OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials but it became a big mess.
4. OAuth.io
The middle-man between the service and the
OAuth provider
!
Never share your Facebook credentials with a
service.
!
Today, almost any app needing access or
permissions relies on OAuth.
OAuth, You said?
Tokens!
5. OAuth.io
Users had to provide their Facebook
credentials to third party services.
!
Not secure. Intrusive. Inconvenient.
OAuth, You said?
Before? Basic Auth.
6. OAuth was first designed to be
interoperable and super easy to
implement for developers.
Started as a Protocol
OAuth.io OAuth, You said?
7. OAuth 2.0 has been reclassified as a
framework. Which means no
interoperability and no backward
compatibility :/
Ended up as a Framework
OAuth.io OAuth, You said?
8. 30+ different implementations
!
Two separate flows for token retrieval.
!
Resources' names and parameters differ
from one provider to another
!
A nightmare for developers: lots of potential
traps. No hope for a good learning curve…
So yes, OAuth is broken
OAuth.io OAuth, You said?
9. OAuth 1.0 = October 2007
OAuth 1.0a = June 2009
OAuth 2.0 first draft = early 2010
OAuth 2.0 final = late 2011
Many versions in 5 years
OAuth.io OAuth, You said?
10. Complex signature scheme.
!
Almost no control over token expiry.
!
No permission management.
OAuth.io OAuth, You said?
OAuth 1.0a was limited
11. !
More flexible but less interoperable
SSL rather than signatures
Easier to implement
No backward compatibility
OAuth.io OAuth, You said?
OAuth 2.0 compromise
12. Resource Owner: the user who wants to share a
resource, e.g. owner of the facebook photos.
!
Client: the application that wants to leverage a
resource hosted by a third party, e.g. the photo
printing website.
!
Authorization Server: the entity that decides to
grant access to the client (application), e.g.
Facebook’s authorization server.
!
Resource Server: the place where the third party
resource is hosted, e.g. Facebook’s server where
the photos to print are.
4 quick definitions
15. Credits
The Big Lebowski
Walker Texas Ranger aka Chuck (the 1st) Norris
Jackie Brown
2001: A Space Odyssey
R2D2: Star Wars (Dagobah)
C3PO: Star Wars (Tatooine)
Las Vegas Parano
Terminator
Forrest Gump
Austin Powers
OAuth.io OAuth, You said?
Judge Dredd