2. Why doesn't the traditional session & cookie method work with APIs?
Third-party applications cannot store the password as a salted hash.
The resource owner cannot limit the duration of access or which resources clients may access.
Resource owners cannot revoke access to an individual third party.
Compromise of any third-party application results in compromise of the end user's data.
3. OAuth 2.0
Designed to fix these issues.
Finer control over resources.
Revoke access to individual apps.
Change password without revoking access to apps.
Does not require the resource owner to provide credentials directly to your app.
Provides a model where you can create a key to give to your app that grants access to a specific part of your app.
You can revoke a key without revoking the master key.
4. 4 Roles
Resource Owner
Client
Resource Server
Authorization Server
5. OAuth 2
(A) Give me the key of your car.
(B) It's with the key holder. I will give you a chit; show this to the key holder and ask for the key. You can't open my private stuff box with this key.
(C) Give me the car key. Here is the chit of approval from the owner.
(D) OK, this is accepted, here is the key.
(E) Give me the car to repair, this is the key.
(F) OK, have the car.
Participants in the diagram: Car owner, Key Holder, Car park, Mechanic.
6. OAuth 2
(A) Authorization Request
(B) Authorization Grant
(C) Authorization Grant
(D) Access Token
(E) Access Token
(F) Protected Resource
Participants in the diagram: Resource Owner, Client, Authorization Server, Resource Server.
Grant types shown: Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials.
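The abstract flow (A) to (F) above, as an added Python example that is not part of the original deck: an in-memory authorization server issues a single-use code for the scope the owner approved, exchanges it for an access token only after the client authenticates, and lets the owner revoke one client without affecting others; the client ids, secrets, owner name and scope names are constructed sample values.

```python
import secrets
import time

# Constructed example replaying the abstract flow (A)-(F); client ids,
# secrets, owner name and scope names are made-up sample values.
class AuthorizationServer:
    def __init__(self):
        # constructed client registrations: client_id -> client_secret
        self.clients = {"mechanic-app": "mech-secret", "photo-app": "photo-secret"}
        self._codes = {}   # code -> (client_id, owner, scope)
        self._tokens = {}  # token -> (client_id, owner, scope, expiry)
    # (A)/(B): the owner approves a scoped request; the client gets a one-time
    # code (the "chit"), never the owner's password.
    def authorize(self, client_id, owner, scope):
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, owner, frozenset(scope))
        return code
    # (C)/(D): the client authenticates and swaps the code for an access token.
    def token(self, client_id, client_secret, code, ttl=3600):
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid code or code issued to another client")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = entry + (time.time() + ttl,)
        return token
    # Used by the resource server to validate a token presented in (E).
    def introspect(self, token):
        entry = self._tokens.get(token)
        if entry is None or entry[3] < time.time():
            return None
        return {"client_id": entry[0], "owner": entry[1], "scope": entry[2]}
    # The owner revokes one client's tokens; other clients keep working.
    def revoke_client(self, owner, client_id):
        self._tokens = {t: e for t, e in self._tokens.items()
                        if not (e[0] == client_id and e[1] == owner)}

class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server
    # (E)/(F): release the resource only if the token is live and in scope.
    def get(self, token, resource):
        info = self.auth.introspect(token)
        if info is None or resource not in info["scope"]:
            return None
        return f"{resource} of {info['owner']}"
```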
8. oAuth 2.0 infrastructure
Diagram (only the labels survive): the Resource Owner's User Agent (browser) and the Client talk over the Internet to the Authorization Server and the Resource Server.
Authorization Server components: Client Registration Endpoint, Authorization Endpoint, Token Endpoint, Client Registration Manager, Authenticator, Token Manager; stored data: Client Registrations, Users (Resource Owners), Tokens and Authorization Codes.
Resource Server components: oAuth 2.0 Resource Filter, HTTP proxy, Resource Access Manager, Resource Permissions and Scope Definitions, Protected Resources (such as user media or address book).
Editor's Notes
but in clear text, as they will use the user's credentials later to access resources.
To revoke access, the resource owner has to change the password, which will automatically revoke all other clients.
password and all of the data protected by that password.
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token.
The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.
Client credentials are used as an authorization grant when the client is also the resource owner.
OAuth defines four roles:
resource owner: An entity capable of granting access to a protected resource (e.g. end-user).
resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
client: An application making protected resource requests on behalf of the resource owner and with its authorization.
authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.