SlideShare a Scribd company logo

Introduction to OAuth 2.0 - Part 1

N
Nabeel Yoosuf

The document discusses the risks associated with storing usernames and passwords for accessing Facebook walls through a Twitter app, highlighting this as a 'password anti-pattern.' It proposes using OAuth, a delegated authorization protocol, which allows users to give write access without sharing their credentials. This method enhances security and user trust while providing a structured way for applications to access user data safely.

Technology
1 of 18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
@nabeelxy 10/26/2014
Wouldn’t it be cool when I tweet, it automatically gets posted in my FB wall? Tweet Bob Twitter App Automatically post in Bob’s FB wall
How does the Twitter App writes in Bob’s FB wall? I mean how does it get write access to Bob’s FB wall? Tom, Twitter App Manager Jim, Twitter App Dev Let’s store Bob’s FB username and password in his Twitter App account. Then the app can login and post in his FB wall. The problem solved!
It works. But it is not a good idea to store username and password as it involves a lot of risks. Besides, Bob won’t like to give his username/password to our app considering the fact that it take a while for users to trust our app. Jill, App Dev I totally agree. This is actually called Password Anti-Pattern! At all cost, we should avoid it. Sam, App Dev
We get more access than we want with username/password as well. Users will not like it. Further, this is bad from the point of view of liability when things go wrong. Sam, App Dev Further, if users change their FB password, it breaks our app. If users want to stop cross posting in FB, they will always have to come to our app or change their FB password.
Alright, asking for username and password is not good for Bob as well as us. So, what can we do about it? Tom, Twitter App Manager Basically the problem is that we need a way for our users to give us write authorization to their FB walls?
Ali, App Dev I was thinking that this problem is strikingly similar to the valet parking situation. I want to get my new car valet parked but I am at the same time hesitant to give my car key to them. The car industry came with this idea of valet keys that has limited capabilities. For example, that valet key allows to drive a car only a short distance and most of the add-on functions in the car are disabled for that special key. So, now I can give my valet key (instead of the original key) to valet park without worrying too much about it.
So, this sounds like a valet key would map to a short-lived token just like those in Kerberos protocol, even though Kerberos is for authentication? Jim, Twitter App Dev Yes, indeed. There is in fact a token based delegated authorization mechanism called OAuth. Good news is that FB is actually supporting OAuth for such access. Sam, App Dev
OAuth sounds great. Sam, could you give us some details of it? Tom, Twitter App Manager Sam, App Dev Sure.
 Password Anti-Pattern  Give resource owner’s username and password to client in order to access the resource server on behalf of the resource owner  Dangers of using this pattern  Expanded access and risk (exposure of username/password to third-party client)  Limited reliability when passwords are changed  Revocation challenges  First Solutions  Google’s AuthSub  Yahoo’s BBAuth
 A delegated authorization protocol  Provides the ability for these applications to access a user’s data securely, without requiring the user to take the scary step of handing over an account password  Introduced in 2007  Increased developer experience and increased confidence in security due to a common protocol for handling API authorization
 Not backward compatible with OAuth 1.0  New flows  Signatures are replaced by HTTPS (bearer tokens)  Simplified signatures  Short-lived tokens  Separation of roles for authorization server and resource server
 Resource server  The server that hosts user owned resources protected by OAuth  An API provider such as Google, Facebook, etc.  Resource owner  An application user  Has the ability to grant access to their own data hosted on a resource server  Client  An application making API calls to perform certain action on protected resources on behalf of the resource owner with resource owner’s authorization  Authentication server  Often, it is same as the resource server
Tweet Bob Twitter App Automatically post in Bob’s FB wall CLIENT RESOURCE SERVER RESOURCE OWNER AUTHORIZATION SERVER
 Server-side web application  Client side web application running in the web browser  Native application
 Authorization code  For apps with backend servers  Implicit grant for browser based client side applications (no backend server)  Resource owner password based grants  Only for very trusted applications (usually for first-party applications only)  Client credentials  For application access (i.e. client is an application)
 Authorization flow sequence diagrams  Implementing authorization code flow  OAuth for mobile applications
 Getting Started with OAuth 2.0

More Related Content

PDF
Introduction to OAuth 2.0 - Part 1
Nabeel Yoosuf
 
PDF
Introduction to OAuth 2.0 - Part 2
Nabeel Yoosuf
 
ODP
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Nathan Yergler
 
PPT
External Data Access with jQuery
Doncho Minkov
 
PDF
Bot Framework with Xamarin Forms
Cheah Eng Soon
 
PDF
What is REST API? REST API Concepts and Examples | Edureka
Edureka!
 
