OAuth 2 at Webvisions
Upcoming SlideShare
Loading in...5

OAuth 2 at Webvisions






Total Views
Views on SlideShare
Embed Views



3 Embeds 713

http://aaronparecki.com 674
http://pk2.dev 37
http://pk.dev 2



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • It was common to see third party sites asking for your Twitter or Email passwords to log you in. Obviously you should be reluctant to hand over your login information to some other site.
  • Problem is it’s really hard to get the signatures right as a third party, and you have to have a real solid understanding of it if you’re going to implement it on your server.
  • Problem is it’s really hard to get the signatures right as a third party, and you have to have a real solid understanding of it if you’re going to implement it on your server.
  • OAuth 2 recognizes the challenges of requiring signatures and nonces, and moves to a model where all data is transferred using the built-in encryption of HTTPS.
  • Many sites are adopting the new OAuth 2 spec.http://windowsteamblog.com/windows_live/b/developer/archive/2011/05/04/announcing-support-for-oauth-2-0.aspxhttp://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html
  • Make sure to keep the refresh token around
  • ----- Meeting Notes (2012-01-19 13:22) -----I went through an access token using the "auth code" grant type. Since OAuth is designed for more than just web apps, there are other grant types available.----- Meeting Notes (2012-01-19 13:33) -----Ther'es more than one way to get an access token

