Free download: OAuth: Getting Started in Web-API Security

After she grants access, she is redirected back to the web application, and an authorization code is included in the URL as the code query parameter. Because the code is passed as a query parameter, the web browser sends it along to the web server that is acting as the OAuth client.

This authorization code is then exchanged for an access token using a server-to-server call from the application to the authorization server. The client then uses this access token to make API calls. Sound confusing? The figure shows the flow step by step, based on a diagram from the specification.

In less than 50 pages you will gain an overview of the capabilities of OAuth.

You will learn the core concepts of OAuth. You will get to know all four OAuth flows that are used in cloud solutions and mobile apps. Who should read this book? If you have tried to read the official OAuth specification, you may get the impression that OAuth is complex.

This book explains OAuth in simple terms. The different OAuth flows are visualized graphically using sequence diagrams. The diagrams allow you to see the big picture of the various OAuth interactions. This high-level overview is complemented with a rich set of example requests and responses and an explanation of the technical details.

In the book, the challenges and benefits of OAuth are presented, followed by an explanation of the technical concepts of OAuth. The technical concepts include the actors, endpoints, tokens and the four OAuth flows. With the recent incidents of compromised accounts and stolen passwords, these types of questions are more than justified. Organizations that offer mobile apps and cloud services have to answer these questions for their users.

These organizations are no longer only web start-ups, Google and Facebook. Today, the business of almost every industry is transforming into a digital business.

Businesses across the different industries thus need to think about information security. To differentiate themselves, more and more traditional businesses create digital services for their customers. That is why all types of businesses need to face the security questions of their users.

Users demand the responsible processing, storing and transmission of their data and companies have to react now. To win the trust of their customers and users, organizations need to take the concerns of their users seriously.

They can do this by building on established standards instead of building proprietary solutions. But which standard should be used in a given scenario? How does the technology work? What experience has been gathered from the practical use of these technologies?

In the mobile app of her insurance company, Sarah first has to authenticate by entering her username and password. Because entering passwords is cumbersome, the mobile app saves the credentials on the mobile device.

A second example: Tim wants his tweets from Twitter to appear on LinkedIn automatically, to stay in touch with his business contacts. To realize this functionality, LinkedIn would need access to Tim's Twitter account. The simplistic solution would be to provide LinkedIn with Tim's Twitter credentials, so that LinkedIn can directly access Tim's tweets.

However, both "solutions" would be quite a security risk, since Sarah's password is saved unprotected on the mobile device and Tim's password is handed to another cloud service. Both instances are examples of the "Password Anti-Pattern". In practice, this solution cannot be used. OAuth 2 offers a solution for the scenarios in the examples above without the risks of the password anti-pattern. With OAuth 2 we can grant access rights to the mobile app without providing the password.

Instead, a token is handed to the app. The token represents the access rights for a subset of the data, for a short time frame. To obtain the token, the user first logs in on the website of the OAuth server. The generated token can be an authorization code, an access token or a refresh token. An access token allows access to a resource during a limited time period. If the token is compromised, the access rights associated with the token can be revoked.
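The authorization code flow described above (redirect carrying the code query parameter, server-to-server exchange for a short-lived access token, revocation of a compromised token) as a self-contained Python simulation added here; it is not code from the book. The client id, client secret, redirect URI and lifetimes are constructed values, and the checks the toy server enforces (client secret, redirect URI match, single-use code, code and token expiry) are the ones the standard requires rather than details given in this excerpt.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

CODE_TTL = 60      # seconds an authorization code stays exchangeable (assumed value)
TOKEN_TTL = 3600   # seconds an access token stays valid (assumed value)
class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> (client_id, scope, issued_at)
        self.tokens = {}        # access_token -> (client_id, scope, expires_at)
    def authorize(self, client_id, redirect_uri, scope, now=None):
        """After the user logged in and granted access: mint a one-time code and
        build the redirect that carries it back to the client as ?code=..."""
        now = time.time() if now is None else now
        secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, scope, now)
        return f"{redirect_uri}?code={code}"
    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Server-to-server exchange: code + client credentials -> access token."""
        now = time.time() if now is None else now
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("unknown client or bad client secret")
        entry = self.codes.pop(code, None)  # pop: each code can be exchanged once
        if entry is None or entry[0] != client_id or redirect_uri != registered_uri:
            raise PermissionError("invalid, replayed or mismatched authorization code")
        if now - entry[2] > CODE_TTL:
            raise PermissionError("authorization code expired")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, entry[1], now + TOKEN_TTL)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": entry[1]}
    def is_valid(self, access_token, now=None):
        """Resource-server check: token known, not revoked and not yet expired."""
        now = time.time() if now is None else now
        entry = self.tokens.get(access_token)
        return entry is not None and entry[2] > now
    def revoke(self, access_token):
        self.tokens.pop(access_token, None)  # e.g. user revokes tokens of a lost phone

def code_from_redirect(url):
    """Client side: read the 'code' query parameter from the redirect URL."""
    return parse_qs(urlparse(url).query)["code"][0]

# Constructed client registration for the example (not real credentials).
CLIENTS = {"linkedin-web": ("client-secret-example", "https://client.example/cb")}
```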

Sarah and Tim from the previous examples will not notice any difference whether OAuth is used or not. They can use their mobile apps and cloud apps in a secure manner if OAuth is used under the hood.

In fact, most of OAuth happens under the hood of modern cloud, mobile and web applications. The end user can directly notice a few advantages: they have fine-grained control over the access to their data, they do not need to give their password to third parties, and if they lose their mobile device, they can remotely revoke all OAuth tokens stored on the lost device.

OAuth is used for mobile apps, cloud services and web APIs. OAuth 2 is a standard used in mobile integration use cases, where mobile apps need to communicate securely with server-side backend systems. Most cloud-based Software-as-a-Service offerings use OAuth to protect their services and the data of their users.

OAuth 1 has been replaced by OAuth 2; it is outdated and is not presented here. This is why we use the short form OAuth to refer to OAuth 2. To understand the details of OAuth, it is essential to know the distinction between authentication and authorization: Authentication is a concept for answering the question: Who are you?

Authentication provides a method for proving the claimed identity. Authorization is a concept that answers the question: What are you allowed to do? Authorization provides the rights assigned to the confirmed identity, for example access rights.

For OAuth, authentication is a precondition for proper authorization. OAuth relies on authentication and authorization, but it does not itself perform either.
