Barcamp Brighton 3

OAuth versus the Password Anti-PatternBruce Boughton

6-7 September 2008

http://lab.madgex.com/oauth-net/bruce@bruceboughton.me.ukhttp://siliconbea.ch/

The Password Anti-Pattern

Problem Solved

Google Contacts Data APIWindows Live Contacts APIYahoo! Address Book API

AuthSubWL ID Delegated AuthBBAuth

And this is just for authentication!

OAuth

An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.

http://lab.madgex.com/oauth-net/googlecontacts/

http://whereami.lab.madgex.com/

consumers

service providers

users

Asserting Identity and Authority

Requests signed using consumer & token secrets

Request token: consumer identified, requesting authorization

Access token: consumer authorized by user to act on their behalf, may now fetch protected resources

Extensible and Flexible

OAuth Core 1.0 provides base

Supports at least web, desktop consumers

Extensions add functionality

OAuth.netOpen source .NET library

http://lab.madgex.com/oauth-net/oauth-dot-net@madgex.com

Bringing OAuth to .NET developers

Build consumers and service providers for .NET 2.0 and newer

Hides complexity of protocol from developer

Very permissive MIT license

Developed as part of ongoing innovation work

Configuring the Fire Eagle service

Requesting the user’s location

Handling authorization (when required)

Using the protected resource

http://oauthproviderdemo.madgex.com/

Want to know more?

http://lab.madgex.com/oauth-net/oauth-dot-net@madgex.com

http://siliconbea.ch/bruce@bruceboughton.me.uk