The How of OAuth

OAuth Hackathon – 4/26 @ Six Aparthttp://icanhaz.com/oauth

The How of OAuth

or: How I learned to stop worrying and fall in love with Factory Joe

OAuth’s Goal

• Website X can access your protected data at API Y– All without sharing your password off-site – especially when there isn’t one like with OpenID

OAuth gives you:

• Signed HTTP Requests• Safe, Password-less Token Exchange

• Signed HTTP Requests• Safe, Password-less Token Exchange

The Three Actors

• User – My Buddy (not me)• Service Provider – Chuck E. Cheese• Consumer – 10 yr old kids

The Three Tokens

• Access Tokens – Chuck E. Cheese Tickets• Request Tokens – Chuck E. Cheese Tokens• Consumer Keys

The Three URLS

• Request Token Issuer• Authorization Page• Access Token Exchanger

Building a Consumer

Get a consumer key and secret

Simple enough, eh?

Get a Request Token

Authorize the Request Token

Exchange for an Access Token

Making Authenticated Calls

Building a Service Provider

Data to store

• Consumers: – key, secret, callback_url

• Request Token: – token, secret, consumer, authorizing_user

• Access Token:– token, secret, consumer, user

Registering Consumers

Issuing Request Tokens

• Verify using only the consumer credential

Issuing Request Tokens

• Issue the request token

Authorizing Request Tokens

• Ask the user to accept the authorization

Authorizing Request Tokens• Connecting the logged in user• go back to consumer

Exchange for an Access Token

• Validate using Request Token and Consumer

Exchange for an Access Token

• Issue the Access Token• Destroy the Request Token

Protecting Resources

• Validate Access Token

OAuth Hackathon – 4/26 @ Six Apart

http://icanhaz.com/oauth

Thanks!