-
Notifications
You must be signed in to change notification settings - Fork 340
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 70492d8
Showing
33 changed files
with
7,015 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,50 @@ | |||
| <?php | |||
|
|
|||
| $page_title = "OAuth 2.0 — OAuth"; | |||
| $page_section = ""; | |||
| $page_secondary = ""; | |||
| $page_meta_description = "Resources and information related to the OAuth 2.0 protocol."; | |||
|
|
|||
| ?> | |||
| <?php require('../includes/_header.php'); ?> | |||
|
|
|||
| <body class="<?php echo $page_section; ?>"> | |||
| <div class="container"> | |||
| <div id="header" class="column first last span-20"> | |||
| <h1 id="site-name" class="column first span-5 prepend-1 append-1"><a href="/">OAuth</a></h1> | |||
| <div id="primary" class="column span-13 last"> | |||
|
|
|||
| <?php require('../includes/_nav_primary.php'); ?> | |||
|
|
|||
| </div> | |||
| <div id="secondary" class="column span-18 append-1 prepend-1 first last"> | |||
|
|
|||
| </div> | |||
| </div> | |||
|
|
|||
| <div id="main" class="column first last span-18 prepend-1 append-1"> | |||
| <h2>OAuth 2.0</h2> | |||
|
|
|||
| <p><img src="/images/oauth-2-sm.png" alt="OAuth 2.0 logo" style="float:right; margin: 0 0 8px 8px;" />OAuth 2.0 is the next evolution of the OAuth protocol which was originally created in late 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification is being developed within the <a href="https://www.ietf.org/mailman/listinfo/oauth">IETF OAuth WG</a> and is based on the <a href="http://wiki.oauth.net/OAuth-WRAP">OAuth WRAP</a> proposal.</p> | |||
| <p>hueniverse.com's <a href="http://hueniverse.com/2010/05/introducing-oauth-2-0/" title="Introducing OAuth 2.0 « hueniverse">Introduction to OAuth 2.0</a> provides a great deal of background and information about the design decisions in OAuth 2.0. | |||
| <p>Questions, suggestions and protocol changes should be discussed on the <a href="https://www.ietf.org/mailman/listinfo/oauth">mailing list</a>.</p> | |||
| <h3>Reading the spec</h3> | |||
| <p>The latest version of the spec can be found at <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2">http://tools.ietf.org/html/draft-ietf-oauth-v2</a>.</p> | |||
| <h3>Implementations</h3> | |||
| <h4>Servers</h4> | |||
| <ul> | |||
| <li><a href="http://groups.google.com/group/37signals-api/browse_thread/thread/86b0da52134c1b7e">37Signals (draft 5)</a></li> | |||
| <li><a href="http://developers.facebook.com/docs/authentication/">Facebook's Graph API (draft 0)</a> (see <a href="http://www.sociallipstick.com/?p=239">http://www.sociallipstick.com/?p=239</a>)</li> | |||
| <li><a href="http://github.com/aflatter/oauth2-ruby">Ruby oauth2-server (draft 0)</a></li> | |||
| </ul> | |||
| <h4>Clients</h4> | |||
| <ul> | |||
| <li><a href="http://github.com/leebyron/cocoa-oauth2">Cocoa</a></li> | |||
| <li><a href="http://github.com/lukeredpath/LROAuth2Client">iPhone and iPad</a></li> | |||
| <li><a href="http://github.com/intridea/oauth2">Ruby Gem</a></li> | |||
| <li><a href="http://github.com/aflatter/oauth2-ruby">Ruby</a></li> | |||
| <li><a href="http://github.com/dgouldin/python-oauth2">Python</a></li> | |||
| </ul> | |||
|
|
|||
| </div> | |||
| <?php require('../includes/_footer.php'); ?> | |||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,37 @@ | |||
| <?php | |||
|
|
|||
| $page_title = "Credits — OAuth"; | |||
| $page_section = "about"; | |||
| $page_secondary = "credits"; | |||
| $page_meta_description = ""; | |||
|
|
|||
| ?> | |||
| <?php require('../../includes/_header.php'); ?> | |||
|
|
|||
| <body class="<?php echo $page_section; ?>"> | |||
| <div class="container"> | |||
| <div id="header" class="column first last span-20"> | |||
| <h1 id="site-name" class="column first span-5 prepend-1 append-1"><a href="/">OAuth</a></h1> | |||
| <div id="primary" class="column span-13 last"> | |||
|
|
|||
| <?php require('../../includes/_nav_primary.php'); ?> | |||
|
|
|||
| </div> | |||
| <div id="secondary" class="column span-18 append-1 prepend-1 first last"> | |||
| <ul class="navigation"> | |||
| <li><a href="/about">Introduction</a></li> | |||
| <li><a href="/about/design-goals">Design Goals</a></li> | |||
| <li><a class="selected" href="/about/credits">Credits</a></li> | |||
| </ul> | |||
| </div> | |||
| </div> | |||
|
|
|||
| <div id="main" class="column first last span-18 prepend-1 append-1"> | |||
| <h2>Credits</h2> | |||
| <p> | |||
| This site was designed by <a href="http://factoryjoe.com">Chris Messina</a> and is administered by <a href="http://larryhalff.com/">Larry Halff</a>, <a href="http://www.hueniverse.com/">Eran Hammer-Lahav</a> and Chris Messina. | |||
