OAuth4 (and OAuth4R)

Auth Presentation to Singapore Ruby Brigade at SMU, School of Information System 29 November 2007 Chew Choon Keat sharedcopy.com http://ﬂickr.com/photos/lachlanhardy/1400641336/

Why OAuth • Web 2.0 • APIs • Mashups

Giving away access • Mint “an impressive personal ﬁnance application”

• Mint Terms of Service

http://ﬂickr.com/photos/brianoberkirch/1092087510/

Giving away access • \"Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay.\" - oauth.net

Alternatives: Hidden Public • Random URLs • Security by obscurity

Alternatives: Proprietary • Google AuthSub • AOL OpenAuth • Yahoo BBAuth • Upcoming API • Flickr API • Amazon Web Services API

What is OAuth • “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.”

OAuth Flow • Registration (server to server) • Request Token • Authorization • Access Token http://ﬂickr.com/photos/petromyzon/26252991/

End User http://ﬂickr.com/photos/andreasnilsson1976/433173596/

Protected Resource http://ﬂickr.com/photos/annettepedrosian/2071523294/

Service Provider http://ﬂickr.com/photos/spectrasensors/322545693/

Consumer http://ﬂickr.com/photos/inﬁdelic/147930477/

Tokens http://ﬂickr.com/photos/kt/364996966/

Protected Resources Consumer Service Provider End User

Consumer Registration Consumer Protected Resources Service Provider “Let’s work together here are my details” End User http://ﬂickr.com/photos/marcroberts/1484118790/

Consumer Registration Service Provider Protected Resources Consumer End User

Consumer Registration Service Provider Protected Resources Consumer “These are our secrets. Use it every time you talk to me” End User http://ﬂickr.com/photos/9458565@N07/760773574/

Consumer Registration Service Provider Protected Resources Consumer End User

Use Case Consumer Protected Resources Service Provider End User “Print my pictures from SP”

Get Request Tokens Consumer Protected Resources Service Provider “I have someone who needs you” End User

Get Request Tokens Service Provider Protected Resources Consumer “Pass this to him, and bring him to me” End User http://ﬂickr.com/photos/9458565@N07/760773574/

Get Authorization Consumer Protected Resources Service Provider “Go to there. Bring this along” End User

Get Authorization Service Provider Protected Resources Consumer “Hi, remember me?” End User

Get Authorization Service Provider Protected Resources Consumer “Silver coin! You need Consumer to do things for you?” End User

Get Authorization Service Provider Protected Resources Consumer “Yes” End User

Get Authorization Service Provider Protected Resources Consumer “Your wish is my command. Return there” End User

Get Access Token Protected Resources Consumer Service Provider End User “Its done!”

Get Access Token Consumer Protected Resources Service Provider “He said ok? Gimme the keys” End User

Get Access Token Service Provider Protected Resources Consumer “Ignore that silly silver coin... Use this from now and I will always treat you as he” End User http://ﬂickr.com/photos/azuric/150520121/

Get Access Token Consumer Protected Resources Service Provider End User

Use Access Token Consumer Protected Resources Service Provider “Gimme MY pictures” End User

Using Access Token Service Provider Protected Resources Consumer End User

Using Access Token • Whenever Consumer calls SP’s API • GET /photos.xml • bring consumer key, access token • sign with consumer secret & access secret • Service Provider veriﬁes signature • treats request as End User

Using Access Token • User at Service Provider website can choose to invalidate the access for Consumer at any time

Desktop Flow

Desktop Flow http://ﬂickr.com/photos/factoryjoe/sets/72157601300877805/detail/

Introducing OAuth4R • Forget the protocol, just ﬁll in the blanks • Provides code generators to allow Rails website to support OAuth easily • Generated scaffolds does the OAuth dance out of the box • Only need developers to link tokens to their Users

OAuth4R svn checkout http://oauth4r.googlecode.com/svn/trunk/example_apps • “Provider” site contains • users • users’ contacts • “Consumer” site contains • only users

OAuth4R: Provider cd example_apps/oauth_provider rake db:create:all rake db:migrate ./script/server -p 5001 • Users controller at http://localhost:5001/users • with primitive login implemented • Users’ Addressbook controller at http://localhost:5001/contacts • with primitive permissions based on user’s login

OAuth4R: Consumer cd ../oauth_consumer/ rake db:create:all rake db:migrate ./script/server -p 5000 • Users controller at http://localhost:5000/users • even more primitive login implementation • For this demo, create a new user, “Tommy”

OAuth4R: Provider cd ../oauth_provider/ ./script/generate oauth_provider GetContact rake db:migrate patch -p0 < TODO.patch ./script/server -p 5001 • Generate a “scaffold controller” • Controller does the OAuth dance • Modify to linkup with your own user models

• Modifying generated OAuth controller • oauth_user = User.ﬁnd(session..)

• Modify your User model to has_many oauth_user • Modify controller guarding Protected Resources to requires_oauth

OAuth4R: Consumer cd ../oauth_consumer/ ./script/generate oauth_consumer UseGetContact rake db:migrate patch -p0 < TODO1.patch ./script/server -p 5000 • Generate a “scaffold controller” • Controller can do OAuth dance with one service provider • Modify to linkup with your User models

• Modify generated OAuth controller • oauth_user = User.ﬁnd(session..)

• Modify user to has_many oauth_user • Add a link to kick-start OAuth authorization link_to .. new_use_get_contact_path

Registering Consumer • Go to http://localhost:5000/use_get_contacts • Copy “Callback URL”

Registering Consumer • http://localhost:5001/get_contacts/new • Paste “Callback URL” & click Register • Update config/use_get_contacts.oauth.yml

User Authorization • Go to http://localhost:5000/users • Click on “Tommy > Show” to login • Click on \"Establish OAuth...\"

User Authorization • Click “Create” and you’ll arrive at provider site (http://localhost:5001) to Login • Authorization prompt will appear • Click “Yes” & you’ll be redirected back to consumer site (http://localhost:5000)

All done, then what? • Scripts accessing APIs on behalf of End User • This demo uses a simple ActiveResource

All done, then what? $ ruby script/fetch_contacts.rb /example_apps/oauth_consumer/vendor/rails/ activeresource/lib/active_resource/connection.rb: 124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError) • OAuth blocks our unauthenticated access • We need to modify our API callers slightly patch -p0 < TODO2.patch

Modify ActiveResource • Add acts_as_oauth_resource • underlying http connection will be automatically padded with OAuth credentials

Backend API Access? • Wrap ActiveResource activity inside with_oauth code blocks

Done $ ruby script/fetch_contacts.rb --- - !ruby/object:Contact attributes: name: Dick updated_at: 2007-11-29 08:11:35 Z id: 1 user_id: 1 created_at: 2007-11-29 08:11:35 Z prefix_options: &id001 {} - !ruby/object:Contact attributes: name: Harry updated_at: 2007-11-29 08:11:35 Z id: 2 user_id: 1 created_at: 2007-11-29 08:11:35 Z prefix_options: *id001

Ruby Links • OAuth4R http://oauth4r.googlecode.com/ • OAuth Rails Plugin http://oauth-plugin.googlecode.com/ http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider • OAuth Gem sudo gem install oauth • OAuth (was Twitter) http://oauth.googlecode.com/svn/code/ruby/ • Google Group: oauth-ruby http://groups.google.com/group/oauth-ruby

Thank you!

OAuth4 (and OAuth4R)

0 comments

Notes on slide 1

13 Favorites & 3 Groups