SlideShare a Scribd company logo

Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013

Download as PPTX, PDF
Aaron Parecki
Aaron Parecki
Technology
1 of 47
Using ArcGIS with OAuth 2.0 Aaron Parecki @aaronpk CTO, Esri R&D Center Portland
Before OAuth • Apps stored the user’s password • Apps got complete access to a user’s account • Users couldn’t revoke access to an app except by changing their password • Compromised apps exposed the user’s password An Introduction to OAuth 2
Before OAuth • Services recognized the problems with password authentication • Many services implemented things similar to OAuth 1.0 Flickr: “FlickrAuth” frobs and tokens - Google: “AuthSub” - Facebook: requests signed with MD5 hashes - Yahoo: BBAuth (“Browser-Based Auth”) - An Introduction to OAuth 2
The OAuth 2.0 Spec http://oauth.net/2/
Definitions • Resource Owner: The User • Resource Server: The API • Authorization Server: Often the same as the API server • Client: The Third-Party Application An Introduction to OAuth 2
Use Cases • Web-server apps • Browser-based apps • Username/password • Application • Mobile access apps An Introduction to OAuth 2 access
Use Cases – Grant Types • Web-server apps – authorization_code • Browser-based apps – implicit • Username/password • Application • Mobile access – password access – client_credentials apps – implicit An Introduction to OAuth 2
Web Server Apps Authorization Code Grant
Create a “Log In” link Link to: https://www.arcgis.com/sharing/ oauth2/authorize?response_type=code&c lient_id=YOUR_CLIENT_ID&redirect_uri= REDIRECT_URI An Introduction to OAuth 2
Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
User visits the authorization page https://www.arcgis.com/sharing/oauth2/autho rize?response_type=code&client_id=YOUR_CLIE NT_ID&redirect_uri=REDIRECT_URI An Introduction to OAuth 2
On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied An Introduction to OAuth 2
Server exchanges auth code for an access token Your server makes the following request POST https://www.arcgis.com/sharing/oa uth2/token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET An Introduction to OAuth 2
Server exchanges auth code for an access token Your server gets a response like the following { "access_token":"RsT5O30zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qok2RRua48lXI”, "username":"aaronpk" } or if there was an error { "error":"invalid_request" } An Introduction to OAuth 2
Browser-Based Apps Implicit Grant
Create a “Log In” link Link to: https://www.arcgis.com/sharing/ oauth2/authorize?response_type=token& client_id=YOUR_CLIENT_ID&redirect_uri =REDIRECT_URI An Introduction to OAuth 2
User visits the authorization page https://www.arcgis.com/sharing/oauth2/author ize?response_type=token&client_id=YOUR_CLIEN T_ID&redirect_uri=REDIRECT_URI An Introduction to OAuth 2
On success, user is redirected back to your site with the access token in the fragment https://example.com/auth#token=ACCESS_TOKEN On error, user is redirected back to your site with error code https://example.com/auth#error=access_denied An Introduction to OAuth 2
Browser-Based Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Browser makes API requests directly An Introduction to OAuth 2
Application Access Client Credentials Grant
Client Credentials Grant POST https://www.arcgis.com/sharing/oa uth2/token Post Body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600 } An Introduction to OAuth 2
Grant Type Summary • authorization_code: Web-server apps • implicit: Mobile and browser-based apps • password: Username/password access • client_credentials: Application access An Introduction to OAuth 2
Authorization Code • User visits auth page response_type=code • User is redirected to your site with auth code http://example.com/?code=xxxxxxx • Your server exchanges auth code for access token POST /token code=xxxxxxx&grant_type=authorization_c ode
Implicit • User visits auth page response_type=token • User is redirected to your site with access token http://example.com/#token=xxxxxxx • Token is only available to the browser since it’s in the fragment
Client Credentials • Your server exchanges client ID/secret for access token POST /token client_id=xxxxxxx&client_secret=yyyyyyy & grant_type=client_credentials
Creating an App An Introduction to OAuth 2
developers.arcgis.com An Introduction to OAuth 2
Create an Application An Introduction to OAuth 2
Get your app’s client_id An Introduction to OAuth 2
Set the redirect_uri An Introduction to OAuth 2
Create a Sign-In Button
Launch Safari to the ArcGIS Online Authorization Endpoint github.com/Esri/OAuth2-Demo-iOS
The User Signs In
Redirect back to your app ArcGIS Online redirects back to your app using a custom URI scheme. Access token is included in the redirect, just like browser-based apps. oauthdemo://auth #access_token=BAAEEmo2nocQBAFFOeRTd…
Parse the token from the URL github.com/Esri/OAuth2-Demo-iOS
The User is Signed In!
Mobile Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Mobile app makes API requests directly
Accessing Resources So you have an access token. Now what?
Use the access token to make requests Now you can make requests using the access token. GET http://www.arcgis.com/sharing/rest/portals/self ?token=RsT5OjbzRn430zqMLgV3Ia An Introduction to OAuth 2
Eventually the access token may expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! An Introduction to OAuth 2
Get a new access token using a refresh token Your server makes the following request POST https://www.arcgis.com/sharing/oauth2/t oken grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "username":"aaronpk" } Introduction to OAuth 2 An
developers.arcgis.com/en/authentication/ An Introduction to OAuth 2
oauth.net/2 An Introduction to OAuth 2
Links github.com/Esri/OAuth2-Demo-iOS developers.arcgis.com
Thanks. @aaronpk aparecki@esri.com github.com/aaronpk

