oauth 2 presentation
TRANSCRIPT
OAuth 2
Mohamed Ahmed Abdullah
Google Calendar Dilemma
Mohamed
Secret 123
Import Contact
ESPN
What is the Solution?
X
Clients, Scopes, Authorization Server
In Reality (Mobile)
In Reality (website)
The Implicit Flow
Identity Server | Resources Host | Client (Desktop or Mobile)
Resource Owner
Pressing the Login Button
Client Id and Redirection URI
Client X wants to access A, B and C (Scopes)
OK
Access Token
Get, Using Bearer Access Token
Is this Token Legitimate
Yes
Here are the Resources
The Implicit Flow
https://identityserver.sudatel.sd/identityServer/identity/connect/consent?client_id=tripgalleryimplicit&redirect_uri=https%3A%2F%2Fidentityserver.sudatel.sd%2FIdentityServerClient%2Fcallback.html&response_type=token&scope=gallerymanagement
Login Redirection
Location: https://identityserver.sudatel.sd/IdentityServerClient/callback.html#access_token=eyJ0e…[900 chars]…NGg&token_type=Bearer&expires_in=20&scope=gallerymanagement
When authorization finishes, the Identity Server redirects the browser to this Location; the access token travels in the URL fragment (after the #), not in the query string.
Authorization Code
Identity Server | Resources Host | Client
Resource Owner | Server Side | Client Side (Browser)
Pressing the Login Button
Client Id and Redirection URI
Client X wants to access A, B and C (Scopes)
OK
Authorization Code
Authorization Code + Client Secret
Authorization Token + Refresh Token
Authorization Token as cookie
Get, Using Bearer Access Token
Is this Token Legitimate
Yes
Here are the Resources
The differences between Implicit Flow and Authorization Code
• Implicit is for untrusted clients (Mobile, Desktop, Angular); Authorization Code is for servers (Web Sites, APIs)
• Implicit access tokens expire fast
• The implicit flow makes no use of the client secret
• The implicit flow has no refresh token
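As an added example that is not part of the presentation, the following Python models the request and callback shown on the implicit-flow slides and the differences listed above: it builds the first request for either flow and validates the redirect that comes back, accepting the access token only from the URL fragment and the authorization code only from the query string. Endpoint, client_id and redirect_uri come from the slide's URL; the state values and the token string are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

# Endpoint, client_id and redirect_uri are taken from the slide's example request;
# the state values and token strings used with these functions are constructed.
AUTHORIZE_ENDPOINT = "https://identityserver.sudatel.sd/identityServer/identity/connect/consent"
CLIENT_ID = "tripgalleryimplicit"
REDIRECT_URI = "https://identityserver.sudatel.sd/IdentityServerClient/callback.html"


def build_authorize_url(flow, scope, state):
    """The 'Client Id and Redirection URI' step for either flow.

    'implicit' asks for response_type=token (access token returned in the #fragment);
    'code' asks for response_type=code (one-time code returned in the ?query).
    """
    response_type = {"implicit": "token", "code": "code"}[flow]
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": response_type, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(location, expected_state):
    """Validate the Location the identity server redirects to and extract the result.

    Returns {"access_token", "expires_in", "scope"} for the implicit flow,
    {"code"} for the authorization code flow, and raises ValueError otherwise.
    """
    got, registered = urlsplit(location), urlsplit(REDIRECT_URI)
    # Only accept the exact registered redirect_uri (scheme, host and path).
    if (got.scheme, got.netloc, got.path) != (registered.scheme, registered.netloc, registered.path):
        raise ValueError("redirect does not match the registered redirect_uri")
    fragment, query = dict(parse_qsl(got.fragment)), dict(parse_qsl(got.query))
    if "access_token" in query:
        # A bearer token in the query string would be sent to the server and end up in logs.
        raise ValueError("access_token must only be delivered in the fragment")
    if "access_token" in fragment:                      # implicit flow response
        if fragment.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type")
        if fragment.get("state") != expected_state:     # ties the response to our own request
            raise ValueError("state mismatch")
        return {"access_token": fragment["access_token"],
                "expires_in": int(fragment.get("expires_in", "0")),  # slide example: 20 seconds
                "scope": fragment.get("scope", "")}
    if "code" in query:                                 # authorization code flow response
        if query.get("state") != expected_state:
            raise ValueError("state mismatch")
        return {"code": query["code"]}   # exchanged server-side together with the client secret
    raise ValueError("no access_token fragment and no code query parameter")
```

Because the fragment never reaches the server, the implicit client must read the token in the browser, which is why the page notes that the token is short-lived and no client secret or refresh token is involved.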
Resource Owner Password Flow
• The client is highly trusted
• The app discards the password after getting the token
Client Credential Flow
• The client wants to access its own data, not the user's data
• Should be used only if you have a server; it can't be done from untrusted sources
What is bad about OAuth
• Interoperability: you can't write one piece of code that works for all providers; you have to discover the endpoints and log on to one of them
• In the implicit flow, the redirect URI should be something odd to prevent the browser from requesting it
When to Use OAuth
• Single Sign On
• Scalable solutions (many servers), because it is stateless authentication
• Content providers (Facebook, …)
• When you have three entities: your API, and one of your users who wants to access another user's data
• Best solution for authorization
Thanks To
Eran Hammer
References and Resources
• https://github.com/IdentityServer/IdentityServer3
• Getting Started with OAuth 2.0
• https://www.pluralsight.com/
Any Questions?
How to setup OAuth
1. http://oauth.net/2/ lists libraries for .NET, Java, PHP, Python, NodeJS, Ruby, ….
2. For .NET get it from https://github.com/IdentityServer/IdentityServer3
3. I recommend using a real certificate for your development; it will speed up the process
4. Change the constant project URIs to fit your URIs
5. Build the Identity Server and the Resources Host
6. Install Fiddler and Wireshark to help you debug your application
7. During development you can use in-memory users and clients, but then you have to set up the databases
8. Then you can start developing your APIs