OAuth.io

Simplified multi-provider authorization



Thibaud Arnault







thyb@oauth.io | @thibaud_arnault

EPITA MTI 2012


OAuth


Authorization



More than 500 OAuth providers

listed on ProgrammableWeb


They are all different:
multiple versions of the standard, multiple implementations...

To start with OAuth


Create a Facebook application on developers.facebook.com
to get your client_id and client_secret

OAuth 2 protocol

2 - Redirection
www.facebook.com/dialog/oauth/authorize

client_id=...
response_type=code
scope=email,read_friendlists...
state=...
redirect_uri=http://myapp.com/





3 - Authorization callback

http://myapp.com/?code=...&state=...


4 - Retrieve the access token

POST graph.facebook.com/oauth/access_token

code=...
client_id=...
client_secret=...
grant_type=authorization_code


Once you have the access token


You have to pass the access_token with each API request

e.g.
https://graph.facebook.com/me?access_token=...

The flow





It looks simple?


OK, let's look deeper with more providers

OAuth 1.0a flow


Deezer OAuth2

1 - Redirection

client_id -> app_id=...
response_type=code [unused]
scope -> perms=email,read_friendlists...
state=...  [undocumented]
Standard not respected


Retrieve the token in Deezer


code=...
client_id ->  app_id=...
client_secret ->  secret=...
grant_type=authorization_code

More differences?


OAuth2 differences


  • Name of the token: access_token? oauth_token? Authorization: Bearer? OAuth?
  • Scope separators: "," ":" " " ";" "|" (etc.), and cardinality: one scope or many?
  • Base URL of the API returned by /access_token (Salesforce)
  • One step more (MailChimp)
  • Request signature (the Russian OAuth 2 variant, mail.ru)
  • One more key (StackExchange)
  • One more constant (oauth_version=2.a)
  • state sometimes absent / impossible (AngelList)
  • Plus variations and combinations of all of the above
  • And you need multiple providers?



    OAUTH.io


    Easy implementation


     OAuth.popup('facebook', function(err, res) {
        if (err) {
            // do something with the error
        }
        // the access token is in res.access_token
     })

    You want Twitter? No problem


     OAuth.popup('twitter', function(err, res) {
        if (err) {
            // do something with the error
        }
        // the access token is in res.oauth_token
        // & res.oauth_token_secret!
     })





    Example with Facebook

    Requests to the API made easy


     OAuth.popup('facebook', function(err, res) {
        if (err) {
            // do something with the error
        }
        // the access token is in res.access_token
        res.get('/me').done(function(data) {
            alert("hello " + data.name);
        })
     })

    For Twitter?






    iOS / Android / PhoneGap / Flex

    OAuthd


    Why?


    • Trust
    • Contributions
    • Improve security
    • Improve bug discovery
    • Get more providers
    • Companies with a strong security policy

    Business model



    AGPL license
    +
    SaaS monthly license
    with a large free tier

    The story: HumankindWall



    Publication in Le Monde (page 2)
    On Télématin (TV)

    There were more than 15 APIs implemented

    We developed Webshell behind it to manage all these APIs

    Webshell


    It was also a student project

    Developed, like HumankindWall, during the PLIC
    (Projet Libre d'Innovation et de Communication)

    It was a shell for the web
    with our own custom shell language

    Webshell evolved


    Our own language became JavaScript

    APIs were industrialised thanks to WADL

    An IDE to write your own API scripts

    Lots of contests won

    Etalab campus
    Innovact campus awards
    Incuballiance
    Dataconnexions
    French Tech Tour
    Le camping
    Scientipole
    Tremplin Entreprises (French Senate)
    OSEO (French ministry of research) x2
    ....

    Then OAuth.io


    We extracted the authorization core of Webshell

    The most requested part
    The most complicated to implement

    Result


    Webshell: 3k users in a year and a half

    OAuth.io: 6k users in 5 months + 800 GitHub stars

    More traction and lots of requests:
    American White House / Berkeley / Cisco ...



    If you have any questions
    about using OAuth or APIs

    REALLY DON'T HESITATE

    thyb@oauth.io


    Thanks


    ;-)
