OAuth 2.0: Open Protocol Standard for Authorization
Saadhvi Summit, Nirmal Kumar. Date: 2 April 2012, 4:00 PM IST
OAuth - Overview
OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without handing out their credentials: the second site receives a limited-scope access token instead of the user's username and password.
Need for Authorization Standard
Secure Way to Access User Resources?
Is there a secure way for an external application, say WordPress, where you already have an account, to access your Flickr photos and albums?
Access user resources (photos, albums etc.)
Is there a secure way for an external application, say Facebook, where you already have an account, to access your Gmail address book or contact list?
Access user contacts from a Gmail account
Should I expose my Credentials?
Should I have to expose my Flickr account credentials to WordPress?
Should I have to expose my Gmail account credentials to Facebook?
User Credentials Compromise
1. Applications cannot be trusted with the user's password.
2. The user's password might be misused to access other information in that account; a password grants full access, not just the resource the application needs.
3. Users often reuse the same password for a variety of applications, so one leak becomes a wider security threat.
4. Changing the password is not reflected in the applications that stored it: they break or keep an outdated credential, and access cannot be revoked per application.
What OAuth Standard Provides
A way for an application to interact with a service on the user's behalf without requiring the user's account credentials.
The Car Valet Parking Analogy
Regular Key (Car Owner):
- Full access
- Provides the necessary, limited access to a valet through the valet key
- Can revoke that access at any time, e.g. when a threat is suspected
Valet Key (Valet):
- Limited access
- Cannot change anything without the authorization of the resource owner
How this works?
Diagram: API Provider (services, user resources); API Client Application; User. The user owns the resources, the user authorizes the client application, and the client application accesses the resources.
Sample: Twitter - Authorize
Revoke access to applications at any time.
How this works?
1. The client application sends the user's browser to the API service provider's authorization endpoint with its client ID, the redirect URI and the requested scope. The client secret is not part of this request and must never be sent through the browser.
2. The user is shown a prompt: "Authorize Application X to access your account". The user can either authorize or reject.
3. If the user authorizes, the browser is redirected back to the client application with an authorization code in the URL.
4. The client web application sends this authorization code, together with its client ID and client secret, in a direct (back-channel) request to the API server, which returns an access token.
5. The client application uses that token to access the authorized data in the user's account.
A practical caveat: the client should include a random state value in step 1 and check it on the redirect in step 3, so an attacker cannot splice a code of their own into the user's session (login CSRF), and the provider should only redirect to a pre-registered redirect URI.
OAuth Benefits
1. Can be integrated in web, mobile and other home devices.
2. No more sharing of passwords or user credentials with other applications, so no security hassles for the user.
3. Developers just need to implement a redirect and a POST request, which keeps it flexible for developers.
4. Users can revoke access tokens for specific clients at any time.
5. Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately.
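The authorization code flow from the "How this works?" slide and the two revocation benefits above, as an added example in Python that is not code from the slides or from any real provider. Both roles (the API provider and the client web application) are simulated in one process so the exchange runs offline; the endpoint URL, client IDs, client secrets, redirect URIs and scope names are all assumed values. It shows what the slide text leaves implicit: the secret only travels on the back channel, the code is single-use, the state value is checked on the redirect, and revocation cuts a token or a whole client off from the resource.

```python
"""Toy OAuth 2.0 authorization code flow (RFC 6749 section 4.1), both sides in one process.

Added example, not code from the slides or from any real provider. Endpoint URL,
client_id/client_secret and redirect URIs are assumed (hypothetical) values.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"  # assumed


class AuthorizationServer:
    """In-memory API provider: registered clients, one-time codes, bearer tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "scope", "expires"}
        self.tokens = {}   # access_token -> {"client_id", "scope"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, authorize_url, user_approved):
        """Front channel: the browser opens the authorize URL, the user sees
        'Authorize Application X?' and approves or rejects. Returns the URL the
        provider redirects the browser back to. No client secret is involved."""
        q = parse_qs(urlparse(authorize_url).query)
        client_id, redirect_uri, state = q["client_id"][0], q["redirect_uri"][0], q["state"][0]
        client = self.clients.get(client_id)
        # Exact match against the registered redirect URI: otherwise the code
        # could be delivered to an attacker-controlled page.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": q.get("scope", [""])[0], "expires": time.time() + 600}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client POSTs the code with its credentials. This is
        the only place the client secret appears."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # codes are single-use; a replay fails
        if (grant is None or grant["expires"] < time.time()
                or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "bearer", "scope": grant["scope"]}

    def resource_allowed(self, access_token, needed_scope):
        """Protected resource: only a live token carrying the needed scope gets in."""
        t = self.tokens.get(access_token)
        return t is not None and needed_scope in t["scope"].split()

    def revoke_token(self, access_token):
        """The user revokes one application's access (benefit 4 on the slide)."""
        self.tokens.pop(access_token, None)

    def revoke_client(self, client_id):
        """The provider cuts off a nefarious client: its credentials and every token (benefit 5)."""
        self.clients.pop(client_id, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v["client_id"] != client_id}


class Client:
    """The API client web application (the slide's Tracksheet demo, assumed here)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_state = None

    def authorize_url(self, scope):
        # `state` ties the callback to this browser session and is checked on return.
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def handle_callback(self, server, redirect_url):
        """Redirect handler: validate state, then exchange the code for a token."""
        q = parse_qs(urlparse(redirect_url).query)
        expected, self.pending_state = self.pending_state, None  # state is single-use too
        if expected is None or q.get("state", [None])[0] != expected:
            raise ValueError("state mismatch: possible CSRF, discarding callback")
        if "error" in q:
            return None  # the user rejected the prompt
        return server.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)


def run_flow(user_approved=True):
    """Drive one complete exchange; returns (server, token dict or None)."""
    server = AuthorizationServer()
    server.register_client("tracksheet", "s3cret", "https://tracksheet.example/cb")  # assumed
    client = Client("tracksheet", "s3cret", "https://tracksheet.example/cb")
    redirect = server.authorize(client.authorize_url("tasks.read"), user_approved)
    return server, client.handle_callback(server, redirect)
```

In a real deployment the `authorize` step is the provider's web page and `token` is an HTTPS POST to its token endpoint; the code above keeps only the checks each side performs. Note that a rejected prompt still carries the `state` back, so the client can tell an honest rejection from a forged callback.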
List of OAuth Service Providers (as of the talk date, April 2012)
- Facebook: OAuth 2.0
- Foursquare: OAuth 2.0
- GitHub: OAuth 2.0
- Google: OAuth 2.0
- Microsoft (Hotmail, Messenger, Xbox): OAuth 2.0
- LinkedIn: OAuth 2.0
- MySpace: OAuth 1.0a
- Netflix: OAuth 1.0a
- StatusNet: OAuth 1.0a
- Twitter: OAuth 1.0a
- Vimeo: OAuth 1.0a
- Yahoo!: OAuth 1.0a
References
- http://en.wikipedia.org/wiki/OAuth#OAuth_2.0
- http://oauth.net/
- http://oauth.net/documentation/getting-started/
- https://code.google.com/apis/console/
- http://hueniverse.com/oauth/guide/workflow/
- https://developers.google.com/accounts/docs/OAuth2
Demo: Access Google Tasks from Tracksheet
Questions ?
Thank You..
Contact: Saadhvi Summit, Nirmal Kumar, @nirmal_kumar