OAuth
Behind the scenes
Tran Duc Thang
Framgia Vietnam
Preface
• Tran Duc Thang
• 2008 ~ 2011: Hanoi University of Science and
Technology, K53. HEDSPI Project.
• 2011 ~ 2013: Keio University.
• 2013 ~ now: Working as BrSE and Web Developer at
Framgia Vietnam.
Preface
• Have you ever logged into a website using your
Google or Facebook account?
• If yes, have you ever been afraid of losing your Google
or Facebook account information?
• Have you ever thought about how the authentication
works when you log in using your Google or
Facebook account?
Contents
1. What is OAuth?
2. History
3. OAuth in the world
4. OAuth 2.0: How does it work?
5. OAuth 2.0 Demo: Behind the scenes
What is OAuth
• OAuth stands for Open Authorization.
• Authentication vs Authorization?
• OAuth is “An open protocol to allow secure
authorization in a simple and standard method from
web, mobile and desktop applications.”
History
• OAuth began in November 2006 when Blaine Cook
was developing the Twitter OpenID implementation.
• The OAuth discussion group was created in April 2007,
for the small group of implementers to write the draft
proposal for an open protocol.
• OAuth 1.0 was published as RFC 5849 in April 2010.
• OAuth 2.0 was published in October 2012.
OAuth in the World
[Figure: logos of services using OAuth 1.0 (left column) and OAuth 2.0 (right column); the image itself is not reproduced here]
OAuth 2: How does it work?
• Resource Owner: the end user who owns the protected resources.
• Authorization Server: where the authorization occurs and the
access token is issued.
• Client: an application making protected resource requests on
behalf of the resource owner.
• Resource Server: the server that hosts the user's protected
resources.
• Instead of using the resource owner's credentials to access
protected resources, the client obtains an access token.
• Access tokens are issued to third-party clients by an authorization
server with the approval of the resource owner.
• The client uses the access token to access the protected resources
hosted by the resource server.
OAuth 2: How does it work?
• OAuth 2 is completely different from OAuth 1 and is not
backwards compatible with the OAuth 1 spec.
• OAuth 2 itself provides no encryption or request signing;
it relies entirely on SSL/TLS for confidentiality and
integrity. It also uses the ‘state’ parameter to prevent
CSRF attacks.
• OAuth 2 defines four grant types (authorization code,
implicit, resource owner password credentials, and
client credentials) to support different types of
applications.
OAuth 2: How does it work?
OAuth 2 - Authorization Code Grant in detail
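The authorization code grant that this slide walks through, as an added example that is not part of the deck: an in-process Python model in which the four roles from the earlier slide (resource owner, authorization server, client, resource server) exchange messages by direct calls instead of HTTPS. The client generates the ‘state’ parameter and verifies it on the callback, which is the CSRF mitigation the previous slide mentions; the authorization server checks the registered redirect URI, authenticates the client at the token endpoint, and lets each code be redeemed only once. Every endpoint URL, client id and secret (`https://auth.example/authorize`, `webapp`, `constructed-secret`) is a constructed value, and the direct calls stand in for the TLS-protected requests that OAuth 2 relies on in practice.

```python
"""In-process model of the OAuth 2.0 authorization code grant (RFC 6749, section 4.1).
Added example, not code from the slides: the four roles are plain Python objects, HTTP
round trips are direct calls, and every URL, client id and secret is a constructed value."""
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

AUTHZ_ENDPOINT = "https://auth.example/authorize"   # constructed sample endpoint

def _params(url):
    # Flatten a URL's query string into a dict (first value wins).
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class AuthorizationServer:
    """Issues a code once the resource owner approves, then swaps that code for a token."""
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> issuance record; removed when redeemed
        self.tokens = {}    # access_token -> {"user": ..., "scope": ...}
    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, request_url, user):
        """/authorize: `user` is the resource owner who logged in here and approved.
        Returns the redirect URL that carries the code back to the client."""
        q = _params(request_url)
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if q.get("redirect_uri") != registered_uri:   # exact match: the code goes nowhere else
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "scope": q.get("scope", ""), "user": user}
        # state is echoed back unchanged; the client, not the server, verifies it
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """/token: the confidential client authenticates with its secret and redeems the code."""
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        rec = self.codes.pop(form.get("code"), None)   # pop: a code can be redeemed only once
        if rec is None or rec["client_id"] != client_id or form.get("redirect_uri") != registered_uri:
            raise ValueError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "scope": rec["scope"]}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

def fetch_profile(auth_server, authorization_header):
    """Resource server: serves the protected resource only for a bearer token the AS issued."""
    scheme, _, tok = authorization_header.partition(" ")
    info = auth_server.tokens.get(tok)
    if scheme != "Bearer" or info is None or "profile" not in info["scope"].split():
        raise PermissionError("invalid_token")
    return {"user": info["user"]}

class Client:
    """The third-party web app: it never sees the user's password, only a code and a token."""
    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = {}   # state -> browser session id (a real app keeps this in the session)

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile", "state": state})

    def handle_callback(self, session_id, redirect_url):
        q = _params(redirect_url)
        # CSRF check: the state must be the one this very session issued, and it is consumed
        if self.pending.pop(q.get("state"), None) != session_id:
            raise PermissionError("state mismatch: possible CSRF")
        form = {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri}
        return self.auth_server.token(form, self.client_id, self.client_secret)["access_token"]

def build():
    auth = AuthorizationServer()
    auth.register_client("webapp", "constructed-secret", "https://app.example/cb")
    return auth, Client(auth, "webapp", "constructed-secret", "https://app.example/cb")

def run_flow():
    """Happy path; returns what the resource server hands back for the token."""
    auth, client = build()
    to_authz = client.start_login("sess-alice")               # 1. browser is sent to /authorize
    back = auth.authorize(to_authz, user="alice@example")     # 2. owner approves; code redirected back
    token = client.handle_callback("sess-alice", back)        # 3. state checked, code swapped for token
    return fetch_profile(auth, "Bearer " + token)             # 4. token presented to resource server

def csrf_attempt_rejected():
    """A flow completed in one browser session, replayed as a callback in another, is refused."""
    auth, client = build()
    back = auth.authorize(client.start_login("sess-attacker"), user="attacker@example")
    try:
        client.handle_callback("sess-victim", back)
    except PermissionError:
        return True
    return False
```

`run_flow()` walks the four steps and returns the profile the resource server serves for the token; `csrf_attempt_rejected()` shows why ‘state’ has to be bound to the browser session rather than merely present: a callback URL produced in one session is refused in another, so a victim cannot be silently logged into someone else's account. Because the code is popped on redemption and the state is popped on the callback, replaying the same callback URL fails twice over.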
• The Web Server Flow demo (authorization code grant
type) with the Google OAuth 2.0 Playground
• Demo: Google OAuth 2.0
• Demo: Facebook OAuth 2.0
OAuth 2 Demo
References
• RFC 5849: The OAuth 1.0 Protocol (http://tools.ietf.org/html/rfc5849)
• RFC 6749: The OAuth 2.0 Authorization Framework (http://tools.ietf.org/html/rfc6749)
• OAuth Community Site (http://oauth.net/)
• OAuth Wikipedia (http://en.wikipedia.org/wiki/OAuth)
• OAuth 2.0 - The Good, The Bad & The Ugly (http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216)
• OAuth 2.0 and the Road to Hell (http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/)
Thank you for listening!
