SlideShare a Scribd company logo

Demystifying OAuth 2.0

Yury Roa, profile picture
Yury Roa

OAuth is a protocol that allows clients limited access to protected resources on behalf of a resource owner through delegated authorization. It addresses issues with directly sharing user credentials by using tokens issued by an authorization server to represent temporary and limited authorization to access a resource on behalf of a resource owner. The key components in OAuth are the resource owner, client, authorization server, and protected resource. OAuth uses grant types like authorization code, implicit, client credentials, and resource owner password credentials to obtain access tokens from the authorization server to access protected resources.

Technology
1 of 49
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Demystifying OAuth 2
Nice to meet you Software Engineer @Colpatria Scotiabank Making things happen! Loves reading, programming and teaching. @yurynino @yurynino @yurynino yury.nino.roa
Agenda ● Why OAuth? ● What is OAuth? ● How to OAuth works? ● OAuth Grant Types
What is the problem? You have DIFFERENT accounts for LinkedIn and Google. LinkedIn wants to add your Google contacts to your LinkedIn profile.
The bad old days: credential sharing
Think in this …. Taken from Oauth 2.0 in Action
It was bad because ... ● Same credentials at the client and the protected resource are required. ● It exposed the user’s password to the client application. Taken from Oauth 2.0 in Action
What if we were able to have this kind of limited credential, issued separately for each client and each user combination, to be used at a protected resource?
OAuth is a protocol designed to do exactly that: Delegating.
Taken from Oauth 2.0 in Action What is the new with OAuth?
Demystifying OAuth 2.0
A client is a piece of software that attempts to access the protected resource on behalf of the resource owner. Taken from Oauth 2.0 in Action
An Access Token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. Taken from Oauth 2.0 in Action
A protected resource is available through an HTTP server and it requires an OAuth token to be accessed. Taken from Oauth 2.0 in Action
A resource owner is the entity that has the authority to delegate access to the client. It isn’t a piece of software. Taken from Oauth 2.0 in Action
An authorization server is an HTTP server that provides mechanisms for allowing resource owners to authorize clients, and issues tokens to the clients. Taken from Oauth 2.0 in Action
Tokens, scopes, and authorization grants An access token, sometimes known as just a token is an artifact issued by the authorization server to a client that indicates the rights that the client has been delegated. OAuth a token represents the combination of the client’s requested access, the resource owner that authorized the client, and the rights conferred during that authorization. A scope is a representation of a set of rights at a protected resource. They are a mechanism for limiting the access granted to a client.
Are you paying attention? 1. Which components are no software? 2. Which components should know the token content?
OAuth Dancing
Step 1
Response from the Client Redirect is a GET
Step 2
Step 3
Step 5
Step 4
Demystifying OAuth 2.0
Demystifying OAuth 2.0
Step 6
Step 7
What is the new with OAuth?
Demystifying OAuth 2.0
Are you paying attention? 1. How does Resource Owner authenticate before Authorization Server grant the access to the Resource? 2. How do you think a granted authorization is removed?
RFC 5849 https://tools.ietf.org/html/rfc5849
RFC 6749 https://tools.ietf.org/html/rfc6749
OAuth 2.0 is a delegation protocol, letting someone, who controls a resource, allow a software application to access that resource on their behalf. Taken from Oauth 2.0 in Action
Real-life examples of OAuth 2.0 in action ● StackOverflow allowing you to log in with your Google account. ● Posting a status update from your phone using the Facebook app. ● LinkedIn suggesting contacts for you to add by looking at your Google contacts.
Fundamental to the power of OAuth 2.0 is the notion of delegation. Although OAuth 2.0 is often called an authorization protocol (and this is the name given to it in the RFC which defines it), it is a delegation protocol.
How to get an access token … Grant Types
Authorization Code
Implicit Grant Type Taken from Oauth 2.0 in Action
Implicit Grant Type
Client credentials Taken from Oauth 2.0 in Action
Client credentials
Resource owner credentials Taken from Oauth 2.0 in Action
Resource owner credentials
Assertion grant types Taken from Oauth 2.0 in Action
Choosing the appropriate grant type
OAuth 2.0 the good, the bad, and the ugly
Demystifying OAuth 2.0

More Related Content

PDF
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
PDF
Introduction to OAuth2.0
Oracle Corporation
 
