OAUTH

OAUTHTHE PRESENTFUTURE OF

with drawings

MICHAEL BLEIGH PRESENTS

PROLOGUE

MICHAELB L E I G H

MY NAME IS

INTRIDEAI WORK AT

@MBLEIGHON TWITTER

“HEY, WOULD ANYONEBE INTERESTED IN

GIVING A TALK ABOUT OAUTH AT RAILSCONF?”

“NO WAY, I MIGHT

FALL ASLEEPWHILE SPEAKING”

“HMM...I’D BETTERADD SOME DRAWINGS.”

THIS TALKIS ABOUT OPEN WEBSTANDARDS

ACT IIN WHICH THE PROBLEM IS D E S C R I B E D

IN THE BEGINNING,THERE WERE

WEB APPS

WEBAPP

WEBAPP

WEBAPP A

WEBAPP B

WEBAPP B

“HEY, MY USERS WANT TO ACCESS YOUR STUFF.”

WEBAPP A

WEBAPP B

WEBAPP A

+API

HTTPBASIC

http://user:password@...

Authorization: Basic dXNlcjpwYXNzd29yZA==

WEBAPP B

WEBAPP A

+API

OK, HERE’S THE KEYS.

WEBAPP B

WEBAPP A

+API

WEBAPP B

WEBAPP A

+API

FUBARFAILED USER BAR FORAUTHORIZATION ROBUSTNESS

*COUGH*

THIS ISA PROBLEM

ACT 2IN WHICH A N E W W AYIS CREATED

CHRIS MESSINABLAINE COOKLARRY HALFF

DAVID RECORDON

“HEY, WOULDN’T IT BE GREAT TO HAVE AN OPEN AUTHORIZATION

STANDARD”

“TOTALLY, LET’SMAKE ONE ANDCALL IT OAUTH.”

FOOTAGEMISSING

WEBAPP B

WEBAPP A

WEBAPP B

WEBAPP A

WEBAPP B

WEBAPP A

“HEY, MY USER WANTS TO ACCESS YOUR STUFF.”

WEBAPP B

WEBAPP A

WEBAPP B

WEBAPP A

WEBAPP B

WEBAPP A

“WHAT’S YOUR PASSWORD?”

“PASSWORD”

WEBAPP B

WEBAPP A

WEBAPP B

WEBAPP A

ADVANTAGES

1. SECURE

2. RESTRICTABLE

WEBAPP B

WEBAPP A

“UMMM....NO”

“DELETE ALLUSER DATA”

3. REVOCABLE

WEBAPP B

*YOIN

K*

3. STANDARD

WEBAPP A

WEBAPP C

WEBAPP D

WEBAPP E

WEBAPP F

NOT QUITEPERFECT

1. COMPLICATED

WEBAPP B

WEBAPP A “NO NO, FIRST

YOU REVERSELOW FIVE...”

“OK, SO IT’S FIST BUMP,DOUBLE-HIGH FIVE...”

2. BROWSER-DEPENDENT

?

2. BROWSER-DEPENDENT

WE CAN DO BETTER

ACT 3IN WHICH WELEARN FROMOUR MISTAKES

OAUTH2.0

IMPROVEM E N T S

1. SIMPLER

WEBAPP B

WEBAPP A

< SSL >

2. FLOWS

WEBAPP B

WEBAPP A

WEB SERVER

WEBAPP A

USER-AGENT

WEBAPP A

DEVICE

SET-­TOPPER

WEBAPP A

PASSWORD

WEBAPP A

PASSWORD

WEBAPP A

PASSWORD

WEBAPP A

PASSWORD

WEBAPP A

PASSWORD

WEBAPP B

WEBAPP A

CLIENT CREDENTIALS

WEBAPP B

WEBAPP A

ASSERTION

CERTIFICATE OFAUTHENTICITY

FLEX-IBILITY

ACT 4IN WHICH WEGET DOWN TOB U S I N E S S

WHO’S DOING IT RIGHT NOW?

WHO WILL BEDOING IT SOON?

WHO WILL BEDOING IT SOON?

YOU

CONSUMINGOAUTH 2.0

# in Gemfilegem 'oauth2'

$ rails g controller oauth

# in routes.rbresource :oauth, :controller => 'oauth' do get :start get :callbackend

class OauthController < ApplicationController def start redirect_to client.web_server.authorize_url( :redirect_uri => callback_oauth_url(:format => 'json'), :scope => 'user' ) end

def callback access_token = client.web_server.get_access_token( params[:code], :redirect_uri => callback_oauth_url(:format => 'json') )

# you should store the access token info now. render :json => access_token.get('/api/v2/json/user/show') end

protected

def client @client ||= OAuth2::Client.new( '296e901b0e6ab74db167', '625fe65c7f74ee4a015d121efb011a45776d510d', :site => 'https://github.com', :authorize_path => '/login/oauth/authorize', :access_token_path => '/login/oauth/access_token' ) endend

PROVIDINGOAUTH 2.0

READ THE

SPEChttp://bit.ly/oauth2-spec

READ THE

SPEChttp://bit.ly/oauth2-spec

NO SERIOUSLY,