BUILDING AND USING SECURE WEB SERVICES WITH OAUTH Skillswap Goes Portable, November 25, 2008 Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/

web services are about data let’s think about data...

DATA SHOULD BE PORTABLE (even your private data) The Internet is awash with data (put there by our users)

The Internet is awash with data

(put there by our users)

why?

CONTROL YOUR DATA Don't get locked into one vendor

Mash|ups < data > MORE INTERESTING http://pipes.yahoo.com/bruceboughton/skillswapmashup

RE-PURPOSE YOUR DATA in different contexts

INTERPRET IT ACCESS IT Data is portable if you can easily  

Data is portable if you can easily

Data should be available in STANDARD DATA FORMATS <xml/> POSH  JSON μ f

How can users let third parties ACCESS THEIR PRIVATE DATA? User data is moving to the cloud 

User data is moving to the cloud

40-60% OF TWEETS VIA API* Blaine Cook co-authored OAuth Why pick on Twitter?

Why pick on Twitter?

http://kecute.wordpress.com/2007/11/05/cat-computer-geek/

we need an easy , user-friendly standard for third party api security

GOOGLE CONTACTS DEMO http://lab.madgex.com/oauth-net/googlecontacts/

http://lab.madgex.com/oauth-net/googlecontacts/

YOU CHOOSE who you share YOUR DATA with OAuth puts the user back in control

OAuth puts the user back in control

NO NEED to give out your PASSWORD OAuth is secure

OAuth is secure

FIRE EAGLE LOCATION DEMO http://whereami.lab.madgex.com/

http://whereami.lab.madgex.com/

Supports FINE-GRAINED privacy controls Lightweight and open for extension

Lightweight and open for extension

Google Yahoo OpenSocial Netflix MySpace Pownce Ma.gnolia SmugMug GetSatisfaction and more... Big name adoption

Big name adoption

one thing: OAuth != OpenID (but they do play nicely)

OpenID is authentication OAUTH IS ACCESS CONTROL

let’s get technical

Protected resources are exposed by service providers and used by consumer applications on behalf of users

e.g. My physical location is exposed by the Fire Eagle API and used by the Madgex Lab demo on my behalf

Consumer identity asserted using CONSUMER KEY and SECRET

Consumer gets an ACCESS TOKEN (tied to a user, usually re-usable) To fetch a protected resource

To fetch a protected resource

Consumer asks USER TO LOG IN and AUTHORIZE request To get an access token

To get an access token

Requests are SIGNED and include a TIMESTAMP and NONCE

This is just PLAIN OLD HTTP with added super powers

don’t worry, there are plenty of open source libraries

Ruby .NET Python PHP Java JavaScript Objective-C and more... http://oauth.net/code

do we have time for some code? OAuth.net library http://lab.madgex.com/oauth-net

Configuring the Fire Eagle service (without discovery)

Configuring the Fire Eagle service

(without discovery)

Requesting the user’s location

Requesting the user’s location

Handling authorization (if we didn’t already have an access token)

Handling authorization

(if we didn’t already have an access token)

Using the protected resource

Using the protected resource

QUESTIONS? OR BEER. Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/