OAuth

8,699 views
8,455 views

Published on

Published in: Technology, Design
3 Comments
23 Likes
Statistics
Notes
No Downloads
Views
Total views
8,699
On SlideShare
0
From Embeds
0
Number of Embeds
128
Actions
Shares
0
Downloads
366
Comments
3
Likes
23
Embeds 0
No embeds

No notes for slide









































































  • OAuth

    1. 1. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
    2. 2. Community Driven
    3. 3. Extraction of Existing Patterns
    4. 4. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
    5. 5. Web-Native
    6. 6. So how does it work?
    7. 7. The User
    8. 8. Jane
    9. 9. Her Protected Resources Jane
    10. 10. Jane
    11. 11. Jane A Service Provider
    12. 12. Jane
    13. 13. Jane And a Consumer
    14. 14. Jane
    15. 15. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
    16. 16. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
    17. 17. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
    18. 18. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
    19. 19. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
    20. 20. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
    21. 21. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
    22. 22. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
    23. 23. Things to Note (non-obvious) • No identity information. Moo doesn’t know who Jane is on Flickr. • The Consumer could be anonymous. • The User could be anonymous (where permission is implicit), providing verified User-Agent. • API-independent. • Tokens (permissions) can be revoked.
    24. 24. Signatures • Currently three methods: • HMAC-SHA1 (shared secrets + hash) • PLAINTEXT (shared secrets + SSL) • RSA-SHA1 (PKI)
    25. 25. Signatures • Signature Base String is what we called the signed bits. It includes: • URI • Request Parameters • OAuth Parameters • Does NOT sign HTTP Headers, non x-www-form-urlencoded HTTP Body.
    26. 26. Signatures • Not just limited to HTTP. • Signature method exists for XMPP, methods could be described for any protocol. • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
    27. 27. OAuth Request Example
    28. 28. The Request GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80
    29. 29. The Request, with OAuth GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot;
    30. 30. How did we get there? • Collect the following: • Consumer Key & Secret • Access Token & Secret • Timestamp and Nonce • Request Parameters (normalized) • Destination URI and HTTP method
    31. 31. Request Example GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
    32. 32. HTTP Request Method GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
    33. 33. Request URI GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
    34. 34. Request Parameters GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
    35. 35. Request Parameters GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file %3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal)
    36. 36. Issues • Documentation. • Spec is precise, not ideal for implementors. • Harder than HTTP Basic Auth. • Concerns of API usage dropoff due to user loss during the redirect step. • Not perfect. Doesn’t solve phishing / brute force attacks.

    ×