Let's Build OAuth
kimschles edited this page Oct 19, 2018
·
1 revision
Brian Schiller @ Develop Denver 2018
Authentication: This is who I am
Authorization: I am allowed to perform this action, see this data, etc.
- Authentication
- Delegated Authorization
- Delegate the authority to take an action, e.g. letting Hootsuite post tweets on my account
- Naive approach: you give the other service your username and password
- Drawbacks:
- All or nothing (you cannot scope it to read-only, etc.)
- Tempting attack surface (the third party now holds your credentials)
- Passwords change, which breaks the integration
- Benefits:
- No coordination needed with the provider service
- Simple UI and mental model
- Personal Access Token
- Get your API key or token from one service, and apply it to another
- Examples: Setting up Homebrew, Trelloro
(see flow diagrams)
- The `state` value sent with the authorization request and echoed back on the callback should:
- Identify the user who started the login
- Be timestamped, so stale values can be rejected
- Bonus: record which service (provider) the login is for
- Be signed, so the callback can detect tampering
```javascript
const crypto = require('crypto');

// SECRET_KEY is a server-side secret; session is the caller's logged-in session
const urlSafeBase64 = (input) => Buffer.from(input).toString('base64url');

const payload = JSON.stringify({
  issued_at: Date.now(),      // timestamp: lets the callback reject stale state
  user_id: session.user_id,   // identify the user who started the login
  login_with: 'twitter',      // bonus: which provider this state is for
});
// HMAC-SHA256 with the server secret, so the callback can detect tampering
const signature = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest();
const state = (
  urlSafeBase64(payload) + '.' +
  urlSafeBase64(signature)
);
```