16. The Problem
fake
: Hi Jane, what’s your username?
: I dunno, jane@hotmail.com?
fake
: Okay, great! What’s your password?
: h4pp1n3ss
fake : Brilliant! We’ll steal your credit card details using your
email account print those photos right away!
17. Step 1: Intent
: Hey, ! I need to print out some that
are on , but I marked them as private.
Could you print them for me?
: Sure, but first I need to ask for permission.
18. Step 2: Request Token
: “Hi ! This is ! Can I have a Request Token?
HMAC-SHA1 (Yours Truly, Moo.)”
: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V
and your secret is: 1Hv0pzNXMXdEfBd”
: Great, thanks!
19. Step 3: Authorize Request Token
: Hey, could you go to flickr and authorize
this Request Token: 9iKot2y5UQTDlS2V?
Once you do that, I can access your .
: Sure, one sec! My browser’s great at redirects,
so this won’t hurt a bit.
20. Step 3, Continued
: , I’d like to authorize 9iKot2y5UQTDlS2V
: Sure - just to be sure, you’re authorizing for
read-only access to your private photos?
We trust them, so it’s pretty safe.
: Yup, that’s right!
: Cool. Now, go back and tell to go ahead.
21. Step 3, Optional Notify
: Hey, , I gave permission to and they
said you could go ahead.
: Awesome, thanks! I’ll get right on that.
22. Step 4: Exchange Token
Hey, . Could I exchange this token:
9iKot2y5UQTDlS2V for the Access Token?
HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz
and your Secret is: 4Fc8bwdKNGSM0iNe”
: Great, thanks!
23. Step 5: Access Data
Dear , I’d like to access the photos that
are owned by 94S3sJVmuuxSPiZz.
HMAC-SHA1 (Yours Truly, Moo.)
: Here they are!
Any other requests?
24. Things to Note (non-obvious)
• No identity information. Moo doesn’t know
who Jane is on Flickr.
• The Consumer could be anonymous.
• The User could be anonymous (where
permission is implicit), providing verified
User-Agent.
• API-independent.
• Tokens (permissions) can be revoked.
26. Signatures
• Signature Base String is what we called the
signed bits. It includes:
• URI
• Request Parameters
• OAuth Parameters
• Does NOT sign HTTP headers, nor an HTTP body that is
not x-www-form-urlencoded.
27. Signatures
• Not just limited to HTTP.
• Signature method exists for XMPP,
methods could be described for any
protocol.
• Did we mention it’s extensible? Easy to
describe extensions to sign, for example,
multi-part HTTP bodies.
30. The Request, with OAuth
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos"
oauth_consumer_key="dpf43f3p2l4k3l03"
oauth_token="nnch734d00sl2jdk"
oauth_nonce="kllo9940pd9333jh"
oauth_timestamp="1191242096"
oauth_signature_method="HMAC-SHA1"
oauth_version="1.0"
oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
31. How did we get there?
• Collect the following:
• Consumer Key & Secret
• Access Token & Secret
• Timestamp and Nonce
• Request Parameters (normalized)
• Destination URI and HTTP method
32. Request Example
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos"
oauth_consumer_key="dpf43f3p2l4k3l03"
oauth_token="nnch734d00sl2jdk"
oauth_nonce="kllo9940pd9333jh"
oauth_timestamp="1191242096"
oauth_signature_method="HMAC-SHA1"
oauth_version="1.0"
oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
Signature Base String:
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
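An added worked example (not from the slides) that rebuilds the Signature Base String shown above from the request's URI, query and oauth_* parameters, then signs and verifies it with HMAC-SHA1 the way the server side would. The consumer and token secrets are constructed placeholders, since the slides do not show them; the realm is deliberately left out because it is not part of the base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# The request from the slide: query parameters plus the oauth_* parameters
# (without oauth_signature). "realm" is an Authorization-header attribute,
# not an OAuth protocol parameter, so it is not included.
REQUEST_URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
REQUEST_PARAMS = {
    "size": "original", "file": "vacation.jpg",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}
# Constructed placeholder secrets (the real ones are never sent on the wire).
CONSUMER_SECRET = "consumer-secret-placeholder"
TOKEN_SECRET = "token-secret-placeholder"

def oauth_encode(value: str) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay bare.
    return quote(value, safe="-._~")

def base_uri(url: str) -> str:
    # scheme://host/path, lower-cased, default port dropped, no query string.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode every name/value, sort, join with '&', then encode the whole
    # normalized string once more as the third piece of the base string.
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_uri(url)), oauth_encode(normalized)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    # Key is encoded consumer secret + '&' + encoded token secret; output is base64.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> dict:
    base = signature_base_string(method, url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}

def verify_request(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> bool:
    # Server side: recompute from the received parameters and compare in constant time.
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Note that a changed query value breaks verification, while a changed HTTP header would not, which is exactly the "does NOT sign HTTP headers" caveat from the Signatures slide.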
37. Issues
• Documentation.
• Spec is precise, not ideal for implementors.
• Harder than HTTP Basic Auth.
• Concern about API usage drop-off due to users
being lost during the redirect step.
• Not perfect. Doesn’t solve phishing / brute
force attacks.