SlideShare a Scribd company logo

Securing RESTful APIs using OAuth 2 and OpenID Connect

Download as PPTX, PDF
Jonathan LeBlanc, profile picture
Jonathan LeBlanc

The document discusses securing RESTful APIs using OAuth 2 and OpenID Connect, highlighting the importance of authentication and authorization mechanisms for user data protection. It covers practical implementation details for fetching and using access tokens, along with various authorization flows and considerations for integrating these security standards without alienating developers. Additionally, it emphasizes the flexibility of REST and OAuth as specifications and provides resource links for further exploration.

Technology
1 of 40
Downloaded 1,435 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America
What We’re Covering Auth History and REST Concepts Adding in an Auth Mechanism Integration in Practice (server + client side integrations)
What We Want
The Ultimate Decision Security Usability
Path to the Standard
The Insecure, Unmanageable Start
Very Secure, Long to Implement
Two Currently Widely Used Specs
REST Architecture
What a RESTful API isn’t Our API is RESTful, we support GET, PUT, POST, and DELETE requests No…actually you just support HTTP…like the rest of the web.
What a RESTful API is Honor HTTP request verbs Use proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header
Does Anyone Actually Do That? Very few APIs follow pragmatic REST principles
HATEOAS
"links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]
Adding Auth Mechanisms
Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
When You Need Access Security
A Few Different Flavors of Usage User login (authentication) Application only (bearer tokens) User Involvement (authorization)
Practical Implementation
Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret HTTP POST Access Token Endpoint
Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_KS1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
A few implementation differences Endpoints Scopes (dynamic / static) Using the Access Token in a request
OAuth 2 & JavaScript?
The Complexities of JavaScript The same-origin policy Keeping private keys private Not having to provide a hacked experience
The Ways we Made it Work Server-side proxy Flash / iframe proxy Private token storage mechanism
User Agent Flow: Redirect Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
User Agent Flow: Redirect Building the redirect link var auth_uri = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);
User Agent Flow: Hash Mod Fetch the Hash Mod access_token refresh_token expires_in Extract Access Token
User Agent Flow: Hash Mod http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash = document.location.hash; var match = hash.match(/access_token=(w+)/); Extracting the access token from the hash
User Agent Flow: Get Resources Set Request Headers + URI Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request
User Agent Flow: Get Resources $.ajax({ url: resource_uri, beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } }); Making an authorized request
Using the Skeleton Key
How it’s Normally Used Access user details Push data through user social streams
But why? Access token as a control structure Improve Existing Products Our showcase: Seamless Checkout
The Last Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
A Few Code Links OAuth2 & OpenID Connect Samples https://github.com/jcleblanc/oauth https://github.com/paypal/paypal-access Log in with PayPal http://bit.ly/loginwithpaypal
Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America

More Related Content

PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PDF
OAuth - Open API Authentication
leahculver
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
PDF
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Single-Page-Application & REST security
Igor Bossenko
 
OAuth - Open API Authentication
leahculver
 
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
Uwe Friedrichsen
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 

What's hot (20)

PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PPTX
Rest API Security
Stormpath
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
OAuth2 and Spring Security
Orest Ivasiv
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PPTX
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
JWT Authentication with AngularJS
robertjd
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
PDF
The Ultimate Guide to Mobile API Security
Stormpath
 
PPTX
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PPTX
Oauth 2.0 security
vinoth kumar
 
PDF
Implementing OAuth
leahculver
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
PDF
OAuth2 Authentication
Ismael Costa
 
ODP
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
PPTX
An Introduction to OAuth 2
Aaron Parecki
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Demystifying OAuth 2.0
Karl McGuinness
 
Rest API Security
Stormpath
 
OAuth2 - Introduction
Knoldus Inc.
 
OAuth2 and Spring Security
Orest Ivasiv
 
OAuth2 + API Security
Amila Paranawithana
 
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
JWT Authentication with AngularJS
robertjd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
The Ultimate Guide to Mobile API Security
Stormpath
 
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Oauth 2.0 security
vinoth kumar
 
Implementing OAuth
leahculver
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
OAuth2 Authentication
Ismael Costa
 
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
An Introduction to OAuth 2
Aaron Parecki
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Ad

Viewers also liked (7)

PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
OpenID Authentication by example
Chris Vertonghen
 
PDF
Introduction to OpenID Connect
Nat Sakimura
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
OpenID Authentication by example
Chris Vertonghen
 
Introduction to OpenID Connect
Nat Sakimura
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
Ad

Similar to Securing RESTful APIs using OAuth 2 and OpenID Connect (20)

PPTX
Designing JavaScript APIs
Jonathan LeBlanc
 
PPTX
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
PPT
UserCentric Identity based Service Invocation
guestd5dde6
 
PDF
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
PDF
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
PDF
Security enforcement of Java Microservices with Apiman & Keycloak
Charles Moulliard
 
PDF
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
PDF
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
PPTX
API design principles for accelerated development
Jonathan LeBlanc
 
