2. Pownce and OAuth
• Pownce launched (June 2007)
• developers wanted an API
• became involved with OAuth (Aug 2007)
• public read-only API (Oct 2007)
• full API with OAuth (Mar 2008)
• 200+ apps built on Pownce API
3. Me and OAuth
• an author of the specification
• wrote first library (Python)
• maintain Python library
• maintain Pownce API OAuth implementation
4. What is OAuth?
A simple open standard for secure API authentication.
http://oauth.net
5. The (API) Love Triangle
• End User
• Web Service (“Service Provider”), ex: Pownce
• 3rd Party App (“Consumer Application”), ex: AIM bot
6. Specifically OAuth is...
• Authentication
Need to log in to access parts of a website
ex: bookmark a link, post a photo, add a friend, view
a private message
• Token-based Authentication
Logged-in user has a unique token used to access
data from the site
7. Just like...
• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
http://flickr.com/photos/bees/2504039638/
9. Who is it for?
• Service Providers - a web API that needs authorization for certain functions
• Consumers - want to use an API that requires (or encourages) OAuth
10. Goals:
Be Simple
• standard for website API authentication
• consistent for developers
• easy for end users to understand *
* this is hard
11. Goals:
Be Secure
• secure for end users
• easy to implement security features for
website developers
• 3rd party developers don’t have access to
passwords
• balance security with ease of use
12. Goals:
Be Open
• any website can implement OAuth
• any 3rd party developer can use OAuth
• open source client libraries
• community-designed technical specifications
13. Goals:
Be Flexible
• authentication method agnostic
• users don’t need a username and password
• can use OpenID (or not!)
• whatever auth works best for the service
• 3rd party developers don’t handle auth
15. Is OAuth different from OpenID?
OpenID - user identification by provider URL, login on provider site.
OAuth - API authorization and permissions, any form of user identification, login on provider site.
(medium answer)
16. Is OAuth different from OpenID?
http://www.pointy-stick.com/blog/2008/03/13/explanation-difference-between-openid-and-oauth/
(long answer)
17. What the end user sees...
Web Consumer: Ma.gnolia and Nsyght
I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.
22. Web flow - Request Token!
(Nsyght makes API calls to Ma.gnolia)
• Nsyght asks for request token
• Ma.gnolia returns request token
23. Authorize!
• user sent http redirect to Ma.gnolia with request token in URL
• user logs in and/or authorizes Nsyght
• redirected back to Nsyght with (authorized) request token
24. Access Token!
• Nsyght asks for access token with authorized request token (API call)
• request token exchanged for access token
• Nsyght stores access token
31. Desktop flow - Request Token!
(PownceAIM makes API calls to Pownce)
• PownceAIM asks for request token
• Pownce returns request token
32. Authorize!
• user follows link to Pownce with request token in URL
• user logs in and/or authorizes PownceAIM
• user tells PownceAIM that auth is complete
33. Access Token!
• PownceAIM asks for access token with authorized request token (API call)
• request token exchanged for access token
• PownceAIM stores access token
34. Basic Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
35. OAuth Setup
• Service provider gives documentation of
authorization URLs and methods
• Consumer registers an application with the
service provider
36. Service Provider
Documentation
• Request token endpoint
• Authorization endpoint
• Access token endpoint
• Accepted request method(s) (GET, POST,
PUT, etc...)
• Signature method(s)
• Extra parameters (non-oauth)
• Any specific notes about OAuth for that
provider
38. Register a Consumer
Application
• Consumer gives service provider data
about the application (name, creator, url
etc...)
• Service provider assigns the application a
consumer key and consumer secret
39. Registering a Fire Eagle Application
consumer app sign up page
https://fireeagle.yahoo.net/developer/create
40. Registering a Fire Eagle Application
Done!
oooh!
https://fireeagle.yahoo.net/developer/manage
41. OAuth Objects -
Consumer
consumer key
• assigned during consumer registration
• passed as a request parameter
consumer secret
• assigned during consumer registration
• used for signing (e.g. HMAC-SHA1)
43. OAuth Objects - Token
token key
• unique string granted by service provider
• passed as a request parameter
• same variable name (oauth_token_key) for
both request and access type tokens
token secret
• also granted by service provider
• same variable name (oauth_token_secret)
for both request and access type tokens
46. Where is this information passed?
(in order of preference)
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters
47. Timestamp and Nonce
oauth_timestamp
• seconds since Unix epoch (unless otherwise specified by service provider)
• must be equal to or greater than the timestamp of the previous request
oauth_nonce
• random string per timestamp / request
• attempt to stop replay attacks
52. Signature Methods
HMAC-SHA1
Example base string:
GET
&http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml
&oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j
%26oauth_nonce%3DD81FBEDC-1050-40EE-B899-21A1E07C4EC5
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1211254098
%26oauth_token%3D0qic7f318nj42ogm
%26oauth_version%3D1.0
Example signature:
oauth_signature="UFHiNYSf++3N18oTZ864IAGlvxU%3D"
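An added example (not code from the deck, from Pownce or from the OAuth Python library) that builds the signature base string exactly as on this slide, signs it with HMAC-SHA1, formats the Authorization header shown on the later Pownce slides, and checks an incoming request on the service-provider side with the timestamp and nonce rules from slide 47. The consumer and token secrets, the 300-second clock-skew window and the in-memory nonce set are assumptions; the slide's own example signature cannot be reproduced because its secrets are not on the page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # method & encoded base URL & encoded normalized parameters (oauth_signature itself is never included).
    # Keys and values are encoded once, the pairs sorted, joined with "=" and "&", and the whole
    # parameter string encoded a second time, which is why the slide shows %3D and %26.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"


def hmac_sha1_signature(bs, consumer_secret, token_secret=""):
    # HMAC key is encoded consumer secret + "&" + encoded token secret (token secret is empty for the request-token call)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, bs.encode(), hashlib.sha1).digest()).decode()


def authorization_header(realm, params, signature):
    # Preferred transport from slide 46: the Authorization header, every value percent-encoded and double-quoted
    fields = [f'realm="{realm}"']
    fields += [f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items())]
    fields.append(f'oauth_signature="{pct(signature)}"')
    return "OAuth " + ", ".join(fields)


class Provider:
    # Service-provider side: timestamp window, nonce replay check, then a constant-time signature compare
    def __init__(self, consumer_secret, token_secret, window=300):
        self.consumer_secret, self.token_secret, self.window = consumer_secret, token_secret, window
        self.seen = set()  # (timestamp, nonce) pairs already accepted; a real provider persists these

    def verify(self, method, url, params, signature, now):
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:  # skew window is an assumption; slide 47's rule is "not older than the previous request"
            return "timestamp out of window"
        if (ts, params["oauth_nonce"]) in self.seen:
            return "nonce replayed"
        expected = hmac_sha1_signature(base_string(method, url, params), self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, signature):
            return "signature does not match"
        self.seen.add((ts, params["oauth_nonce"]))
        return "ok"
```

Feeding the slide's six oauth_* parameters and the verify.xml URL into base_string reproduces the slide's base string character for character; the Provider returns the same error names the "Common Errors" slide lists.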
53. Signature Methods
PLAINTEXT
• should be used over a secure channel (SSL)
• no base string
• url-encoded consumer secret and token secret separated by an ‘&’
55. Signature Methods
RSA-SHA1
• sign the signature base string with the Consumer’s RSA private key
• verify with Consumer’s RSA public key
• same signature base string as HMAC-SHA1
• still in development for most OAuth libraries
58. PownceAIM and Pownce
• user follows link to Pownce with request token in URL
• user logs in and/or authorizes PownceAIM
http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8
59. let’s pretend the user is logged in to the Pownce site
click “Okay!”
60. PownceAIM
• user tells PownceAIM that auth is complete (cue to PownceAIM that the request token has been authorized)
61. PownceAIM and Pownce
• PownceAIM asks for access token with authorized request token (API call):
Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="3fjay66o4x78j4c8",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="6A87eXJ8MimMnCHfRM1hedEPHG4%3D",
  oauth_timestamp="1211258114",
  oauth_nonce="F85482A6-B1BC-4580-95B2-0E51300CBEF7",
  oauth_version="1.0"
• request token exchanged for access token; PownceAIM stores access token:
oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2
62. PownceAIM and Pownce
• PownceAIM asks for protected resource (note list) with access token (API call):
Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="oixvd0538vmw3hm2",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3D",
  oauth_timestamp="1211258746",
  oauth_nonce="DE648679-003B-42B5-806A-F185D0714EEB",
  oauth_version="1.0"
• Pownce returns API data:
<?xml version="1.0" encoding="utf-8"?>
<notes>
  <note>
    <body>Check out my website Leah!</body>
    <permalink>http://pownce.com/iamcal/notes/2211344/</permalink>
    <sender>
      <user>
        <username>iamcal</username>
...
66. Common Errors
• signature does not match
• providers can show expected base string
• token is invalid
• expired? wrong type of token?
• request token unauthorized
• user needs to login to authorize the
request token
67. Testing Tools
• web-based test server and client by Andy
Smith (http://term.ie/oauth/example)
• Endpointr, mac desktop app by Jon Crosby
68. Issues
• service provider documentation
• files
• granular permissions
• timestamp and nonce verification
• vague token expiration; consumers check for expired tokens
70. Service Provider Implementations
• 88 Miles
• Google Contacts API
• Ma.gnolia
• Pownce
• Thmbnl
• Yahoo! Fire Eagle
http://wiki.oauth.net/ServiceProviders
71. More Info
• main site: http://oauth.net
• spec: http://oauth.net/core/1.0
• code: http://code.google.com/p/oauth
• mailing list: http://groups.google.com/group/oauth
• wiki: http://wiki.oauth.net
• Pownce API: http://pownce.com/api