Oauth, and more specifically Oauth2, are enjoying interest as a result of increased popularity in a wide range of common web application. By providing authorization by users, for example, people can now send their CV to other services using linkedin information previously written on their profile. However, the source of the methodology and limitations of oauth remain poorly understood. With this talk, I aim to bridge the gap by providing an analysis involved with this protocol, using simple examples. Moreover, common jargon will be explained using the pre-defined oauth terms. Finally, a comparative analysis between Oauth and OpenID will supply insights to attendees to be used on their future applications.

With the wide adoption of collaborative platforms and social networks, many developers have had the opportunity to connect users with their data wherever they are on the web. Oauth provides the ability for different applications to access user’s data securely without requiring the user to take the scary step of handing over an account password. In other words, Oauth is a security protocol which allows users to grant delegate access of their web resources to third-party applications without sharing credentials.

Since its inception (and after certain revisions), many companies have adopted this protocol, such as Yahoo, Facebook or Google. Many users authorize applications to perform actions on their behalf. Nevertheless, the permission is scoped at a certain level. For instance, people can login and use the Spotify application using Facebook credentials. Spotify can read the user’s facebook profile, but it cannot read tagged photos.

Currently, many developers made use of the oauth2 authorization protocol with the purpose of avoiding the implementation of the app’s own login page. The ease of setting the required tokens and credentials to grant users access of the application using third-party databases, reduces the amount of time of developing and launching an app into production. In addition, relying on a third-party login application, lessens generated bugs within the application, such as database connection, security leaks, among others. However, the source of the methodology, terminology and implementation of Oauth2 remains poorly understood. This raises concerns of the lack of interpretability and limits our ability to design better architectures, or even, implementing the application own’s authorization server using oauth2.

Because of this, I made this proposal to bring to the attendees fully understanding of the oauth2 authorization framework in plain English (or spanish). The talk will provide a solid overview and be accessible to a target audience not already familiar with the Oauth and provide a much more detailed understanding of the framework. Digging more specifically into the authorization code flow, where I will explain each stage of the protocol and introducing important key terms within the relevant terminology.

The schedule of the talk will be the following:

• Definition of Oauth2 (5 min)
• Brief history of oauth (5 min)
• The oauth2 authorization framework protocol flow (15 min)
• Difference between authorization and authentication. Talk about OpenID connect (5 min)
• Question and answers (10 min)