Recommended

LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 

Recommended

LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)Emad Alashi
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0Manish Kumar Singh
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2Aaron Parecki
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 

More Related Content

What's hot

OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)Emad Alashi
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 

What's hot (20)

OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 example
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 

Similar to Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013

UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2Aaron Parecki
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersGlobus
 
RESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTRESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTYakov Fain
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 IntroductionArpit Suthar
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 

Similar to Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013 (20)

UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Introduction to the Globus Platform for Developers
Introduction to the Globus Platform for DevelopersIntroduction to the Globus Platform for Developers
Introduction to the Globus Platform for Developers
 
RESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoTRESTful services and OAUTH protocol in IoT
RESTful services and OAUTH protocol in IoT
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
OAuth2 Introduction
OAuth2 IntroductionOAuth2 Introduction
OAuth2 Introduction
 
OAuth
OAuthOAuth
OAuth
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 

More from Aaron Parecki

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Aaron Parecki
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Aaron Parecki
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitAaron Parecki
 
Intro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceIntro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceAaron Parecki
 
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Aaron Parecki
 
Low Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandLow Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandAaron Parecki
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source BridgeAaron Parecki
 
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISEsri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISAaron Parecki
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeAaron Parecki
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Aaron Parecki
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesAaron Parecki
 
Home Automation with SMS and GPS
Home Automation with SMS and GPSHome Automation with SMS and GPS
Home Automation with SMS and GPSAaron Parecki
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Aaron Parecki
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsAaron Parecki
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAaron Parecki
 
Geoloqi iPhone App Tour
Geoloqi iPhone App TourGeoloqi iPhone App Tour
Geoloqi iPhone App TourAaron Parecki
 
The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9Aaron Parecki
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeAaron Parecki
 

More from Aaron Parecki (19)

Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
Deep Dive into the ArcGIS Geotrigger Service - Esri DevSummit Dubai 2013
 
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
Building Web Apps with the Esri-Leaflet Plugin - Dubai DevSummit 2013
 
Rule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer ToolkitRule Your Geometry with the Terraformer Toolkit
Rule Your Geometry with the Terraformer Toolkit
 
Intro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger ServiceIntro to the ArcGIS Geotrigger Service
Intro to the ArcGIS Geotrigger Service
 