DOCX
6.designing secure and efficient biometric based secure access mechanism for ...
Venkat Projects
 
PPTX
OAuth2 Presentaion
Bhargav Surimenu
 
PDF
OAuth2 primer
Manish Pandit
 
PDF
Auth experience - vol 1.0
Haggai Philip Zagury
 
PPT
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Introduction to OAuth2.0
Oracle Corporation
 
6.designing secure and efficient biometric based secure access mechanism for ...
Venkat Projects
 
OAuth2 Presentaion
Bhargav Surimenu
 
OAuth2 primer
Manish Pandit
 
Auth experience - vol 1.0
Haggai Philip Zagury
 
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 

What's hot (20)

PDF
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
PDF
OpenID Connect vs. OpenID 1 & 2
Mike Schwartz
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
DOC
Certification authority
proser tech
 
PPTX
OpenID Connect 1.0 Explained
Eugene Siow
 
PDF
OpenID and OAuth
Andrea Chiodoni
 
PPTX
OAuth2 & OpenID Connect
Marcin Wolnik
 
PPT
Grid security
josephineusha
 
PDF
OAuth Base Camp
Oliver Pfaff
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PDF
iaetsd Robots in oil and gas refineries
Iaetsd Iaetsd
 
PDF
Spring security oauth2
axykim00
 
PDF
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
PDF
1000 ways to die in mobile oauth
Priyanka Aash
 
PPT
Google Apps Secure Data Connector
Guus Disselkoen
 
PDF
OAuth 2.0 and OpenID Connect
Jacob Combs
 
PDF
Basic security concepts essential for all architects
Debasis Chakraborty
 
PPT
Openid & Oauth: An Introduction
Steve Ivy
 
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
OpenID Connect vs. OpenID 1 & 2
Mike Schwartz
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Certification authority
proser tech
 
OpenID Connect 1.0 Explained
Eugene Siow
 
OpenID and OAuth
Andrea Chiodoni
 
OAuth2 & OpenID Connect
Marcin Wolnik
 
Grid security
josephineusha
 
OAuth Base Camp
Oliver Pfaff
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
iaetsd Robots in oil and gas refineries
Iaetsd Iaetsd
 
Spring security oauth2
axykim00
 
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
1000 ways to die in mobile oauth
Priyanka Aash
 
Google Apps Secure Data Connector
Guus Disselkoen
 
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Basic security concepts essential for all architects
Debasis Chakraborty
 
Openid & Oauth: An Introduction
Steve Ivy
 
Ad

Similar to Demystifying OAuth 2.0 (20)

PDF
A technical insight into the concepts and terminologies behind oauth – an ope...
eSAT Journals
 
PPTX
OAuth2 Introduction
Arpit Suthar
 
PPT
Oauth2.0
Yasmine Gaber
 
PPTX
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PPTX
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
PPTX
OAuth with Salesforce - Demystified
Calvin Noronha
 
PPTX
OAuth 2 Spring Boot 3 Integration Presentation
Knoldus Inc.
 
PDF
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
PPTX
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
PDF
Oauth2.0 tutorial
HarikaReddy115
 
PDF
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
ijtsrd
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
PPTX
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
PPTX
Id fiware upm-dit
Joaquín Salvachúa
 
PPTX
OAuth
Tom Elrod
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
PPT
Oauth
Aakanksha Bhardwaj
 
A technical insight into the concepts and terminologies behind oauth – an ope...
eSAT Journals
 
OAuth2 Introduction
Arpit Suthar
 
Oauth2.0
Yasmine Gaber
 
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
OAuth2 - Introduction
Knoldus Inc.
 
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
OAuth with Salesforce - Demystified
Calvin Noronha
 
OAuth 2 Spring Boot 3 Integration Presentation
Knoldus Inc.
 
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Oauth2.0 tutorial
HarikaReddy115
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
ijtsrd
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
Id fiware upm-dit
Joaquín Salvachúa
 
OAuth
Tom Elrod
 
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Oauth
Aakanksha Bhardwaj
 
Ad

Recently uploaded (20)

PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
A Presentation on Artificial Intelligence
memembruh336
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Teaching material agriculture food technology
LiaRayya
 
Approach and Philosophy of On baking technology
30anthuong17
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

Demystifying OAuth 2.0