3. Defining OAuth
"OAuth provides a method for users to
grant third-party access to their resources
without sharing their passwords. It also
provides a way to grant limited access (in
scope, duration, etc.)"
5. Why OAuth?
Issues with the traditional client-service auth model
Users share their credentials (password) with
the application for each service.
The application needs as many credentials as
there are services.
Once the application gets the user's password
there is no way to invalidate its access to the
user's resources, unless the user changes their
password.
The application has the same privileges as the user.
6. Background
Based on the well-established practices of many
proprietary industry protocols:
Google AuthSub
Yahoo BBAuth
Flickr API
Focused on website services, but also on desktop
applications, mobile devices and set-top boxes.
7. Background
OpenID, 2006, Blaine Cook: decentralized
digital identification standard.
OpenAuth, 2006, Chris Messina: no sharing of
passwords and login agnostic.
OpenAuth Google, 2007
AOL implements the OpenAuth protocol, 2007
OAuth Core 1.0 Revision, 2009
OAuth Core 1.0 RFC, 2010
Present-Future … OAuth 2.0 Draft
http://tools.ietf.org/html/draft-ietf-oauth-v2-26
9. Workflow
Goal: Print on demand, through a web
application, our last summer photos that we
previously uploaded to Facebook.
Step 1 – The user accesses the Print
Service.
Step 2 – The Print Service gives you
the choice to access Facebook
to get your photos.
Step 3 – You are redirected to the
Facebook login page.
Step 4 – Once you are logged in,
you authorize the Print Service
to access your photos on
Facebook.
Step 5 – You are redirected to
the Print Service, where you
access your photos.
Diagram roles: Service provider, Consumer, User
10. Workflow
Redirection-based authorization.
Credential types:
Get temporary credentials.
Obtain authorization from the resource
owner.
Get token credentials (request token +
secret).
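The three steps of slide 10, played out for the Print Service scenario of slide 9, as an added example that is not part of the original deck: a toy in-memory service provider issues temporary credentials, records the resource owner's approval of a limited scope, exchanges them for token credentials, and can revoke that grant without the user ever changing a password (the problem listed on slide 5). Consumer key, user name, scope string and photo names are constructed for the example; request signing with the secrets is omitted.

```python
import secrets

class ServiceProvider:
    """Toy photo site as OAuth 1.0 service provider (constructed; no request signing)."""

    def __init__(self):
        self.consumers = {"print-service": "consumer-secret"}  # registered apps
        self.temp = {}    # temporary token -> pending authorization state
        self.tokens = {}  # token credentials -> granted consumer/user/scope
        self.photos = {"alice": ["beach.jpg", "lake.jpg"]}

    # Step 1: the consumer obtains temporary credentials (token + secret).
    def temporary_credentials(self, consumer_key):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[token] = {"consumer": consumer_key, "user": None, "verifier": None}
        return token, secret

    # Step 2: owner authenticates here, never at the consumer, and approves a limited scope.
    def authorize(self, temp_token, user, scope):
        state = self.temp[temp_token]
        state.update(user=user, scope=set(scope), verifier=secrets.token_hex(4))
        return state["verifier"]  # handed back to the consumer via the redirect

    # Step 3: single-use temporary credentials + verifier become token credentials.
    def token_credentials(self, consumer_key, temp_token, verifier):
        state = self.temp.pop(temp_token, None)
        if (state is None or state["consumer"] != consumer_key
                or state["user"] is None or state["verifier"] != verifier):
            raise PermissionError("temporary credentials rejected")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {k: state[k] for k in ("consumer", "user", "scope")}
        return token, secret

    def get_photos(self, token):
        grant = self.tokens.get(token)
        if grant is None or "photos:read" not in grant["scope"]:
            raise PermissionError("no valid grant for photos")
        return self.photos[grant["user"]]

    def revoke(self, user):  # withdraw access without the user changing a password
        self.tokens = {t: g for t, g in self.tokens.items() if g["user"] != user}


def print_service_flow(sp, user="alice"):
    # Drives the Print Service (consumer) through steps 1-3 for one user.
    temp_token, _ = sp.temporary_credentials("print-service")
    verifier = sp.authorize(temp_token, user, {"photos:read"})  # user approves
    access_token, _ = sp.token_credentials("print-service", temp_token, verifier)
    return access_token, sp.get_photos(access_token)
```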
11. Live Example
Give WordPress authorization to post on your
Facebook wall and your Twitter account.
12. References
Official page: http://oauth.net/
Beginner's guide to OAuth:
http://oauth.net/documentation/getting-started/
Google OAuth:
https://developers.google.com/accounts/
Getting Started with OAuth 2.0, by Ryan Boyd
Programming Social Applications: Building Viral
Experiences with OpenSocial, OAuth, OpenID,
and Distributed Web Frameworks, by Jonathan
LeBlanc