OAuth 2 at Webvisions OAuth 2 at Webvisions Presentation Transcript

  • OAuth 2: A Brief Overview Aaron Parecki • @aaronpk WebVisions • New York, January 2012
  • Before OAuth aka the Dark Ages If a third party wanted access to an account, you’d give them your password.aaron.pk/oauth2 @aaronpk
  • Before OAuth 1.0 Many sites implemented things similar to OAuth 1.0, with slight differences between them.  Flickr: “FlickrAuth” frobs and tokens  Google: “AuthSub”  Facebook: requests signed with MD5 hashesaaron.pk/oauth2 @aaronpk
  • aaron.pk/oauth2 @aaronpk
  • aaron.pk/oauth2 @aaronpk
  • aaron.pk/oauth2 @aaronpk
  • OAuth 1.0 Signatures The signature base string is composed of the HTTP method being used, followed by an ampersand ("&") and then the URL-encoded base URL being accessed, complete with path (but not query parameters), followed by an ampersand ("&"). Then, you take all query parameters and POST body parameters (when the POST body is of the URL-encoded type, otherwise the POST body is ignored), including the OAuth parameters necessary for negotiation with the request at hand, and sort oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7o them in lexicographical order by first parameter name and then dC2XJcn4XlZJqk", parameter value (for duplicate parameters), all the while ensuring that both the key and the value for each parameter are URL encoded in oauth_callback="http%3A%2F%2Flocalhost%3A300 isolation. Instead of using the equals ("=") sign to mark the key/value 5%2Fthe_dance%2Fprocess_callback%3Fservice_pr relationship, you use the URL-encoded form of "%3D". Each parameter is ovider_id%3D11", then joined by the URL-escaped ampersand sign, "%26". oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323042", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_signature="8wUi7m5HFQy76nowoCThusfgB%aaron.pk/oauth2 2BQ%3D", oauth_version="1.0" @aaronpk
  • aaron.pk/oauth2 @aaronpk
  • OAuth 2: signatures replaced by https HMACaaron.pk/oauth2 @aaronpk
  • Some Current Implementers
  • OAuth 2?There are 22 versions!!
  • Currently Implemented DraftsProvider Draft ReferenceFoursquare -10 http://aaron.pk/2YSGoogle -10 http://code.google.com/apis/accounts/docs/OAuth2.htmlGowalla -8 http://gowalla.com/api/docs/oauth https://developers.facebook.com/docs/authentication/oaFacebook -10 (ish) uth2_updates/Windows Live -10 http://aaron.pk/2YVSalesforce -10 http://aaron.pk/2YWGithub -07 http://develop.github.com/p/oauth.htmlGeoloqi -10 http://geoloqi.org/API @aaronpk
  • So how does it work?aaron.pk/oauth2 @aaronpk
  • Definitionsaaron.pk/oauth2 @aaronpk
  • 1. Authorizationaaron.pk/oauth2 @aaronpk
  • Create a “Log In” linkLink to:https://geoloqi.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URIaaron.pk/oauth2 @aaronpk
  • Send the user to the auth pagehttps://geoloqi.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URIaaron.pk/oauth2 @aaronpk
  • On success, user is redirectedback to your site with auth codehttps://example.com/auth?code=AUTH_CODE_HEREOn error, user is redirected backto your site with error codehttps://example.com/auth?error=access_deniedaaron.pk/oauth2 @aaronpk
  • Exchange auth code for anaccess tokenYour server makes the following requestPOST https://api.geoloqi.com/1/oauth/tokenPost Body:grant_type=authorization_code&code=CODE_FROM_QUERY_STRING&redirect_uri=REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETaaron.pk/oauth2 @aaronpk
  • Exchange auth code for anaccess token (response)Your server gets a response like the following{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}or if there was an error{ "error":"invalid_request"}aaron.pk/oauth2 @aaronpk
  • 2. Accessing Resourcesaaron.pk/oauth2 @aaronpk
  • Use the access token tomake requestsNow you can make requests using the access token.GET https://api.geoloqi.com/1/account/profileAuthorization: OAuth RsT5OjbzRn430zqMLgV3IaAccess token can be in an HTTP header or a querystring parameterhttps://api.geoloqi.com/1/account/profile?oauth_token=RsT5OjbzRn430zqMLgV3Iaaaron.pk/oauth2 @aaronpk
  • Eventually the access tokenwill expireWhen you make a request with an expiredtoken, you will get this response{ "error":"expired_token"}Now you need to get a new access token!aaron.pk/oauth2 @aaronpk
  • Get a new access tokenusing a refresh tokenYour server makes the following requestPOST https://api.geoloqi.com/1/oauth/tokengrant_type=refresh_token&reresh_token=e1qoXg7Ik2RRua48lXIV&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETYour server gets a similar response as the original call tooauth/token with new tokens.{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}aaron.pk/oauth2 @aaronpk
  • OAuth 2 ClientsClient libraries should handle refreshing the tokenautomatically behind the scenes.aaron.pk/oauth2 @aaronpk
  • Authorization Methods Auth Code Refresh Token PasswordDraft 10 also has AssertionDraft 22 also has Implicit (for browser-based apps) Extensions (for defining custom grant types)aaron.pk/oauth2 @aaronpk
  • Password Grant Type Suitable for mobile or native desktop apps where a web browser flow would be awkward. This breaks the fundamental benefit of OAuth (not giving your password to third parties), so should probably be limited to your own apps.aaron.pk/oauth2
  • Password GrantYour server makes the following requestPOST https://api.geoloqi.com/1/oauth/tokengrant_type=password&username=USERNAME&password=PASSWORD&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRETYour server gets a similar response as the original call to oauth/token withnew tokens.{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV"}aaron.pk/oauth2 @aaronpk
  • Implicit Grant (-22)For clients who can’t store a client secret in a secureway, typically Javascript-based apps.No concept of refresh tokens, and auth codes arenot used either.The redirection back to your app will include anaccess token in the URL fragment.https://example.com/auth#access_token=FJQbwq9aaron.pk/oauth2 @aaronpk
  • Security Recommendationsfor Clients Using BearerTokens Safeguard bearer tokens Validate SSL certificates Always use https Don’t store bearer tokens in plaintext cookies Issue short-lived bearer tokens Don’t pass bearer tokens in page URLsaaron.pk/oauth2 @aaronpk
  • http://code.flickr.com/blog/2011/06/21/flickr-now-supports-oauth-1-0a/ Currently, we only support OAuth 1.0a, but we have plans to eventually support OAuth 2.0. The decision was based on the fact that OAuth 2.0 is still an evolving definition that is rapidly changing.
  • More Info & Code Samples:http://aaron.pk/oauth2 Thanks. Aaron Parecki @aaronpk aaronparecki.com github.com/aaronpk