PPTX
DirectLineAPI - Xamarin.Forms App and Bot Framework Integration
Bryan Anthony Garcia
 
PPTX
Introduction to OAuth 2.0 - the technology you need but never really learned
Mikkel Flindt Heisterberg
 
Introduction to OAuth 2.0 - Part 1
Nabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 2
Nabeel Yoosuf
 
Technology / Open Source @ Creative Commons (CC Salon SF, August 2009)
Nathan Yergler
 
External Data Access with jQuery
Doncho Minkov
 
Bot Framework with Xamarin Forms
Cheah Eng Soon
 
What is REST API? REST API Concepts and Examples | Edureka
Edureka!
 
DirectLineAPI - Xamarin.Forms App and Bot Framework Integration
Bryan Anthony Garcia
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Mikkel Flindt Heisterberg
 

What's hot (20)

PDF
OAuth big picture
Min Li
 
KEY
OAuth using PHP5
Nurulazrad Murad
 
PDF
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
PPTX
Introduction to OAuth
Mikkel Flindt Heisterberg
 
PPT
Oauth2.0
Yasmine Gaber
 
PPTX
Integrating External APIs with WordPress
Marty Thornley
 
PDF
Integrating WordPress With Web APIs
randyhoyt
 
PPTX
Day03 api
ABDEL RAHMAN KARIM
 
PPTX
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
PDF
A How-to Guide to OAuth & API Security
CA API Management
 
PPTX
The State of OAuth2
Aaron Parecki
 
ODP
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
PPTX
Being A Salesforce Jedi
Bohdan Dovhań
 
PDF
Implementing OAuth with PHP
Lorna Mitchell
 
PDF
OAuth2 and LinkedIn
Kamyar Mohager
 
PDF
Social Connections VI Prague - An introduction to ibm connections as an appde...
Mikkel Flindt Heisterberg
 
KEY
LinkedIn OAuth: Zero To Hero
Taylor Singletary
 
PPTX
Nom Nom: Consuming REST APIs
Tessa Mero
 
PDF
A 4 line login - line platform
LINE Corporation
 
PPTX
Consuming & embedding external content in WordPress
Akshay Raje
 
OAuth big picture
Min Li
 
OAuth using PHP5
Nurulazrad Murad
 
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
Introduction to OAuth
Mikkel Flindt Heisterberg
 
Oauth2.0
Yasmine Gaber
 
Integrating External APIs with WordPress
Marty Thornley
 
Integrating WordPress With Web APIs
randyhoyt
 
Day03 api
ABDEL RAHMAN KARIM
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki
 
A How-to Guide to OAuth & API Security
CA API Management
 
The State of OAuth2
Aaron Parecki
 
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
Being A Salesforce Jedi
Bohdan Dovhań
 
Implementing OAuth with PHP
Lorna Mitchell
 
OAuth2 and LinkedIn
Kamyar Mohager
 
Social Connections VI Prague - An introduction to ibm connections as an appde...
Mikkel Flindt Heisterberg
 
LinkedIn OAuth: Zero To Hero
Taylor Singletary
 
Nom Nom: Consuming REST APIs
Tessa Mero
 
A 4 line login - line platform
LINE Corporation
 
Consuming & embedding external content in WordPress
Akshay Raje
 
Ad

Viewers also liked (20)

PPT
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
 
KEY
OAuth Introduction
h_marvin
 
ZIP
OAuth
Blaine
 
PDF
Monage.io identity presentation 3.22.17 v3
Michael Queralt
 
PPTX
Securing the modern data centre
Infront
 
PPTX
Securing IaaS Applications
Bitglass
 
PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PPTX
Deep Dive DMG (september update)
Jean-Pierre Riehl
 
PPTX
Authorization for Internet of Things using OAuth 2.0
Hannes Tschofenig
 
PDF
'Embedding' a meta state machine
emBO_Conference
 
PDF
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
ForgeRock
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
PDF
NFV SDN for carriers
Marie-Paule Odini
 