| </p> | |||
| <iframe id="fdbk_iframe_inline" allowTransparency="true" width="100%" height="500" scrolling="no" frameborder="0" style="margin-top:1.2em;" src="http://getsatisfaction.com/oauth/feedback/topics/new?display=inline&style=idea"></iframe> | |||
| </div> | |||
|
|
|||
| <?php require('../../includes/_footer.php'); ?> | |||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,46 @@ | |||
| <?php | |||
|
|
|||
| $page_title = "Design Goals — OAuth"; | |||
| $page_section = "about"; | |||
| $page_secondary = "design-goals"; | |||
| $page_meta_description = ""; | |||
|
|
|||
| ?> | |||
|
|
|||
| <?php require('../../includes/_header.php'); ?> | |||
|
|
|||
| <body class="<?php echo $page_section; ?>"> | |||
| <div class="container"> | |||
| <div id="header" class="column first last span-20"> | |||
| <h1 id="site-name" class="column first span-5 prepend-1 append-1"><a href="/">OAuth</a></h1> | |||
| <div id="primary" class="column span-13 last"> | |||
|
|
|||
| <?php require('../../includes/_nav_primary.php'); ?> | |||
|
|
|||
| </div> | |||
| <div id="secondary" class="column span-18 append-1 prepend-1 first last"> | |||
| <ul class="navigation"> | |||
| <li><a href="/about">Introduction</a></li> | |||
| <li><a class="selected" href="/about/design-goals">Design Goals</a></li> | |||
| <li><a href="/about/credits">Credits</a></li> | |||
|
|
|||
| </ul> | |||
| </div> | |||
| </div> | |||
|
|
|||
| <div id="main" class="column first last span-18 prepend-1 append-1"> | |||
| <h2>Design Goals</h2> | |||
|
|
|||
| <p>In developing OAuth, we sought to invent as little as possible, following the Microformats approach to <a href="http://microformats.org/wiki/process#Document_Current_Behavior">pave existing cowpaths</a> and relying on conventions already established in protocols like Google’s <a href="http://code.google.com/apis/gdata/authsub.html">AuthSub</a>, <span class="caps">AOL</span>’s <a href="http://dev.aol.com/openauth">OpenAuth</a>, Yahoo’s <a href="http://developer.yahoo.com/auth/">BBAuth</a> and <a href="http://www.flickr.com/services/api/auth.howto.web.html">FlickrAuth</a> and Facebook’s <a href="http://developers.facebook.com/documentation.php?doc=auth">FacebookAuth</a>.</p> | |||
|
|
|||
|
|
|||
| <p>While we wanted the best protocol we could design, we also wanted one that people would use and that would be compatible with existing authentication methods, inherit from existing RFCs and reuse web standards wherever possible. In this way, we ended up leaving a lot out of the spec that seemed interesting but ultimately didn’t belong.</p> | |||
|
|
|||
|
|
|||
| <p>The protocol is flexible in that it is adjustable to the actual security needs of different sites, and extensible through different signing algorithms and security features. It is also designed to work on mobile devices and explicitly supports desktop applications.</p> | |||
|
|
|||
|
|
|||
| <p>Finally, we worked hard to keep our focus on real-world scenarios and to be conscious of straying towards the impractical or utterly theoretical. Our discipline resulted in a taut protocol that can be easily read and implemented without a great deal of effort. To support this end, we hope to offer a <a href="/code">number of libraries</a> that will greatly reduce the amount of work necessary to <em>Do the Right Thing ™</em> or to migrate from existing <span class="caps">API</span> protocols.</p> | |||
| </div> | |||
|
|
|||
| <?php require('../../includes/_footer.php'); ?> | |||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,84 @@ | |||
| <?php | |||
|
|
|||
| $page_title = "Introduction — OAuthn"; | |||
| $page_section = "about"; | |||
| $page_secondary = "introduction"; | |||
|
|
|||
| ?> | |||
|
|
|||
| <?php require('../includes/_header.php'); ?> | |||
|
|
|||
| <body class="<?php echo $page_section; ?>"> | |||
| <div class="container"> | |||
| <div id="header" class="column first last span-20"> | |||
| <h1 id="site-name" class="column first span-5 prepend-1 append-1"><a href="/">OAuth</a></h1> | |||
| <div id="primary" class="column span-13 last"> | |||
|
|
|||
| <?php require('../includes/_nav_primary.php'); ?> | |||
|
|
|||
| </div> | |||
|
|
|||
| <div id="secondary" class="column span-18 append-1 prepend-1 first last"> | |||
| <ul class="navigation"> | |||
| <li><a class="selected" href="/about">Introduction</a></li> | |||
| <li><a href="/about/design-goals">Design Goals</a></li> | |||
| <li><a href="/about/credits">Credits</a></li> | |||
