OAuth Overview


  • rabble, 7 months ago
    I’m sorry but you’re wrong. OAuth is about Authorization and NOT Authentication. It’s OpenID which is focused on Authentication.

OAuth Overview - Presentation Transcript

  1. OAuth a not-so-basic introduction zach graves zachg@yahoo-inc.com twitter: basictheory
  2. What Is OAuth? A simple, open standard for secure API authentication. -or- An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
  3. Why OAuth? Too many different authentication protocols across the internet.
  4. OAuth is similar to... • Flickr Auth • Yahoo BBAuth • Google AuthSub • Facebook Auth • and more... (hence the need for an open standard)
  5. OAuth is... • API Authentication - Provides access to various services requiring basic auth. • Token-based API Authentication - Logged-in user has a unique token given to an app to fetch data from the site, with permission.
  6. Who is involved? • Flickr & Yahoo! • Twitter • Google • Digg • Pownce • Google / Orkut
  7. Goals of OAuth • Be Open, Secure & Flexible • Maintain consistency for developers. • Make authentication easy for your users to understand and use.
  8. Typical OAuth flow
  9. Need to Login
  10. Login with service provider
  11. User Authorizes application
  12. Done
  13. How does it work for developers? • Provide service provider details about your application (owner, url, name) • Service provider assigns your app an id, consumer key and consumer secret. • Service provides OAuth endpoints.
  14. OAuth Process 1. Obtain request token (get_request_token) 2. User login and authorizes request token (request_auth) 3. Exchange request token for an access token. (get_token) 4. Use access token to request protected resources. (Renew after expiry with get_token)
  15. OAuth Parameters • oauth_consumer_key - (provided by service provider) • oauth_token - (user access token) • oauth_timestamp - (the current timestamp) • oauth_nonce - (a random string) • oauth_signature_method - (the signature method, hmac-sha1 or plaintext) • oauth_signature - (encrypted string of url + all parameters)
  16. Passing the OAuth info • Authorization Header • HTTP POST request body • URL query string
  17. How this is secure • No username or password transmitted to or from the consumer application • Timestamp and nonce are unique to prevent replay attacks • Encrypted signature helps the server verify the integrity of the data and recognize the application • Signature method - HMAC-SHA1, RSA-SHA1, Plaintext (for transmission over SSL).
  18. How this is insecure • Client applications need consumer secret embedded in the code. (javascript, flash, java, silverlight, desktop, etc.) • Compromises the consumer secret key. (it is meant to stay a secret)
  19. This is a lot of work.
  20. OAuth code • Because OAuth is an open spec, open-source libraries exist for many platforms. Java, PHP, C, C#, Javascript, .NET, Objective-C, Perl, Python, Ruby, ActionScript 3, Coldfusion, OCaml, Jifty, Maven... To name a few. • http://code.google.com/p/oauth/ • http://oauth.net/code
  21. Yahoo SDK • We have a PHP SDK for easily making signed OAuth requests to Yahoo! Social APIs. http://developer.yahoo.com/social/sdk
  22. Two legged OAuth - Allows access to resources that don’t require user auth:

```php
<?php
// Assumes the open-source PHP OAuth library (http://code.google.com/p/oauth/) is on the include path.
require_once 'OAuth.php';

$consumerKey    = "ABCDEFG1234";
$consumerSecret = "TUVWXYZ5678";
$baseUrl        = "http://myapp.com/services/getStats";
$args           = array('format' => 'json');

$consumer = new OAuthConsumer($consumerKey, $consumerSecret);
// Two-legged: there is no access token, so pass NULL for the token.
$request = OAuthRequest::from_consumer_and_token($consumer, NULL, "GET", $baseUrl, $args);
$request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $consumer, NULL);

// The oauth_* parameters travel in the Authorization header; only the query args go in the URL.
$requestUrl = $baseUrl . '?' . http_build_query($args);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $requestUrl);
curl_setopt($ch, CURLOPT_HTTPHEADER, array($request->to_header()));
...
```
  23. Use this method for services like YQL
  24. Signing requests to Yahoo! using HMAC-SHA1

```http
POST /oauth/v2/get_request_token HTTP/1.1
Host: api.login.yahoo.com
Accept: */*
Content-Length: 282
Content-Type: application/x-www-form-urlencoded

URL: https://api.login.yahoo.com/oauth/v2/get_request_token?
  oauth_consumer_key=dj0yJmk9YmxIan[....]
  &oauth_signature_method=HMAC-SHA1
  &oauth_version=1.0
  &oauth_timestamp=1221089876
  &oauth_nonce=JsZywH
  &oauth_signature=PnW34DmC0kPTYYD4lNPVbY3%2BF5A%3D
```
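As an added example (not from the slides or the Yahoo! SDK), the HMAC-SHA1 signing that slides 15, 17 and 24 describe, written in Python for both sides of the exchange: the consumer builds and signs a two-legged request, and a service-provider-side verifier recomputes the signature over the base string and rejects stale timestamps and reused nonces. The consumer key and secret are the placeholder values from slide 22; the URL, parameters and Verifier class are constructed for the example.

```python
import base64, hashlib, hmac, os, time
from urllib.parse import quote

def pct(s):
    # OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(url) & enc(sorted "k=v" pairs joined by &), excluding oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); two-legged => empty token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def make_request(method, url, consumer_key, consumer_secret, extra=None):
    # Consumer side: attach the oauth_* parameters from slide 15, then sign
    params = dict(extra or {})
    params.update({"oauth_consumer_key": consumer_key, "oauth_nonce": os.urandom(8).hex(),
                   "oauth_signature_method": "HMAC-SHA1",
                   "oauth_timestamp": str(int(time.time())), "oauth_version": "1.0"})
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params

class Verifier:
    """Service-provider side (constructed for this example): recompute and check the signature."""
    def __init__(self, secrets, window=300):
        self.secrets = secrets   # consumer_key -> consumer_secret
        self.window = window     # tolerated clock skew in seconds
        self.seen = set()        # (consumer_key, nonce, timestamp) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        secret = self.secrets.get(p.get("oauth_consumer_key"))
        if sig is None or secret is None:
            return False
        if abs(now - int(p.get("oauth_timestamp", 0))) > self.window:
            return False                      # outside the window: stale or replayed
        replay_key = (p["oauth_consumer_key"], p.get("oauth_nonce"), p["oauth_timestamp"])
        if replay_key in self.seen:
            return False                      # same nonce+timestamp seen before
        if not hmac.compare_digest(sign(method, url, p, secret), sig):
            return False                      # URL or any parameter was altered
        self.seen.add(replay_key)
        return True
```

The consumer secret never leaves the client; the provider proves the request came from the holder of that secret and was not altered in transit or replayed, which is the property slide 17 claims and slide 18 loses once the secret ships inside client code.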
  25. Finally • http://oauth.net/ • http://developer.yahoo.com/oauth/ • http://code.google.com/p/oauth/

basictheory, 2 years ago

An overview of OAuth w/ Yahoo! APIs

© All Rights Reserved
