Find out how today’s authorization experts are getting maximum value from OAuth
OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.
Scopes and Privileges
Scopes are critical in OAuth
– But developers too often overlook their power
Attach scope to an access token based on user privileges
– Same endpoint, but different capabilities
– The OpenID Connect UserInfo endpoint is like this
We are seeing scope being differentiated based on how an access token was acquired
– E.g.: if the access token derives from an immediate authentication event, it is of higher relative “value” than if it comes from a refresh
Continuous authentication is an important trend in security
Scope is the key to integrating risk-based evaluation, step-up authentication, idle-time management, privileged-action management, etc.
The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.
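As an added example (not code from the talk), here is one way an authorization server can attach scope according to how a token was acquired, and a resource server can demand step-up when the authenticating event is too old; the scope names, the freshness window and the policy are assumptions.

```javascript
// Added example: scope depends on how the token was obtained.
// PRIVILEGED_SCOPES and MAX_AUTH_AGE_SECONDS are assumed policy values.
const PRIVILEGED_SCOPES = new Set(['payments:write', 'profile:write']);
const MAX_AUTH_AGE_SECONDS = 300; // how recent the interactive login must be

// Issue a token. `grant` is 'authorization_code' (user just logged in) or
// 'refresh_token' (user absent); `authTime` and `now` are epoch seconds.
function issueToken(requestedScopes, grant, authTime, now) {
  const fresh = grant === 'authorization_code' &&
                now - authTime <= MAX_AUTH_AGE_SECONDS;
  // On a refresh the user was not present, so privileged scopes are dropped
  // instead of being silently carried forward from the original grant.
  const granted = requestedScopes.filter(s => fresh || !PRIVILEGED_SCOPES.has(s));
  return { scope: granted.join(' '), auth_time: authTime, grant, issued_at: now };
}

// Resource server side: same endpoint, different capability depending on
// what the token carries and how old the authentication behind it is.
function authorize(token, requiredScope, now) {
  const scopes = new Set(token.scope.split(' ').filter(Boolean));
  if (!scopes.has(requiredScope)) return 'insufficient_scope';
  if (PRIVILEGED_SCOPES.has(requiredScope) &&
      now - token.auth_time > MAX_AUTH_AGE_SECONDS) {
    return 'step_up_required'; // idle too long: re-authenticate first
  }
  return 'ok';
}
```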
More parameter options for the authorization form:
- access_type: to choose whether to send a refresh_token or not
- approval_prompt: to force the popup even if we are already connected
- login_hint: to select an account or prefill the email address
- include_granted_scopes: to add more authorizations (“incremental authorization”)
OAuth.io@medjawii
Foursquare:
- Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up.
- No scope.
Salesforce:
Added custom authorization parameters:
- immediate: whether the user should be prompted for login and approval
- display: template (web, mobile, popup)
- login_hint: to prefill an email
- prompt: prompt the user for reauthorization or reapproval
The authorization returns custom fields:
- instance_url: the API URL bound to a resource server; this is the only way to receive the domain
- a signature: can be used to verify the identity URL was not modified (id & date signed with a private key)
- issued_at instead of expires_in: Salesforce prefers to give the issue time instead of the expiration duration
- id_token: to support OpenID
UX for creating an app (4 not-so-easy-to-find mouse clicks between login & the app creation form)
VK:
Added authorization parameter: v: API version
The authorization returns the user id, which is needed to call the API relative to the authorized user (there is no /me/..., /self/... or similar)
Instead of:
  access_token: xxx
  /user/me?access_token=xxx
You have:
  access_token: xxx
  user_id: yyy
  /user/yyy?access_token=xxx
23ANDME:
scope “notation”: profile:write profile:read
Tencent Weibo:
Authorization parameters: Chinese language only
oauth_version=2.a (useless parameter)
Extra: Chinese/English documentation for OAuth 1.0, but Chinese-only documentation for OAuth 2.0
This list is far from exhaustive.
API call authorization
api.provider.com/path/action?access_token=TOKEN
api.provider.com/path/action?oauth_token=TOKEN
api.provider.com/path/action?token=TOKEN
Authorization HTTP header: Bearer TOKEN
Authorization HTTP Header: OAuth TOKEN
Scope
scope=email%20publish
scope=email,publish
scope=email;publish
scope=email:publish
scope=email|publish
scope=read_only or scope=read_write
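As an added example (not from the talk), a small client-side adapter that hides the two provider-specific choices listed above: which delimiter joins scopes, and whether the access token travels in a query parameter or an Authorization header. The provider table is constructed for illustration and is not a real registry.

```javascript
// Added example: per-provider scope delimiter and token placement.
// PROVIDERS is a constructed table; the names are not real providers.
const PROVIDERS = {
  spaces:     { scopeSep: ' ', auth: { header: 'Bearer' } },
  commas:     { scopeSep: ',', auth: { query: 'access_token' } },
  semicolons: { scopeSep: ';', auth: { query: 'oauth_token' } },
  pipes:      { scopeSep: '|', auth: { header: 'OAuth' } },
};

function provider(name) {
  const p = PROVIDERS[name];
  if (!p) throw new Error('unknown provider ' + name);
  return p;
}

// Build the scope request string in the form this provider expects.
function formatScope(name, scopes) {
  return scopes.join(provider(name).scopeSep);
}

// Parse a scope response back into a list, whatever the delimiter.
function parseScope(name, scopeString) {
  return scopeString.split(provider(name).scopeSep).filter(Boolean);
}

// Produce URL and headers for an API call with the token where the provider
// expects it. Header placement is used whenever the provider supports it:
// tokens in query strings end up in server logs, history and Referer headers.
function buildApiCall(name, baseUrl, path, token) {
  const p = provider(name);
  const url = new URL(path, baseUrl);
  const headers = {};
  if (p.auth.header) {
    headers['Authorization'] = p.auth.header + ' ' + token;
  } else {
    url.searchParams.set(p.auth.query, token);
  }
  return { url: url.toString(), headers };
}
```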
The "state" param
● nonexistent (Dailymotion, Eventbrite...), so you have to put it in the callback URL
● undocumented (WordPress, Deezer...)
● impossible (angelist.co) “fixed callback URL”
What you should not tell yourself about OAuth
- “OAuth is not so hard to understand”
- “It will be easier to do it in this non-standard way”
- “Developers just have to read our documentation”
April fool: Introducing OAuth 3.0
- “0 token” paradigm
- No more secret key, everything public
The huge majority did not understand...
Even if you are right, third-party developers will be lost, because other providers already did it wrong before you.
“From a design perspective, documentation is a bug, not a feature.”
It is the most important, but the last, place to find information.
Devil’s in the details.
OAuth.io
100+ providers unified and simplified
To retrieve your token
- Register on oauth.io
- Click on the OAuth provider you want in the list
- Share your credentials
- Click on “try me”
That’s it, you have your token, 90 seconds after signup.
And for generating the pop-up?
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('facebook', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('twitter', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('salesforce', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('yourcompany', function(err) {
  if (err) {
    // do something with error
  }
});
And for deeper API calls?
OAuth.popup('twitter', function(err, res) {
  if (err) {
    // do something with error, then stop: res is not usable on error
    return;
  }
  // res carries the token; the request is signed and sent by OAuth.io
  res.get('/1.1/account/verify_credentials.json')
    .done(function(data) {
      alert('Hello ' + data.name);
    });
});
No need to call your own server, sign your API request and send it back
No more access token management, it’s now completely abstracted
It feels lighter right?
For web and mobile
Open source: oauthd, for an on-premises deployment that consumes your own OAuth providers
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.