OAuth Behind the scenes

Tran Duc Thang Framgia Vietnam

Preface

• Tran Duc Thang

• 2008 ~ 2011: Hanoi University of Science and Technology, K53. HEDSPI Project.

• 2011 ~ 2013: Keio University.

• 2013 ~ now: Working as BrSE and Web Developer at Framgia Vietnam.

Preface

• Have you ever logged into a website using your Google or Facebook account?

• If yes, have you ever been afraid of losing your Google or Facebook account information?

• Have you ever thought about how authentication works when you log in using a Google or Facebook account?

Contents

1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the scenes

What is OAuth

• OAuth stands for Open Authorization.

• Authentication vs Authorization? Authentication answers who the user is; authorization answers what a third party may do with the user's resources. OAuth is about the latter: it lets a user grant an application limited access without handing over a password.

• OAuth is “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”

History

• OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation.

• The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol.

• OAuth 1.0 was published as RFC 5849 in April 2010.

• OAuth 2.0 was published as RFC 6749 in October 2012.

OAuth in the World

(Original slide: a two-column table of services using OAUTH 1.0 and OAUTH 2.0.)

OAuth 2: How does it work ?

• Resource Owner: the end-user who owns the protected resource and decides whether to grant access to it.

• Authorization Server: where the resource owner authenticates and approves the request; it issues the access tokens.

• Client: an application making protected resource requests on behalf of the resource owner and with its authorization.

• Resource Server: the server hosting the user's protected resources; it accepts and validates access tokens.

• Instead of using the resource owner's credentials to access protected resources, the client obtains an access token.

• Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.

• The client uses the access token to access the protected resources hosted by the resource server.

OAuth 2: How does it work ?

• OAuth 2 is a complete redesign of OAuth 1 and is not backward compatible with the OAuth 1 spec.

• OAuth 2 itself has no message encryption and no request signing (OAuth 1 signed every request). It relies entirely on SSL/TLS to protect bearer tokens and client credentials in transit, so every endpoint must be served over HTTPS. Against CSRF it uses the 'state' parameter: the client generates an unguessable value, binds it to the browser session, sends it with the authorization request and rejects any redirect that comes back with a different value.

• OAuth 2 defines four grant types (authorization code, implicit, resource owner password credentials, and client credentials) to support different types of applications.

OAuth 2: How does it work ?

OAuth 2 - Authorization Code Grant in details

(Original slide: a sequence diagram of the authorization code grant between browser, client, authorization server and resource server.)
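The exchange behind that diagram, written out as an added example that is not code from the original slides: a toy authorization server, client and resource server run in one Python process with in-memory state, so the steps can be followed without a network. The client id `web-app`, the secret, the URLs `https://as.example/authorize` and `https://app.example/cb` and the users `alice` and `mallory` are made-up values. The example also runs the two failure modes the checks exist for: replaying a consumed authorization code, and a login-CSRF attempt where the victim's browser is sent an attacker's redirect URL with the wrong `state`.

```python
# Added example, not code from the original slides: the Authorization Code Grant
# of RFC 6749 section 4.1 with all three parties in one process (made-up names).
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET, REDIRECT_URI = "web-app", "s3cret", "https://app.example/cb"


def _params(query):
    return {k: v[0] for k, v in parse_qs(query).items()}


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (secret, registered redirect_uri)
        self.codes = {}         # code -> (client_id, redirect_uri, user, expires_at)
        self.tokens = {}        # access_token -> (client_id, user)

    def authorize(self, query, user):
        """GET /authorize after `user` has logged in and clicked Allow (step 2)."""
        p = _params(query)
        reg = self.clients.get(p.get("client_id"))
        # exact-match redirect_uri: a code must never be sent to an attacker-chosen URL
        if (reg is None or p.get("response_type") != "code"
                or p.get("redirect_uri") != reg[1] or "state" not in p):
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (p["client_id"], reg[1], user, time.time() + 60)  # short-lived
        return reg[1] + "?" + urlencode({"code": code, "state": p["state"]})  # state echoed as-is

    def token(self, form, client_id, secret):
        """POST /token on the back channel; the client authenticates itself (step 4)."""
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg[0], secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if form.get("grant_type") != "authorization_code" or entry is None:
            raise PermissionError("invalid_grant")
        code_client, code_uri, user, expires_at = entry
        if code_client != client_id or code_uri != form.get("redirect_uri") or time.time() > expires_at:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user)
        return {"access_token": access_token, "token_type": "bearer"}

    def protected_profile(self, authorization_header):
        """Resource server (step 5); it shares the token store with the AS for brevity."""
        scheme, _, tok = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or tok not in self.tokens:
            raise PermissionError("invalid_token")
        client_id, user = self.tokens[tok]
        return {"user": user, "accessed_by": client_id}


class Client:  # the third-party web app; it never sees the user's password
    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}  # browser session id -> expected state

    def login_url(self, session_id):
        """Step 1: send the browser to the AS with a fresh state bound to this session."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = state
        return "https://as.example/authorize?" + urlencode({"response_type": "code",
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state})

    def callback(self, session_id, redirect_url):
        """Step 3: verify state before exchanging the code (login-CSRF defence)."""
        p = _params(urlparse(redirect_url).query)
        expected = self.sessions.pop(session_id, None)
        if expected is None or not secrets.compare_digest(expected, p.get("state", "")):
            raise PermissionError("state mismatch")
        form = {"grant_type": "authorization_code", "code": p.get("code"), "redirect_uri": REDIRECT_URI}
        return self.auth.token(form, CLIENT_ID, CLIENT_SECRET)


def _rejected(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    """Happy path, then the two attacks the checks above reject."""
    auth = AuthorizationServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    client = Client(auth)
    redirect = auth.authorize(urlparse(client.login_url("victim")).query, user="alice")
    tok = client.callback("victim", redirect)
    profile = auth.protected_profile("Bearer " + tok["access_token"])
    used_code = _params(urlparse(redirect).query)["code"]  # replaying a consumed code
    replay = _rejected(lambda: auth.token({"grant_type": "authorization_code", "code": used_code,
                                           "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET))
    # login CSRF: the attacker completes their own flow, then makes the victim's browser
    # load the attacker's redirect; its state belongs to the wrong session
    mallory = auth.authorize(urlparse(client.login_url("mallory")).query, user="mallory")
    client.login_url("victim2")
    csrf = _rejected(lambda: client.callback("victim2", mallory))
    return {"profile": profile, "replay_rejected": replay, "csrf_rejected": csrf}
```

Calling `demo()` returns the profile fetched for `alice` together with two flags showing that the replayed code and the CSRF'd redirect were both refused. The three checks worth noticing are the ones real providers enforce: the redirect URI is matched exactly against the registered one, the code is consumed on first use and expires quickly, and the client refuses to exchange a code whose `state` does not match the one it stored for that browser session. Without the last check an attacker could log a victim into the attacker's account, which is exactly the CSRF that `state` exists to stop.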

References

• RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)

• RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)

• OAuth Community Site (http://oauth.net/)

• OAuth on Wikipedia (http://en.wikipedia.org/wiki/OAuth)

• OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)

• OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)

Thank you for listening!