.com/auth#token=ACCESS_TOKEN On error, user is redirected back to your site with error code https://example.com/auth#error=access_denied An Introduction to OAuth 2
  • 22. Esri UC2013 . Technical Workshop . Browser-Based Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Browser makes API requests directly An Introduction to OAuth 2
  • 23. Esri UC2013 . Technical Workshop . Username/Password Password Grant
  • 24. Esri UC2013 . Technical Workshop . Password Grant Password grant is only appropriate for trusted clients, most likely first-party apps only. If you build your own website as a client of your API, then this is a great way to handle logging in. An Introduction to OAuth 2
  • 25. Esri UC2013 . Technical Workshop . Password Grant Type Only appropriate for your service’s website or your service’s mobile apps. An Introduction to OAuth 2
  • 26. Esri UC2013 . Technical Workshop . Password Grant POST https://api.example.com/oauth/token Post Body: grant_type=password &username=USERNAME &password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia" , "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"An Introduction to OAuth 2
  • 27. Esri UC2013 . Technical Workshop . Password Grant • User exchanges username and password for a token • No server-side code needed • Client secret only used from confidential clients - (Don’t send client secret from a mobile app!) • Useful for developing a first-party login system An Introduction to OAuth 2
  • 28. Esri UC2013 . Technical Workshop . Application Access Client Credentials Grant
  • 29. Esri UC2013 . Technical Workshop . Client Credentials Grant POST https://api.example.com/1/oauth/t oken Post Body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }An Introduction to OAuth 2
  • 30. Esri UC2013 . Technical Workshop . Grant Type Summary • authorization_code: Web-server apps • implicit: Mobile and browser-based apps • password: Username/password access • client_credentials: Application access An Introduction to OAuth 2
  • 31. Esri UC2013 . Technical Workshop . Accessing Resources So you have an access token. Now what?
  • 32. Esri UC2013 . Technical Workshop . Use the access token to make requests Now you can make requests using the access token. GET https://api.example.com/me Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia Access token can be in an HTTP header or a query string parameter https://api.example.com/me?access_token=RsT5OjbzR n430zqMLgV3Ia An Introduction to OAuth 2
  • 33. Esri UC2013 . Technical Workshop . Eventually the access token may expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! An Introduction to OAuth 2
  • 34. Esri UC2013 . Technical Workshop . Get a new access token using a refresh token Your server makes the following request POST https://api.example.com/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" }An Introduction to OAuth 2
  • 35. Esri UC2013 . Technical Workshop . Scope Limiting access to resouces
  • 36. Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
  • 37. Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
  • 38. Esri UC2013 . Technical Workshop . Limiting Access to Third Parties An Introduction to OAuth 2
  • 39. Esri UC2013 . Technical Workshop . OAuth 2 scope on Github https://github.com/login/oauth/authorize? client_id=...&scope=user,public_repo user • Read/write access to profile info only. public_repo • Read/write access to public repos and organizations. repo • Read/write access to public and private repos and organizations. delete_repo • Delete access to adminable repositories. gist • write access to gists. An Introduction to OAuth 2
  • 40. Esri UC2013 . Technical Workshop . oauth.net/2 An Introduction to OAuth 2
  • 41. Esri UC2013 . Technical Workshop . oauth.net Website • Source code available on Github - github.com/aaronpk/oauth.net • Please feel free to contribute to the website • Contribute new lists of libraries, or help update information An Introduction to OAuth 2
  • 42. Esri UC2013 . Technical Workshop . Thanks. @aaronpk aparecki@esri.com github.com/aaronpk An Introduction to OAuth 2