OAuth is a mess!
DESCRIPTION
OAuth is a real mess, and developers can really go crazy from being exposed to too much of it! Poorly documented and badly designed APIs are what we encounter every day. Enter the craziness of the OAuth world!
TRANSCRIPT
OAuth is a mess
by OAuth.io
NO KIDDING!
No nor
will be shown in this presentation
Sorry: if you don't know what OAuth is, check these slides first.
OAuth 1.0: 3 calls need to be made by the Client
Call the OAuth server and ask for temporary credentials.
Open a webpage dialog using those credentials, so the user can sign in and give access.
Call the OAuth server again, combining the temporary credentials with the temporary token, to get the final access token.
OAuth 2.0: Only 2 calls
Call the OAuth server
Open a webpage dialog
OAuth 1.0 has one more step
THANKS Cpt. OBVIOUS
DOCUMENTATION MADNESS
Because each documentation has its own "logic"
MADNESS
FINDING URIs IS A PAIN!
Need an example?
They say it uses OAuth 2.0.
Which is surprising, as in a server-to-server flow you expect the flow to be 3-legged.
Need an example?
To do anything other than the server-side flow, you have to search for it!
The steps are documented, but only in the API reference.
Even the webpage dialog and the code exchange endpoints are described in different sections.
You will become that guy.
TOKEN RESPONSES: DATA FORMATS
XML? JSON? URL-encoded text?
Like Concur.com, like Facebook, like Google.
COME ON!
TOKEN RESPONSES: PARAMETERS
Parameters' names vary between providers.
Facebook uses: access_token
while Google uses: oauth_token
It's a trap!
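A token-response normalizer, added here as an example (it is not code from the OAuth.io deck or from the OAuth.io library), showing how a client can absorb both the data-format and the parameter-name variation described in the two slides above. It accepts JSON, XML and URL-encoded bodies, treats both access_token and oauth_token as the token field, and fails loudly instead of storing an empty token. The sample bodies are constructed and make no claim about which real provider uses which format.

```python
"""Normalize OAuth token responses that differ in body format and field names.

Added example, not code from the OAuth.io deck. The sample bodies in SAMPLES
are constructed; they do not assert which real provider answers in which format.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Field names seen for the same concept (per the deck), in the order we try them.
TOKEN_KEYS = ("access_token", "oauth_token")
EXPIRY_KEYS = ("expires_in", "expires")


class TokenResponseError(ValueError):
    """Raised when a body cannot be parsed or carries no token."""


def parse_body(content_type: str, body: str) -> dict:
    """Turn a token-endpoint body into a flat dict of str -> str.

    The Content-Type header is the primary hint; when it is missing we sniff
    the first non-blank character rather than guessing a provider.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    stripped = body.lstrip()
    if ctype == "application/json" or (not ctype and stripped.startswith("{")):
        data = json.loads(body)
        if not isinstance(data, dict):
            raise TokenResponseError("JSON token response is not an object")
        return {str(k): str(v) for k, v in data.items()}
    if ctype in ("application/xml", "text/xml") or (not ctype and stripped.startswith("<")):
        root = ET.fromstring(body)
        # Direct children of the root element become flat key/value pairs.
        return {child.tag: (child.text or "").strip() for child in root}
    if ctype in ("application/x-www-form-urlencoded", "text/plain", ""):
        # parse_qs returns lists; keep the first value of each key.
        pairs = parse_qs(body.strip(), keep_blank_values=False)
        return {k: v[0] for k, v in pairs.items()}
    raise TokenResponseError(f"unsupported content type: {content_type!r}")


def normalize_token(content_type: str, body: str) -> dict:
    """Return {'access_token': str, 'expires_in': int | None, 'raw': dict}.

    An explicit error is better than silently persisting None as a token.
    """
    fields = parse_body(content_type, body)
    if "error" in fields:
        raise TokenResponseError(f"provider returned error: {fields['error']}")
    token = next((fields[k] for k in TOKEN_KEYS if fields.get(k)), None)
    if token is None:
        raise TokenResponseError(f"no token field among {TOKEN_KEYS}: {sorted(fields)}")
    expires_in = None
    for key in EXPIRY_KEYS:
        if fields.get(key, "").isdigit():
            expires_in = int(fields[key])
            break
    return {"access_token": token, "expires_in": expires_in, "raw": fields}


# Constructed sample bodies (not captured from real providers).
SAMPLES = [
    ("application/json", '{"access_token": "ya29.example", "expires_in": 3600, "token_type": "Bearer"}'),
    ("text/plain", "access_token=CAAexample&expires=5184000"),
    ("application/xml", "<Token><oauth_token>abc123</oauth_token><expires_in>600</expires_in></Token>"),
    ("", "oauth_token=legacy-token&oauth_token_secret=s3cret"),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        tok = normalize_token(ctype, body)
        print(f"{ctype or '(no content type)':22} -> token={tok['access_token']} expires_in={tok['expires_in']}")
```

The sniffing branch only kicks in when the header is absent; a provider that sends JSON with a text/plain header still parses because the URL-encoded branch would yield no token field and raise, which is the signal to add an explicit override for that provider rather than to guess.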
TOKEN RESPONSES: SEPARATORS
So providers use: , ; |
How logical!
Separators should be spaces, according to the RFC.
TOKEN RESPONSES: CARDINALITY DEGREE
Kill them all Bill
Read only, read and write for Disqus / Heroku...
Read access for X, write access for X, read access for Y... for others...
Google scopes are URLs
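A scope serializer and parser, added as an example (not code from the deck or from OAuth.io), covering both the separator slide and the cardinality slide above: it joins scopes with the RFC 6749 space separator by default, supports a per-provider override for the comma, semicolon and pipe variants, handles coarse, per-resource and URL-shaped scopes alike, and checks whether the provider actually granted everything that was requested. The provider names in the SEPARATORS table and the scopes in SAMPLE_SCOPES are constructed placeholders.

```python
"""Scope strings for providers that disagree on separators and granularity.

Added example, not code from the OAuth.io deck. RFC 6749 section 3.3 defines
the scope parameter as a space-delimited list; the comma, semicolon and pipe
entries reflect the deviations the deck reports. Provider names in SEPARATORS
and the scopes in SAMPLE_SCOPES are constructed placeholders.
"""
import re
from urllib.parse import quote

RFC_SEPARATOR = " "

# Hypothetical provider registry: anything not listed gets the RFC behaviour.
SEPARATORS = {
    "comma-provider": ",",
    "semicolon-provider": ";",
    "pipe-provider": "|",
}

# Constructed scopes of different granularity: coarse (read / write), per
# resource (read X, write X, read Y) and URL-shaped, as the deck says Google's are.
SAMPLE_SCOPES = {
    "coarse": ["read", "write"],
    "per-resource": ["user:read", "user:write", "repo:read"],
    "url": [
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/drive.readonly",
    ],
}


def separator_for(provider: str) -> str:
    return SEPARATORS.get(provider, RFC_SEPARATOR)


def join_scopes(scopes, provider: str = "default") -> str:
    """Serialize scopes with the provider's separator.

    Drops blanks and duplicates (order preserved) and refuses a scope that
    contains the separator itself, since it could never be split back.
    """
    sep = separator_for(provider)
    seen, out = set(), []
    for scope in scopes:
        scope = scope.strip()
        if not scope:
            continue
        if sep in scope:
            raise ValueError(f"scope {scope!r} contains separator {sep!r} ({provider})")
        if scope not in seen:
            seen.add(scope)
            out.append(scope)
    return sep.join(out)


def split_scopes(value: str) -> list:
    """Parse a scope string from a token response back into a list.

    Providers may echo granted scopes with a different separator than the
    one they accept, so any known separator (or whitespace) is tolerated.
    """
    return [s for s in re.split(r"[\s,;|]+", value.strip()) if s]


def missing_scopes(requested, granted_value: str) -> list:
    """Scopes that were requested but are absent from the granted string.

    The provider (or the user in the consent dialog) may grant a subset; the
    client should check this before assuming write access it never got.
    """
    granted = set(split_scopes(granted_value))
    return [s for s in requested if s not in granted]


def scope_query_param(scopes, provider: str = "default") -> str:
    """Percent-encoded scope parameter for the authorization URL."""
    return "scope=" + quote(join_scopes(scopes, provider), safe="")


if __name__ == "__main__":
    for provider in ("default", "comma-provider", "pipe-provider"):
        print(provider, "->", join_scopes(SAMPLE_SCOPES["per-resource"], provider))
    print("missing:", missing_scopes(SAMPLE_SCOPES["coarse"], "read"))
    print(scope_query_param(SAMPLE_SCOPES["url"]))
```

The parser is deliberately more tolerant than the serializer: a client only ever sends one separator per provider, but it should accept whatever comes back, and the missing-scope check is what turns "the user unticked write access" into a handled case instead of a surprise 403 later.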
TOKEN MANAGEMENT: TOKEN EXPIRY
A wild variation between services
Sometimes you can control it, sometimes not
Always in movement the expiry is
TOKEN MANAGEMENT: EXPIRY: METHODS DIFFER
Google adds a field access_type to the authorization URL that can be online or offline
Others add options in the scope:
StackExchange: no_expiry
Soundcloud: no-expiring
Meetup.com: ageless
TOKEN MANAGEMENT: REFRESH TOKEN
The standard proposes a refresh token flow, followed by few
Facebook instead adds the grant type fb_exchange_token
Github / Google ...
Unleash the Chuck
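Expiry tracking and renewal-request construction, added as an example (not the deck's or OAuth.io's code), covering the expiry-method and refresh-token slides above. The access_type parameter and the no_expiry / no-expiring / ageless scope options are the ones the deck lists, the standard refresh grant follows RFC 6749 section 6, and fb_exchange_token is the Facebook grant type the deck names. Client ids, secrets, redirect URIs and timestamps are constructed placeholders.

```python
"""Token expiry tracking and provider-specific renewal requests.

Added example, not code from the OAuth.io deck or the OAuth.io library.
Assumptions: the standard refresh grant is RFC 6749 section 6
(grant_type=refresh_token); Facebook's exchange uses grant_type=fb_exchange_token
as the deck states; access_type=online|offline and the no_expiry / no-expiring /
ageless scope options are those the deck lists. Client ids, secrets, redirect
URIs and timestamps are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlencode

# How each provider is asked for a long-lived or refreshable token (from the deck):
# ("param", name, value) adds a query parameter; ("scope", name, None) appends a scope.
LONG_LIVED = {
    "google": ("param", "access_type", "offline"),
    "stackexchange": ("scope", "no_expiry", None),
    "soundcloud": ("scope", "no-expiring", None),
    "meetup": ("scope", "ageless", None),
}


def authorization_query(provider, client_id, redirect_uri, scopes, state) -> str:
    """Query string for the authorization dialog, including the provider's
    long-lived-token option when it has one. `state` is the CSRF token the
    client must verify on the redirect back."""
    scopes = list(scopes)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    option = LONG_LIVED.get(provider)
    if option:
        kind, name, value = option
        if kind == "param":
            params[name] = value
        else:
            scopes.append(name)
    params["scope"] = " ".join(scopes)   # RFC 6749 separator
    return urlencode(params)


@dataclass
class StoredToken:
    access_token: str
    issued_at: str                  # ISO 8601 with offset, e.g. "2024-01-01T00:00:00+00:00"
    expires_in: Optional[int]       # seconds; None when the provider stated no expiry
    refresh_token: Optional[str] = None

    def expires_at(self) -> Optional[datetime]:
        if self.expires_in is None:
            return None
        return datetime.fromisoformat(self.issued_at) + timedelta(seconds=self.expires_in)

    def needs_refresh(self, now_iso: str, skew_seconds: int = 60) -> bool:
        """True if the token is expired or expires within `skew_seconds`.
        A token with no stated expiry is used until the provider rejects it."""
        exp = self.expires_at()
        if exp is None:
            return False
        return datetime.fromisoformat(now_iso) + timedelta(seconds=skew_seconds) >= exp


def refresh_request(provider, token: StoredToken, client_id, client_secret) -> dict:
    """Form body that renews `token`. Standard providers take a refresh
    token; Facebook instead exchanges the still-valid short-lived token."""
    if provider == "facebook":
        return {"grant_type": "fb_exchange_token", "client_id": client_id,
                "client_secret": client_secret, "fb_exchange_token": token.access_token}
    if not token.refresh_token:
        raise ValueError(f"{provider}: no refresh token stored; run the authorization flow again")
    return {"grant_type": "refresh_token", "refresh_token": token.refresh_token,
            "client_id": client_id, "client_secret": client_secret}


if __name__ == "__main__":
    tok = StoredToken("short-lived-token", "2024-01-01T00:00:00+00:00", 3600, "refresh-abc")
    print(authorization_query("google", "client-id", "https://app.example/cb", ["email"], "state-xyz"))
    print("refresh at 00:30?", tok.needs_refresh("2024-01-01T00:30:00+00:00"))
    print("refresh at 00:59:30?", tok.needs_refresh("2024-01-01T00:59:30+00:00"))
    print(refresh_request("facebook", tok, "client-id", "client-secret"))
```

The skew margin matters because the Facebook variant can only exchange a token that is still valid: renew a minute early and the exchange succeeds; wait for the 401 and the user has to go through the dialog again.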
With OAuth.io
Integrate any of our 100+ OAuth providers in minutes, the SAME WAY
TAKE A LOOK
OAuth Popup with facebook