O auth with facebook and google using .net
Download as PPTX, PDF2 likes666 views
This document discusses OAuth and how it allows third-party applications to access a user's resources like contacts or photos from services like Google or Facebook without sharing the user's passwords. It describes registering clients, the authorization code flow, and demonstrates OAuth with Google and Facebook using .NET. Key points are that OAuth is not about authentication but permission, and allows resources to be shared securely without giving passwords to third parties.
O auth with facebook and google using .net
- 1. OAuth with Facebook and Google Using .NET Sathyaish Chakravarthy, Independent Consultant
- 11. OAuth is not about authentication.
- 12. OAuth allows you to give a third-party application the permission to use some of your resources on a resource server without giving the third party your user name and password on the resource server. “ ”
- 17. ROLES & FLOWS
- 19. Authorization Code Flow from an End-User’s Perspective
- 20. Authorization Code Flow Under the Covers You Resource Owner Resource Server Client Authorization Server 2 1 4 5 3 Exchange auth code for access token
- 22. Authorization Code Flow Under the Covers You Resource Owner Client 2 1 GET client_id Who is making this request? scope What do they want to know about the user? response_type (reserved: code) What do they want from me just now? redirect_uri Where should I send them this stuff? state (optional but recommended) CSRF token 1 2and
- 23. ? Authorization Code Flow Under the Covers You Resource Owner Client 2 1 RESPONSE (302) code Authorization code error Location: client_redirect_uri?code=ljfvknfANB3454 Location: client_redirect_uri?error=access_denied Or 2 state (CSRF token) If you’d sent it
- 24. ? Authorization Code Flow Under the Covers You Resource Owner Client 2 1 GET code Authorization code error client_redirect_uri?code=ljfvknfANB3454 client_redirect_uri?error=access_denied Or 3 3
- 25. Authorization Code Flow Under the Covers Client Authorization Server4 Exchange auth code for access token GET or POST client_id Who is making this request? client_secret What’s the password I gave you earlier? Prove your identity. grant_type What’s this flow? Oh, you’re a web server, so this must be the “authorization code” flow. code Okay, show us the authorization code? state (optional but recommended) CSRF token 4
- 26. Authorization Code Flow Under the Covers Client Authorization Server4 Exchange auth code for access token RESPONSE (query string or request body) access_token state (optional but recommended) CSRF token 4
- 27. Authorization Code Flow Under the Covers Resource Server Client 5 GET OR POST Access_token As querystring or request body or basic authentication / bearer authentication (HTTP authorization header) 5
- 28. Authorization Code Flow Under the Covers You Resource Owner Resource Server Client Authorization Server 2 1 4 5 3 Exchange auth code for access token
- 29. Roles • You, the resource owner • Client, the server side web app • Resource server • Authorization Server
- 30. DEMO: GOOGLE OAUTH CLIENT (AUTHORIZATION CODE FLOW)
- 31. DEMO: FACEBOOK OAUTH CLIENT (AUTHORIZATION CODE FLOW)
- 32. Summary: What’s in it for me?
- 33. Summary: What’s in it for me? User Client
- 34. Summary: What’s in it for me?
- 35. Limitations of OAuth 2.0 • No discovery • Requires HTTPS • Open redirectors – RFC 6819 – OAuth 2.0 Thread Model and Security Considerations • Implementations differ widely
- 36. Further Reading • RFC 6749 – The OAuth 2.0 Authorization Framework http://tools.ietf.org/html/rfc6749 • Google https://developers.google.com/identity/protocols/O Auth2WebServer • Facebook (Facebook Login) - https://developers.facebook.com/docs/facebook- login/v2.3