TRANSCRIPT
The How of OAuth
OAuth Hackathon – 4/26 @ Six Apart
http://icanhaz.com/oauth
The How of OAuth
or: How I learned to stop worrying and fall in love with Factory Joe
OAuth’s Goal
• Website X can access your protected data at API Y
– All without sharing your password off-site
– Especially when there isn’t one, as with OpenID
OAuth gives you:
• Signed HTTP Requests
• Safe, Password-less Token Exchange
The Three Actors
• User – My Buddy (not me)
• Service Provider – Chuck E. Cheese
• Consumer – 10 yr old kids
The Three Tokens
• Access Tokens – Chuck E. Cheese Tickets
• Request Tokens – Chuck E. Cheese Tokens
• Consumer Keys
The Three URLs
• Request Token Issuer
• Authorization Page
• Access Token Exchanger
Building a Consumer
Get a consumer key and secret
Simple enough, eh?
Get a Request Token
Authorize the Request Token
Exchange for an Access Token
Making Authenticated Calls
Building a Service Provider
Data to store
• Consumers: key, secret, callback_url
• Request Token: token, secret, consumer, authorizing_user
• Access Token: token, secret, consumer, user
Registering Consumers
Issuing Request Tokens
• Verify using only the consumer credential
Issuing Request Tokens
• Issue the request token
Authorizing Request Tokens
• Ask the user to accept the authorization
Authorizing Request Tokens
• Connecting the logged-in user
• Go back to the consumer
Exchange for an Access Token
• Validate using Request Token and Consumer
Exchange for an Access Token
• Issue the Access Token
• Destroy the Request Token
Protecting Resources
• Validate Access Token
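The signed request that "Making Authenticated Calls" sends and the check that "Protecting Resources" performs are the same computation seen from both sides. The following is an added example, not code from the slides or the hackathon: it builds the OAuth 1.0 HMAC-SHA1 signature base string, signs a call as the consumer, and validates it as the service provider, keeping the slides' "data to store" in plain in-memory dicts (an assumption made for illustration).

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

def pct(s):
    return quote(str(s), safe="-._~")  # RFC 3986 encoding: only -._~ stay bare

def signature_base_string(method, url, params):
    """METHOD & pct(base URL) & pct(sorted 'k=v' pairs joined by '&')."""
    u = urlsplit(url)
    base_url = urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, "", ""))
    merged = dict(parse_qsl(u.query, keep_blank_values=True), **params)  # query + oauth_* + body
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # token_secret is "" for step 1
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def consumer_sign(method, url, params, key, secret, token, token_secret):
    """Consumer side: add the oauth_* parameters and sign the call."""
    p = dict(params, oauth_consumer_key=key, oauth_token=token, oauth_version="1.0",
             oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
             oauth_nonce=secrets.token_hex(8))
    p["oauth_signature"] = hmac_sha1(method, url, p, secret, token_secret)
    return p

class Provider:
    """Service-provider side; the slides' 'data to store' kept in dicts (assumed in-memory)."""
    def __init__(self, window=300):
        self.consumers = {}       # consumer key -> secret
        self.access_tokens = {}   # token -> (secret, consumer key, user)
        self.seen_nonces = set()  # (consumer key, timestamp, nonce) already accepted
        self.window = window      # accepted clock skew in seconds
    def validate(self, method, url, params, now=None):
        """Return the token's user if the signed call checks out, else None."""
        now = time.time() if now is None else now
        ckey, ts = params.get("oauth_consumer_key"), str(params.get("oauth_timestamp", ""))
        secret, tok = self.consumers.get(ckey), self.access_tokens.get(params.get("oauth_token"))
        if secret is None or tok is None or tok[1] != ckey:
            return None  # unknown consumer, or an access token not issued to this consumer
        replay = (ckey, ts, params.get("oauth_nonce"))
        if not ts.isdigit() or abs(now - int(ts)) > self.window or replay in self.seen_nonces:
            return None  # stale timestamp, or nonce already accepted (replay)
        expected = hmac_sha1(method, url, params, secret, tok[0])
        if not hmac.compare_digest(expected, str(params.get("oauth_signature", ""))):
            return None  # signature mismatch: tampered parameters or wrong secrets
        self.seen_nonces.add(replay)
        return tok[2]
```

A real provider would persist the dicts and evict nonces older than the timestamp window from seen_nonces; the same hmac_sha1 check, with an empty or request-token secret, covers the "Issuing Request Tokens" and "Exchange for an Access Token" steps.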
Thanks!