oauth vs password antipattern
DESCRIPTION
In the world of the Web, it's common for sites to push and pull data to and from other sites and services. One example is that of sharing friends lists between social networks. All too often, however, websites ask their users to hand over passwords for different services; this is the Password Anti-Pattern. Using APIs protected by OAuth, an open authorization protocol, we can allow websites to collaborate without falling prey to the Password Anti-Pattern. The talk features demos and examples built in .NET using OAuth.net: http://lab.madgex.com/oauth-net/
NB: Download the PowerPoint for full notes on the slides.
TRANSCRIPT
Barcamp Brighton 3
OAuth versus the Password Anti-Pattern
Bruce Boughton
6-7 September 2008
http://lab.madgex.com/oauth-net/
[email protected]
http://siliconbea.ch/
The Password Anti-Pattern
Problem Solved
Google Contacts Data API
Windows Live Contacts API
Yahoo! Address Book API
AuthSub
WL ID Delegated Auth
BBAuth
And this is just for authentication!
OAuth
An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
http://lab.madgex.com/oauth-net/googlecontacts/
http://whereami.lab.madgex.com/
consumers
service providers
users
Asserting Identity and Authority
Requests signed using consumer & token secrets
Request token: consumer identified, requesting authorization
Access token: consumer authorized by user to act on their behalf, may now fetch protected resources
Extensible and Flexible
OAuth Core 1.0 provides base
Supports at least web, desktop consumers
Extensions add functionality
OAuth.net
Open source .NET library
http://lab.madgex.com/oauth-net/
[email protected]
Bringing OAuth to .NET developers
Build consumers and service providers for .NET 2.0 and newer
Hides complexity of protocol from developer
Very permissive MIT license
Developed as part of ongoing innovation work
Configuring the Fire Eagle service
Requesting the user’s location
Handling authorization (when required)
Using the protected resource
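The signing model from the "Asserting Identity and Authority" slides and the four Fire Eagle steps above (configure the service, request the location, handle authorization when required, use the protected resource), as one added example that is not part of the talk, of Fire Eagle, or of the OAuth.net library. It is written in Python rather than .NET because the protocol is language-neutral and the point is the exchange itself: a constructed consumer and a constructed service provider run the OAuth 1.0 request-token / user-authorization / access-token flow in memory, every call is signed with HMAC-SHA1 keyed on the consumer secret and token secret, and the provider rejects a request that is replayed or altered after signing. The `provider.example` endpoints, the `demo-consumer` key and secret, the user `alice` and the `location` resource are all stand-ins invented for this example.

```python
# Offline OAuth 1.0 (HMAC-SHA1) walk-through: a consumer site fetches a user's location
# from a service provider. Constructed example; endpoints, keys and the resource are stand-ins.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit

RT_URL = "https://provider.example/oauth/request_token"  # constructed endpoints
AT_URL = "https://provider.example/oauth/access_token"
LOC_URL = "https://provider.example/api/location"

def pct(s):  # RFC 3986 percent-encoding; only unreserved characters stay bare
    return quote(str(s), safe="-._~")
def require(ok, msg):
    if not ok:
        raise PermissionError(msg)

def base_string(method, url, params):
    # METHOD & encoded URL & encoded sorted "k=v" pairs (oauth_signature excluded).
    # Assumes the URL carries no query string or explicit port; query goes in params.
    u = urlsplit(url)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"),
                     pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret": proves knowledge of both
    # secrets, yet neither secret (nor any user password) travels on the wire.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class ServiceProvider:
    def __init__(self):  # constructed consumer credentials and protected resource
        self.consumers, self.locations = {"demo-consumer": "demo-consumer-secret"}, {"alice": "Brighton, UK"}
        self.request_tokens, self.access_tokens, self.seen = {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        key = params.get("oauth_consumer_key")
        require(key in self.consumers, "unknown consumer")
        require(abs(time.time() - int(params.get("oauth_timestamp", "0"))) <= 300, "stale timestamp")
        nonce = (key, params.get("oauth_timestamp"), params.get("oauth_nonce"))
        require(nonce not in self.seen, "replayed nonce")
        expected = sign(method, url, params, self.consumers[key], token_secret)
        require(hmac.compare_digest(expected, params.get("oauth_signature", "")), "bad signature")
        self.seen.add(nonce)

    def request_token(self, method, url, params):
        self._verify(method, url, params)  # consumer identified; user not yet involved
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "user": None}
        return tok, sec

    def access_token(self, method, url, params):
        rt = self.request_tokens.get(params.get("oauth_token"))
        require(rt is not None and rt["user"] is not None, "request token not authorized")
        self._verify(method, url, params, rt["secret"])
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return tok, sec

    def location(self, method, url, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        require(at is not None, "no access token")
        self._verify(method, url, params, at["secret"])
        return self.locations[at["user"]]

class Consumer:
    def __init__(self, key, secret, provider):
        self.key, self.secret, self.sp = key, secret, provider
        self.token = self.token_secret = None  # tokens only; the user's password is never held

    def signed(self, method, url, extra=None):
        p = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
             "oauth_version": "1.0", **(extra or {}),
             **({"oauth_token": self.token} if self.token else {})}
        p["oauth_signature"] = sign(method, url, p, self.secret, self.token_secret or "")
        return p

    def fetch_location(self, user_approves):
        # The talk's steps: request the resource, handle authorization if required, use it.
        if self.token is None:
            self.token, self.token_secret = self.sp.request_token("POST", RT_URL, self.signed("POST", RT_URL))
            user_approves(self.token)  # redirect the user to the provider's consent page
            self.token, self.token_secret = self.sp.access_token("POST", AT_URL, self.signed("POST", AT_URL))
        return self.sp.location("GET", LOC_URL, self.signed("GET", LOC_URL))

def accepted(sp, params):  # does the provider honour this request-token call?
    try:
        sp.request_token("POST", RT_URL, params)
    except PermissionError:
        return False
    return True

def demo():
    sp = ServiceProvider()
    c = Consumer("demo-consumer", "demo-consumer-secret", sp)
    p = c.signed("POST", RT_URL, {"scope": "location"})
    altered = {**c.signed("POST", RT_URL, {"scope": "location"}), "scope": "all"}
    out = {"fresh_accepted": accepted(sp, p),
           "replay_rejected": not accepted(sp, p),        # same nonce resent verbatim
           "tamper_rejected": not accepted(sp, altered)}  # parameter changed after signing
    # the user clicks "allow" on the provider's own page; the consumer never sees a password
    out["first"] = c.fetch_location(lambda tok: sp.request_tokens[tok].update(user="alice"))
    out["second"] = c.fetch_location(lambda tok: None)  # access token reused; no new consent
    return out
```

Calling `demo()` runs the whole exchange: the first `fetch_location` passes through all three token steps, the second reuses the access token without another consent screen. That reuse is the contrast with the Password Anti-Pattern: the consumer holds a token the user can revoke at the provider, not a credential that unlocks the whole account. The timestamp window plus the nonce set in `_verify` is what stops a captured, correctly signed request from simply being resent, and `hmac.compare_digest` keeps the signature check constant-time.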
http://oauthproviderdemo.madgex.com/
Want to know more?
http://lab.madgex.com/oauth-net/
[email protected]
http://siliconbea.ch/
[email protected]