presentation

OAuth with Facebook and Google
Using .NET
Sathyaish Chakravarthy, Independent Consultant
Diagram: You (Resource Owner) let a Client application reach your Contacts on Gmail (Resource Server)
“OAuth allows you to give a third-party application the permission to use some of your resources on a resource server without giving the third party your user name and password on the resource server.”
REGISTERING CLIENTS
console.developers.google.com
developers.facebook.com
ROLES & FLOWS
Roles (RFC 6749): Resource Owner, Client, Authorization Server, Resource Server
Flows (grant types):
• Implicit Flow
• Authorization Code Flow
• Client Credentials Flow
• Resource Owner Password Credentials Flow
DEMO: GOOGLE OAUTH CLIENT
(AUTHORIZATION CODE FLOW)
DEMO: FACEBOOK OAUTH CLIENT
(AUTHORIZATION CODE FLOW)
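The client side of the authorization code flow shown in the two demos, as an added example written in Python rather than the deck's .NET, and not taken from the slides. The Google endpoint URLs are the documented ones; CLIENT_ID, REDIRECT_URI and the client secret are placeholders, and nothing is sent over the network: the callback URL and the token-request body are built and checked locally so the two checks a client must make (state matches the session, redirect_uri repeated exactly) are visible. PKCE (RFC 7636) is included because a public .NET client cannot keep a secret.

```python
"""OAuth 2.0 authorization code flow, client side (added example, not the deck's code).

Assumptions: CLIENT_ID and REDIRECT_URI are placeholders; the authorization
server's redirect and the token response are constructed inline instead of
being fetched, so the example runs offline.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "https://client.example/oauth2/callback"  # placeholder, registered in the console


def make_pkce_pair():
    """RFC 7636: random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(scope, state, code_challenge):
    """Step 1: the URL the resource owner's browser is sent to.

    `state` must be unguessable and stored in the user's session; it is the
    CSRF token of the flow.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",  # Google-specific: also issue a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Step 2: the browser arrives at REDIRECT_URI?code=...&state=...

    Returns the authorization code. Raises if the user denied access or if
    `state` does not match the value saved in this session, which means the
    callback was not started by this user (CSRF / code injection).
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs["error"][0])
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code, code_verifier, client_secret):
    """Step 3: body of the back-channel POST to TOKEN_ENDPOINT.

    redirect_uri must be byte-for-byte the value used in step 1; the server
    rejects the exchange otherwise.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


def simulate_flow(scope="https://www.googleapis.com/auth/contacts.readonly"):
    """Run the three steps with a constructed callback; returns the token body."""
    state = secrets.token_urlsafe(16)  # would be saved in the session here
    verifier, challenge = make_pkce_pair()
    auth_url = build_authorization_request(scope, state, challenge)
    # Constructed redirect from the authorization server (not a real response).
    callback = REDIRECT_URI + "?" + urlencode({"code": "4/constructed-code", "state": state})
    code = handle_callback(callback, expected_state=state)
    return auth_url, build_token_request(code, verifier, "placeholder-secret")


if __name__ == "__main__":
    url, body = simulate_flow()
    print("redirect user to:", url)
    print("POST", TOKEN_ENDPOINT, body)
```

The one thing the demos cannot show on a slide is the negative path: a callback whose `state` differs from the session's value must be dropped, not retried, because an attacker can deliver their own authorization code to a victim's browser and log the victim into the attacker's account.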
Summary: What’s in it for me?
• User
• Client
Limitations of OAuth 2.0
• No discovery
• Requires HTTPS (bearer tokens carry no signature, so TLS is the only protection in transit)
• Open redirectors: see RFC 6819, OAuth 2.0 Threat Model and Security Considerations
• Implementations differ widely
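The open-redirector item above in code, as an added example that is not from the deck. RFC 6819 describes two places the problem appears: an authorization server that matches `redirect_uri` by prefix instead of exact string comparison, so a host that merely starts with the registered value receives the authorization code, and a client whose post-login "return to" parameter accepts absolute URLs. Both checks are shown below with the weak form next to the corrected one; the hostnames are placeholders.

```python
"""redirect_uri checks around an OAuth 2.0 client (added example, not the deck's code).

Hostnames are placeholders. prefix_match_redirect is the weak check,
exact_match_redirect the one RFC 6749 section 3.1.2.3 requires, and
safe_return_path guards the client's own post-login redirect.
"""
from urllib.parse import urlparse

# What a careful deployment registers: the full callback URL, nothing shorter.
REGISTERED = {"https://client.example/oauth2/callback"}


def prefix_match_redirect(candidate, registered_prefix):
    """Weak: any URL that starts with the registered value passes, including
    https://client.example.attacker.net/... when only the origin was registered."""
    return candidate.startswith(registered_prefix)


def exact_match_redirect(candidate, registered=REGISTERED):
    """Correct: compare the whole string, no normalisation, no trailing-slash
    tolerance, no query or fragment allowed that was not registered."""
    return candidate in registered


def safe_return_path(next_param, default="/"):
    """Client-side 'where to go after login' parameter.

    Accepts only same-origin paths: must start with a single '/', must not be
    scheme-relative ('//evil'), must not carry a scheme or host, and must not
    contain a backslash (some browsers treat '/\\evil' as '//evil').
    """
    if not next_param:
        return default
    if next_param.startswith("/") and not next_param.startswith("//") and "\\" not in next_param:
        parsed = urlparse(next_param)
        if not parsed.scheme and not parsed.netloc:
            return next_param
    return default


if __name__ == "__main__":
    evil = "https://client.example.attacker.net/cb"
    print("prefix match lets attacker host through:", prefix_match_redirect(evil, "https://client.example"))
    print("exact match rejects it:", exact_match_redirect(evil))
    for p in ["/account", "//attacker.net", "https://attacker.net", "/\\attacker.net"]:
        print(repr(p), "->", safe_return_path(p))
```

The second function matters even when the authorization server is strict: if the registered callback forwards to whatever `next=` says, the attacker registers nothing and still gets the code (or the token, in the implicit flow) through the Referer or the fragment of the redirected request.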
Further Reading
• RFC 6749 – The OAuth 2.0 Authorization Framework
http://tools.ietf.org/html/rfc6749
• Documentation of the OAuth server