2012/11/15

Devoxx2012: OAuth 2 and Identity - Tim Bray & Nicolas Garnier

Google's focus:
  • OAuth2
    • framework -> no guarantee on interoperability
    • core is frozen
  • OpenID Connect
    • protocol
    • based on OAuth2
    • "OAuth2 for login"
JavaScript-only flow:
  • register for a client id + select APIs ("scopes")
  • redirect to google.com in a popup
  • access token is returned
    • 3600s timeout -> re-logon after that
  • optionally use the gapi library (Apache license)
  • redirect back to the original page + use the access token to access the Google APIs
Server-side API:
  • register to get a "super-secret" client id
  • no popup needed
  • redirect to Google
  • extra server-side step: exchange the code
  • logon not limited in time (occasional server-side refresh of the access token needed)
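Added example (my code, not from the talk) covering both flows above: building the redirect-to-Google URL for the JavaScript-only (implicit) and server-side (authorization code) flows, and parsing the fragment the implicit flow hands back, with the state check and the 3600s expiry. The endpoint URL is assumed; parameter names are standard OAuth2.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # assumed endpoint


def new_state():
    """Random per-session state; store it server/session side and check it on return."""
    return secrets.token_urlsafe(16)


def build_auth_url(client_id, redirect_uri, scopes, server_side, state):
    """Build the redirect-to-Google URL.

    server_side=False -> implicit ("JavaScript-only") flow: response_type=token,
    the access token comes back in the URL fragment and expires (3600 s).
    server_side=True  -> authorization code flow: response_type=code, the server
    exchanges the code using the client secret; access_type=offline asks for a
    refresh token so the server can refresh without a new logon.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code" if server_side else "token",
        "state": state,  # bound to the user session; checked on return (CSRF)
    }
    if server_side:
        params["access_type"] = "offline"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_implicit_redirect(redirect_url, expected_state, now):
    """Parse the fragment appended in the implicit flow.

    Returns (access_token, expires_at) or raises ValueError. The token lives in
    the fragment, which the browser never sends to the server; read it client-side.
    """
    frag = parse_qs(urlparse(redirect_url).fragment)
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale response")
    if "error" in frag:
        raise ValueError("authorization failed: " + frag["error"][0])
    token = frag["access_token"][0]
    expires_in = int(frag.get("expires_in", ["3600"])[0])  # Google: 3600 s
    return token, now + expires_in
```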

Mobile:
  • embedded browser: no SSO -> re-logon
  • call the external browser: less user friendly / extra security measures needed
  • Android specific: GoogleAuthUtil
Other:
  • AccountChooser framework (JavaScript-based)
