

Getting Started with OAuth 2.0. Programming Clients for Secure Web API Authorization and Authentication (e-book)



Getting Started with OAuth 2.0. Programming Clients for Secure Web API Authorization and Authentication (e-book) - Description
Whether you develop web applications or mobile apps, the OAuth 2.0 protocol will save a lot of headaches. This concise introduction shows you how OAuth provides a single authorization technology across numerous APIs on the Web, so you can securely access users' data, such as user profiles, photos, videos, and contact lists, to improve their experience of your application.

Through code examples, step-by-step instructions, and use-case examples, you'll learn how to apply OAuth 2.0 to your server-side web application, client-side app, or mobile app. Find out what it takes to access social graphs, store data in a user's online filesystem, and perform many other tasks.

Understand OAuth 2.0's role in authentication and authorization
Learn how OAuth's Authorization Code flow helps you integrate data from different business applications
Discover why native mobile apps use OAuth differently than mobile web apps
Use OpenID Connect and eliminate the need to build your own authentication system

Table of contents:
Getting Started with OAuth 2.0
SPECIAL OFFER: Upgrade this ebook with O'Reilly
A Note Regarding Supplemental Files
Preface
Conventions Used in This Book
Using Code Examples
Safari Books Online
How to Contact Us
Acknowledgments
1. Introduction
How OAuth Was Born
Why Developers Should Care About OAuth
Why Don't These APIs Just Use Passwords for Authorization?
Terminology
Authentication
Federated Authentication
Authorization
Delegated Authorization
Roles
The Great Debate over Signatures
Mitigating Concerns with Bearer Tokens
Signing Your OAuth 2.0 Requests
Getting the key
Making API requests
Developer and Application Registration
Why Is Registration Necessary?
Client Profiles, Access Tokens, and Authorization Flows
Client Profiles
Access Tokens
Authorization Flows
2. Server-Side Web Application Flow
When Should the Authorization Code Flow Be Used?
Security Properties
User Experience
Step-by-Step
Step 1: Let the user know what you're doing and request authorization
Error handling
Step 2: Exchange authorization code for an access token
Why both access tokens and refresh tokens?
Step 3: Call the API
Error handling
Step 4a: Refresh the access token
Step 4b: Obtaining a new access token
How Can Access Be Revoked?
3. Client-Side Web Applications Flow
When Should the Implicit Grant Flow Be Used?
Limitations of the Implicit Grant Flow
Security Properties
User Experience
Step-by-Step
Step 1: Let the user know what you're doing and request authorization
Error handling
Step 2: Parsing the access token from the URL
Step 3: Call the API
Step 4: Refreshing the access token
How Can Access Be Revoked?
4. Resource Owner Password Flow
When Should the Resource Owner Password Flow Be Used?
Security Properties
User Experience
Step-by-Step
Step 1: Ask the user for their credentials
Step 2: Exchange the credentials for an access token
Step 3: Call the API
Step 4: Refresh the access token
5. Client Credentials Flow
When Should the Client Credentials Flow Be Used?
What APIs Support the Client Credentials Flow?
How Does the Client Authenticate?
Security Properties
Step-by-Step
Step 1: Exchange the application's credentials for an access token
Step 2: Call the API
When the Access Token Expires
6. Getting Access to User Data from Mobile Apps
Why You Should Use OAuth for Native Mobile Apps
What Flow Should Be Used for Native Mobile Apps?
Do You Have a Mobile Backend Web Server for Your Application?
The (Ugly) Web Browser
Embedded WebView
System Web Browser
Enhanced Mobile App Authorization for Specific Providers
For Google
For Facebook
7. OpenID Connect Authentication
ID Token
Security Properties
Obtaining User Authorization
Check ID Endpoint
UserInfo Endpoint
Performance Improvements
Practical OpenID Connect
For Google
For Facebook
OpenID Connect Evolution
8. Tools and Libraries
Google's OAuth 2.0 Playground
Google's TokenInfo Endpoint
Apigee's Console
Facebook's Access Token Tool and Access Token Debugger
Libraries
Going Further
A. References
Specifications
Vendor Documentation
Mailing Lists
Misc
About the Author
SPECIAL OFFER: Upgrade this ebook with O'Reilly
Getting Started with OAuth 2.0. Programming Clients for Secure Web API Authorization and Authentication (e-book) - Opinions and Reviews
This list contains reviews that have been verified (confirmed by purchase) and are marked with the green Trusted Reviews badge. Unverified reviews do not carry this badge.