OAuth

Objectives

  • Draw and explain the OAuth data flow
  • Identify use-cases for OAuth
  • Implement OAuth using Passport

What is OAuth

OAuth is an authorization protocol (OAuth 2.0 calls itself an authorization framework). It lets a user grant our application limited access to their account at a third party such as Facebook or Google, without ever giving us their password for that third party.

Because the provider can also tell us who the user is, OAuth is commonly used to let users log in to our application via the third party. Strictly, that login layer is built on top of OAuth (OpenID Connect is the standardized version of it), but in everyday use the two are discussed together.

What is OAuth

Our users grant us permission to access some of their account information from a 3rd party provider.

What is OAuth

Our users provide the 3rd party, and only the 3rd party, with their login credentials for the 3rd party website. Our server never sees that password.

What is OAuth

If the credentials are verified and the user consents, the 3rd party gives our server an access token for that user.

Additionally, WE log them in to OUR application.

OAuth Flow

Client

Our Server

3rd party server

These are the 3 machines involved in OAuth: the client (the user's browser), our server, and the 3rd party server (the provider, e.g. Facebook).

OAuth Flow

  • Before any authentication, a developer for our server registers our application with Facebook. We provide Facebook with a specific "redirect URL" and get back a "client_id" and a "client_secret". The client_secret stays on our server; it is never sent to the browser.
  • First a client goes to our webpage. We respond with our landing page.
  • Then the user clicks "Login with Facebook", which sends the client directly to Facebook (a redirect, often in a new tab or popup). That request carries our client_id, the redirect URL and a random "state" value that our server remembers for this browser session.
  • Our user provides Facebook with their credentials, and authorizes OUR application to use their Facebook data.
  • Facebook's response redirects the client (our user) to our "redirect URL" with a query parameter called the "authorization code", together with the "state" we sent. Our server checks that the state matches the one stored for this session before doing anything else; otherwise an attacker could splice their own code into our user's login.
  • Our server now provides the authorization code, client_id, client_secret and redirect URL to Facebook, server to server. The code is single-use and short-lived.
  • Finally, Facebook responds with an "access token" which grants our application access to our user's Facebook information.
  • After all this, we can log the user into our service.

You Try!

Grab a Mini-Whiteboard and draw the OAuth flow.

Compare Notes

Discuss your drawing with a fellow student!

Why OAuth?

How to OAuth

Grab a partner and try to implement this simple server:

https://github.com/gSchool/express-passport-linkedin

How to OAuth

There is a longer reference example here:

https://github.com/gSchool/express-passport-linkedin-solution

Made with Slides.com