| </ul> | |||
| </div> | |||
| </div> | |||
|
|
|||
| <div id="main" class="column first last span-18 prepend-1 append-1"> | |||
| <h2>Introduction</h2> | |||
|
|
|||
| <p><small style="font-size:0.8em;">Adapted from <a href="http://www.hueniverse.com/hueniverse/2007/09/explaining-oaut.html">Explaining OAuth</a>, published on September 05, 2007 by Eran Hammer-Lahav</small></p> | |||
|
|
|||
| <hr /> | |||
|
|
|||
| <h3>A Little Bit of History</h3> | |||
|
|
|||
|
|
|||
| <p>OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation. He got in touch with Chris Messina looking for a way to use OpenID together with the Twitter <span class="caps">API</span> to delegate authentication. They met with David Recordon, Larry Halff, and others at a CitizenSpace OpenID meeting to discuss existing solutions. Larry was looking into integrating OpenID for Ma.gnolia Dashboard Widgets. After reviewing exiting OpenID functionality, as well as other industry practices, they came to the conclusion that there was no open standard for <span class="caps">API</span> access delegation. The conversation continued online and off for a few months.</p> | |||
|
|
|||
|
|
|||
| <p>In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol. It turned out that this problem wasn’t unique to OpenID and when DeWitt Clinton from Google caught wind of the project, he expressed his interest in supporting the effort, if only as a stakeholder. In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing. On October 3rd, 2007 the OAuth Core 1.0 final draft was released.</p> | |||
|
|
|||
|
|
|||
| <h3 id="what-is-it-for">What is it For?</h3> | |||
|
|
|||
| <p>Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.</p> | |||
|
|
|||
|
|
|||
| <p>Everyday new website offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they wanted – even change your password and lock you out.</p> | |||
|
|
|||
|
|
|||
| <p>This is what OAuth does, it allows the you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).</p> | |||
|
|
|||
|
|
|||
| <h3>OAuth and OpenID</h3> | |||
|
|
|||
|
|
|||
| <p>OAuth is not an OpenID extension and at the specification level, shares only few things with OpenID – some common authors and the fact both are open specification in the realm of authentication and access control. ‘Why OAuth is not an OpenID extension?’ is probably the most frequently asked question in the group. The answer is simple, OAuth attempts to provide a standard way for developers to offer their services via an <span class="caps">API</span> without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are. They should work great together.</p> | |||
|
|
|||
|
|
|||
| <h3>Who is Going to Use it?</h3> | |||
|
|
|||
|
|
|||
| <p>Everyone. If you are a web developer – you, we hope.</p> | |||
|
|
|||
|
|
|||
| <h3>Is OAuth a New Concept?</h3> | |||
|
|
|||
|
|
|||
| <p>No. OAuth is the standardization and combined wisdom of many well established industry protocols. It is similar to other protocols currently in use (Google AuthSub, <span class="caps">AOL</span> OpenAuth, Yahoo BBAuth, Upcoming <span class="caps">API</span>, Flickr <span class="caps">API</span>, Amazon Web Services <span class="caps">API</span>, etc). Each protocol provides a proprietary method for exchanging user credentials for an access token or ticker. OAuth was created by carefully studying each of these protocols and extracting the best practices and commonality that will allow new implementations as well as a smooth transition for existing services to support OAuth.</p> | |||
|
|
|||
|
|
|||
| <p>An area where OAuth is more evolved than some of the other protocols and services is its direct handling of non-website services. OAuth has built in support for desktop applications, mobile devices, set-top boxes, and of course websites. Many of the protocols today use a shared secret hardcoded into your software to communicate, something which pose an issue when the service trying to access your private data is open source.</p> | |||
|
|
|||
|
|
|||
| <h3>Is It Ready?</h3> | |||
|
|
|||
|
|
|||
| <p><a href="http://oauth.net/core/1.0">OAuth Core 1.0</a>, the main protocol, was finalized in December. It is stable and ready to be implemented. <a href="http://oauth.net/code">Libraries</a> are already available for many popular platforms such as <span class="caps">PHP</span>, Rails, Python, .NET, C, and Perl. We expect most upcoming work to focus on implementations and the development of extensions to the protocol.</p> | |||
| </div> | |||
|
|
|||
| <?php require('../includes/_footer.php'); ?> | |||
Oops, something went wrong.