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013Low Friction Personal Data Collection - Quantified Self Global Conference 2013
Low Friction Personal Data Collection - Quantified Self Global Conference 2013
 
Low Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS PortlandLow Friction Personal Data Collection - QS Portland
Low Friction Personal Data Collection - QS Portland
 
Done Reports - Open Source Bridge
Done Reports - Open Source BridgeDone Reports - Open Source Bridge
Done Reports - Open Source Bridge
 
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGISEsri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
Esri DevSummit 2013 Speed Geeking: Intro to Esri Geotrigger Service for ArcGIS
 
Low Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source BridgeLow Friction Personal Data Collection - Open Source Bridge
Low Friction Personal Data Collection - Open Source Bridge
 
Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012Low Friction Personal Data Collection - CyborgCamp 2012
Low Friction Personal Data Collection - CyborgCamp 2012
 
Personal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session NotesPersonal Data Collection Breakout Session Notes
Personal Data Collection Breakout Session Notes
 
Home Automation with SMS and GPS
Home Automation with SMS and GPSHome Automation with SMS and GPS
Home Automation with SMS and GPS
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011Ambient Discovery - Augmented Reality Event 2011
Ambient Discovery - Augmented Reality Event 2011
 
Geolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile AppsGeolocation in Web and Native Mobile Apps
Geolocation in Web and Native Mobile Apps
 
Ambient Location Apps and Geoloqi
Ambient Location Apps and GeoloqiAmbient Location Apps and Geoloqi
Ambient Location Apps and Geoloqi
 
Geoloqi iPhone App Tour
Geoloqi iPhone App TourGeoloqi iPhone App Tour
Geoloqi iPhone App Tour
 
The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9The Vowel R - Ignite Portland 9
The Vowel R - Ignite Portland 9
 
Geoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source BridgeGeoloqi: Non-visual augmented reality Open Source Bridge
Geoloqi: Non-visual augmented reality Open Source Bridge
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013