PDF
REST APIs in the context of single-page applications
yoranbe
 
PPTX
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
PPTX
Restful api
Anurag Srivastava
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
PPTX
How to Use Stormpath in angular js
Stormpath
 
PPTX
Best Practices for Architecting a Pragmatic Web API.
Mario Cardinal
 
PPTX
Externalizing Authorization in Micro Services world
Sitaraman Lakshminarayanan
 
PDF
WebApp #3 : API
Jean Michel
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
PPT
Pentesting web applications
Satish b
 
Designing JavaScript APIs
Jonathan LeBlanc
 
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
UserCentric Identity based Service Invocation
guestd5dde6
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
Security enforcement of Java Microservices with Apiman & Keycloak
Charles Moulliard
 
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
API design principles for accelerated development
Jonathan LeBlanc
 
REST APIs in the context of single-page applications
yoranbe
 
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Restful api
Anurag Srivastava
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
How to Use Stormpath in angular js
Stormpath
 
Best Practices for Architecting a Pragmatic Web API.
Mario Cardinal
 
Externalizing Authorization in Micro Services world
Sitaraman Lakshminarayanan
 
WebApp #3 : API
Jean Michel
 
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
Pentesting web applications
Satish b
 

More from Jonathan LeBlanc (20)

PDF
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
PDF
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
PDF
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
PPTX
Best Practices for Application Development with Box
Jonathan LeBlanc
 
PPTX
Box Platform Overview
Jonathan LeBlanc
 
PPTX
Box Platform Developer Workshop
Jonathan LeBlanc
 
PPTX
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
PPTX
Box Authentication Types
Jonathan LeBlanc
 
PPTX
Understanding Box UI Elements
Jonathan LeBlanc
 
PPTX
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
PPTX
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
PDF
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
PPTX
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
PDF
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PDF
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PDF
PHP Identity and Data Security
Jonathan LeBlanc
 
PPTX
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PPTX
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Box Platform Overview
Jonathan LeBlanc
 
Box Platform Developer Workshop
Jonathan LeBlanc
 
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
Box Authentication Types
Jonathan LeBlanc
 
Understanding Box UI Elements
Jonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PHP Identity and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 

Recently uploaded (20)

PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
KodekX | Application Modernization Development
KodekX
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Teaching material agriculture food technology
LiaRayya
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Cloud computing and distributed systems.
kkkkkhan
 

Securing RESTful APIs using OAuth 2 and OpenID Connect

  • 1. Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America
  • 2. What We’re Covering Auth History and REST Concepts Adding in an Auth Mechanism Integration in Practice (server + client side integrations)
  • 5. Path to the Standard
  • 7. Very Secure, Long to Implement
  • 8. Two Currently Widely Used Specs
  • 10. What a RESTful API isn’t Our API is RESTful, we support GET, PUT, POST, and DELETE requests No…actually you just support HTTP…like the rest of the web.
  • 11. What a RESTful API is Honor HTTP request verbs Use proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header
  • 12. Does Anyone Actually Do That? Very few APIs follow pragmatic REST principles
  • 14. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]
  • 16. Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
  • 17. When You Need Access Security
  • 18. A Few Different Flavors of Usage User login (authentication) Application only (bearer tokens) User Involvement (authorization)
  • 20. Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret HTTP POST Access Token Endpoint
  • 21. Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_KS1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
  • 22. Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
  • 23. Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
  • 24. Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
  • 25. A few implementation differences Endpoints Scopes (dynamic / static) Using the Access Token in a request
  • 26. OAuth 2 & JavaScript?
  • 27. The Complexities of JavaScript The same-origin policy Keeping private keys private Not having to provide a hacked experience
  • 28. The Ways we Made it Work Server-side proxy Flash / iframe proxy Private token storage mechanism
  • 29. User Agent Flow: Redirect Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
  • 30. User Agent Flow: Redirect Building the redirect link var auth_uri = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);
  • 31. User Agent Flow: Hash Mod Fetch the Hash Mod access_token refresh_token expires_in Extract Access Token
  • 32. User Agent Flow: Hash Mod http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash = document.location.hash; var match = hash.match(/access_token=(w+)/); Extracting the access token from the hash
  • 33. User Agent Flow: Get Resources Set Request Headers + URI Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request
  • 34. User Agent Flow: Get Resources $.ajax({ url: resource_uri, beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } }); Making an authorized request
  • 36. How it’s Normally Used Access user details Push data through user social streams
  • 37. But why? Access token as a control structure Improve Existing Products Our showcase: Seamless Checkout
  • 38. The Last Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
  • 39. A Few Code Links OAuth2 & OpenID Connect Samples https://github.com/jcleblanc/oauth https://github.com/paypal/paypal-access Log in with PayPal http://bit.ly/loginwithpaypal
  • 40. Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America

Editor's Notes

  • #4: What we want
  • #15: Working with HATEOASHypermedia as the Engine of Application State("hate -o's") or "hate yo' ass"