OAuth with Facebook and Google Using .NET
Sathyaish Chakravarthy, Independent Consultant
This is a slide deck I created and used to explain what OAuth is and how to use it with the .NET framework to write clients for Facebook and Google.

My slides usually do not have a lot of text on them so it might be difficult to get the ideas I am trying to convey in each individual slide. They're only relevant with the commentary I present during a talk. I use slides as a secondary tool, the primary one being my narration.

Within May 2015, I will edit and upload the video of my talk on YouTube, and provide a link to the YouTube video here. That may make these slides more useful.

Published in: Engineering


  1. OAuth with Facebook and Google Using .NET. Sathyaish Chakravarthy, Independent Consultant
  2. (diagram) You, Contacts, Gmail; Resource Owner, Resource Server, Client
  3. (diagram) You, Contacts, Gmail; Resource Owner, Resource Server, Client
  4. OAuth is not about authentication.
  5. “OAuth allows you to give a third-party application the permission to use some of your resources on a resource server without giving the third party your user name and password on the resource server.”
  6. REGISTERING CLIENTS
  7. console.developers.google.com, developers.facebook.com
  8. ROLES & FLOWS
  9. (diagram) Implicit Flow, Authorization Code Flow, Client Credentials Flow, Resource Owner Password Credentials Flow; Resource Server
  10. Authorization Code Flow from an End-User’s Perspective
  11. Authorization Code Flow Under the Covers (diagram): You / Resource Owner, Resource Server, Client, Authorization Server; steps 1 to 5, step 4 being “Exchange auth code for access token”
  12. 2.0, 1.0, 1.0a: Not backward compatible
  13. Authorization Code Flow Under the Covers (You / Resource Owner, Client; steps 1 and 2). GET with:
    • client_id: Who is making this request?
    • scope: What do they want to know about the user?
    • response_type (reserved: code): What do they want from me just now?
    • redirect_uri: Where should I send them this stuff?
    • state (optional but recommended): CSRF token
  14. Authorization Code Flow Under the Covers (You / Resource Owner, Client; step 2). RESPONSE (302) with:
    • code: Authorization code, e.g. Location: client_redirect_uri?code=ljfvknfANB3454
    • or error, e.g. Location: client_redirect_uri?error=access_denied
    • state (CSRF token): if you’d sent it
  15. Authorization Code Flow Under the Covers (You / Resource Owner, Client; step 3). GET with:
    • code: Authorization code, e.g. client_redirect_uri?code=ljfvknfANB3454
    • or error, e.g. client_redirect_uri?error=access_denied
  16. Authorization Code Flow Under the Covers (Client, Authorization Server; step 4). Exchange auth code for access token. GET or POST with:
    • client_id: Who is making this request?
    • client_secret: What’s the password I gave you earlier? Prove your identity.
    • grant_type: What’s this flow? Oh, you’re a web server, so this must be the “authorization code” flow.
    • code: Okay, show us the authorization code?
    • state (optional but recommended): CSRF token
  17. Authorization Code Flow Under the Covers (Client, Authorization Server; step 4). Exchange auth code for access token. RESPONSE (query string or request body) with:
    • access_token
    • state (optional but recommended): CSRF token
  18. Authorization Code Flow Under the Covers (Resource Server, Client; step 5). GET or POST with access_token as query string or request body, or basic authentication / bearer authentication (HTTP Authorization header)
  19. Authorization Code Flow Under the Covers (diagram): You / Resource Owner, Resource Server, Client, Authorization Server; steps 1 to 5, step 4 being “Exchange auth code for access token”
  20. Roles
    • You, the resource owner
    • Client, the server side web app
    • Resource server
    • Authorization Server
  21. DEMO: GOOGLE OAUTH CLIENT (AUTHORIZATION CODE FLOW)
  22. DEMO: FACEBOOK OAUTH CLIENT (AUTHORIZATION CODE FLOW)
  23. Summary: What’s in it for me?
  24. Summary: What’s in it for me? (diagram: User, Client)
  25. Summary: What’s in it for me?
  26. Limitations of OAuth 2.0
    • No discovery
    • Requires HTTPS
    • Open redirectors – RFC 6819 – OAuth 2.0 Threat Model and Security Considerations
    • Implementations differ widely
  27. Further Reading
    • RFC 6749 – The OAuth 2.0 Authorization Framework: http://tools.ietf.org/html/rfc6749
    • Google: https://developers.google.com/identity/protocols/OAuth2WebServer
    • Facebook (Facebook Login): https://developers.facebook.com/docs/facebook-login/v2.3
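The client side of the flow on slides 13 to 18, worked as an added C# example. This is not code from the deck or from the Google and Facebook demos it mentions; it also stands in for the CSRF point behind the state parameter that slide 26's RFC 6819 reference covers. It targets .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals), builds the messages locally instead of sending them, and every endpoint, client id, client secret, redirect URI and callback query string in it is a constructed placeholder. Where it goes beyond the slides: the token request is sent as a POST and repeats redirect_uri, which RFC 6749 requires when it was sent in step 1.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Client side of the authorization code flow (slides 13-18), built and checked locally with no network.
// Every endpoint and credential below is a constructed placeholder, not a real registration.
public static class OAuthCodeFlowClient
{
    const string ClientId = "EXAMPLE_CLIENT_ID";                             // placeholder (slide 7 console)
    const string ClientSecret = "EXAMPLE_CLIENT_SECRET";                     // placeholder, server side only
    const string RedirectUri = "https://client.example/oauth/callback";      // must equal the registered value
    const string AuthorizeEndpoint = "https://authserver.example/authorize"; // placeholder
    const string TokenEndpoint = "https://authserver.example/token";         // placeholder
    const string ResourceEndpoint = "https://resource.example/me";           // placeholder

    // state (slide 13): 256 random bits, kept in the user's server-side session until the callback arrives.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Step 1 (slide 13): the URL the user's browser is redirected to.
    public static string BuildAuthorizationUrl(string scope, string state) =>
        AuthorizeEndpoint + "?" + Encode(new Dictionary<string, string>
        {
            ["client_id"] = ClientId, ["scope"] = scope, ["response_type"] = "code",
            ["redirect_uri"] = RedirectUri, ["state"] = state,
        });

    // Steps 2-3 (slides 14-15): the query the authorization server appended to redirect_uri.
    // Returns the code; throws on a state mismatch, an error response, or a callback with neither.
    public static string ParseCallback(string callbackQuery, string expectedState)
    {
        var q = Decode(callbackQuery);
        // state first: compared in constant time, and a mismatch discards the response before any code is used.
        if (!q.TryGetValue("state", out var state) ||
            !CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expectedState)))
            throw new InvalidOperationException("state mismatch: callback was not caused by our own request (CSRF)");
        if (q.TryGetValue("error", out var error))
            throw new InvalidOperationException("authorization server returned error=" + error);
        if (!q.TryGetValue("code", out var code) || code.Length == 0)
            throw new InvalidOperationException("callback carried neither code nor error");
        return code;
    }

    // Step 4 (slide 16): back-channel exchange of the code for an access token. The slide allows GET or POST;
    // POST keeps client_secret and code out of URLs and access logs. redirect_uri is not on the slide but
    // RFC 6749 section 4.1.3 requires it here when it was sent in step 1.
    public static HttpRequestMessage BuildTokenRequest(string code)
    {
        var form = new Dictionary<string, string>
        {
            ["client_id"] = ClientId, ["client_secret"] = ClientSecret, ["grant_type"] = "authorization_code",
            ["code"] = code, ["redirect_uri"] = RedirectUri,
        };
        return new HttpRequestMessage(HttpMethod.Post, TokenEndpoint) { Content = new FormUrlEncodedContent(form) };
    }

    // Step 5 (slide 18): present the access token as a bearer token in the HTTP Authorization header.
    public static HttpRequestMessage BuildResourceRequest(string accessToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, ResourceEndpoint);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return req;
    }

    // application/x-www-form-urlencoded helpers; Encode reuses the encoder HttpClient applies to form bodies.
    static string Encode(Dictionary<string, string> pairs) => new FormUrlEncodedContent(pairs).ReadAsStringAsync().Result;
    static Dictionary<string, string> Decode(string query)
    {
        var result = new Dictionary<string, string>();
        foreach (var part in query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = part.IndexOf('=');
            string key = eq < 0 ? part : part.Substring(0, eq), val = eq < 0 ? "" : part.Substring(eq + 1);
            result[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(val.Replace('+', ' '));
        }
        return result;
    }

    public static void Main()
    {
        string state = NewState();
        Console.WriteLine("1. redirect browser to: " + BuildAuthorizationUrl("email profile", state));
        // Constructed callback query, shaped like slide 14's Location header.
        string code = ParseCallback("code=ljfvknfANB3454&state=" + Uri.EscapeDataString(state), state);
        var tokenReq = BuildTokenRequest(code);
        Console.WriteLine("4. " + tokenReq.Method + " " + tokenReq.RequestUri + " body: " + tokenReq.Content.ReadAsStringAsync().Result);
        // A callback that does not carry the state we issued is discarded, whatever code it presents.
        try { ParseCallback("code=somebody-elses-code&state=not-ours", state); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
        var apiReq = BuildResourceRequest("ACCESS_TOKEN_FROM_STEP_4"); // placeholder token
        Console.WriteLine("5. " + apiReq.Method + " " + apiReq.RequestUri + " " + apiReq.Headers.Authorization);
    }
}
```

Drop the file into a console project and run it with dotnet run. The state comparison runs before the code or error parameters are even looked at, so the forged callback in Main never reaches the token exchange; in a real web app the expected state comes from the user's server-side session, and the token request is sent with HttpClient over HTTPS, which slide 26 lists as a requirement of OAuth 2.0 rather than an option.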
