Secure API Authorization with OAuth
And ideas about mobile authentication
Presented by: Rick Mak (Software Architect, Oursky) and Edwin Chu (User Experience Designer, Oursky)
Who is using/going to use OAuth?
Just to name a few
Introduction - When to use OAuth?
When to use OAuth? Remember the first thing you did in Facebook.
You enter your email account password here.
What OAuth Is and Isn’t
• What OAuth Is
  • An open protocol to allow secure API authorization in a simple and standard method
  • As an end-user, OAuth allows you to grant access to your private resources on one site (called the Service Provider) to another site (called the Consumer), without giving out your credentials.
  • As a developer of desktop applications, dashboard widgets or gadgets, JavaScript or browser-based apps, or webpage widgets, OAuth is an authorization protocol for getting access to protected data.
  • As a server-side API developer, OAuth gives your users better protection and control over their data.
What OAuth Is and Isn’t
• What OAuth Isn’t
  • competing with OpenID
  • an OpenID extension
  • a new concept. OAuth is similar to other protocols currently in use (Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API, etc.)
The OAuth’s Approach: If Gmail supported OAuth
Some Gmail account name
facebook is requesting access to your address book. If approved, facebook will have read only access for the next 1 hour.
Approve  Deny
How does it work?
Source: http://oauth.net/core/1.0/
How does it work? A simpler perspective
1. User to Facebook: “Please find my friends in the address book of my Gmail account.” Facebook: “Yes, sir.”
2. Facebook to Gmail: Get Request Token. Gmail returns a Request Token.
3. Facebook directs User to Gmail’s sign in URL.
4. User to Gmail: “Here is my username and password. Please keep it safe.” Gmail: “Sure. Are you sure you want to give access to Facebook for 1 hour?” User: “Yes.”
5. Gmail directs User back to Facebook.
6. Facebook to Gmail: Exchange Request Token for Access Token. Gmail returns an Access Token.
7. Facebook to Gmail: Get email addresses using the Access Token. Gmail returns the email addresses.
OAuth meets mobiles
OAuth in Action: Pownce
Contact Us
Oursky is a web application development company based in Hong Kong. Oursky offers web solutions consultation, web design, content management system and web application development.
Rick Mak, Software Architect. Email: [email protected], Phone: 9620 5080
Edwin Chu, User Experience Designer. Email: [email protected], Phone: 9834 0556
~ The End ~