PPTX
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
Morgan Simonsen
 
PDF
Java secure development part 1
Rafel Ivgi
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PPT
Introduction to Tokenization
Nabeel Yoosuf
 
PDF
OAuth - Open API Authentication
leahculver
 
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
 
OAuth Introduction
h_marvin
 
OAuth
Blaine
 
Monage.io identity presentation 3.22.17 v3
Michael Queralt
 
Securing the modern data centre
Infront
 
Securing IaaS Applications
Bitglass
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Deep Dive DMG (september update)
Jean-Pierre Riehl
 
Authorization for Internet of Things using OAuth 2.0
Hannes Tschofenig
 
'Embedding' a meta state machine
emBO_Conference
 
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
ForgeRock
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
NFV SDN for carriers
Marie-Paule Odini
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
Morgan Simonsen
 
Java secure development part 1
Rafel Ivgi
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Introduction to Tokenization
Nabeel Yoosuf
 
OAuth - Open API Authentication
leahculver
 
Ad

Similar to Introduction to OAuth 2.0 - Part 1 (20)

PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
1000 ways to die in mobile oauth
Priyanka Aash
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
KEY
OAuth Android Göteborg
danieloskarsson
 
PPTX
OAuth
Adi Challa
 
PPTX
OAuth
Tom Elrod
 
PPTX
OAuth 2.0
Mihir Shah
 
PDF
OAuth and why you should use it
Sergey Podgornyy
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
Saadhvi Summit - oAuth Standards
Nirmal Kumar
 
PDF
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal
 
PPTX
Api security
teodorcotruta
 
PDF
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
PPTX
O auth 2.0 authorization framework
John Temoty Roca
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
PDF
OAuth 1.0
Nov Matake
 
PDF
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PDF
The Current State of OAuth 2
Aaron Parecki
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
1000 ways to die in mobile oauth
Priyanka Aash
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
OAuth Android Göteborg
danieloskarsson
 
OAuth
Adi Challa
 
OAuth
Tom Elrod
 
OAuth 2.0
Mihir Shah
 
OAuth and why you should use it
Sergey Podgornyy
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
An Introduction to OAuth2
Aaron Parecki
 
OAuth2 + API Security
Amila Paranawithana
 
Saadhvi Summit - oAuth Standards
Nirmal Kumar
 
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal
 
Api security
teodorcotruta
 
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
O auth 2.0 authorization framework
John Temoty Roca
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
OAuth 1.0
Nov Matake
 
Securing APIs with OAuth 2.0
Kai Hofstetter
 
The Current State of OAuth 2
Aaron Parecki
 

More from Nabeel Yoosuf (8)

PDF
Building RESTful Applications
Nabeel Yoosuf
 
PPT
API Façade Pattern
Nabeel Yoosuf
 
PDF
Privacy Preserving Access Control for Third Party Data Management Systems
Nabeel Yoosuf
 
PDF
Efficient privacy preserving publish subscribe systems
Nabeel Yoosuf
 
PDF
Access Control: Principles and Practice
Nabeel Yoosuf
 
PDF
Efficient Filtering in Pub-Sub Systems using BDD
Nabeel Yoosuf
 
PDF
Pub-Sub Systems and Confidentiality/Privacy
Nabeel Yoosuf
 
PDF
A Structure Preserving Approach for Securing XML Documents
Nabeel Yoosuf
 
Building RESTful Applications
Nabeel Yoosuf
 
API Façade Pattern
Nabeel Yoosuf
 
Privacy Preserving Access Control for Third Party Data Management Systems
Nabeel Yoosuf
 
Efficient privacy preserving publish subscribe systems
Nabeel Yoosuf
 
Access Control: Principles and Practice
Nabeel Yoosuf
 
Efficient Filtering in Pub-Sub Systems using BDD
Nabeel Yoosuf
 
Pub-Sub Systems and Confidentiality/Privacy
Nabeel Yoosuf
 
A Structure Preserving Approach for Securing XML Documents
Nabeel Yoosuf
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 

