SlideShare a Scribd company logo

Implementing OAuth

L
leahculver

Workshop on OAuth from MeshU 2008 in Toronto. The basics of OAuth API authentication are covered in this talk as well as some implementation examples.

Technology
1 of 72
Download to read offline
OAuth Practical Implementation
Pownce and OAuth • Pownce launched (June 2007) • developers wanted an API • became involved with OAuth (Aug 2007) • public read-only API (Oct 2007) • full API with OAuth (Mar 2008) • 200+ apps built on Pownce API
Me and OAuth • an author of the specification • wrote first library (Python) • maintain Python library • maintain Pownce API OAuth implementation
What is OAuth? A simple open standard for secure API authentication. http://oauth.net
The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application” Pownce AIM bot
Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
Just like... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others... http://flickr.com/photos/bees/2504039638/
Who is involved?
Who is it for? • Serviceauthorizationhavecertain functions Providers - an web API that needs for • Consumers -encourages) OAuth that want to use an API requires (or
Goals: Be Simple • standard for website API authentication • consistent for developers • easy for end users to understand * * this is hard
Goals: Be Secure • secure for end users • easy to implement security features for website developers • 3rd party developers don’t have access to passwords • balance security with ease of use
Goals: Be Open • any website can implement OAuth • any 3rd party developer can use OAuth • open source client libraries • community-designed technical specifications
Goals: Be Flexible • authentication method agnostic • users don’t need a username and password • can use OpenID (or not!) • whatever auth works best for the service • 3rd party developers don’t handle auth
Is OAuth different from OpenID? Yes. (short answer)
Is OAuth different from OpenID? OpenID - user identification by provider URL, login on provider site. OAuth - API authorization and permissions, any form of user identification, login on provider site. (medium answer)
Is OAuth different from OpenID? http://www.pointy-stick.com/blog/2008/03/13/ explanation-difference-between-openid-and-oauth/ (long answer)
What the end user sees... Web Consumer Ma.gnolia and Nsyght I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.
OMG! Need to log in!
Login with service provider service provider’s site! alternative login method not username/password
Authorize
Done!
Web flow Request Token! Nsyght Ma.gnolia API calls asks for request token returns request token ...
Authorize! user sent http redirect to ma.gnolia with request token in URL user logs in and/or authorizes nsyght redirected back ... to nsyght with (authorized) ... request token Nsyght Ma.gnolia
Access Token! ask for access API calls token with authorized request token request token exchanged for access token nsyght stores access token Nsyght Ma.gnolia
use the access token... by Blaine Cook
What the end user sees... Desktop Consumer Pownce and PownceAIM I’d like to get alerts about new Pownce notes via AIM.
OMG! Need to log in!
Login with service provider service provider’s site!
Authorize click “Okay!”
Authorized! Return to desktop app.
Desktop flow Request Token! PownceAIM Pownce API calls asks for request token returns request token ...
Authorize! user sent user follows link to Pownce with request token in URL user logs in and/or authorizes PownceAIM user tells ... PownceAIM that auth is ... complete PownceAIM Pownce
Access Token! ask for access API calls token with authorized request token request token exchanged for access token PownceAIM stores access token PownceAIM Pownce
Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
OAuth Setup • Service provider gives documentation of authorization URLs and methods • Consumer registers an application with the service provider
Service Provider Documentation • Request token endpoint • Authorization endpoint • Access token endpoint • Accepted request method(s) (GET, POST, PUT, etc...) • Signature method(s) • Extra parameters (non-oauth) • Any specific notes about OAuth for that provider
Pownce API Documentation https://pownce.pbwiki.com/API%20Documentation2-0#VerifyAuth
Register a Consumer Application • Consumer gives service provider data about the application (name, creator, url etc...) • Service provider assigns the application a consumer key and consumer secret
Registering a Fire Eagle Application consumer app sign up page https://fireeagle.yahoo.net/developer/create
Registering a Fire Eagle Application Done! oooh! https://fireeagle.yahoo.net/developer/manage
OAuth Objects - Consumer consumer key • assigned during consumer registration • passed as a request parameter consumer secret • assigned during consumer registration • used for signing (e.g. HMAC-SHA1)
OAuth Objects - Consumer
OAuth Objects - Token token key • unique string granted by service provider • passed as a request parameter • same variable name (oauth_token_key) for both request and access type tokens token secret • also granted by service provider • same variable name (oauth_token_secret) for both request and access type tokens
OAuth Objects - Token
OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce • oauth_version