  • 1. Using ArcGIS with OAuth 2.0 Aaron Parecki @aaronpk CTO, Esri R&D Center Portland
  • 2. Before OAuth • Apps stored the user’s password • Apps got complete access to a user’s account • Users couldn’t revoke access to an app except by changing their password • Compromised apps exposed the user’s password An Introduction to OAuth 2
  • 3. Before OAuth • Services recognized the problems with password authentication • Many services implemented things similar to OAuth 1.0 Flickr: “FlickrAuth” frobs and tokens - Google: “AuthSub” - Facebook: requests signed with MD5 hashes - Yahoo: BBAuth (“Browser-Based Auth”) - An Introduction to OAuth 2
  • 4. The OAuth 2.0 Spec http://oauth.net/2/
  • 5. Definitions • Resource Owner: The User • Resource Server: The API • Authorization Server: Often the same as the API server • Client: The Third-Party Application An Introduction to OAuth 2
  • 6. Use Cases • Web-server apps • Browser-based apps • Username/password • Application • Mobile access apps An Introduction to OAuth 2 access
  • 7. Use Cases – Grant Types • Web-server apps – authorization_code • Browser-based apps – implicit • Username/password • Application • Mobile access – password access – client_credentials apps – implicit An Introduction to OAuth 2
  • 9. Create a “Log In” link Link to: https://www.arcgis.com/sharing/ oauth2/authorize?response_type=code&c lient_id=YOUR_CLIENT_ID&redirect_uri= REDIRECT_URI An Introduction to OAuth 2
  • 10. Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
  • 11. Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
  • 12. Create a “Log In” link Link to: https://www.arcgis.com/sharing/oauth2 /authorize?response_type=code&client_ id=YOUR_CLIENT_ID&redirect_uri=REDIRE CT_URI An Introduction to OAuth 2
  • 13. User visits the authorization page https://www.arcgis.com/sharing/oauth2/autho rize?response_type=code&client_id=YOUR_CLIE NT_ID&redirect_uri=REDIRECT_URI An Introduction to OAuth 2
  • 14. On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied An Introduction to OAuth 2
  • 15. Server exchanges auth code for an access token Your server makes the following request POST https://www.arcgis.com/sharing/oa uth2/token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET An Introduction to OAuth 2
  • 16. Server exchanges auth code for an access token Your server gets a response like the following { "access_token":"RsT5O30zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qok2RRua48lXI”, "username":"aaronpk" } or if there was an error { "error":"invalid_request" } An Introduction to OAuth 2
  • 18. Create a “Log In” link Link to: https://www.arcgis.com/sharing/ oauth2/authorize?response_type=token& client_id=YOUR_CLIENT_ID&redirect_uri =REDIRECT_URI An Introduction to OAuth 2
  • 19. User visits the authorization page https://www.arcgis.com/sharing/oauth2/author ize?response_type=token&client_id=YOUR_CLIEN T_ID&redirect_uri=REDIRECT_URI An Introduction to OAuth 2
  • 20. On success, user is redirected back to your site with the access token in the fragment https://example.com/auth#token=ACCESS_TOKEN On error, user is redirected back to your site with error code https://example.com/auth#error=access_denied An Introduction to OAuth 2
  • 21. Browser-Based Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Browser makes API requests directly An Introduction to OAuth 2
  • 23. Client Credentials Grant POST https://www.arcgis.com/sharing/oa uth2/token Post Body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600 } An Introduction to OAuth 2
  • 24. Grant Type Summary • authorization_code: Web-server apps • implicit: Mobile and browser-based apps • password: Username/password access • client_credentials: Application access An Introduction to OAuth 2
  • 25. Authorization Code • User visits auth page response_type=code • User is redirected to your site with auth code http://example.com/?code=xxxxxxx • Your server exchanges auth code for access token POST /token code=xxxxxxx&grant_type=authorization_c ode
  • 26. Implicit • User visits auth page response_type=token • User is redirected to your site with access token http://example.com/#token=xxxxxxx • Token is only available to the browser since it’s in the fragment
  • 27. Client Credentials • Your server exchanges client ID/secret for access token POST /token client_id=xxxxxxx&client_secret=yyyyyyy & grant_type=client_credentials
  • 28. Creating an App An Introduction to OAuth 2
  • 30. Create an Application An Introduction to OAuth 2
  • 31. Get your app’s client_id An Introduction to OAuth 2
  • 32. Set the redirect_uri An Introduction to OAuth 2
  • 34. Launch Safari to the ArcGIS Online Authorization Endpoint github.com/Esri/OAuth2-Demo-iOS
  • 36. Redirect back to your app ArcGIS Online redirects back to your app using a custom URI scheme. Access token is included in the redirect, just like browser-based apps. oauthdemo://auth #access_token=BAAEEmo2nocQBAFFOeRTd…
  • 37. Parse the token from the URL github.com/Esri/OAuth2-Demo-iOS
  • 38. The User is Signed In!
  • 39. Mobile Apps • Use the “Implicit” grant type • No server-side code needed • Client secret not used • Mobile app makes API requests directly
  • 40. Accessing Resources So you have an access token. Now what?
  • 41. Use the access token to make requests Now you can make requests using the access token. GET http://www.arcgis.com/sharing/rest/portals/self ?token=RsT5OjbzRn430zqMLgV3Ia An Introduction to OAuth 2
  • 42. Eventually the access token may expire When you make a request with an expired token, you will get this response { "error":"expired_token" } Now you need to get a new access token! An Introduction to OAuth 2
  • 43. Get a new access token using a refresh token Your server makes the following request POST https://www.arcgis.com/sharing/oauth2/t oken grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "username":"aaronpk" } Introduction to OAuth 2 An

Editor's Notes

  1. Esri Corporate Template V2September 6, 2013See http://arczone/resources/presentations.cfmfor more sample files and help.