oauth tokens

OAuth

Tokens

By

Vindhya N

Contents

Understanding REST

A Web service is a software system designed to support inter-

operable, machine-to-machine interaction over a network. In layman terms

they are the calls made by the application to a service present on the web

to perform the specified actions.

Two major web services:

1. REST compliant Web services, in which the primary purpose of the

service is to manipulate XML representations of Web

resources using a uniform set of stateless operations

2. Arbitrary Web services, in which the service may expose an

arbitrary set of operations

REST Web Service

Rest is a stateless architecture which uses a client-

server, cacheable communication protocol HTTP. It

is an Application Programming Interface (API) which

performs all the functions using HTTP methods.

Why OAuth is Required?

Consider a 3rd party application, like a gaming app in facebook.

To login to the app, you don’t want to give your facebook password.

Neither you can access the application directly

So in this case, there should be an authorisation process from facebook to

authorize the 3rd Party app.

The authorisation is done by oAuth

Types of authorisation

1. Open ID:

De-centralized Single Sign-on for the Web

2. Basic Authentication

3. Session based

4. OAuth

What is OAuth?

OAuth is a simple and secure delegation protocol to

access resources on behalf of a user without requiring

them to share passwords.

It is an authorization mechanism

Provides a single point of authentication for multiple

services

Helps in integrating an application with an existing

authentication service.

OAuth Jargons

Client -> 3rd Party Application

Resource owner -> User (You)

Authorisation Server -> Application you have

logged in (Facebook, twitter)

Resource Server -> Server that has data

OAuth Mechanisms

1.Authorisation

2. Implicit Grant

3.Resource owner password

credentials

4.Client Credentials Grant

Securing OAuth

1. Should be patched for all web application

security vulnerabilities

2. Encrypt all OAuth credentials

3. OAuth token should be random

4. Signed with HMAC

5. Short lived

6. Generate verifiable consumer keys

References

• https://developers.google.com/accounts/docs/OAuth2

• http://docs.oracle.com/cd/E39820_01/doc.11121/gatewa

y_docs/content/oauth_flows.html

• https://www.greendizer.com/docs/api/oauth/#flow_code

• https://www.youtube.com/watch?v=tFYrq3d54Dc

Thank You