Posts tagged "authentication"

My First Book – “Mastering OAuth 2.0”

Here at Adobe, I work on the Identity Platform team. We are responsible for running the main identity management platform that services all of Adobe’s customers. As part of this, we get the opportunity to solve some very interesting problems in the identity space. I’ve written about this before, but we recently underwent a large change to our identity platform to adopt the OAuth 2.0 standard for authentication and authorization. This allows our users to integrate with us much like they would with other large service providers who have also adopted OAuth 2.0, such as Google, Microsoft, and Facebook. This was a very fun project and one that I particularly enjoyed because I learned a heck of a lot about identity management and API security, as well as some of the deeper ins and outs of the OAuth 2.0 protocol. At the conclusion of that project, I was approached by the nice folks at Packt Publishing to write a book about the topic.

Introducing Mastering OAuth 2.0
I present to you, my first book, Mastering OAuth 2.0…


What does it cover?
The book covers what you would imagine: the OAuth 2.0 protocol and how to use it effectively. However, it focuses specifically on the client integration side of the OAuth 2.0 protocol. That is, this book is geared towards application developers looking to build applications that integrate with OAuth 2.0 service providers, as opposed to application developers looking to build their own OAuth 2.0 servers. This is best described by the book’s description…

“OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world’s most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user’s LinkedIn feed? This is all achievable through the power of OAuth. With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way.”

If you are an application developer looking to build a web or mobile application that integrates with any of the major service providers, like Google or Facebook, you will likely be doing it via OAuth 2.0. If so, this book is right up your alley :)

The World’s Most Interesting Infographic
One thing that I’m especially proud of regarding this book is the depth of the code and sample applications that I provide. I didn’t want to step through the learning process while building a sample application that isn’t realistic, or that no one will ever use. Rather, I decided to build an interesting, real-world, working sample application. Enter The World’s Most Interesting Infographic!

The World’s Most Interesting Infographic is the sample application that is built throughout the book. It is a web application that will, through the power of OAuth 2.0, request profile and feed data from your Facebook account and dynamically generate an infographic based on the statistics it gleans. Here is a snapshot of mine…

The World's Most Interesting Infographic

Log into www.worldsmostinterestinginfographic.com (or www.wmiig.com for short) to see your own infographic! Or better yet, follow along in the book and create your own application!

It’s all open-source!
Much like I do with a lot of my other projects, I’ve made the source code for The World’s Most Interesting Infographic, as well as the rest of the sample code for the book, available on GitHub. Check it out here…

See me on GitHub

Sample chapter
We’ve made chapter 1 available for free for anyone interested in checking the book out, but not sure whether it will be useful for them. You can download it in PDF form, or view it on the publisher’s interactive website…

Download sample chapter as PDF

View sample chapter on publisher website

Take a look at the sample chapter I’ve provided above, and if you like it, please consider purchasing it! As always, I love hearing from you. So do let me know your feedback in the comments too. Happy coding!

Charles

OAuth 2.0 Library for ActionScript

Here at Adobe, we’ve been working really hard recently on our latest big project: Adobe Creative Cloud. For anyone who is unfamiliar with it or wasn’t able to attend our latest MAX conference, here is how we describe the project, straight from our press release:

“Adobe Creative Cloud reinvents creative expression by enabling a new generation of services for creativity and publishing, that embrace touch interaction to re-imagine how individuals interact with creative tools and build deeper social connections between creatives around the world.”

– Kevin Lynch, CTO, Adobe Systems

In a nutshell, Creative Cloud is really an ecosystem that includes a multitude of applications for various devices that facilitate creative workflows, all backed by a cloud storage solution. Now that I’m done with the marketing, I can get to the good stuff :)

One of the major tasks that we’ve decided to undertake while doing this project was to switch from our current authentication system to a standards-based OAuth 2.0 authentication and authorization system. This was (is) a large undertaking and included building the likes of an OAuth 2.0 server, building and supporting new OAuth 2.0 compatible clients, as well as converting all existing systems to the new one. As part of this project, I ended up creating some OAuth 2.0 libraries that our touch-tooling applications use to interact with our system. While doing this, I realized that a lot of this work can easily be open-sourced and used with any OAuth 2.0 compliant service! And so, here we are!

Out in the Open
What I’ve created is exactly how it sounds: an OAuth 2.0 library for ActionScript. It abides by the OAuth 2.0 specification (version 2.15) and so is compatible with any OAuth 2.0 service! That includes services like Facebook Platform, Google APIs, Foursquare APIs, and many many more.

What it Does
If you are unfamiliar with the OAuth 2.0 workflow, it is really quite simple…

  1. Your application makes a request to the server to get an access token.
    • An access token is what is used to access a protected resource, say, an API to post a status update.
  2. The user authenticates and authorizes the use of said protected resource by the application on behalf of the user.
    • For example, the user logs in and allows your application to post a status update on their behalf.
  3. An access token is granted and returned back to your application.
    • The access token will be restricted for use with only the specific permissions that were authorized in Step 2.
  4. You use the access token for whatever you want!
    • Using the same example, your application then uses this token to make a call to update your status.

The library is only in charge of steps 1-3. It will just get you your access token. What you do with it, and what API calls you make with it, are up to you.

How to Use It
This library is designed for use in mobile devices using AIR. Because of that, it makes use of the StageWebView object to display the user consent page (the form that the user must log into and authorize your application in Step 2). I’ve created a very simple mobile demo application that does exactly this. Here is the important part of the code…

import flash.geom.Rectangle;
import flash.media.StageWebView;
// plus the library's own OAuth2, IGrantType, AuthorizationCodeGrant, GetAccessTokenEvent and LogSetupLevel classes

// create our StageWebView object and size it to the visible stage; it will display the consent page (Step 2)
var stageWebView:StageWebView = new StageWebView();
stageWebView.stage = stage;
stageWebView.viewPort = new Rectangle(0, 0, stage.stageWidth, stage.stageHeight);

// set up the call: the authorization endpoint, the token endpoint, and how much the library should log
var oauth2:OAuth2 = new OAuth2("https://accounts.google.com/o/oauth2/auth", "https://accounts.google.com/o/oauth2/token", LogSetupLevel.ALL);
// the authorization code grant takes the web view, client id, client secret, redirect URI and requested scope
// (note that a secret compiled into a distributed mobile app can be extracted, so treat it as public)
var grant:IGrantType = new AuthorizationCodeGrant(stageWebView, "INSERT_CLIENT_ID_HERE", "INSERT_CLIENT_SECRET_HERE", "http://www.mysite.com", "https://www.googleapis.com/auth/userinfo.profile");

// make the call; the result (Step 3) arrives asynchronously in the event handler
oauth2.addEventListener(GetAccessTokenEvent.TYPE, onGetAccessToken);
oauth2.getAccessToken(grant);

function onGetAccessToken(getAccessTokenEvent:GetAccessTokenEvent):void
{
	if (getAccessTokenEvent.errorCode == null && getAccessTokenEvent.errorMessage == null)
	{
		// success!
		trace("Your access token value is: " + getAccessTokenEvent.accessToken);
	}
	else
	{
		// fail :(
		trace("Error " + getAccessTokenEvent.errorCode + ": " + getAccessTokenEvent.errorMessage);
	}
}  // onGetAccessToken

You’ll see that the code is quite simple. First, we set up the StageWebView object. Then, we prepare the OAuth2 object by invoking its constructor with the appropriate values. In the third step, we attach an event-listener and make the call. Finally, in the event handler function, we handle the response. That’s it!
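To make Steps 1 through 3 of the workflow concrete outside of AIR, here is an added Python example (not part of the original post or the ActionScript library) that does what the library does for the sample above: it builds the Step 1 authorization URL with a random state value, treats the web view's navigation to the redirect URI as the Step 3 callback, checks the redirect target and the state, and exchanges the code for a token. The `post` callable and `fake_token_endpoint` are assumptions so the example runs offline; the endpoints, redirect URI and scope are the ones from the sample code.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"

class AuthorizationCodeClient:
    # Steps 1-3 from the post; `post(url, form) -> dict` is a hypothetical injected callable so it runs offline
    def __init__(self, client_id, client_secret, redirect_uri, scope, post):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.scope, self.post = redirect_uri, scope, post
        self._state = None  # one-shot anti-CSRF value tied to the pending request

    def authorization_url(self):
        # Step 1: the URL the web view is pointed at; `state` is random and kept for Step 3
        self._state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": self.scope, "state": self._state}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def _is_redirect(self, url):
        # exact scheme/host/path match, not a prefix test: "http://www.mysite.com.evil.example" must not pass
        want, got = urlparse(self.redirect_uri), urlparse(url)
        return (got.scheme, got.netloc, got.path.rstrip("/")) == (want.scheme, want.netloc, want.path.rstrip("/"))

    def handle_redirect(self, navigated_url):
        # Step 3: after consent (Step 2) the web view lands on redirect_uri?code=...&state=...
        if not self._is_redirect(navigated_url):
            return None  # some other page of the consent flow; keep waiting
        qs = parse_qs(urlparse(navigated_url).query)
        if "error" in qs:
            raise RuntimeError("authorization failed: " + qs["error"][0])
        state = qs.get("state", [""])[0]
        if self._state is None or not hmac.compare_digest(state.encode(), self._state.encode()):
            raise ValueError("state mismatch: this code was not requested by this session")
        self._state = None  # a code and its state are accepted once
        token = self.post(TOKEN_ENDPOINT, {
            "grant_type": "authorization_code", "code": qs.get("code", [""])[0],
            "redirect_uri": self.redirect_uri,  # must repeat the value sent in Step 1
            "client_id": self.client_id, "client_secret": self.client_secret})
        if "access_token" not in token:
            raise RuntimeError("token endpoint error: " + token.get("error", "unknown"))
        return token["access_token"]

def fake_token_endpoint(url, form):
    # constructed stand-in for the token endpoint so the example runs offline; a real one also checks the secret
    ok = url == TOKEN_ENDPOINT and form["grant_type"] == "authorization_code" and form["code"] == "demo-code"
    return {"access_token": "demo-access-token", "token_type": "Bearer"} if ok else {"error": "invalid_grant"}
```

What the access token is then used for (Step 4) is, as in the library, up to the caller.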

Demo
I’ve created a sample demo application that demonstrates the usage of this library. Using the same sample code as above (with the appropriate values filled in), connecting to Google’s OAuth 2.0 APIs, the sample app looks like this…

Take it for a spin and let me know what you think!

ActionScript OAuth 2.0 Mobile Demo Application

Code, please!
I’ve released the code under the Apache License, Version 2.0 and made it all available on GitHub! Please, fork and extend!

ActionScript OAuth 2.0 Library

That’s it! Hopefully some of you will find this project useful. And as always, I love hearing from you so let me know what you think! Happy coding =)

Update: As requested, I’ve removed the dependencies on the Flex framework so this library is now a pure AS3 library. Enjoy!

Charles