770 likes | 1.02k Views
OAuth 2.0 in Depth. By Rohit Ghatol Director @ Synerzip Passionate about TechNext. Why study about OAuth?. Do you care about these or Similar Sites?. Reference - http://rainbowseo.com/wp-content/uploads/2012/06/ smm.png. Http Access. Facebook. Browser. LinkedIn. Foursquare. Twitter.
E N D
OAuth 2.0 in Depth By Rohit Ghatol Director @ Synerzip Passionate about TechNext
Do you care about these or Similar Sites? Reference - http://rainbowseo.com/wp-content/uploads/2012/06/smm.png
Http Access Facebook Browser LinkedIn Foursquare Twitter Api Access Mashups
Security Closed Closed Open Authentication Authorization
OAuth In a Nut Shell Can I have your Debit Card and ATM Pin?
OAuth In a Nut Shell Can I have your Credit Card?
OAuth Practical Example Disclaimer before you read ahead: All product names and people names used in the following slides are not entirely accurate. They are only placeholders to explain the concept. None of that information should assumed to be correct or incorrect.
With OAuth URL changed to http://picasa.com
With OAuth URL is http://picasa.com
With OAuth URL changed to http://picasa.com with code parameter
Scenario Wants to integrate with Google Services e.g Picasa BOB Owns Owns Print-Fast Picasa
Roles Authorization Server Wants to integrate with Google Services e.g Picasa BOB Resource Server Client Owns Owns Print-Fast Picasa
Roles Authorization Server Wants to integrate with Google Services e.g Picasa BOB David Resource Server Client Owns Owns Resource Owner Print-Fast Picasa
Client Registration Authorization Server Client Registers with Authorization Server BOB Resource Server Client Owns Owns Client_Id=print-fast Client_Secret=xxx Redirect_Url= http://print-fast.com Print-Fast Picasa
OAuth Flows/Grant Types • Authorization Code Grant • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant
Authorization Request Authorization Grant URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=code
Authorization Grant Code = ase34 Authorization Grant
Authorization Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Client Resource Owner Authorization Grant code = ase34 David Authorization Server Print-Fast Resource Server Protocol Flow
Client Authorization Server Code = ase34 Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4 code = ase34 access_token = x3e4
Client Resource Owner Authorization Grant code = ase34 Client_Id=print-fast Client_Secret=xxx David Authorization Server Access Token access_token= x3e4 Print-Fast Resource Server Protocol Flow
Client Authorization Server Code = ase34 Client_Id=print-fast Client_Secret=xxx Print-Fast access_token = x3e4 code = ase34 Picasa http://picasa.com/ ..../usr133/photos access_token = x3e4 [“http://…/DSC34.jpg”, “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
Client Resource Owner David Authorization Server Print-Fast Picasa Access Token Resource Server access_token = x3e4 Protected Resource [“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”] Protocol Flow
Client Authorization Request Resource Owner Authorization Grant Authorization Grant Authorization Server Access Token Access Token Resource Server Protected Resource Protocol Flow
Access Grant & Client Credentials Client Authorization Server Access Token & Refresh Token Access Token Resource Server Protected Resource Access Token Invalid Token Error Refresh Token & Client Credentials Access Token & Optional Refresh Token Protocol Flow
OAuth Flows/Grant Types • Authorization Code Grant • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant
Implicit Grant Request Implicit Grant URL used is http://picasa.com/?client_id=photo-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com&response_type=token
Access token = x3e4 Implicit Grant
Implicit Grant Request Client_Id=print-fast Redirect_url = http://print-fast.com Scope=profile,email,photos Client Resource Owner Access Token access_token= x3e4 David Authorization Server Print-Fast Picasa Resource Server Protocol Flow
Picasa http://picasa.com/ ..../usr133/photos access_token = x3e4 [“http://…/DSC34.jpg”, “http://…/DSC44.jpg”, “http://…/DSC56.jpg”, “http://…/DSC98.jpg” ]
Client Resource Owner David Meant for Pure Browser based Applications Access Token Picasa Resource Server access_token = x3e4 Protected Resource [“http://…/DSC34.jpg”,“http://…/DSC44.jpg”, “http://…/DSC56.jpg”,“http://…/DSC98.jpg”] Protocol Flow
Client Authorization Request Resource Owner Access Token Access Token Resource Server Protected Resource Protocol Flow
OAuth Flows/Grant Types • Authorization Code Grant • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant