OAuth4 (and OAuth4R)

Transcript

  • 1. Auth Presentation to Singapore Ruby Brigade at SMU, School of Information System 29 November 2007 Chew Choon Keat sharedcopy.com http://flickr.com/photos/lachlanhardy/1400641336/
  • 2. Why OAuth • Web 2.0 • APIs • Mashups
  • 3. Giving away access • Mint “an impressive personal finance application”
  • 4. • Mint Terms of Service
  • 5. http://flickr.com/photos/brianoberkirch/1092087510/
  • 6. Giving away access • “Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay.” - oauth.net
  • 7. Alternatives: Hidden Public • Random URLs • Security by obscurity
  • 8. Alternatives: Proprietary • Google AuthSub • AOL OpenAuth • Yahoo BBAuth • Upcoming API • Flickr API • Amazon Web Services API
  • 9. What is OAuth • “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.”
  • 10. OAuth Flow • Registration (server to server) • Request Token • Authorization • Access Token http://flickr.com/photos/petromyzon/26252991/
  • 11. End User http://flickr.com/photos/andreasnilsson1976/433173596/
  • 12. Protected Resource http://flickr.com/photos/annettepedrosian/2071523294/
  • 13. Service Provider http://flickr.com/photos/spectrasensors/322545693/
  • 14. Consumer http://flickr.com/photos/infidelic/147930477/
  • 15. Tokens http://flickr.com/photos/kt/364996966/
  • 16. Protected Resources Consumer Service Provider End User
  • 17. Consumer Registration Consumer Protected Resources Service Provider “Let’s work together here are my details” End User http://flickr.com/photos/marcroberts/1484118790/
  • 18. Consumer Registration Service Provider Protected Resources Consumer End User
  • 19. Consumer Registration Service Provider Protected Resources Consumer “These are our secrets. Use it every time you talk to me” End User http://flickr.com/photos/9458565@N07/760773574/
  • 20. Consumer Registration Service Provider Protected Resources Consumer End User
  • 21. Use Case Consumer Protected Resources Service Provider End User “Print my pictures from SP”
  • 22. Get Request Tokens Consumer Protected Resources Service Provider “I have someone who needs you” End User
  • 23. Get Request Tokens Service Provider Protected Resources Consumer “Pass this to him, and bring him to me” End User http://flickr.com/photos/9458565@N07/760773574/
  • 24. Get Authorization Consumer Protected Resources Service Provider “Go to there. Bring this along” End User
  • 25. Get Authorization Service Provider Protected Resources Consumer “Hi, remember me?” End User
  • 26. Get Authorization Service Provider Protected Resources Consumer “Silver coin! You need Consumer to do things for you?” End User
  • 27. Get Authorization Service Provider Protected Resources Consumer “Yes” End User
  • 28. Get Authorization Service Provider Protected Resources Consumer “Your wish is my command. Return there” End User
  • 29. Get Access Token Protected Resources Consumer Service Provider End User “It’s done!”
  • 30. Get Access Token Consumer Protected Resources Service Provider “He said ok? Gimme the keys” End User
  • 31. Get Access Token Service Provider Protected Resources Consumer “Ignore that silly silver coin... Use this from now and I will always treat you as he” End User http://flickr.com/photos/azuric/150520121/
  • 32. Get Access Token Consumer Protected Resources Service Provider End User
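The slides above act out the three-legged flow with a silver coin (request token) and keys (access token). As an added example that is not code from the talk or from OAuth4R, the following in-memory Service Provider implements the same steps in plain Ruby so the checks at each hand-off are visible: the request token is bound to one registered consumer, can be authorized once, is exchanged once and then discarded, the access token only works for the consumer it was issued to, and the End User can revoke it (slide 36). Consumer names, callback URLs and user names are constructed. The oauth_verifier carried on the redirect is an assumption taken from OAuth 1.0a (2009), which postdates this talk; request signing is a separate concern and is not modelled here.

```ruby
require 'securerandom'
require 'uri'

# Added example (not OAuth4R code): a toy Service Provider walking the
# three-legged OAuth 1.0 flow. State lives in memory; no signatures checked.
class ServiceProvider
  Token = Struct.new(:key, :secret, :consumer_key, :user, :verifier)

  def initialize
    @consumers = {}       # consumer_key => { secret:, callback: }
    @request_tokens = {}  # the "silver coin": one consumer, one use
    @access_tokens = {}   # the "keys": stand in for the End User
  end

  # Slides 17-19: "Let's work together" / "These are our secrets."
  # The callback URL is fixed at registration (slides 55-56), not per request.
  def register_consumer(name, callback)
    key = "#{name}-#{SecureRandom.hex(4)}"
    @consumers[key] = { secret: SecureRandom.hex(16), callback: callback }
    [key, @consumers[key][:secret]]
  end

  # Slides 22-23: an unauthorized request token, bound to this consumer.
  def issue_request_token(consumer_key, consumer_secret)
    return nil unless valid_consumer?(consumer_key, consumer_secret)
    t = Token.new(SecureRandom.hex(8), SecureRandom.hex(16), consumer_key, nil, nil)
    @request_tokens[t.key] = t
    t
  end

  # Slides 24-28: the End User, logged in at the provider, says "Yes".
  # Returns the redirect back to the consumer's registered callback. The
  # oauth_verifier on it is the OAuth 1.0a addition (assumed here): it ties
  # the approval to the consumer session that completes the exchange.
  def authorize(request_token_key, user)
    t = @request_tokens[request_token_key]
    return nil unless t && t.user.nil?          # unknown or already authorized
    t.user = user
    t.verifier = SecureRandom.hex(4)
    callback = @consumers[t.consumer_key][:callback]
    "#{callback}?#{URI.encode_www_form(oauth_token: t.key, oauth_verifier: t.verifier)}"
  end

  # Slides 30-31: "He said ok? Gimme the keys." The request token must belong
  # to this consumer, carry the right secret, have been authorized and match
  # the verifier; it is consumed on use ("ignore that silly silver coin").
  def exchange(consumer_key, consumer_secret, request_token_key, request_token_secret, verifier)
    return nil unless valid_consumer?(consumer_key, consumer_secret)
    t = @request_tokens[request_token_key]
    return nil unless t && t.consumer_key == consumer_key && t.secret == request_token_secret
    return nil unless t.user && t.verifier == verifier
    @request_tokens.delete(request_token_key)
    a = Token.new(SecureRandom.hex(8), SecureRandom.hex(16), consumer_key, t.user, nil)
    @access_tokens[a.key] = a
    a
  end

  # Slide 35: an access token presented by its own consumer is treated as
  # the End User who authorized it; any other consumer gets nothing.
  def user_for(consumer_key, access_token_key)
    a = @access_tokens[access_token_key]
    a && a.consumer_key == consumer_key ? a.user : nil
  end

  # Slide 36: the End User can invalidate the consumer's access at any time.
  def revoke(user, access_token_key)
    a = @access_tokens[access_token_key]
    return false unless a && a.user == user
    @access_tokens.delete(access_token_key)
    true
  end

  private

  def valid_consumer?(key, secret)
    c = @consumers[key]
    !c.nil? && c[:secret] == secret
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed walk-through: consumer "printshop" acting for user "Tommy".
  sp = ServiceProvider.new
  ck, cs = sp.register_consumer('printshop', 'http://localhost:5000/callback')
  rt = sp.issue_request_token(ck, cs)
  redirect = sp.authorize(rt.key, 'Tommy')
  verifier = URI.decode_www_form(URI(redirect).query).to_h['oauth_verifier']
  at = sp.exchange(ck, cs, rt.key, rt.secret, verifier)
  puts "access token #{at.key} acts as #{sp.user_for(ck, at.key)}"
end
```

Every early `return nil` is one of the hand-off checks the slides gloss over; a real provider would additionally expire request tokens after a few minutes and log each refused exchange.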
  • 33. Use Access Token Consumer Protected Resources Service Provider “Gimme MY pictures” End User
  • 34. Using Access Token Service Provider Protected Resources Consumer End User
  • 35. Using Access Token • Whenever Consumer calls SP’s API • GET /photos.xml • bring consumer key, access token • sign with consumer secret & access secret • Service Provider verifies signature • treats request as End User
  • 36. Using Access Token • User at Service Provider website can choose to invalidate the access for Consumer at any time
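Slide 35 says the consumer signs every API call with the consumer secret and the access secret and the Service Provider verifies that signature before treating the request as the End User. As an added example, not code from the talk or from OAuth4R, here is that signing and verification step written with the Ruby standard library: the signature base string, the HMAC-SHA1 signature, the consumer-side call that attaches the oauth_* parameters, and the provider-side check that also rejects stale timestamps and replayed nonces. It also builds the Authorization header form of the parameters, which is roughly what "padding the HTTP connection with OAuth credentials" (slide 61) amounts to, though OAuth4R's own internals are not shown. The consumer key, secrets, URL and nonce in the demo are constructed; the parameter set used to check the base string is taken from RFC 5849, section 3.4.1.1.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Percent-encoding as OAuth 1.0 requires: only unreserved characters
# (A-Z a-z 0-9 - . _ ~) pass through; everything else, space included,
# becomes %XX of its UTF-8 bytes.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) do |ch|
    ch.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# Signature base string: METHOD & encoded base URL & encoded normalized
# parameters. `params` is an array of [key, value] pairs (not a Hash) so
# repeated keys survive; oauth_signature itself is never part of it.
def signature_base_string(method, url, params)
  normalized = params
    .reject { |k, _| k == 'oauth_signature' }
    .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
    .sort
    .map { |k, v| "#{k}=#{v}" }
    .join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret"
# (each part percent-encoded): the "sign with consumer secret & access
# secret" step from slide 35.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string))
end

# Consumer side: add the oauth_* parameters and the signature to a call.
def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce: SecureRandom.hex(8), timestamp: Time.now.to_i)
  params = query + [
    ['oauth_consumer_key', consumer_key],
    ['oauth_token', token],
    ['oauth_signature_method', 'HMAC-SHA1'],
    ['oauth_timestamp', timestamp.to_s],
    ['oauth_nonce', nonce],
    ['oauth_version', '1.0']
  ]
  base = signature_base_string(method, url, params)
  params + [['oauth_signature', hmac_sha1_signature(base, consumer_secret, token_secret)]]
end

# Authorization header form: only the oauth_* parameters go in the header,
# query parameters stay in the URL (but are still covered by the signature).
def authorization_header(params, realm = nil)
  parts = params.select { |k, _| k.start_with?('oauth_') }
                .map { |k, v| %(#{oauth_escape(k)}="#{oauth_escape(v)}") }
  parts.unshift(%(realm="#{realm}")) if realm
  "OAuth #{parts.join(', ')}"
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: look up both secrets, refuse stale timestamps and replayed
# nonces, recompute the signature and compare it in constant time. Returns
# the token key on success (the request is then "treated as End User"),
# nil otherwise. `seen_nonces` is the provider's replay cache.
def verify_request(method, url, params, consumers, tokens, seen_nonces, now: Time.now.to_i, window: 300)
  h = params.to_h
  consumer_secret = consumers[h['oauth_consumer_key']]
  token_secret = tokens[h['oauth_token']]
  return nil unless consumer_secret && token_secret
  return nil unless h['oauth_signature_method'] == 'HMAC-SHA1'
  return nil if (now - h['oauth_timestamp'].to_i).abs > window
  nonce_key = [h['oauth_consumer_key'], h['oauth_timestamp'], h['oauth_nonce']]
  return nil if seen_nonces.include?(nonce_key)
  expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
  return nil unless secure_compare(expected, h['oauth_signature'].to_s)
  seen_nonces << nonce_key
  h['oauth_token']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values; the provider URL mirrors the talk's example app.
  consumers = { 'demo-consumer-key' => 'demo-consumer-secret' }
  tokens = { 'demo-access-token' => 'demo-access-secret' }
  url = 'http://localhost:5001/contacts.xml'
  req = sign_request('GET', url, [['user_id', '1']], 'demo-consumer-key', 'demo-consumer-secret',
                     'demo-access-token', 'demo-access-secret')
  puts authorization_header(req, 'http://localhost:5001/')
  puts "verified as token: #{verify_request('GET', url, req, consumers, tokens, [])}"
end
```

Note that the provider must reconstruct the base string from the request exactly as the consumer built it (same method, same base URL without query, same decoded parameters), which is why normalisation rules are strict; the nonce cache is what turns a captured request into a one-time artifact rather than a reusable credential.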
  • 37. Desktop Flow
  • 38. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 39. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 40. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 41. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 42. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 43. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 44. Desktop Flow http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
  • 45. Introducing OAuth4R • Forget the protocol, just fill in the blanks • Provides code generators to allow a Rails website to support OAuth easily • Generated scaffolds do the OAuth dance out of the box • Developers only need to link tokens to their Users
  • 46. OAuth4R svn checkout http://oauth4r.googlecode.com/svn/trunk/example_apps • “Provider” site contains • users • users’ contacts • “Consumer” site contains • only users
  • 47. OAuth4R: Provider cd example_apps/oauth_provider rake db:create:all rake db:migrate ./script/server -p 5001 • Users controller at http://localhost:5001/users • with primitive login implemented • Users’ Addressbook controller at http://localhost:5001/contacts • with primitive permissions based on user’s login
  • 48. OAuth4R: Consumer cd ../oauth_consumer/ rake db:create:all rake db:migrate ./script/server -p 5000 • Users controller at http://localhost:5000/users • even more primitive login implementation • For this demo, create a new user, “Tommy”
  • 49. OAuth4R: Provider cd ../oauth_provider/ ./script/generate oauth_provider GetContact rake db:migrate patch -p0 < TODO.patch ./script/server -p 5001 • Generate a “scaffold controller” • Controller does the OAuth dance • Modify to linkup with your own user models
  • 50. • Modifying generated OAuth controller • oauth_user = User.find(session..)
  • 51. • Modify your User model to has_many oauth_user • Modify controller guarding Protected Resources to requires_oauth
  • 52. OAuth4R: Consumer cd ../oauth_consumer/ ./script/generate oauth_consumer UseGetContact rake db:migrate patch -p0 < TODO1.patch ./script/server -p 5000 • Generate a “scaffold controller” • Controller can do OAuth dance with one service provider • Modify to linkup with your User models
  • 53. • Modify generated OAuth controller • oauth_user = User.find(session..)
  • 54. • Modify user to has_many oauth_user • Add a link to kick-start OAuth authorization link_to .. new_use_get_contact_path
  • 55. Registering Consumer • Go to http://localhost:5000/use_get_contacts • Copy “Callback URL”
  • 56. Registering Consumer • http://localhost:5001/get_contacts/new • Paste “Callback URL” & click Register • Update config/use_get_contacts.oauth.yml
  • 57. User Authorization • Go to http://localhost:5000/users • Click on “Tommy > Show” to login • Click on “Establish OAuth...”
  • 58. User Authorization • Click “Create” and you’ll arrive at provider site (http://localhost:5001) to Login • Authorization prompt will appear • Click “Yes” & you’ll be redirected back to consumer site (http://localhost:5000)
  • 59. All done, then what? • Scripts accessing APIs on behalf of End User • This demo uses a simple ActiveResource
  • 60. All done, then what?
    $ ruby script/fetch_contacts.rb
    /example_apps/oauth_consumer/vendor/rails/activeresource/lib/active_resource/connection.rb:124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError)
    • OAuth blocks our unauthenticated access • We need to modify our API callers slightly
    patch -p0 < TODO2.patch
  • 61. Modify ActiveResource • Add acts_as_oauth_resource • underlying http connection will be automatically padded with OAuth credentials
  • 62. Backend API Access? • Wrap ActiveResource activity inside with_oauth code blocks
  • 63. Done
    $ ruby script/fetch_contacts.rb
    ---
    - !ruby/object:Contact
      attributes:
        name: Dick
        updated_at: 2007-11-29 08:11:35 Z
        id: 1
        user_id: 1
        created_at: 2007-11-29 08:11:35 Z
      prefix_options: &id001 {}
    - !ruby/object:Contact
      attributes:
        name: Harry
        updated_at: 2007-11-29 08:11:35 Z
        id: 2
        user_id: 1
        created_at: 2007-11-29 08:11:35 Z
      prefix_options: *id001
  • 64. Ruby Links • OAuth4R http://oauth4r.googlecode.com/ • OAuth Rails Plugin http://oauth-plugin.googlecode.com/ http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider • OAuth Gem sudo gem install oauth • OAuth (was Twitter) http://oauth.googlecode.com/svn/code/ruby/ • Google Group: oauth-ruby http://groups.google.com/group/oauth-ruby
  • 65. Thank you!