OAuth FTW
Transcript of OAuth FTW
![Page 1: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/1.jpg)
OAuth FTW
Chris Messina, Future of Web Apps
October 10, 2008, London, England
How OAuth and portable data can revolutionize your web app
(FOR THE WIN)
![Page 2: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/2.jpg)
OAuth |ōˈôθ| Noun.
An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
![Page 3: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/3.jpg)
The story of OAuth starts with OpenID.
![Page 4: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/4.jpg)
factoryjoe.com
![Page 5: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/5.jpg)
factoryjoe.com
![Page 6: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/6.jpg)
![Page 7: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/7.jpg)
Can has OpenID?
factoryjoe.com
![Page 8: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/8.jpg)
B-b-but what about API apps?
(APPLICATION PROGRAMMING INTERFACE)
![Page 9: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/9.jpg)
![Page 10: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/10.jpg)
![Page 11: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/11.jpg)
![Page 12: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/12.jpg)
How much are your username and password worth?
![Page 13: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/13.jpg)
wayn.com
![Page 14: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/14.jpg)
![Page 15: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/15.jpg)
imeem.com
![Page 16: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/16.jpg)
![Page 17: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/17.jpg)
![Page 18: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/18.jpg)
PC Load Letter?! What the f...!
![Page 19: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/19.jpg)
The Password Anti-pattern!
![Page 20: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/20.jpg)
Passwords are not confetti.
![Page 21: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/21.jpg)
Please stop throwing them around.
![Page 22: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/22.jpg)
Especially if they’re not yours.
![Page 23: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/23.jpg)
OAuth replaces the need for usernames and passwords with tokens and a hash-based signature.
![Page 24: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/24.jpg)
let’s take a look
![Page 25: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/25.jpg)
Brightkite > pings Fire Eagle for Request Token
Fire Eagle > returns authorization realm
![Page 26: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/26.jpg)
Brightkite > requests that user authorize Brightkite
Fire Eagle > user authenticates through Yahoo! accounts
![Page 27: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/27.jpg)
Fire Eagle > user grants authorization to Brightkite
Fire Eagle > Fire Eagle redirects user to callback URL
![Page 28: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/28.jpg)
Brightkite > asks Fire Eagle to exchange Request Token for Access Token
Fire Eagle > checks signature; if valid, returns Access Token
...subsequent requests are signed with this Access Token
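The "checks signature" step in the flow above is the whole security of OAuth 1.0: both sides compute an HMAC-SHA1 over a normalized copy of the request, keyed with the consumer secret and the (request or access) token secret. The following is an added illustration, not code from the talk or from Fire Eagle or Brightkite; the host `fireeagle.example`, the keys and the secrets are made up.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(str(value), safe="~")

def normalize_url(url):
    """Lower-case scheme and host, drop default ports and the query string."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"

def signature_base_string(method, url, params):
    """Build METHOD&URL&PARAMS; query-string and oauth_* parameters are sorted together."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(params.items()) + query
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; token_secret is empty on the first leg."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Consumer side (Brightkite): attach oauth_signature to the request parameters."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed

def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Service provider side (Fire Eagle): recompute and compare in constant time.
    A real provider also rejects stale oauth_timestamp values and reused nonces."""
    base = signature_base_string(method, url, params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Any change to the method, URL, parameters or secrets produces a different base string or key, so the provider's recomputed signature no longer matches and the token exchange is refused.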
![Page 29: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/29.jpg)
users can manage access...
![Page 30: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/30.jpg)
...and change access
![Page 31: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/31.jpg)
or can revoke access later without having to change their primary account password
(i.e. if they lose their phone or their computer gets stolen)
![Page 32: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/32.jpg)
![Page 33: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/33.jpg)
discovery
![Page 34: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/34.jpg)
Identity -› Discovery -› Authorization
![Page 35: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/35.jpg)
OpenID -› XRDS-Simple -› OAuth Endpoint
(EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
![Page 36: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/36.jpg)
Identity -› Discovery -› [Authentication] -› Authorization
![Page 37: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/37.jpg)
http://will.norris.name
```html
<meta http-equiv="X-XRDS-Location" content="http://will.norris.name/?xrds" />
```
![Page 38: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/38.jpg)
OpenID XRDS
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <Type>http://openid.net/extensions/sreg/1.1</Type>
      <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
      <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type>
      <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <LocalID>https://recordond.pip.verisignlabs.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
```
![Page 39: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/39.jpg)
XRDS-Simple for Portable Contacts
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)">
  <XRD version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service>
      <Type>http://portablecontacts.net/spec/1.0</Type>
      <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <Type>http://openid.net/extensions/sreg/1.1</Type>
      <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <LocalID>http://brian.myopenid.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
```
![Page 40: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/40.jpg)
XRDS-Simple for Portable Contacts
```xml
<XRD version="2.0">
  <Type>xri://$xrds*simple</Type>
  <Service>
    <Type>http://portablecontacts.net/spec/1.0</Type>
    <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI>
  </Service>
  <Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <Type>http://openid.net/sreg/1.0</Type>
    <Type>http://openid.net/extensions/sreg/1.1</Type>
    <Type>http://schemas.openid.net/pape/policies/2007/06/...
    <Type>http://openid.net/srv/ax/1.0</Type>
    ...
```
![Page 41: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/41.jpg)
XRDS-Simple for Portable Contacts
```xml
<XRD version="2.0">
  <Type>xri://$xrds*simple</Type>
  <Service>
    <Type>http://portablecontacts.net/spec/1.0</Type>
    <URI>http://soocial.com/contacts.xml</URI>
  </Service>
  <Service priority="0">
    <Type>http://specs.openid.net/auth/2.0/signon</Type>
    <Type>http://openid.net/sreg/1.0</Type>
    <Type>http://openid.net/extensions/sreg/1.1</Type>
    <Type>http://schemas.openid.net/pape/policies/2007/06/...
    <Type>http://openid.net/srv/ax/1.0</Type>
    ...
```
![Page 42: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/42.jpg)
adoption
![Page 43: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/43.jpg)
•OpenSocial
•MySpace
•Yahoo! (Fire Eagle)
•Netflix
•SmugMug
•Photobucket
•Plaxo
•Soocial.com
•Meetup.com
•Ma.gnolia
•Get Satisfaction
•Agree2
•SoundCloud
•88Miles
•Pownce
•Brightkite
•Praized
http://wiki.oauth.net/ServiceProviders
![Page 44: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/44.jpg)
code
![Page 45: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/45.jpg)
•C#
•Coldfusion
•Java
•Javascript
•Jifty
•.NET
•Objective-C
•OCaml
•Perl
•PHP
•CakePHP
•Python
•Ruby
•...interest in XMPP
http://oauth.net/code
![Page 46: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/46.jpg)
the pitch
![Page 47: OAuth FTW](https://reader035.fdocument.org/reader035/viewer/2022062512/554928a0b4c90547498be0cb/html5/thumbnails/47.jpg)
fin.
oauth.net
me -› factoryjoe.com