OAuth is a mess
by OAuth.io
NO KIDDING!
No … nor … will be shown in this presentation
Sorry! If you don't know what OAuth is, check these slides first.
OAuth 1.0
OAuth 2.0
FAKE TWINS?
OAuth 1.0
3 calls need to be made by the Client:
1. Call the OAuth server and ask for temporary credentials (a request token and its secret).
2. Open a webpage dialog using those credentials, so the user can sign in and give access; the server redirects back to the client with an oauth_verifier.
3. Call the OAuth server again, combining the temporary credentials with that oauth_verifier, to get the final access token.
OAuth 2.0
Only 2 calls:
1. Open a webpage dialog so the user can sign in and give access; the server redirects back to the client with an authorization code.
2. Call the OAuth server to exchange that code for the access token.
OAuth 1.0 has one more step.
THANKS Cpt. OBVIOUS
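Both flows, walked end to end against a fake in-memory provider, as an added example that is not code from the slides or from OAuth.io. The provider classes, the CALLBACK URL and the client identifiers are this example's assumptions, and OAuth 1.0 request signing is left out so the three calls stay visible. The example also carries the checks a client must make that the slides skip: in OAuth 1.0 the callback's oauth_token must match the temporary token and call 3 must carry the oauth_verifier; in OAuth 2.0 the state parameter must round-trip and the code is single use.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK = "https://client.example/callback"   # assumed client redirect URI


class FakeOAuth1Provider:
    """In-memory stand-in for an OAuth 1.0 server (RFC 5849). Request signing
    (HMAC-SHA1 over the signature base string) is omitted in this example."""

    def __init__(self):
        self.temporary = {}   # temporary oauth_token -> {"secret", "callback", "verifier"}
        self.issued = {}      # access oauth_token -> secret

    def request_token(self, consumer_key, oauth_callback):
        # call 1: temporary credentials, returned form-encoded as the RFC requires
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temporary[token] = {"secret": secret, "callback": oauth_callback, "verifier": None}
        return urlencode({"oauth_token": token, "oauth_token_secret": secret,
                          "oauth_callback_confirmed": "true"})

    def authorize(self, oauth_token):
        # call 2: the user signs in and approves in the dialog; the server then
        # redirects to the callback with the temporary token and a verifier
        entry = self.temporary[oauth_token]
        entry["verifier"] = secrets.token_hex(8)
        return entry["callback"] + "?" + urlencode(
            {"oauth_token": oauth_token, "oauth_verifier": entry["verifier"]})

    def access_token(self, oauth_token, oauth_verifier):
        # call 3: temporary credentials + verifier -> token credentials (single use)
        entry = self.temporary.pop(oauth_token, None)
        if entry is None or entry["verifier"] is None or \
                not secrets.compare_digest(entry["verifier"], oauth_verifier):
            raise PermissionError("unknown temporary token or bad oauth_verifier")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.issued[token] = secret
        return urlencode({"oauth_token": token, "oauth_token_secret": secret})


class FakeOAuth2Provider:
    """In-memory stand-in for an OAuth 2.0 server (RFC 6749 authorization code grant)."""

    def __init__(self, client_id, client_secret):
        self.client = (client_id, client_secret)
        self.codes = {}       # code -> redirect_uri it was issued for

    def authorize(self, client_id, redirect_uri, state):
        # call 1: the dialog; on approval the server redirects back with a code
        if client_id != self.client[0]:
            raise PermissionError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.codes[code] = redirect_uri
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # call 2: the code is single use and bound to the redirect_uri it was issued for
        issued_for = self.codes.pop(code, None)
        if (client_id, client_secret) != self.client or issued_for != redirect_uri:
            raise PermissionError("invalid client credentials or authorization code")
        return json.dumps({"access_token": secrets.token_urlsafe(24),
                           "token_type": "bearer", "expires_in": 3600})


def run_oauth1(provider, consumer_key="app-key"):
    r1 = parse_qs(provider.request_token(consumer_key, CALLBACK))
    temp_token = r1["oauth_token"][0]
    redirect = provider.authorize(temp_token)             # user interaction happens here
    q = parse_qs(urlparse(redirect).query)
    if q["oauth_token"][0] != temp_token:                 # callback must match our request
        raise PermissionError("callback carries a different temporary token")
    r3 = parse_qs(provider.access_token(temp_token, q["oauth_verifier"][0]))
    return r3["oauth_token"][0], r3["oauth_token_secret"][0]


def run_oauth2(provider, client_id="app-id", client_secret="app-secret"):
    state = secrets.token_urlsafe(8)                      # CSRF protection for the callback
    redirect = provider.authorize(client_id, CALLBACK, state)
    q = parse_qs(urlparse(redirect).query)
    if not secrets.compare_digest(q["state"][0], state):
        raise PermissionError("state mismatch: callback was not started by this client")
    resp = json.loads(provider.token(client_id, client_secret, q["code"][0], CALLBACK))
    return resp["access_token"]


if __name__ == "__main__":
    print("OAuth 1.0 token credentials:", run_oauth1(FakeOAuth1Provider()))
    print("OAuth 2.0 access token:", run_oauth2(FakeOAuth2Provider("app-id", "app-secret")))
```

The extra step in OAuth 1.0 is call 1 (fetching temporary credentials before the dialog); the verifier in call 3 and the code in OAuth 2.0's call 2 play the same role of proving the user actually went through the dialog.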
DOCUMENTATION MADNESS
Because each documentation has its own "logic".
MADNESS: FINDING URIs IS A PAIN!
Some docs won't tell you if it's OAuth 1.0 or 2.0. WHY?
[provider left UNNAMED]
Need an example?
They say it uses OAuth 2.0, which is surprising: they document a server-to-server flow where you would expect the flow to be 3-legged.
Need an example?
To do anything other than the server-side flow, you have to search for it!
The steps are documented, but only in the API reference.
Even the webpage dialog and the code exchange endpoints are described in different sections.
You will become that guy.
TOKEN RESPONSES? CHOOSE YOUR WEAPON
TOKEN RESPONSES: DATA FORMATS
XML? like Concur.com
JSON? like Google
URL-ENCODED TEXT? like Facebook
COME ON!
TOKEN RESPONSES: PARAMETERS
Parameters' names vary between providers:
Facebook uses access_token, while Google uses oauth_token.
It's a trap!
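One parser for the three response shapes and the varying field names from the two slides above, as an added example that is not code from the slides or from OAuth.io. The sample bodies are constructed for this example (the XML layout is an illustration, not Concur's real schema), and the set of accepted token and expiry field names is this example's own choice. It sniffs the body shape instead of trusting the Content-Type header, because a form-encoded reply can arrive labelled text/plain, and it fails closed when the provider sends an error or no token field at all.

```python
import json
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET  # for XML from an untrusted party prefer defusedxml

# Constructed sample bodies in the three shapes the slides name.
URLENCODED_BODY = "access_token=CAAB.constructed.fb.token&expires=5184000"
JSON_BODY = ('{"access_token": "ya29.constructed.google.token", "expires_in": 3600, '
             '"token_type": "Bearer", "refresh_token": "1/constructed"}')
XML_BODY = ("<Access_Token><Token>xml.constructed.token</Token>"
            "<Refresh_Token>xml.constructed.refresh</Refresh_Token></Access_Token>")
LEGACY_NAME_BODY = '{"oauth_token": "constructed.legacy.token"}'

TOKEN_KEYS = ("access_token", "oauth_token", "token")   # field names seen across providers
EXPIRY_KEYS = ("expires_in", "expires")                 # seconds from now, when present


def parse_token_response(body: str) -> dict:
    """Normalize a token response into one dict with the keys access_token,
    expires_in, token_type and refresh_token, whatever the provider's format."""
    body = body.strip()
    if body.startswith("{"):
        raw = json.loads(body)
        if not isinstance(raw, dict):
            raise ValueError("JSON token response is not an object")
    elif body.startswith("<"):
        root = ET.fromstring(body)
        # flatten the first level of child elements, ignoring namespaces and case
        raw = {child.tag.rsplit("}", 1)[-1].lower(): (child.text or "").strip()
               for child in root}
    else:
        raw = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

    if "error" in raw:
        raise ValueError(f"provider returned an error: {raw['error']}")
    token = next((raw[k] for k in TOKEN_KEYS if raw.get(k)), None)
    if not token:
        raise ValueError("no access token field in response")
    expiry = next((raw[k] for k in EXPIRY_KEYS if raw.get(k) is not None), None)
    return {
        "access_token": str(token),
        "expires_in": int(expiry) if expiry is not None and str(expiry).isdigit() else None,
        "token_type": str(raw.get("token_type", "bearer")).lower(),
        "refresh_token": raw.get("refresh_token"),
    }


if __name__ == "__main__":
    for body in (URLENCODED_BODY, JSON_BODY, XML_BODY, LEGACY_NAME_BODY):
        parsed = parse_token_response(body)
        # never log the token itself; show only its length
        print({k: (f"<{len(v)} chars>" if k == "access_token" else v) for k, v in parsed.items()})
```

Missing expiry information is returned as None rather than guessed, so the caller can decide between treating the token as non-expiring and probing the API.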
TOKEN RESPONSES: SEPARATORS
Scope separators should be spaces, according to the RFC (RFC 6749, section 3.3).
So providers use: , ; |
How logical!
TOKEN RESPONSES: CARDINALITY DEGREE
Kill them all Bill
Read only, read and write: for Disqus / Heroku...
Read access for X, write access for X, read access for Y...: for Others...
Google scopes are URLs.
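Scope handling for the separator and cardinality slides above, as an added example that is not code from the slides or from OAuth.io. The sample scope strings are constructed for this example; the separator set is the slides' list plus the RFC 6749 space. Besides splitting and re-joining for a given provider, it includes the check a client should run on every token response: RFC 6749 allows the server to grant fewer scopes than requested, so compare what came back with what was asked for rather than assuming the full set.

```python
import re

# Constructed samples: the separators the slides list, and Google's URL-shaped scopes.
COMMA_SCOPES = "read,write"
MIXED_SCOPES = "read; write | admin"
GOOGLE_SCOPES = ("https://www.googleapis.com/auth/userinfo.email "
                 "https://www.googleapis.com/auth/drive.readonly")

# Every separator seen on the slides plus the RFC 6749 space. URL scopes contain
# none of these characters, so splitting leaves them whole.
SCOPE_SPLIT = re.compile(r"[ ,;|]+")


def split_scopes(raw: str) -> list:
    """Split a scope string however the provider delimited it, dropping
    empties and duplicates while keeping the original order."""
    seen = []
    for scope in SCOPE_SPLIT.split(raw.strip()):
        if scope and scope not in seen:
            seen.append(scope)
    return seen


def join_scopes(scopes, separator=" ") -> str:
    """Re-join for the provider's separator (space per the RFC by default),
    refusing any scope that itself contains a separator character."""
    for scope in scopes:
        if SCOPE_SPLIT.search(scope):
            raise ValueError(f"scope {scope!r} contains a separator character")
    return separator.join(scopes)


def ungranted_scopes(requested: str, granted: str) -> list:
    """Scopes the client asked for that the provider did not report as granted."""
    granted_set = set(split_scopes(granted))
    return [scope for scope in split_scopes(requested) if scope not in granted_set]


if __name__ == "__main__":
    print(split_scopes(MIXED_SCOPES))
    print(join_scopes(split_scopes(GOOGLE_SCOPES), ","))
    print(ungranted_scopes("read write admin", COMMA_SCOPES))
```

A non-empty result from ungranted_scopes means the application must degrade gracefully or send the user back through the dialog, not proceed as if it had the access it requested.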
TOKEN MANAGEMENT
EXPIRY & REFRESH ORDEAL
TOKEN MANAGEMENT: TOKEN EXPIRY
A wild variation between services.
Sometimes you can control it, sometimes not.
Always in movement the expiry is.
TOKEN MANAGEMENT: EXPIRY METHODS DIFFER
Google adds a field, access_type, to the authorization URL that can be online or offline.
Others add options in the scope:
StackExchange: no_expiry
SoundCloud: non-expiring
Meetup.com: ageless
TOKEN MANAGEMENT: REFRESH TOKEN
The standard proposes a refresh token flow, followed by few.
Facebook instead adds the grant type fb_exchange_token.
GitHub / Google ...
Unleash the Chuck
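The expiry and refresh quirks from the last three slides, put side by side in one token manager, as an added example that is not code from the slides or from OAuth.io. The PROVIDER_QUIRKS table, the StoredToken class and the client identifiers are this example's assumptions, and scopes are joined with the RFC space for simplicity. It shows the two ways to get a long-lived token at authorization time (Google's access_type=offline versus an extra scope for StackExchange, SoundCloud and Meetup), refreshes ahead of expiry with a clock-skew margin, and builds the RFC 6749 refresh_token grant next to Facebook's fb_exchange_token, which is not a true refresh: it only works while the short-lived token is still valid.

```python
import time
from dataclasses import dataclass
from typing import Optional

# How each provider on the slides hands out a long-lived token and renews one.
# The table and its "refresh" labels are this example's own.
PROVIDER_QUIRKS = {
    "google":        {"authorize_param": ("access_type", "offline"), "refresh": "refresh_token"},
    "facebook":      {"authorize_param": None, "refresh": "fb_exchange_token"},
    "stackexchange": {"extra_scope": "no_expiry", "refresh": None},
    "soundcloud":    {"extra_scope": "non-expiring", "refresh": None},
    "meetup":        {"extra_scope": "ageless", "refresh": None},
}


def authorize_params(provider, client_id, redirect_uri, scopes, state):
    """Query parameters for the authorization dialog with the provider's
    long-lived-token knob applied (scopes joined with the RFC 6749 space)."""
    quirks = PROVIDER_QUIRKS[provider]
    scopes = list(scopes) + ([quirks["extra_scope"]] if quirks.get("extra_scope") else [])
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    if quirks.get("authorize_param"):
        key, value = quirks["authorize_param"]
        params[key] = value
    return params


@dataclass
class StoredToken:
    provider: str
    access_token: str
    obtained_at: float                    # Unix time the token response arrived
    expires_in: Optional[int] = None      # None: the provider stated no expiry
    refresh_token: Optional[str] = None

    def expires_at(self):
        return None if self.expires_in is None else self.obtained_at + self.expires_in

    def needs_refresh(self, now=None, skew=60):
        """True once the token is within `skew` seconds of expiring. A token with
        no stated expiry is treated as live until an API call answers 401."""
        if self.expires_in is None:
            return False
        return (time.time() if now is None else now) >= self.expires_at() - skew


def refresh_request(token: StoredToken, client_id, client_secret, now=None):
    """Form body for renewing `token`: the RFC 6749 refresh_token grant, or
    Facebook's fb_exchange_token, which needs the still-valid short-lived token."""
    mode = PROVIDER_QUIRKS[token.provider]["refresh"]
    if mode == "refresh_token":
        if not token.refresh_token:
            raise ValueError("no refresh_token stored: re-run the authorization dialog")
        return {"grant_type": "refresh_token", "refresh_token": token.refresh_token,
                "client_id": client_id, "client_secret": client_secret}
    if mode == "fb_exchange_token":
        if token.needs_refresh(now=now, skew=0):
            raise ValueError("short-lived token already expired: fb_exchange_token needs a live one")
        return {"grant_type": "fb_exchange_token", "fb_exchange_token": token.access_token,
                "client_id": client_id, "client_secret": client_secret}
    raise ValueError(f"{token.provider} has no refresh grant: request a non-expiring "
                     "token at authorization time instead")


if __name__ == "__main__":
    print(authorize_params("google", "app-id", "https://client.example/cb", ["email"], "st"))
    print(authorize_params("soundcloud", "app-id", "https://client.example/cb", ["email"], "st"))
    g = StoredToken("google", "at", obtained_at=time.time(), expires_in=3600, refresh_token="rt")
    print(g.needs_refresh(), refresh_request(g, "app-id", "app-secret")["grant_type"])
```

Because the Facebook exchange must happen before the short-lived token dies, the scheduler for that provider has to run on the token's own expiry rather than waiting for a 401, which is the opposite of how a refresh_token provider can be handled.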
With OAuth.io
Integrate any of our 100+ OAuth providers in minutes, the SAME WAY.
TAKE A LOOK: OAuth Popup with Facebook
