OAuth


Or: „Why you don't have to pass credentials“
About me!
Marvin Hoffmann (B.Sc.)

Computer Science and Media
Semester 2

       Why am I here?
Security will always be a key aspect
of application development
What's coming?
some history and basics

some OAuth

some Facebook

project reference

conclusion

semester holidays :)
History and basics
Once upon a time...
                          you had to pass your username and
                          password to let applications use
                          one another




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2
That of course...

we don't want to be necessary!

Pass username and password?

   No thanks.
   There must be another way!
What do we want then?
  distinguish between different
  applications (and us)

  give different rights to each (scoping)

  be able to revoke rights once they
  were granted

  standardized approach in granting
  access
What's necessary?
Authentication
Who the heck are you?




            Authorization
            You are allowed to do
            xyz and only xyz!
OAuth
We need a standard!
                           many custom-built solutions
                           before OAuth

                                  Flickr: „FlickrAuth“

                                  Google: „AuthSub“

                                  Facebook: requests signed with
                                  MD5 Hashes




Source: http://www.slideshare.net/aaronpk/the-current-state-of-oauth-2; Links: http://oauth.net/2/
What's in the protocol?
                          OAuth 1 based on „FlickrAuth“ and
                          Google's „AuthSub“

                          OAuth2 is a completely new protocol

                          defines different flows, useful for
                          different requirements (native
                          client, website, mobile app)

                          we'll see soon what such a flow can
                          look like

Source: http://hueniverse.com/2010/05/introducing-oauth-2-0/
Facebook
OAuth and Facebook


                                                                               looks familiar?




Source: Application „Pulp“; https://www.facebook.com/settings/?tab=privacy
How to get there                  1
register your application or website
as Facebook-Application to get
your App credentials

  an App ID / API Key

  an App Secret

(tokens you get are only valid for
your Facebook-App)
How to get there                    2
add App-ID and App-Secret to your
code

example:
$facebook = new Facebook(array(
 'appId' => 'YOUR_APP_KEY',
 'secret' => 'YOUR_APP_SECRET'));


your App/Website will now be
identified correctly

Domain will be checked as well!
How to get there                                 3
define what your app needs to use
e.g. „Post to Facebook as me“;
„Access basic information“

example:
<fb:login-button show-faces="true" width="500"
max-rows="1" perms="user_useralbums, read_stream,
publish_stream"></fb:login-button>


rights? See photos, read from and
write to stream
How to get there           4
                                                  App-ID
                                                App-Secret




                                                  Domain
Source: https://developers.facebook.com/apps/
How to get there                  5
You're good to go!




Your App/Website will now be
identified (always) and the user
has to grant specific rights (once)
HTTP calls flow




Source: https://developers.facebook.com/docs/authentication/
Little more details
          Request:
          https://www.facebook.com/dialog/oauth?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          scope=email,read_stream

          Response:
          http://YOUR_URL?
          code=A_CODE_GENERATED_BY_SERVER

          Request:
          https://graph.facebook.com/oauth/access_token?
          client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
          client_secret=YOUR_APP_SECRET&
          code=THE_CODE_FROM_ABOVE

          Response: access_token and time in seconds till token expires   save it!
Source: https://developers.facebook.com/docs/authentication/
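The two request/response pairs above, and the domain check from "How to get there 2", as one runnable walk-through. This is an added example, not code from the slides or from Facebook's SDKs: the endpoint path and parameter names are taken from the slides, while MockAuthServer, the single-use code store, the lifetime value and the app credentials are constructed for illustration. It goes one step beyond the slides by carrying a `state` parameter, which the app generates before the redirect and checks when the browser comes back, so that a callback can only be completed for a request this app actually started.

```python
# Added example (not from the slides or from Facebook's SDKs): the authorization-code
# flow from the "Little more details" slides, simulated offline. Endpoint path and
# parameter names come from the slides; MockAuthServer, the `state` parameter, the
# single-use code store and TOKEN_LIFETIME are assumptions for illustration.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_LIFETIME = 3600  # constructed value for "time in seconds till token expires"


def query_dict(url):
    """Flatten the query string of a URL into {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class MockAuthServer:
    """Stand-in for the authorization server (constructed for this example)."""

    def __init__(self, registered_apps):
        # app_id -> {"secret": ..., "redirect_uri": ...}, as registered in "How to get there 1/4"
        self.apps = registered_apps
        self.codes = {}  # code -> (app_id, redirect_uri, scope); each code is single-use

    def authorize(self, params):
        """/dialog/oauth: the user approved the dialog, issue a code and redirect back."""
        app = self.apps.get(params.get("client_id"))
        # Domain check ("Domain will be checked as well!"): redirect_uri must match the
        # registered one exactly, otherwise a code could be sent to an unregistered URL.
        if app is None or params.get("redirect_uri") != app["redirect_uri"]:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], params["redirect_uri"], params.get("scope", ""))
        back = {"code": code}
        if "state" in params:
            back["state"] = params["state"]  # echoed back unchanged
        return params["redirect_uri"] + "?" + urlencode(back)

    def access_token(self, params):
        """/oauth/access_token: exchange the code; the app secret proves who is asking."""
        app = self.apps.get(params.get("client_id"))
        if app is None or not hmac.compare_digest(app["secret"], params.get("client_secret", "")):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(params.get("code"), None)  # pop: the code is consumed on first use
        if entry is None or entry[0] != params["client_id"] or entry[1] != params.get("redirect_uri"):
            raise PermissionError("invalid, reused or mismatched code")
        return {"access_token": secrets.token_urlsafe(24), "expires": TOKEN_LIFETIME, "scope": entry[2]}


# ---- client side (your app / website) ----

def build_authorize_url(app_id, redirect_uri, scope, state):
    """First request on the slide, plus a `state` value the app checks on the way back."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "client_id": app_id, "redirect_uri": redirect_uri,
        "scope": ",".join(scope), "state": state})


def parse_callback(callback_url, expected_state):
    """First response on the slide: take the code from the redirect, but only if
    `state` shows this redirect belongs to a request this app started."""
    q = query_dict(callback_url)
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to our request")
    return q["code"]


def run_flow(server, app_id, app_secret, redirect_uri, scope):
    """Drive the whole exchange against `server` and return the token response."""
    state = secrets.token_urlsafe(16)                   # remembered in the user's session
    url = build_authorize_url(app_id, redirect_uri, scope, state)
    callback_url = server.authorize(query_dict(url))    # browser: dialog -> grant -> redirect
    code = parse_callback(callback_url, state)
    return server.access_token({                        # server-to-server; the secret never
        "client_id": app_id, "redirect_uri": redirect_uri,  # reaches the browser
        "client_secret": app_secret, "code": code})
```

Note that the app secret only appears in the second request, which goes from your server to the token endpoint, never through the user's browser; the redirect_uri is checked at both steps so that a code issued for one URL cannot be exchanged with another.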
Project Reference
     no code :(
Environment
                          „Online & Performance Marketing
                          Agency“

                          a LOT of Facebook Marketing
                          campaigns per month

                          campaign creation and monitoring
                          via Facebook Ads Manager (web
                          interface)

                          Task: integrate into Java Client!

Links: Ads-Manager: https://www.facebook.com/ads/manage/; Ad Creation: https://www.facebook.com/ads/create/
Facebook and Java
                           just like we learned:

                                   register App with Facebook

                                   get an Access-Token



                           RestFB:
                           helpful Library to speak with
                           GraphAPI in Java

Links: RestFB: http://restfb.com
The Problem we had
 what if..


 .. we want to access
 information of a page that only
 an admin of the page can access?


 .. we want to add data to an
 account, but only admins are
 allowed to?
Conclusion
What do we want then?
   distinguish between different
   applications (and us)

   give different rights to each (scoping)

   be able to revoke rights once they
   were granted

   standardized approach in granting
   access
One more thing!
a stolen token is not as horrible as
stolen credentials!

  just dedicated information or
  actions can be accessed

  no need to change password

  it's easy to revoke access
Thanks!
Questions?

Editor's Notes

  12. 1.0 -> 2006 / 2007
      2.0 -> 2010
  21. „if the user has already authorized your app, they will not be prompted to do so again“
      offline_access -> the token never loses its validity!