OAuth In The Real World : 10 actual implementations you can't guess



  1. OAuth in the Real World. APIdays Berlin
  2. @medjawii OAuth.io@medjawii APIscene.com.
  3. Are you getting the maximum from OAuth?
  4. Identity provider, Identity consumer (Application), User
  5. OAuth provider, OAuth consumer (Application), User
  6. (no text)
  7. (no text)
  8. OAuth provider, OAuth consumer (Application), User
  9. The business value data is concentrated mainly on the provider and the consumer. OAuth provider, OAuth consumer (Application), User
  10. OAuth makes it possible to concentrate the business value data on the provider side.
  11. The tale of 2 OAuth...
  12. OAuth 1.0/1.0a - Released in October 2007 - Revised in June 2009 (Revision A) - Hard to implement with signatures, no expiration of tokens, no control over the level of access requested. Some implementations have tried to get around these problems, which causes interoperability issues.
  13. OAuth 2.0 - Non-backward-compatible alternative. - Several drafts from January 2010 onward; published as RFC 6749 in October 2012 - Facebook and many others implemented it before it was final - OAuth 2.0 is more flexible, with a wide range of non-interoperable implementations - Less secure than OAuth 1.0, relying on SSL connections rather than signatures to protect the user's access token - Easier to implement when developing clients
  14. The tale of 2 OAuth...
  15. The tale of too many OAuth...
  16. 10 OAuth implementations you can't guess... that differ from RFC 6749
  17. FACEBOOK - Refresh token: grant_type: "refresh_token" => grant_type: "fb_exchange_token"; refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}" - Scope "notation": friends_actions.music,friends_actions.video (the separator is "," instead of "%20")
  18. DEEZER - client_id -> app_id=... - scope -> perms=email,read_friendlists... - state=... [not documented] - response_type=code [useless] - "Facebook is the standard"
  19. GOOGLE - More parameter options for the authorization form: access_type: to choose whether a refresh_token is sent or not; approval_prompt: to force the pop-up even if we are already connected; login_hint: to select an account or prefill the email address; include_granted_scopes: to add more authorizations ("incremental authorization")
  20. FOURSQUARE - "Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up." - No scope.
  21. SALESFORCE - Added custom authorization parameters: immediate: whether the user should be prompted for login and approval; display: template (web, mobile, popup); login_hint: to prefill an email; prompt: prompt the user for reauthorization or reapproval
  22. SALESFORCE - The authorization returns custom fields: - "instance_url": the API URL bound to a resource server; this is the only way to receive the domain - a signature: can be used to verify that the identity URL was not modified (id & date signed with a private key) - issued_at instead of expires_in: Salesforce prefers to give the issue time instead of the expiration duration - id_token: to support OpenID - UX for creating an app (4 not-so-easy-to-find mouse clicks between login & the app creation form)
  23. VK - Added authorization parameters: API version - The authorization returns the user id, which is needed to call the API relative to the authorized user (there is no /me/..., /self/... or similar). Instead of: access_token: xxx -> /user/me?access_token=xxx, you have: access_token: xxx, user_id: yyy -> /user/yyy?access_token=xxx
  24. 23ANDME - Scope "notation": profile:write profile:read
  25. TENCENT WEIBO - Authorization parameters: Chinese language only; oauth_version=2.a (useless parameter). Extra: Chinese/English documentation for OAuth 1.0, but Chinese-only documentation for OAuth 2.0
  26. And this is not exhaustive.
  27. API CALLS AUTHORIZATION - api.provider.com/path/action?access_token=TOKEN - api.provider.com/path/action?oauth_token=TOKEN - api.provider.com/path/action?token=TOKEN - Authorization HTTP header: Bearer TOKEN - Authorization HTTP header: OAuth TOKEN
  28. SCOPE - scope=email%20publish - scope=email,publish - scope=email;publish - scope=email:publish - scope=email|publish - scope=read_only or scope=read_write
  29. THE "STATE" PARAM - nonexistent (Dailymotion, Eventbrite...), so you have to put it in the callback - undocumented (WordPress, Deezer...) - impossible (angelist.co, "fixed callback URL")
  30. WHAT YOU SHOULD NOT TELL ABOUT OAUTH! - "OAuth is not so hard to understand" - "It will be easier to do it in this non-standard way" - "Developers just have to read our documentation"
  31. Introducing OAuth 3.0
  32. APRIL FOOL: INTRODUCING OAUTH 3.0 - "0 token" paradigm - No more secret key, everything public. The huge majority did not understand...
  33. WHAT YOU SHOULD NOT TELL YOURSELF ABOUT OAUTH - "OAuth is not so hard to understand" - "It will be easier to do it in this non-standard way" - "Developers just have to read our documentation"
  34. Even if you are right, 3rd-party developers will be lost... because other providers already did it wrong before you.
  35. WHAT YOU SHOULD NOT TELL YOURSELF ABOUT OAUTH - "OAuth is not so hard to understand" - "It will be easier to do it in this non-standard way" - "Developers just have to read our documentation"
  36. "From a design perspective, documentation is a bug, not a feature." It is the most important, but the last, place to find information.
  37. OAuth.io
  38. 100+ providers unified and simplified
  39. To retrieve your token
  40. PROCESS - Register on OAuth.io - Click on the OAuth provider you want in the list - Share your credentials - Click on "try me". That's it, you have your token, 90 seconds after signup.
  41. What about generating a pop-up?
  42. OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('facebook', function(err) { if (err) { /* do something with the error */ } });
  43. OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('twitter', function(err) { if (err) { /* do something with the error */ } });
  44. OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('salesforce', function(err) { if (err) { /* do something with the error */ } });
  45. OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('yourcompany', function(err) { if (err) { /* do something with the error */ } });
  46. And for deeper API calls?
  47. OAuth.popup('twitter', function(err, res) { if (err) { /* do something with the error */ return; } res.get('/1.1/account/verify_credentials.json').done(function(data) { alert('Hello ' + data.name); }); });
  48. OAuth.popup('twitter', function(err, res) { if (err) { /* do something with the error */ return; } res.get('/1.1/account/verify_credentials.json').done(function(data) { alert('Hello ' + data.name); }); }); No need to call your own server to sign your API request and send it back. No more access token management; it is now completely abstracted. It feels lighter, right?
  49. For web and mobile
  50. Open source: oauthd, for an on-premises implementation to consume your own OAuth: https://github.com/oauth-io/oauthd. Easy contribution process, with a small JSON file to fill in on GitHub.
  51. THANK YOU
