The Present Future of OAuth
michael-bleigh
Transcript of The Present Future of OAuth
THE PRESENT FUTURE OF OAUTH
WITH DRAWINGS
MICHAEL BLEIGH PRESENTS
PROLOGUE
MY NAME IS MICHAEL BLEIGH
I WORK AT INTRIDEA
@MBLEIGH ON TWITTER
“HEY, WOULD ANYONE BE INTERESTED IN GIVING A TALK ABOUT OAUTH AT RAILSCONF?”
“NO WAY, I MIGHT FALL ASLEEP WHILE SPEAKING”
“HMM... I’D BETTER ADD SOME DRAWINGS.”
THIS TALK IS ABOUT OPEN WEB STANDARDS
ACT 1
IN WHICH THE PROBLEM IS DESCRIBED
IN THE BEGINNING, THERE WERE
WEB APPS
WEBAPP A
WEBAPP B
“HEY, MY USERS WANT TO ACCESS YOUR STUFF.”
WEBAPP A + API
HTTP BASIC
http://user:password@...
Authorization: Basic dXNlcjpwYXNzd29yZA==
OK, HERE’S THE KEYS.
FUBAR: FAILED USER BAR FOR AUTHORIZATION ROBUSTNESS
*COUGH*
THIS ISA PROBLEM
ACT 2
IN WHICH A NEW WAY IS CREATED
CHRIS MESSINA, BLAINE COOK, LARRY HALFF, DAVID RECORDON
“HEY, WOULDN’T IT BE GREAT TO HAVE AN OPEN AUTHORIZATION STANDARD?”
“TOTALLY, LET’S MAKE ONE AND CALL IT OAUTH.”
FOOTAGE MISSING
“HEY, MY USER WANTS TO ACCESS YOUR STUFF.”
“WHAT’S YOUR PASSWORD?”
“PASSWORD”
ADVANTAGES
1. SECURE
2. RESTRICTABLE
“DELETE ALL USER DATA”
“UMMM.... NO”
3. REVOCABLE
*YOINK*
4. STANDARD
WEBAPP A, WEBAPP C, WEBAPP D, WEBAPP E, WEBAPP F
NOT QUITE PERFECT
1. COMPLICATED
“OK, SO IT’S FIST BUMP, DOUBLE-HIGH FIVE...”
“NO NO, FIRST YOU REVERSE LOW FIVE...”
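The secret handshake the drawing is making fun of is OAuth 1.0's request signing: every API call carries an HMAC-SHA1 signature over a canonical "signature base string" built from the method, the URL and every query, body and oauth_* parameter, each percent-encoded and sorted. The Ruby below is an added example, not code from the talk; it implements the 1.0a signing rules as codified in RFC 5849 and checks itself against the worked request in that RFC's section 3.4.1.1. The consumer and token secrets are constructed for the example; the one-character-off encoding rules in the comments are exactly what made interoperability painful.

```ruby
# Added example (not from the slides): OAuth 1.0a HMAC-SHA1 request signing
# per RFC 5849 sections 3.4 and 3.6, with a verifier that compares in constant time.
require 'openssl'

module OAuth1
  # RFC 5849 section 3.6: percent-encode everything except ALPHA / DIGIT / - . _ ~,
  # with upper-case hex. CGI.escape (space -> '+') and encoders that escape '~'
  # produce a different base string and therefore a signature the server rejects.
  def self.escape(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |ch| ch.bytes.map { |b| '%%%02X' % b }.join }
  end

  # Section 3.4.1.3: encode name and value, sort by name then value, join with & .
  # The caller passes query, form-body and oauth_* params (no realm, no oauth_signature).
  def self.normalize_params(params)
    params.map { |k, v| [escape(k), escape(v)] }
          .sort
          .map { |k, v| "#{k}=#{v}" }
          .join('&')
  end

  # Section 3.4.1: METHOD & encode(base URI) & encode(normalized parameters).
  def self.base_string(method, base_uri, params)
    [method.upcase, escape(base_uri), escape(normalize_params(params))].join('&')
  end

  # Section 3.4.2: key is encode(consumer secret) & encode(token secret).
  def self.sign(method, base_uri, params, consumer_secret, token_secret)
    key = "#{escape(consumer_secret)}&#{escape(token_secret)}"
    digest = OpenSSL::HMAC.digest('sha1', key, base_string(method, base_uri, params))
    [digest].pack('m0') # strict Base64, no trailing newline
  end

  # Server side: recompute and compare without leaking how many bytes matched.
  def self.valid?(signature, method, base_uri, params, consumer_secret, token_secret)
    expected = sign(method, base_uri, params, consumer_secret, token_secret)
    return false unless expected.bytesize == signature.bytesize
    expected.bytes.zip(signature.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# The RFC 5849 section 3.4.1.1 example request:
#   POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b   with form body  c2&a3=2+q
RFC_PARAMS = [
  ['b5', '=%3D'], ['a3', 'a'], ['c@', ''], ['a2', 'r b'],   # decoded query string
  ['c2', ''], ['a3', '2 q'],                                 # decoded form body
  ['oauth_consumer_key', '9djdj82h48djs9d2'],
  ['oauth_token', 'kkk9d7dh3k39sjv7'],
  ['oauth_signature_method', 'HMAC-SHA1'],
  ['oauth_timestamp', '137131201'],
  ['oauth_nonce', '7d8f3e4a'],
]
# The base string the RFC gives for that request.
RFC_BASE_STRING = 'POST&http%3A%2F%2Fexample.com%2Frequest&' \
  'a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D' \
  '%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a' \
  '%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201' \
  '%26oauth_token%3Dkkk9d7dh3k39sjv7'

if __FILE__ == $0
  # Secrets below are constructed for the example, not taken from the RFC.
  puts OAuth1.base_string('POST', 'http://example.com/request', RFC_PARAMS) == RFC_BASE_STRING
  sig = OAuth1.sign('POST', 'http://example.com/request', RFC_PARAMS, 'consumer-secret', 'token-secret')
  puts "oauth_signature=\"#{OAuth1.escape(sig)}\""
end
```

Note that the timestamp and nonce are part of what is signed; a provider that does not also remember recent nonces per consumer key gets integrity but no replay protection, which is the kind of detail that made "just use SSL and a bearer token" attractive in 2.0.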
2. BROWSER-DEPENDENT
WE CAN DO BETTER
ACT 3
IN WHICH WE LEARN FROM OUR MISTAKES
OAUTH 2.0
IMPROVEMENTS
1. SIMPLER
WEBAPP B < SSL > WEBAPP A
2. FLOWS
WEB SERVER
USER-AGENT
DEVICE (SET-TOPPER)
PASSWORD
CLIENT CREDENTIALS
ASSERTION (CERTIFICATE OF AUTHENTICITY)
FLEXIBILITY
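To make the web server flow concrete, and to show the three properties Act 2 promised (the client never sees the password, the grant is restrictable, the grant is revocable), here is an added example that is not from the talk: a small in-memory authorization server in plain Ruby with both sides of the exchange, the authorization step that hands the client only a one-time code and the server-to-server step that exchanges it for a scoped bearer token. Client name, secret and callback URL are constructed for the example.

```ruby
# Added example (not from the slides): a minimal model of the OAuth 2.0 "web server"
# (authorization code) flow, showing scope restriction, one-time codes and revocation.
require 'securerandom'

class AuthorizationServer
  Grant = Struct.new(:client_id, :redirect_uri, :scope, :user, :used)

  def initialize
    @clients = {}  # client_id => { secret:, redirect_uri: }
    @codes   = {}  # authorization code => Grant (one-time use)
    @tokens  = {}  # access token => { user:, scope:, client_id:, revoked: }
  end

  def register_client(client_id, secret, redirect_uri)
    @clients[client_id] = { secret: secret, redirect_uri: redirect_uri }
  end

  # Step 1: the user-agent arrives here, redirected by the client. The user logs in
  # to *this* server (never to the client) and approves the requested scope. The
  # only thing sent back to the client is a short-lived, one-time code.
  def authorize(client_id:, redirect_uri:, scope:, user:)
    client = @clients.fetch(client_id) { raise ArgumentError, 'unknown client' }
    # Exact match against the registered URI, or the code could be delivered to an
    # attacker-chosen location.
    raise ArgumentError, 'redirect_uri mismatch' unless client[:redirect_uri] == redirect_uri
    code = SecureRandom.hex(16)
    @codes[code] = Grant.new(client_id, redirect_uri, scope, user, false)
    code
  end

  # Step 2: server to server, over SSL in real life. The client proves its identity
  # with its secret, the redirect_uri is re-checked, and the code is burned so an
  # intercepted or replayed code is worthless.
  def token(client_id:, client_secret:, code:, redirect_uri:)
    client = @clients[client_id]
    return { 'error' => 'invalid_client' } unless client && client[:secret] == client_secret
    grant = @codes[code]
    unless grant && !grant.used && grant.client_id == client_id && grant.redirect_uri == redirect_uri
      return { 'error' => 'invalid_grant' }
    end
    grant.used = true
    token = SecureRandom.hex(32)
    @tokens[token] = { user: grant.user, scope: grant.scope, client_id: client_id, revoked: false }
    { 'access_token' => token, 'scope' => grant.scope }
  end

  # Protected-resource check: token exists, is not revoked, and covers the scope.
  def authorized?(token, required_scope)
    t = @tokens[token]
    !t.nil? && !t[:revoked] && t[:scope].split.include?(required_scope)
  end

  # REVOCABLE: the user cuts off one client; other clients and the password are untouched.
  def revoke_client(user, client_id)
    @tokens.each_value { |t| t[:revoked] = true if t[:user] == user && t[:client_id] == client_id }
    @codes.delete_if { |_, g| g.user == user && g.client_id == client_id }
    nil
  end
end

# Runs the whole flow for WEBAPP B against WEBAPP A and reports each check's result.
def run_web_server_flow
  as = AuthorizationServer.new
  cb = 'https://webapp-b.example/oauth/callback'   # constructed callback URL
  as.register_client('webapp-b', 'webapp-b-secret', cb)

  code  = as.authorize(client_id: 'webapp-b', redirect_uri: cb, scope: 'user', user: 'alice')
  resp  = as.token(client_id: 'webapp-b', client_secret: 'webapp-b-secret', code: code, redirect_uri: cb)
  token = resp.fetch('access_token')

  result = {
    read_user:    as.authorized?(token, 'user'),    # within the granted scope
    delete_data:  as.authorized?(token, 'delete'),  # RESTRICTABLE: "ummm... no"
    replay_code:  as.token(client_id: 'webapp-b', client_secret: 'webapp-b-secret', code: code, redirect_uri: cb)['error'],
    wrong_secret: as.token(client_id: 'webapp-b', client_secret: 'guess', code: code, redirect_uri: cb)['error'],
  }
  as.revoke_client('alice', 'webapp-b')             # REVOCABLE: *yoink*
  result[:after_revoke] = as.authorized?(token, 'user')
  result
end

if __FILE__ == $0
  run_web_server_flow.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The model leaves out what a real provider also needs: code and token expiry, a `state` value so the client can bind the callback to the browser session that started the flow, and TLS on every leg, since a 2.0 bearer token is only as secret as the channel it travels on.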
ACT 4
IN WHICH WE GET DOWN TO BUSINESS
WHO’S DOING IT RIGHT NOW?
WHO WILL BE DOING IT SOON?
YOU
CONSUMING OAUTH 2.0
# in Gemfile
gem 'oauth2'

$ rails g controller oauth

# in routes.rb
resource :oauth, :controller => 'oauth' do
  get :start
  get :callback
end

# app/controllers/oauth_controller.rb
# Web server flow against GitHub using the oauth2 gem's 0.x API (client.web_server;
# later gem versions expose the same flow as client.auth_code).
class OauthController < ApplicationController
  # Step 1: send the user's browser to the provider's authorization page.
  # The redirect_uri here must match the one used in the token exchange below.
  def start
    redirect_to client.web_server.authorize_url(
      :redirect_uri => callback_oauth_url(:format => 'json'),
      :scope => 'user'
    )
  end

  # Step 2: the provider redirects back with ?code=...; exchange it server-to-server
  # for an access token. (In production also send and verify a state value so the
  # callback is bound to the session that started the flow.)
  def callback
    access_token = client.web_server.get_access_token(
      params[:code],
      :redirect_uri => callback_oauth_url(:format => 'json')
    )
    # you should store the access token info now.
    render :json => access_token.get('/api/v2/json/user/show')
  end

  protected

  # Client id and secret as shown on the slide; in real code load them from the
  # environment or a credentials store rather than committing them.
  def client
    @client ||= OAuth2::Client.new(
      '296e901b0e6ab74db167',
      '625fe65c7f74ee4a015d121efb011a45776d510d',
      :site => 'https://github.com',
      :authorize_path => '/login/oauth/authorize',
      :access_token_path => '/login/oauth/access_token'
    )
  end
end
PROVIDING OAUTH 2.0
READ THE SPEC
http://bit.ly/oauth2-spec
NO SERIOUSLY,