Posted 16-Jul-2015

Page 1

OAuth Behind the Scenes

Tran Duc Thang, Framgia Vietnam

Page 2


• Tran Duc Thang

• 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project.

• 2011 ~ 2013: Keio University.

• 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.

Page 3


• Have you ever logged into a website using your Google or Facebook account?

• If yes, have you ever worried about handing that website your Google or Facebook account information?

• Have you ever thought about how the authentication works when you log in with a Google or Facebook account?

Page 4


1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the


Page 5

What is OAuth?

• OAuth stands for Open Authorization.

• Authentication vs Authorization? Authentication proves who the user is; authorization grants an application limited access to the user's resources. OAuth is an authorization protocol: "Log in with Google/Facebook" works because the provider returns profile data under an OAuth access token, but OAuth itself does not define how a user is authenticated.

• OAuth is "An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications."

Page 6


History

• OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation.

• The OAuth discussion group was created in April 2007 so that a small group of implementers could write the draft proposal for an open protocol.

• OAuth 1.0 was published as RFC 5849 in April 2010.

• OAuth 2.0 was published as RFC 6749 in October 2012.

Page 7

OAuth in the World

OAUTH 1.0 | OAUTH 2.0 (column headings of a figure that did not survive extraction)

Page 8

OAuth 2: How does it work?

• Resource Owner: the end user who owns the protected resources and can grant access to them.

• Authorization Server: issues access tokens to the client after authenticating the resource owner and obtaining their approval.

• Client: an application making protected resource requests on behalf of the resource owner.

• Resource Server: the server hosting the user's protected resources; it accepts requests that carry an access token.

• Instead of using the resource owner's credentials to access protected resources, the client obtains an access token, so the third-party application never sees the user's password.

• Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.

• The client uses the access token to access the protected resources hosted by the resource server.

Page 9

OAuth 2: How does it work ?

• OAuth 2 is a complete redesign of OAuth 1 and is not backwards compatible with the OAuth 1 spec.

• OAuth 2 itself has no message-level encryption or request signing (OAuth 1 signed every request); its tokens are plain bearer tokens, so confidentiality and integrity rely entirely on SSL/TLS. The client-generated 'state' parameter, sent in the authorization request and echoed back in the redirect, lets the client reject callbacks it did not initiate and so prevents CSRF.

• OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) to support different types of applications. (The implicit and password grants have since been deprecated by the OAuth 2.0 Security Best Current Practice; new applications should use the authorization code grant.)

Page 10

OAuth 2: How does it work?

OAuth 2 - Authorization Code Grant in detail
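The authorization code grant from Page 9 and this slide, walked through as an added example that is not part of the original deck: a simulated authorization/resource server and a simulated web client exchange the four messages of the grant in one process (authorization request, redirect with code and echoed state, back-channel code-for-token exchange authenticated by the client secret, and a bearer-token request to the resource server). The client id, secret, redirect URI, hostnames, user names and session ids are made-up assumptions; no real provider is contacted. The second scenario shows what the 'state' check is for: an attacker's callback URL delivered to a victim's browser is refused because its state is not the one bound to the victim's session.

```python
# Added example: OAuth 2 Authorization Code Grant, both sides simulated in one
# process. Registration values, hostnames and user names are assumptions.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "demo-client"                      # assumed registration values
CLIENT_SECRET = "s3cret-known-only-to-client"
REDIRECT_URI = "https://app.example.test/callback"


class AuthServer:
    """Authorization server and resource server rolled into one (simulated)."""

    def __init__(self):
        self.codes = {}    # code -> (user, expiry); single use
        self.tokens = {}   # access token -> user

    def authorize(self, auth_url, approving_user):
        """Front channel: the resource owner approves; redirect back with a code.
        The client's state value, if present, is echoed back untouched."""
        q = parse_qs(urlparse(auth_url).query)
        if q.get("response_type") != ["code"] or q.get("client_id") != [CLIENT_ID]:
            raise ValueError("invalid_request")
        if q.get("redirect_uri", [REDIRECT_URI]) != [REDIRECT_URI]:
            raise ValueError("redirect_uri mismatch")   # never redirect elsewhere
        code = secrets.token_urlsafe(24)
        self.codes[code] = (approving_user, time.time() + 60)
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"][0]
        return REDIRECT_URI + "?" + urlencode(params)

    def token(self, form):
        """Back channel (an HTTPS POST in reality): code + client secret -> bearer token."""
        if form.get("client_id") != CLIENT_ID or not hmac.compare_digest(
                form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)   # pop => a replayed code fails
        if entry is None or entry[1] < time.time() or form.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = entry[0]
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def resource(self, authorization_header):
        """Resource server: accepts a bearer token, never the user's password."""
        scheme, _, tok = authorization_header.partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            raise PermissionError("invalid_token")
        return {"email": self.tokens[tok] + "@example.test"}


class Client:
    """The third-party web app. It never sees the resource owner's credentials."""

    def __init__(self, server):
        self.server = server
        self.pending = {}   # browser session id -> state we issued for it

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)            # unguessable, per session
        self.pending[session_id] = state
        return "https://auth.example.test/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "email", "state": state})

    def callback(self, session_id, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        expected = self.pending.pop(session_id, None)
        got = q.get("state", [""])[0]
        if expected is None or not hmac.compare_digest(got, expected):
            # The code did not come from a flow this browser session started:
            # refuse it, otherwise the session could be logged into someone
            # else's account (login CSRF).
            raise PermissionError("state mismatch")
        tok = self.server.token({
            "grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        return self.server.resource("Bearer " + tok["access_token"])


def happy_path():
    """Alice logs in: returns the profile fetched with the access token."""
    server = AuthServer()
    client = Client(server)
    url = client.start_login("sess-alice")
    redirect = server.authorize(url, "alice")       # alice clicks "Allow"
    return client.callback("sess-alice", redirect)  # {'email': 'alice@example.test'}


def login_csrf_attempt():
    """Mallory obtains a code for her own account and feeds that callback URL
    to Alice's browser. Without state Alice would end up logged in as Mallory;
    with state the client refuses. Returns the error string."""
    server = AuthServer()
    client = Client(server)
    poisoned = server.authorize(client.start_login("sess-mallory"), "mallory")
    client.start_login("sess-alice")                # alice has her own pending state
    try:
        client.callback("sess-alice", poisoned)
    except PermissionError as err:
        return str(err)                             # 'state mismatch'
    return "accepted"


if __name__ == "__main__":
    print(happy_path())
    print(login_csrf_attempt())
```

In a real deployment the pending state lives in the user's session (a cookie-backed server session or an HttpOnly cookie), the token request is an HTTPS POST to the provider's token endpoint, and the authorization server and resource server are usually separate services; the in-memory `AuthServer` collapses them only so the exchange can be run offline. The single-use code (`pop` in `token`) and the redirect URI re-check are part of RFC 6749 as well, not extras.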

Page 12

References

• RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)

• RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)

• OAuth Community Site (http://oauth.net/)

• OAuth on Wikipedia (http://en.wikipedia.org/wiki/OAuth)

• OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)

• OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)

Page 13

Thank you for listening!