OAuth 2.0: Theory and Practice


Daniel Correia

Pedro Félix


whoami

- Daniel Correia
  - Fast learner, Junior Software Engineer
  - Passionate about everything Web-related
  - Currently working with the SAPO SDB team
- Pedro Félix
  - Teacher at ISEL – the engineering school of the Lisbon Polytechnic Institute
  - Independent consultant working with the SAPO SDB team


OAuth History

- OAuth started circa 2007
- 2008 - IETF standardization work started
- 2010 - RFC 5849 defines OAuth 1.0
- 2010 - WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
- 2010 - OAuth 2.0 work begins in the IETF
- 2012
  - RFC 6749 - The OAuth 2.0 Authorization Framework
  - RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage


A use case

- The cast of characters
  - storecode.example – code repository service (e.g. )
  - checkcode.example – code analysis service (e.g. travis-)
  - Alice – a fictional developer
- The problem
  - How can Alice allow checkcode to access her private code stored at storecode?

[Diagram: Alice uses checkcode.example to build and analyze code and stores her private code at storecode.example; checkcode.example fetches Alice's code from storecode.example]


The password anti-pattern

- A solution: Alice shares her password with checkcode
- Problems:
  - Unrestricted access – checkcode has all of Alice's permissions
    - read and write on all code repositories, issues, wiki, ...
  - No easy revocation
    - Changing password implies revoking all other client applications
  - Password management
    - Changing password implies updating all the delegated applications
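As an added example (not part of the slides), a toy model of storecode.example as a resource server that contrasts password sharing with a scoped, revocable delegated token, exercising each of the three problems listed above; the user names, credential values and permission strings are constructed for the demo.

```python
import secrets

# Toy model of storecode.example as a resource server (constructed example).
class StoreCode:
    def __init__(self):
        self.passwords = {"alice": "s3cret"}                 # constructed credential
        self.perms = {"alice": {"repo:read", "repo:write",    # everything Alice may do
                                "issues:write", "wiki:write"}}
        self.tokens = {}                                      # token -> (user, granted scope)

    def set_password(self, user, new_pw):
        self.passwords[user] = new_pw

    def access_with_password(self, user, pw, action):
        # Password anti-pattern: whoever holds the password gets every
        # permission the user has, and only a password change stops them.
        if self.passwords.get(user) != pw:
            return False
        return action in self.perms[user]

    def issue_token(self, user, scope):
        # Delegation: Alice grants checkcode only a subset of her permissions.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, set(scope) & self.perms[user])
        return token

    def revoke_token(self, token):
        self.tokens.pop(token, None)              # revoking affects one client only

    def access_with_token(self, token, action):
        entry = self.tokens.get(token)
        return entry is not None and action in entry[1]

def demo():
    rs, r = StoreCode(), {}
    # 1. Unrestricted access: the shared password lets checkcode write the wiki; a repo:read token does not.
    r["pw_wiki"] = rs.access_with_password("alice", "s3cret", "wiki:write")
    tok = rs.issue_token("alice", {"repo:read"})
    r["tok_read"] = rs.access_with_token(tok, "repo:read")
    r["tok_wiki"] = rs.access_with_token(tok, "wiki:write")
    # 2. Revocation: the token is revoked without touching Alice's password.
    rs.revoke_token(tok)
    r["tok_revoked"] = rs.access_with_token(tok, "repo:read")
    r["pw_unchanged"] = rs.access_with_password("alice", "s3cret", "repo:read")
    # 3. Password management: a password change locks out password-sharing clients but not an outstanding token.
    tok2 = rs.issue_token("alice", {"repo:read"})
    rs.set_password("alice", "n3w-s3cret")
    r["pw_old_rejected"] = rs.access_with_password("alice", "s3cret", "repo:read")
    r["tok2_survives"] = rs.access_with_token(tok2, "repo:read")
    return r
```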

