OAuth is a messOAuth.ioby

OAuth.io

NO KIDDING!

No nor

will be shown in this presentation

OAuth.io

Sorry

"If you don't know what OAuth is!" check these slides first:

OAuth.io Click here

OAuth 1.0 OAuth 2.0

FAKE TWINS?

OAuth.io

OAuth 1.0 3 calls need to be

made by the Client

Call the OAuth server and ask for temporary credentials. !Open a webpage dialog

using those credentials, so the user can sign in and give access. !

Call the OAuth server again combining the temporary credentials

with the temporary token to get the final access token.

OAuth.io

OAuth 2.0 Only 2 calls

Call the OAuth server !!!!

Open a webpage dialog

OAuth 1.0 has one more step

THANKS Cpt. OBVIOUS

OAuth.io

DOCUMENTATION MADNESSOAuth.io

Because each documentation

has its own "logic"

MADNESS

FINDING URIs IS A PAIN!

OAuth.io

Some docs won't tell you if it's OAuth 1.0 or

2.0

WHY?

UNNAMED

OAuth.io

Need an example?

They say it uses OAuth 2.0

Which is surprising as in a server to server flow, you expect the flow to

be 3-legged.OAuth.io

Need an example?

To do anything else than the server side flow you have to search for it!

The steps are documented but only in the API reference

Even the webpage dialog and the code exchange endpoints are described in

different sections

You will become that guy OAuth.io

TOKEN RESPONSES?

CHOOSEYOUR

WEAPON

OAuth.io

XML?

JSON?

URL-ENCODED TEXT

like Concur.com

like Facebook

like Google

TOKEN RESPONSESDATA FORMATS

COME ON!OAuth.io

PARAMETERS

Parameters' names vary between providers

access_tokenFacebook uses:

When Google uses:

oauth_token

It's a trap!

TOKEN RESPONSES

OAuth.io

SEPARATORS

So providers use:

,

How logical!

; |

Separators should be spaces

-> according to the RFC

TOKEN RESPONSES

OAuth.io

CARDINALITY DEGREE

Kill them all Bill

Read only, read and writefor Disqus / Heroku...

Read access for X, write access for X, read access for Y...

for Others...

Google scopes are URLs

TOKEN RESPONSES

OAuth.io

TOKEN MANAGEMENT

EXPIRY &

REFRESH

ORDEAL

OAuth.io

TOKEN MANAGEMENT

TOKEN EXPIRY

A wild variation between services

Sometimes you can control it sometimes

not

Always in movement the expiry is

OAuth.io

TOKEN MANAGEMENTEXPIRY: METHODS DIFFER

Google adds a field !

to the authorization url that can be

Others add options in the scope

access_type

online offline or

StackExchange: no_expirySoundcloud: no-expiring

Meetup.com: agelessOAuth.io

TOKEN MANAGEMENTREFRESH TOKEN

The standard proposes a refresh token flow

followed by few !

Facebook instead adds the grant

typefb_exchange_token

Github / Google ...

Unleash the ChuckOAuth.io

OAuth.ioWith

Integrate any of our 100+ OAuth providers in minutes the SAME WAY

TAKE A LOOK

OAuth Popup with facebook