Where is this information passed? (in order of preference) • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
Timestamp and Nonce oauth_timestamp • seconds since Unix epoch (unless otherwise specified by service provider) • must be equal or greater than previous request oauth_nonce • random string per timestamp / request • attempt to stop replay attacks
Signing Requests oauth_signature_method • HMAC-SHA1 • RSA-SHA1 • PLAINTEXT oauth_signature • string constructed according to the chosen signature method
Signing Requests
Signature Methods HMAC-SHA1 • construct thewith a ‘&’: base string by joining signature the following 1. http request method (e.g. GET) 2. http url (endpoint url) 3. normalized request parameters (sorted by name) • key = encoded consumer secret and token secret separated by an ‘&’
Signature Methods HMAC-SHA1
Signature Methods HMAC-SHA1 Example base string: GET &http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml &oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j %26oauth_nonce%3DD81FBEDC-1050-40EE- B899-21A1E07C4EC5 %26oauth_signature_method%3DHMAC-SHA1 %26oauth_timestamp%3D1211254098 %26oauth_token%3D0qic7f318nj42ogm %26oauth_version%3D1.0 Example signature: oauth_signature=quot;UFHiNYSf++3N18oTZ864IAGlvxU%3Dquot;
Signature Methods PLAINTEXT • should be used over a secure channel (SSL) • no base string • url-encoded consumer ‘&’ and token secret secret separated by an
Signature Methods PLAINTEXT Ex: oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3
Signature Methods RSA-SHA1 • sign signature base string private key and with Consumer’s RSA the • verify with Consumer’s RSA public key • same signature base string as HMAC-SHA1 • still in development for most OAuth libraries
Big Fatty Example PownceAIM and Pownce warning: screen shots might not match text.
PownceAIM Pownce API call asks for request token Authorization: OAuth realm=quot;http://api.pownce.com/quot;, oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;7A4blmAxXMDPmCQuTBR4CocpdNo%3Dquot;, oauth_timestamp=quot;1211257266quot;, oauth_nonce=quot;9BD703ED-EBA0-4B79-B9F2-AA09C9945D4Bquot;, oauth_version=quot;1.0quot; returns request token oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8
PownceAIM Pownce user follows link user sent user logs in to Pownce with and/or authorizes request token in PownceAIM URL http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8
let’s pretend the user is logged in to the Pownce site click “Okay!”
PownceAIM cue to PownceAIM that request token has been user tells PownceAIM authorized that auth is complete
PownceAIM Pownce API calls ask for access Authorization: OAuth realm=quot;http://api.pownce.com/quot;, token with oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, authorized oauth_token=quot;3fjay66o4x78j4c8quot;, oauth_signature_method=quot;HMAC-SHA1quot;, request token oauth_signature=quot;6A87eXJ8MimMnCHfRM1hedEPHG4%3Dquot;, oauth_timestamp=quot;1211258114quot;, oauth_nonce=quot;F85482A6-B1BC-4580-95B2-0E51300CBEF7quot;, oauth_version=quot;1.0quot; request token PownceAIM stores exchanged for access token access token oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2
PownceAIM Pownce API calls ask for Authorization: OAuth realm=quot;http://api.pownce.com/quot;, protected resource oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_token=quot;oixvd0538vmw3hm2quot;, (note list) oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3Dquot;, oauth_timestamp=quot;1211258746quot;, oauth_nonce=quot;DE648679-003B-42B5-806A-F185D0714EEBquot;, oauth_version=quot;1.0quot; <?xml version=quot;1.0quot; encoding=quot;utf-8quot;?> return API <notes> <note> data <body>Check out my website Leah!</body> <permalink>http://pownce.com/iamcal/notes/2211344/</permalink> <sender> <user> <username>iamcal</username> ...
Managing Tokens • request token expiration • access token expiration • end user token management
Token Management http://pownce.com/settings/applications
HTTP Errors • 400 Bad Request • unsupported parameter • unsupported signature method • missing required parameter • duplicate OAuth parameter • 401 Unauthorized • invalid consumer key • invalid / expired token • invalid signature (signature does not match) • invalid / used nonce
Common Errors • signature does not match • providers can show expected base string • token is invalid • expired? wrong type of token? • request token unauthorized • user needs to login to authorize the request token
Testing Tools • web-based test server and client by Andy Smith (http://term.ie/oauth/example) • Endpointr, mac desktop app by Jon Crosby
Issues • service provider documentation • files • granular permissions • timestamp and nonce verification • vague tokentokens consumers check expiration, for expired
Current Status • OAuth Core 1.0 Final (Dec 2007) • OAuth Discovery 1.0 Draft 2 • Libraries: • coldfusion • csharp • java • javascript • maven • obj-c • obj-c1 • perl • php • python • ruby
Service Provider Implementations • 88 Miles • Google Contacts API • Ma.gnolia • Pownce • Thmbnl • Yahoo! Fire Eagle http://wiki.oauth.net/ServiceProviders
More Info • main site: http://oauth.net • spec: http://oauth.net/core/1.0 • code: http://code.google.com/p/oauth • mailing list: http://groups.google.com/group/oauth • wiki: http://wiki.oauth.net • Pownce API: http://pownce.com/api
Thanks! ugly logo!

