oauth tutorial - oauth2 | History of OAuth - oauth2 tutorial - oauth authentication

APIs are for connecting “software machines”

• Modules within a program
• Programs on a server
• Programs over local networks

How Web APIs Evolved

Before there were Web APIs, there were Web Apps

Then came Web Services - SOA / SOAP services

Security for Web Services

Establish TRUST with public key infrastructure

• – Private key / public certificate pairs
• – Have certificates signed by recognized CA / RA
• – Exchange that certificate with similarly-assured certificate from partners

Apply asymmetric crypto at runtime to validate digital signatures / decrypt encrypted content

• – SSL/TLS Mutual Authentication
• – XML-DSIG/XML-ENC applied to SOAP documents
• TRUST partner / corporate customer to treat crypto material with care and caution

Need for more security - Evolution of OAUTH

The new security model for Web APIs

we had better require more regular and active scrutiny of the Apps’ access privileges

First of all, DO NOT issue long-lasting certificates to the Apps (e.g. x.509 expires in 1 yr)

Instead, issue short-lived access tokens that can be revoked at any time

…we had better require more regular and active scrutiny of the Apps’ access privileges…

Next, include the end user in authenticating / authorizing the App

Explicitly grant access

To a limited scope

Introducing OAuth The new security model for Web APIs

Open standard specification by IETF WG

• The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain “ access on its own behalf.