Introduction to OAuth 2.0 - Part 1

  • 2. Wouldn’t it be cool when I tweet, it automatically gets posted in my FB wall? Tweet Bob Twitter App Automatically post in Bob’s FB wall
  • 3. How does the Twitter App writes in Bob’s FB wall? I mean how does it get write access to Bob’s FB wall? Tom, Twitter App Manager Jim, Twitter App Dev Let’s store Bob’s FB username and password in his Twitter App account. Then the app can login and post in his FB wall. The problem solved!
  • 4. It works. But it is not a good idea to store username and password as it involves a lot of risks. Besides, Bob won’t like to give his username/password to our app considering the fact that it take a while for users to trust our app. Jill, App Dev I totally agree. This is actually called Password Anti-Pattern! At all cost, we should avoid it. Sam, App Dev
  • 5. We get more access than we want with username/password as well. Users will not like it. Further, this is bad from the point of view of liability when things go wrong. Sam, App Dev Further, if users change their FB password, it breaks our app. If users want to stop cross posting in FB, they will always have to come to our app or change their FB password.
  • 6. Alright, asking for username and password is not good for Bob as well as us. So, what can we do about it? Tom, Twitter App Manager Basically the problem is that we need a way for our users to give us write authorization to their FB walls?
  • 7. Ali, App Dev I was thinking that this problem is strikingly similar to the valet parking situation. I want to get my new car valet parked but I am at the same time hesitant to give my car key to them. The car industry came with this idea of valet keys that has limited capabilities. For example, that valet key allows to drive a car only a short distance and most of the add-on functions in the car are disabled for that special key. So, now I can give my valet key (instead of the original key) to valet park without worrying too much about it.
  • 8. So, this sounds like a valet key would map to a short-lived token just like those in Kerberos protocol, even though Kerberos is for authentication? Jim, Twitter App Dev Yes, indeed. There is in fact a token based delegated authorization mechanism called OAuth. Good news is that FB is actually supporting OAuth for such access. Sam, App Dev
  • 9. OAuth sounds great. Sam, could you give us some details of it? Tom, Twitter App Manager Sam, App Dev Sure.
  • 10.  Password Anti-Pattern  Give resource owner’s username and password to client in order to access the resource server on behalf of the resource owner  Dangers of using this pattern  Expanded access and risk (exposure of username/password to third-party client)  Limited reliability when passwords are changed  Revocation challenges  First Solutions  Google’s AuthSub  Yahoo’s BBAuth
  • 11.  A delegated authorization protocol  Provides the ability for these applications to access a user’s data securely, without requiring the user to take the scary step of handing over an account password  Introduced in 2007  Increased developer experience and increased confidence in security due to a common protocol for handling API authorization
  • 12.  Not backward compatible with OAuth 1.0  New flows  Signatures are replaced by HTTPS (bearer tokens)  Simplified signatures  Short-lived tokens  Separation of roles for authorization server and resource server
  • 13.  Resource server  The server that hosts user owned resources protected by OAuth  An API provider such as Google, Facebook, etc.  Resource owner  An application user  Has the ability to grant access to their own data hosted on a resource server  Client  An application making API calls to perform certain action on protected resources on behalf of the resource owner with resource owner’s authorization  Authentication server  Often, it is same as the resource server
  • 14. Tweet Bob Twitter App Automatically post in Bob’s FB wall CLIENT RESOURCE SERVER RESOURCE OWNER AUTHORIZATION SERVER
  • 15.  Server-side web application  Client side web application running in the web browser  Native application
  • 16.  Authorization code  For apps with backend servers  Implicit grant for browser based client side applications (no backend server)  Resource owner password based grants  Only for very trusted applications (usually for first-party applications only)  Client credentials  For application access (i.e. client is an application)
  • 17.  Authorization flow sequence diagrams  Implementing authorization code flow  OAuth for mobile applications
  • 18.  Getting Started with OAuth 2.0

Editor's Notes

  • #13: http://hueniverse.com/2010/05/15/introducing-oauth-2-0/ When OAuth 1.0 was developed in 2007, it was decided that cryptographic signatures were necessary to support the security of APIs. At the time, many top API providers hosted their APIs at vanilla HTTP endpoints, without SSL/TLS protection. Over the years, SSL/TLS became a more common way of protecting APIs and the need for signatures decreased in the eyes of some members of the security community. In Oauth 2.0 - transition: Signature  HTTPS Combining the perception of low API adoption due to the complexity of cryptography in OAuth 1.0 and the greater prevalence of SSL/TLS support for APIs led to the development of the OAuth Web Resource Authorization Profiles (WRAP) specification. OAuth WRAP is the predecessor to OAuth 2.0—it eliminated the complex signature requirements and introduced the use of bearer tokens.