Recommended

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 

Recommended

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the WildVictor Rentea
 
API Design- Best Practices
API Design- Best PracticesAPI Design- Best Practices
API Design- Best PracticesPrakash Bhandari
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 

More Related Content

What's hot

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 

What's hot (20)

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OAuth
OAuthOAuth
OAuth
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
API Design- Best Practices
API Design- Best PracticesAPI Design- Best Practices
API Design- Best Practices
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 

Viewers also liked

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.Lorenzo Cassulo
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Informatica push down optimization implementation
Informatica push down optimization implementationInformatica push down optimization implementation
Informatica push down optimization implementationdivjeev
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityApigee | Google Cloud
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and AuthorizationConFoo
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui
 
MongoDB - The database strikes back
MongoDB - The database strikes back MongoDB - The database strikes back
MongoDB - The database strikes back Steven Cooper
 
NEPHP '12: Create a RESTful API
NEPHP '12: Create a RESTful APINEPHP '12: Create a RESTful API
NEPHP '12: Create a RESTful APIAndrew Curioso
 
Tomboy Web Sync Explained
Tomboy Web Sync ExplainedTomboy Web Sync Explained
Tomboy Web Sync ExplainedMohan Krishnan
 
Angular meteor for angular devs
Angular meteor for angular devsAngular meteor for angular devs
Angular meteor for angular devsArc & Codementor
 

Viewers also liked (20)

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
Single Sign on e OpenID
Single Sign on e OpenIDSingle Sign on e OpenID
Single Sign on e OpenID
 
Oauth
OauthOauth
Oauth
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Informatica push down optimization implementation
Informatica push down optimization implementationInformatica push down optimization implementation
Informatica push down optimization implementation
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in Security
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
MongoDB - The database strikes back
MongoDB - The database strikes back MongoDB - The database strikes back
MongoDB - The database strikes back
 
NEPHP '12: Create a RESTful API
NEPHP '12: Create a RESTful APINEPHP '12: Create a RESTful API
NEPHP '12: Create a RESTful API
 
Tomboy Web Sync Explained
Tomboy Web Sync ExplainedTomboy Web Sync Explained
Tomboy Web Sync Explained
 
Angular meteor for angular devs
Angular meteor for angular devsAngular meteor for angular devs
Angular meteor for angular devs
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuth
 

Similar to Implementing OAuth

OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,apidays
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 

Similar to Implementing OAuth (20)

OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuth
 
Maintest3
Maintest3Maintest3
Maintest3
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 

Recently uploaded

Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Recently uploaded (20)

Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

Implementing OAuth

  • 2. Pownce and OAuth • Pownce launched (June 2007) • developers wanted an API • became involved with OAuth (Aug 2007) • public read-only API (Oct 2007) • full API with OAuth (Mar 2008) • 200+ apps built on Pownce API
  • 3. Me and OAuth • an author of the specification • wrote first library (Python) • maintain Python library • maintain Pownce API OAuth implementation
  • 4. What is OAuth? A simple open standard for secure API authentication. http://oauth.net
  • 5. The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application” Pownce AIM bot
  • 6. Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 7. Just like... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others... http://flickr.com/photos/bees/2504039638/
  • 9. Who is it for? • Serviceauthorizationhavecertain functions Providers - an web API that needs for • Consumers -encourages) OAuth that want to use an API requires (or
  • 10. Goals: Be Simple • standard for website API authentication • consistent for developers • easy for end users to understand * * this is hard
  • 11. Goals: Be Secure • secure for end users • easy to implement security features for website developers • 3rd party developers don’t have access to passwords • balance security with ease of use
  • 12. Goals: Be Open • any website can implement OAuth • any 3rd party developer can use OAuth • open source client libraries • community-designed technical specifications
  • 13. Goals: Be Flexible • authentication method agnostic • users don’t need a username and password • can use OpenID (or not!) • whatever auth works best for the service • 3rd party developers don’t handle auth
  • 14. Is OAuth different from OpenID? Yes. (short answer)
  • 15. Is OAuth different from OpenID? OpenID - user identification by provider URL, login on provider site. OAuth - API authorization and permissions, any form of user identification, login on provider site. (medium answer)
  • 16. Is OAuth different from OpenID? http://www.pointy-stick.com/blog/2008/03/13/ explanation-difference-between-openid-and-oauth/ (long answer)
  • 17. What the end user sees... Web Consumer Ma.gnolia and Nsyght I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.
  • 18. OMG! Need to log in!
  • 19. Login with service provider service provider’s site! alternative login method not username/password
  • 21. Done!
  • 22. Web flow Request Token! Nsyght Ma.gnolia API calls asks for request token returns request token ...
  • 23. Authorize! user sent http redirect to ma.gnolia with request token in URL user logs in and/or authorizes nsyght redirected back ... to nsyght with (authorized) ... request token Nsyght Ma.gnolia
  • 24. Access Token! ask for access API calls token with authorized request token request token exchanged for access token nsyght stores access token Nsyght Ma.gnolia
  • 25. use the access token... by Blaine Cook
  • 26. What the end user sees... Desktop Consumer Pownce and PownceAIM I’d like to get alerts about new Pownce notes via AIM.
  • 27. OMG! Need to log in!
  • 28. Login with service provider service provider’s site!
  • 29. Authorize click “Okay!”
  • 31. Desktop flow Request Token! PownceAIM Pownce API calls asks for request token returns request token ...
  • 32. Authorize! user sent user follows link to Pownce with request token in URL user logs in and/or authorizes PownceAIM user tells ... PownceAIM that auth is ... complete PownceAIM Pownce
  • 33. Access Token! ask for access API calls token with authorized request token request token exchanged for access token PownceAIM stores access token PownceAIM Pownce
  • 34. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 35. OAuth Setup • Service provider gives documentation of authorization URLs and methods • Consumer registers an application with the service provider
  • 36. Service Provider Documentation • Request token endpoint • Authorization endpoint • Access token endpoint • Accepted request method(s) (GET, POST, PUT, etc...) • Signature method(s) • Extra parameters (non-oauth) • Any specific notes about OAuth for that provider
  • 38. Register a Consumer Application • Consumer gives service provider data about the application (name, creator, url etc...) • Service provider assigns the application a consumer key and consumer secret
  • 39. Registering a Fire Eagle Application consumer app sign up page https://fireeagle.yahoo.net/developer/create
  • 40. Registering a Fire Eagle Application Done! oooh! https://fireeagle.yahoo.net/developer/manage
  • 41. OAuth Objects - Consumer consumer key • assigned during consumer registration • passed as a request parameter consumer secret • assigned during consumer registration • used for signing (e.g. HMAC-SHA1)
  • 42. OAuth Objects - Consumer
  • 43. OAuth Objects - Token token key • unique string granted by service provider • passed as a request parameter • same variable name (oauth_token_key) for both request and access type tokens token secret • also granted by service provider • same variable name (oauth_token_secret) for both request and access type tokens
  • 45. OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce • oauth_version
  • 46. Where is this information passed? (in order of preference) • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
