OAuth
Usage Rights: CC Attribution License
OAuth Presentation Transcript

  • 1. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
  • 2. Community Driven
  • 3. Extraction of Existing Patterns
  • 4. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
  • 5. Web-Native
  • 6. So how does it work?
  • 7. The User
  • 8. Jane
  • 9. Her Protected Resources Jane
  • 10. Jane
  • 11. Jane A Service Provider
  • 12. Jane
  • 13. Jane And a Consumer
  • 14. Jane
  • 15. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
  • 16. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
  • 17. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
  • 18. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
  • 19. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
  • 20. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
  • 21. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
  • 22. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
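Steps 2 through 5 above describe one procedure: a request token is issued to the consumer, the user authorizes it at the service provider, the consumer exchanges it once for an access token, and the access token is later used (or revoked, as slide 23 notes). The following is an added example, not code from the presentation or from Flickr or Moo, that models that lifecycle on the service provider's side. Names such as TokenService, run_dance, and the consumer key "moo" are illustrative; signature checking on each request is assumed to happen elsewhere and is left out here.

```python
"""Model of the Request Token -> Authorize -> Access Token dance from Steps 2-5 (added example)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    key: str
    secret: str
    consumer_key: str                    # the consumer the token was issued to
    authorized_by: Optional[str] = None  # user who approved it (set in Step 3)
    spent: bool = False                  # request token already exchanged (Step 4 is one-shot)
    revoked: bool = False                # user withdrew permission (slide 23)


class TokenService:
    """The service provider's role (Flickr on the slides): issues request tokens, records
    the user's approval, exchanges an authorized request token exactly once, honours revocation."""

    def __init__(self, consumer_keys):
        self.consumer_keys = set(consumer_keys)  # registered consumers (hypothetical key "moo")
        self.request_tokens = {}
        self.access_tokens = {}

    @staticmethod
    def _new_token(consumer_key):
        return Token(secrets.token_urlsafe(12), secrets.token_urlsafe(12), consumer_key)

    # Step 2: the consumer asks for a Request Token (its signed request is assumed verified).
    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumer_keys:
            raise PermissionError("unknown consumer")
        tok = self._new_token(consumer_key)
        self.request_tokens[tok.key] = tok
        return tok.key, tok.secret

    # Step 3: the user, on the provider's own site, authorizes that Request Token.
    def authorize(self, request_token, user):
        tok = self.request_tokens.get(request_token)
        if tok is None or tok.spent:
            return False
        tok.authorized_by = user
        return True

    # Step 4: only the consumer that obtained the token may exchange it, only once,
    # and only after the user authorized it.
    def exchange(self, consumer_key, request_token):
        tok = self.request_tokens.get(request_token)
        if tok is None or tok.consumer_key != consumer_key or tok.authorized_by is None or tok.spent:
            return None
        tok.spent = True
        access = self._new_token(consumer_key)
        access.authorized_by = tok.authorized_by
        self.access_tokens[access.key] = access
        return access.key, access.secret

    # Step 5: the provider maps an Access Token back to its owner internally; the consumer
    # itself never learns who the user is (slide 23: "No identity information").
    def resource_owner(self, consumer_key, access_token):
        tok = self.access_tokens.get(access_token)
        if tok is None or tok.revoked or tok.consumer_key != consumer_key:
            return None
        return tok.authorized_by

    # Slide 23: tokens (permissions) can be revoked by the user at any time.
    def revoke(self, user, access_token):
        tok = self.access_tokens.get(access_token)
        if tok is None or tok.authorized_by != user:
            return False
        tok.revoked = True
        return True


def run_dance():
    """Walk the flow from the slides; returns each step's outcome for inspection."""
    flickr = TokenService({"moo"})
    req, _ = flickr.issue_request_token("moo")
    early = flickr.exchange("moo", req)           # Step 4 before Step 3: refused (None)
    flickr.authorize(req, "jane")
    access = flickr.exchange("moo", req)          # now succeeds
    again = flickr.exchange("moo", req)           # request token is single-use: None
    owner = flickr.resource_owner("moo", access[0])
    flickr.revoke("jane", access[0])
    after_revoke = flickr.resource_owner("moo", access[0])
    return early, access is not None, again, owner, after_revoke
```

The two checks that matter for a provider are in exchange(): the request token must carry the user's authorization before it can be traded for an access token, and it can be traded only once; a revoked access token is then treated exactly like one that never existed.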
  • 23. Things to Note (non-obvious) • No identity information. Moo doesn’t know who Jane is on Flickr. • The Consumer could be anonymous. • The User could be anonymous (where permission is implicit), providing verified User-Agent. • API-independent. • Tokens (permissions) can be revoked.
  • 24. Signatures • Currently three methods: • HMAC-SHA1 (shared secrets + hash) • PLAINTEXT (shared secrets + SSL) • RSA-SHA1 (PKI)
  • 25. Signatures • Signature Base String is what we called the signed bits. It includes: • URI • Request Parameters • OAuth Parameters • Does NOT sign HTTP Headers, non x-www-form-urlencoded HTTP Body.
  • 26. Signatures • Not just limited to HTTP. • Signature method exists for XMPP, methods could be described for any protocol. • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
  • 27. OAuth Request Example
  • 28. The Request
    GET /photos?size=original&file=vacation.jpg HTTP/1.1
    Host: photos.example.net:80
  • 29. The Request, with OAuth
    GET /photos?size=original&file=vacation.jpg HTTP/1.1
    Host: photos.example.net:80
    Authorization: OAuth realm="http://photos.example.net/photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="nnch734d00sl2jdk",
        oauth_nonce="kllo9940pd9333jh",
        oauth_timestamp="1191242096",
        oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0",
        oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
  • 30. How did we get there? • Collect the following: • Consumer Key & Secret • Access Token & Secret • Timestamp and Nonce • Request Parameters (normalized) • Destination URI and HTTP method
  • 31. Request Example
    GET /photos?size=original&file=vacation.jpg HTTP/1.1
    Host: photos.example.net:80
    Authorization: OAuth realm="http://photos.example.net/photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="nnch734d00sl2jdk",
        oauth_nonce="kllo9940pd9333jh",
        oauth_timestamp="1191242096",
        oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0",
        oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
    Signature Base String:
    GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
  • 32. HTTP Request Method (same request and Signature Base String as slide 31; the method "GET" is the first element of the base string)
  • 33. Request URI (same request and Signature Base String as slide 31; the encoded base URI "http://photos.example.net/photos", without port or query string, is the second element)
  • 34. Request Parameters (same request and Signature Base String as slide 31; the sorted, encoded query and oauth_* parameters form the third element)
  • 35. Request Parameters (same request as slide 31)
    Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)
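Slides 30 through 35 walk through building the Signature Base String and signing it with HMAC-SHA1. The code below is an added example, not the presentation's own, that carries that procedure through in Python for the exact request on the slides and then shows the service provider's side: recomputing the signature, comparing it in constant time, and rejecting stale timestamps and replayed nonces. The slides show only the public consumer key and token; the two secrets used here ("kd94hf93k423kf44" and "pfkkdhi9sl3r4s00") are the matching example secrets from Appendix A of the OAuth Core 1.0 specification, from which this request is taken. SignatureVerifier, sign_slide_request and demo_verification are illustrative names.

```python
"""OAuth 1.0 HMAC-SHA1 signing and verification for the request on the slides (added example)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value):
    """Percent-encode per OAuth 1.0 / RFC 3986: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="")


def base_uri(url):
    """Lowercase scheme and host, drop default ports, drop query string and fragment."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def normalized_params(query_params, oauth_params):
    """Encode every name and value, sort by encoded name then value, join with '=' and '&'.
    oauth_signature is never part of the base string; realm belongs to the header only."""
    pairs = [(oauth_encode(k), oauth_encode(v)) for k, v in query_params]
    pairs += [(oauth_encode(k), oauth_encode(v)) for k, v in oauth_params.items()
              if k not in ("oauth_signature", "realm")]
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))


def signature_base_string(method, url, oauth_params):
    """method & encode(base URI) & encode(normalized parameters), as on slide 31."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "&".join([method.upper(), oauth_encode(base_uri(url)),
                     oauth_encode(normalized_params(query, oauth_params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is encode(consumer secret) & encode(token secret); result is base64 of the HMAC."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def authorization_header(realm, oauth_params, signature):
    fields = [f'realm="{realm}"'] + [f'{k}="{oauth_encode(v)}"' for k, v in oauth_params.items()]
    fields.append(f'oauth_signature="{oauth_encode(signature)}"')
    return "OAuth " + ", ".join(fields)


class SignatureVerifier:
    """Service-provider side: recompute from its own copy of the secrets, compare in constant
    time, and refuse requests whose timestamp is outside the window or whose nonce was seen."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen = set()  # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_secret = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return False
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True


# The request from the slides (OAuth Core 1.0 Appendix A). The secrets are the spec's example
# secrets; the slides themselves show only the public key and token.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
OAUTH_PARAMS = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
                "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
                "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}


def sign_slide_request():
    """Returns (base string, signature, Authorization header) for the slides' request."""
    base = signature_base_string("GET", URL, OAUTH_PARAMS)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    return base, sig, authorization_header("http://photos.example.net/photos", OAUTH_PARAMS, sig)


def demo_verification():
    """(tampered query rejected, genuine request accepted, identical replay rejected)."""
    sp = SignatureVerifier({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    signed = dict(OAUTH_PARAMS, oauth_signature=sign_slide_request()[1])
    now = 1191242096 + 10  # constructed clock: 10 s after the request's timestamp
    tampered = sp.verify("GET", URL.replace("vacation.jpg", "private.jpg"), signed, now=now)
    genuine = sp.verify("GET", URL, signed, now=now)
    replay = sp.verify("GET", URL, signed, now=now)
    return tampered, genuine, replay
```

Two details the slides state but that are easy to get wrong in practice: the parameters are percent-encoded before sorting and then the whole normalized string is encoded a second time when it is joined into the base string, and the header's oauth_signature value is the base64 signature percent-encoded once more, which is why "tR3+Ty81lMeYAr/Fid0kMTYa/WM=" appears on the slide as "tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D". The nonce and timestamp checks in the verifier are what slide 30 collects them for: without them a captured request would verify just as well on the second delivery.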
  • 36. Issues • Documentation. • Spec is precise, not ideal for implementors. • Harder than HTTP Basic Auth. • Concerns of API usage dropoff due to user loss during the redirect step. • Not perfect. Doesn’t solve phishing / brute force attacks.