OAuth is a mess!
88 likes12,002 views
The document discusses the complexities and inconsistencies of OAuth protocols, particularly OAuth 1.0 and OAuth 2.0, highlighting the number of calls required for authentication and the variations in documentation across different providers. It emphasizes the confusion regarding token responses, parameter names, and token management among various services. Additionally, it mentions the challenges developers face in navigating the disparate information and options available for OAuth integration.
OAuth is a mess!
- 1. OAuth is a mess OAuth.ioby
- 3. No nor will be shown in this presentation OAuth.io Sorry
- 4. "If you don't know what OAuth is!" check these slides first: OAuth.io Click here
- 5. OAuth 1.0 OAuth 2.0 FAKE TWINS? OAuth.io
- 6. OAuth 1.0 3 calls need to be made by the Client Call the OAuth server and ask for temporary credentials. ! Open a webpage dialog using those credentials, so the user can sign in and give access. ! Call the OAuth server again combining the temporary credentials with the temporary token to get the final access token. OAuth.io
- 7. OAuth 2.0 Only 2 calls Call the OAuth server!!!! Open a webpage dialog OAuth 1.0 has one more step THANKS Cpt. OBVIOUS OAuth.io
- 9. Because each documentation has its own "logic" MADNESS FINDING URIs IS A PAIN! OAuth.io
- 10. Some docs won't tell you if it's OAuth 1.0 or 2.0 WHY? UNNAMED OAuth.io
- 11. Need an example? They say it uses OAuth 2.0 Which is surprising as in a server to server flow, you expect the flow to be 3-legged. OAuth.io
- 12. Need an example? To do anything else than the server side flow you have to search for it! The steps are documented but only in the API reference Even the webpage dialog and the code exchange endpoints are described in different sections You will become that guy OAuth.io
- 14. XML? JSON? URL-ENCODED TEXT like Concur.com like Facebook like Google TOKEN RESPONSES DATA FORMATS COME ON! OAuth.io
- 15. PARAMETERS Parameters' names vary between providers access_token Facebook uses: When Google uses: oauth_token It's a trap! TOKEN RESPONSES OAuth.io
- 16. SEPARATORS So providers use: , How logical! ; | Separators should be spaces -> according to the RFC TOKEN RESPONSES OAuth.io
- 17. CARDINALITY DEGREE Kill them all Bill Read only, read and write for Disqus / Heroku... Read access for X, write access for X, read access for Y... for Others... Google scopes are URLs TOKEN RESPONSES OAuth.io
- 19. TOKEN MANAGEMENT TOKEN EXPIRY A wild variation between services Sometimes you can control it sometimes not Always in movement the expiry isOAuth.io
- 20. TOKEN MANAGEMENT EXPIRY: METHODS DIFFER Google adds a field ! to the authorization url that can be Others add options in the scope access_type online offlineor StackExchange: no_expiry Soundcloud: no-expiring Meetup.com: ageless OAuth.io
- 21. TOKEN MANAGEMENT REFRESH TOKEN The standard proposes a refresh token flow followed by few ! Facebook instead adds the grant type fb_exchange_token Github / Google ... Unleash the ChuckOAuth.io
- 22. OAuth.ioWith Integrate any of our 100+ OAuth providers in minutes the SAME WAY TAKE A LOOK OAuth Popup with facebook