
OAuth Behind the scenes
Tran Duc Thang Framgia Vietnam

Preface
• Tran Duc Thang
• 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project.
• 2011 ~ 2013: Keio University.
• 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.

Preface
• Have you ever logged into a website using your Google or Facebook account?
• If yes, have you ever been afraid of losing your Google or Facebook account information?
• Have you ever thought about how authentication works when you log in using a Google or Facebook account?

Contents
1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the scenes

What is OAuth
• OAuth stands for Open Authorization.
• Authentication vs Authorization? Authentication proves who the user is; authorization grants an application limited access to the user's resources. OAuth is an authorization protocol: the third-party site gets a token scoped to what the user approved, not the user's Google or Facebook password.
• OAuth is "An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications."

History
• OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation.
• The OAuth discussion group was created in April 2007 so that the small group of implementers could write the draft proposal for an open protocol.
• OAuth 1.0 was published as RFC 5849 in April 2010.
• OAuth 2.0 was published as RFC 6749 in October 2012.

OAuth in the World
(logos of services using OAuth 1.0 and OAuth 2.0)

OAuth 2: How does it work ?
• Resource Owner: the end user, who owns the protected resources and grants access to them.
• Authorization Server: the server where the user authenticates and approves the request, and which issues access tokens.
• Client: an application making protected resource requests on behalf of the resource owner.
• Resource Server: the server hosting the user's protected resources, which accepts access tokens.
• Instead of using the resource owner's credentials to access protected resources, the client obtains an access token.
• Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.
• The client uses the access token to access the protected resources hosted by the resource server.

OAuth 2: How does it work ?
• OAuth 2 is completely different from OAuth 1 and is not backwards compatible with the OAuth 1 spec.
• OAuth 2 itself has no encryption and no request signing (OAuth 1 signed every request): access tokens are plain bearer tokens, so the confidentiality and integrity of every request rest entirely on SSL/TLS. The 'state' parameter, an unguessable value the client ties to the user's session and checks when the browser is redirected back, is what prevents CSRF against the client's redirect endpoint.
• OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) to support different types of applications.

OAuth 2: How does it work ?
OAuth 2 - Authorization Code Grant in details
(sequence diagram of the authorization code grant)
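The authorization code grant as a runnable walk-through, added here as an illustration; it is not code from the talk, nor from Google's or Facebook's OAuth implementations. All three parties live in one process with in-memory stores, and the endpoint URLs, client id, client secret, user name and scope are constructed for the demo. It shows the points the slides make: the client never handles the user's password, the code is exchanged on the back channel with the client secret and can be used only once, the 'state' value binds the redirect back to the browser session (a forged callback is rejected), and the resource server accepts nothing but a bearer token with the approved scope. Because the token is a bearer token, every one of these requests must travel over TLS in a real deployment.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the demo; in production each party is a separate host.
AUTHZ_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "https://client.example/callback"
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"


class AuthorizationServer:
    """Issues single-use codes and bearer tokens with the resource owner's approval."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}   # code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}  # access_token -> (client_id, user, scope)

    def authorize(self, query, user):
        """Front channel: the user has logged in here and consented; build the redirect."""
        client = self.clients.get(query["client_id"])
        if client is None or query["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (query["client_id"], query["redirect_uri"], user, query["scope"])
        # 'state' is echoed back untouched so the client can bind this response to its session
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: authenticate the client, then swap the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[2], entry[3])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


class ResourceServer:
    """Serves the user's data to whoever presents a valid bearer token with the right scope."""

    def __init__(self, auth_server):
        self.auth = auth_server  # direct lookup stands in for token introspection

    def profile(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth.tokens.get(token) if scheme == "Bearer" else None
        if info is None:
            raise PermissionError("invalid_token")
        _client_id, user, scope = info
        if "profile" not in scope.split():
            raise PermissionError("insufficient_scope")
        return {"user": user}


class Client:
    """The third-party web app; it never sees the user's password at the provider."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}  # browser session id -> pending 'state' value

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)  # unguessable and tied to this browser session
        self.sessions[session_id] = state
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "profile", "state": state})

    def callback(self, session_id, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        expected = self.sessions.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, q.get("state", [""])[0]):
            raise ValueError("state mismatch: response not bound to this session (CSRF?)")
        resp = self.auth.token(CLIENT_ID, CLIENT_SECRET, q["code"][0], REDIRECT_URI)
        return resp["access_token"]


def run_flow(user="alice", session_id="sess-1"):
    """Walk one login end to end; return the profile plus the parties for further checks."""
    auth = AuthorizationServer()
    resource_server, client = ResourceServer(auth), Client(auth)
    authz_url = client.start_login(session_id)              # 1. browser is sent to the provider
    query = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
    redirect = auth.authorize(query, user)                  # 2-3. user consents, code issued
    token = client.callback(session_id, redirect)           # 4-5. state checked, code -> token
    profile = resource_server.profile("Bearer " + token)    # 6. token presented to resource server
    return profile, auth, client, redirect


if __name__ == "__main__":
    print(run_flow()[0])
```

The two checks worth trying against this model are the ones the slides single out: replay the `code` from the redirect URL at `AuthorizationServer.token` a second time (it has been popped, so the server answers `invalid_grant`), and feed `Client.callback` a redirect whose `state` was not issued for that session (rejected before any token exchange happens).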

OAuth 2 Demo
• The Web Server Flow demo (authorization code grant type) with the Google OAuth 2.0 Playground
• Demo: Google OAuth 2.0
• Demo: Facebook OAuth 2.0

References
• RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)
• RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)
• OAuth Community Site (http://oauth.net/)
• OAuth on Wikipedia (http://en.wikipedia.org/wiki/OAuth)
• OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)
• OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)

Thank you for listening!