OAuth 2.0 for developers - the technology you need but never really learned
Mikkel Flindt Heisterberg
OnTime® by IntraVision
PLATINUM & CHAMPAGNE SPONSORS
GOLD SPONSORS
SILVER SPONSORS
BRONZE SPONSORS
Agenda
• The problem we are trying to solve
• Demo (OAuth for users i.e. almost real people)
• The flow…
• OAuth for administrators
• OAuth for developers i.e. real people
• Q&A
Mikkel Flindt Heisterberg
Twitter: @lekkim
E-mail: mV@intravision.dk
http://lekkimworld.com
http://slideshare.net/lekkim
The problem we are trying to solve
"Give me your Social site username and password and we can play…"
"Doesn't really trust that shiny new site – or IBM Connections for that matter…"
"I support OAuth 2.0 and don't want your credentials – just authorize me to work on your behalf…"
(diagram: three numbered parties, 1 to 3)
it's about letting a service access user data without knowing the user's credentials...
- or without the user being there...
demo
Demo safety
it's not as simple as that but almost...
The flow…
(cartoon diagram: CLIENT, PROVIDER, USER; steps 1 to 9)
but less cartoony and with real words this time...
1) User accesses site and logs in
2) The site checks to see if it has Tokens for the Provider in its credential store
3) The site sends a redirection to the client telling it to go authorize it at the Provider. The URL contains the Client redirect_uri and client_id
4) The user follows the redirect URL to the Provider and logs in if not already logged in. Then he authorizes the Client
5) The Provider returns a time limited authorization_code in a redirection URL to the user
6) The User sends the authorization_code to the Client
7) Out-of-band the Client sends the authorization_code, its client_id, redirect_uri and secret to the Provider
8) The Provider exchanges the authorization_code for a short lived access_token (yellow) and a longer lived refresh_token (blue)
9) When the User now accesses the site it can use the access_token to work as the User. Even if the user is not there i.e. not logged into the site…
(each step is illustrated with the CLIENT / PROVIDER / USER diagram)
If not you should ask now…
WSADMIN
COMING UP
OAuth for administrators
• IBM Connections uses the built-in OAuth provider from WebSphere Application Server
• Administrators are responsible for registering the app with the OAuth provider
• You use – you guessed it – wsadmin commands to do it…
OAuth for administrators
execfile("oauthAdmin.py")
OAuthApplicationRegistrationService.addApplication("myapp1", "My App1", "https://www.renovations.com/oauth/redirect")
OAuthApplicationRegistrationService.browseApplications()
[{display_name=My App1, client_id=myapp1, client_secret=xxxxxxxxxxxxxxxxxxxxxxxxxx, redirect_uri=https://www.renovations.com/oauth/redirect}]
OAuthApplicationRegistrationService.deleteApplication("myapp1")
The application with the id myapp1 was deleted successfully.
https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/r_admin_common_oauth_manage_list.dita
I'M A DEVELOPER
OAuth for developers
Generate the authorization redirection URL and have the user visit it. Suggest it's done in a separate window.
Syntax
https://<hostname>/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=<client_id>&callback_uri=<callback_uri>
Example
https://social.example.com/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=myapp1&callback_uri=https://myapp.shinysite.com/oauth20_cb
Must match exactly what the Provider has on record…
OAuth for developers
The user logs in to the Provider (if not already) and authorizes your app…. Hopefully...
OAuth for developers
The Provider sends back a redirection URL to the User containing an authorization code, causing the User to send it to the Client
Syntax
https://<client_redirection_uri>?code=<authorization_code>
https://<client_redirection_uri>?oauth_error=<error_code>
Example
https://myapp.shinysite.com/oauth20_cb?code=user_specific_auth_code
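Added here as a worked example (not code from the deck) of the Client side of steps 3 to 6 of the flow: building the authorize URL with the syntax shown above and checking the redirection URL the User brings back. The `state` parameter is standard RFC 6749 and is an assumption, not part of the deck's syntax; it is assumed the provider echoes it back unchanged. Hostnames and IDs are the slides' sample values.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Added example, not code from the deck. Provider URL layout is the one on the
# slides; `state` is an assumption (standard RFC 6749, absent from the deck's
# syntax) that the provider is assumed to echo back unchanged.
AUTHORIZE_PATH = "/oauth2/endpoint/connectionsProvider/authorize"

def new_state():
    """Unguessable per-login value the Client keeps in the User's session before
    redirecting (step 3) and checks when the code comes back (step 6)."""
    return secrets.token_urlsafe(16)

def build_authorize_url(hostname, client_id, callback_uri, state):
    """Step 3: the redirection URL that sends the User to the Provider."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "callback_uri": callback_uri,  # must match the registered redirect_uri exactly
        "state": state,                # assumption: not part of the deck's syntax
    })
    return f"https://{hostname}{AUTHORIZE_PATH}?{query}"

def parse_callback(callback_url, expected_state):
    """Step 6: the User delivers the Provider's redirection URL to the Client.
    Returns ("code", <authorization_code>) or ("error", <reason>)."""
    params = parse_qs(urlsplit(callback_url).query)
    if "oauth_error" in params:  # provider-signalled failure, as on the Syntax slide
        return ("error", params["oauth_error"][0])
    state = params.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        return ("error", "state_mismatch")  # callback not bound to this User's session
    code = params.get("code", [""])[0]
    if not code:
        return ("error", "missing_code")
    return ("code", code)
```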
OAuth for developers
Client POSTs the authorization code, client ID, redirection URI and client secret to the Provider out-of-band (server to server, not through the User)
Syntax
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: <hostname>
Content-Length: <length>
Connection: Close

client_secret=<client_secret>&client_id=<client_id>&grant_type=authorization_code&code=<auth_code>&callback_uri=<callback_uri>
Example
POST /oauth2/endpoint/connectionsProvider/token HTTP/1.0
Host: social.example.com
Content-Length: 161
Connection: Close

client_secret=my_secret_string&client_id=myapp1&grant_type=authorization_code&code=user_specific_auth_code&callback_uri=https://myapp.shinysite.com/oauth20_cb
OAuth for developers
Provider responds with a (JSON) response with access token, refresh token and expiry info. It would be wise for the client to save the tokens…
Example
{
  "access_token": "d86o7UP0gj2c...GVzTPADsFv7",
  "token_type": "Bearer",
  "expires_in": 43200,
  "scope": "",
  "refresh_token": "EWcVt5uaaXC9Pc...pTTgvrLRrs56gR"
}
OAuth for developers
To make requests on behalf of the User the Client needs to set the access token in a header
Example
GET /connections/opensocial/oauth/rest/activitystreams/@me/@all/@all HTTP/1.0
Host: social.example.com
Authorization: Bearer d86o7UP0gj2c...GVzTPADsFv7
Connection: Close
If the Client uses an access token and receives a 401 back from the Provider it should attempt the refresh token to – well – refresh the access token. If that also fails the User probably revoked access...
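Added here as a worked example (not code from the deck) covering steps 7 to 9 of the flow and the 401-then-refresh rule just stated: the token POST with the fields shown above, parsing the JSON reply, and calling an API on the User's behalf. The refresh request shape (grant_type=refresh_token with refresh_token=<token>) is the standard RFC 6749 form, assumed here because the deck does not spell it out; the HTTP transport is injected so the logic runs offline.

```python
import json
from urllib.parse import urlencode

# Added example, not code from the deck. Token endpoint and form fields are the ones
# on the slides; the refresh request (grant_type=refresh_token&refresh_token=...) is
# the standard RFC 6749 form the deck describes but does not spell out (assumption).
# `http(method, path, headers, body) -> (status, body)` is an injected transport.
TOKEN_PATH = "/oauth2/endpoint/connectionsProvider/token"

def token_request(client_id, client_secret, grant):
    """Step 7: build the out-of-band POST. `grant` holds "code" and "callback_uri"
    for the initial exchange, or "refresh_token" for a refresh."""
    fields = {"client_secret": client_secret, "client_id": client_id}
    if "code" in grant:
        fields.update(grant_type="authorization_code", code=grant["code"],
                      callback_uri=grant["callback_uri"])
    else:
        fields.update(grant_type="refresh_token", refresh_token=grant["refresh_token"])
    body = urlencode(fields)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    return TOKEN_PATH, headers, body

def parse_token_response(status, body):
    """Step 8: pull the tokens out of the Provider's JSON reply; None if rejected."""
    if status != 200:
        return None
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        return None
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_in": int(data.get("expires_in", 0))}

def call_on_behalf_of_user(http, store, client_id, client_secret, resource_path):
    """Step 9 plus the 401 rule: use the stored access token; on 401 refresh once
    and retry; if that also fails, treat the User's access as revoked.
    `store` is this User's entry in the Client's credential store (a dict)."""
    for attempt in (1, 2):
        if not store.get("access_token"):
            break
        status, body = http("GET", resource_path,
                            {"Authorization": "Bearer " + store["access_token"]}, None)
        if status != 401:
            return status, body
        if attempt == 2 or not store.get("refresh_token"):
            break
        path, hdrs, form = token_request(client_id, client_secret,
                                         {"refresh_token": store["refresh_token"]})
        tokens = parse_token_response(*http("POST", path, hdrs, form))
        if tokens is None:
            break  # refresh rejected: the User probably revoked access
        store.update({k: v for k, v in tokens.items() if v is not None})  # keep old refresh token if none returned
    store.clear()  # drop dead tokens so the next visit re-runs the authorization
    return 401, "reauthorization_required"
```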