introduction to oauth 2.0 - part 2

@nabeelxy 11/02/2014


How OAuth was born

What problem OAuth solves

Evolution of OAuth to the current 2.0

OAuth 2.0 actors, client profiles, access tokens, abstract protocol and core authorization flows

It would be great if we could familiarize the team with the concepts of OAuth through an example client app development.

Tom, Twitter App Manager

A good suggestion! Most services like FB, Gmail, Twitter, Dropbox provide SDKs to develop clients. Let me walk through a simple Java OAuth client for accessing Dropbox.

Sam, App Dev

(1) Register dbapp_nabeel app

(2) App Key, App Secret

(3) Provide Authorization URL

(4) Request Authorization code

(5) Authorization code

(6) Authorization code; request access token

(7) Access token

(8) Access Dropbox given access token

(Actors in the diagram: Nabeel, Nabeel’s Dropbox a/c)

```java
import java.util.Locale;
import com.dropbox.core.DbxAppInfo;
import com.dropbox.core.DbxAuthFinish;
import com.dropbox.core.DbxClient;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.DbxWebAuthNoRedirect;

// dropBoxAppKey and dropBoxAppSecret are the values from step (2) of the
// registration; dropboxAuthCode is the code the user brings back in step (5).
// The SDK calls below throw DbxException.
DbxAppInfo dbxAppInfo = new DbxAppInfo(dropBoxAppKey, dropBoxAppSecret);
DbxRequestConfig dbxRequestConfig = new DbxRequestConfig(
        "JavaDropboxExample/1.0", Locale.getDefault().toString());

// Step (3): build the authorization URL the user has to visit.
DbxWebAuthNoRedirect dbxWebAuthNoRedirect =
        new DbxWebAuthNoRedirect(dbxRequestConfig, dbxAppInfo);
String authorizeUrl = dbxWebAuthNoRedirect.start();

// Steps (6)-(7): exchange the authorization code for an access token.
DbxAuthFinish authFinish = dbxWebAuthNoRedirect.finish(dropboxAuthCode);
String authAccessToken = authFinish.accessToken;

// Step (8): every API call is made with the access token.
DbxClient dbxClient = new DbxClient(dbxRequestConfig, authAccessToken);
// e.g. dbxClient.getAccountInfo().., dbxClient.uploadFile..,
// dbxClient.createFolder.., dbxClient.getMetadataWithChildren..,
// dbxClient.getFile..
```

Authorization code: for apps with backend servers

Implicit grant: for browser-based client-side applications (no backend server)

Resource owner password based grants: only for very trusted applications (usually for first-party applications only)

Client credentials: for application access (i.e. the client is an application)

Authorization Request

```http
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
```

Authorization Response

```http
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
```

Access Token Request

```http
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
```

Access Token Response

```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
```
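The authorization code exchange shown in the RFC 6749 messages above, and steps (3) to (7) of the Dropbox walkthrough, as an added Python example that is not from the slides or the Dropbox SDK. It builds the authorization request, checks the landing URL and the state on the callback before accepting the code, and assembles the token request with HTTP Basic client authentication; client_id, code and redirect_uri are the RFC's example values, and the client secret gX1fBat3bV is the one the quoted Basic header decodes to.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Client registration data taken from the RFC 6749 messages quoted above; the
# secret is the one that the quoted "Authorization: Basic ..." header encodes.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"
AUTHZ_ENDPOINT = "https://server.example.com/authorize"


def new_state():
    """Unguessable per-session value that binds the callback to this request."""
    return secrets.token_urlsafe(16)


def build_authorization_request(state):
    """Steps (3)-(4): the URL the resource owner's browser is sent to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "state": state, "redirect_uri": REDIRECT_URI}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(location, expected_state):
    """Step (5): pull the code out of the redirect back to redirect_uri.
    Landing URL and state are checked before the code is touched; a code
    arriving with a foreign or missing state is discarded, not exchanged."""
    parsed = urlparse(location)
    landed = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed != REDIRECT_URI:
        raise ValueError("redirect did not arrive at the registered redirect_uri")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization server returned: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "code" not in query:
        raise ValueError("authorization response carries no code")
    return query["code"][0]


def build_token_request(code):
    """Step (6): headers and form body of the back-channel POST /token.
    The client authenticates with HTTP Basic over client_id:client_secret."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body
```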

Deep dive into each authorization flow

Understanding required and optional fields

Understanding redirection-based architecture

Handling errors and failures

Examples of the last three authorization flows

Implement the Authorization Code flow for the full server-side web application profile

OAuth 2.0 Authorization Framework (RFC 6749)

Getting Started with OAuth 2.0