Evolving the social web with OAuth 2.0 – Luke Shepard

Evolving the social web with OAuth 2.0
Luke Shepard – Facebook

OAuth is an open standard

Started in November 2006
Flickr, Amazon, Facebook, Yahoo and Google all had their own methods
Avoids the password anti-pattern (sites asking users for their password to another site)
Supported by lots of companies

What's wrong?
Developers hack around the protocol and get stuck
Google and Yahoo still see the old standards being used
Mobile devices have changed the landscape

Signatures are hard
They force the use of libraries and can be difficult to get right
The API request is complex

Why didn't Facebook adopt OAuth?
Developers asked for simplicity
JavaScript means no secrets: code running in the browser cannot keep a secret
Mobile is the future

It's time for an upgrade
April 2010: the IETF released an official draft of 2.0

OAuth 2.0 is on the move
Facebook adopted it as the authentication for the Open Graph API
Twitter uses it too
Uses HTTPS to hide everything

The OAuth 2.0 token is self-contained
You can play with it in the browser
Uses one line of code

Moves security down the stack and uses industry standards
Same as banks and e-commerce

Getting an access token
4 flows
Web server – full-page redirects
User agent – JavaScript
Username/password – mobile
Device flow – other devices
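The web-server and user-agent flows from the list above, as an added Python example that is not from the talk or from Facebook's code: it shows the redirect-plus-code round trip with a state check on the callback, and why the JavaScript flow gets the token in the URL fragment instead. Endpoints and the client id are constructed placeholders, and the parameter names follow the later RFC 6749 form (response_type=code / token) rather than the April 2010 draft's.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: a hypothetical provider and client registration.
AUTHZ_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"


def start_web_server_flow(session: dict) -> str:
    """Web-server flow: full-page redirect asking for an authorization code.
    A random state value is stored in the user's session and echoed back by
    the provider; checking it on return rejects forged or replayed callbacks."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code",  # the code is swapped for a token server-side
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    })


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to the app and return the authorization code.
    The code only becomes an access token when the server exchanges it along
    with the client secret, which never reaches the browser."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, returned):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    return query["code"][0]


def start_user_agent_flow() -> str:
    """User-agent (JavaScript) flow: browser code cannot hold a client secret,
    so the provider returns the token itself, in the redirect URL's fragment."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    })


def token_from_fragment(callback_url: str) -> str:
    """Browsers do not send the fragment in the HTTP request, so the bearer
    token stays client-side; HTTPS is what protects it everywhere else."""
    return parse_qs(urlparse(callback_url).fragment)["access_token"][0]
```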

Open issues
What happens to OpenID? There isn't any identity in OAuth, since it is just access
