Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to O auth2.0 20141003
Similar to O auth2.0 20141003 (20)
More from Syed Ali Raza
Recently uploaded
Recently uploaded (20)
O auth2.0 20141003
- 1. OAuth 2.0 Syed Ali Raza
- 2. Why traditional session & cookie method doesn’t work with API? Third party applications can not save password as a salted hash. Resource owner can not limit the time of access or what resources to access by clients Resource owners cannot revoke access to an individual third party Compromise of any third‐party application results in compromise of the end-user's data.
- 3. Oauth 2.0 Designed to fix these issues. Finer control over resources Revoke access to individual apps Change password without revoking access to apps. Does not require resource owner to provide credentials directly to your app Provides a model where you can create a key to provide to your app to access a specific part of your app. You can revoke a key without revoking a master key
- 4. 4 Roles Resource Owner Client Resource Server Authorization Server
- 5. OAuth 2 (A) Give me the key of your car (B) It’s with key holder, I will give you a chit, show this to key holder and ask for key. You can’t open my private stuff box with this key (C) Give me car key. Here is the chit of approve from owner (D) Ok, This is accepted, here is the key (E) Give me car to repair, this is the key (F) Ok, have the car Car owner Key Holder Car park Mechanic
- 6. OAuth 2 (A) Authorization Request (B) Authorization Grant (C) Authorization Grant (D) Access Token (E) Access Token (F) Protected Resource Resource owner Client Credentials Authorization Server Resource Server Implicit Client Resource Owner Password Credentials Authorization Code
- 8. oAuth 2.0 infrastructure Internet Client Registration Endpoint Authorization Endpoint Token Endpoint Protected Resources (such as user media or address book) Client Registrations Users (Resource Owners) Tokens and Authorization Codes Client Registration Manager Authenticator Token Manager Resource Access Manager Resource Permissions and Scope Definitions oAuth 2.0 Resource Filter HTTP proxy Resourc e Owner User Agent (browser) Client Authorization Server Resource Server
Editor's Notes
- but in clear text as they will use user credentials later to access resources. To revoke access resource owner has to change password which will automatically revoke all other clients. password and all of the data protected by that password.
- An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. The implicit grant is a simplified authorization code flow optimized for clients implemented in a browse using a scripting language such as JavaScript Client credentials are used as an authorization grant when the client is also the resource owner.
- OAuth defines four roles: resource owner: An entity capable of granting access to a protected resource (e.g. end-user). resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. client: An application making protected resource requests on behalf of the resource owner and with its authorization. authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.