  • 47. Timestamp and Nonce oauth_timestamp • seconds since Unix epoch (unless otherwise specified by service provider) • must be equal or greater than previous request oauth_nonce • random string per timestamp / request • attempt to stop replay attacks
  • 48. Signing Requests oauth_signature_method • HMAC-SHA1 • RSA-SHA1 • PLAINTEXT oauth_signature • string constructed according to the chosen signature method
  • 50. Signature Methods HMAC-SHA1 • construct thewith a ‘&’: base string by joining signature the following 1. http request method (e.g. GET) 2. http url (endpoint url) 3. normalized request parameters (sorted by name) • key = encoded consumer secret and token secret separated by an ‘&’
  • 51. Signature Methods HMAC-SHA1
  • 52. Signature Methods HMAC-SHA1 Example base string: GET &http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml &oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j %26oauth_nonce%3DD81FBEDC-1050-40EE- B899-21A1E07C4EC5 %26oauth_signature_method%3DHMAC-SHA1 %26oauth_timestamp%3D1211254098 %26oauth_token%3D0qic7f318nj42ogm %26oauth_version%3D1.0 Example signature: oauth_signature=quot;UFHiNYSf++3N18oTZ864IAGlvxU%3Dquot;
  • 53. Signature Methods PLAINTEXT • should be used over a secure channel (SSL) • no base string • url-encoded consumer ‘&’ and token secret secret separated by an
  • 54. Signature Methods PLAINTEXT Ex: oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3
  • 55. Signature Methods RSA-SHA1 • sign signature base string private key and with Consumer’s RSA the • verify with Consumer’s RSA public key • same signature base string as HMAC-SHA1 • still in development for most OAuth libraries
  • 56. Big Fatty Example PownceAIM and Pownce warning: screen shots might not match text.
  • 57. PownceAIM Pownce API call asks for request token Authorization: OAuth realm=quot;http://api.pownce.com/quot;, oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;7A4blmAxXMDPmCQuTBR4CocpdNo%3Dquot;, oauth_timestamp=quot;1211257266quot;, oauth_nonce=quot;9BD703ED-EBA0-4B79-B9F2-AA09C9945D4Bquot;, oauth_version=quot;1.0quot; returns request token oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8
  • 58. PownceAIM Pownce user follows link user sent user logs in to Pownce with and/or authorizes request token in PownceAIM URL http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8
  • 59. let’s pretend the user is logged in to the Pownce site click “Okay!”
  • 60. PownceAIM cue to PownceAIM that request token has been user tells PownceAIM authorized that auth is complete
  • 61. PownceAIM Pownce API calls ask for access Authorization: OAuth realm=quot;http://api.pownce.com/quot;, token with oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, authorized oauth_token=quot;3fjay66o4x78j4c8quot;, oauth_signature_method=quot;HMAC-SHA1quot;, request token oauth_signature=quot;6A87eXJ8MimMnCHfRM1hedEPHG4%3Dquot;, oauth_timestamp=quot;1211258114quot;, oauth_nonce=quot;F85482A6-B1BC-4580-95B2-0E51300CBEF7quot;, oauth_version=quot;1.0quot; request token PownceAIM stores exchanged for access token access token oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2
  • 62. PownceAIM Pownce API calls ask for Authorization: OAuth realm=quot;http://api.pownce.com/quot;, protected resource oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_token=quot;oixvd0538vmw3hm2quot;, (note list) oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3Dquot;, oauth_timestamp=quot;1211258746quot;, oauth_nonce=quot;DE648679-003B-42B5-806A-F185D0714EEBquot;, oauth_version=quot;1.0quot; <?xml version=quot;1.0quot; encoding=quot;utf-8quot;?> return API <notes> <note> data <body>Check out my website Leah!</body> <permalink>http://pownce.com/iamcal/notes/2211344/</permalink> <sender> <user> <username>iamcal</username> ...
  • 63. Managing Tokens • request token expiration • access token expiration • end user token management
  • 65. HTTP Errors • 400 Bad Request • unsupported parameter • unsupported signature method • missing required parameter • duplicate OAuth parameter • 401 Unauthorized • invalid consumer key • invalid / expired token • invalid signature (signature does not match) • invalid / used nonce
  • 66. Common Errors • signature does not match • providers can show expected base string • token is invalid • expired? wrong type of token? • request token unauthorized • user needs to login to authorize the request token
  • 67. Testing Tools • web-based test server and client by Andy Smith (http://term.ie/oauth/example) • Endpointr, mac desktop app by Jon Crosby
  • 68. Issues • service provider documentation • files • granular permissions • timestamp and nonce verification • vague tokentokens consumers check expiration, for expired
  • 69. Current Status • OAuth Core 1.0 Final (Dec 2007) • OAuth Discovery 1.0 Draft 2 • Libraries: • coldfusion • csharp • java • javascript • maven • obj-c • obj-c1 • perl • php • python • ruby
  • 70. Service Provider Implementations • 88 Miles • Google Contacts API • Ma.gnolia • Pownce • Thmbnl • Yahoo! Fire Eagle http://wiki.oauth.net/ServiceProviders
  • 71. More Info • main site: http://oauth.net • spec: http://oauth.net/core/1.0 • code: http://code.google.com/p/oauth • mailing list: http://groups.google.com/group/oauth • wiki: http://wiki.oauth.net • Pownce API: http://pownce.com/api
  • 72. Thanks! ugly logo!