OAuth


    OAuth - Presentation Transcript

    1. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
    2. Community Driven
    3. Extraction of Existing Patterns
    4. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
    5. Web-Native
    6. So how does it work?
    7. The User
    8. Jane
    9. Her Protected Resources Jane
    10. Jane
    11. Jane A Service Provider
    12. Jane
    13. Jane And a Consumer
    14. Jane
    15. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
    16. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
    17. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
    18. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
    19. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
    20. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
    21. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
    22. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
    23. Things to Note (non-obvious) • No identity information. Moo doesn’t know who Jane is on Flickr. • The Consumer could be anonymous. • The User could be anonymous (where permission is implicit), providing verified User-Agent. • API-independent. • Tokens (permissions) can be revoked.
    24. Signatures • Currently three methods: • HMAC-SHA1 (shared secrets + hash) • PLAINTEXT (shared secrets + SSL) • RSA-SHA1 (PKI)
    25. Signatures • The Signature Base String is what we called the signed bits. It includes: • URI • Request Parameters • OAuth Parameters • It does NOT sign HTTP headers, nor an HTTP body that is not x-www-form-urlencoded.
    26. Signatures • Not just limited to HTTP. • Signature method exists for XMPP, methods could be described for any protocol. • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
    27. OAuth Request Example
    28. The Request
        GET /photos?size=original&file=vacation.jpg HTTP/1.1
        Host: photos.example.net:80
    29. The Request, with OAuth
        GET /photos?size=original&file=vacation.jpg HTTP/1.1
        Host: photos.example.net:80
        Authorization: OAuth realm="http://photos.example.net/photos",
            oauth_consumer_key="dpf43f3p2l4k3l03",
            oauth_token="nnch734d00sl2jdk",
            oauth_nonce="kllo9940pd9333jh",
            oauth_timestamp="1191242096",
            oauth_signature_method="HMAC-SHA1",
            oauth_version="1.0",
            oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
    30. How did we get there? • Collect the following: • Consumer Key & Secret • Access Token & Secret • Timestamp and Nonce • Request Parameters (normalized) • Destination URI and HTTP method
    31. Request Example (the request of slide 29, with its Signature Base String)
        Signature Base String:
        GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
    32. HTTP Request Method (same request and Signature Base String as slide 31)
    33. Request URI (same request and Signature Base String as slide 31)
    34. Request Parameters (same request and Signature Base String as slide 31)
    35. Request Parameters (the request of slide 29, with the signature computation)
        Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)
    36. Issues • Documentation. • Spec is precise, not ideal for implementors. • Harder than HTTP Basic Auth. • Concerns of API usage dropoff due to user loss during the redirect step. • Not perfect. Doesn’t solve phishing / brute force attacks.
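The token dance of slides 16 through 22 (Request Token, user authorization, exchange for an Access Token, data access) and the revocation point of slide 23, with both the Service Provider and the Consumer simulated in one process. This is an added example and not code from the deck: the roles follow the slides (Flickr as Service Provider, Moo as Consumer, Jane as User), while the consumer key "moo-print", Jane's photo list and the generated token values are constructed for the example rather than the 9iKot2y5UQTDlS2V / 94S3sJVmuuxSPiZz values shown on the slides.

```python
"""OAuth 1.0 token dance of slides 16-22 with both parties in one process.
Added example; not code from the deck. Token values are generated."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    key: str
    secret: str
    consumer_key: str                    # Consumer this token was issued to
    authorized_by: Optional[str] = None  # User who approved it; None until Step 3
    revoked: bool = False


class ServiceProvider:
    """Flickr's role: it alone ever holds Jane's credentials and photos."""

    def __init__(self):
        self.request_tokens = {}
        self.access_tokens = {}
        self.photos = {"jane": ["beach.jpg", "cake.jpg"]}  # constructed private photos

    @staticmethod
    def _new_token(consumer_key):
        return Token(secrets.token_urlsafe(12), secrets.token_urlsafe(12), consumer_key)

    def issue_request_token(self, consumer_key):
        """Step 2: any Consumer may ask; the token grants nothing until approved."""
        tok = self._new_token(consumer_key)
        self.request_tokens[tok.key] = tok
        return tok.key, tok.secret

    def authorize(self, user, request_token_key):
        """Step 3: the User approves the token in her own browser session."""
        tok = self.request_tokens.get(request_token_key)
        if tok is None or tok.authorized_by is not None:
            raise PermissionError("unknown or already-approved request token")
        tok.authorized_by = user  # the Consumer is told nothing about who approved

    def exchange(self, consumer_key, request_token_key):
        """Step 4: one-shot swap, only for the issuing Consumer, only after approval."""
        tok = self.request_tokens.get(request_token_key)
        if tok is None or tok.consumer_key != consumer_key or tok.authorized_by is None:
            raise PermissionError("request token not authorized for this consumer")
        del self.request_tokens[request_token_key]  # a used request token is burned
        access = self._new_token(consumer_key)
        access.authorized_by = tok.authorized_by
        self.access_tokens[access.key] = access
        return access.key, access.secret

    def get_photos(self, consumer_key, access_token_key):
        """Step 5: data is addressed by token, never by username or password."""
        tok = self.access_tokens.get(access_token_key)
        if tok is None or tok.revoked or tok.consumer_key != consumer_key:
            raise PermissionError("invalid or revoked access token")
        return list(self.photos[tok.authorized_by])

    def revoke(self, user, access_token_key):
        """Slide 23: the User withdraws one permission without touching her password."""
        tok = self.access_tokens.get(access_token_key)
        if tok is not None and tok.authorized_by == user:
            tok.revoked = True


class Consumer:
    """Moo's role: it holds only its own key and the tokens it was handed."""

    def __init__(self, provider, consumer_key="moo-print"):  # constructed key
        self.provider, self.consumer_key = provider, consumer_key
        self.request_token = self.access_token = None

    def start(self):
        self.request_token = self.provider.issue_request_token(self.consumer_key)
        return self.request_token[0]  # this key is what Jane's browser carries to Flickr

    def finish(self, request_token_key):
        self.access_token = self.provider.exchange(self.consumer_key, request_token_key)
        return self.access_token[0]

    def fetch_photos(self):
        return self.provider.get_photos(self.consumer_key, self.access_token[0])


def attempt(action):
    """Run one protocol step and report whether the Service Provider refused it."""
    try:
        action()
        return "ok"
    except PermissionError:
        return "denied"


def run_dance():
    """Happy path plus the three misuse cases the Service Provider must refuse."""
    flickr, results = ServiceProvider(), {}
    moo = Consumer(flickr)
    req_key = moo.start()                                               # Step 2
    results["exchange_before_authorize"] = attempt(lambda: moo.finish(req_key))
    flickr.authorize("jane", req_key)                                   # Step 3
    access_key = moo.finish(req_key)                                    # Step 4
    results["request_token_reuse"] = attempt(lambda: flickr.exchange(moo.consumer_key, req_key))
    results["photos"] = moo.fetch_photos()                              # Step 5
    flickr.revoke("jane", access_key)
    results["after_revoke"] = attempt(moo.fetch_photos)
    return results
```

The Consumer class has no field for a user password at all, which is the whole point of slide 15: Moo ends up with a token scoped to Jane's photos and nothing that would let it act as Jane anywhere else, and Jane can cut it off by revoking that one token.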
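The HMAC-SHA1 signing procedure of slides 24 through 35, carried through on the exact request the slides show, together with the Service Provider-side verification the slides do not spell out. This is an added example, not code from the deck. The request values (URL, consumer key, token, nonce, timestamp) are the ones on slides 29 to 35; the consumer secret and token secret are not on the slides and are taken from the OAuth Core 1.0 Appendix A example those slides reproduce. The 300-second timestamp window and the in-memory nonce store are constructed for the example.

```python
"""OAuth 1.0 HMAC-SHA1 signing (slides 24-35) plus Service Provider-side
verification with a timestamp window and nonce replay check.
Added example; not code from the deck."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Request values exactly as shown on slides 29-35.
SLIDE_METHOD = "GET"
SLIDE_URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
SLIDE_OAUTH_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
# Not on the slides: the companion secrets from the OAuth Core 1.0 Appendix A example.
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def pct(value):
    """RFC 3986 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercased scheme and host, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method, url, oauth_params):
    """METHOD & encoded URI & encoded normalized parameters (slide 31).
    Query and oauth_* parameters are sorted together; realm and oauth_signature
    are never part of the signed bits."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is 'consumer secret & token secret' (each encoded); output is base64 (slide 35)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_slide_request():
    """The signature on slide 29, in decoded form (the header carries it percent-encoded)."""
    base = signature_base_string(SLIDE_METHOD, SLIDE_URL, SLIDE_OAUTH_PARAMS)
    return hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


class SignatureVerifier:
    """Service Provider side: recompute the signature from what was actually received,
    compare in constant time, and refuse stale timestamps and replayed nonces."""

    def __init__(self, consumer_secret, token_secret, now=time.time, window_seconds=300):
        self.consumer_secret, self.token_secret = consumer_secret, token_secret
        self.now, self.window = now, window_seconds
        self.seen = set()  # (consumer_key, timestamp, nonce); a real deployment persists this

    def verify(self, method, url, params):
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return "missing or malformed timestamp"
        if abs(self.now() - ts) > self.window:
            return "timestamp outside window"
        replay_key = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return "nonce replayed"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "signature mismatch"
        self.seen.add(replay_key)  # record only after the signature checks out
        return "ok"
```

Two details matter on the verifying side: the signature is recomputed over the request as received (so any change to a query parameter, the method or the URI fails the comparison), and the nonce is recorded only after a valid signature, so that an unauthenticated party cannot exhaust another consumer's nonce space by sending garbage.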

    Blaine, 10 months ago

    CC Attribution License